DHCP snooping is a DHCP
security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also
referred to as a DHCP snooping binding table.
DHCP snooping acts like a
firewall between untrusted hosts and DHCP servers. You use DHCP snooping to
differentiate between untrusted interfaces connected to the end user and
trusted interfaces connected to the DHCP server or another switch.
Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, because untrusted DHCP messages are forwarded only to trusted interfaces.
An untrusted DHCP message is a message that is
received through an untrusted interface. By default, the switch considers all
interfaces untrusted, so to use DHCP snooping you must configure the switch to
trust some interfaces. When you use DHCP snooping in a
service-provider environment, an untrusted message is one sent from a device that
is not in the service-provider network, such as a customer's switch. Messages
from unknown devices are untrusted because they can be sources of traffic
attacks.
The DHCP snooping binding
database has the MAC address, the IP address, the lease time, the binding type,
the VLAN number, and the interface information that corresponds to the local
untrusted interfaces of a switch. It does not have information regarding hosts
interconnected with a trusted interface.
Note: When configuring DHCP snooping to block unauthorized IP addresses using the ip verify source port-security command on an interface, the switchport port-security command must also be configured on that interface.
In a service-provider network, an example of
an interface you might configure as trusted is one connected to a port on a
device in the same network. An example of an untrusted interface is one that is
connected to an untrusted interface in the network or to an interface on a
device that is not in the network.
When a switch receives a
packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the
DHCP client hardware address. If the addresses match (the default), the switch
forwards the packet. If the addresses do not match, the switch drops the
packet.
The switch drops a DHCP packet when one of these situations occurs:
- A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
- A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
- The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
- A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch
supporting DHCP snooping and is connected to an edge switch that is inserting
DHCP option-82 information, the switch drops packets with option-82 information
when packets are received on an untrusted interface. If DHCP snooping is
enabled and packets are received on a trusted port, the aggregation switch does
not learn the DHCP snooping bindings for connected devices and cannot build a
complete DHCP snooping binding database.
When an aggregation switch
can be connected to an edge switch through an untrusted interface and you enter
the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation
switch accepts packets with option-82 information from the edge switch. The
aggregation switch learns the bindings for hosts connected through an untrusted
switch interface. The DHCP security features, such as dynamic ARP inspection or
IP source guard, can still be enabled on the aggregation switch while the
switch receives packets with option-82 information on untrusted input
interfaces to which hosts are connected. The port on the edge switch that
connects to the aggregation switch must be configured as a trusted interface.
Normally, it is not desirable to broadcast packets to wireless clients. So, for DHCP packets going from the server to wireless clients, DHCP snooping replaces the broadcast destination MAC
address (ffff.ffff.ffff) with the client's unicast MAC address. The unicast
MAC address is retrieved from the CHADDR field in the DHCP payload. This processing is applied to server-to-client packets such
as DHCPOFFER, DHCPACK, and DHCPNAK messages. The ip dhcp snooping wireless bootp-broadcast enable command reverts this behavior. When wireless BOOTP broadcast is enabled, broadcast DHCP packets from the server
are forwarded to wireless clients without changing the destination MAC address.
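The drop rules listed earlier and the wireless broadcast-to-unicast rewrite described above, worked through as an added Python model (this is not Cisco's code and not from the original page): it pulls the fields DHCP snooping inspects out of a constructed BOOTP/DHCP payload, applies each drop rule to a packet arriving on an untrusted interface, and rewrites the destination MAC of server replies. Header offsets follow RFC 2131; the frame dictionary, interface names, binding table and sample option-82 contents are assumptions.

```python
from ipaddress import IPv4Address
BROADCAST = "ff:ff:ff:ff:ff:ff"
SERVER_MSGS = {2, 5, 6}               # option 53: OFFER, ACK, NAK (server -> client)
UNTRUSTED_DROP = SERVER_MSGS | {10}   # plus LEASEQUERY: never accepted on an untrusted port

def make_payload(msg_type, chaddr, giaddr="0.0.0.0", opt82=False):
    """Constructed sample BOOTP/DHCP payload: 236-byte header, magic cookie, options."""
    hdr = bytes([2 if msg_type in SERVER_MSGS else 1, 1, 6, 0]) + b"\x12\x34\x56\x78"  # op, htype, hlen, hops, xid
    hdr += b"\0" * 16 + IPv4Address(giaddr).packed   # secs, flags, ciaddr, yiaddr, siaddr (all zero), giaddr
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")   # chaddr field is 16 bytes
    opts = b"\x35\x01" + bytes([msg_type])            # option 53: DHCP message type
    opts += b"\x52\x04\x01\x02\x00\x01" if opt82 else b""   # option 82 with a constructed circuit-id
    return hdr + mac + b"\0" * 192 + b"\x63\x82\x53\x63" + opts + b"\xff"  # sname+file, cookie, end

def parse_dhcp(payload):
    """Extract the fields DHCP snooping inspects: giaddr, CHADDR, message type, option 82."""
    d = {"giaddr": str(IPv4Address(payload[24:28])), "msg_type": None, "opt82": False,
         "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + payload[2]])}  # payload[2] = hlen
    i = 240                                           # options follow the 4-byte magic cookie
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        code = payload[i]
        ln = payload[i + 1] if code else 0            # pad option (0) carries no length byte
        if code == 53:
            d["msg_type"] = payload[i + 2]
        elif code == 82:
            d["opt82"] = True
        i += 2 + ln if code else 1
    return d

def snoop_verdict(frame, payload, trusted, bindings, allow_untrusted=False):
    """Apply the drop rules; frame = L2 header fields, bindings = CHADDR -> bound interface."""
    d = parse_dhcp(payload)
    if trusted:
        return "forward"
    if d["msg_type"] in UNTRUSTED_DROP:
        return "drop: server message on untrusted interface"
    if frame["src_mac"] != d["chaddr"]:
        return "drop: source MAC does not match CHADDR"
    if d["msg_type"] in (4, 7) and bindings.get(d["chaddr"], frame["ingress"]) != frame["ingress"]:
        return "drop: DECLINE/RELEASE from an interface other than the bound one"
    if d["giaddr"] != "0.0.0.0" or (d["opt82"] and not allow_untrusted):
        return "drop: relay-agent information on untrusted interface"
    return "forward"

def wireless_rewrite(frame, payload, bootp_broadcast=False):
    """Server -> wireless client: swap broadcast dst MAC for CHADDR unless bootp-broadcast is enabled."""
    d = parse_dhcp(payload)
    if bootp_broadcast or frame["dst_mac"] != BROADCAST or d["msg_type"] not in SERVER_MSGS:
        return frame
    return {**frame, "dst_mac": d["chaddr"]}
```

Passing allow_untrusted=True models the ip dhcp snooping information option allow-untrusted setting on the aggregation switch; a trusted interface bypasses every check, which is why DHCP servers must sit behind trusted ports.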