LAN Security - DHCP Snooping


Posted by SwitchBackup Team - Thursday, 7 January 2016 13:04:44

There are many security functions implemented in LAN switches that help us protect our LAN. Start using them!

To protect the local network against a rogue DHCP server (an unauthorized, false DHCP server), DHCP Snooping is usually available. It lets us specify which switch ports may pass DHCP server replies coming from our own DHCP server; on all other ports, server replies are dropped. These are usually the trunk (uplink) ports and, of course, the ports connected directly to the DHCP server.

A: identify all ports towards the official DHCP server, turn the DHCP snooping function on globally and set trust on the ports towards the DHCP servers. For example, to trust port gi 1/0/24, use:


configure terminal
  ip dhcp snooping
  interface gi 1/0/24
    ip dhcp snooping trust
end

B: in more complex networks, option 82 in the DHCP request is usually used to identify the source network segment (so the server can pick the right DHCP scope). That is why the recommended setting on core and distribution layer switches (non-endpoint switches) is to accept requests that already carry option 82 from other switches, even when they arrive on ports that are not marked trusted, by issuing:


configure terminal
  ip dhcp snooping information option allow-untrusted
end

C: finally, enable the function on the VLANs it should protect, for example VLANs 10 to 20:


configure terminal
  ip dhcp snooping vlan 10-20
end
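As an added example (not part of the original post and not a Cisco tool), a small Python audit that parses a saved running-config for the three settings above and flags the mistakes a defender cares about: snooping left off, no VLAN covered, a trust mark on a port that is not a known uplink or DHCP server port, or an uplink left untrusted. The config text and port names are constructed; parsing assumes the usual `show running-config` layout where interface sub-commands are indented by one space.

```python
# Constructed sample 'show running-config' excerpt (not from a real switch).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10-20
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10-12,30' into {10, 11, 12, 30}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, expected_trusted):
    """Parse the snooping settings and flag: snooping off, no VLAN covered,
    a port trusted that is not a known uplink/server port, or such a port untrusted."""
    state = {"global": False, "vlans": set(), "allow_untrusted": False,
             "trusted": [], "findings": []}
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]          # entering an interface block
        elif not line.startswith(" "):
            iface = None                             # back at global level
            if line == "ip dhcp snooping":
                state["global"] = True
            elif line.startswith("ip dhcp snooping vlan "):
                state["vlans"] |= expand_vlans(line.split("vlan ", 1)[1])
            elif line == "ip dhcp snooping information option allow-untrusted":
                state["allow_untrusted"] = True
        elif iface and line.strip() == "ip dhcp snooping trust":
            state["trusted"].append(iface)
            if iface not in expected_trusted:
                state["findings"].append(f"{iface} is trusted but is not a known uplink or DHCP server port")
    if not state["global"]:
        state["findings"].append("DHCP snooping is not enabled globally")
    if not state["vlans"]:
        state["findings"].append("DHCP snooping is not enabled on any VLAN")
    for port in set(expected_trusted) - set(state["trusted"]):
        state["findings"].append(f"{port} carries DHCP replies but is not trusted; they will be dropped")
    return state
```

Run it against the real `show running-config` output of each access switch, with the uplink and DHCP server ports as `expected_trusted`; any finding about an access port being trusted is exactly the hole a rogue DHCP server would slip through.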


When you have successfully applied DHCP snooping protection to your network, do not stop. The next step is to apply Dynamic ARP Inspection, which uses the binding table built by DHCP snooping to protect LAN clients against man-in-the-middle attacks. Stay tuned!

See:

Configuring DHCP Features on Cisco.com - http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_25_see/configuration/guide/scg/swdhcp82.pdf