DHCP Snooping

Normally, when a computer connects to a network, it shouts a broadcast message (DHCP Discover) asking for an IP address. The official DHCP server hears this and replies with a valid IP, subnet mask, and default gateway (DHCP Offer).

However, DHCP has no built-in authentication. If someone plugs a home router into an office wall jack, or runs a malicious script on their laptop, they can act as a Rogue DHCP Server.

If a client shouts for an IP and the rogue server replies faster than the legitimate server, the client will accept the rogue’s IP configuration. This often changes the client’s Default Gateway to the attacker’s machine, routing all of the victim’s web traffic directly through the attacker.

When you enable DHCP Snooping on a switch, it fundamentally changes how the switch handles DHCP traffic by dividing all ports into two strict categories:

Untrusted Ports: By default, every port on the switch becomes untrusted. A client connected to an untrusted port is only allowed to ask for an IP (send DHCP Discover/Request messages). If the switch sees a DHCP Offer coming from an untrusted port, it instantly drops the packet and logs a security violation.

Trusted Ports: You manually configure specific ports to be trusted. These are the ports connected to your actual, legitimate DHCP servers (or the uplink trunks leading to them). Only trusted ports are allowed to forward DHCP Offers and Acknowledgments back to the clients.

Switch# configure terminal
! Enable snooping globally, then on the VLANs that carry client traffic
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10-20,50
! Only the uplink towards the legitimate DHCP server is trusted
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Access ports stay untrusted; cap client DHCP traffic at 10 packets/second
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# end
! Verify the configuration and the learned client bindings
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
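To make the trusted/untrusted rule, the rate limit and the binding table concrete, here is an added Python model of the switch's per-packet decision. It is not code from this page or from any switch vendor; it assumes DHCP messages have already been parsed into a small dataclass, and the port names, VLANs and MAC addresses in the comments are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types (DHCP option 53 values)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}          # only a DHCP server should send these

@dataclass
class DhcpPacket:
    ingress_port: str                   # constructed names such as "Fa0/3", "Gi0/1"
    vlan: int
    msg_type: int
    client_mac: str
    yiaddr: str = ""                    # address offered/assigned (server messages only)

@dataclass
class SnoopingSwitch:
    trusted_ports: set
    snooping_vlans: set
    rate_limit: int = 10                # client DHCP packets allowed per untrusted port
    bindings: dict = field(default_factory=dict)      # client_mac -> (ip, port, vlan)
    pending: dict = field(default_factory=dict)       # client_mac -> port that sent the Request
    counts: dict = field(default_factory=lambda: defaultdict(int))
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, pkt):
        """Decide what the switch does with one DHCP packet: 'forward' or 'drop'."""
        if pkt.vlan not in self.snooping_vlans:
            return "forward"            # snooping not enabled on this VLAN: untouched
        if pkt.ingress_port in self.trusted_ports:
            if pkt.msg_type == ACK and pkt.client_mac in self.pending:
                # lease confirmed by a legitimate server: record it in the binding table
                port = self.pending.pop(pkt.client_mac)
                self.bindings[pkt.client_mac] = (pkt.yiaddr, port, pkt.vlan)
            return "forward"
        if pkt.ingress_port in self.err_disabled:   # untrusted port from here on
            return "drop"
        self.counts[pkt.ingress_port] += 1
        if self.counts[pkt.ingress_port] > self.rate_limit:
            self.err_disabled.add(pkt.ingress_port)
            self.log.append(f"{pkt.ingress_port}: rate limit exceeded, port err-disabled")
            return "drop"
        if pkt.msg_type in SERVER_MESSAGES:
            # a DHCP Offer/Ack arriving from a client port means a rogue server
            self.log.append(f"{pkt.ingress_port}: DHCP server message from untrusted port, dropped")
            return "drop"
        if pkt.msg_type == REQUEST:
            self.pending[pkt.client_mac] = pkt.ingress_port
        return "forward"
```

The model treats the rate limit as a simple packet count per port; a real switch measures packets per second and reports the err-disabled port in its log.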