DHCP snooping - port trust and VLANs


DHCP snooping protects the network from common DHCP attacks, including address spoofing resulting from a rogue DHCP server operating on the network, or exhaustion of addresses on a DHCP server caused by mass address requests from an attacker on the network. The feature works by designating trusted DHCP servers and ports on which DHCP requests and responses will be accepted.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To enable DHCPv4 snooping globally:

switch(config)# dhcp-snooping

If using DHCPv6, this is the equivalent command:

switch(config)# dhcpv6-snooping

Once DHCP snooping is globally enabled, the following commands specify the DHCP server at as an authorized server and designate port 8 on the switch (the port from which the authorized DHCP server can be reached) as a trusted port:

switch(config)# dhcp-snooping authorized-server
switch(config)# dhcp-snooping trust 8

Lastly, enable DHCP snooping on client VLANs to be protected:

switch(config)# dhcp-snooping vlan 100,110

With this configuration, DHCP packets received from an unauthorized DHCP server on any port, or from any DHCP server (including the authorized server) on an untrusted port, will be dropped.
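The following script is an added example for checking the outcome described above against a saved running configuration; it is not part of the Tenable benchmark or of ArubaOS. It assumes the running config echoes the same four command forms shown on this page (`dhcp-snooping`, `dhcp-snooping authorized-server <ip>`, `dhcp-snooping trust <ports>`, `dhcp-snooping vlan <list>`, plus `dhcpv6-snooping`), and the hostname, server address and VLAN names in the sample are constructed values. The check reports the gaps a reviewer cares about: snooping not enabled, no authorized server, an uplink left untrusted, a trusted port that is not an uplink (a path a rogue server could use), and a client VLAN left unprotected.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt. The hostname, the server
# address 10.0.0.5 and the VLAN names are assumptions for this example,
# not values taken from the page.
SAMPLE_CONFIG = """\
hostname "access-sw-01"
vlan 100
   name "clients-a"
vlan 110
   name "clients-b"
dhcp-snooping
dhcp-snooping authorized-server 10.0.0.5
dhcp-snooping trust 8
dhcp-snooping vlan 100,110
"""


@dataclass
class SnoopingState:
    enabled: bool = False            # dhcp-snooping (global, DHCPv4)
    enabled_v6: bool = False         # dhcpv6-snooping (global, DHCPv6)
    authorized_servers: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    vlans: set = field(default_factory=set)


def expand_ranges(spec):
    """Expand a VLAN list such as '100,110,200-202' into a set of ints."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_dhcp_snooping(config_text):
    """Collect the DHCP snooping state from running-config text."""
    state = SnoopingState()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "dhcp-snooping":
            state.enabled = True
        elif line == "dhcpv6-snooping":
            state.enabled_v6 = True
        elif m := re.match(r"dhcp-snooping authorized-server (\S+)$", line):
            state.authorized_servers.add(m.group(1))
        elif m := re.match(r"dhcp-snooping trust (\S+)$", line):
            # Port identifiers may be alphanumeric (e.g. A1), so keep them
            # as strings and only split on commas.
            state.trusted_ports.update(p.strip() for p in m.group(1).split(","))
        elif m := re.match(r"dhcp-snooping vlan (\S+)$", line):
            state.vlans.update(expand_ranges(m.group(1)))
    return state


def check_compliance(state, client_vlans, uplink_ports):
    """Return a list of findings; an empty list means the config matches intent.

    client_vlans: VLAN ids that must be protected by snooping.
    uplink_ports: the only ports from which a DHCP server may be reached.
    """
    findings = []
    if not state.enabled:
        findings.append("DHCP snooping is not enabled globally")
    if not state.authorized_servers:
        findings.append("no authorized DHCP server configured")
    missing_trust = set(uplink_ports) - state.trusted_ports
    if missing_trust:
        findings.append(f"uplink ports not trusted: {sorted(missing_trust)}")
    extra_trust = state.trusted_ports - set(uplink_ports)
    if extra_trust:
        findings.append(f"trusted ports that are not uplinks: {sorted(extra_trust)}")
    unprotected = set(client_vlans) - state.vlans
    if unprotected:
        findings.append(f"client VLANs without snooping: {sorted(unprotected)}")
    return findings


if __name__ == "__main__":
    st = parse_dhcp_snooping(SAMPLE_CONFIG)
    for f in check_compliance(st, client_vlans={100, 110}, uplink_ports={"8"}) or ["compliant"]:
        print(f)
```

Run it against a `show running-config` capture instead of `SAMPLE_CONFIG`, with `client_vlans` and `uplink_ports` set from your own design documentation; a finding for a trusted port that is not an uplink is the one most worth following up, because it recreates exactly the rogue-server exposure the page describes.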

Item Details


References: 800-53|SC-5

Plugin: ArubaOS

Control ID: 064dcf0a51eba69c9e17b9ba4e90ad931cbbf058037d07cc617737379edcce30