Dhcp Snooping Option-82 Data Insertion - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual


Overview of DHCP Snooping
The DHCP snooping binding database contains the MAC address, the IP address, the lease time, the
binding type, the VLAN number, and the interface information that corresponds to the local untrusted
interfaces of a switch. The database does not contain information regarding hosts interconnected with a
trusted interface.
In a service-provider network, a trusted interface is connected to a port on a device in the same network.
An untrusted interface is connected to an untrusted interface in the network or to an interface on a device
that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware
address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match,
the switch drops the packet.
The switch drops DHCP packets when any of these situations occur:
• The switch receives a packet from a DHCP server, such as a DHCPOFFER, DHCPACK,
  DHCPNAK, or DHCPLEASEQUERY packet, from outside the network or firewall.
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP
  client hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE message that contains a MAC address
  in the DHCP snooping binding table, but the interface information in the binding table does not
  match the interface on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can
enable the DHCP option 82 on untrusted port feature, which enables untrusted aggregation-switch ports
to accept DHCP packets that include option-82 information. Configure the port on the edge switch that
connects to the aggregation switch as a trusted port.
Note: With the DHCP option 82 on untrusted port feature enabled, use dynamic ARP inspection on the
aggregation switch to protect untrusted input interfaces.

DHCP Snooping Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address
assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled
on the switch, a subscriber device is identified by the switch port through which it connects to the
network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the
same port on the access switch and are uniquely identified.
Figure 34-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server
assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients
and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent
is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages
between the clients and the server.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Chapter 34, Configuring DHCP Snooping, page 34-2
OL-11439-03
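
The drop conditions listed in the DHCP snooping overview, together with the option 82 on untrusted port behaviour, modelled in Python. This is an added example, not Cisco code or switch output: the frame model, interface names, MAC addresses and the `allow_untrusted_opt82` parameter are constructed for illustration. It assumes that trusted ports bypass every check and that a server message "from outside the network" is one arriving on an untrusted port.

```python
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class DhcpFrame:               # simplified, constructed model of a DHCP frame
    ingress: str               # interface the frame arrived on
    src_mac: str               # Ethernet source MAC address
    chaddr: str                # DHCP client hardware address
    msg_type: str              # DHCP message type name
    giaddr: str = "0.0.0.0"    # relay agent IP address
    option82: bool = False     # frame already carries option-82 data

def snoop(frame, trusted, bindings, allow_untrusted_opt82=False):
    """Return None to forward the frame, or the reason it is dropped."""
    if frame.ingress in trusted:       # assumption: trusted ports skip all checks
        return None
    if frame.msg_type in SERVER_MSGS:
        return "server message from untrusted side"
    if frame.src_mac != frame.chaddr:
        return "source MAC and client hardware address differ"
    if frame.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_if = bindings.get(frame.chaddr)   # simplified binding: MAC -> interface
        if bound_if is not None and bound_if != frame.ingress:
            return "binding table interface mismatch"
    if frame.giaddr != "0.0.0.0":
        return "relay agent address is not 0.0.0.0"
    # Untrusted ports accept option-82 data only when the feature is enabled.
    if frame.option82 and not allow_untrusted_opt82:
        return "option-82 data on untrusted port"
    return None

# Constructed sample data: one trusted uplink and one learned binding.
TRUSTED = {"Gi1/1"}
CLIENT = "00:11:22:33:44:55"
BINDINGS = {CLIENT: "Fa2/1"}
SAMPLES = [
    DhcpFrame("Gi1/1", "00:aa:00:00:00:01", "00:aa:00:00:00:01", "DHCPOFFER"),
    DhcpFrame("Fa2/7", "00:bb:00:00:00:02", "00:bb:00:00:00:02", "DHCPOFFER"),
    DhcpFrame("Fa2/7", "00:bb:00:00:00:02", CLIENT, "DHCPDISCOVER"),
    DhcpFrame("Fa2/7", CLIENT, CLIENT, "DHCPRELEASE"),
    DhcpFrame("Fa2/1", CLIENT, CLIENT, "DHCPRELEASE"),
    DhcpFrame("Fa2/3", CLIENT, CLIENT, "DHCPDISCOVER", giaddr="10.0.0.1"),
    DhcpFrame("Fa2/3", CLIENT, CLIENT, "DHCPDISCOVER", option82=True),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.ingress, f.msg_type, "->", snoop(f, TRUSTED, BINDINGS) or "forward")
```

The last sample is the edge-switch case: it is dropped on an aggregation-switch port unless `allow_untrusted_opt82` is set, which is the situation the Note pairs with dynamic ARP inspection.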
