DHCP snooping - global

Information

DHCP snooping protects the network from common DHCP attacks, including address spoofing resulting from a rogue DHCP server operating on the network, or exhaustion of addresses on a DHCP server caused by mass address requests by an attacker on the network. The feature works by designating trusted DHCP servers and ports on which DHCP requests and responses will be accepted.

Solution

To enable DHCPv4 snooping globally:

switch(config)# dhcp-snooping

If using DHCPv6, this is the equivalent command:

switch(config)# dhcpv6-snooping

Once DHCP snooping is globally enabled, the following commands specify the DHCP server at 10.100.0.254 as an authorized server and designate port 8 on the switch (the port through which the authorized DHCP server is reached) as a trusted port:

switch(config)# dhcp-snooping authorized-server 10.100.0.254
switch(config)# dhcp-snooping trust 8

Lastly, enable DHCP snooping on client VLANs to be protected:

switch(config)# dhcp-snooping vlan 100,110

With this configuration, DHCP packets received from an unauthorized DHCP server on any port, or from any DHCP server (including the authorized server) on an untrusted port, will be dropped.
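The following Python script is an added example and is not part of the original audit item, nor code from HPE or Tenable. It parses a running-config excerpt for the four dhcp-snooping commands shown above, reports which parts of the configuration are missing, and models the drop rule stated in the previous paragraph (reply from an unauthorized server on any port, or from any server on an untrusted port, is dropped). The sample configuration is constructed, and the assumption that trusted ports and VLANs are written as comma-separated lists (VLANs optionally as ranges) is the author's own, not taken from the page.

```python
"""Audit a switch running-config for the DHCP snooping settings discussed above,
and model the accept/drop decision for DHCP server replies.

Added example; the command syntax follows the page, the config sample is constructed."""

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname "access-sw-1"
dhcp-snooping
dhcp-snooping authorized-server 10.100.0.254
dhcp-snooping trust 8
dhcp-snooping vlan 100,110
vlan 100
   name "users"
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '100,110' or '100-102,110' into a set of ints.
    Assumption: comma-separated entries, optional 'lo-hi' ranges."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_dhcp_snooping(config_text):
    """Collect the DHCP snooping state from the config lines the page describes."""
    state = {"enabled": False, "authorized_servers": [], "trusted_ports": [], "vlans": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "dhcp-snooping":
            state["enabled"] = True
        elif line.startswith("dhcp-snooping authorized-server "):
            state["authorized_servers"].append(line.split()[2])
        elif line.startswith("dhcp-snooping trust "):
            # Assumption: port list is comma-separated port names such as '8' or '8,9'.
            state["trusted_ports"].extend(line.split()[2].split(","))
        elif line.startswith("dhcp-snooping vlan "):
            state["vlans"].update(expand_vlan_list(line.split()[2]))
    return state


def audit_dhcp_snooping(config_text, required_vlans):
    """Return a list of findings; an empty list means the config matches the solution."""
    st = parse_dhcp_snooping(config_text)
    findings = []
    if not st["enabled"]:
        findings.append("dhcp-snooping is not globally enabled")
    if not st["authorized_servers"]:
        findings.append("no authorized DHCP server configured")
    if not st["trusted_ports"]:
        # Without a trusted port, even the authorized server's replies are dropped.
        findings.append("no trusted port configured; authorized server replies would be dropped")
    missing = set(required_vlans) - st["vlans"]
    if missing:
        findings.append("client VLANs not protected: " + ",".join(str(v) for v in sorted(missing)))
    return findings


def server_reply_dropped(server_ip, ingress_port, state):
    """Model the drop rule: a DHCP server reply is accepted only when the source is an
    authorized server AND it arrives on a trusted port; everything else is dropped."""
    if server_ip not in state["authorized_servers"]:
        return True  # rogue server, dropped on any port
    if ingress_port not in state["trusted_ports"]:
        return True  # right server, wrong (untrusted) port
    return False


if __name__ == "__main__":
    problems = audit_dhcp_snooping(SAMPLE_CONFIG, [100, 110])
    print("findings:", problems or "none")
    st = parse_dhcp_snooping(SAMPLE_CONFIG)
    for ip, port in [("10.100.0.254", "8"), ("10.100.0.254", "9"), ("10.0.0.1", "8")]:
        verdict = "drop" if server_reply_dropped(ip, port, st) else "accept"
        print(f"reply from {ip} on port {port}: {verdict}")
```

Run it against a saved `show running-config` output to see which of the four settings is absent; the drop model is useful when explaining to operators why a legitimate server that is reached through an untrusted port stops handing out leases after snooping is enabled.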

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: ArubaOS

Control ID: 36bc448bcaf25cb57965e74842dd8fc18bafc4bf5f5ff739b6ce4c4bf5009238