Cisco Support Community

New Member

DHCP authentication

I want to turn a Cisco router into a DHCP server. Will it support authentication? I want to restrict the hosts which can get an address from the DHCP server.


Cisco Employee

Re: DHCP authentication


There is no authentication mechanism embedded in the DHCP protocol.

You could do manual bindings and would need a pool per host. Use the client-identifier to bind your host to a pool:

ip dhcp pool POOL
 client-identifier 0100.1b77.66cf.55

The client-identifier for a Windows host is 01 prepended to the MAC address.
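
A script for the pool-per-host approach in the reply above, as an added example that is not part of the original post or Cisco's own code: it turns a MAC/IP allowlist into one manual binding per host. The allowlist, pool names, addresses and mask are constructed for illustration, and the `host` line is the IOS manual-binding command, which the snippet above does not show.

```python
import ipaddress
import re

# Constructed sample allowlist (pool name, MAC, IP); not taken from the thread.
ALLOWLIST = """\
# name      mac                 ip
pc-front    00:1B:77:66:CF:55   192.0.2.10
pc-lab      001b.7766.cf56      192.0.2.11
"""

def client_identifier(mac: str) -> str:
    """IOS client-identifier for an Ethernet host: 01 + MAC, dotted every 4 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    cid = "01" + digits  # 01 is the hardware type for Ethernet
    return ".".join(cid[i:i + 4] for i in range(0, len(cid), 4))

def manual_bindings(allowlist: str, mask: str = "255.255.255.0") -> str:
    """Emit one 'ip dhcp pool' manual binding per allowlist entry."""
    seen, out = set(), []
    for lineno, raw in enumerate(allowlist.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'name mac ip'")
        name, mac, ip = fields
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            raise ValueError(f"line {lineno}: bad pool name {name!r}")
        cid = client_identifier(mac)
        addr = str(ipaddress.IPv4Address(ip))  # rejects malformed addresses
        # A duplicate MAC or IP would create two conflicting bindings.
        if cid in seen or addr in seen or name in seen:
            raise ValueError(f"line {lineno}: duplicate name, MAC or IP")
        seen.update((cid, addr, name))
        out += [f"ip dhcp pool {name}",
                f" host {addr} {mask}",
                f" client-identifier {cid}",
                "!"]
    return "\n".join(out)

if __name__ == "__main__":
    print(manual_bindings(ALLOWLIST))
```

The client-identifier is supplied by the client itself, so these bindings limit which identifiers receive a lease rather than authenticating the host.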



New Member

Re: DHCP authentication

We can use an FTP server where the IP addresses and corresponding MAC addresses will be listed (in a .txt file). With this, when a user wants an IP through the DHCP server, it first goes to the FTP server (*.txt) and, after a match, gets the corresponding IP address.

Note: A static IP address always has more preference than a DHCP IP address.

Thanks,


New Member

Re: DHCP authentication

You may want to have a look at DHCP snooping:

Basically this helps you define which interfaces are in trusted mode to receive DHCP conversations. It has a lot of features. I advise you to read the PDF.

From Cisco:

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.