DHCP Snooping is an important security mechanism against rogue DHCP servers and DHCP-based attacks (rogue offers, starvation floods). In this lesson, we will learn how to use this mechanism and how to configure DHCP Snooping on Cisco switches.
For our DHCP Snooping Configuration Example, we will use a simple topology: a router acting as the DHCP server, connected to FastEthernet 0/1 of the switch, with the DHCP clients on the other switch ports.
We will do the configuration step by step.
Firstly, we will configure the interface IP address of the router. The router will be our DHCP server, so this address will also be the default gateway of the clients. (The switch needs no IP address for DHCP Snooping itself.)
Router# config terminal
Router(config)# interface fastethernet 0/1
Router(config-if)# ip address 192.168.0.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)#
Secondly, we will create the DHCP Server with a DHCP pool named XYZ. Our DHCP Server will be the router above, and the pool will hand out addresses from the 192.168.0.0/24 block.
Router(config)# ip dhcp pool XYZ
Router(dhcp-config)# network 192.168.0.0 255.255.255.0
Router(dhcp-config)# end
Router# copy run start
Here, we will enable DHCP Snooping on the switch, which is the device that actually inspects the DHCP traffic. Two commands are involved: “ip dhcp snooping” turns the feature on globally, and “ip dhcp snooping vlan vlan-id” selects a specific VLAN or a range of VLANs to inspect. Note that on Catalyst switches the global command alone is not enough; snooping does nothing until at least one VLAN is listed. Here, we will start with the global enable.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# end
In the DHCP Snooping mechanism there are two port types, as we have discussed before in the DHCP Snooping lesson: trusted and untrusted. DHCP server messages (offers and acknowledgements) are accepted only on trusted ports and dropped on untrusted ones, so every port is untrusted by default and only the ports facing a legitimate DHCP server (or an uplink towards one) should be trusted. Here, simply, we will set one trusted port: the port on the switch that is connected to the DHCP Server (router).
We will go to the interface that is connected to the router and set it as trusted port with “ip dhcp snooping trust” command.
Switch(config)# interface fastethernet 0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# end
There is one more important configuration step here: the rate limit, which caps the number of DHCP packets an interface accepts per second and protects the switch against DHCP starvation floods. On Catalyst switches, exceeding the configured rate does not merely drop the excess traffic; the port is put into err-disabled state. For this reason the limit belongs on the untrusted host ports, and should be left off (or set much higher) on the trusted uplink to the DHCP server, otherwise a burst of legitimate traffic can disable your only path to the server. The command below is applied to the same interface purely to show its syntax. Here, let's set it to 20 packets per second.
Switch(config)# interface fastethernet 0/1
Switch(config-if)# ip dhcp snooping limit rate 20
Switch(config-if)# end
To verify our DHCP Snooping configuration, we can use the below verification commands:
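Putting the steps above together, here is the complete router and switch configuration with the verification commands, as an added example that is not part of the original page. It goes a little beyond the steps shown: it enables snooping on a VLAN (the global command alone inspects nothing), deals with option 82 (a Catalyst switch inserts it by default, and an IOS router acting as DHCP server drops such requests unless told to trust them), keeps the rate limit on the untrusted host ports, and lets err-disabled ports recover. The VLAN number (1), the host port range (fa0/2 - 24), the recovery interval and the database file name are assumptions for this example.

```cisco
! ===== Router: DHCP server (added example; fa0/1 faces the switch) =====
Router# configure terminal
Router(config)# interface fastethernet 0/1
Router(config-if)# ip address 192.168.0.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
! Keep the router's own address out of the pool and hand out a gateway
Router(config)# ip dhcp excluded-address 192.168.0.1
Router(config)# ip dhcp pool XYZ
Router(dhcp-config)# network 192.168.0.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.0.1
Router(dhcp-config)# exit
! Requests relayed by a snooping switch carry option 82 with giaddr 0.0.0.0;
! the IOS DHCP server drops them unless they are trusted here, or unless
! option-82 insertion is disabled on the switch (see the switch section).
Router(config)# ip dhcp relay information trust-all
Router(config)# end
Router# copy running-config startup-config

! ===== Switch: DHCP snooping (assumes clients on fa0/2-24 in VLAN 1) =====
Switch# configure terminal
! Global enable alone is not enough; snooping only inspects the listed VLANs
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1
! Alternative to trust-all on the router: stop inserting option 82 at all
Switch(config)# no ip dhcp snooping information option
! Only the uplink to the DHCP server is trusted, and it gets no rate limit
Switch(config)# interface fastethernet 0/1
Switch(config-if)# description Uplink to DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Host ports stay untrusted (the default): server messages arriving here are
! dropped, and a client flooding DISCOVERs is cut off at 20 packets/second
Switch(config)# interface range fastethernet 0/2 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 20
Switch(config-if-range)# exit
! Exceeding the limit err-disables the port; bring it back automatically
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# errdisable recovery interval 300
! Persist the binding table across reloads (DAI and IP Source Guard rely on it)
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db
Switch(config)# end
Switch# copy running-config startup-config

! ===== Verification =====
! Feature state per VLAN, option-82 setting, trusted ports and their rate limits
Switch# show ip dhcp snooping
! MAC, IP, lease time, VLAN and port of every client learned from OFFER/ACK
Switch# show ip dhcp snooping binding
! Counters of dropped packets and the reason (untrusted port, rate limit, ...)
Switch# show ip dhcp snooping statistics
! Ports knocked out by the rate limit
Switch# show interfaces status err-disabled
```

The binding table is the real product of DHCP Snooping: it only contains clients whose leases came through a trusted port, and a rogue server's offers on an untrusted port never populate it. The table is also the data source for Dynamic ARP Inspection and IP Source Guard, which is why it is worth writing it to flash.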