DHCP snooping is a security feature that filters untrusted DHCP messages. It works correctly only when every port leading to a legitimate DHCP server is configured as a trusted interface; DHCP server messages arriving on an untrusted interface, such as those from a rogue DHCP server, are dropped.
This post describes configuration of DHCP snooping on an HP ProCurve 2610 switch.
Configuring DHCP Snooping
Configure the VLAN with an IP Helper Address for the DHCP Server
ip helper-address 192.168.20.20
Enable DHCP Snooping globally on the switch
Enable DHCP Snooping on the required VLANs
dhcp-snooping vlan 1-40
Configure the trusted interface the DHCP server is connected to
dhcp-snooping trust <INTERFACE>
Configure the authorised DHCP server (optional)
dhcp-snooping authorized-server <IP ADDRESS>
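The steps above assembled into one complete configuration session, as an added example rather than the original post's own config. The VLAN number (10), the trusted port (24) and the server address (192.168.20.20 on VLAN 20) are assumed values; the global enable command "dhcp-snooping" is not shown in the steps above and is taken from the ProCurve CLI, where the ip helper-address belongs under the client VLAN context.

```text
; Added example: DHCP snooping on a ProCurve 2610, assumed values only.
; VLAN 10 = client VLAN, 192.168.20.20 = DHCP server, port 24 = uplink
; over which the server's replies reach this switch.
configure
 vlan 10
  ip helper-address 192.168.20.20
  exit
 dhcp-snooping
 dhcp-snooping vlan 1-40
 dhcp-snooping trust 24
 dhcp-snooping authorized-server 192.168.20.20
 write memory
 show dhcp-snooping
 show dhcp-snooping stats
```

The port to trust is whichever port the server's OFFER and ACK messages arrive on; when the server is reached through an ip helper-address on a router, that is normally the uplink to the router rather than a port with a server plugged straight in. Client DISCOVER and REQUEST messages are still accepted on untrusted ports, so only server-side messages on untrusted ports are dropped.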
When DHCP snooping is configured, a packet from a DHCP server is valid only if it arrives on a trusted port/interface and, where an authorized server list exists, has a source address in that list. Configuring an authorized server is optional; if none is configured, any DHCP server on a trusted port is considered valid.
To view the DHCP snooping configuration, use the command "show dhcp-snooping"; it lists the global state, the snooped VLANs, the trusted ports and the authorized servers.
Use the "show dhcp-snooping stats" command to display counters for packets processed and dropped by the DHCP snooping process.
If the DHCP server is connected to a port/interface that is NOT defined as a trusted port, client computers will not receive an IP address. The "show dhcp-snooping stats" output will help confirm that the server's replies were dropped because they arrived on an untrusted port.