Reference Guide

334 | Dynamic Host Configuration Protocol (DHCP)
www.dell.com | support.dell.com
DHCP Snooping
DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either
trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers
cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
When DHCP Snooping is enabled, the relay agent builds a binding table from DHCPACK messages. Each entry
contains the client MAC address, IP address, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or
releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK)
that arrive on an untrusted port are also dropped. This checkpoint prevents an attacker from impersonating
a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or when the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE for that binding.
Note: DHCP server packets are dropped on all untrusted interfaces of a system configured for DHCP
snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the
server-connected port.
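The following Python simulation is an added illustration of the binding-table rules described above; it is not Dell code and does not model any particular switch. The packet dictionary fields (msg, ingress, trusted, mac, ip, vlan, client_port, lease) and the clock values are constructed for the example; the switch is assumed to already know the client's port from the earlier DHCPDISCOVER/REQUEST.

```python
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}
CHECKED_CLIENT_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class Binding:
    """One binding-table row, learned from a DHCPACK seen on a trusted port."""
    mac: str
    ip: str
    port: str        # port the client sits on, not the server port
    vlan: int
    expires_at: int  # seconds on a constructed clock; lease expiry


def expire_leases(table, now):
    """Remove bindings whose lease time has run out."""
    for key in [k for k, b in table.items() if b.expires_at <= now]:
        del table[key]


def snoop(table, pkt, now):
    """Apply the snooping rules to one packet and return the action taken.

    table: dict (mac, vlan) -> Binding
    pkt:   constructed dict: msg, ingress, trusted, mac, ip, vlan,
           plus client_port and lease for a DHCPACK
    """
    expire_leases(table, now)
    key = (pkt["mac"], pkt["vlan"])
    if pkt["msg"] in SERVER_MSGS:
        if not pkt["trusted"]:
            return "drop"          # server message on an untrusted port
        if pkt["msg"] == "DHCPACK":
            table[key] = Binding(pkt["mac"], pkt["ip"], pkt["client_port"],
                                 pkt["vlan"], now + pkt["lease"])
        return "forward"
    if pkt["msg"] in CHECKED_CLIENT_MSGS:
        b = table.get(key)
        if b and b.ip == pkt["ip"] and b.port == pkt["ingress"]:
            del table[key]         # genuine client: remove its binding
            return "forward"
        return "forward-for-validation"   # MAC-IP or port mismatch
    return "forward"               # DISCOVER/REQUEST etc. pass through
```

A DHCPACK arriving on an untrusted port is dropped before it can create a binding, and a release sent from a port other than the one the binding was learned on leaves the real client's binding intact.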