DHCP snooping is a security feature that you will almost certainly run into while studying for your Cisco exams or while working in an enterprise environment. Its first job is to ensure that you do not have a rogue DHCP server on your network. In the past I wrote another post on a basic DHCP snooping lab that walks through the basic configuration, but I’ll use this post to go into more of the “why” and “how” instead of jumping straight to configuration. That other post can be found here: Basic DHCP Snooping Lab
Basic Guide and Configuration
In its most basic form, DHCP snooping lets you specify exactly which interfaces DHCP server messages are allowed to arrive on. Much of the time this is the switch’s uplink. The rest of the ports are typically ordinary L2 access ports, and we would not want DHCP to be served from any of them. By marking a port as trusted, you control where your legitimate DHCP servers sit and, more importantly, which ports are untrusted.
First we would want to enable DHCP snooping globally:
switch(config)# ip dhcp snooping
By default, DHCP snooping is disabled on all VLANs. You must enable it globally first, then enable it on a specific VLAN:
switch(config)# ip dhcp snooping vlan 100
The configuration above enables DHCP snooping globally and then on VLAN 100. At that point snooping is enabled, but no ports are trusted, so we would not receive any DHCP messages from our DHCP server: they would be dropped by DHCP snooping. We therefore need to mark port e0/0 in our topology as trusted. That is a single interface-level command:
switch(config)# interface ethernet0/0
switch(config-if)# ip dhcp snooping trust
Now our DHCP messages will be able to come through as intended.
DHCP Snooping Binding Database
The other feature that adds real security is the check on the source MAC address of traffic. Here is an example. I am the client in our topology and my IP address is 192.168.1.5. My MAC address is aa00.bb00.cc00. The DHCP snooping binding database keeps track of DHCP clients, their IP addresses, and their MAC addresses. Look at the device in our topology above labeled “Rogue-DHCP-Server”. If that device tried to spoof my IP address, the switch would recognize that the source traffic does not carry the MAC address the binding database has matched to my IP address, and that traffic would not be allowed. This is a default part of DHCP snooping once it is enabled on your VLAN of choice.
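To make those decisions concrete, here is an added Python model of what the switch does with the three commands from this post (my example, not Cisco code and not part of the original post). It feeds the exact configuration lines through a tiny parser, then shows a legitimate DISCOVER/ACK exchange populating the binding database, a rogue OFFER dropped on an untrusted port, and data traffic from the rogue host dropped because its source MAC does not match the binding for 192.168.1.5. The port names for the client (e0/1) and the rogue device (e0/2), the server’s MAC address and the rogue’s MAC address are assumptions. One caveat worth knowing: on Cisco switches the binding table is applied to ordinary (non-DHCP) traffic by IP Source Guard, and to ARP by Dynamic ARP Inspection, both of which read the DHCP snooping binding table; the model folds that check into a single `ip_packet` method for illustration.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should ever send
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    kind: str                # DISCOVER, OFFER, REQUEST, ACK, NAK, ...
    src_mac: str             # Ethernet source address of the frame
    chaddr: str              # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"  # address assigned (meaningful in OFFER/ACK)


@dataclass
class SnoopingSwitch:
    """Minimal model of the state a switch keeps for DHCP snooping."""
    snooping_global: bool = False
    snooping_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> client MAC
    current_if: str = ""                          # selected by "interface ..."

    def apply_config(self, lines):
        """Understands only the three commands used in this post."""
        for raw in lines:
            line = raw.strip()
            if line == "ip dhcp snooping":
                self.snooping_global = True
            elif line.startswith("ip dhcp snooping vlan "):
                self.snooping_vlans.add(int(line.split()[-1]))
            elif line.startswith("interface "):
                self.current_if = line.split(None, 1)[1].lower()
            elif line == "ip dhcp snooping trust":
                if not self.current_if:
                    raise ValueError("'ip dhcp snooping trust' is an interface-level command")
                self.trusted_ports.add(self.current_if)
            else:
                raise ValueError(f"command not modelled here: {line!r}")

    def active_on(self, vlan):
        return self.snooping_global and vlan in self.snooping_vlans

    def dhcp_message(self, vlan, port, msg):
        """Verdict ('forward' or 'drop: ...') for a DHCP message entering `port`."""
        port = port.lower()
        if not self.active_on(vlan):
            return "forward"                  # snooping inactive: nothing is inspected
        if port in self.trusted_ports:
            if msg.kind == "ACK":             # lease granted: record the binding
                self.bindings[(vlan, msg.yiaddr)] = msg.chaddr
            return "forward"
        # everything below applies to untrusted ports only
        if msg.kind in SERVER_MESSAGES:
            return f"drop: server message {msg.kind} on untrusted port {port}"
        if msg.src_mac != msg.chaddr:         # MAC-address verification (on by default)
            return "drop: frame source MAC does not match chaddr"
        return "forward"

    def ip_packet(self, vlan, port, src_mac, src_ip):
        """Binding-table check for ordinary traffic from an untrusted port."""
        port = port.lower()
        if not self.active_on(vlan) or port in self.trusted_ports:
            return "forward"
        bound_mac = self.bindings.get((vlan, src_ip))
        if bound_mac is None:
            return f"drop: no binding for {src_ip} on vlan {vlan}"
        if bound_mac != src_mac:
            return f"drop: {src_ip} is bound to {bound_mac}, not {src_mac}"
        return "forward"


def demo():
    """Replays the post's scenario; client port e0/1, rogue port e0/2 and the
    server/rogue MAC addresses are assumed (constructed sample data)."""
    sw = SnoopingSwitch()
    sw.apply_config([
        "ip dhcp snooping",
        "ip dhcp snooping vlan 100",
        "interface ethernet0/0",
        " ip dhcp snooping trust",
    ])
    client, server, rogue = "aa00.bb00.cc00", "0000.1111.2222", "dd00.ee00.ff00"
    results = {}
    # legitimate exchange: client asks on e0/1, server answers through trusted e0/0
    results["discover"] = sw.dhcp_message(100, "ethernet0/1", DhcpMessage("DISCOVER", client, client))
    results["ack"] = sw.dhcp_message(100, "ethernet0/0", DhcpMessage("ACK", server, client, "192.168.1.5"))
    # rogue DHCP server trying to answer the client from an untrusted port
    results["rogue_offer"] = sw.dhcp_message(100, "ethernet0/2", DhcpMessage("OFFER", rogue, client, "192.168.1.200"))
    # rogue host sending data traffic with the client's IP address
    results["spoof"] = sw.ip_packet(100, "ethernet0/2", rogue, "192.168.1.5")
    results["client_ok"] = sw.ip_packet(100, "ethernet0/1", client, "192.168.1.5")
    return results, sw


if __name__ == "__main__":
    verdicts, switch = demo()
    for name, verdict in verdicts.items():
        print(f"{name:12s} {verdict}")
    print("binding database:", switch.bindings)
```

Running it prints a verdict per step and the resulting binding database; the useful thing to notice is that the rogue OFFER is refused purely on port trust, before any binding exists, while the spoofed data packet is refused on the IP-to-MAC binding learned from the real ACK.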
DHCP option 82 lets a device act as a DHCP relay agent in a more secure and advanced manner. A DHCP request with option 82 normally includes the “giaddr” value, which allows the DHCP server to determine which DHCP pool to assign an IP from. If this field is zero, the DHCP server uses the source interface as the value. To start using option 82, you must enable it:
switch(config)# ip dhcp relay information option
This ensures the device acting as the DHCP relay agent inserts option 82. Keep in mind that the DHCP server must support option 82. Something more advanced you could do on the DHCP server would be to use a DHCP class to specify sub-ranges of IP addresses, for instance. This guide sticks to a more standard, basic setup.
Sometimes the device acting as the relay agent receives a DHCP request that already has option 82 set. By default, the relay agent discards that packet. If you want the relay agent to trust and accept it, you need the following command:
switch(config)# ip dhcp relay information trust-all
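As an added example (mine, not from the post and not Cisco code), the following Python builds a minimal DHCP request, shows where giaddr sits in the fixed DHCP header and how option 82 is encoded as sub-options (circuit ID and remote ID), and models the two relay-agent commands above: with the option enabled the relay fills in giaddr and appends option 82, and a request that already carries option 82 with giaddr 0 is dropped by default and accepted only when trust-all is set. The relay interface address 192.168.1.1, the circuit/remote ID strings, the transaction ID, and the exact accept/drop policy are assumptions of this model.

```python
import struct
from ipaddress import IPv4Address

OPT_RELAY_AGENT = 82          # DHCP relay agent information option
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options
END = b"\xff"


def build_request(chaddr, giaddr="0.0.0.0", options=b""):
    """Constructed BOOTREQUEST: 236-byte fixed header, cookie, options, END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                        # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,             # xid (made up), secs, flags=broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        IPv4Address(giaddr).packed,        # giaddr: relay agent address (bytes 24-27)
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    return header + MAGIC + options + END


def giaddr_of(packet):
    return str(IPv4Address(packet[24:28]))


def parse_options(packet):
    """Return {code: value} for the TLV options (pad and END handled)."""
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    i, opts = 240, {}
    while i < len(packet):
        code = packet[i]
        if code == 0:             # pad
            i += 1
            continue
        if code == 255:           # END
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_suboptions(blob):
    """Option 82 is itself a list of TLV sub-options (no pad/END inside)."""
    i, subs = 0, {}
    while i < len(blob):
        code, length = blob[i], blob[i + 1]
        subs[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def encode_option82(circuit_id, remote_id):
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT, len(subs)]) + subs


class RelayAgent:
    """Assumed model of the relay behaviour behind the two commands in the post."""

    def __init__(self, interface_ip, circuit_id, remote_id,
                 insert_option=False, trust_all=False):
        self.interface_ip = interface_ip    # interface the client request arrived on
        self.circuit_id, self.remote_id = circuit_id, remote_id
        self.insert_option = insert_option  # "ip dhcp relay information option"
        self.trust_all = trust_all          # "ip dhcp relay information trust-all"

    def relay(self, packet):
        """Return (verdict, packet_to_forward)."""
        opts = parse_options(packet)
        from_client = giaddr_of(packet) == "0.0.0.0"
        if OPT_RELAY_AGENT in opts and from_client and not self.trust_all:
            return "drop: option 82 already present with giaddr 0", packet
        out = packet
        if from_client:                      # first relay hop fills in giaddr
            out = out[:24] + IPv4Address(self.interface_ip).packed + out[28:]
        if self.insert_option and OPT_RELAY_AGENT not in opts:
            body = out[:-1] if out.endswith(END) else out
            out = body + encode_option82(self.circuit_id, self.remote_id) + END
        return "forward", out


def demo():
    client = bytes.fromhex("aa00bb00cc00")   # client MAC from the post
    relay = RelayAgent("192.168.1.1", b"Eth0/1", b"switch-1", insert_option=True)
    verdict, relayed = relay.relay(build_request(client))
    subs = parse_suboptions(parse_options(relayed)[OPT_RELAY_AGENT])
    # a request that already carries option 82 when it reaches the relay
    tagged = build_request(client, options=encode_option82(b"foreign", b"other-relay"))
    dropped, _ = relay.relay(tagged)
    trusting = RelayAgent("192.168.1.1", b"Eth0/1", b"switch-1",
                          insert_option=True, trust_all=True)
    accepted, _ = trusting.relay(tagged)
    return {"verdict": verdict, "giaddr": giaddr_of(relayed),
            "circuit_id": subs[SUB_CIRCUIT_ID], "remote_id": subs[SUB_REMOTE_ID],
            "tagged_default": dropped, "tagged_trust_all": accepted}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

The point of the byte-level view is that giaddr and option 82 are two different things the server may key on: giaddr is a fixed header field the relay overwrites, while option 82 is extra TLV data appended to the options, which is exactly why a request arriving with option 82 but giaddr still zero looks suspicious to the relay unless you have told it to trust such packets.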
Putting all of that together, you can see there are multiple combinations you can use with DHCP snooping: general DHCP snooping, snooping with option 82 set, and snooping with option 82 sent with a zero value. In summary, this can be customized to your exact network needs. Just know that you don’t need to enable all of these options as a “default template” of sorts; it all depends on the specific network requirements.
Overall, these are the most common uses for DHCP snooping. You can definitely go more in depth, but I would say this is “intermediate level” knowledge of the DHCP snooping topic. As always, leave me some comments below!