2 configuration dhcp snooping – CANOGA PERKINS 9175 Configuration Guide User Manual
CanogaOS Configuration Guide
ip address 5.5.5.2/24
!
Check the DHCP service status:
DUT#show services
Networking services configuration:
Service Name Status
============================================================
dhcp enable
Check the DHCP server group configuration:
DUT#show dhcp-server
DHCP server group information:
============================================================
group 1 ip address list:
[1] 4.4.4.1
Check the DHCP relay statistics:
DUT#show dhcp relay statistics
DHCP relay packet statistics:
============================================================
Client relayed packets: 20
Server relayed packets: 20
Client error packets: 20
Server error packets: 0
Bogus GIADDR drops: 0
Bad circuit ID packets: 0
Corrupted agent options: 0
Missing agent options: 0
Missing circuit IDs: 0
36.2 Configuring DHCP Snooping
36.2.1 Overview
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and
trusted DHCP servers. The DHCP snooping feature performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid
messages
• Builds and maintains the DHCP snooping binding database, which contains
information about untrusted hosts with leased IP addresses
• Uses the DHCP snooping binding database to validate subsequent requests
from untrusted hosts
Other security features, such as dynamic ARP inspection (DAI), also use information
stored in the DHCP snooping binding database. DHCP snooping is enabled on a
per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the
feature on a single VLAN or a range of VLANs. The DHCP snooping feature is
implemented in software. All DHCP messages are intercepted in the BAY and
directed to the CPU for processing.
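The three activities listed in the overview can be modelled in a few lines. The following Python sketch is an added example, not CanogaOS code: the validation rules (server messages accepted only on trusted ports, source MAC checked against chaddr, RELEASE/DECLINE checked against the binding database) are the commonly described DHCP snooping rules and are assumed here, and the port names, MAC and IP addresses are constructed.

```python
# Simplified model of DHCP snooping. The rules are the commonly described ones,
# not CanogaOS internals; port names, MACs and addresses are constructed samples.
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these
BOUND_TYPES = {"RELEASE", "DECLINE"}     # must match an existing binding

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class Snooper:
    def __init__(self, snooping_vlans, trusted_ports):
        self.vlans = set(snooping_vlans)   # snooping is enabled per VLAN
        self.trusted = set(trusted_ports)  # ports that face legitimate servers
        self.pending = {}                  # (vlan, mac) -> port of the requester
        self.bindings = {}                 # (vlan, mac) -> Binding

    def process(self, port, vlan, msg_type, chaddr, src_mac=None, yiaddr=None):
        """Return 'forward' or 'drop: <reason>' for one intercepted message."""
        if vlan not in self.vlans:
            return "forward"               # feature inactive on this VLAN
        key = (vlan, chaddr)
        if msg_type in SERVER_TYPES:
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg_type == "ACK" and key in self.pending:
                self.bindings[key] = Binding(chaddr, yiaddr, vlan, self.pending.pop(key))
            return "forward"
        if port in self.trusted:
            return "forward"               # trusted ports are not validated
        if src_mac is not None and src_mac != chaddr:
            return "drop: source MAC differs from chaddr"
        if msg_type in BOUND_TYPES:
            bound = self.bindings.get(key)
            if bound is None or bound.port != port:
                return "drop: no matching binding on this port"
            del self.bindings[key]
            return "forward"
        self.pending[key] = port           # DISCOVER / REQUEST from a client
        return "forward"

if __name__ == "__main__":
    s, mac = Snooper({10}, {"uplink"}), "00:00:5e:00:53:01"
    for m in [("access5", "DISCOVER"), ("access7", "OFFER"), ("uplink", "ACK"), ("access7", "RELEASE")]:
        print(m, s.process(m[0], 10, m[1], mac, yiaddr="192.0.2.10"))
```

The binding records MAC, IP, VLAN and port, which is the kind of per-host information a feature such as DAI can consult when it relies on the snooping database.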