Switch - Configure DHCP Snooping

DHCP Snooping: Prevent attackers or users from adding their own DHCP Server to the network and only a whitelist of IP addresses may access the network. When you use DHCP snooping, you can only place the DHCP Server on a “Trusted Port”. The Trust Port can be defined by the network administrator manually. All clients can get the IP address from the “Trusted” DHCP Server. All DHCP IP address assignments will be also recorded into an internal table called the “Snooping Table”.

This table contains these key attributes:

• MAC address
• VLAN ID
• IP address
• Port number

If there is a binding, the Switch forwards the packet or discards it, if no binding can be found.

Now, if there is another DHCP Server connected to the network, but is located on a “untrusted” port, all its DHCP messages will be discarded on that port and thus no one else will be able to get IP from this un-authorized DHCP Server.

 

- Setup Global DHCP Snooping 
- Setup DHCP Snooping for VLAN
- What can be go wrong

 

1) Configure DHCP Snooping

1.1 Configure Global DHCP Snooping

Navigate to: 

SECURITY > IPv4 Source Guard > DHCP Snooping > DHCP Snp. Status

Here you can see the database status of your DHCP Snooping after enabling it. 

 

Navigate to: 

SECURITY > IPv4 Source Guard > DHCP Snooping > DHCP Snp. Setup

DHCP VLAN: Select a VLAN ID if you want the Switch to forward DHCP packets to DHCP servers on a specific VLAN (DHCP server’s VLAN).

Note: You must also enable DHCP snooping on the DHCP VLAN (DHCP server’s VLAN) too.

 

1.2 Configure Trusted Port

Configure the server trusted state by navigating to: 

SECURITY > IPv4 Source Guard > DHCP Snooping > DHCP Snp. Port Setup

Trusted port: for ports connected to DHCP servers or other switches.

Untrusted port: for ports connected to clients and untrusted DHCP servers, and the Switch discards DHCP packets from untrusted ports in the following situations:

1. The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
2. The source MAC address and source IP address in the packet do not match any of the current bindings.
3. The packet is a RELEASE or DECLINE packet, and the source MAC address and source port do not match any of the current bindings.
4. The rate at which DHCP packets arrive is too high.

Note: specify the maximum number for DHCP packets (1-2048) that the Switch receives from each port each second. The Switch discards any additional DHCP packets. Enter 0 to disable this limit, which is recommended for trusted ports.

 

1.3 Configure DHCP Snooping for VLAN

Before you can get the DHCP snooping properly working for your VLAN, you need to configure the DHCP Snooping VLAN configuration. 

Navigate to:

SECURITY > IPv4 Source Guard > DHCP Snooping > DHCP Snp. VLAN Setup

 

1.4 Save your Configuration

Don't forget to save your configuration when you're doing configuring. If you don't save the configuration, it will reverse back to the previous config when you reboot the switch.

 

 

1.4 What can go wrong

Sometimes DHCP snooping might not work properly, below you can find a reason why and how to solve it: 

 

If you've activated DHCP Snooping on the switch configuration page.

And also set trusted and untrusted ports, accordingly:

To get DHCP Snooping working, you have to select VLAN on the top right side.

Enable the VLAN you'd like to implement DHCP Snooping at.

 

2) Configure DHCP Snooping on legacy GUI

 

Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure

DHCP VLAN: Select a VLAN ID if you want the Switch to forward DHCP packets to DHCP servers on a specific VLAN (DHCP server’s VLAN).

Note: You must also enable DHCP snooping on the DHCP VLAN (DHCP server’s VLAN) too.

 

How to Setup Trusted Port

• Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure > P

Trusted port: for ports connected to DHCP servers or other switches.

Untrusted port: for ports connected to clients and untrusted DHCP servers, and the Switch discards DHCP packets from untrusted ports in the following situations:

1. The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
2. The source MAC address and source IP address in the packet do not match any of the current bindings.
3. The packet is a RELEASE or DECLINE packet, and the source MAC address and source port do not match any of the current bindings.
4. The rate at which DHCP packets arrive is too high.

Note: specify the maximum number for DHCP packets (1-2048) that the Switch receives from each port each second. The Switch discards any additional DHCP packets. Enter 0 to disable this limit, which is recommended for trusted ports.

 

How to Setup DHCP Snooping for VLAN

• Advanced Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure > VLAN

 

 

What can be go wrong:

Sometimes DHCP snooping might not work properly, below you can find a reason why and how to solve it:  I've activated DHCP Snooping on the switch configuration page.

And I've also set trusted and untrusted ports, accordingly.

To get DHCP Snooping working, you have to select VLAN on the top right side.

Enable the VLAN you'd like to implement DHCP Snooping at.