DHCP snooping

Overview

DHCP is a protocol used by DHCP servers in IP networks to dynamically allocate network configuration data to client devices (DHCP clients). This configuration data can include the client's IP address, subnet mask, default gateway IP address, DNS server IP address, and lease duration. DHCP lets clients be configured with this data automatically, without any manual setup process.

DHCP snooping is a security feature that helps avoid problems caused by an unauthorized DHCP server on the network that provides invalid configuration data to DHCP clients. A user without malicious intent may cause this problem by unknowingly adding to the network a switch or other device that has a DHCP server enabled by default. A user with malicious intent may add a DHCP server deliberately: a rogue server that answers before the legitimate one can hand out unusable addresses (Denial of Service), or point clients at an attacker-controlled default gateway or DNS server so that their traffic can be intercepted (Man in the Middle).

DHCP snooping helps prevent such problems by distinguishing between trusted ports, which connect to legitimate DHCP servers (or to uplinks toward them), and untrusted ports, which connect to general users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on untrusted ports are inspected before being forwarded, and packets that fail inspection, in particular DHCP server messages arriving on an untrusted port, are dropped.

In addition, in support of the separate IP source lockdown feature, DHCP snooping also dynamically collects client information (VLAN, IPv4 address, MAC address, interface) from the DHCP exchanges it inspects and adds it to the switch IP binding database. Alternatively, also in support of IP source lockdown, the IP binding database can be updated statically using the ipv4 source-binding or ipv6 source-binding commands. Statically configured IP binding information supersedes any dynamically collected information for the same client.

NOTE:

DHCP Snooping and DHCP relay should not be configured on the same switch.

NOTE:

For even more rigorous security that is applied in hardware on a packet-by-packet basis, you can use the IP source lockdown feature, as described in IP source lockdown.

DHCPv4 snooping conditions for dropping DHCPv4 packets

Applies only to DHCPv4 snooping. Each entry lists the packet types that can be dropped, followed by the conditions under which they are dropped.

Packet types that are dropped: DHCPOFFER, DHCPACK, DHCPNAK (also written DHCPNACK)
Conditions for dropping the packets:
  • A packet from a DHCP server is received on an untrusted port.

  • The switch is configured with a list of authorized DHCP server addresses, and a packet from a DHCP server is received on a trusted port with a source IP address that is not in that list.

Packet types that are dropped: DHCPRELEASE, DHCPDECLINE
Conditions for dropping the packets:
  • A broadcast packet whose client MAC address is in the DHCP binding database, but the port recorded in the binding database does not match the port on which the packet is received. This stops a host on one port from releasing or declining a lease that belongs to a client on another port.

Packet types that are dropped: all DHCP packet types
Conditions for dropping the packets:
  • When the check is enabled (the default), a DHCP packet is received on an untrusted port in which the client hardware address (the chaddr field of the DHCP header) does not match the source MAC address of the Ethernet frame carrying it.

  • When the check is enabled (the default), a DHCP packet containing DHCP relay agent information (option 82) is received on an untrusted port.
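The following is an added worked example, not code from the switch or from this documentation. It models the drop rules above and the binding-database behaviour described in the overview (dynamic learning from a forwarded DHCPACK, static entries superseding dynamic ones) as an in-memory Python class. The DHCPv4 wire format it builds and parses follows RFC 2131, but the switch state, port names (1/1/3, 1/1/48, ...), MAC and IP addresses, and the frames themselves are all constructed for the example and are not any vendor's implementation.

```python
"""Model of the DHCPv4 snooping drop rules and binding database (added example)."""
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, OPT_PAD = 53, 82, 255, 0
SERVER_MSGS = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}
LEASE_END_MSGS = {4: "DHCPDECLINE", 7: "DHCPRELEASE"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
DROP, FORWARD = "drop", "forward"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp(op: int, chaddr: str, msg_type: int, yiaddr="0.0.0.0", option82=False) -> bytes:
    """Build a minimal DHCPv4 message: fixed header, magic cookie, option 53, optional option 82."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, bytes(map(int, yiaddr.split("."))), b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82:  # relay agent information with one constructed circuit-id sub-option
        opts += bytes([OPT_RELAY_AGENT, 4, 1, 2, 0, 7])
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Parse op, chaddr, yiaddr and the TLV options out of a DHCPv4 payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 message")
    hlen = payload[2]
    msg = {"op": payload[0], "chaddr": mac_str(payload[28:28 + hlen]),
           "yiaddr": ".".join(str(b) for b in payload[16:20]), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


@dataclass
class Frame:            # what the switch sees: ingress port/VLAN, Ethernet and IP headers, UDP data
    port: str
    vlan: int
    src_mac: str
    dst_mac: str
    src_ip: str
    payload: bytes


@dataclass
class Binding:          # one IP binding database entry (VLAN, IPv4, MAC, interface)
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    authorized_servers: set = field(default_factory=set)   # empty = no authorized list configured
    verify_client_mac: bool = True                         # default-on: chaddr must equal source MAC
    drop_option82_untrusted: bool = True                   # default-on: no option 82 from untrusted ports
    static_bindings: dict = field(default_factory=dict)    # mac -> Binding, operator-configured
    dynamic_bindings: dict = field(default_factory=dict)   # mac -> Binding, learned from DHCPACK
    pending_client_port: dict = field(default_factory=dict)  # mac -> port of last client message

    def binding(self, mac):
        # static entries supersede dynamic ones for the same client
        return self.static_bindings.get(mac) or self.dynamic_bindings.get(mac)

    def inspect(self, frame: Frame):
        """Return (DROP|FORWARD, reason) for one DHCP frame, updating the binding database."""
        msg = parse_dhcp(frame.payload)
        mtype = msg["options"].get(OPT_MSG_TYPE, b"\0")[0]
        if frame.port in self.trusted_ports:
            if (mtype in SERVER_MSGS and self.authorized_servers
                    and frame.src_ip not in self.authorized_servers):
                return DROP, f"{SERVER_MSGS[mtype]} from unauthorized server {frame.src_ip}"
            if mtype == 5:  # DHCPACK: record the lease on the port the client requested from
                port = self.pending_client_port.get(msg["chaddr"])
                if port:
                    self.dynamic_bindings[msg["chaddr"]] = Binding(frame.vlan, msg["yiaddr"], msg["chaddr"], port)
            return FORWARD, "trusted port, not inspected"
        if mtype in SERVER_MSGS:
            return DROP, f"{SERVER_MSGS[mtype]} received on untrusted port {frame.port}"
        if self.drop_option82_untrusted and OPT_RELAY_AGENT in msg["options"]:
            return DROP, "option 82 present on untrusted port"
        if self.verify_client_mac and msg["chaddr"] != frame.src_mac:
            return DROP, f"chaddr {msg['chaddr']} != source MAC {frame.src_mac}"
        if mtype in LEASE_END_MSGS and frame.dst_mac == BROADCAST_MAC:
            bound = self.binding(msg["chaddr"])
            if bound and bound.port != frame.port:
                return DROP, f"{LEASE_END_MSGS[mtype]} for {msg['chaddr']} bound to {bound.port}"
        self.pending_client_port[msg["chaddr"]] = frame.port
        return FORWARD, "client message passed inspection"


def demo():
    """Run the constructed scenarios; returns the switch and a dict of (action, reason) per scenario."""
    sw = SnoopingSwitch(trusted_ports={"1/1/48"}, authorized_servers={"10.0.0.5"})
    client, rogue, server = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "00:11:22:33:44:55"
    r = {}
    r["discover"] = sw.inspect(Frame("1/1/3", 10, client, BROADCAST_MAC, "0.0.0.0", build_dhcp(1, client, 1)))
    r["rogue_offer"] = sw.inspect(Frame("1/1/7", 10, rogue, client, "10.0.0.99", build_dhcp(2, client, 2, "10.0.0.50")))
    r["ack"] = sw.inspect(Frame("1/1/48", 10, server, client, "10.0.0.5", build_dhcp(2, client, 5, "10.0.0.50")))
    r["unauth_ack"] = sw.inspect(Frame("1/1/48", 10, server, client, "10.0.0.6", build_dhcp(2, client, 5, "10.0.0.51")))
    r["spoofed_release"] = sw.inspect(Frame("1/1/9", 10, client, BROADCAST_MAC, "10.0.0.50", build_dhcp(1, client, 7)))
    r["mac_mismatch"] = sw.inspect(Frame("1/1/9", 10, rogue, BROADCAST_MAC, "0.0.0.0", build_dhcp(1, client, 3)))
    r["option82"] = sw.inspect(Frame("1/1/3", 10, client, BROADCAST_MAC, "0.0.0.0", build_dhcp(1, client, 3, option82=True)))
    # a static binding pins the client to 1/1/5 and supersedes the entry learned on 1/1/3
    sw.static_bindings[client] = Binding(10, "10.0.0.50", client, "1/1/5")
    r["static_override"] = sw.inspect(Frame("1/1/3", 10, client, BROADCAST_MAC, "10.0.0.50", build_dhcp(1, client, 7)))
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    for name, (action, reason) in results.items():
        print(f"{name:16s} {action:8s} {reason}")
    print("learned bindings:", switch.dynamic_bindings)
```

The scenarios exercise every row of the table: a rogue DHCPOFFER on an untrusted port, a DHCPACK from an IP outside the authorized-server list on the trusted port, a broadcast DHCPRELEASE for a MAC that is bound to another port, a chaddr/source-MAC mismatch, and option 82 arriving from an untrusted port. Note that the dynamic binding is only learned because the client's DHCPDISCOVER was seen first on an untrusted port; the switch pairs the later DHCPACK (chaddr, yiaddr) with that port, which is the information IP source lockdown later enforces.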