134
that provide network access to hosts that are in physically unsecured locations or if network users connect
nonstandard hosts to the network.
For example, if an employee unknowingly connects a workstation to the network that has a DHCP server,
and the DHCP server is enabled, hosts that attempt to acquire network information from the legitimate
network DHCP server might obtain incorrect information from the rogue DHCP server. However, if the
workstation with the rogue DHCP server is connected to a port that is configured as untrusted and is a
member of a DHCP Snooping-enabled VLAN, the port discards the DHCP server messages.
4.2.5. Configuring DHCP Snooping
In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are
members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a
rate limit of 100 packets per second. Port-channel 1, which is also a member of VLAN 100 and contains
ports 21-24, is the trunk port that connects the switch to the data center, so it is configured as a trusted
port.
Figure 4-3: DHCP Snooping Configuration Topology
The commands in this example also enforce rate limiting and remote storage of the bindings database. The
switch has a limited amount of storage space in NVRAM and flash memory, so the administrator specifies
that the DHCP snooping bindings database is stored on an external TFTP server.
To configure the switch:
1. Enable DHCP snooping on VLAN 100.
(QCT) #config
(QCT) (Config)#ip dhcp snooping vlan 100
2. Configure Port-channel 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted
by default.
(QCT) (Config)#interface port-channel 1
(QCT) (if-port-channel ch1)#ip dhcp snooping trust
To Next Page
Loading...
Need help?
General