Access Control Lists

3-101

3

DHCP Snooping

The addresses assigned to DHCP clients on insecure ports can be carefully
controlled using the dynamic bindings registered with DHCP Snooping (or using the
static bindings configured with IP Source Guard). DHCP snooping allows a switch to
protect a network from rogue DHCP servers or other devices which send
port-related information to a DHCP server. This information can be useful in tracking
an IP address back to a physical port.
Command Usage
Network traffic may be disrupted when malicious DHCP messages are received
from an outside source. DHCP snooping is used to filter DHCP messages received
on a non-secure interface from outside the network or firewall. When DHCP
snooping is enabled globally and enabled on a VLAN interface, DHCP messages
received on an untrusted interface from a device not listed in the DHCP snooping
table will be dropped.
Table entries are only learned for trusted interfaces. An entry is added or removed
dynamically to the DHCP snooping table when a client receives or releases an IP
address from a DHCP server. Each entry includes a MAC address, IP address,
lease time, VLAN identifier, and port identifier.
The rate limit for the number of DHCP messages that can be processed by the
switch is 100 packets per second. Any DHCP packets in excess of this limit are
dropped.
When DHCP snooping is enabled, DHCP messages entering an untrusted
interface are filtered based upon dynamic entries learned via DHCP snooping.
Filtering rules are implemented as follows:
- If the global DHCP snooping is disabled, all DHCP packets are forwarded.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the
DHCP packet is received, all DHCP packets are forwarded for a trusted port. If
the received packet is a DHCP ACK message, a dynamic DHCP snooping entry
is also added to the binding table.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the
DHCP packet is received, but the port is not trusted, it is processed as follows:
* If the DHCP packet is a reply packet from a DHCP server (including OFFER,
ACK or NAK messages), the packet is dropped.
* If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding entry is
found in the binding table.
* If the DHCP packet is from a client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC
address verification is disabled. However, if MAC address verification is
enabled, then the packet will only be forwarded if the client’s hardware
address stored in the DHCP packet is the same as the source MAC address
in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.