DHCP Snooping

You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports, connected to a DHCP server or another switch, and untrusted ports, connected to end users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on untrusted ports are inspected before being forwarded, and packets from untrusted sources are dropped. The conditions under which a packet is dropped are shown below.

Conditions for dropping a packet

1. Condition: A packet from a DHCP server received on an untrusted port.
   Packet type: DHCPOFFER, DHCPACK, DHCPNACK

2. Condition: The switch is configured with a list of authorized DHCP server addresses, and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses.
   Packet type: DHCPOFFER, DHCPACK, DHCPNACK

3. Condition: Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet.
   Packet type: N/A

4. Condition: Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received on an untrusted port.
   Packet type: N/A

5. Condition: A broadcast packet whose MAC address is in the DHCP binding database, but the port recorded in the DHCP binding database is different from the port on which the packet is received.
   Packet type: DHCPRELEASE, DHCPDECLINE
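The drop conditions above can be read as a small decision procedure. The following Python model, added here as an illustration and not taken from any switch vendor's implementation, applies the five conditions to constructed packet records so the order of checks and the effect of the optional settings (authorized-server list, MAC-match check, option 82 check) can be traced. The packet and configuration fields, the port names, MAC addresses and IP addresses are all made up for the example, and it assumes the binding-database check of condition 5 is applied only on untrusted ports, since the text says trusted ports are forwarded without inspection.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, Tuple

# Message types that only a DHCP server sends (conditions 1 and 2).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}
# Client messages subject to the binding-database port check (condition 5).
BINDING_CHECKED_MESSAGES = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class DhcpPacket:
    """Fields of a received DHCP packet relevant to snooping (constructed model)."""
    msg_type: str       # e.g. "DHCPDISCOVER", "DHCPOFFER"
    ingress_port: str   # switch port the packet arrived on
    src_mac: str        # Ethernet source MAC
    chaddr: str         # DHCP client hardware address field
    src_ip: str         # IP source address
    has_option82: bool = False
    is_broadcast: bool = False


@dataclass
class SnoopingConfig:
    """DHCP snooping settings of the switch (hypothetical names)."""
    trusted_ports: Set[str]
    # None means no authorized-server list is configured, so condition 2 is skipped.
    authorized_servers: Optional[Set[str]] = None
    check_client_mac: bool = True    # condition 3 can be disabled
    check_option82: bool = True      # condition 4 can be disabled
    # DHCP binding database: client MAC -> port it was learned on.
    bindings: Dict[str, str] = field(default_factory=dict)


def inspect(pkt: DhcpPacket, cfg: SnoopingConfig) -> Tuple[bool, str]:
    """Return (forward, reason) for a packet, following the five drop conditions."""
    trusted = pkt.ingress_port in cfg.trusted_ports

    if pkt.msg_type in SERVER_MESSAGES:
        # Condition 1: server messages are never accepted from untrusted ports.
        if not trusted:
            return False, "server message on untrusted port"
        # Condition 2: on trusted ports, the server must be on the authorized list if one exists.
        if cfg.authorized_servers is not None and pkt.src_ip not in cfg.authorized_servers:
            return False, "server address not in authorized list"
        return True, "server message from trusted, authorized server"

    if trusted:
        # Trusted-to-trusted traffic is forwarded without further inspection.
        return True, "forwarded without inspection (trusted port)"

    # Condition 3: client hardware address must match the Ethernet source MAC.
    if cfg.check_client_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
        return False, "chaddr does not match source MAC"

    # Condition 4: relay agent information must not arrive from an untrusted port.
    if cfg.check_option82 and pkt.has_option82:
        return False, "option 82 received on untrusted port"

    # Condition 5: a broadcast RELEASE/DECLINE must come from the port in the binding database.
    if pkt.msg_type in BINDING_CHECKED_MESSAGES and pkt.is_broadcast:
        bound_port = cfg.bindings.get(pkt.chaddr.lower())
        if bound_port is not None and bound_port != pkt.ingress_port:
            return False, "binding database records a different port for this MAC"

    return True, "client message passed inspection"


def demo_config() -> SnoopingConfig:
    """Constructed sample configuration: port 1 is the uplink to the real DHCP server."""
    return SnoopingConfig(
        trusted_ports={"1"},
        authorized_servers={"10.0.0.5"},
        bindings={"aa:bb:cc:dd:ee:01": "3"},
    )


if __name__ == "__main__":
    cfg = demo_config()
    samples = [
        DhcpPacket("DHCPOFFER", "2", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "10.0.0.99"),
        DhcpPacket("DHCPOFFER", "1", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "10.0.0.5"),
        DhcpPacket("DHCPDISCOVER", "3", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "0.0.0.0"),
        DhcpPacket("DHCPRELEASE", "4", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", "10.0.0.50",
                   is_broadcast=True),
    ]
    for p in samples:
        forward, reason = inspect(p, cfg)
        print(f"{p.msg_type:13} port {p.ingress_port}: {'FORWARD' if forward else 'DROP'} ({reason})")
```

The ordering matters: server-only message types are judged by the trust state and authorized-server list before any client-side check, and a packet that reaches the client checks on a trusted port is passed through untouched, which is why the uplink to the real DHCP server must be the only trusted port.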