DHCP Snooping allows switches on the network to trust the port the legitimate DHCP server is connected to and to not trust the other ports.
Basically, when a computer connected to an untrusted port sends a DHCP Discover message to find an available DHCP server, this message goes only to the trusted ports on the switch, which are the only ports allowed to send DHCP Offer and DHCP Ack messages back.
This is a very good prevention mechanism against e.g. man-in-the-middle attacks (a rogue DHCP server on an access port) and should be used in every network for security reasons.
When the switch receives a DHCP Offer message from an untrusted port, that port will go to the errdisable state.
To enable DHCP Snooping we need to do it globally (in global configuration mode):
R1(config)# ip dhcp snooping
and on a specific VLAN:
R1(config)# ip dhcp snooping vlan 5
Remember about option 82 in DHCP; it can cause a lot of trouble.
By default on Cisco switches option 82 is enabled, which means the switch inserts this option and expects it in the DHCP field. If your DHCP server doesn't have this option enabled, it can mess up your DHCP Snooping a little bit.
From my experience, in situations like this I just turned off this option using:
R1(config)# no ip dhcp snooping information option
Also use:
R1(config)# ip dhcp snooping information option allow-untrusted
if you have some other switches on the way to the DHCP server. If you don't use option 82, the switches on the way will by default still expect this option and will send some strange info to all of their neighbours.
Another useful command:
R1(config)# ip dhcp snooping database flash:DHCP_maps.txt
It tells your switch where to store the DHCP snooping binding database, i.e. the mapping of all IP addresses to MAC addresses (plus VLAN and port) learned from the DHCP exchanges, so it survives a reload.
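The pieces above put together, as an added example that is not from the original post: a complete DHCP snooping configuration for an access switch with one trusted uplink towards the DHCP server and untrusted, rate-limited client ports. The interface names, VLAN 5 and the rate-limit value are assumptions.

```text
! Added example configuration (not from the original post).
! Assumptions: Gi0/1 is the uplink towards the DHCP server, Gi0/2-24 are client ports in VLAN 5.
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 5
 ! Option 82 is inserted by default; turn it off when the DHCP server does not understand it
 no ip dhcp snooping information option
 ! Persist the IP-to-MAC binding table so it survives a reload
 ip dhcp snooping database flash:DHCP_maps.txt
 !
 ! Uplink to the DHCP server: the only port allowed to send DHCP Offer / Ack
 interface GigabitEthernet0/1
  description UPLINK-TO-DHCP-SERVER
  ip dhcp snooping trust
 !
 ! Client ports stay untrusted (the default). Limit DHCP messages per second so a
 ! flood of Discover messages cannot exhaust the server; exceeding the limit
 ! puts the port into errdisable.
 interface range GigabitEthernet0/2 - 24
  switchport access vlan 5
  ip dhcp snooping limit rate 15
 end
!
! Verification: confirm the trusted port list and the learned bindings
show ip dhcp snooping
show ip dhcp snooping binding
```

A client that never appears in `show ip dhcp snooping binding` after a lease was issued usually means the Offer arrived on an untrusted port or the option 82 settings do not match between switch and server.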