Mental model
A user plugs a small home router into a meeting room’s network jack. By default it’s a DHCP server. It starts answering DHCP requests from every other host in the same VLAN, and whenever it answers first it wins: it hands out its own LAN’s IP range and points those hosts at itself as the gateway.
Now every user it captures is sending traffic through the rogue device. The attacker has man-in-the-middle access to anyone unlucky enough to renew DHCP after the rogue came online.
DHCP Snooping kills this attack class. The switch learns: “DHCP server messages only ever come from this one port. Drop server messages from anywhere else.”
That’s the whole concept. Configuration is mostly which VLANs to enable it on and which port is trusted.
How it works
DHCP messages have two sides:
- Client → server: DISCOVER, REQUEST (anyone can send these)
- Server → client: OFFER, ACK, NAK (only legitimate servers should send these)
DHCP Snooping classifies switch ports as:
- Trusted — both client and server messages are allowed (uplink to the real DHCP server)
- Untrusted (the default) — only client messages allowed; server messages get dropped. Client messages on untrusted ports are also sanity-checked: the frame’s source MAC must match the DHCP client hardware address (chaddr), which is on by default, and RELEASE/DECLINE must match an existing binding for that port.
So a rogue device on an access port can send DISCOVERs (client traffic, allowed) but its OFFERs/ACKs get filtered by the switch and never reach victims.
The binding table
While DHCP Snooping is on, the switch records every successful lease in its binding table:
| Client MAC | IP assigned | Lease time | VLAN | Port |
|---|---|---|---|---|
| aaaa.bbbb.cccc | 10.0.0.50 | 86400s | 10 | Gi0/3 |
| dddd.eeee.ffff | 10.0.0.51 | 86400s | 10 | Gi0/5 |
This table is gold. Two related security features rely on it:
- Dynamic ARP Inspection (DAI) — validates ARP packets (requests and replies) on untrusted ports: the sender MAC/IP pair must match a binding on that port (or a static ARP ACL). Stops ARP poisoning.
- IP Source Guard (IPSG) — blocks a host from spoofing a source IP that doesn’t match the binding table for its port.
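As an added example (not from the original page and not Cisco code), here is a small Python model of the rules in the two sections above: it parses minimal DHCP payloads, applies the trusted/untrusted port logic, builds a binding table from ACKs, and then uses that table for DAI-style and IPSG-style checks. The frames, MAC addresses and port names (Gi0/3, Gi0/5, Gi0/24) are constructed for the example and mirror the table and scenario in the text.

```python
"""Software model of DHCP snooping (illustrative, not Cisco code).

Payloads are built inline as minimal BOOTP/DHCP messages (RFC 2131 fixed
header + magic cookie + option 53). MACs and port names are made up.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2          # BOOTP 'op' field: client side vs server side
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0"):
    """Return a minimal DHCP payload: 236-byte fixed header, cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes(map(int, yiaddr.split("."))), bytes(4), bytes(4),
                        chaddr + bytes(10), bytes(64), bytes(128))
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (op, message type, chaddr, yiaddr); message type is None if option 53 is absent."""
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, yiaddr, chaddr = payload[0], ".".join(map(str, payload[16:20])), payload[28:34]
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:     # walk TLV options until 'end'
        if payload[i] == 0:                            # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, msg_type, chaddr, yiaddr


class SnoopingSwitch:
    """One VLAN's worth of snooping state: the trusted ports plus the binding table."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> client port, learned from DISCOVER/REQUEST
        self.bindings = {}   # chaddr -> (ip, port), what 'show ip dhcp snooping binding' lists
        self.log = []

    def dhcp_in(self, port, src_mac, payload):
        """Return True if the switch forwards the DHCP packet, False if snooping drops it."""
        op, mtype, chaddr, yiaddr = parse_dhcp(payload)
        name = MSG.get(mtype, f"type {mtype}")
        untrusted = port not in self.trusted
        if untrusted and op == BOOTREPLY:            # the core rule: no servers on access ports
            self.log.append(f"DROP {name} on {port}: server message on untrusted port")
            return False
        if untrusted and src_mac != chaddr:          # models 'verify mac-address' (default on)
            self.log.append(f"DROP {name} on {port}: source MAC != chaddr")
            return False
        if mtype in (1, 3):                          # DISCOVER/REQUEST: remember the client's port
            self.pending[chaddr] = port
        elif mtype == 5:                             # ACK via trusted port: lease granted -> binding
            client_port = self.pending.pop(chaddr, None)
            if client_port:
                self.bindings[chaddr] = (yiaddr, client_port)
        elif mtype == 7 and untrusted:               # RELEASE must come from the bound port
            bound = self.bindings.get(chaddr)
            if bound is None or bound[1] != port:
                self.log.append(f"DROP RELEASE on {port}: no matching binding")
                return False
            del self.bindings[chaddr]
        return True

    def arp_ok(self, port, sender_mac, sender_ip):
        """DAI check: on untrusted ports the ARP sender MAC/IP must match a binding on that port."""
        return port in self.trusted or self.bindings.get(sender_mac) == (sender_ip, port)

    def ip_ok(self, port, src_ip):
        """IPSG check: on untrusted ports the IP source address must be bound to that port."""
        return port in self.trusted or (src_ip, port) in self.bindings.values()


def demo():
    """Replay the scenario from the text: a real lease on Gi0/3, a rogue router on Gi0/5."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    victim, rogue, server = (bytes.fromhex(h) for h in ("aaaabbbbcccc", "ddddeeeeffff", "001122334455"))
    r = {}
    # Legitimate exchange: REQUEST in on an access port, ACK back through the trusted uplink.
    r["request"] = sw.dhcp_in("Gi0/3", victim, build_dhcp(BOOTREQUEST, 3, victim))
    r["ack"] = sw.dhcp_in("Gi0/24", server, build_dhcp(BOOTREPLY, 5, victim, "10.0.0.50"))
    # Rogue home router: its own DISCOVER passes, its OFFER to the victim does not.
    r["rogue_discover"] = sw.dhcp_in("Gi0/5", rogue, build_dhcp(BOOTREQUEST, 1, rogue))
    r["rogue_offer"] = sw.dhcp_in("Gi0/5", rogue, build_dhcp(BOOTREPLY, 2, victim, "192.168.1.100"))
    # Rogue forging a client message with the victim's chaddr from its own port.
    r["forged_request"] = sw.dhcp_in("Gi0/5", rogue, build_dhcp(BOOTREQUEST, 3, victim))
    # Features built on the binding table: ARP poisoning and IP spoofing from the rogue port.
    r["dai_victim"] = sw.arp_ok("Gi0/3", victim, "10.0.0.50")
    r["dai_rogue"] = sw.arp_ok("Gi0/5", rogue, "10.0.0.50")
    r["ipsg_rogue"] = sw.ip_ok("Gi0/5", "10.0.0.50")
    r["bindings"] = {m.hex(): b for m, b in sw.bindings.items()}
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps the client's port from its DISCOVER/REQUEST so that the ACK, which arrives on the trusted uplink, can be bound to the right access port; that is why the binding table is only as good as the snooping state that preceded it, and why a cold table after a reload matters for DAI and IPSG.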
Commands
! Globally enable DHCP snooping
SW1(config)# ip dhcp snooping
! Enable on specific VLAN(s)
SW1(config)# ip dhcp snooping vlan 10
SW1(config)# ip dhcp snooping vlan 20
! Mark the uplink to the DHCP server as trusted
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip dhcp snooping trust
! All other ports stay untrusted by default — that's correct
! Optional: rate-limit DHCP packets received on access ports (blunts DHCP starvation)
! There is no limit by default; a port that exceeds its limit is err-disabled
SW1(config)# interface range GigabitEthernet0/1 - 23
SW1(config-if-range)# ip dhcp snooping limit rate 10
! Optional: disable Option 82 insertion if the upstream switch or DHCP server
! drops client packets that carry it with giaddr 0.0.0.0 (see Common mistakes)
SW1(config)# no ip dhcp snooping information option
Verification
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
SW1# show ip dhcp snooping interfaces
show ip dhcp snooping binding lists the live binding table, the most useful single command. show ip dhcp snooping confirms which VLANs are actually covered, whether Option 82 insertion is on, and which ports are trusted, which is exactly where the first two common mistakes below show up.
Common mistakes
- Forgetting to enable on specific VLANs. ip dhcp snooping globally turns it on, but it only takes effect on VLANs you explicitly list with ip dhcp snooping vlan N. Many engineers forget this and wonder why nothing’s happening.
- Trusting the wrong port. If you flag an access port as trusted, you’ve just allowed any device on that port to be a rogue DHCP server. Trust only the uplink (or interconnect) toward the real server. In a multi-switch VLAN that means the trunk toward the server on every switch in the path: an untrusted trunk silently drops the server’s OFFERs and every client behind it stops getting leases.
- Option 82 mismatch. By default a snooping switch inserts DHCP Option 82 (relay agent information) into the client packets it forwards while leaving giaddr at 0.0.0.0. An upstream switch that is also snooping drops such packets when they arrive on one of its untrusted ports, and some DHCP servers reject them. Either disable insertion on the edge switch (no ip dhcp snooping information option) or tell the upstream switch to accept them (ip dhcp snooping information option allow-untrusted).
- Rate-limit set too low. There is no limit by default; Cisco’s guidance is no more than 100 pps on untrusted ports. A port that exceeds its limit is not throttled but put into err-disabled state, so a 5 pps limit on a port with a small unmanaged switch or a VM host behind it can take a whole group of users offline during a boot storm. Never rate-limit the trusted uplink at client rates, since every server reply and every renewal crosses it, and consider errdisable recovery cause dhcp-rate-limit so a tripped port comes back on its own.
- Not pairing it with DAI / IPSG. DHCP Snooping by itself only stops rogue servers. Real defense in depth requires Dynamic ARP Inspection (blocks ARP poisoning) and IP Source Guard (blocks IP spoofing); both depend on the snooping binding table. Hosts with static addresses never take a lease and so have no binding: add them with ip source binding (or an ARP ACL for DAI) before turning those features on, or they will be cut off.
- Binding table lost on switch reboot. Without persistence the table is empty after a reload and only rebuilds as leases renew, so DAI and IPSG block every host whose lease is still valid until then. Configure ip dhcp snooping database flash:dhcp-snooping.txt so it’s saved and restored.
Lab to try tonight
- One switch, two PCs, one DHCP server. Enable DHCP snooping on the VLAN.
- Mark the uplink to the DHCP server as trusted.
- Boot the PCs, watch them get DHCP leases. Verify with show ip dhcp snooping binding.
- Now connect a second device set to “share connection” or with a built-in DHCP server (any home router). Plug it into another switch port (untrusted).
- Try to get a third PC to DHCP from the rogue server. Watch the rogue’s OFFERs get dropped by the switch: the third PC should still land in the real server’s range, and the dropped packets are counted in show ip dhcp snooping statistics.
- Bonus: enable Dynamic ARP Inspection on the same VLAN. Run a free ARP spoofing tool from one PC. Watch DAI drop and log the forged ARP packets using the snooping binding table; if the tool floods fast enough to exceed DAI’s per-port ARP rate limit, expect that port to go err-disabled.
Cheat strip
| Concept | Plain English |
|---|---|
| Trusted port | Server-side DHCP messages allowed. Usually only the uplink. |
| Untrusted port | Default. Only client-side DHCP messages allowed. |
| Binding table | MAC ↔ IP ↔ port ↔ VLAN — built from successful leases |
| Option 82 | Relay-agent information the snooping switch inserts by default (with giaddr 0.0.0.0). Disable it on the edge, or allow-untrusted upstream, if it gets dropped. |
| Rate limit | Caps DHCP packets received per port; exceeding it err-disables the port. No default; keep it at or below 100 pps on untrusted ports. Stops starvation attacks. |
| DAI / IPSG | Both rely on the snooping binding table. Stack them for real defense. |
| Persistence | Save the binding table to flash so it survives reboot. |