A Guide to Configuring and Troubleshooting DHCP Snooping
by Darin Knobbe on Jul 9, 2020 1:45:00 PM
During the course of network operations, DHCP snooping issues have often come up from our clients and their engineering teams. When they describe their situation, it usually comes down to familiarity with DHCP and the confidence to handle these conditions. Today we outline a resource focused on DHCP snooping troubleshooting and configuration.
DHCP snooping issues mostly arise from adding a new device to the environment without erasing its previous configuration, from man-in-the-middle attacks, and from bring-your-own-device (BYOD) policies. Overall, DHCP snooping acts like a firewall between trusted and untrusted DHCP servers and devices. We'll outline how you can configure trusted and untrusted zones manually, as well as a full approach to DHCP snooping.
As a layer 2 security technology incorporated into the switch operating system, DHCP snooping prevents unauthorized DHCP servers from offering IP addresses to DHCP clients.
How DHCP Snooping Works
Dynamic Host Configuration Protocol (DHCP) is at the heart of assigning IP addresses. The keyword in DHCP is "protocol": the guiding rules and process for Internet connections for everyone, everywhere. DHCP is consistent, accurate and works the same for every computer. DHCP snooping performs the activities below to handle DHCP issues in production networks. By default, DHCP snooping is disabled. The first step is to enable it per VLAN, after which the snooping feature:
- Checks DHCP messages received from untrusted sources and filters out all invalid messages
- Maintains the DHCP snooping binding database, which contains the untrusted hosts with their leased IP address information
- Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts
Licensing Requirements for DHCP Snooping
| Product | License Requirement |
|---------|---------------------|
| NX-OS | DHCP snooping requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge. |
Let's Dive Into the Configuration
DHCP Snooping Configurations
You can configure DHCP snooping in 5 simple steps.
First, enable DHCP snooping globally with the following command:
Next, specify the VLAN you want to secure through DHCP snooping:
Add VLANs with the following command:
Now, configure the port facing the DHCP server as trusted with the following command:
The final basic step is to verify the configuration with a show command, which is also helpful during troubleshooting.
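The five steps above, carried through as an added Cisco IOS example that is not the original post's own configuration listing. It assumes VLAN 10 is the client VLAN, GigabitEthernet1/0/1 is the uplink toward the legitimate DHCP server, and GigabitEthernet1/0/2 - 24 are client access ports; the per-port rate limit and the errdisable recovery line go beyond the five steps and are the usual companions of a snooping deployment.

```cisco
! Added example (not from the original post). Assumed values: VLAN 10 carries clients,
! Gi1/0/1 is the uplink toward the legitimate DHCP server, Gi1/0/2 - 24 are client ports.

! Step 1: enable DHCP snooping globally
Switch(config)# ip dhcp snooping

! Steps 2 and 3: name the VLAN(s) to protect (a single VLAN, a list or a range is accepted)
Switch(config)# ip dhcp snooping vlan 10

! Step 4: trust only the port that leads to the real DHCP server.
! A DHCPOFFER or DHCPACK arriving on any other (untrusted) port is dropped.
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# description Uplink toward DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Client ports stay untrusted (the default). Cap the DHCP packet rate per port so a
! flood of DISCOVERs from one host cannot exhaust the address pool or the switch CPU.
Switch(config)# interface range GigabitEthernet1/0/2 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit

! A port that exceeds the rate is placed in err-disabled state; let it recover on its
! own so one misbehaving host does not require a manual reset.
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# end

! Step 5: verify. The first command lists the snooping state per VLAN and the trust and
! rate settings per interface; the second shows the binding database built from snooped
! leases (MAC address, IP address, lease time, VLAN and port).
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

If another switch sits between this one and the DHCP server, the inter-switch link on that switch must be trusted as well, or the offers relayed through it are dropped on the way back to the clients.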
DHCP Snooping Troubleshooting
As mentioned above, the basic configurations help prepare for troubleshooting and make the process simple and straightforward. Here we walk through examples of three common switch IOS error messages.
Error 1
DHCP Error Debug Log:
If you observe Error 1 in a production network, use the command "ip dhcp relay information trusted" to tell the switch to ignore the unset giaddr field in the DHCP packet. You can also disable option 82 insertion with the "no ip dhcp-snooping information option" command in global configuration mode.
Error 2
DHCP Error Debug Log:
Your console messages may show Error 2. In this case, DHCP snooping has detected a device connected to your switch attempting a denial-of-service attack against another host in the network or on the same switch, so the packet is dropped.
Recommended Action: This is an informational message that appears only in the console logs. No action is required.
Error 3
DHCP Error Debug Log:
Error 3 messages are very serious for your production network. They indicate that a client is being spoofed and a rogue DHCP server is in operation. In this case, trace the rogue DHCP server as soon as possible and disable its port. You can trace a fake DHCP server by its MAC address or IP address (i.e., show mac-address (DHCP MAC) and show ip arp (DHCP IP)). If you have a valid contract with PivIT Global's OneCall maintenance team, contact us to avoid any disturbance in your production network.
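The tracing procedure for Error 3, as an added Cisco IOS example that is not part of the original post. It assumes constructed values: the rogue server answers from MAC address 0011.2233.4455 and IP address 192.0.2.50, and turns out to sit behind GigabitEthernet1/0/7; the ticket reference in the port description is a placeholder.

```cisco
! Added example (not from the original post). Assumed values: rogue server at
! MAC 0011.2233.4455 / IP 192.0.2.50, later found behind Gi1/0/7.

! The snooped bindings show which clients took a lease, on which VLAN and port;
! a lease from an address range the real server does not own points at a rogue.
Switch# show ip dhcp snooping binding

! Packets dropped on untrusted ports are counted here; rising drop counters confirm
! that snooping is actually blocking the rogue's offers.
Switch# show ip dhcp snooping statistics

! Find the port behind the rogue server's MAC address ...
Switch# show mac address-table address 0011.2233.4455

! ... or, if only its IP address is known, resolve the MAC through the ARP table first
Switch# show ip arp 192.0.2.50

! Isolate the port once it is identified, and record why so the next engineer knows
Switch(config)# interface GigabitEthernet1/0/7
Switch(config-if)# description DISABLED - rogue DHCP server, see ticket <TICKET-ID>
Switch(config-if)# shutdown
Switch(config-if)# end
```

The MAC lookup is the reliable path: the ARP table only holds the rogue's IP address if the switch itself has exchanged traffic with it, whereas the MAC address table is populated by any frame the rogue sends.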
About PivIT Global
PivIT Global provides the support you need through infrastructure, maintenance, and professional services. Contact us today to chat more about DHCP snooping or how we can support you through our third-party maintenance and field services offerings.