DHCP Snooping and Trusted DHCP Server

A fundamental requirement for most of the IP security features described in this section is to configure DHCP snooping and trusted DHCP server.

DHCP snooping enhances security by filtering untrusted DHCP messages and by building and maintaining a DHCP bindings database. Trusted DHCP server also enhances security by forwarding DHCP packets from only configured trusted servers within your network.

The DHCP bindings database contains the IP address, MAC Address, VLAN ID, and port number of the untrusted interface or client. If the switch receives a DHCP ACK message and the IP address does not exist in the DHCP bindings database, the switch creates an entry in the DHCP bindings database. If the switch receives a DHCP RELEASE, NAK or DECLINE message and the IP address exists in the DHCP bindings database, the switch removes the entry.

You can enable DHCP snooping on a per port, per VLAN basis and trusted DHCP server on a per-vlan basis. If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets. If configured for trusted DHCP server, the switch forwards only DHCP packets from the trusted servers. The switch drops DHCP packets from other DHCP snooping-enabled ports.

In addition, to prevent rogue DHCP servers from farming out IP addresses, you can optionally configure a specific port or set of ports as trusted ports. Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports. When configured to do so, the switch drops packets from DHCP snooping-enabled ports and causes one of the following user-configurable actions: disables the port temporarily, disables the port permanently, blocks the violating MAC address temporarily, blocks the violating MAC address permanently, and so on.

Note

Note

When IP security DHCP snooping is enabled on a VLAN, if ports are removed from the VLAN, the IP security snooping configuration is removed. If ports are added back to the VLAN, you must manually enable the IP security snooping configuration again. This is true for both plain and LAG ports.

Also, if LAG is unconfigured, the IP security configuration is removed for those ports.

Also, if a new port is added to a VLAN that has IP security snooping enabled on it already for other ports, you must manually enable IP security snooping again for the new added port. IP security commands are not automatically applied to added ports to a VLAN. They must be manually configured again.

Note

Note

Beginning with version 32.5, the functionality of the option port all in the commands enable ip-security dhcp-snooping dynamic vlan ports all violation-action drop-packet or enable ip-security dhcp-snooping vlan v2 ports all violation-action drop-packet is enhanced to cover all the _future_ member ports of a VLAN or _future_ VLANs.

If the port is dynamically removed or added by any module, for example Netlogin or ONEPolicy, the ports all option enables IP-security snooping on the ports corresponding to the VLAN it adds.