DHCP snooping is a security feature inteneded to prevent rogue DHCP server from sending malicious DHCP replies.
When DHCP snooping is enabled, the switch intercept all the DHCP requests, and discards DHCP replies coming from “untrusted” ports. The offending switch ports are automatically shut down and put in errdisable state.
DHCP snooping also has a database containing client MAC address, IP address offered, lease
time, and so on for all the completed DHCP bindings.
Configuring DHCP Snooping
Enable DHCP snooping globally on a switch
Switch(config)# ip dhcp snooping
Identify VLANs for DHCP snooping. In this case VLAN 10 to 15
Switch(config)# ip dhcp snooping vlan number 10-15
By default all ports are “untrusted”, so we have to add trusted ports
Here we are adding fa1/1 as trusted port
Switch(config)# interface type fa1/1
Switch(config-if)# ip dhcp snooping trust
(Optional) Rate limiting untrusted port.
Here we are rate limiting interface fa0/1
Switch(config)# interface fa0/1
Switch(config-if)# ip dhcp snooping limit rate 10
The rate can be 1 to 2048 DHCP packets per second.
Show DHCP snooping status
Switch# show ip dhcp snooping
DHCP snooping is useful for mitigating malicious DHCP replies. However there are times when users connect their own DHCP server (for example wireless Linksys router having its own DHCP). DHCP snooping can be used effectively to remedy these kind of situations.