44 Switching ConfigurationDHCP SnoopingDynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCPmessages between a DHCP client and DHCP server to:• Filter harmful DHCP messages• Build a bindings database of (MAC address, IP address, VLAN ID, port) authorized tuples.DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default.Network administrators can enable DHCP snooping globally and on specific VLANs. They can alsoconfigure ports within the VLAN to be trusted or untrusted. DHCP servers must be reached throughtrusted ports.DHCP snooping enforces the following security rules:• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK,DHCPRELEASEQUERY) are dropped if received on an untrusted port.• DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC addresses in the snoopingdatabase, but the binding's interface is other than the interface where the message was received.• On untrusted interfaces, the switch drops DHCP packets with a source MAC address that does notmatch the client hardware address. This is a configurable option.Dynamic ARP Inspection uses the DHCP snooping bindings database to validate ARP packets.To prevent DHCP packets being used as a DoS attack when DHCP snooping is enabled, the snoopingapplication enforces a rate limit for DHCP packets received on interfaces. DHCP snooping monitors thereceive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snoopingbrings down the interface. The user must do “no shutdown” on this interface to further work with thatport. The user can configure both the rate and the burst interval.The hardware rate limits DHCP packets sent to the CPU from interfaces to 64 kbps.The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE andDHCPDECLINE messages, the application compares the receive interface and VLAN with the clientinterface and VLAN in the bindings database. If the interfaces do not match, the application logs theevent and drops the message. For valid client messages, DHCP snooping compares the source MACaddress to the DHCP client hardware address. When there is a mismatch, DHCP snooping logs anddrops the packet. The network administrator can disable this feature using the no ip dhcp snoopingverify mac-address command. DHCP snooping forwards valid client messages on trusted memberswithin the VLAN. If DHCP relay co-exists with DHCP snooping, DHCP client messages are sent toDHCP relay for further processing.The DHCP snooping application uses DHCP messages to build and maintain the binding's database.The binding's database only includes data for clients on untrusted ports. DHCP snooping creates atentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to aport (the port where the DHCP client message was received). Tentative bindings are completed whenDHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP