Enable/Configure DHCP Snooping in Cisco Catalyst Switches (IOS)

Enable/Configure DHCP Snooping in Cisco Catalyst Switches (IOS)\

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted DHCP message is a message that is received from outside the network or firewall causing denial of service attacks.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping can be enabled on the switch per vlan as it can intercept the DHCP messages at the layer2.

The following is a step by step procedure to enable and configure DHCP snooping in Cisco catalyst switches running Cisco IOS

Enable DHCP Snooping

ciscoswitch(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs
DHCP snooping can be enabled on one or more VLANs or a range of VLANs

ciscoswitch(config)# ip dhcp snooping vlan number 100

The above enables dhcp snooping on VLAN 100


To enable on more VLANs

ciscoswitch(config)# ip dhcp snooping vlan number 10-15 100 110

where the DHCP snooping is enabled on VLAN 10-15, 100 and 110


Enable DHCP Option 82
This allows DHCP option 82 message insertions into the packets. Option 82 is the Relay Agent Information Option as described in RFC 3046

ciscoswitch(config)# ip dhcp snooping information option

Configure Trust Interface
Interface not explcicitly configured as a trust interface is treated as an untrusted interface.

ciscoswitch(config)# interface fa0/0

ciscoswitch(config-if)# ip dhcp snooping trust

DHCP Snooping Rate limiting (optional)
Rate limiting allows restricting the number of DHCP packets per second (pps) that an interface can receive

ciscoswitch(config-if)# ip dhcp snooping limit rate 202

Where "202" indicates that the interface can receive "202" messages per second
This should configure DHCP Snooping on Cisco IOS switches.


Display DHCP Snooping

ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
    10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
———           ——-        —————-
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

Display DHCP Snooping Binding Table

ciscoswitch# show ip dhcp snooping binding
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
———–     ———–     —————-     —–       —–     ————
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1