DHCP Snooping

DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and stop any malicious DHCP packets. This is best explained with an example so take a look at the picture below:

core distribution access dhcp hacker

In the picture above I have a DHCP server connected to the switch on the top left. At the bottom right you see a legitimate client that would like to get an IP address. What if the l33t hacker script kiddy on the left would run DHCP server software on his computer? Who do you think will respond first to the DHCP discover message? The legitimate DHCP server or the script kiddy’s DHCP server software?

On larger networks you will probably find a central DHCP server somewhere in the server farm. If an attacker runs a DHCP server in the same subnet he will probably respond faster to the DHCP discover message of the client. If this succeeds he might assign the client with its own IP address as the default gateway for a man-in-the-middle attack. Another option would be to send your own IP address as the DNS server so you can spoof websites etc.

The attacker could also send DHCP discover messages to the DHCP server and try to deplete its DHCP pool. So what can we do to stop this madness? DHCP snooping to the rescue! We can configure our switches so they track the DHCP discover and DHCP offer messages. Here’s how:

dhcp snooping discover offer packets

Interfaces that connect to clients should never be allowed to send a DHCP offer message. We can enforce this by making them untrusted. An interface that is untrusted will block DHCP offer messages. Only an interface that has been configured as trusted is allowed to forward DHCP offer messages. We can also rate-limit interfaces to they can’t send an unlimited amount of DHCP discover messages, this will prevent attacks from depleting the DHCP pool.

When a Cisco Catalyst Switch receives a DHCP Discover, it will only forward it on trusted interfaces. This prevents rogue DHCP servers on untrusted interfaces from receiving it in the first place.

Let’s see how we can configure DHCP snooping…

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

536 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Yevgeniy,

    DHCP Option 82 stands for “DHCP Relay Agent Information Option”. If you haven’t seen how DHCP relay works before, take a look at this lesson:


    Option 82 was originally created for really large (WAN) networks where we have a lot of DHCP relays and central DHCP servers. The idea behind it is that the DHCP relay can add extra information which the DHCP server can use to decide which pool to use for assigning an IP address. Option 82 has a “Circuit ID” and a “Remote ID”.

    The Circuit

    ... Continue reading in our forum

  2. Zaman,
    IOS XE is a different from the “traditional” IOS operating system in terms of its architecture. IOS XE still runs the traditional IOS, but it runs as a single process (daemon) within a larger linux operating system. Notice in your output, there is an indication of this (linux):


    So, “Version 03.12.00a.S” refers to the large linux operating system, while “Version 15.4(2)S0a” refers to the IOS version being run by the IOS daemon within IOS XE. Make sense?

    Here’s some more info on IOS XE if you want to read about the new

    ... Continue reading in our forum

  3. Hello Manuel

    Rene describes what option 82 does in this post very well.

    As to why you should disable option 82, when DHCP snooping is enabled on a switch, option 82 is enabled by default. That is, any DHCP request packets that are sent from a host will enter the switch and will have option 82 information ADDED to the request before it is sent on to the DHCP server. Specifically, enabling DHCP snooping on the switch adds the giaddr value of in the DHCP packet. However, the DHCP server is expecting this field to be set to that of the relay agent (a non

    ... Continue reading in our forum

  4. Hello Harry

    When you post a question, try to find a thread that is close to the topic that you are asking about. This is the perfect thread for this question. However, if you find that there is no thread that matches your question, you can always post a new topic, and we may re-categorize it into the appropriate thread.

    As for your question, keep in mind that the IP helper address command installed on the local router will just take any DHCP request that it hears on the network and forward it to the DHCP server that exists on a different subnet. This does no

    ... Continue reading in our forum

  5. Hello Sumant

    Take a look at the following diagram:


    Here we have an L3 switch that has three VLANs configured on it. We want each VLAN to be assigned an IP address in the range shown, but we want to create only a single DHCP server. We have a DHCP server with an IP address of which is completely outside of the VLANS we want to serve. In order for DHCP broadcast packets to reach this DHCP server, we configure the following command on the inter

    ... Continue reading in our forum

55 more replies! Ask a question or join the discussion by visiting our Community Forum