09-19-2016 10:08 PM - edited 03-08-2019 07:29 AM
Hi,
If someone connects to the switch and spoofs a DHCP server, can I just use DHCP Snooping to block that traffic, like the following?
-------
Switch(config)#interface fastEthernet 0/4
Switch(config-if)#no ip dhcp snooping trust
-------
#show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
----------------------- ------- ----------------
FastEthernet0/4 no unlimited
*****************************
Thanks!
09-19-2016 10:29 PM
Hi,
First you need to enable DHCP snooping globally (you have not enabled it). Then you need to mark the interface where the original DHCP server is connected as "Trust". All other interfaces will be considered "Untrust". So DHCP offer packets are allowed only on a "Trust" interface. Any DHCP packet received on an "Untrust" interface will be dropped.
(config)#ip dhcp snooping
09-20-2016 01:34 AM
Hello,
Thanks! How about blocking this under DHCPv6? Is it like the following?
# config t
# ipv6 dhcp guard policy dhcpv6-guard
# device-role server
# interface fa0/1-16
# ipv6 dhcp guard attach-policy dhcpv6-guard
# end
In some material, an access-list and a prefix-list are created to specify which DHCP servers are allowed. But in my case I just want to block all of them, so I did not edit those two lists.
Thanks!
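A complete configuration for the two questions in this thread: the DHCPv4 snooping setup the reply describes (global enable, VLAN, one trusted uplink) and the DHCPv6 guard counterpart asked about afterwards. This is an added example, not from any poster; VLAN 10, Fa0/1 as the uplink to the legitimate server, the access-port range, the rate limit and the policy names are assumptions.

```cisco
! --- DHCPv4: DHCP snooping ---
! Enable the feature globally first; without this line the per-interface
! "trust" setting does nothing (the show output above reads "disabled").
ip dhcp snooping
! Snooping is per VLAN; enable it on the access VLAN(s) in use (VLAN 10 assumed).
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; turn it off unless the real DHCP
! server understands it, otherwise client requests may be discarded.
no ip dhcp snooping information option
!
! Uplink to the legitimate DHCP server (assumed Fa0/1): the only port allowed
! to send DHCPOFFER/DHCPACK into the switch.
interface FastEthernet0/1
 description Uplink to legitimate DHCP server
 ip dhcp snooping trust
!
! User ports stay untrusted (the default). Server messages arriving here are
! dropped; the rate limit (assumed 15 pps) throttles a host flooding DISCOVERs
! and err-disables the port if exceeded.
interface range FastEthernet0/2 - 24
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! --- DHCPv6: DHCPv6 guard (the IPv6 counterpart) ---
! A port with the "client" role drops DHCPv6 server messages (ADVERTISE/REPLY),
! which is what blocks a rogue server; only the uplink gets the "server" role.
! Policy names are assumed.
ipv6 dhcp guard policy DHCPv6-CLIENT
 device-role client
ipv6 dhcp guard policy DHCPv6-SERVER
 device-role server
!
interface FastEthernet0/1
 ipv6 dhcp guard attach-policy DHCPv6-SERVER
interface range FastEthernet0/2 - 24
 ipv6 dhcp guard attach-policy DHCPv6-CLIENT
!
! Verify: snooping should read "enabled", VLAN 10 listed, Fa0/1 trusted "yes".
! show ip dhcp snooping
! show ipv6 dhcp guard policy DHCPv6-CLIENT
```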