DHCP Snooping Explained: Stopping Rogue DHCP Servers
DHCP snooping is a Layer 2 switch security feature that stops rogue DHCP servers. Ports that face the legitimate DHCP server (or the uplink toward it) are marked trusted; every other port is untrusted by default, and any DHCP server message (OFFER, ACK, NAK) arriving on an untrusted port is dropped. An attacker's fake DHCP server plugged into a user port therefore cannot hand out malicious settings.
The rogue DHCP attack it prevents
Anyone with reach to an access port can plug in a device running a DHCP server. A DHCP client accepts the first OFFER it receives, so if the rogue answers faster than the real server (it is usually closer to the victim, and the attacker can also exhaust the real server's pool first so it has nothing to offer) the victim receives an attacker-controlled default gateway and DNS server. All of the victim's traffic is then silently routed through the attacker, a classic man-in-the-middle. DHCP snooping defeats this: server-type messages from untrusted ports are simply dropped, and a per-port rate limit for client messages blunts the pool-exhaustion trick.
The binding table — a foundation for more security
As snooping watches legitimate DHCP exchanges (a DISCOVER/REQUEST from an untrusted port answered by an ACK from a trusted port), it records a binding table: which IP was leased to which MAC on which port and VLAN, and for how long. This table then powers Dynamic ARP Inspection (validating the sender IP/MAC in ARP packets against real bindings) and IP Source Guard (dropping IP traffic on an untrusted port whose source address was never leased to it), a layered defence stack built on one feature. Configuration: enable snooping globally and per VLAN, then mark the uplink/server port with ip dhcp snooping trust. Note that on Cisco switches the table lives in memory and is lost on reload unless a database agent is configured, which leaves DAI and IPSG with nothing to validate against until clients renew.
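The configuration sketched above, written out as an added example (not taken from the original page) for a Cisco IOS Catalyst access switch. The VLAN number, interface names, rate limit and database file name are assumptions chosen for illustration; adjust them to your topology:

```cisco
! --- DHCP snooping: global enable, then the user VLAN(s) it should watch ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Cisco inserts Option 82 by default; many relays/servers discard such packets when
! giaddr is 0. Leave this line in unless your relay is configured to expect Option 82.
no ip dhcp snooping information option
! Persist the binding table across reloads so DAI/IPSG keep working after a reboot
! (file name is an assumption; tftp:// targets also work)
ip dhcp snooping database flash:dhcp-snoop.db
! Ports shut down for exceeding the client rate limit come back automatically
errdisable recovery cause dhcp-rate-limit
!
! --- Uplink toward the legitimate DHCP server or relay: the ONLY trusted port ---
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP relay
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User-facing access ports: untrusted (default), with a client-message rate limit ---
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! IP Source Guard: forward only traffic whose source IP matches a snooping binding
 ! (use "ip verify source port-security" to also enforce the bound MAC; it requires
 ! switchport port-security on the port)
 ip verify source
!
! --- Dynamic ARP Inspection on the same VLAN, validated against the snooping table ---
ip arp inspection vlan 10
!
! --- Verification ---
! Trusted interfaces and per-VLAN status; the uplink must show as trusted
show ip dhcp snooping
! Learned leases: MAC, IP, lease time, type, VLAN, interface
show ip dhcp snooping binding
show ip arp inspection vlan 10
```

Keep the rate limit well above the burst a legitimate client produces (a handful of packets per second) but far below what a starvation tool generates; too low a value err-disables honest ports on boot storms.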
Common mistakes
The classic error: forgetting to trust the port toward the real DHCP server. Suddenly no client can get a lease, because the legitimate OFFERs and ACKs are dropped along with the rogue ones. Remember that trunk/uplink ports carrying DHCP from elsewhere, and any port facing a DHCP relay, need trust as well. A second, subtler cause on Cisco switches is Option 82: snooping inserts it by default, and a relay or server that rejects Option 82 from a packet with giaddr set to zero will silently discard the request, so leases fail even though trust is correct. Symptoms are instant and dramatic, so misconfigurations reveal themselves fast; the snooping show commands tell you which of the two it is.
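A troubleshooting walk-through for the failure mode above, added here as an example and not part of the original page. It assumes the same Cisco IOS switch, VLAN 10 and uplink GigabitEthernet1/0/48 as hypothetical names; the broken state is shown beside its fix:

```cisco
! Symptom: "ip dhcp snooping vlan 10" was added and clients on VLAN 10 stopped getting leases.
!
! Step 1: list trusted interfaces. If the uplink is missing from the trusted list, this is the cause.
show ip dhcp snooping
! Step 2: where supported, the counters show server replies being dropped on an untrusted port
show ip dhcp snooping statistics
!
! Broken state: the uplink was left at the default (untrusted), so every OFFER/ACK from the
! real server is dropped exactly like a rogue's
interface GigabitEthernet1/0/48
 switchport mode trunk
!
! Fix: trust only the uplink toward the server; user ports stay untrusted
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
!
! Step 3: trust is right but leases still fail? The relay or server is likely discarding
! requests that carry Option 82 with giaddr 0. Stop inserting it.
no ip dhcp snooping information option
!
! Step 4 (lab only, noisy): watch each DHCP packet's forward/drop decision live, then turn it off
debug ip dhcp snooping packet
undebug all
!
! Confirm recovery: a fresh binding for the test client should appear
show ip dhcp snooping binding
```

Check trust before touching Option 82: an untrusted uplink drops every server reply, while the Option 82 problem only appears once replies are allowed through.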
Frequently asked questions
What does DHCP snooping protect against?
Rogue DHCP servers. It drops DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports, so only servers reachable through designated trusted ports can hand out addresses; with a client rate limit it also blunts pool-exhaustion (starvation) attacks.
What is the DHCP snooping binding table?
A record of legitimate leases (IP, MAC, port, VLAN and lease time) learned by watching DHCP exchanges between untrusted client ports and trusted server ports. Dynamic ARP Inspection and IP Source Guard use it to validate ARP packets and IP source addresses on untrusted ports.
Why would clients stop getting IPs after enabling DHCP snooping?
The port toward the legitimate DHCP server was not marked trusted, so even real server replies are dropped. Trust the server-facing and uplink ports. If trust is correct and leases still fail on a Cisco switch, check whether the relay or server is rejecting the Option 82 that snooping inserts by default.
Which ports should be trusted?
Only ports toward legitimate DHCP servers, relays, and the uplinks that carry DHCP from them. All access/user ports stay untrusted, including ports in a server VLAN where a user could plug in a device.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.