
Yusuf Bhaiji

"Network Security Technologies and Solutions"

The switch maintains a DHCP binding database that keeps track of DHCP addresses that are assigned to ports, as well as filtering DHCP messages from untrusted ports. For incoming packets received on untrusted ports, packets are dropped if the source MAC address does not match the MAC address in the binding table entry.
Figure 4-4a. DHCP Snooping Table
Figure 4-4b illustrates the DHCP Snooping feature in action, showing how the intruder is blocked on the untrusted port when it tries to intervene by injecting a bogus DHCP response packet into a legitimate conversation between the DHCP client and server.
Figure 4-4b. DHCP Snooping in Action
The DHCP Snooping feature can be configured for switches and VLANs. When enabled on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When enabled on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain.
For DHCP Snooping to function correctly, all DHCP servers connected to the switch must be configured as trusted interfaces. A trusted interface can be configured by using the ip dhcp snooping trust interface configuration command. All other DHCP clients connected to the switch and other ports receiving traffic from outside the network or firewall should be configured as untrusted by using the no ip dhcp snooping trust interface configuration command.
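The following is an added example, not code from the book or from Cisco: a small Python model of the decisions described above (the binding database built from the server's replies on the trusted port, bogus server replies dropped on untrusted ports as in Figure 4-4b, and the source-MAC check against the binding table entry). Port names, MAC addresses, and the packet exchange are constructed for illustration.

```python
# Added example, not Cisco's code: a model of the DHCP Snooping decisions on this page; all packets are constructed.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # legitimate only from trusted ports

@dataclass
class DhcpPacket:
    port: str         # ingress switch port
    src_mac: str      # Ethernet source MAC address
    msg_type: str     # DHCP message type
    chaddr: str       # client hardware address in the DHCP payload
    yiaddr: str = ""  # address the server assigns (server messages only)

@dataclass
class DhcpSnooping:
    trusted: set = field(default_factory=set)     # trusted port names
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, port)
    pending: dict = field(default_factory=dict)   # client MAC -> port

    def inspect(self, pkt: DhcpPacket) -> str:
        """Return 'forward' or 'drop' and maintain the binding database."""
        if pkt.port in self.trusted:
            # Trusted port (DHCP server side): record the lease handed out.
            if pkt.msg_type == "ACK" and pkt.chaddr in self.pending:
                self.bindings[pkt.chaddr] = (pkt.yiaddr, self.pending.pop(pkt.chaddr))
            return "forward"
        # Untrusted port: a server reply here is a bogus server (Figure 4-4b).
        if pkt.msg_type in SERVER_MSGS:
            return "drop"
        # Untrusted port: the source MAC must match its binding table entry;
        # a bound MAC arriving on a different port does not, so it is dropped.
        bound = self.bindings.get(pkt.src_mac)
        if bound is not None and bound[1] != pkt.port:
            return "drop"
        self.pending[pkt.chaddr] = pkt.port  # remember where the client asked
        return "forward"

def demo():
    sw = DhcpSnooping(trusted={"Gi0/24"})  # uplink to the real DHCP server
    c, srv = "aa:aa:aa:aa:aa:01", "00:00:00:00:00:ff"
    flow = [
        DhcpPacket("Fa0/1", c, "DISCOVER", c),
        DhcpPacket("Gi0/24", srv, "OFFER", c, "10.0.0.5"),
        DhcpPacket("Fa0/7", "bb:bb:bb:bb:bb:07", "OFFER", c, "10.0.0.99"),  # rogue server
        DhcpPacket("Fa0/1", c, "REQUEST", c),
        DhcpPacket("Gi0/24", srv, "ACK", c, "10.0.0.5"),
        DhcpPacket("Fa0/7", c, "RELEASE", c),  # bound MAC on the wrong port
    ]
    return [sw.inspect(p) for p in flow], sw.bindings
```

Calling demo() walks one legitimate lease through the switch alongside a rogue OFFER and a bound MAC appearing on the wrong port, returning the per-packet decision list and the resulting binding table.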

