Friday, May 28, 2010

DHCP Snooping

I was going to talk about Dynamic ARP Inspection (DAI), but thought I had better talk about DHCP snooping first, since DAI depends on the binding table that DHCP snooping builds.

Having a rogue DHCP server on your network is obviously a problem, and the switch can block it. DHCP snooping treats every port as untrusted unless you say otherwise: it drops DHCP server messages (OFFER, ACK, NAK) that arrive on an untrusted port, and it builds a table of DHCP bindings learned from the clients behind those ports. First you enable it globally with ip dhcp snooping. Then you enable it per VLAN with ip dhcp snooping vlan number (a range or comma-separated list of VLAN numbers works here as well). Both steps are required; the global command by itself does not snoop anything.

Next you need to manually set all your trusted interfaces with ip dhcp snooping trust. This means all your switch uplinks, as well as any port with a legitimate DHCP server on it. Server-to-client replies are only accepted inbound on a trusted port, so if you forget an uplink, clients behind that switch simply stop getting addresses.

This means regular clients should always be on an untrusted port so that they cannot act as a DHCP server.

Other options include rate limiting. ip dhcp snooping limit rate pps, set on a per-interface basis, limits how many DHCP packets per second a client on an untrusted port can send, which stops a host from flooding the switch (or exhausting the server's pool) with requests. Be aware that a port which exceeds its limit is put into err-disabled, so either keep the limit generous or add errdisable recovery cause dhcp-rate-limit so the port comes back on its own.

The DHCP snooping binding table (show ip dhcp snooping binding) holds, for each client learned on an untrusted port, the MAC address, IP address, remaining lease time, binding type, VLAN number, and interface. This is the table DAI checks ARP packets against.
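Putting the steps above together, here is a complete configuration for a single access switch. This is an added example written for this post, not a config from the original or from Cisco's documentation. The interface names (Gi1/0/1-46 for clients, Gi1/0/47 as the uplink, Gi1/0/48 for a local DHCP server), the VLAN numbers, and the rate limit value are all made up for the illustration; substitute your own.

```cisco
! Added example: DHCP snooping on a Catalyst access switch.
! Assumed topology (not from the original post):
!   Gi1/0/1-46  client access ports in VLANs 10 and 20 (untrusted, the default)
!   Gi1/0/47    trunk uplink to distribution, where the main DHCP server lives
!   Gi1/0/48    a locally attached DHCP server in VLAN 10

! Step 1: enable globally, then for the VLANs that carry clients.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Option 82 insertion is on by default; turn it off unless the DHCP server
! (or the next snooping switch upstream) has been set up to accept it,
! otherwise client requests relayed through this switch may be dropped.
no ip dhcp snooping information option
!
! Bindings live in memory and are lost on reload (which also breaks DAI until
! clients renew). Persist them so the table survives a reboot.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Step 2: client ports stay untrusted; only add the per-port rate limit.
interface range GigabitEthernet1/0/1 - 46
 description Client access ports (untrusted)
 switchport mode access
 ip dhcp snooping limit rate 10
!
! Step 3: trust the uplink so DHCP replies from the server can come back in.
interface GigabitEthernet1/0/47
 description Uplink to distribution (DHCP replies arrive here)
 switchport mode trunk
 ip dhcp snooping trust
!
! Step 3 (continued): trust the port of any directly attached DHCP server.
interface GigabitEthernet1/0/48
 description Local DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
! A client port that exceeds its rate limit goes err-disabled; let it recover
! after five minutes instead of waiting for someone to bounce it by hand.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification (exec mode):
!   show ip dhcp snooping           - enabled VLANs, trusted ports, rate limits
!   show ip dhcp snooping binding   - MAC, IP, lease, type, VLAN, interface per client
```

After a client behind Gi1/0/3 gets an address, show ip dhcp snooping binding should list its MAC, IP, remaining lease, a type of dhcp-snooping, its VLAN and GigabitEthernet1/0/3. If a client port shows no binding while the client clearly has an address, the usual cause is that the client's DHCP exchange went through a port you forgot to trust, so the reply was dropped and the client kept an old lease.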
