Back to Command Reference
Global / InterfaceDomain 7.0

ip dhcp snooping

A Layer 2 security feature that acts like a firewall between untrusted hosts and your DHCP servers. It prevents malicious or accidental rogue DHCP servers from handing out invalid IP addresses to your clients, which would otherwise cause a massive network outage or a Man-in-the-Middle (MitM) attack.

Quick Reference

Execution ModeSwitch(config)#
Default Port StateUntrusted
Target ApplicationLayer 2 Access Switches
Companion FeatureDynamic ARP Inspection (DAI)

Trust Boundaries Explained

ip dhcp snooping // Followed by VLAN definitions and interface trust states

DHCP Snooping operates on a strict whitelist logic. The moment you enable it, every single port on the switch becomes "Untrusted".

  • Untrusted Ports (Edge/Access):Can only send DHCP Requests (Discover, Request). If the switch detects a DHCP Reply (Offer, Ack) coming from an untrusted port, it assumes it is a rogue server and instantly blocks the packet.
  • Trusted Ports (Uplinks/Trunks):Configured manually by the administrator using ip dhcp snooping trust. These are the only ports allowed to transmit DHCP server replies. You must configure this on the uplinks pointing toward your legitimate DHCP server.

CLI Deployment Scenarios

Scenario 1: Securing the Access Layer

You are securing an edge switch where users reside on VLAN 10 and VLAN 20. The legitimate corporate DHCP server is connected upstream via trunk port GigabitEthernet1/0/1.

! Step 1: Enable DHCP Snooping globally
Switch(config)# ip dhcp snooping
! Step 2: Activate it on specific VLANs
Switch(config)# ip dhcp snooping vlan 10,20
! Step 3: Establish the Trust Boundary (VERY IMPORTANT)
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip dhcp snooping trust
! Step 4: Mitigate DHCP Starvation attacks by rate-limiting user ports
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15

CCNA Exam Gotchas

[!]

The Global vs. VLAN Prerequisite

A common exam trap: A student types ip dhcp snooping vlan 10, but the feature isn't working.
DHCP Snooping requires a two-step activation. You must execute the bare global command ip dhcp snooping to turn on the engine, and then explicitly declare which VLANs are participating.

[!]

Option 82 Insertion Failures

By default, when a switch intercepts a DHCP request from a client, it injects "Option 82" (circuit ID data) into the header before passing it to the server. Some older or misconfigured DHCP servers reject packets containing Option 82, preventing clients from getting IPs. If you run into this in a troubleshooting lab, you can disable the insertion globally using no ip dhcp snooping information option.