DHCP snooping
Overview
DHCP (Dynamic Host Configuration Protocol) is used by DHCP servers in IP networks to dynamically allocate network configuration data to client devices (DHCP clients). This data can include the client IP address, subnet mask, default gateway IP address, DNS server IP address, and lease duration. DHCP lets clients obtain this configuration automatically, without any manual setup.
DHCP snooping is a security feature that protects against an unauthorized (rogue) DHCP server on the network handing out invalid configuration data to DHCP clients. A user without malicious intent can cause this problem by unknowingly connecting a switch or other device that has a DHCP server enabled by default. A user with malicious intent can add a DHCP server to the network as part of a denial-of-service or man-in-the-middle attack, for example by giving clients a default gateway or DNS server address that the attacker controls.
DHCP snooping prevents such problems by distinguishing between trusted ports, which connect to legitimate DHCP servers, and untrusted ports, which connect to general users. DHCP packets received on trusted ports are forwarded without inspection. DHCP packets received on untrusted ports are inspected before being forwarded, and server-originated messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted port are dropped, since only a trusted port can legitimately carry them.
In addition, in support of the separate IP source lockdown feature, DHCP snooping dynamically collects client information (VLAN, IPv4 address, MAC address, interface) and adds it to the switch IP binding database. Alternatively, also in support of IP source lockdown, the IP binding database can be populated statically using the ipv4 source-binding or ipv6 source-binding commands. Statically configured IP binding information supersedes any dynamically collected information for the same client.
DHCP snooping and DHCP relay can be configured on the same switch.
Received packet: DHCP snooping processes the DHCP packet before (possibly) handing it to DHCP relay.
Transmitted packet: DHCP packets sent by DHCP relay are intercepted by DHCP snooping so that it can learn IP bindings.
For even more rigorous enforcement, applied in hardware on a packet-by-packet basis, use the IP source lockdown feature described in IP source lockdown.
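The following is an added example, not code from the switch vendor or this page: a small Python model of the snooping decisions described above. It parses a BOOTP/DHCP payload (op, chaddr, yiaddr, ciaddr, option 53), forwards everything on trusted ports, drops server-originated messages arriving on untrusted ports, learns an IP binding (VLAN, IP, MAC, interface) from a DHCPACK, and lets a static binding supersede dynamic learning. Two details are assumptions of this model rather than statements on the page: the client's interface for a learned binding is taken from the port where its earlier DISCOVER/REQUEST was seen, and a DHCPRELEASE/DHCPDECLINE is dropped when it does not match the existing binding's port and IP. The port names, MAC addresses and packets are constructed sample data.

```python
"""Minimal DHCPv4 snooping model (added example, not vendor code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# RFC 2131 message types carried in option 53
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {DHCPOFFER, DHCPACK, DHCPNAK}          # only legitimate servers send these
CLIENT_TEARDOWN_MSGS = {DHCPRELEASE, DHCPDECLINE}   # client messages that end or reject a lease


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str
    static: bool = False


def parse_dhcp(payload: bytes) -> Tuple[int, str, str, str, int]:
    """Return (op, chaddr, yiaddr, ciaddr, msg_type) from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, hlen = payload[0], payload[2]
    ciaddr = ".".join(str(b) for b in payload[12:16])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type, i = 0, 240
    while i < len(payload):            # walk TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                  # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, chaddr, yiaddr, ciaddr, msg_type


def build_dhcp(op: int, chaddr: bytes, msg_type: int, yiaddr="0.0.0.0", ciaddr="0.0.0.0") -> bytes:
    """Constructed test packet: fixed 236-byte BOOTP header, magic cookie, option 53, END."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x12345678, 0, 0x8000,
                      ip(ciaddr), ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # keyed by (vlan, client MAC)
        self.pending: Dict[Tuple[int, str], str] = {}        # assumption: client port seen on DISCOVER/REQUEST

    def add_static_binding(self, vlan: int, ip: str, mac: str, port: str) -> None:
        """Equivalent of an ipv4 source-binding entry; always wins over dynamic learning."""
        self.bindings[(vlan, mac)] = Binding(vlan, ip, mac, port, static=True)

    def _learn(self, vlan: int, ip: str, mac: str, port: str) -> None:
        existing = self.bindings.get((vlan, mac))
        if existing is not None and existing.static:
            return                       # static entry supersedes dynamically collected data
        self.bindings[(vlan, mac)] = Binding(vlan, ip, mac, port)

    def process(self, port: str, vlan: int, payload: bytes) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for a DHCP packet received on `port`."""
        _op, chaddr, yiaddr, ciaddr, msg_type = parse_dhcp(payload)
        key = (vlan, chaddr)
        if port in self.trusted:
            # No filtering on trusted ports, but server replies are still watched to learn bindings
            if msg_type == DHCPACK and yiaddr != "0.0.0.0":
                self._learn(vlan, yiaddr, chaddr, self.pending.pop(key, port))
            return "forward", "trusted port"
        if msg_type in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if msg_type in CLIENT_TEARDOWN_MSGS:
            b = self.bindings.get(key)
            if b is None or b.port != port or (ciaddr != "0.0.0.0" and b.ip != ciaddr):
                return "drop", "release/decline does not match binding"   # assumed condition
            if not b.static:
                del self.bindings[key]
            return "forward", "release/decline matches binding"
        self.pending[key] = port         # DISCOVER/REQUEST: remember where the client lives
        return "forward", "client message on untrusted port"


def run_scenario() -> Tuple[List[Tuple[str, str, int]], DhcpSnooper]:
    """Constructed walk-through; each entry is (decision, reason, bindings after the packet)."""
    snoop = DhcpSnooper(trusted_ports={"1/1/48"})        # port toward the legitimate server
    c1, c1_mac = b"\x00\x11\x22\x33\x44\x55", "00:11:22:33:44:55"
    c2 = b"\x00\x11\x22\x33\x44\x66"
    steps = [
        ("1/1/5", build_dhcp(1, c1, DHCPDISCOVER)),                        # client on access port
        ("1/1/7", build_dhcp(2, c1, DHCPOFFER, yiaddr="192.0.2.200")),      # rogue server reply
        ("1/1/48", build_dhcp(2, c1, DHCPACK, yiaddr="192.0.2.10")),        # real server reply
        ("1/1/9", build_dhcp(1, c1, DHCPRELEASE, ciaddr="192.0.2.10")),     # release from wrong port
        ("1/1/5", build_dhcp(1, c1, DHCPRELEASE, ciaddr="192.0.2.10")),     # release from real port
    ]
    results = [(*snoop.process(p, 10, pkt), len(snoop.bindings)) for p, pkt in steps]
    snoop.add_static_binding(10, "192.0.2.50", "00:11:22:33:44:66", "1/1/6")
    for p, pkt in [("1/1/6", build_dhcp(1, c2, DHCPDISCOVER)),
                   ("1/1/48", build_dhcp(2, c2, DHCPACK, yiaddr="192.0.2.77"))]:
        results.append((*snoop.process(p, 10, pkt), len(snoop.bindings)))
    return results, snoop


if __name__ == "__main__":
    for r in run_scenario()[0]:
        print(r)
```

The scenario shows the two behaviours a practitioner checks first after enabling the feature: a DHCPOFFER from an access port never reaches the client, and the binding learned from the legitimate DHCPACK records the client's own port, so a DHCPRELEASE arriving elsewhere for that address is refused.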
DHCPv4 snooping conditions for dropping DHCPv4 packets
| Packet types that are dropped | Conditions for dropping the packets |
|---|---|
| DHCPOFFER, DHCPACK, DHCPNAK | Received on an untrusted port |
| DHCPRELEASE, DHCPDECLINE | |
| All DHCP packet types | |