[cisco] dhcp snooping configuring example

The topology


Dhcp snooping is a technique to prevent rogue dhcp server from being used to allocate illegitimate ip addresses to client.

A rogue dhcp server can be used as a tool for unsuspected clients to obtain illegitimate ip addresses and routes its traffic towards the rogue dhcp server and hence a man-in-the-middle attack is established.

Dhcp snooping can be used to mitigate this risk.


  1. When dhcp snooping is enabled on a switch, all switchports become untrusted.
  2. The interface where the dhcp traffic will exit towards the dhcp server should be marked as trusted.
  3. dhcp traffic from the untrusted source will be validated, invalid dhcp messages, or when a rogue dhcp server is offering dhcp offer will be dropped.
  4. Rate limits can be configured on untrusted interfaces to limit dhcp discovery/request coming from untrusted source.
  5. The switch builds and maintains the database of untrusted source’s mac address binding to leased ip address.


  1. Define the vlan that needs to be snooped eg. ip dhcp snooping vlan 999 on SW.
  2. Identify and marked the switch interface that is trusted, the interface will be the exit towards dhcp server eg. ip dhcp snooping trust.
  3. By default SW inserts dhcp option 82 (i.e. ip dhcp snooping information option), because SW does not set giaddr the dhcp server upon receiving the dhcp message drops the message and the servers will not receive ip address.
  4. Either use no ip dhcp snooping information option in SW globally or trust the dhcp relay on dhcp interface e0/0 eg. ip dhcp relay information trusted.
  5. Optionally you can rate limit the dhcp message from untrusted interface eg. ip dhcp snooping limit rate 1000.
  6. Specify the location to store dhcp snooping database eg. ip dhcp snooping database flash:/snooping.db
  7. enable dhcp snooping globally eg. ip dhcp snooping

SW configuration
ip dhcp snooping vlan 999
ip dhcp snooping database unix:/snooping.db_00002
ip dhcp snooping
interface Ethernet0/3
ip dhcp snooping trust
interface Ethernet0/0
switchport access vlan 999
switchport mode access
ip dhcp snooping limit rate 1000
interface Ethernet0/1
switchport access vlan 999
switchport mode access
ip dhcp snooping limit rate 100
no ip dhcp snooping information option


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s