Concept Guide

ManualsBrandsDell ManualsAccess PlatformsNetworking S3100 Series

281

282

283

284

285

286

287

288

289

290

the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also

dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.

DHCP snooping is supported on Layer 2 and Layer 3 trac. DHCP snooping on Layer 2 interfaces does not require a relay agent.

NOTE: In DHCP relay agent, congure DHCP snooping such that the packet from DHCP client must not pass through DHCP

snooping-enabled switches twice before reaching the DHCP server.

Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain a list of

snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded

across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE

and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the

maximum limit of 4000 entries, new IP address assignments are allowed.

NOTE: DHCP server packets are dropped on all non-trusted interfaces of a system congured for DHCP snooping. To prevent

these packets from being dropped, congure ip dhcp snooping trust on the server-connected port.

DHCP Snooping for a Multi-Tenant Host

You can congure the DHCP snooping feature such that multiple IP addresses are expected for the same MAC address. You can use the

ip dhcp snooping command multiple times to map the same MAC address with dierent IP addresses. This conguration is also used

for dynamic ARP inspection (DAI) and source address validation (SAV). The DAI and SAV tables reect the same entries in the DHCP

snooping binding table.

NOTE

: If you enable DHCP Option 82 using the ip dhcp relay command, by default, the remote-ID eld contains the MAC

address of the relay agent. If you congure the remote ID as the host name in a VLT setup, congure dierent host names on

both VLT peers. If you congure the remote ID with your own string, ensure that your strings are dierent on both VLT peers.

DHCP Snooping in a VLT Setup

In a VLT setup, the DHCP snooping binding table synchronizes between the VLT nodes. Similarly, the DAI and SAV tables also synchronize

between VLT nodes. For this feature to work in a VLT setup, make sure that DHCP relay, DHCP snooping, SAV, and DAI congurations are

identical between the VLT peer nodes.

Enabling DHCP Snooping

To enable DHCP snooping, use the following commands.

1 Enable DHCP snooping globally.

CONFIGURATION mode

ip dhcp snooping

2 Specify ports connected to DHCP servers as trusted.

INTERFACE mode

INTERFACE PORT EXTENDER mode

ip dhcp snooping trust

3 Enable DHCP snooping on a VLAN.

CONFIGURATION mode

Dynamic Host

Conguration Protocol (DHCP) 287