DHCP Snooping prevents attackers or users from adding their own DHCP server to the network and allows only a whitelist of IP addresses to access the network. When DHCP snooping is enabled, the DHCP server may only be placed on a “Trusted Port”, which the network administrator defines manually. All clients obtain their IP address from the “Trusted” DHCP server, and every DHCP IP address assignment is also recorded in an internal table called the “Snooping Table”.
This table contains these key attributes:
- MAC address
- VLAN ID
- IP address
- Port number
The Switch forwards a packet if it matches a binding and discards it if no binding can be found.
Now, if another DHCP server is connected to the network but sits on an “untrusted” port, all its DHCP messages are discarded on that port, so no client can obtain an IP address from this unauthorized DHCP server.
How to Set Up Global DHCP Snooping
- Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure
DHCP VLAN: Select a VLAN ID if you want the Switch to forward DHCP packets to DHCP servers on a specific VLAN (DHCP server’s VLAN).
How to Set Up a Trusted Port
- Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure > P
Trusted port: for ports connected to DHCP servers or other switches.
Untrusted port: for ports connected to clients and untrusted DHCP servers. The Switch discards DHCP packets from untrusted ports in the following situations:
- The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
- The source MAC address and source IP address in the packet do not match any of the current bindings.
- The packet is a RELEASE or DECLINE packet, and the source MAC address and source port do not match any of the current bindings.
- The rate at which DHCP packets arrive is too high.
Note: specify the maximum number of DHCP packets (1-2048) that the Switch accepts from each port per second; any additional DHCP packets are discarded. Enter 0 to disable this limit, which is recommended for trusted ports.
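To make the forwarding rules above concrete, here is an added model of the snooping decision as a small Python simulation. It is illustration code written for this article, not Zyxel firmware or CLI code: the port numbers, VLAN ID, MAC and IP addresses, the pending-REQUEST tracking used to learn which port a client sits on, and the assumption that a client without a lease sends from 0.0.0.0 are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Message types only a DHCP server sends; legitimate ones arrive on trusted ports only.
SERVER_MESSAGES = {"OFFER", "ACK", "NACK"}


@dataclass(frozen=True)
class Binding:
    """One row of the snooping table: MAC address, VLAN ID, IP address, port number."""
    mac: str
    vlan: int
    ip: str
    port: int


@dataclass
class Packet:
    """The DHCP packet fields the snooping decision looks at (constructed model)."""
    kind: str               # DHCP message type, e.g. "DISCOVER" or "ACK"
    port: int               # switch port the packet arrived on
    vlan: int
    src_mac: str
    src_ip: str = "0.0.0.0"  # assumption: a client without a lease sends from 0.0.0.0
    chaddr: str = ""         # client hardware address; an ACK names the lessee here
    yiaddr: str = ""         # "your IP address"; the address an ACK assigns


class DhcpSnooper:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted_ports = set(trusted_ports)
        self.rate_limit = rate_limit or {}   # port -> packets per second, 0 = no limit
        self.bindings = {}                   # (mac, vlan) -> Binding (the snooping table)
        self._pending = {}                   # (chaddr, vlan) -> port of the REQUESTing client
        self._counts = defaultdict(int)      # (port, second) -> DHCP packets seen

    def ingress(self, pkt, now=0.0):
        """Decide one packet: returns ("forward", reason) or ("discard", reason)."""
        if pkt.port in self.trusted_ports:
            self._learn(pkt)                 # trusted: forward, and record assignments
            return "forward", "trusted port"

        limit = self.rate_limit.get(pkt.port, 0)
        if limit:                            # per-port, per-second DHCP packet limit
            key = (pkt.port, int(now))
            self._counts[key] += 1
            if self._counts[key] > limit:
                return "discard", "DHCP rate limit exceeded"

        if pkt.kind in SERVER_MESSAGES:      # rogue server on an untrusted port
            return "discard", "server message on untrusted port"

        bound = self.bindings.get((pkt.src_mac, pkt.vlan))
        if pkt.kind in ("RELEASE", "DECLINE"):   # MAC and port must match the binding
            if bound is None or bound.port != pkt.port:
                return "discard", "RELEASE/DECLINE does not match binding"
            return "forward", "RELEASE/DECLINE matches binding"

        # Other client messages: a claimed source IP must match the binding for that MAC.
        if pkt.src_ip != "0.0.0.0" and (bound is None or bound.ip != pkt.src_ip):
            return "discard", "source MAC/IP do not match any binding"

        if pkt.kind == "REQUEST":            # remember which port this client is on
            self._pending[(pkt.src_mac, pkt.vlan)] = pkt.port
        return "forward", "client message"

    def _learn(self, pkt):
        """Add a snooping-table row when a trusted server ACKs a lease to a pending client."""
        if pkt.kind == "ACK" and pkt.yiaddr:
            port = self._pending.pop((pkt.chaddr, pkt.vlan), None)
            if port is not None:
                self.bindings[(pkt.chaddr, pkt.vlan)] = Binding(
                    pkt.chaddr, pkt.vlan, pkt.yiaddr, port)


def run_demo():
    """Constructed traffic: real server on trusted port 10, rogue server on port 5, client on port 3."""
    sw = DhcpSnooper(trusted_ports={10}, rate_limit={5: 3})
    client, real_srv, rogue = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:05"
    steps = [
        Packet("DISCOVER", 3, 1, client, chaddr=client),
        Packet("OFFER", 5, 1, rogue, "192.0.2.1", chaddr=client, yiaddr="192.0.2.200"),
        Packet("OFFER", 10, 1, real_srv, "192.0.2.2", chaddr=client, yiaddr="192.0.2.50"),
        Packet("REQUEST", 3, 1, client, chaddr=client),
        Packet("ACK", 10, 1, real_srv, "192.0.2.2", chaddr=client, yiaddr="192.0.2.50"),
        Packet("RELEASE", 4, 1, client, "192.0.2.50", chaddr=client),  # client MAC on wrong port
        Packet("REQUEST", 3, 1, client, "192.0.2.99", chaddr=client),  # IP not in the binding
        Packet("RELEASE", 3, 1, client, "192.0.2.50", chaddr=client),  # matches the binding
    ]
    results = [sw.ingress(p, now=1.0) for p in steps]
    # Port 5 is limited to 3 DHCP packets per second: the fourth within one second is dropped.
    flood = [sw.ingress(Packet("DISCOVER", 5, 1, rogue), now=7.2)[0] for _ in range(4)]
    return results, flood, dict(sw.bindings)


if __name__ == "__main__":
    results, flood, table = run_demo()
    for decision, reason in results:
        print(f"{decision:8} {reason}")
    print("flood on port 5:", flood)
    print("snooping table:", table)
```

The decisive points are the ones the rules above describe: the rogue OFFER on port 5 is discarded while the same OFFER on trusted port 10 passes, the binding is only created once the trusted server's ACK arrives, and a RELEASE carrying the client's MAC from a different port is dropped even though the MAC itself is known.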
How to Set Up DHCP Snooping for a VLAN
- Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure > VLAN
What can go wrong:
Sometimes DHCP snooping might not work as expected; below you can find a typical reason why, and how to solve it.
I've activated DHCP Snooping on the switch configuration page.
And I've also set trusted and untrusted ports, accordingly.
However, it still gets an IP from an illegitimate DHCP server that is not from port 10.
Why is DHCP snooping not working properly?
Step-by-step guide
To get DHCP Snooping working, you also have to select VLAN on the top right side of the DHCP Snooping configuration page.
Enable DHCP Snooping on the VLAN you'd like to protect; without this step the global setting and the trusted ports alone are not enough.