
DHCP snooping

DHCP snooping is a security feature implemented on many network switches to mitigate DHCP-based attacks by monitoring and filtering DHCP messages. By inspecting DHCP traffic on a per-VLAN basis, it helps prevent rogue DHCP servers from distributing incorrect configuration parameters and reduces the risk of man-in-the-middle or denial-of-service attacks that exploit the DHCP protocol.

During operation, DHCP snooping classifies switch ports as trusted or untrusted. Ports connected to legitimate DHCP servers are marked trusted; client-facing ports are untrusted. The switch then enforces a policy: only DHCP replies (Offer/ACK) from trusted sources are allowed to reach clients on untrusted ports, and only after the switch has created or validated a binding entry for the client.

As clients receive a DHCP lease, the switch creates a DHCP snooping binding database entry that records the client's MAC address, IP address, lease duration, VLAN, and the port through which the client is reachable. This database is used to validate subsequent DHCP messages and can be augmented with DHCP relay information (option 82) if configured. In some implementations, the switch can insert or preserve option 82 data to help the DHCP server make appropriate scope assignments.

Benefits include preventing rogue servers from issuing addresses, reducing the risk of IP spoofing in DHCP traffic, and supporting subsequent security features such as Dynamic ARP Inspection, which consults the binding database to validate ARP replies.

Limitations and considerations: DHCP snooping requires a functioning DHCP server reachable through trusted ports; without a valid binding, DHCP replies on untrusted ports can be dropped, potentially impacting clients. It can increase switch memory usage and requires careful management of trusted ports and bindings, especially in networks with DHCP relays or multiple servers.
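The trusted/untrusted policy, the binding database built from the lease exchange, and the Dynamic ARP Inspection lookup described above can be seen together in a small simulation. The following Python is an added illustration, not code from the original page or from any switch vendor; the port names, MAC addresses, VLAN and message layout are constructed, and the lease-ageing and source-MAC check are reasonable assumptions about how a switch would treat the binding rather than a description of any particular product.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpMsg:
    kind: str                       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str                    # Ethernet source address of the frame
    chaddr: str                     # DHCP client hardware address field
    vlan: int
    ingress_port: str               # switch port the frame arrived on (constructed names)
    yiaddr: Optional[str] = None    # address assigned in OFFER/ACK
    lease: int = 0                  # lease time in seconds (ACK)
    option82: Optional[str] = None  # relay agent information, if a relay added it


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str          # client-facing port through which the client is reachable
    lease_left: int    # remaining lease seconds
    relay_info: Optional[str] = None


class DhcpSnooping:
    def __init__(self, trusted_ports: Set[str], snooping_vlans: Set[int]):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> Binding
        self._pending: Dict[Tuple[str, int], str] = {}        # (mac, vlan) -> client port

    def process(self, m: DhcpMsg) -> Tuple[str, str]:
        """Apply the snooping policy to one DHCP message; returns (action, reason)."""
        if m.vlan not in self.vlans:
            return "forward", "snooping not enabled on this VLAN"
        key = (m.chaddr, m.vlan)
        trusted = m.ingress_port in self.trusted

        if m.kind in SERVER_MSGS:
            if not trusted:
                # Offer/ACK/NAK may only enter through trusted (server-facing) ports.
                return "drop", "server message on untrusted port"
            if m.kind == "ACK" and m.yiaddr and key in self._pending:
                # The ACK completes the lease: record MAC, IP, VLAN, client port,
                # lease time and any relay (option 82) information.
                self.bindings[key] = Binding(m.chaddr, m.yiaddr, m.vlan,
                                             self._pending.pop(key), m.lease, m.option82)
            return "forward", "server message from trusted port"

        if m.kind not in CLIENT_MSGS:
            return "drop", "unknown DHCP message type"
        if trusted:
            return "forward", "client message from trusted port"   # not inspected
        if m.src_mac != m.chaddr:
            # Assumed check: the frame source must match the client address claimed in DHCP.
            return "drop", "chaddr does not match source MAC"
        if m.kind in ("DISCOVER", "REQUEST"):
            self._pending[key] = m.ingress_port   # remember where the client is reachable
            return "forward", "client request recorded"
        # RELEASE/DECLINE must match the port and MAC in the existing binding,
        # so one host cannot release another host's lease.
        b = self.bindings.get(key)
        if b is None or b.port != m.ingress_port:
            return "drop", "release/decline does not match binding"
        del self.bindings[key]
        return "forward", "binding removed"

    def tick(self, seconds: int) -> None:
        """Age bindings; an expired lease removes its entry (assumed behaviour)."""
        for key, b in list(self.bindings.items()):
            b.lease_left -= seconds
            if b.lease_left <= 0:
                del self.bindings[key]

    def validate_arp(self, sender_mac: str, sender_ip: str, vlan: int, port: str) -> bool:
        """Dynamic ARP Inspection lookup: an ARP from an untrusted port is valid only
        if the sender MAC/IP pair matches a binding on that VLAN and port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((sender_mac, vlan))
        return b is not None and b.ip == sender_ip and b.port == port


def demo_exchange() -> DhcpSnooping:
    """Constructed exchange: a legitimate lease for a client on Gi1/0/1 via the
    trusted uplink Gi1/0/24, leaving one binding in the database."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"}, snooping_vlans={10})
    client, server = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    sw.process(DhcpMsg("DISCOVER", client, client, 10, "Gi1/0/1"))
    sw.process(DhcpMsg("OFFER", server, client, 10, "Gi1/0/24", yiaddr="10.0.10.50"))
    sw.process(DhcpMsg("REQUEST", client, client, 10, "Gi1/0/1"))
    sw.process(DhcpMsg("ACK", server, client, 10, "Gi1/0/24",
                       yiaddr="10.0.10.50", lease=3600))
    return sw
```

After `demo_exchange()` the database holds one entry keyed by the client's MAC and VLAN; an Offer arriving on an untrusted port is dropped regardless of its contents, a Release from a different port than the binding's is dropped, and `validate_arp` accepts only the MAC/IP/port combination the lease established. Letting the lease expire with `tick` shows why the page notes that clients without a valid binding can be affected: once the entry is gone, both the Release check and the ARP check fail until the client renews.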