Understanding DHCP Snooping: Protecting Your Network from Fake IPs

Pits

In a network, devices need IP addresses to communicate with each other. DHCP (Dynamic Host Configuration Protocol) is what automatically assigns these addresses so devices can connect without manual setup. But not all DHCP servers on a network are trustworthy. A rogue DHCP server can give out wrong IP addresses, cause network problems, or even allow attackers to intercept traffic.

This is where DHCP Snooping comes in. It’s a security feature that helps protect your network by monitoring and controlling which devices can act as DHCP servers. In this blog, we’ll explain what DHCP Snooping is, why it’s important, how it works, and how to configure it on your network.


What is DHCP Snooping?

DHCP Snooping is a network security feature that protects your network from rogue or unauthorized DHCP servers. Its main job is to make sure that only trusted DHCP servers can assign IP addresses to devices. Without DHCP Snooping, a rogue server could hand out incorrect IP addresses, causing network issues or allowing attackers to intercept traffic.

Think of it like a gatekeeper for IP addresses. It watches the traffic between devices and DHCP servers and blocks anything suspicious.


How DHCP Snooping Works

DHCP Snooping works by classifying network ports into trusted and untrusted:

  • Trusted ports: These are usually the ports connected to legitimate DHCP servers. DHCP messages from these ports are allowed.

  • Untrusted ports: These are the ports connected to regular devices or users. DHCP messages from these ports are blocked to prevent rogue servers from assigning IP addresses.

When DHCP Snooping is enabled, the switch keeps a DHCP Snooping binding table. This table records important information about each device that gets an IP address from a trusted DHCP server, including:

  • MAC address of the device

  • IP address assigned

  • Lease time

  • Port where the device is connected

  • VLAN information

This table is used to validate traffic on the network. If a device tries to use an IP address that doesn’t match the binding table, the switch can block it. This prevents attackers from assigning fake IP addresses or intercepting network traffic.


What is DHCP Starvation?

DHCP Starvation is a type of network attack that targets the DHCP service. In this attack, an attacker floods the DHCP server with a large number of fake requests for IP addresses. The goal is to exhaust the pool of available IP addresses, leaving legitimate devices unable to get an IP address. When this happens, users can’t connect to the network properly, which can disrupt business operations or network access.

DHCP Starvation is often used as a first step in more serious attacks, like setting up a rogue DHCP server to intercept traffic once the legitimate server is overloaded.


How DHCP Starvation Works

  1. Flooding Requests: The attacker’s device sends a huge number of DHCP requests with fake MAC addresses.

  2. Exhausting the Pool: The DHCP server assigns IP addresses to all these fake requests. Eventually, the server runs out of available addresses.

  3. Impact on Users: Legitimate devices trying to connect to the network can’t get an IP address and fail to communicate.

  4. Rogue DHCP Opportunity: Once the legitimate server is overwhelmed, the attacker can set up a rogue DHCP server to assign IP addresses with malicious settings, potentially intercepting or redirecting network traffic.


Why It Matters

DHCP Starvation can cause network downtime and make users unable to connect. It also opens the door for attackers to take control of network traffic. Preventing it is important for maintaining a stable and secure network.


How DHCP Snooping Prevents DHCP Starvation

DHCP Snooping is one of the key tools to protect your network from DHCP Starvation attacks. Here’s how it helps:

  1. Trusted and Untrusted Ports
    By marking ports as trusted (connected to legitimate DHCP servers) or untrusted (connected to regular devices), DHCP Snooping ensures that only approved servers can respond to DHCP requests. This blocks rogue devices from acting as fake DHCP servers.

  2. Rate Limiting
    On untrusted ports, DHCP Snooping can limit the number of DHCP requests a device can send. If a device suddenly starts sending hundreds of requests to exhaust IP addresses, the switch can block it. This stops DHCP Starvation before it affects legitimate users.

  3. Binding Table Validation
    The DHCP Snooping binding table tracks which IP addresses are assigned to which MAC addresses and ports. If a device tries to use an IP address that doesn’t match the table, the switch can block it. This ensures that attackers cannot take over addresses or set up rogue servers easily.


What is DHCP Poisoning?

DHCP Poisoning is a type of attack where an attacker sets up a rogue DHCP server on the network. The goal is to trick legitimate devices into accepting false IP configuration information. This can include:

  • Fake default gateway – sending traffic through the attacker’s device

  • Fake DNS server – redirecting users to malicious websites

  • Other network settings that allow the attacker to intercept, monitor, or modify traffic

Once successful, this attack often leads to a man-in-the-middle (MITM) scenario, where the attacker can see or manipulate all network traffic between devices and the real network resources.


How DHCP Poisoning Leads to a Man-in-the-Middle Attack

  1. Rogue DHCP Server: The attacker connects a device to the network and sets it up to act as a DHCP server.

  2. Spoofed IP Configuration: When a legitimate device requests an IP address, the rogue server responds faster than the real server, giving the device false network information.

  3. Traffic Interception: The device now sends its network traffic through the attacker’s machine, allowing the attacker to monitor, capture, or even alter the traffic.

  4. Exploitation: This can be used to steal passwords, sensitive information, or redirect users to malicious sites.


Why It Matters

DHCP Poisoning combined with a man-in-the-middle attack is dangerous because it does not just disrupt network connectivity; it actively puts users’ data at risk. Even simple tasks like browsing the internet or logging into accounts can be intercepted if the attacker controls the network traffic.


How DHCP Snooping Helps

DHCP Snooping is one of the best defenses against this attack because it:

  • Blocks DHCP messages from untrusted ports, stopping rogue DHCP servers from giving out IP addresses

  • Keeps a binding table to verify valid IP assignments, making it harder for attackers to spoof devices

  • Can work together with Dynamic ARP Inspection to further prevent MITM attacks

By enabling DHCP Snooping, you make it much harder for an attacker to poison your network and intercept traffic.


Understanding DHCP Messages

DHCP (Dynamic Host Configuration Protocol) works through a series of messages exchanged between a client (like a computer or phone) and a DHCP server. These messages allow the client to get an IP address and other network settings automatically. Here’s a simple breakdown of the main DHCP messages:


1. DHCP Discover

  • Sent by the client when it first connects to the network.

  • The client is basically asking, “Is there a DHCP server out there that can give me an IP address?”

  • This message is broadcasted so all DHCP servers on the network can see it.


2. DHCP Offer

  • Sent by the DHCP server in response to the Discover message.

  • The server offers an IP address to the client along with other details like subnet mask, default gateway, and DNS servers.


3. DHCP Request

  • Sent by the client after receiving offers.

  • The client selects one of the offers and formally requests that IP address from the chosen DHCP server.


4. DHCP Acknowledge (ACK)

  • Sent by the DHCP server to confirm the IP address assignment.

  • The client can now use the IP address and the other network settings provided.


5. DHCP Negative Acknowledge (NAK)

  • Sent by the DHCP server if there’s a problem with the client’s request.

  • For example, if the requested IP is no longer available, the server will send a NAK, and the client must start the process over.


6. DHCP Release

  • Sent by the client when it no longer needs the IP address (like when disconnecting).

  • This allows the server to put the IP address back into its pool for other devices.


7. DHCP Inform

  • Sent by the client when it already has an IP address but needs other network settings from the DHCP server.


How DHCP Snooping Operates

DHCP Snooping works by actively monitoring and controlling DHCP traffic on a network. It is not just a feature you turn on; it performs several operations to make sure IP addresses are assigned safely. Here’s how it works in simple terms:


1. Classifying Ports

  • Trusted Ports: Usually connected to legitimate DHCP servers. These ports are allowed to send DHCP offer and acknowledgment messages.

  • Untrusted Ports: Usually connected to client devices. DHCP messages from these ports are limited or blocked to prevent rogue servers from assigning IP addresses.


2. Building the DHCP Binding Table

  • The switch keeps a table of valid IP-to-MAC-to-port assignments.

  • Every time a client gets an IP address from a trusted DHCP server, the switch records:

    • MAC address of the device

    • Assigned IP address

    • Lease time

    • VLAN

    • Port the device is connected to

  • This table is used to validate future traffic and ensure no device is using a fake IP.


3. Filtering DHCP Messages

  • DHCP Snooping inspects every DHCP message coming through untrusted ports.

  • If a rogue DHCP server tries to send offers or acknowledgments, the switch blocks them.

  • This prevents attacks like DHCP Poisoning or IP conflicts.


4. Preventing DHCP Starvation

  • DHCP Snooping can set limits on how many DHCP requests a device can send through an untrusted port.

  • If a device sends too many requests, it’s blocked, stopping attackers from exhausting the DHCP server’s IP pool.


5. Integration with Other Security Features

  • DHCP Snooping often works with Dynamic ARP Inspection (DAI) to prevent man-in-the-middle attacks.

  • The binding table created by DHCP Snooping helps DAI check that devices are using legitimate IP-MAC combinations.


In short, DHCP Snooping operates by:

  • Classifying ports as trusted or untrusted

  • Recording valid IP assignments in a binding table

  • Filtering and validating DHCP messages

  • Limiting requests from untrusted devices to prevent attacks

By doing this, it ensures only legitimate DHCP servers assign addresses and protects the network from DHCP-related attacks like DHCP Starvation and Poisoning.
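The operations described above, as an added Python model written for this post (it is example code, not switch firmware and not from the original article): ports are either trusted or untrusted, server messages arriving on untrusted ports are dropped, ACKs seen on trusted ports populate the binding table, and arrivals on each untrusted port are rate limited. The message fields and port names are constructed, and the rate limit is modelled as a one-second sliding window, which is an assumption about how the switch counts.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of a DHCP message as the switch sees it (not raw packet bytes).
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE or INFORM
    port: str         # switch port the message arrived on
    vlan: int
    mac: str          # client hardware address (chaddr)
    ip: str = ""      # yiaddr: the address handed out in OFFER/ACK
    lease: int = 0    # lease time in seconds, carried in ACK
    t: float = 0.0    # arrival time in seconds, used for rate limiting

@dataclass
class SnoopingSwitch:
    vlans: set                                    # VLANs with 'ip dhcp snooping vlan'
    trusted: set = field(default_factory=set)     # ports with 'ip dhcp snooping trust'
    rate_limit: int = 10                          # 'limit rate': packets/s per untrusted port
    bindings: dict = field(default_factory=dict)  # mac -> (ip, vlan, port, lease)
    _client_port: dict = field(default_factory=dict)   # mac -> untrusted port it asked from
    _arrivals: dict = field(default_factory=lambda: defaultdict(list))

    def _over_rate(self, msg):
        seen = self._arrivals[msg.port]
        seen.append(msg.t)
        seen[:] = [x for x in seen if msg.t - x < 1.0]   # one-second sliding window (assumed)
        return len(seen) > self.rate_limit

    def handle(self, msg):
        """Return 'forward' or a 'drop: ...' reason; ACKs on trusted ports add bindings."""
        if msg.vlan not in self.vlans:
            return "forward"                   # snooping not enabled on this VLAN: untouched
        if msg.port in self.trusted:
            port = self._client_port.get(msg.mac)
            if msg.kind == "ACK" and port is not None:   # server confirmed a lease
                self.bindings[msg.mac] = (msg.ip, msg.vlan, port, msg.lease)
            return "forward"
        # everything below applies to untrusted (client-facing) ports
        if msg.kind in SERVER_MSGS:
            return "drop: server message on untrusted port"    # rogue server blocked
        if self._over_rate(msg):
            return "drop: rate limit exceeded"                 # starvation flood cut off
        if msg.kind == "RELEASE":
            bound = self.bindings.get(msg.mac)
            if bound is not None and bound[2] != msg.port:
                return "drop: release from a port that does not own the binding"
            self.bindings.pop(msg.mac, None)
        else:
            self._client_port[msg.mac] = msg.port    # remember where the client lives
        return "forward"

    def ip_allowed(self, mac, ip, port):
        """Source check that a feature built on the table (DAI, IP Source Guard) applies."""
        bound = self.bindings.get(mac)
        return bound is not None and bound[0] == ip and bound[2] == port
```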


DHCP Snooping Commands and Example

Here’s a simple, beginner-friendly example of how to configure DHCP Snooping on a Cisco switch and see it in action.


1. Enable DHCP Snooping Globally

This turns on DHCP Snooping for the entire switch.

Switch> enable
Switch# configure terminal
Switch(config)# ip dhcp snooping

2. Enable DHCP Snooping for Specific VLANs

You need to tell the switch which VLANs to monitor.

Switch(config)# ip dhcp snooping vlan 10

3. Mark Trusted Ports

Only ports connected to legitimate DHCP servers should be trusted. For example, if the DHCP server is on port GigabitEthernet0/1:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust

All other ports are untrusted by default.


4. Limit DHCP Requests on Untrusted Ports

To prevent DHCP Starvation attacks, you can limit how many DHCP requests a device can send:

Switch(config)# interface range GigabitEthernet0/2 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 10

This allows a maximum of 10 DHCP requests per second per port.


5. Verify DHCP Snooping

  • Check the DHCP Snooping binding table:

Switch# show ip dhcp snooping binding

This shows the MAC addresses, IP addresses, VLANs, and ports of devices that received IPs from a trusted DHCP server.

  • Check which ports are trusted:

Switch# show ip dhcp snooping

This shows whether DHCP Snooping is enabled, which VLANs are monitored, and which ports are trusted.


Example Scenario

  1. You have a switch with VLAN 10.

  2. A DHCP server is connected to port GigabitEthernet0/1.

  3. All other ports connect to user devices.

  4. You enable DHCP Snooping globally and for VLAN 10.

  5. You mark the server port as trusted.

  6. You limit requests on untrusted ports.

Now, if a rogue device tries to act as a DHCP server on an untrusted port, or if a device floods DHCP requests, the switch will block it. Only the real DHCP server can assign IP addresses, keeping your network safe from attacks like DHCP Starvation or Poisoning.


Understanding the show ip dhcp snooping binding Command

The show ip dhcp snooping binding command is used on Cisco switches to see which devices have received IP addresses through DHCP and are being tracked by DHCP Snooping. It’s one of the most important commands for monitoring and verifying your DHCP Snooping setup.

What It Does

When you run this command, the switch displays a table called the DHCP Snooping Binding Table. This table keeps track of all the devices that received IP addresses from trusted DHCP servers. The information helps you:

  • Verify which devices are connected and their assigned IPs

  • Check which ports are being used by devices with valid IP addresses

  • Identify unauthorized or suspicious devices trying to use IP addresses

  • Help prevent DHCP attacks like DHCP Starvation and DHCP Poisoning

Here’s an example of what the show ip dhcp snooping binding command might display on a Cisco switch:

Switch# show ip dhcp snooping binding

Mac Address       Ip Address      Lease(sec)  Type       VLAN  Interface
-------------------------------------------------------------------------------
00:1A:2B:3C:4D:5E  192.168.10.2    86400      dhcp-snooping  10  GigabitEthernet0/2
00:1A:2B:3C:4D:5F  192.168.10.3    86400      dhcp-snooping  10  GigabitEthernet0/3
00:1A:2B:3C:4D:60  192.168.10.4    86400      dhcp-snooping  10  GigabitEthernet0/4

Explanation of the Columns

  • Mac Address – The MAC address of the device that got an IP from the DHCP server.

  • Ip Address – The assigned IP address.

  • Lease(sec) – How long the IP address is valid (in seconds).

  • Type – Shows dhcp-snooping for entries learned via DHCP Snooping.

  • VLAN – The VLAN where the device is connected.

  • Interface – The switch port where the device is connected.

This table is useful because it lets you verify which devices have legitimate IP addresses and on which ports. It also helps prevent attacks like DHCP Starvation and DHCP Poisoning by ensuring only trusted devices have IP assignments.
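To audit the table from a script rather than by eye, here is an added Python parser for output laid out like the example above, plus a cross-check of observed (MAC, IP, port) triples, such as entries from an ARP table or a capture, against the bindings. It is example code written for this post, not a Cisco tool; the sample output and the observed triples are constructed.

```python
import re

# Constructed sample output, laid out like the page's 'show ip dhcp snooping binding'.
SAMPLE_OUTPUT = """\
Switch# show ip dhcp snooping binding

Mac Address       Ip Address      Lease(sec)  Type       VLAN  Interface
-------------------------------------------------------------------------------
00:1A:2B:3C:4D:5E  192.168.10.2    86400      dhcp-snooping  10  GigabitEthernet0/2
00:1A:2B:3C:4D:5F  192.168.10.3    86400      dhcp-snooping  10  GigabitEthernet0/3
00:1A:2B:3C:4D:60  192.168.10.4    86400      dhcp-snooping  10  GigabitEthernet0/4
"""

# One data row: MAC, IPv4, lease seconds, type, VLAN, interface (header lines do not match).
ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_bindings(text):
    """Turn the CLI table into a list of dicts; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, lease, typ, vlan, iface = m.groups()
            rows.append({"mac": mac.lower(), "ip": ip, "lease": int(lease),
                         "type": typ, "vlan": int(vlan), "interface": iface})
    return rows

def audit(rows, observed):
    """Compare observed (mac, ip, interface) triples against the binding table.
    Returns a list of findings; an empty list means everything is consistent."""
    by_mac = {r["mac"]: r for r in rows}
    by_ip = {}
    findings = []
    for r in rows:
        if r["ip"] in by_ip:      # one IP bound twice points at a stale or forged entry
            findings.append(f"duplicate binding for {r['ip']}")
        by_ip[r["ip"]] = r
    for mac, ip, iface in observed:
        mac = mac.lower()
        r = by_mac.get(mac)
        if r is None:
            findings.append(f"{mac} on {iface} uses {ip} with no DHCP binding (static or spoofed)")
        elif r["ip"] != ip:
            findings.append(f"{mac} on {iface} uses {ip} but is bound to {r['ip']}")
        elif r["interface"] != iface:
            findings.append(f"{mac} seen on {iface} but bound on {r['interface']}")
    return findings
```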


DHCP Snooping Rate Limiting

DHCP Snooping Rate Limiting is a feature that helps protect your network from DHCP Starvation attacks. It works by limiting the number of DHCP requests a device can send through a switch port in a given time.


Why Rate Limiting is Important

In a DHCP Starvation attack, an attacker floods the DHCP server with fake requests to use up all available IP addresses. When this happens, legitimate devices can’t get IP addresses, causing network disruption. Rate limiting stops this by controlling how many requests each device can send.


How It Works

  1. Untrusted Ports Only: Rate limiting is applied to untrusted ports, usually the ports connected to user devices. Trusted ports (connected to DHCP servers) are not limited.

  2. Request Limit: You can set a maximum number of DHCP requests per second per port.

  3. Action When Limit is Exceeded: If a device exceeds the limit, the switch blocks further DHCP requests from that port until the rate drops below the limit.


Example Command

To set a rate limit on ports GigabitEthernet0/2 to 0/24:

Switch(config)# interface range GigabitEthernet0/2 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 10

  • This allows a maximum of 10 DHCP requests per second per port.

  • Any device sending more than 10 requests per second will be blocked temporarily.


Understanding DHCP Option 82 (Relay Agent Information Option)

DHCP Option 82, also called the Relay Agent Information Option, is a feature that adds extra information to DHCP requests as they pass through a network device, like a switch or router. Its main purpose is to help the DHCP server identify where a request came from, which improves security and management in larger networks.


Why Option 82 Matters

In complex networks with many switches, VLANs, or remote sites, the DHCP server might not know exactly which port or location a request came from. This can make it harder to:

  • Track which device is using which IP

  • Apply network policies based on location

  • Prevent unauthorized devices from getting IP addresses

Option 82 solves this by adding relay agent information to the DHCP request. The DHCP server can then use this information to make more informed decisions when assigning IP addresses.


How It Works

  1. Relay Agent Adds Information: When a client sends a DHCP request through a relay device (like a switch or router), the device inserts Option 82 data. This data can include:

    • Circuit ID: Identifies the port or VLAN the request came from

    • Remote ID: Identifies the device or location forwarding the request

  2. DHCP Server Processes the Information: The DHCP server reads the Option 82 data and can use it to:

    • Assign IP addresses based on location or VLAN

    • Enforce security policies

    • Keep a detailed log of which device got which IP from which port

  3. Optional Policy Enforcement: Some servers can even reject requests that don’t include valid Option 82 information, preventing rogue devices from getting an IP.


Example Use Case

Imagine a large office with multiple floors and VLANs. Without Option 82, the DHCP server can only see the request coming from a relay agent’s IP, not the specific port or floor. With Option 82, the server knows exactly which port/floor made the request and can assign IPs accordingly.
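An added Python example, written for this post and not taken from the original article, that builds and parses the Option 82 TLV (RFC 3046 sub-options 1, Agent Circuit ID, and 2, Agent Remote ID) and implements the server-side policy described above: pick an address pool from the VLAN carried in the circuit ID and reject requests that carry no valid Option 82. The circuit-ID byte layout (type 0, length 4, VLAN, module, port) is assumed to follow the default that Cisco documents for its switches; the pool table is constructed.

```python
import struct

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # RFC 3046 sub-option codes

def encode_option82(circuit_id, remote_id):
    """Build the option 82 TLV a relay agent inserts: code, length, then sub-options."""
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT, len(subs)]) + subs

def decode_option82(data):
    """Parse option 82 back into {sub-option code: value}; ValueError on malformed input."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    subs, i = {}, 2
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated sub-option")
        subs[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return subs

def cisco_circuit_id(vlan, module, port):
    """Assumed default Cisco circuit-ID layout: type 0, length 4, VLAN (2 bytes), module, port."""
    return bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)

def choose_pool(option82, pools_by_vlan, require_option82=True):
    """Server-side policy: select the pool for the VLAN named in the circuit ID.
    Returns None (reject) when option 82 is missing but required, or is malformed."""
    if option82 is None:
        return None if require_option82 else pools_by_vlan.get("default")
    try:
        cid = decode_option82(option82)[SUB_CIRCUIT_ID]
        if len(cid) != 6 or cid[:2] != bytes([0, 4]):
            return None                       # not the circuit-ID layout we expect
        vlan = struct.unpack("!H", cid[2:4])[0]
    except (ValueError, KeyError):
        return None
    return pools_by_vlan.get(vlan)
```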


Understanding no ip dhcp snooping information option

The command no ip dhcp snooping information option is used on a Cisco switch to disable the insertion of DHCP Option 82 (Relay Agent Information) on DHCP requests that pass through the switch.


Why You Might Use It

By default, some switches automatically add Option 82 information to DHCP requests. While this can help with tracking and security in large networks, there are situations where you might want to disable it:

  • Simpler Networks: In small networks, Option 82 may not be necessary.

  • Compatibility Issues: Some DHCP servers may not support or correctly process Option 82.

  • Testing or Troubleshooting: Disabling it can help isolate network or DHCP issues.


How It Works

  • Enabled (default on some switches): The switch adds relay agent information to DHCP requests, letting the server know which port or VLAN the request came from.

  • Disabled (no ip dhcp snooping information option): The switch forwards DHCP requests normally, without extra Option 82 data.


Example Command

Switch(config)# no ip dhcp snooping information option

After this command, DHCP requests leaving the switch will not include Option 82.

This command is useful when Option 82 is unnecessary or causing issues. While Option 82 is helpful for tracking and security in large networks, disabling it simplifies DHCP traffic and ensures compatibility with all DHCP servers.


DHCP Snooping Command Summary

Here’s a quick reference for the key DHCP Snooping commands we’ve discussed:

  • Enable DHCP Snooping globally:
    ip dhcp snooping

  • Enable DHCP Snooping for specific VLAN(s):
    ip dhcp snooping vlan <vlan-id>

  • Mark a port as trusted (usually connected to a DHCP server):

      interface <interface-id>
          ip dhcp snooping trust

  • Limit DHCP requests on untrusted ports (to prevent DHCP Starvation):

      interface <interface-id>
          ip dhcp snooping limit rate <value>

  • Show DHCP Snooping status, trusted ports, and monitored VLANs:
    show ip dhcp snooping

  • Display the DHCP Snooping binding table (IP-MAC-port mappings):
    show ip dhcp snooping binding

  • Disable insertion of Option 82 information into DHCP requests:
    no ip dhcp snooping information option


Wrap-Up

DHCP Snooping is a simple but powerful way to secure your network. By controlling which ports can act as DHCP servers, tracking IP assignments, and limiting requests, it prevents common attacks like DHCP Starvation and DHCP Poisoning.

Key points to remember:

  • Only trust ports connected to legitimate DHCP servers.

  • Use rate limiting on untrusted ports to block flooding attacks.

  • Keep an eye on the binding table to verify legitimate IP assignments.

  • Option 82 helps with tracking and security, but can be disabled if not needed.

By enabling DHCP Snooping and using these commands, you can protect your network from rogue devices and ensure stable IP management. It’s an essential tool for any network, big or small.
