As we know, a DHCP server provides clients with their basic network settings, i.e. IP address, subnet mask, default gateway and DNS server. DHCP snooping is a layer 2 security feature, usually enabled on the access-layer switches of a layer 2 switched network.

If an attacker connects a rogue DHCP server to a machine in the same subnet as the client machine, and the rogue server's DHCP offer reaches the client before the offer from the legitimate DHCP server, the client accepts the rogue lease and all of its traffic can then be sent to the rogue server.

To prevent this, the switch ports are divided into two categories:

Trusted: ports to which the DHCP server connects.
Untrusted: ports to which the client machines connect.

If a DHCP server reply (offer, ACK or NAK) arrives on an untrusted port it is discarded and a log message is generated. DHCP server messages are only forwarded when they enter the switch through a port in the DHCP snooping trusted state; the same messages are dropped if they arrive on a port that is not trusted. Client messages are allowed on both kinds of port.

By default, all switch ports are in untrusted mode, so the uplink towards the legitimate DHCP server must be explicitly marked trusted.

To enable DHCP snooping:

SW1(config)#ip dhcp snooping

To configure a port in trusted mode:

SW1(config)#interface fa0/0
SW1(config-if)#ip dhcp snooping trust

To enable DHCP snooping for a particular VLAN (the global command alone does not inspect any VLAN):

SW1(config)#ip dhcp snooping vlan <vlan-id>

We can also rate-limit the DHCP packets a port accepts (in packets per second), which by default is unlimited. The port is error-disabled if the rate is exceeded, so choose a value that a normal client cannot reach:

SW1(config-if)#ip dhcp snooping limit rate <pps>



The show ip dhcp snooping command displays whether the feature is enabled globally, all VLANs (both primary and secondary) that have DHCP snooping enabled, and the trust state and rate limit of each interface, so it is the first place to verify the configuration above.
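The trusted/untrusted rule described above, as an added example that is not part of the original post: a small Python model that parses the message type from raw BOOTP/DHCP payloads and applies the snooping forwarding decision to constructed sample frames. The port names, server addresses and frame contents are made up for the demonstration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only legitimate from a server

def build_dhcp(op, msg_type, server_id=None):
    """Build a minimal BOOTP/DHCP payload (constructed sample, not a real capture)."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, 0x1234, 0, 0, 0, 0, 0, 0)
    header += b"\x00" * (16 + 64 + 128)  # chaddr, sname, file
    opts = bytes([53, 1, msg_type])  # option 53: DHCP message type
    if server_id:  # option 54: server identifier
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return header + MAGIC_COOKIE + opts + b"\xff"

def parse_options(payload):
    """Return {code: value} for the TLV options that follow the magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snooping_decision(port_trusted, payload):
    """Switch rule: server-originated DHCP messages are forwarded only from trusted ports."""
    msg_type = parse_options(payload).get(53, b"\x00")[0]
    from_server = payload[0] == 2 or msg_type in SERVER_MSG_TYPES  # op 2 = BOOTREPLY
    return "drop" if from_server and not port_trusted else "forward"

def audit(frames):
    """frames: (port, trusted, payload) tuples -> (port, server-id or None, decision)."""
    result = []
    for port, trusted, payload in frames:
        sid = parse_options(payload).get(54)
        sid = ".".join(str(b) for b in sid) if sid else None
        result.append((port, sid, snooping_decision(trusted, payload)))
    return result

# Constructed traffic: client DISCOVER, real server OFFER on the trusted uplink,
# and a rogue OFFER arriving on an untrusted access port.
SAMPLE_FRAMES = [
    ("Fa0/1", False, build_dhcp(1, 1)),
    ("Fa0/24", True, build_dhcp(2, 2, "10.0.0.1")),
    ("Fa0/2", False, build_dhcp(2, 2, "10.0.0.99")),
]
```

Running audit(SAMPLE_FRAMES) forwards the first two frames and drops the rogue offer on Fa0/2, which is exactly the event the switch logs.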
