Cisco Support Community

New Member

dhcp snooping discussion

Can anybody explain, with an example, the use of DHCP snooping?


dhcp snooping discussion

Hi Snuil,

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

plz Rate if it helped.


Hope it Helps, Soroush.
New Member

dhcp snooping discussion

Sorry, I have already read this on the Cisco site, but I need a practical example of where we use it.


dhcp snooping discussion

Aha, got you... thought you had a conceptual problem.

We use DHCP snooping to address the attacks below in our Layer 2 network, so we use it where there is a risk of these kinds of rogue activities:

DHCP address exhaustion attack — This type of attack focuses on depleting the address pool on the DHCP server, thus causing a denial of service attack. In a DHCPDISCOVER message broadcast out from a client, there is a field called chaddr which is the client hardware address or MAC address. The chaddr field is set to the source MAC address of the client by default.  If an attacker constantly keeps changing his MAC address, he could keep requesting different addresses from the DHCP pool and eventually deplete it.  Fortunately, port-security helps mitigate this attack.  However, if a client keeps the same MAC address but simply changes the chaddr field to something unique on every request, an attacker could just as well exhaust all DHCP addresses in the pool without causing a port-security violation.  The pool could become depleted and legitimate users may not be able to obtain address leases.

IP Address Hijacking — Normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can go ahead and add that IP address back into the pool of available addresses. An attacker that has knowledge of an authorized IP address leased through DHCP could send a packet to the server with the DHCPRELEASE field set to that authorized IP address. The attacker could attempt to release that IP address and then take over the IP address on the network. At a minimum, the attacker could be disrupting network communications.

plz Rate if it helped.


Hope it Helps, Soroush.
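
The checks a snooping switch applies to the messages described above, as a simplified model (an added example, not part of the original posts). `Frame`, `SnoopingSwitch`, the port names and all MAC and IP values are constructed, and the binding is recorded from a caller-supplied client port instead of real forwarding.

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class Frame:
    port: str       # switch port the frame arrived on
    src_mac: str    # Ethernet source MAC
    msg: str        # DHCP message type, by name
    chaddr: str     # client hardware address in the DHCP payload
    ip: str = ""    # address being acknowledged or released

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # chaddr -> (ip, client port)

    def inspect(self, f, client_port=None):
        """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
        if f.port in self.trusted:
            # Simplification: the caller names the port the ACK is delivered to.
            if f.msg == "ACK" and client_port:
                self.bindings[f.chaddr] = (f.ip, client_port)
            return "forward"
        if f.msg in SERVER_TYPES:
            return "drop: server message on untrusted port"
        if f.src_mac != f.chaddr:
            return "drop: source MAC and chaddr differ"
        bound = self.bindings.get(f.chaddr)
        if f.msg in {"RELEASE", "DECLINE"} and bound and bound[1] != f.port:
            return "drop: binding belongs to another port"
        return "forward"

def demo():
    """Constructed frames; Gi0/49 is the uplink, MACs and IPs are made up."""
    sw, client = SnoopingSwitch({"Gi0/49"}), "00:11:22:33:44:55"
    frames = [
        (Frame("Gi0/49", "00:aa:bb:cc:dd:01", "ACK", client, "192.0.2.20"), "Gi0/1"),
        (Frame("Gi0/2", "00:de:ad:00:00:02", "OFFER", client, "192.0.2.99"), None),
        (Frame("Gi0/2", "00:de:ad:00:00:02", "DISCOVER", "02:00:00:00:00:07"), None),
        (Frame("Gi0/2", client, "RELEASE", client, "192.0.2.20"), None),
        (Frame("Gi0/1", client, "RELEASE", client, "192.0.2.20"), None),
    ]
    return [sw.inspect(f, port) for f, port in frames]
```

The server's ACK on the trusted uplink and the client's own RELEASE on its own port are forwarded; the other three frames are dropped at the access port.
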
New Member

dhcp snooping discussion

This helped me, but I am confused: interfaces connected to end users are untrusted and interfaces connected to DHCP servers are trusted, so how does it help to give IP addresses to valid clients?

VIP Purple

dhcp snooping discussion

Hi Sunil,

I got this material from the internet for you.

So here we go, with the configuration of DHCP snooping on a Cisco Switch. This feature protects the network by allowing the Cisco Switches to accept DHCP response messages only from the authorized servers connected to the trusted interfaces in a Cisco Switch.

All switch-to-switch connections are configured as 802.1Q trunk ports.

IP Address and HSRP Details for the Core Switches

In the above scenario we have two Cisco 6513 Series Switches as Core/Distribution with three VLANs: VLAN 50 for management of the switches, VLAN 100 for all the servers and VLAN 101 for clients. Two Cisco 3560 Series Switches serve as Server Farm Switches and a Cisco 3560 Series Switch as an Access Switch. There are two DHCP servers with an IP address and connected with Server Farm Switches with HP NIC teaming. We configure DHCP Snooping based on the above scenario.

The first step to configure DHCP Snooping is to turn on DHCP snooping in all Cisco Switches using the “ip dhcp snooping” command.

All Cisco Switches (config)#ip dhcp snooping

The second step is to configure the trusted interfaces. From the above scenario, all trunk ports are configured as trusted ports, as well as the interfaces G0/7 (ITKESF01), G0/17 (ITKESF02), G0/9 (ITKESF01) and G0/18 (ITKESF02) connected to DHCP servers with IP and

Let's configure all trunk ports in ITKEBB01

ITKEBB01(config)#interface range  gigabitEthernet 3/21 - 23

ITKEBB01 (config-if)#ip dhcp snooping trust

Now let’s configure all trunk ports in ITKEBB02

ITKEBB02(config)#interface range  gigabitEthernet 3/21 - 23

ITKEBB02 (config-if)#ip dhcp snooping trust

ITKEBB02 (config)#interface gigabitEthernet 3/16

ITKEBB02 (config-if)#ip dhcp snooping trust

Now let’s configure the trusted ports for the DHCP servers

ITKESF01(config)#interface gigabitEthernet 0/7

ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF01(config)#interface gigabitEthernet 0/17

ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/9

ITKESF02 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/18

ITKESF02 (config-if)#ip dhcp snooping trust

Now let’s configure the trunk ports on Access Switch ITKEAS01

ITKEAS01(config)#interface range  gigabitEthernet 0/49 - 52

ITKEAS01 (config-if)#ip dhcp snooping trust

Finally, we are going to configure the VLANs for DHCP snooping. DHCP snooping will be used on all the VLANs (VLAN 100 & 101) except management VLAN 50. Also, we will limit the request rate received in the Access Switch (ITKEAS01).

ALL SWITCHES(config)# ip dhcp snooping vlan 100,101

ITKEAS01(config)#interface range  gigabitEthernet 0/1 - 48

ITKEAS01 (config-if)#ip dhcp snooping limit rate 20

Displaying the DHCP snooping


Please rate if it helps.
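
A check of a switch configuration against the policy in the walkthrough above (snooping on globally, the required VLANs covered, trust only on uplink or server ports, a rate limit on every untrusted port), as an added example that is not part of the original post. `audit`, `SAMPLE_CONFIG` and the interface layout are constructed for illustration.

```python
# Constructed running-config excerpt for an access switch (not from the post).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 100
ip dhcp snooping
!
interface GigabitEthernet0/1
 ip dhcp snooping limit rate 20
!
interface GigabitEthernet0/2
 switchport access vlan 101
!
interface GigabitEthernet0/3
 ip dhcp snooping trust
!
interface GigabitEthernet0/49
 switchport mode trunk
 ip dhcp snooping trust
"""

def audit(config, uplinks, required_vlans):
    """Return a list of findings for one switch's configuration text."""
    enabled, vlans, iface = False, set(), None
    ports, trusted, limited = [], set(), set()
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line == "!":
            iface = None                      # end of an interface block
        elif line.startswith("interface "):
            iface = raw.split()[1]
            ports.append(iface)
        elif line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            for part in line.split()[-1].split(","):   # "100,101" or "100-101"
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
        elif iface and line == "ip dhcp snooping trust":
            trusted.add(iface)
        elif iface and line.startswith("ip dhcp snooping limit rate "):
            limited.add(iface)
    findings = [] if enabled else ["DHCP snooping is not enabled globally"]
    findings += [f"VLAN {v} is not snooped" for v in sorted(set(required_vlans) - vlans)]
    for p in ports:
        if p in trusted and p not in uplinks:
            findings.append(f"{p}: trusted, but not a listed uplink or server port")
        elif p not in trusted and p not in limited:
            findings.append(f"{p}: untrusted port without a rate limit")
    return findings
```
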