
ip dhcp snooping

Enables DHCP snooping globally on the switch to filter untrusted DHCP messages and prevent rogue DHCP server attacks.

Syntax (Global Config)
ip dhcp snooping

When to Use This Command

  • Preventing a rogue DHCP server from assigning malicious IP addresses to clients on an access layer switch.
  • Building a DHCP snooping binding database to track legitimate DHCP leases for IP Source Guard or Dynamic ARP Inspection.
  • Enforcing DHCP rate limiting on untrusted ports to mitigate DHCP starvation attacks.
  • Logging DHCP snooping violations for security auditing and troubleshooting.

Command Examples

Enable DHCP Snooping Globally and on VLAN 10

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)#

The first command enables DHCP snooping globally. The second command enables it specifically on VLAN 10, meaning the switch will inspect DHCP messages on that VLAN.

Verify DHCP Snooping Configuration

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP snooping is configured for the following VLANs:
10
Insertion of option 82 is enabled
Circuit-id format: vlan-mod-port
Remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted     Rate limit (pps)
-----------------------    -------     ------------------
GigabitEthernet0/1         yes         unlimited
GigabitEthernet0/2         no          15

The output shows global status: enabled, VLANs monitored (10), option 82 settings, and per-interface trust state and rate limit. Trusted interfaces (uplinks) are set to 'yes' with unlimited rate; untrusted ports (access ports) are 'no' with a rate limit of 15 packets per second.

Understanding the Output

The 'show ip dhcp snooping' command displays the global DHCP snooping status, the VLANs on which it is enabled, and the trust configuration per interface. The 'Trusted' column indicates whether the interface is considered trusted (yes) or untrusted (no). Trusted ports are typically uplinks to other switches or DHCP servers; untrusted ports are access ports facing clients. The 'Rate limit (pps)' column shows the maximum number of DHCP packets per second allowed on that interface; a value of 'unlimited' means no restriction. In a real network, ensure that only uplink ports are trusted and that untrusted ports carry a reasonable rate limit (e.g., 15-100 pps) to prevent DHCP starvation attacks. If a client-facing access port shows as trusted, that usually indicates a misconfiguration that would let a rogue DHCP server on that port answer clients.

CCNA Exam Tips

1. DHCP snooping must be enabled globally and per VLAN; both steps are required.

2. By default, all ports are untrusted; you must manually configure uplink ports as trusted using 'ip dhcp snooping trust'.

3. DHCP snooping is a prerequisite for Dynamic ARP Inspection (DAI) and IP Source Guard.

4. Option 82 insertion is enabled by default; the exam may ask about its role in DHCP snooping.

Common Mistakes

Mistake 1: Enabling DHCP snooping globally but forgetting to enable it on the specific VLAN, resulting in no filtering.

Mistake 2: Not configuring the uplink port as trusted, causing legitimate DHCP server responses to be dropped.

Mistake 3: Setting the rate limit too low on access ports, causing legitimate DHCP requests to be dropped during boot storms.
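The checks described under "Understanding the Output" and the three common mistakes above can be automated against the text of 'show ip dhcp snooping'. The script below is an added example, not part of the original page or of Cisco IOS; the sample output is constructed (it is the page's output plus an extra access port, Gi0/3, wrongly marked trusted), and the expected VLAN list, the set of uplink interfaces and the 15 pps floor are assumptions you would replace with your own site data.

```python
import re

# Constructed sample: the page's 'show ip dhcp snooping' output plus a wrongly trusted access port Gi0/3.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
Switch DHCP snooping is configured for the following VLANs:
10
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted     Rate limit (pps)
GigabitEthernet0/1         yes         unlimited
GigabitEthernet0/2         no          15
GigabitEthernet0/3         yes         unlimited
"""

# One per-interface row: name, trusted yes/no, rate limit as a number or 'unlimited'.
IFACE_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(unlimited|\d+)\s*$")

def parse_snooping(output):
    """Return global state, the configured VLAN set and per-interface trust/rate."""
    lines = output.splitlines()
    state = {"enabled": False, "vlans": set(), "interfaces": {}}
    for idx, line in enumerate(lines):
        if line.startswith("Switch DHCP snooping is enabled"):
            state["enabled"] = True
        elif "configured for the following VLANs" in line:
            # The VLAN list sits on the next line, e.g. "10,20,30-40"; ranges are expanded.
            for part in re.findall(r"\d+(?:-\d+)?", "".join(lines[idx + 1:idx + 2])):
                lo, _, hi = part.partition("-")
                state["vlans"].update(range(int(lo), int(hi or lo) + 1))
        m = IFACE_RE.match(line)
        if m:
            rate = None if m.group(3) == "unlimited" else int(m.group(3))
            state["interfaces"][m.group(1)] = {"trusted": m.group(2) == "yes", "rate": rate}
    return state

def audit(output, expected_vlans, uplinks, min_rate=15):
    """Flag the misconfigurations discussed above: VLANs not covered, untrusted
    uplinks, trusted access ports, and untrusted ports with no or too low a limit."""
    st = parse_snooping(output)
    findings = [] if st["enabled"] else ["DHCP snooping is not enabled globally"]
    for v in sorted(set(expected_vlans) - st["vlans"]):
        findings.append(f"VLAN {v}: snooping not enabled, no filtering on this VLAN")
    for name, i in st["interfaces"].items():
        is_uplink = name in uplinks  # assumption: caller knows which ports are uplinks
        if is_uplink and not i["trusted"]:
            findings.append(f"{name}: uplink is untrusted, DHCP server replies will be dropped")
        elif not is_uplink and i["trusted"]:
            findings.append(f"{name}: access port is trusted, a rogue DHCP server would be accepted")
        elif not is_uplink and (i["rate"] is None or i["rate"] < min_rate):
            shown = "unlimited" if i["rate"] is None else f"{i['rate']} pps"
            findings.append(f"{name}: untrusted port rate limit is {shown} (want a finite value >= {min_rate} pps)")
    return findings
```

Running audit(SAMPLE_OUTPUT, expected_vlans=[10, 20], uplinks={"GigabitEthernet0/1"}) reports the missing VLAN 20 and the trusted access port Gi0/3, and stays silent on Gi0/1 and Gi0/2.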
