DHCP Snooping

What is DHCP Snooping?


CCNP 300-115 Switch
– 2.0 Infrastructure Security
– – 2.1a DHCP Snooping


What is it? DHCP Snooping is a Layer 2 security feature that inspects DHCP traffic passing through a switch.

What does it solve? It blocks unauthorized (rogue) DHCP servers. A rogue server can hand clients a bogus default gateway or DNS server and so redirect or intercept their traffic.

How does it solve the problem? The switch classifies each port as trusted or untrusted and drops DHCP messages that are not acceptable on the port they arrive on.

Terminology and Operation:

  • DHCP Snooping is designed to run on access switches, where the client ports are.
  • Untrusted ports connect to the clients. Once snooping is enabled, every port is untrusted by default.
  • Trusted ports lead toward the DHCP server (the uplink, or the port the server is attached to). Trusted ports require manual configuration; forgetting to trust the uplink means no client behind the switch can obtain an address.
  • Client messages (DHCP Discover, DHCP Request and so on) are forwarded from untrusted ports out the trusted ports that lead to the DHCP Server. Server messages arriving on an untrusted port are dropped.
  • DHCP Snooping builds a DHCP Snooping Binding Database from the exchanges it observes.

The DHCP Snooping Binding Database includes the following information for each client that obtained a lease through the switch:

  • Client MAC Address
  • Client IP Address
  • Lease Time
  • VLAN and the interface (untrusted port) the client is connected to

Client – messages allowed in on untrusted ports (forwarded out toward the trusted ports):

  • DHCP Discover
  • DHCP Request/Inform
  • DHCP Decline
  • DHCP Release

Server – messages allowed only when they ingress on trusted ports:

  • DHCP Offer
  • DHCP Ack
  • DHCP NAK

So if a DHCP Offer message arrives from a host connected to an untrusted port, the switch drops it: a server message is never accepted on an untrusted port, so a rogue server plugged into a client port cannot answer anyone.
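The forwarding decision and the binding database described above, modelled in Python as an added example (this is not code from the original notes or from Cisco IOS). It runs constructed sample traffic through the rules: client messages pass from untrusted ports, server messages pass only from trusted ports, bindings are learned from DHCPACK, a Release from a port other than the one in the binding is dropped, and a port that exceeds its rate limit is err-disabled. The class and field names (DhcpSnoopingSwitch, DhcpMsg, Binding) and the sample MAC addresses, ports and addresses are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types: option 53 values from RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass
class DhcpMsg:                   # one DHCP packet as seen by the switch (assumed layout)
    msg_type: int
    src_mac: str                 # Ethernet source address
    chaddr: str                  # client hardware address inside the DHCP payload
    vlan: int
    port: str                    # ingress interface
    yiaddr: str = "0.0.0.0"      # address offered/assigned, set by the server
    lease: int = 0               # option 51, seconds
    option82: bool = False       # relay agent information option present


@dataclass
class Binding:                   # one row of the snooping binding database
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


class DhcpSnoopingSwitch:
    def __init__(self, vlans, trusted_ports, limit_rate=None):
        self.vlans = set(vlans)                  # VLANs with snooping enabled
        self.trusted = set(trusted_ports)        # everything else is untrusted
        self.limit_rate = limit_rate             # packets/second per untrusted port
        self.bindings = {}                       # (vlan, mac) -> Binding
        self.pending = {}                        # (vlan, mac) -> client port awaiting ACK
        self.errdisabled = set()
        self._rate = defaultdict(lambda: [None, 0])  # port -> [second, count]

    def process(self, m, now=0):
        """Return "forward" or "drop: <reason>" for one DHCP packet."""
        if m.vlan not in self.vlans:
            return "forward"                     # VLAN not snooped: no inspection
        if m.port in self.errdisabled:
            return "drop: port err-disabled"
        key = (m.vlan, m.chaddr)
        if m.port in self.trusted:
            # Server side: learn a binding from DHCPACK, using the port the
            # client's Discover/Request came in on; a NAK clears the attempt.
            if m.msg_type == ACK and key in self.pending:
                self.bindings[key] = Binding(m.chaddr, m.yiaddr, m.vlan,
                                             self.pending.pop(key), m.lease)
            elif m.msg_type == NAK:
                self.pending.pop(key, None)
            return "forward"
        # Untrusted (client-facing) port from here on
        if self.limit_rate and self._over_limit(m.port, now):
            self.errdisabled.add(m.port)
            return "drop: rate limit exceeded, port err-disabled"
        if m.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if m.option82:
            return "drop: option 82 on untrusted port"
        if m.src_mac != m.chaddr:                # like 'ip dhcp snooping verify mac-address'
            return "drop: source MAC does not match chaddr"
        if m.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b and b.port != m.port:           # spoofed release from another port
                return "drop: release/decline from wrong interface"
            self.bindings.pop(key, None)
        elif m.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = m.port
        return "forward"

    def _over_limit(self, port, now):
        window = self._rate[port]
        if window[0] != int(now):
            window[0], window[1] = int(now), 0
        window[1] += 1
        return window[1] > self.limit_rate


def demo():
    """Constructed traffic: client on Gi1/0/5, rogue server on Gi1/0/7,
    real server behind trusted uplink Gi1/0/24, a flooder on Gi1/0/9."""
    sw = DhcpSnoopingSwitch(vlans=[10], trusted_ports=["Gi1/0/24"], limit_rate=15)
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
    results = [
        sw.process(DhcpMsg(DISCOVER, client, client, 10, "Gi1/0/5")),
        sw.process(DhcpMsg(OFFER, rogue, client, 10, "Gi1/0/7", yiaddr="10.0.0.66")),
        sw.process(DhcpMsg(OFFER, server, client, 10, "Gi1/0/24", yiaddr="10.0.0.20")),
        sw.process(DhcpMsg(REQUEST, client, client, 10, "Gi1/0/5")),
        sw.process(DhcpMsg(ACK, server, client, 10, "Gi1/0/24", yiaddr="10.0.0.20", lease=86400)),
        sw.process(DhcpMsg(RELEASE, client, client, 10, "Gi1/0/7")),   # spoofed release
        sw.process(DhcpMsg(DISCOVER, client, client, 10, "Gi1/0/5", option82=True)),
    ]
    flooder = "02:00:00:00:00:01"
    flood = [sw.process(DhcpMsg(DISCOVER, flooder, flooder, 10, "Gi1/0/9"), now=5)
             for _ in range(20)]
    return sw, results, flood


if __name__ == "__main__":
    sw, results, flood = demo()
    for r in results + flood[14:17]:
        print(r)
    print(sw.bindings)
```

The model keeps the asymmetry that matters: the trusted side is never filtered by message type, the untrusted side is filtered by message type, option 82, MAC consistency and binding ownership, and the binding learned from the ACK records the client's port rather than the uplink the ACK arrived on, which is what later checks (and DAI or IP Source Guard) rely on.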

How do we configure it?

Enabling snooping globally does nothing on its own; it must also be enabled per VLAN. Trust and the rate limit are interface commands, not global ones:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan <vlan-id>
Switch(config)#ip dhcp snooping information option
Switch(config)#interface <uplink-toward-dhcp-server>
Switch(config-if)#ip dhcp snooping trust
Switch(config)#interface <client-facing-port>
Switch(config-if)#ip dhcp snooping limit rate <1-2048>

The rate limit is in packets per second on an untrusted port; a port that exceeds it is placed in err-disabled state, so plan for errdisable recovery if you set a low value. Option 82 insertion (ip dhcp snooping information option) is enabled by default on Cisco switches; some DHCP servers reject snooped packets that carry option 82 with giaddr 0.0.0.0, in which case the option is disabled with the no form of the command. Untrusted ports also drop client packets that already contain option 82, which matters when another snooping switch sits downstream on an untrusted port.

Verify DHCP Snooping configuration

Switch#show ip dhcp snooping
Switch#show ip dhcp snooping binding