DHCP snooping is a Layer 2 security feature built into capable switch operating systems. It inspects the DHCP traffic passing through the switch and drops messages it determines to be unacceptable. Its fundamental use case is to stop unauthorized (rogue) DHCP servers from handing out IP addresses, and with them default gateways and DNS servers, to DHCP clients. Rogue DHCP servers are used deliberately in man-in-the-middle and denial-of-service attacks, but the most common denial-of-service scenario is accidental: a user plugs a consumer-grade router into the port at their desk, unaware that the device runs a DHCP server by default.
|Setting|Description|
|---|---|
|DHCP Snooping Status|Turns DHCP snooping on or off.|
|Mac Verify|On untrusted ports, checks that the Ethernet source MAC address matches the client hardware address (chaddr) carried inside the DHCP packet, and drops packets where the two differ.|
These settings configure DHCP snooping for additional VLANs. DHCP snooping can be turned on for the switch as a whole and for individual VLANs. When it is turned on for the switch, the switch acts as a Layer 2 bridge that intercepts and inspects DHCP messages destined for a Layer 2 VLAN. When it is turned on for a VLAN, the switch does the same within that VLAN domain only.
Trust Port Settings
A trusted port is a port that connects to a legitimate DHCP server, or to an uplink toward one, and is therefore allowed to carry DHCP server messages (OFFER, ACK and NAK). DHCP messages received on trusted ports are forwarded without inspection. On untrusted ports, server messages are dropped, which is what stops a rogue server from answering clients. Mark only the server-facing and uplink ports as trusted: if the port toward the real DHCP server is left untrusted, its replies are dropped too and clients stop receiving leases. If DHCP snooping is turned off, all ports behave as trusted.
|Column|Description|
|---|---|
|Port|Displays the port number.|
|State|Indicates whether the port is Trusted or Untrusted.|
The DHCP snooping binding table lists the leases learned from DHCP exchanges on untrusted ports, recorded by VLAN, port, IP address and MAC address. IP source guard uses these entries as its filtering list.
IP source guard (IPSG)
You can use IP source guard (IPSG) to allow IP traffic on a port only from devices whose VLAN, port, IP address and MAC address appear in the filtering list, that is, the DHCP snooping binding table plus any entries you add manually. When you use IP source guard, the following restrictions apply:
- Only IPv4 is supported.
- DHCP snooping must be turned on.
- DHCP traffic itself isn't filtered, so clients can still obtain a lease through a port guarded by IPSG.
- The binding list holds at most 127 entries.
- If IPSG is turned on for a port but the binding table is empty, the port blocks all traffic. Populate the bindings, or let the attached clients obtain DHCP leases, before turning IPSG on for the port.
- Trunk ports don't support IPSG.
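The Python model below is an added example, not code from this page or from any switch vendor. It implements the decisions described in the Mac Verify, Trust Port Settings, binding table and IPSG sections in one place: DHCP server messages arriving on an untrusted port are dropped, a mismatch between the Ethernet source MAC and the chaddr is dropped when MAC verification is on, a lease is learned from the server's ACK and recorded in a binding table keyed by VLAN and port, and IPSG then allows only bound (IP, MAC) pairs on a guarded port, blocking everything except DHCP when the port has no bindings. The DHCP packets are constructed inline with a minimal BOOTP builder; the `SnoopingSwitch` class, its method names, the `pending` map used to tie a server ACK back to the client's port, and the way the 127-entry cap is enforced are the example's own assumptions, not a description of any particular product.

```python
"""Model of DHCP snooping and IP Source Guard decisions (added example, not vendor code)."""
import socket
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}      # legitimate only when sent by a DHCP server
MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of DHCP options in a BOOTP payload
MAX_BINDINGS = 127                       # cap taken from the restrictions list above


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload. Constructed sample data, not a real capture."""
    op = 2 if msg_type in SERVER_MESSAGES else 1                   # BOOTREQUEST=1, BOOTREPLY=2
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)   # op,htype,hlen,hops,xid,secs,flags
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)  # ciaddr, yiaddr
    hdr += bytes(8)                                                # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")                               # chaddr is a 16-byte field
    hdr += bytes(192)                                              # sname (64) + file (128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])      # option 53, then END


def parse_dhcp(payload):
    """Return (message type, chaddr, yiaddr); raise ValueError for anything that is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    chaddr = bytes(payload[28:28 + hlen])
    yiaddr = socket.inet_ntoa(payload[16:20])
    i, msg_type = 240, None
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # END
            break
        if code == 0:                   # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option missing")
    return msg_type, chaddr, yiaddr


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    mac_verify: bool = True
    ipsg_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (vid, port) -> {(ip, mac)}
    pending: dict = field(default_factory=dict)    # chaddr -> (vid, port) that sent the request

    def binding_count(self):
        return sum(len(v) for v in self.bindings.values())

    def snoop(self, vid, port, src_mac, payload):
        """DHCP snooping verdict for a DHCP payload that arrived on `port` with Ethernet source `src_mac`."""
        try:
            msg_type, chaddr, yiaddr = parse_dhcp(payload)
        except ValueError as exc:
            return f"drop: {exc}"
        if port in self.trusted_ports:
            # Trusted side: forwarded without inspection, but the lease is harvested for the binding table.
            if msg_type == ACK and chaddr in self.pending:
                cvid, cport = self.pending.pop(chaddr)
                if self.binding_count() >= MAX_BINDINGS:
                    return "forward (binding table full, lease not recorded)"
                self.bindings.setdefault((cvid, cport), set()).add((yiaddr, chaddr))
            return "forward"
        # Untrusted side: the rogue-server and spoofing checks.
        if msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if self.mac_verify and src_mac != chaddr:
            return "drop: source MAC does not match chaddr"
        self.pending[chaddr] = (vid, port)     # remember which port asked, to bind the ACK later
        return "forward"

    def ipsg_allows(self, vid, port, src_ip, src_mac, is_dhcp=False):
        """IP Source Guard check: bound (IP, MAC) pairs only; an empty table blocks all non-DHCP traffic."""
        if port not in self.ipsg_ports or is_dhcp:
            return True                          # IPSG off on this port, or DHCP, which IPSG never filters
        return (src_ip, src_mac) in self.bindings.get((vid, port), set())


def demo():
    """Walk a client lease and a rogue server through the model; returns the verdicts for inspection."""
    sw = SnoopingSwitch(trusted_ports={24}, ipsg_ports={1, 2})
    client, rogue, server = (bytes.fromhex(h) for h in ("0a1b2c3d4e5f", "deadbeef0001", "001122334455"))
    r = {}
    r["discover"] = sw.snoop(10, 1, client, build_dhcp(DISCOVER, client))                # client on untrusted port 1
    r["rogue_offer"] = sw.snoop(10, 2, rogue, build_dhcp(OFFER, client, "192.168.1.50"))  # desk router answers
    r["spoofed_request"] = sw.snoop(10, 2, rogue, build_dhcp(REQUEST, client))           # chaddr != source MAC
    r["ack"] = sw.snoop(10, 24, server, build_dhcp(ACK, client, "10.0.10.20"))           # real server, trusted port
    r["binding"] = sw.bindings.get((10, 1))
    r["ipsg_ok"] = sw.ipsg_allows(10, 1, "10.0.10.20", client)                           # leased address passes
    r["ipsg_spoof"] = sw.ipsg_allows(10, 1, "10.0.10.99", client)                        # self-assigned address fails
    r["ipsg_empty"] = sw.ipsg_allows(10, 2, "10.0.10.30", rogue)                         # no binding: blocked
    r["ipsg_empty_dhcp"] = sw.ipsg_allows(10, 2, "0.0.0.0", rogue, is_dhcp=True)         # DHCP still passes
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The order of events in `demo()` mirrors the caveat in the restrictions list: port 2 has IPSG turned on but never completed a lease, so every non-DHCP frame from it is dropped until a binding exists, while the DHCP exchange that would create that binding is still let through.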
To use IPSG, do as follows:
1. Go to Configure > L3 protocols > DHCP snooping > Global settings.
2. For DHCP snooping status, select Turned on.
3. For MAC address verification, select Turned on.
4. Go to IP source guard, and select Add.
5. For VID, enter the VLAN ID that the device is connected to.
6. For Port, enter the port that the device is connected to.
7. For IP address, enter the device's IP address.
8. For MAC address, enter the device's MAC address.
9. Go to IPSG ports.
10. Select the check box next to the ports you want to turn on IPSG for, and click Edit.
11. Select Turned on from the Status drop-down menu.
This table shows the DHCP snooping statistics for each VLAN.