DHCP Snooping - Guide to Basics of DHCP Snooping

Rashmi Bhardwaj | Blog, Config & Troubleshoot

DHCP Snooping

A DHCP server provides clients with their basic network parameters: IP address, subnet mask, default gateway and DNS server. DHCP snooping is a Layer 2 security feature, usually enabled on the access-layer switches of a Layer 2 switched network, that protects this exchange.


If an attacker connects a rogue DHCP server to a machine in the same subnet as a client, and the rogue server's DHCP offer reaches the client before the offer from the legitimate DHCP server, the client accepts the rogue configuration and all of its packets can then be sent to the rogue server.


To prevent this, the switch ports are divided into two categories:

Trusted: ports to which the DHCP server connects.
Untrusted: ports to which the client machines connect.

If a DHCP reply arrives on an untrusted port it is discarded and a log message is generated. DHCP server messages are forwarded only through switch ports in the DHCP snooping trusted state; a server message entering a port that is not trusted is dropped.


By default, all the switch ports are in untrusted mode.


To enable DHCP snooping:

SW1(config)#ip dhcp snooping

To configure a port in trusted mode:

SW1(config)#interface fa0/0
SW1(config-if)#ip dhcp snooping trust

To configure DHCP snooping for a particular VLAN:

SW1(config)#ip dhcp snooping vlan <vlan-id>

We can also limit the rate of DHCP requests on a port; by default the rate is unlimited:

SW1(config-if)#ip dhcp snooping limit rate <packets-per-second>


The show ip dhcp snooping command displays all VLANs (both primary and secondary) that have DHCP snooping enabled.
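To make the trusted/untrusted decision, the per-VLAN scope and the per-port rate limit concrete, the following Python model replays the scenario from this post: a legitimate server on an uplink, a rogue server on a client port, and a client port that exceeds its request rate. This is an added example, not Cisco IOS code or output; the class, port names, VLAN numbers, log wording and the choice to error-disable a port on a rate violation are all assumptions made for the model.

```python
"""Model of the DHCP-snooping decisions described above (constructed example,
not Cisco IOS code): trusted vs. untrusted ports, per-VLAN scope, drop-and-log
of server messages on untrusted ports, and a per-port request rate limit."""
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types, RFC 2132 option 53 values.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", DECLINE: "DECLINE",
         ACK: "ACK", NAK: "NAK", RELEASE: "RELEASE", INFORM: "INFORM"}
# Only a DHCP server legitimately sends these; a client never does.
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class Frame:
    """One DHCP message as seen by the switch (constructed fields)."""
    port: str      # ingress interface, e.g. "Fa0/2"
    vlan: int
    msg_type: int


@dataclass
class SnoopingSwitch:
    """Hypothetical switch state; names mirror the IOS commands in the text."""
    snooping_vlans: set                                  # ip dhcp snooping vlan <vlan-id>
    trusted_ports: set = field(default_factory=set)      # ip dhcp snooping trust
    rate_limits: dict = field(default_factory=dict)      # port -> packets per second
    log: list = field(default_factory=list)
    err_disabled: set = field(default_factory=set)
    _counts: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> n

    def handle(self, frame: Frame, now: float) -> str:
        """Return 'forward' or 'drop' for a frame arriving at time `now` (seconds)."""
        if frame.vlan not in self.snooping_vlans:
            return "forward"                  # snooping not enabled on this VLAN
        if frame.port in self.err_disabled:
            return "drop"                     # port shut down by an earlier violation
        # Rate limit: count DHCP packets per port per one-second window.
        limit = self.rate_limits.get(frame.port)
        if limit is not None:
            key = (frame.port, int(now))
            self._counts[key] += 1
            if self._counts[key] > limit:
                # Modelling choice: the port is error-disabled on a violation.
                self.err_disabled.add(frame.port)
                self.log.append(f"{frame.port}: DHCP rate limit {limit} pps exceeded, "
                                "port error-disabled")
                return "drop"
        if frame.port in self.trusted_ports:
            return "forward"                  # server and client messages both allowed
        if frame.msg_type in SERVER_MESSAGES:
            # Server message sourced from an untrusted port: rogue server or misconfiguration.
            self.log.append(f"{frame.port}: dropped DHCP{NAMES[frame.msg_type]} "
                            f"from untrusted port in VLAN {frame.vlan}")
            return "drop"
        return "forward"                      # ordinary client traffic


def run_demo():
    """Walk through the scenario in the text with constructed frames."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi0/24"},
                        rate_limits={"Fa0/1": 2})
    results = [
        sw.handle(Frame("Gi0/24", 10, OFFER), 0.0),    # legitimate server on uplink
        sw.handle(Frame("Fa0/2", 10, OFFER), 0.0),     # rogue server on access port
        sw.handle(Frame("Fa0/2", 10, DISCOVER), 0.0),  # normal client request
        sw.handle(Frame("Fa0/3", 20, OFFER), 0.0),     # VLAN 20: snooping not enabled
        sw.handle(Frame("Fa0/1", 10, DISCOVER), 1.0),  # within the 2 pps limit
        sw.handle(Frame("Fa0/1", 10, DISCOVER), 1.3),
        sw.handle(Frame("Fa0/1", 10, DISCOVER), 1.6),  # third in the same second: violation
        sw.handle(Frame("Fa0/1", 10, DISCOVER), 5.0),  # still error-disabled
    ]
    return results, sw.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    for line in log:
        print(line)
```

The rate check runs before the trust check so that a limit configured on a trusted port is also enforced; the trust check only decides whether server-type messages (OFFER, ACK, NAK) may enter, which is exactly the distinction the trusted/untrusted categories above draw. The two log entries the demo produces correspond to the two events an operator would want to investigate: a server message on a client port and a port exceeding its request rate.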
