DHCP snooping
DHCP snooping protects the network from common DHCP attacks, including address spoofing resulting from a rogue DHCP server operating on the network, or exhaustion of addresses on a DHCP server caused by mass address requests by an attacker on the network. The feature works by designating trusted DHCP servers and ports on which DHCP requests and responses will be accepted.
To enable DHCPv4 snooping globally:
switch(config)# dhcp-snooping
If using DHCPv6, this is the equivalent command:
switch(config)# dhcpv6-snooping
Once DHCP snooping is globally enabled, the following commands specify the DHCP server at 10.100.0.254 as an authorized server and designate port 8 on the switch—the port from which the authorized DHCP server can be reached—as a trusted port:
switch(config)# dhcp-snooping authorized-server 10.100.0.254 switch(config)# dhcp-snooping trust 8
Lastly, enable DHCP snooping on client VLANs to be protected:
switch(config)# dhcp-snooping vlan 100,110
With this configuration, DHCP packets received from an unauthorized DHCP server on any port, or from any DHCP server (including the authorized server) on an untrusted port, will be dropped.