On the test, I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party DHCP servers, on the other Cisco switches, the configuration is basically the same.
After connecting to the device immediately go to the configuration mode:
Enable DHCP Snooping in the desired VLAN:
ip dhcp snooping vlan 226-228,300-302
It is possible to disable the transfer of 82 options (it is standard on):
no ip dhcp snooping information option
Now let’s specify which interfaces are allowed to skip DHCP packets from the servers:
interface TenGigabitEthernet3/3 ip dhcp snooping trust exit interface GigabitEthernet1/4 ip dhcp snooping trust exit
You can cancel the command like this:
no ip dhcp snooping trust
You can specify the addresses of trusted DHCP servers:
ip dhcp-server 10.0.0.1 ip dhcp-server 10.0.0.2
Now enable DHCP Snooping:
ip dhcp snooping
Done, on the other interfaces, the DHCP servers will automatically be blocked.
I recommend that you pay attention to CPU loading after the last command, since in large L3 networks the processor can be heavily loaded.
You can set the DHCP packet limit that the interface can receive (default is not specified):
ip dhcp snooping limit rate
Let’s review the settings, and other information (exit the configuration mode by typing exit):
show ip dhcp snooping show ip dhcp snooping detect spurious show ip dhcp snooping binding show ip dhcp snooping database show ip dhcp snooping statistics clear ip dhcp snooping statistics
To view information in the configuration mode, you need to type before the “do” commands, for example:
do show ip dhcp snooping
You can also use the debugging mode for DHCP Snooping and see the recorded information in the logs:
debug ip dhcp snooping packet no debug ip dhcp snooping packet debug ip dhcp snooping event no debug ip dhcp snooping event show logging
I note that in large networks, the debugging mode can also heavily load the switch.
For Cisco Catalyst 6500 series switches, you can find the official documentation here – https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
See also other my articles with the tag DHCP Snooping.