Configuring DHCP Snooping on HP ProCurve Switches

DHCP snooping is a security feature that filters untrusted DHCP messages. It works when the interfaces of all DHCP servers connected to the switch are configured as trusted. When a rogue DHCP server is connected to an untrusted interface, DHCP snooping will drop its DHCP packets.

This post describes configuration of DHCP snooping on an HP ProCurve 2610 switch.

Configuring DHCP Snooping

 

Configure the VLAN with an IP Helper Address for the DHCP Server

vlan 1

ip helper-address 192.168.20.20

Enable DHCP Snooping globally on the switch

dhcp-snooping

Enable DHCP Snooping on the required VLANs

dhcp-snooping vlan 1-40

Configure the Trusted interface the DHCP Server is connected to

dhcp-snooping trust <INTERFACE>

Configure Authorised DHCP Server

dhcp-snooping authorized-server <IP ADDRESS>

When DHCP Snooping is configured, a packet from a DHCP server must originate from the “Trusted” port/interface and have a source address defined in the authorized server list to be valid. Configuring an authorized server is optional; if none is configured, all servers are considered to be valid.
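As an added example (not from the original post), the following Python script audits a switch configuration against the steps above and applies the validity rule for DHCP server packets. The configuration text is constructed, the function names are hypothetical, and the parser assumes numeric port numbers and only the command forms shown in this post.

```python
import re

# Constructed running-config excerpt, limited to the commands in this post.
SAMPLE_CONFIG = """\
vlan 1
   ip helper-address 192.168.20.20
vlan 50
   ip helper-address 192.168.20.20
dhcp-snooping
dhcp-snooping vlan 1-40
dhcp-snooping trust 24
"""

def expand(spec):
    """Expand '1-40' or '1,5-7' into a set of ints (numeric ports assumed)."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in re.split(r"[,\s]+", spec.strip())):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Collect DHCP snooping state from the config text."""
    s = {"enabled": False, "vlans": set(), "trusted": set(),
         "servers": set(), "relay_vlans": set()}
    vlan = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif line.startswith("ip helper-address ") and vlan is not None:
            s["relay_vlans"].add(vlan)
        elif line == "dhcp-snooping":
            s["enabled"] = True
        elif m := re.fullmatch(r"dhcp-snooping (vlan|trust) (.+)", line):
            s["vlans" if m[1] == "vlan" else "trusted"] |= expand(m[2])
        elif m := re.fullmatch(r"dhcp-snooping authorized-server (\S+)", line):
            s["servers"].add(m[1])
    return s

def audit(s):
    """List gaps against the steps in the post."""
    checks = [(s["enabled"], "dhcp-snooping not enabled globally"),
              (s["trusted"], "no trusted port: every server reply is dropped"),
              (s["servers"], "no authorized-server: any server on a trusted port is valid")]
    return [msg for ok, msg in checks if not ok] + [
        f"vlan {v} relays DHCP but is not snooped"
        for v in sorted(s["relay_vlans"] - s["vlans"])]

def server_packet_valid(s, port, src_ip):
    """Rule from the post: trusted port, and listed source if a list exists."""
    return port in s["trusted"] and (not s["servers"] or src_ip in s["servers"])
```

Running audit(parse(SAMPLE_CONFIG)) reports the missing authorized server and the relayed VLAN 50 that falls outside the snooped range 1-40.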

To view the DHCP Snooping configuration, use the command “show dhcp-snooping”, which details all the relevant information.

Use the “show dhcp-snooping stats” command to display information about the DHCP snooping process.

Troubleshooting

If the DHCP server is connected to a port/interface that is NOT defined as a trusted port, client computers will not receive an IP address. The “show dhcp-snooping stats” command will assist in identifying that the packet was dropped because the destination was connected on an untrusted port.
