DHCP Snooping Explained

By | 16th December 2016


The Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically,
it leases addresses to connected devices and the addresses can be reused when no longer needed.

All connected Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN.

DHCP snooping acts like a firewall between trusted DHCP servers and untrusted hosts. DHCP snooping acts as a guardian or in the form of network security .
DHCP snooping enables the switching or network device, which can be either a switch or a router, to monitor DHCP messages received from untrusted devices connected to the switching device.

When DHCP snooping is enabled on a switched network or VLAN, it examines all DHCP messages sent from untrusted hosts associated with the network or VLAN and extracts their IP addresses and lease information.

dhcp snooping explained

DHCP Snooping Binding Database

All extracted information will be used to build and maintain the DHCP snooping database, also known as the binding table.
Only verified hosts from this database are allowed access to the network.

The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled.

The database does not contain entries for hosts connected through trusted interfaces.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Features of DHCP snooping

•DHCP snooping validates incoming messages received from untrusted sources and filters out invalid messages.

•DHCP snooping Builds maintains and stores information about untrusted hosts these include their IP-MAC address binding, the lease time for the IP address, type of binding, VLAN name, and interface for each host.

All these information are extracted, maintained and stored in the DHCP snooping binding database to be validated.

•DHCP snooping uses the binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

By default, DHCP Snooping is disabled, DHCP Snooping can be enabled on a single VLAN or a range of VLANs across the network.

DHCP Packet Validation

Switches validate DHCP packets received on the untrusted interfaces of all configured VLANs with DHCP snooping enabled.
The switch then forwards the DHCP packet or packet will be dropped if it fails validation.

When the DHCP snooping service detects a violation, the packet is dropped, and a message is logged that includes the text :


If the switch is configured to send logs to a syslog server.

Messages alert that’s is likely to appear:


The above message indicates that the source frame and embedded client hardware address in a DHCP request differ, and seems to be unfortunately common.

If you see these, consider investigating a few of them to verify that the issue is indeed a poor vendor DHCP client or IP forwarding implementation, and determine your policy going forward.


Such messages are usually serious. This message indicates that a client is being spoofed, or worse. sounds like a rogue DHCP server is in operation.

The following conditions must be met before the switch will forward a packet:

•When the switch receives a packet (with a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.

•The switch receives a packet from an untrusted interface, and the source MAC address and
the DHCP client hardware address do not meet validation rules. This check can only be performed if the DHCP snooping MAC address verification option is turned on.

•The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.

•The switch receives a DHCP packet that includes a relay agent IP address that is not


1. The network device sends a DHCPDISCOVER packet to request an IP address.

2. The switching device forwards the packet to the DHCP server.

3. The server sends a DHCPOFFER packet to offer an address. If the DHCPOFFER packet is from a trusted interface, the switching device forwards the packet to the DHCP client.

4. The network device sends a DHCPREQUEST packet to accept the IP address.

5. The switching device adds an IP-MAC placeholder binding to the database. The entry is considered a placeholder until a DHCPACK packet is received from the server. Until then,
the IP address could still be assigned to some other host.

6. The server sends a DHCPACK packet to assign the IP address or a DHCPNAK packet to deny the address request.

7. The switching device updates the DHCP snooping database according to the type of packet received (If the switching device receives a DHCPACK packet, it updates lease information for the IP-MAC bindings in its database.
If the switching device receives a DHCPNACK packet, it deletes the placeholder.)

How to Enable DHCP Snooping

This example shows how to enable DHCP snooping globally and on VLAN 8 and to configure a rate limit of 100 packets per second on a port:

Sw1(config)# ip dhcp snooping
Sw1(config)# ip dhcp snooping vlan 8
Sw1(config)# ip dhcp snooping information option
Sw1(config)# interface gigabitethernet0/1
Sw1(config-if)# ip dhcp snooping limit rate 100