• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP snooping can be enabled globally and on a per-VLAN basis. By default, the feature is disabled globally
and on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
Trusted and Untrusted Sources
You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic
attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted
sources.
In an enterprise network, a trusted source is a device that is under your administrative control. These devices
include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network
is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source
(such as a customer switch). Host ports are untrusted sources.
In the Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting
interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted.
You can also configure other interfaces as trusted if they connect to devices (such as switches or routers)
inside your network. You usually do not configure host port interfaces as trusted.
Note
For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted
interfaces.
DHCP Snooping Binding Database
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and
maintains a database. The database contains an entry for each untrusted host with a leased IP address if the
host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for
hosts connected through trusted interfaces.
Note
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
DHCP snooping updates the database when the device receives specific DHCP messages. For example, the
feature adds an entry to the database when the device receives a DHCPACK message from the server. The
feature removes the entry in the database when the IP address lease expires or the device receives a
DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP
address, the lease time, the binding type, and the VLAN number and interface information associated with
the host.
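The following toy model, added here as an illustration and not NX-OS code, walks through the rules stated in the two sections above: server replies arriving on untrusted interfaces are filtered, a binding is created only for a host on an untrusted port when the server's DHCPACK is seen, no entry is kept for hosts behind trusted ports, and entries disappear on DHCPRELEASE or lease expiry. The message dictionaries, interface names and VLAN numbers are constructed for the example; checking that a DHCPRELEASE arrives on the same port as the lease it names is one assumed form of the "validate subsequent requests" step.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    ip: str
    lease_expires: int  # absolute time in seconds
    binding_type: str   # "dynamic" for entries learned from snooped leases
    vlan: int
    interface: str      # the untrusted interface the host is connected to

class DhcpSnoopingModel:
    """Toy model of the trust and binding rules described in the text (not NX-OS code)."""
    def __init__(self, snooped_vlans, trusted_interfaces):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted = set(trusted_interfaces)
        self.pending = {}   # (vlan, mac) -> untrusted interface where the client's request was seen
        self.bindings = {}  # (vlan, mac) -> Binding

    def handle(self, msg, now):
        """msg is a constructed dict: type, vlan, iface, mac, plus ip and lease for DHCPACK."""
        if msg["vlan"] not in self.snooped_vlans:
            return "forwarded"  # snooping is disabled on this VLAN: nothing inspected or learned
        key, trusted = (msg["vlan"], msg["mac"]), msg["iface"] in self.trusted
        if msg["type"] == "DHCPREQUEST":
            if not trusted:
                self.pending[key] = msg["iface"]  # remember which host port asked
            return "forwarded"
        if msg["type"] == "DHCPACK":
            if not trusted:
                return "dropped"  # a server reply arriving on an untrusted port is filtered
            iface = self.pending.pop(key, None)
            if iface is None:
                return "forwarded"  # client sits behind a trusted port: no entry is kept
            self.bindings[key] = Binding(msg["mac"], msg["ip"], now + msg["lease"],
                                         "dynamic", msg["vlan"], iface)
            return "forwarded"
        if msg["type"] == "DHCPRELEASE":
            b = self.bindings.get(key)
            if not trusted and b is not None and b.interface != msg["iface"]:
                return "dropped"  # release for a lease held on a different port is rejected
            self.bindings.pop(key, None)
            return "forwarded"
        return "forwarded"

    def expire(self, now):
        """Remove entries whose lease has run out, as lease expiry does in the binding database."""
        for key in [k for k, b in self.bindings.items() if b.lease_expires <= now]:
            del self.bindings[key]
```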