DHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
- DHCP Snooping defends the network from rogue DHCP servers handing out malicious gateway IPs.
- One port flagged as TRUSTED (where the legit server lives). All others UNTRUSTED — server-side DHCP messages from them get dropped.
- Builds a binding table (MAC ↔ IP ↔ port) that other security features (DAI, IP Source Guard) depend on.
Mental model
A user plugs a small home router into a meeting room’s network jack. By default it’s a DHCP server. It starts answering DHCP requests from other users in the building — handing out its own LAN’s IP range and pointing them at itself as the gateway.
Now every user it captures is sending traffic through the rogue device. The attacker has man-in-the-middle access to anyone unlucky enough to renew DHCP after the rogue came online.
DHCP Snooping kills this attack class. The switch learns: “DHCP server messages only ever come from this one port. Drop server messages from anywhere else.”
That’s the whole concept. Configuration is mostly which VLANs to enable it on and which port is trusted.
How it works
DHCP messages have two sides:
- Client → server: DISCOVER, REQUEST (anyone can send these)
- Server → client: OFFER, ACK, NAK (only legitimate servers should send these)
DHCP Snooping classifies switch ports as:
- Trusted — both client and server messages are allowed (uplink to the real DHCP server)
- Untrusted (the default) — only client messages allowed; server messages get dropped
So a rogue device on an access port can send DISCOVERs (client traffic, allowed) but its OFFERs/ACKs get filtered by the switch and never reach victims.
The binding table
While DHCP Snooping is on, the switch records every successful lease in its binding table:
| Client MAC | IP assigned | Lease time | VLAN | Port |
|---|---|---|---|---|
| aaaa.bbbb.cccc | 10.0.0.50 | 86400s | 10 | Gi0/3 |
| dddd.eeee.ffff | 10.0.0.51 | 86400s | 10 | Gi0/5 |
This table is gold. Two related security features rely on it:
- Dynamic ARP Inspection (DAI) — verifies ARP replies match the binding table. Stops ARP poisoning.
- IP Source Guard (IPSG) — blocks a host from spoofing a source IP that doesn’t match the binding table for its port.
Commands
! Globally enable DHCP snooping
SW1(config)# ip dhcp snooping
! Enable on specific VLAN(s)
SW1(config)# ip dhcp snooping vlan 10
SW1(config)# ip dhcp snooping vlan 20
! Mark the uplink to the DHCP server as trusted
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip dhcp snooping trust
! All other ports stay untrusted by default — that's correct
! Optional: rate-limit DHCP requests on access ports (prevents starvation attack)
SW1(config)# interface range GigabitEthernet0/1 - 23
SW1(config-if-range)# ip dhcp snooping limit rate 10 ! 10 pps max
! Optional: explicitly disable Option 82 insertion if downstream device doesn't expect it
SW1(config)# no ip dhcp snooping information option
Verification
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
SW1# show ip dhcp snooping interfaces
show ip dhcp snooping binding shows the live binding table — the most useful single command.
Common mistakes
-
Forgetting to enable on specific VLANs.
ip dhcp snoopingglobally turns it on, but it only takes effect on VLANs you explicitly list withip dhcp snooping vlan N. Many engineers forget this and wonder why nothing’s happening. -
Trusting the wrong port. If you flag an access port as trusted, you’ve just allowed any device on that port to be a rogue DHCP server. Trust only the uplink (or interconnect) toward the real server.
-
Option 82 mismatch. By default, Cisco switches insert DHCP Option 82 information when relaying. Some downstream DHCP servers reject these. Either disable Option 82 insertion or configure the server to accept it.
-
Rate-limit set too low. If you rate-limit DHCP to 5 pps and the DHCP server tries to renew dozens of leases simultaneously, the switch starts dropping legitimate traffic. (Default behavior is no rate-limit until you configure
ip dhcp snooping limit rate; 100 pps is a sane starting point if you choose to set one.) -
Not pairing it with DAI / IPSG. DHCP Snooping by itself only stops rogue servers. Real defense in depth requires Dynamic ARP Inspection (blocks ARP poisoning) and IP Source Guard (blocks IP spoofing) — both depend on the snooping binding table.
-
Binding table lost on switch reboot. Without persistence, the table rebuilds from new leases. To survive a reboot, configure
ip dhcp snooping database flash:dhcp-snooping.txtso it’s saved.
Lab to try tonight
- One switch, two PCs, one DHCP server. Enable DHCP snooping on the VLAN.
- Mark the uplink to the DHCP server as trusted.
- Boot the PCs, watch them get DHCP leases. Verify with
show ip dhcp snooping binding. - Now connect a second device set to “share connection” or with a built-in DHCP server (any home router). Plug it into another switch port (untrusted).
- Try to get a third PC to DHCP from the rogue server. Watch the rogue’s OFFERs get dropped by the switch.
- Bonus: enable Dynamic ARP Inspection on the same VLAN. Run a free ARP spoofing tool from one PC. Watch DAI block it using the snooping binding table.
Cheat strip
| Concept | Plain English |
|---|---|
| Trusted port | Server-side DHCP messages allowed. Usually only the uplink. |
| Untrusted port | Default. Only client-side DHCP messages allowed. |
| Binding table | MAC ↔ IP ↔ port ↔ VLAN — built from successful leases |
| Option 82 | Cisco-inserted relay information. Disable if server rejects it. |
| Rate limit | Caps DHCP requests per port. Stops starvation attacks. |
| DAI / IPSG | Both rely on the snooping binding table. Stack them for real defense. |
| Persistence | Save the binding table to flash so it survives reboot. |
Port Security
Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.
AAA · RADIUS & TACACS+
Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.
Related topics
DHCP — Dynamic Host Configuration Protocol
Definitive CCNA-level DHCP guide — the DORA exchange step-by-step, packet anatomy, DHCP options table, lease renewal timing (T1/T2), Cisco IOS server + relay config, DHCPv6 brief, DHCP Snooping security, 8 worked scenarios, and the DHCP debug workflow.
Security FundamentalsPort Security
Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.
Network AccessVLANs
Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.
One topic per email, every fortnight
VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.
We respect your inbox. One email per week, max. Unsubscribe any time.