CCNA 200-301 | Chapter 77 of 260 | Objective 4.3

DHCP Snooping

Imagine a rogue device on your network pretending to be the DHCP server, handing out malicious IP configurations to unsuspecting hosts. That's a DHCP spoofing attack, and it's one of the most common Layer 2 security threats. DHCP Snooping is the Cisco switch feature that thwarts it by acting as a filter between trusted DHCP server ports and untrusted client ports. For the CCNA 200-301 exam (objective 4.3, Configure and verify DHCP client and relay, where this chapter sits, and objective 5.7, Configure and verify Layer 2 security features, which names DHCP snooping explicitly), you must know not only how to configure it but also the underlying mechanism: how it builds a binding database, filters messages, and feeds DAI and IP Source Guard.

25 min read
Intermediate
Updated May 31, 2026

The ID Check at a VIP Party

Imagine you're the bouncer at an exclusive party. There are two types of people: VIPs (trusted DHCP servers) who can enter freely, and regular guests (untrusted clients) who must be checked. The party has one main door (the switch port connected to the DHCP server) where VIPs enter, and many side doors (client ports) where guests try to sneak in. The bouncer's job is to ensure only authorized VIPs can distribute party favors (DHCP offers) and that each guest only gets one favor (IP address) from a legitimate VIP.

Your bouncer keeps a guest list (the DHCP snooping binding database) that records who got a favor, through which door, and for how long (lease time). When a guest tries to claim they are a VIP and hand out favors (a rogue DHCP server), the bouncer immediately stops them because they came through a side door. If a guest at one side door tries to hand back a favor that was issued to someone at a different door (a forged Release), the bouncer checks the list and refuses. The bouncer also watches for guests who try to grab many favors at once (a DHCP starvation attack) by limiting how many requests can come through a single door per second (rate limiting). Checking that guests use only the favor on the list once they are inside is left to the bouncer's colleagues, DAI and IP Source Guard, who read the same list.

This system works because the bouncer trusts only the main door (trusted port) and treats all side doors as potentially hostile. The bouncer doesn't just check IDs; he records every transaction. That way, if a guest tries to leave and come back with a fake ID, the bouncer's list catches the mismatch. This is exactly how DHCP snooping works: it builds a dynamic database of legitimate DHCP bindings and filters all DHCP messages based on port trust and message type.

How It Actually Works

What is DHCP Snooping and Why Does It Exist?

DHCP Snooping is a Layer 2 security feature on Cisco switches that filters untrusted DHCP messages and builds a DHCP snooping binding database. It protects against two primary attacks:

DHCP Spoofing Attack: An attacker connects a rogue DHCP server to an untrusted port, offering malicious IP configurations (e.g., setting the default gateway or DNS server to the attacker's IP) to intercept traffic.

DHCP Starvation Attack: An attacker floods the network with DHCP Discover messages using spoofed MAC addresses, exhausting the DHCP server's address pool and causing a denial of service (often as the first step before bringing up a rogue server that answers the now-unanswered clients).

DHCP snooping is a prerequisite for two other security features: Dynamic ARP Inspection (DAI) and IP Source Guard. The exam often tests these interactions.

How DHCP Snooping Works at the Packet Level

DHCP snooping divides switch ports into two trust states: trusted and untrusted. By default, all ports are untrusted. Only ports connected to legitimate DHCP servers should be configured as trusted.

Message Filtering Rules

When a switch receives a DHCP message on an interface, it applies these rules:

Trusted port: All DHCP messages are allowed (Discover, Offer, Request, Ack, etc.). This is where the real DHCP server sits, or, on an access switch, the uplink through which the server's replies arrive.

Untrusted port: Only client-originated messages (Discover, Request, Decline, Release, Inform) are forwarded, and even those are checked. Offer, Ack, and Nak are dropped because they can only legitimately come from a server, which must sit behind a trusted port. The switch also drops, on untrusted ports: frames whose source MAC does not match the DHCP client hardware address (chaddr) field (MAC address verification, on by default); packets with a non-zero giaddr or with Option 82 already present, because those come from relay agents, not clients; and a Release or Decline whose MAC has a binding on a different interface than the one it arrived on, which stops one host from tearing down another host's lease. Rate limiting, when configured, counts all DHCP packets on the port, not just Release and Decline.

Building the Binding Database

When a client completes the DORA exchange, the switch snoops the DHCP Ack that the server sends through the trusted port and pairs it with the Discover/Request it saw earlier from the client's untrusted port. From that exchange it extracts:

Client MAC address

Client IP address (the leased IP)

Lease time

VLAN number

Interface where the client is connected

This information is stored in the DHCP snooping binding database. The switch uses this database to validate subsequent traffic (e.g., for IP Source Guard) and to detect spoofing.
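To make the filtering rules and the binding database concrete, here is an added example (not Cisco code and not from this page) that models a single snooping switch in Python. It parses real BOOTP/DHCP payloads that are constructed inline, applies the trust rules above per port, learns a binding from the Ack by matching it back to the port where the client's Discover/Request arrived, and counts drops using the names from `show ip dhcp snooping statistics` where a matching counter exists. It goes slightly beyond the prose by also enforcing MAC address verification and the Release/Decline interface check. Port names, MAC addresses and the one-second rate-limit window are assumptions of the example.

```python
"""Model of DHCP snooping on one VLAN: per-port trust rules plus the binding database.
Added example, not Cisco code. Payloads use real BOOTP + option encoding and are built
inline; drop reasons reuse 'show ip dhcp snooping statistics' counter names where one
exists. Port names, MAC addresses and the 1-second rate window are assumptions."""
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}              # legitimate only from a trusted port
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", lease=None, opt82=False):
    """Build a minimal, well-formed DHCP payload (constructed test input)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack(BOOTP_FMT, 2 if msg_type in SERVER_MSGS else 1,   # BOOTREPLY/REQUEST
                      1, 6, 0, 0x1234, 0, 0, ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"),
                      ip(giaddr), bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                         # option 53: message type
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)   # option 51: lease time
    if opt82:
        opts += bytes([82, 2, 1, 0])                        # option 82, empty circuit-id
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Return (msg_type, chaddr, yiaddr, giaddr, lease, has_opt82) from a DHCP payload."""
    f = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    chaddr = ":".join(f"{b:02x}" for b in f[11][:f[2]])    # first hlen bytes of chaddr
    yiaddr, giaddr = (".".join(map(str, f[i])) for i in (8, 10))
    msg_type, lease, opt82, i = None, None, False, 240
    while i < len(payload) and payload[i] != 255:            # 255 = end of options
        if payload[i] == 0:                                  # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        elif code == 51:
            lease = struct.unpack("!I", payload[i + 2:i + 6])[0]
        elif code == 82:
            opt82 = True
        i += 2 + length
    return msg_type, chaddr, yiaddr, giaddr, lease, opt82


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit   # pps allowed on untrusted ports; None = unlimited
        self.pending = {}              # chaddr -> client port, seen in Discover/Request
        self.bindings = {}             # chaddr -> (ip, lease, port): the binding table
        self.errdisabled, self.drops, self._rate = set(), {}, {}

    def _drop(self, reason):
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return False

    def receive(self, port, src_mac, payload, now=0):
        """Apply the snooping rules to one DHCP frame. True = forwarded, False = dropped."""
        msg_type, chaddr, yiaddr, giaddr, lease, opt82 = parse_dhcp(payload)
        if port in self.trusted:                            # trusted: forward everything,
            if msg_type == ACK and chaddr in self.pending:  # but learn the binding from the Ack
                self.bindings[chaddr] = (yiaddr, lease, self.pending.pop(chaddr))
            return True
        key = (port, now)                                   # untrusted: rate limit first
        self._rate[key] = self._rate.get(key, 0) + 1
        if self.rate_limit and self._rate[key] > self.rate_limit:
            self.errdisabled.add(port)
            return self._drop("Rate limit exceeded")
        if msg_type in SERVER_MSGS:
            return self._drop("DHCP server received on untrusted port")
        if giaddr != "0.0.0.0":
            return self._drop("DHCP relay received on untrusted port")
        if opt82:
            return self._drop("DHCP option 82 received on untrusted port")
        if src_mac.lower() != chaddr:                       # MAC address verification
            return self._drop("Invalid source MAC address")
        if msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(chaddr)
            if bound and bound[2] != port:                  # another port's lease
                return self._drop("Release/Decline from a different interface")
            self.bindings.pop(chaddr, None)
        elif msg_type in (DISCOVER, REQUEST):
            self.pending[chaddr] = port
        return True


def run_demo():
    """Legit DORA, a rogue server, a spoofed chaddr, a hijacked Release, a starvation burst."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=10)
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    sw.receive("Gi0/2", client, build_dhcp(DISCOVER, client))
    sw.receive("Gi0/1", server, build_dhcp(OFFER, client, yiaddr="192.168.1.10"))
    sw.receive("Gi0/2", client, build_dhcp(REQUEST, client))
    sw.receive("Gi0/1", server, build_dhcp(ACK, client, yiaddr="192.168.1.10", lease=86400))
    sw.receive("Gi0/3", rogue, build_dhcp(OFFER, client, yiaddr="10.0.0.5"))   # rogue server
    sw.receive("Gi0/3", rogue, build_dhcp(DISCOVER, "00:00:00:00:00:01"))       # chaddr != src MAC
    sw.receive("Gi0/3", client, build_dhcp(RELEASE, client))                    # release from wrong port
    for n in range(11):                                                         # 11 pps > limit of 10
        mac = f"02:00:00:00:00:{n:02x}"
        sw.receive("Gi0/4", mac, build_dhcp(DISCOVER, mac), now=7)
    return sw
```

Calling `run_demo()` and inspecting `bindings`, `drops` and `errdisabled` shows the legitimate client bound to Gi0/2 with its 86400-second lease, one drop each for the rogue Offer, the chaddr mismatch and the forged Release, and Gi0/4 err-disabled by the eleventh Discover in the same second. Note that a real switch keys the pending request on the transaction ID as well as the MAC; the example keys on MAC only to keep the model short.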

Key States, Timers, and Defaults

DHCP Snooping is globally disabled by default. You must enable it with ip dhcp snooping.

DHCP Snooping is per-VLAN: You must specify which VLANs to snoop with ip dhcp snooping vlan {vlan-id}.

Port trust: All ports are untrusted by default. Configure trusted ports with ip dhcp snooping trust.

Rate Limiting: You can limit the rate of DHCP packets on untrusted ports with ip dhcp snooping limit rate {packets-per-second}. There is no limit by default. Study material and many access-port templates use 10-15 pps; Cisco's configuration guides advise not exceeding 100 pps on untrusted ports. A port that exceeds its limit is err-disabled.

Binding Database: Stored in RAM. Can be backed up to a file on flash or a TFTP server using ip dhcp snooping database {url}.

Lease time: Extracted from the DHCP Ack. The binding is removed when the lease expires or when the client sends a DHCP Release.

Option 82 (DHCP Relay Agent Information): By default the switch inserts Option 82 into client DHCP packets received on untrusted ports while leaving the giaddr header field at 0.0.0.0. A downstream IOS relay agent drops such packets unless it is configured with ip dhcp relay information trust-all (or per-interface ip dhcp relay information trusted), and some DHCP servers also reject them. Either fix the relay or disable insertion with no ip dhcp snooping information option. Packets that already carry Option 82 are dropped on untrusted ports by default.

IOS CLI Verification Commands with Example Output

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0011.2233.4455 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted      Rate limit (pps)
-----------------------    -------      -----------------
GigabitEthernet0/1         yes          unlimited
GigabitEthernet0/2         no           10
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55  192.168.1.10     86300       dhcp-snooping   10    GigabitEthernet0/2
Switch# show ip dhcp snooping statistics
Packets Processed by DHCP Snooping = 100
Packets Dropped Because...
  IDB not known = 0
  Queue full = 0
  Interface is in error down = 0
  Rate limit exceeded = 0
  DHCP option 82 not allowed = 0
  Invalid server IP address = 0
  Invalid client IP address = 0
  Invalid source MAC address = 0
  Invalid destination MAC address = 0
  Invalid source MAC address (SPA) = 0
  Invalid destination MAC address (DPA) = 0
  Invalid DHCP message type = 0
  DHCP server received on untrusted port = 5
  DHCP client received on trusted port = 0
  DHCP relay received on untrusted port = 0
  DHCP relay received on trusted port = 0
  DHCP option 82 received on untrusted port = 0
  DHCP option 82 received on trusted port = 0

How DHCP Snooping Interacts with Related Protocols

Dynamic ARP Inspection (DAI): DAI uses the DHCP snooping binding database to validate ARP packets. If a device sends an ARP reply with an IP/MAC that doesn't match the binding, DAI drops it. This prevents ARP spoofing.

IP Source Guard: This feature uses the binding database to filter IP traffic on untrusted ports. With ip verify source it drops any packet whose source IP does not match a binding for that port; with ip verify source port-security it also checks the source MAC. A host using a static IP has no binding and is blocked unless you add one with ip source binding.

DHCP Relay: When a DHCP relay agent (usually a router or Layer 3 switch) forwards a client's broadcast to a server on another subnet, DHCP snooping still operates on the access switch where the client connects. The relay sets the giaddr header field to its own interface address so the server can choose the right pool; Option 82 (relay agent information: circuit ID and remote ID) is a separate option, not the giaddr, that the snooping switch or the relay may add to identify the client's port.

Walk-Through

1

Enable DHCP Snooping Globally

Enter global configuration mode and enable DHCP snooping with the command `ip dhcp snooping`. Without this, no snooping occurs. Verify with `show ip dhcp snooping` — you should see 'Switch DHCP snooping is enabled'. This step activates the feature on the switch but does not apply to any VLAN yet.

2

Specify VLANs to Snoop

Use `ip dhcp snooping vlan {vlan-id}` (e.g., `ip dhcp snooping vlan 10`). You can specify a range or multiple VLANs. DHCP snooping only monitors DHCP traffic on these VLANs. All other VLANs are ignored. Verify with `show ip dhcp snooping` — the VLANs appear under 'DHCP snooping is configured on following VLANs'.

3

Configure Trusted Ports for DHCP Servers

By default, all ports are untrusted. On the interface connected to the legitimate DHCP server, enter interface configuration mode and apply `ip dhcp snooping trust`. This allows all DHCP messages (including Offers, Acks) to be received on that port. Without this, the server's replies would be dropped. On an access switch whose DHCP server sits behind the distribution layer or a relay, trust the uplink that carries the replies instead. Verify with `show ip dhcp snooping`: the trusted interface appears in the table.

4

Apply Rate Limiting on Untrusted Ports (Optional)

To limit DHCP starvation attacks, set a rate limit on untrusted ports. On the interface (e.g., GigabitEthernet0/2), use `ip dhcp snooping limit rate 10`. This limits DHCP packets to 10 per second. If the rate is exceeded the port is err-disabled; `errdisable recovery cause dhcp-rate-limit` in global configuration brings it back automatically after the recovery interval instead of requiring a manual shutdown/no shutdown. Verify with `show ip dhcp snooping`: the rate limit appears in the table.

5

Verify the Binding Database

Use `show ip dhcp snooping binding` to see the dynamically learned entries. Each entry shows the client MAC, IP, lease time, type, VLAN, and interface. If no clients have obtained DHCP leases, the table will be empty. This database is key for DAI and IP Source Guard.

6

Monitor DHCP Snooping Statistics

Use `show ip dhcp snooping statistics` to see how many packets were processed and dropped, and why. Look for 'DHCP server received on untrusted port' — if non-zero, someone is trying to act as a rogue server. This command helps troubleshoot misconfigurations or attacks.
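Steps 5 and 6 are where operators spend their time once the feature is on, usually across many switches. Here is an added example (not Cisco code and not from this page) that parses the `show ip dhcp snooping` and `show ip dhcp snooping statistics` output format shown above and flags the problems this chapter warns about: snooping disabled or configured on VLANs where it is not operational, no trusted port at all, untrusted ports with no rate limit, and a non-zero rogue-server counter. `SAMPLE_OK` and `STATS_OK` are the chapter's own output; `SAMPLE_BAD` and `STATS_BAD` are constructed for the example.

```python
"""Audit 'show ip dhcp snooping' and 'show ip dhcp snooping statistics' output.
Added example, not Cisco code: it parses the output format shown in this chapter and
flags the misconfigurations the walk-through warns about. SAMPLE_OK/STATS_OK are the
chapter's own output; SAMPLE_BAD/STATS_BAD are constructed (no trusted port, no limit)."""
import re

VLAN_HEADERS = {"configured": "DHCP snooping is configured on following VLANs:",
                "operational": "DHCP snooping is operational on following VLANs:"}

SAMPLE_OK = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on following L3 Interfaces:

Insertion of option 82 is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted      Rate limit (pps)
-----------------------    -------      -----------------
GigabitEthernet0/1         yes          unlimited
GigabitEthernet0/2         no           10
"""
STATS_OK = """\
Packets Processed by DHCP Snooping = 100
Packets Dropped Because...
  Rate limit exceeded = 0
  DHCP server received on untrusted port = 5
"""
SAMPLE_BAD = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20,30-31
DHCP snooping is operational on following VLANs:
none
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted      Rate limit (pps)
-----------------------    -------      -----------------
GigabitEthernet0/5         no           unlimited
"""
STATS_BAD = "Packets Processed by DHCP Snooping = 0\n  DHCP server received on untrusted port = 0\n"


def expand_vlans(line):
    """'10,20-22' -> {10, 20, 21, 22}; a blank or non-numeric line -> empty set."""
    vlans = set()
    for part in line.replace(" ", "").split(","):
        if re.fullmatch(r"\d+-\d+", part):
            lo, hi = map(int, part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.isdigit():
            vlans.add(int(part))
    return vlans


def parse_show_snooping(output):
    """Return enabled flag, configured/operational VLAN sets and per-port (trusted, rate)."""
    lines = output.splitlines()
    st = {"enabled": False, "configured": set(), "operational": set(), "ports": {}}
    in_table = False
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("Switch DHCP snooping is"):
            st["enabled"] = s.endswith("enabled")
        for key, header in VLAN_HEADERS.items():
            if s == header and i + 1 < len(lines):      # VLAN list is on the next line
                st[key] = expand_vlans(lines[i + 1])
        if s.startswith("-----"):                        # separator under the table header
            in_table = True
        elif in_table and len(s.split()) >= 3:
            name, trusted, rate = s.split()[:3]
            st["ports"][name] = (trusted == "yes", rate)
    return st


def parse_stats(output):
    """'  Rate limit exceeded = 0' lines -> {'Rate limit exceeded': 0, ...}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(.+?)\s*=\s*(\d+)\s*$", output, re.M)}


def audit(show_snooping, show_stats):
    """Return (severity, message) findings for the misconfigurations this chapter describes."""
    st, stats = parse_show_snooping(show_snooping), parse_stats(show_stats)
    findings = []
    if not st["enabled"]:
        findings.append(("error", "DHCP snooping is globally disabled"))
    if not st["configured"]:
        findings.append(("error", "no VLANs are configured for snooping"))
    missing = st["configured"] - st["operational"]
    if missing:
        findings.append(("warn", f"configured but not operational on VLANs {sorted(missing)}"))
    if st["enabled"] and not any(t for t, _ in st["ports"].values()):
        findings.append(("error", "no trusted port: legitimate Offers/Acks will be dropped"))
    for port, (trusted, rate) in st["ports"].items():
        if not trusted and rate == "unlimited":
            findings.append(("warn", f"{port} is untrusted with no rate limit (starvation risk)"))
    rogue = stats.get("DHCP server received on untrusted port", 0)
    if rogue:
        findings.append(("alert", f"{rogue} server message(s) on untrusted ports: possible rogue DHCP server"))
    return findings
```

On the chapter's own output `audit(SAMPLE_OK, STATS_OK)` returns a single alert for the five server messages seen on an untrusted port, which is exactly the counter step 6 tells you to watch; on the constructed bad switch it reports the non-operational VLANs, the absence of any trusted port, and the unlimited untrusted port. Feed it the output collected from each access switch and the no-trusted-port error alone catches the outage described in the next section before the help desk does.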

What This Looks Like on the Job

In a typical enterprise campus network, DHCP snooping is deployed on access switches that connect end-user devices. Consider a hospital network where patient monitors, nurse stations, and guest Wi-Fi all use DHCP. The core switch or a dedicated DHCP server (e.g., Windows Server) provides IP addresses. The network engineer configures the port connecting to the DHCP server as trusted, and all access ports as untrusted with a rate limit of 15 pps. This prevents a compromised device in a patient room from running a rogue DHCP server that could redirect traffic to an attacker.

Another scenario is a university dormitory network. Students often bring personal routers that can act as DHCP servers, causing IP conflicts and network outages. DHCP snooping on the residence hall switches blocks these rogue Offers. The network team also enables DAI and IP Source Guard on the same untrusted ports to prevent ARP spoofing and IP spoofing. The binding database is backed up to a TFTP server every hour to survive a switch reboot.

Scale considerations: The binding database lives in RAM and is rebuilt from scratch after a reload unless you persist it with ip dhcp snooping database, so on a busy access switch configure the database agent (flash or TFTP) and keep an eye on the total binding count reported by show ip dhcp snooping binding. Misconfiguration is common: forgetting to trust the server port leads to the legitimate DHCP server's Offers being dropped, every client on the VLAN fails to get an address, and the 'DHCP server received on untrusted port' counter climbs even though there is no attacker. The same failure appears when the DHCP server is plugged directly into an access switch on a snooped VLAN with its port left untrusted. Remember that trust applies to the whole path the replies take: on an access switch the uplink toward the distribution layer or the relay must be trusted, not only the port where the server itself plugs in. Always ensure the server's port, and the uplinks that carry its replies, are trusted.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam names DHCP snooping explicitly under Objective 5.7 ('Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)'); this chapter groups it with Objective 4.3 ('Configure and verify DHCP client and relay') because the two meet at the relay and the binding database. You will likely see multiple-choice questions about what DHCP snooping does, which messages are dropped on untrusted ports, and how it interacts with DAI and IP Source Guard. You are unlikely to be asked to configure it from scratch in a simulation, but you may be shown a configuration and asked to identify errors or predict behavior.

Common wrong answers: 1. 'DHCP snooping prevents rogue DHCP clients' — Wrong. It prevents rogue servers, not clients. 2. 'All DHCP messages are allowed on untrusted ports' — Wrong. Only client messages (Discover, Request, Release, Decline, Inform) are allowed; Offers, Acks, and Naks are dropped. 3. 'DHCP snooping is enabled per-interface' — Wrong. It is enabled globally and per-VLAN; trust and rate limits are per-interface. 4. 'The binding database stores the DHCP server's IP' — Wrong. It stores the client IP, MAC, VLAN, interface, and lease time.

Specific values to know: - Default trust state: untrusted. - Default rate limit: unlimited. - Option 82 insertion: enabled by default. - Command to enable: ip dhcp snooping (global), ip dhcp snooping vlan {vlan-id}. - Command to trust: ip dhcp snooping trust. - Command to verify: show ip dhcp snooping binding, show ip dhcp snooping.

Decision rule: If a question asks which DHCP messages are allowed on an untrusted port, remember: only client-to-server messages (Discover, Request, Decline, Release, Inform). Server-to-client messages (Offer, Ack, Nak) are blocked. If a question mentions a rogue DHCP server, the solution is DHCP snooping with the server port (or the uplink toward the server) trusted and client ports untrusted.

Key Takeaways

DHCP snooping prevents DHCP spoofing and starvation attacks by filtering DHCP messages based on port trust.

All ports are untrusted by default; configure trusted ports only for legitimate DHCP servers.

On untrusted ports, only client-originated messages (Discover, Request, Release, Decline, Inform) are forwarded; Offers, Acks, and Naks are dropped.

Enable globally with `ip dhcp snooping`, then specify VLANs with `ip dhcp snooping vlan {vlan-id}`.

Use `ip dhcp snooping trust` on interfaces connected to DHCP servers.

Rate limiting on untrusted ports (e.g., `ip dhcp snooping limit rate 10`) prevents starvation attacks.

The binding database (`show ip dhcp snooping binding`) stores client MAC, IP, lease, VLAN, and interface, and is used by DAI and IP Source Guard.

Option 82 insertion is enabled by default and can cause issues with some DHCP servers; disable with `no ip dhcp snooping information option`.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DHCP Snooping

Filters DHCP messages based on port trust.

Builds a binding database of client IP-MAC-interface-VLAN.

Prevents rogue DHCP servers and starvation attacks.

Enabled globally and per-VLAN.

Uses `ip dhcp snooping trust` for server ports.

Dynamic ARP Inspection (DAI)

Filters ARP messages based on IP-MAC bindings.

Uses the DHCP snooping binding database for validation.

Prevents ARP spoofing and man-in-the-middle attacks.

Enabled per VLAN with `ip arp inspection vlan`; relies on the DHCP snooping binding database (or ARP ACLs for hosts with static addresses).

Uses `ip arp inspection trust` for trusted ports.

Watch Out for These

Mistake

DHCP snooping blocks all DHCP traffic on untrusted ports.

Correct

It only blocks DHCP server-to-client messages (Offer, Ack, Nak) on untrusted ports. Client messages (Discover, Request, Release, Decline, Inform) are allowed, subject to MAC verification and the rate limit.

Candidates often think the feature blocks all DHCP traffic, but it is designed to allow legitimate client requests while blocking rogue server responses.

Mistake

DHCP snooping must be enabled on each interface individually.

Correct

DHCP snooping is enabled globally and per-VLAN. Interface trust is configured per-interface, but the feature itself is not per-interface.

Confusion arises because many security features are applied per-interface (e.g., port security). DHCP snooping, like DAI, is switched on globally and per VLAN, with trust set per interface.

Mistake

The DHCP snooping binding database stores the DHCP server's IP address.

Correct

It stores client IP addresses, not server IPs. The database records which client got which IP, along with MAC, VLAN, and interface.

Candidates may assume the database tracks server information, but it is client-centric for validation purposes.

Mistake

DHCP snooping can prevent a client from using a static IP address.

Correct

DHCP snooping alone does not block static IP usage. That requires IP Source Guard, which uses the binding database to filter traffic.

Candidates often conflate DHCP snooping with IP Source Guard. The exam tests the distinction.


Frequently Asked Questions

Does DHCP snooping work on Layer 3 switches?

Yes. DHCP snooping is a Layer 2 feature and runs the same way on a multilayer switch: you enable it globally and per VLAN, not on SVIs. If that switch is also the DHCP relay for the VLAN, the relay sets the giaddr header field to the SVI address when it forwards the client's broadcast to the server; Option 82 is a separate relay agent information option, not the giaddr. Make sure the port or uplink through which the server's replies return is trusted.

What is the default rate limit for DHCP snooping?

There is no default rate limit; it is 'unlimited'. You must explicitly configure one with `ip dhcp snooping limit rate {pps}` on untrusted ports to limit starvation attacks. CCNA study material and many access-port templates use 10 to 15 pps; Cisco's configuration guides recommend not exceeding 100 pps on untrusted ports, and trusted uplinks or trunks that carry many clients' DHCP traffic should be left unlimited or given a much higher value.

Can DHCP snooping cause legitimate DHCP traffic to be dropped?

Yes, if misconfigured. The most common mistake is forgetting to trust the DHCP server port, or the uplink through which the server's replies arrive on an access switch; every Offer and Ack is then dropped and the 'DHCP server received on untrusted port' counter climbs. The second is Option 82: the switch inserts it by default with giaddr left at 0.0.0.0, and an IOS relay or some servers drop such packets. Either allow it on the relay with `ip dhcp relay information trust-all` or turn insertion off with `no ip dhcp snooping information option`.

How does DHCP snooping interact with DHCP relay?

When a relay agent forwards a client's Discover to a server, it sets the giaddr field to its own interface address so the server knows which subnet to allocate from; giaddr is a field in the DHCP header, not Option 82. The snooping switch sees the client side of the exchange on the untrusted access port and the server's reply returning through the trusted uplink, and records the binding from the final Ack. Watch the Option 82 interaction: the snooping switch inserts Option 82 by default while leaving giaddr at 0.0.0.0, and an IOS relay drops such packets unless configured with `ip dhcp relay information trust-all` (or per-interface `ip dhcp relay information trusted`); alternatively, turn insertion off with `no ip dhcp snooping information option`.

What is the difference between DHCP snooping and IP Source Guard?

DHCP snooping filters DHCP messages and builds a binding database. IP Source Guard uses that database to filter all IP traffic on untrusted ports, dropping any packet whose source IP and MAC do not match a binding. In short, DHCP snooping is the foundation; IP Source Guard enforces the bindings for general traffic.

Does DHCP snooping support IPv6?

No, DHCP snooping is for IPv4 only. For IPv6, there is a separate feature called DHCPv6 Guard (or IPv6 DHCP Guard), which is not on the CCNA exam. The CCNA 200-301 only covers DHCP snooping for IPv4.

How do I back up the DHCP snooping binding database?

Use the global command `ip dhcp snooping database {url}`, where the URL can be `flash:filename` or `tftp://server/filename`. The switch rewrites the file whenever bindings change, after the write delay (`ip dhcp snooping database write-delay {seconds}`, default 300 seconds), and reads it back on reload; `show ip dhcp snooping database` shows the agent's status and `renew ip dhcp snooping database` forces a re-read. Without this, the bindings are lost on reload and DAI and IP Source Guard block hosts until they renew their leases.
