
DHCP Snooping Explained: Stopping Rogue DHCP Servers

DHCP snooping is a switch security feature that stops rogue DHCP servers. Ports that face the legitimate server are marked trusted; DHCP server messages (OFFER, ACK, NAK) arriving on any untrusted port are dropped, so a fake DHCP server on a user port can never hand out malicious settings. Client messages (DISCOVER, REQUEST) on untrusted ports are still forwarded, so normal clients keep working.

The rogue DHCP attack it prevents

Anyone can plug in a device running a DHCP server, and it need not be malicious: a home router plugged into the LAN by its LAN side does the same damage by accident. A client accepts the first OFFER it receives, so if the rogue answers before the real server, the victim gets an attacker-controlled default gateway and DNS server. Off-subnet traffic is then routed through the attacker (a man-in-the-middle), and the DNS setting lets the attacker redirect names even for destinations it does not route. DHCP snooping kills this: server-type messages from untrusted ports are simply dropped, whoever sends them and however fast.

The binding table — a foundation for more security

As snooping watches legitimate DHCP exchanges on untrusted ports, it records a binding table: which IP was leased to which MAC, on which port and VLAN, and for how long. This table then powers Dynamic ARP Inspection (dropping ARP packets whose sender IP/MAC pair does not match a binding) and IP Source Guard (dropping IP traffic from a port whose source address is not bound there), a layered defence stack built on one feature. The table lives in memory, so if you run DAI or IP Source Guard, also configure a DHCP snooping database agent (flash or a remote file); otherwise a reload empties the table and every host with an existing lease is blocked until it renews. Configuration: enable globally and per-VLAN, then mark the uplink/server port ip dhcp snooping trust.

Common mistakes

The classic error: forgetting to trust the port toward the real DHCP server. Suddenly no client can get a lease, because the legitimate offers are dropped too. Trunk/uplink ports carrying DHCP from elsewhere (a server or relay behind another switch) need trust as well. Symptoms are instant and dramatic, so this misconfiguration reveals itself fast: show ip dhcp snooping lists every interface with its trust state, and show ip dhcp snooping statistics counts forwarded and dropped packets. Two quieter mistakes to watch for. First, IOS inserts DHCP option 82 by default, and a snooping-enabled switch upstream drops option-82 packets that arrive on its untrusted ports, so in a multi-switch design either trust the downstream-facing port there, permit them with ip dhcp snooping information option allow-untrusted, or stop inserting the option at the edge with no ip dhcp snooping information option. Second, a DHCP rate limit set too low on an access port err-disables that port when a client legitimately bursts, so size the limit generously (a single host needs only a few packets per second) and enable errdisable recovery cause dhcp-rate-limit.
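The full configuration that the binding-table section describes, with the trust step that this section says people forget, as an added example for a Catalyst access switch running IOS. This is not configuration from the original page; the hostnames, VLAN ID, interface numbers and file name are assumptions for the illustration.

```cisco
! Added example (not from the original page). Assumed topology: users on
! Gi1/0/1-47 in VLAN 10, Gi1/0/48 is the 802.1Q uplink toward the distribution
! switch, and the DHCP server (or its relay) sits behind that uplink.

! --- 1. Turn on snooping globally and for the user VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table across reloads; without this, DAI and IP Source
! Guard block every host that already holds a lease until it renews.
! (file name is an assumption)
ip dhcp snooping database flash:dhcp-snoop.db

! --- 2. The step people forget: trust the port toward the real server ---
! Without "ip dhcp snooping trust" here, the legitimate OFFER/ACK packets
! coming down the uplink are dropped exactly like a rogue server's replies,
! and no client in VLAN 10 gets a lease.
interface GigabitEthernet1/0/48
 description Uplink to distribution (DHCP server/relay is behind this port)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! --- 3. Access ports stay untrusted; cap DHCP so one client cannot flood the CPU ---
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! IP Source Guard: only IP traffic whose source address is bound to this
 ! port in the snooping table is allowed through
 ip verify source

! A port that exceeds the DHCP rate limit goes err-disabled; recover it
! automatically instead of waiting for a manual shut/no shut
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300

! --- 4. Dynamic ARP Inspection validates ARP against the same binding table ---
ip arp inspection vlan 10

! --- 5. Verify: the uplink must show "yes" in the Trusted column, and the
! binding table should fill as clients obtain leases ---
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
show ip arp inspection vlan 10
```

If clients stop getting addresses right after step 1, the output of show ip dhcp snooping will show the uplink as untrusted; applying step 2 fixes it immediately. Do not be tempted to trust user ports to "make it work": a trusted port is exactly where a rogue server would succeed.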

Frequently asked questions

What does DHCP snooping protect against?

Rogue DHCP servers — it drops DHCP server replies arriving on untrusted ports, so only designated legitimate servers can hand out addresses.

What is the DHCP snooping binding table?

A record of legitimate leases (IP, MAC, port, VLAN, lease time) learned by watching DHCP exchanges on untrusted ports. Dynamic ARP Inspection and IP Source Guard use it for further validation, so it should be saved to a database agent to survive reloads.

Why would clients stop getting IPs after enabling DHCP snooping?

The port toward the legitimate DHCP server wasn't marked trusted — so even real server replies are dropped. Trust the server-facing and uplink ports.

Which ports should be trusted?

Only ports toward legitimate DHCP servers and uplinks that carry DHCP from them — all access/user ports stay untrusted.

Vipul Sir, Lead Instructor, Attila Technologies. 20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.
