Configuring DHCP Snooping

What is DHCP Snooping

DHCP snooping is a security feature intended to prevent rogue DHCP servers from sending malicious DHCP replies.
When DHCP snooping is enabled, the switch intercepts all DHCP requests and discards DHCP replies coming from “untrusted” ports. The offending switch ports are automatically shut down and put in the errdisable state.
DHCP snooping also maintains a database containing the client MAC address, the IP address offered, the lease time, and so on for all completed DHCP bindings.

Configuring DHCP Snooping

Enable DHCP snooping globally on a switch

Switch(config)# ip dhcp snooping

Identify the VLANs for DHCP snooping, in this case VLANs 10 to 15

Switch(config)# ip dhcp snooping vlan 10-15

By default, all ports are “untrusted”, so we have to add trusted ports.
Here we are adding fa1/1 as a trusted port

Switch(config)# interface fa1/1
Switch(config-if)# ip dhcp snooping trust

(Optional) Rate limit an untrusted port.
Here we are rate limiting interface fa0/1

Switch(config)# interface fa0/1
Switch(config-if)# ip dhcp snooping limit rate 10

The rate can be 1 to 2048 DHCP packets per second.

Verifying Configuration

Show DHCP snooping status

Switch# show ip dhcp snooping
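
To check the same settings offline, the following Python script audits saved running-config text for the commands configured above. It is an added example, not part of the original article and not Cisco tooling; the sample configuration, the function names audit and expand_vlans, and the FastEthernet interface names are constructed for illustration.

```python
import re

# Constructed sample running-config (an assumption, not from the original page).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10-15
ip dhcp snooping
!
interface FastEthernet0/1
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
 switchport access vlan 11
!
interface FastEthernet1/1
 ip dhcp snooping trust
"""

def expand_vlans(spec):  # '10-15,20' -> {10, 11, 12, 13, 14, 15, 20}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Summarise DHCP snooping settings found in running-config text."""
    result = {"enabled": False, "vlans": set(), "trusted": [], "rate": {}, "unlimited": []}
    ports, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a global-level line closes the interface block
            current = None
        text = line.strip()
        if m := re.fullmatch(r"interface (\S+)", text):
            current = ports.setdefault(m.group(1), [])
        elif current is not None:
            current.append(text)
        elif text == "ip dhcp snooping":
            result["enabled"] = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", text):
            result["vlans"] |= expand_vlans(m.group(1))
    for name, lines in ports.items():
        rate = [int(l.split()[-1]) for l in lines if l.startswith("ip dhcp snooping limit rate ")]
        if "ip dhcp snooping trust" in lines:
            result["trusted"].append(name)
        elif rate:
            result["rate"][name] = rate[0]
        else:  # untrusted and no DHCP rate limit configured
            result["unlimited"].append(name)
    return result
```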


DHCP snooping is useful for mitigating malicious DHCP replies. However, there are times when users connect their own DHCP server (for example, a wireless Linksys router with its own DHCP). DHCP snooping can be used effectively to remedy this kind of situation.