DHCP Snooping & Option 82
Overview
DHCP snooping prevents DHCP server spoofing and exhaustion attacks by controlling which ports can respond to DHCP requests. It maintains a binding table that tracks IP-to-MAC-to-port relationships for security enforcement.
Key Functions
- Only trusted ports may respond to DHCP discover messages
- Maintains IP, MAC, and port bindings for verification
- Inspects DHCP messages on untrusted ports
All ports are untrusted by default. Uplinks and the ports facing DHCP servers should be configured as trusted so that messages arriving on them are not inspected.
Basic Configuration
    ip dhcp snooping
    ip dhcp snooping vlan 1

    interface Ethernet1/1
     description To-DHCP-Server
     ip dhcp snooping trust

Note: Always trust the port connected to your DHCP server. In multi-switch scenarios, also trust the uplink side of trunk links between switches.
DHCP Message Inspection
When DHCP messages arrive on untrusted ports, the switch inspects them according to these rules:
Server Messages (OFFER, ACK, NACK)
- Always dropped on untrusted ports
Client Messages
- DISCOVER/REQUEST: Source MAC must match the DHCP message CHADDR field
- RELEASE/DECLINE: Source IP and interface must match the snooping binding table entry
- Any message with Option 82: Dropped
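The inspection rules above, written out as a small decision function so the drop/forward outcome for each case can be checked. This is an added illustration, not switch code; the message fields, the `Binding` record and the sample messages are constructed for the example.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NACK"}
CLIENT_BOOT = {"DISCOVER", "REQUEST"}
CLIENT_TEARDOWN = {"RELEASE", "DECLINE"}


@dataclass(frozen=True)
class Binding:
    """One snooping binding table entry (constructed shape, lease time omitted)."""
    ip: str
    mac: str
    interface: str


@dataclass(frozen=True)
class DhcpMsg:
    kind: str            # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NACK
    interface: str       # ingress switch port
    src_mac: str         # Ethernet source MAC
    src_ip: str          # IP source address
    chaddr: str          # client hardware address carried in the DHCP payload
    has_option82: bool = False


def inspect(msg: DhcpMsg, trusted_ports: set[str], bindings: dict[str, Binding]) -> tuple[str, str]:
    """Apply the snooping rules; returns ("FORWARD" | "DROP", reason)."""
    # Trusted ports (uplinks, server ports) are never inspected.
    if msg.interface in trusted_ports:
        return "FORWARD", "trusted port: not inspected"
    # Untrusted port from here on.
    if msg.has_option82:
        return "DROP", "Option 82 present on untrusted port"
    if msg.kind in SERVER_MSGS:
        return "DROP", f"server message {msg.kind} on untrusted port"
    if msg.kind in CLIENT_BOOT:
        if msg.src_mac.lower() != msg.chaddr.lower():
            return "DROP", "source MAC does not match CHADDR"
        return "FORWARD", "source MAC matches CHADDR"
    if msg.kind in CLIENT_TEARDOWN:
        entry = bindings.get(msg.src_ip)
        if entry is None or entry.interface != msg.interface:
            return "DROP", "no binding for source IP on this interface"
        return "FORWARD", "binding table entry matches"
    return "DROP", f"unknown message type {msg.kind}"


# Constructed sample table: one client that previously obtained a lease on Eth1/2.
SAMPLE_BINDINGS = {"10.0.0.50": Binding("10.0.0.50", "aa:bb:cc:00:00:01", "Ethernet1/2")}
TRUSTED = {"Ethernet1/1"}
```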
Binding Table
The DHCP snooping binding table records successful DHCP assignments, including IP address, MAC address, interface, and lease time. This information is used to verify RELEASE and DECLINE messages from clients.

    show ip dhcp snooping binding

The binding table ensures that only the legitimate client that received an IP address can send RELEASE or DECLINE messages for that address.
Rate Limiting
DHCP snooping can rate-limit DHCP messages per interface. If the rate limit is exceeded, the port enters the error-disabled state.

    interface Ethernet1/2
     ip dhcp snooping limit rate 10

    errdisable recovery cause dhcp-rate-limit

This limits the interface to 10 DHCP messages per second. Configure rate limiting on client-facing ports to prevent DHCP exhaustion attacks.
DHCP Option 82
DHCP Option 82 (relay agent information option) provides additional information about where the DHCP message was received. DHCP relay agents typically add this option when forwarding messages to remote DHCP servers.
Default Behavior: With DHCP snooping enabled, the switch automatically adds Option 82 to messages from untrusted ports, even when not acting as a DHCP relay agent.
Common Issues
- Upstream switch trunk ports, unless configured as trusted, will drop messages carrying Option 82
- DHCP servers will reject messages with Option 82 that weren’t added by actual relay agents
Disabling Insertion
    no ip dhcp snooping information option

Use this command when Option 82 insertion causes issues with your DHCP server or upstream devices.
Verification
    show ip dhcp snooping
    show ip dhcp snooping binding
    show ip dhcp snooping database
    show errdisable recovery