Cisco DHCP Snooping: Complete Configuration Guide with Examples and Troubleshooting

What is DHCP Snooping?

DHCP Snooping is a Layer 2 security feature available on Cisco Catalyst switches that acts as a firewall between untrusted hosts and trusted DHCP servers. It filters untrusted DHCP messages and builds a binding database (DHCP snooping binding table) that maps client MAC addresses, IP addresses, VLAN IDs, and port information. This database becomes the foundation for other security features like Dynamic ARP Inspection (DAI) and IP Source Guard.

The primary purpose of DHCP Snooping is to prevent rogue DHCP servers from distributing incorrect IP addressing information to network clients. Rogue DHCP servers can be intentionally deployed by malicious users to intercept network traffic, redirect users to phishing sites, or perform man-in-the-middle attacks. They can also be accidentally introduced when users connect unauthorized devices like wireless routers to the network.

DHCP Snooping operates by designating switch ports as either trusted or untrusted. Trusted ports connect to legitimate DHCP servers or upstream switches, while untrusted ports connect to end-user devices. The switch inspects all DHCP messages on untrusted ports and drops packets from unauthorized sources, ensuring only legitimate DHCP servers can respond to client requests.

DHCP Snooping Overview

How DHCP Snooping Works

Trusted vs. Untrusted Ports

DHCP Snooping divides switch ports into two categories:

  • Trusted Ports: Ports that connect to legitimate DHCP servers, distribution switches, or the network core. These ports can send and receive all DHCP message types without restriction. Uplink ports to authorized DHCP servers must always be configured as trusted.
  • Untrusted Ports: Ports that connect to end-user devices like workstations, printers, IP phones, and other client equipment. By default, all ports are untrusted. These ports can only send DHCP client messages (DISCOVER, REQUEST, DECLINE, RELEASE, INFORM). Any DHCP server messages (OFFER, ACK, NAK) received on untrusted ports are dropped.

DHCP Message Validation

When DHCP Snooping is enabled, the switch performs several validation checks on DHCP messages received on untrusted ports:

  • Server Message Filtering: Drops DHCP server messages (OFFER, ACK, NAK) received on untrusted ports, preventing rogue servers from responding to client requests
  • Source MAC Verification: Ensures the source MAC address in the Ethernet header matches the client hardware address in the DHCP packet, preventing MAC address spoofing
  • DHCP RELEASE and DECLINE Validation: Verifies that RELEASE and DECLINE messages match entries in the DHCP snooping binding table, preventing clients from releasing IP addresses assigned to other devices
  • Rate Limiting: Limits the number of DHCP packets per second on untrusted ports to prevent DHCP starvation attacks where attackers flood the network with DHCP requests to exhaust the server's address pool
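The following Python model is an added example (not Cisco code and not output from this guide); it reproduces the four checks above on constructed DHCP frames so you can see which packet each rule drops. The frame fields, the binding-table layout and the one-second rate counter are assumptions of the model.

```python
"""Model of the four DHCP Snooping checks listed above.

Added example, not Cisco code: it reproduces the per-port decisions (server
message filtering, source MAC verification, RELEASE/DECLINE validation and
rate limiting) on constructed frames so the rules can be exercised offline.
A frame is a dict with the fields the switch reads: src_mac, chaddr, msg_type,
interface, vlan and, for ACKs, yiaddr; the frame layout and the simple
per-second rate counter are assumptions of this model.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingSwitch:
    trusted: set                      # ports with 'ip dhcp snooping trust'
    rate_limit: dict                  # port -> pps limit; absent = unlimited
    verify_mac: bool = True           # 'ip dhcp snooping verify mac-address'
    bindings: dict = field(default_factory=dict)      # (mac, vlan) -> Binding
    errdisabled: set = field(default_factory=set)     # ports shut down by rate limiting
    _pending: dict = field(default_factory=dict)      # (mac, vlan) -> port of the REQUEST
    _pps: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> count

    def inspect(self, frame, now):
        """Return ('forward' | 'drop', reason) for one DHCP frame seen at second `now`."""
        port, mac, vlan, mtype = frame["interface"], frame["chaddr"], frame["vlan"], frame["msg_type"]
        if port in self.errdisabled:
            return "drop", "port err-disabled"

        if port in self.trusted:
            # Trusted ports are not filtered. A server ACK answering a REQUEST we saw
            # on an untrusted port creates the binding for that client port.
            if mtype == "ACK" and (mac, vlan) in self._pending:
                client_port = self._pending.pop((mac, vlan))
                self.bindings[(mac, vlan)] = Binding(mac, frame["yiaddr"], vlan, client_port)
            return "forward", "trusted port"

        # Untrusted port: rate limiting counts every DHCP packet; exceeding the
        # configured pps err-disables the port (as the real switch does).
        limit = self.rate_limit.get(port)
        if limit is not None:
            self._pps[(port, now)] += 1
            if self._pps[(port, now)] > limit:
                self.errdisabled.add(port)
                return "drop", f"rate limit {limit} pps exceeded"

        # Server message filtering: only a rogue server sends these on an untrusted port.
        if mtype in SERVER_MESSAGES:
            return "drop", f"{mtype} from untrusted port (rogue server?)"

        # Source MAC verification: Ethernet source must equal the DHCP chaddr.
        if self.verify_mac and frame["src_mac"].lower() != mac.lower():
            return "drop", "source MAC does not match chaddr"

        # RELEASE/DECLINE validation: the binding must exist and belong to this port,
        # so a client cannot release another device's lease.
        if mtype in ("RELEASE", "DECLINE"):
            b = self.bindings.get((mac, vlan))
            if b is None or b.interface != port:
                return "drop", f"{mtype} does not match binding table"
            del self.bindings[(mac, vlan)]
            return "forward", f"{mtype} matches binding"

        if mtype == "REQUEST":
            self._pending[(mac, vlan)] = port
        return "forward", "client message"


def demo():
    """Constructed traffic: a normal lease, a rogue OFFER, a spoofed chaddr,
    a RELEASE from the wrong port, a valid RELEASE, then a DISCOVER flood."""
    sw = SnoopingSwitch(trusted={"Gi1/0/1"}, rate_limit={"Gi1/0/5": 3, "Gi1/0/15": 3})
    client, rogue = "00:50:56:a1:2b:3c", "de:ad:be:ef:00:01"
    frames = [
        dict(src_mac=client, chaddr=client, msg_type="REQUEST", interface="Gi1/0/5", vlan=10),
        dict(src_mac="00:11:22:33:44:55", chaddr=client, msg_type="ACK", interface="Gi1/0/1",
             vlan=10, yiaddr="192.168.10.100"),
        dict(src_mac=rogue, chaddr=client, msg_type="OFFER", interface="Gi1/0/15", vlan=10, yiaddr="10.0.0.9"),
        dict(src_mac=rogue, chaddr=client, msg_type="REQUEST", interface="Gi1/0/15", vlan=10),
        dict(src_mac=client, chaddr=client, msg_type="RELEASE", interface="Gi1/0/15", vlan=10),
        dict(src_mac=client, chaddr=client, msg_type="RELEASE", interface="Gi1/0/5", vlan=10),
    ]
    results = [sw.inspect(f, now=0) for f in frames]
    flood = dict(src_mac="02:00:00:00:00:01", chaddr="02:00:00:00:00:01",
                 msg_type="DISCOVER", interface="Gi1/0/5", vlan=10)
    results += [sw.inspect(flood, now=1) for _ in range(4)]   # 4th packet trips the 3 pps limit
    return sw, results


if __name__ == "__main__":
    for verdict, reason in demo()[1]:
        print(f"{verdict:8} {reason}")
```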

DHCP Snooping Binding Table

The DHCP snooping binding table (also called the DHCP snooping database) stores information about successful DHCP transactions. Each entry includes:

  • MAC Address: Client's hardware address
  • IP Address: IP address assigned to the client
  • VLAN ID: VLAN where the client resides
  • Interface: Switch port connected to the client
  • Lease Time: Duration of the DHCP lease

This database serves as a trusted source of IP-to-MAC-to-port bindings and is used by complementary security features like Dynamic ARP Inspection and IP Source Guard to validate ARP packets and IP traffic respectively.

DHCP Snooping Benefits and Use Cases

Security Benefits

  • Prevents Rogue DHCP Servers: Blocks unauthorized DHCP servers from distributing incorrect network information
  • Stops Man-in-the-Middle Attacks: Prevents attackers from acting as DHCP servers to intercept traffic
  • Mitigates DHCP Starvation: Rate limiting prevents attackers from exhausting the DHCP address pool
  • Prevents IP Address Spoofing: MAC verification ensures clients cannot spoof other devices' addresses
  • Foundation for Advanced Security: Enables Dynamic ARP Inspection and IP Source Guard

Common Use Cases

  • Enterprise campus networks with distributed access switches
  • Service provider environments with untrusted customer connections
  • Educational institutions where users may connect unauthorized devices
  • Guest networks requiring additional security controls
  • Networks requiring compliance with security standards

Attack Scenarios Prevented

Rogue DHCP Server Attack

An attacker connects a device configured as a DHCP server to the network. Without DHCP Snooping, this rogue server could respond faster than the legitimate server, distributing incorrect IP configurations including:

  • Wrong default gateway (redirecting traffic through attacker's device)
  • Malicious DNS servers (redirecting users to phishing websites)
  • Incorrect subnet masks (causing network connectivity issues)

DHCP Snooping prevents this by dropping DHCP server messages on untrusted ports.

DHCP Starvation Attack

An attacker floods the network with DHCP DISCOVER messages using spoofed MAC addresses, attempting to exhaust all available IP addresses in the DHCP pool. Once the pool is exhausted, legitimate clients cannot obtain IP addresses. DHCP Snooping's rate limiting feature prevents this by limiting the number of DHCP packets per second on untrusted ports.

Prerequisites and Requirements

Hardware and Software Requirements

  • Supported Platforms: Cisco Catalyst switches (2960, 3560, 3750, 3850, 9300, 9500 series and higher)
  • IOS Version: DHCP Snooping is available in most modern IOS versions (12.2(25)SE and later for Catalyst 2960)
  • License: Included in LAN Base license and higher

Network Design Considerations

  • Identify DHCP Servers: Document all legitimate DHCP server locations and their connected switch ports
  • Map Network Topology: Understand which ports connect to other switches (trunk ports) versus end devices (access ports)
  • Plan Trusted Ports: Determine which ports should be trusted (typically uplinks and server ports)
  • VLAN Strategy: DHCP Snooping is configured per VLAN, so plan which VLANs require protection
  • Database Storage: Plan where to store the DHCP snooping database for persistence across reboots

Important Considerations

Critical: Before enabling DHCP Snooping, you must configure trusted ports for all uplinks and ports connecting to legitimate DHCP servers. Failing to do so will prevent all DHCP traffic, causing all clients to lose network connectivity when their current leases expire.

Basic DHCP Snooping Configuration

Step 1: Enable DHCP Snooping Globally

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
  

This enables DHCP Snooping globally on the switch and activates it for VLANs 10, 20, and 30. You can specify individual VLANs or ranges (e.g., vlan 10-50).

Step 2: Configure Trusted Ports

! Configure uplink port as trusted
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# description Uplink to Core Switch
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Configure DHCP server port as trusted
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# description DHCP Server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
  

Important: All ports connecting to legitimate DHCP servers or upstream switches must be configured as trusted. Access ports connecting to end-user devices should remain untrusted (the default state).

Step 3: Enable MAC Address Verification (Recommended)

Switch(config)# ip dhcp snooping verify mac-address
  

This command enables verification that the source MAC address in the Ethernet header matches the client hardware address in the DHCP payload. This prevents MAC address spoofing attacks.

Step 4: Configure Rate Limiting (Optional but Recommended)

! Apply rate limiting to access ports
Switch(config)# interface range GigabitEthernet1/0/2-23
Switch(config-if-range)# description Access Ports
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# exit
  

This limits untrusted ports to 10 DHCP packets per second, mitigating DHCP starvation attacks. The appropriate rate depends on your environment; 10-100 packets/second is typical for access ports. Choose the value with care: a port that exceeds its limit is placed in the err-disabled state, so a limit below a port's normal DHCP load takes that port down.

Complete Basic Configuration Example

! Enable DHCP Snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# ip dhcp snooping verify mac-address

! Configure trusted uplink
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# description Uplink to Distribution
Switch(config-if)# ip dhcp snooping trust

! Configure trusted DHCP server port
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# description DHCP Server
Switch(config-if)# ip dhcp snooping trust

! Configure untrusted access ports with rate limiting
Switch(config)# interface range GigabitEthernet1/0/2-23
Switch(config-if-range)# description Access Ports
Switch(config-if-range)# ip dhcp snooping limit rate 15
  

Advanced DHCP Snooping Configuration

Configuring DHCP Snooping Database

By default, the DHCP snooping binding table exists only in RAM and is lost when the switch reboots. To maintain bindings across reboots, configure persistent storage:

Store Database on Flash

Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db
Switch(config)# ip dhcp snooping database write-delay 300
  

This stores the database in flash memory with a write delay of 300 seconds (5 minutes). The write delay batches updates to reduce flash wear.

Store Database on TFTP Server

Switch(config)# ip dhcp snooping database tftp://192.168.1.100/dhcp-snooping.db
Switch(config)# ip dhcp snooping database write-delay 300
Switch(config)# ip dhcp snooping database timeout 3600
  

This stores the database on a TFTP server. The timeout value (3600 seconds = 1 hour) is the abort timer: how long the switch waits for a database read or write to the TFTP server to complete before abandoning the transfer.

Information Option 82 Configuration

DHCP Option 82 (Relay Agent Information Option) allows switches to insert information about the client's location in DHCP packets. This helps DHCP servers provide location-specific configurations.

Allow Option 82

! By default, packets that arrive on an untrusted port already carrying
! Option 82 are dropped (only a relay agent or switch inserts that option)
! Allow such packets on untrusted ports
Switch(config)# ip dhcp snooping information option allow-untrusted
  

Insert Option 82 Information

! Configure switch to insert Option 82 information (enabled by default on most IOS releases)
Switch(config)# ip dhcp snooping information option

! Specify custom format (optional)
Switch(config)# ip dhcp snooping information option format remote-id string BUILDING-1-FLOOR-2
  

Per-VLAN Configuration

You can enable DHCP Snooping selectively on specific VLANs:

! Enable on multiple VLANs
Switch(config)# ip dhcp snooping vlan 10,20,30-40

! Add more VLANs later
Switch(config)# ip dhcp snooping vlan 50

! Remove VLANs from snooping
Switch(config)# no ip dhcp snooping vlan 30
  

Configuring for IP Phones

When using IP phones with PCs connected through the phone's switch port, both devices need DHCP. Configure appropriate rate limits:

! Ports with IP phones typically need higher rate limits
Switch(config)# interface range GigabitEthernet1/0/5-20
Switch(config-if-range)# description IP Phone + PC Ports
Switch(config-if-range)# ip dhcp snooping limit rate 20
  

Verification Commands

Verify DHCP Snooping Status

Switch# show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0cd0.f89a.2c00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/1       yes        yes             unlimited
GigabitEthernet1/0/24      yes        yes             unlimited
GigabitEthernet1/0/2       no         no              15
GigabitEthernet1/0/3       no         no              15
  

View DHCP Snooping Binding Table

Switch# show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:A1:2B:3C   192.168.10.100   86395       dhcp-snooping   10   GigabitEthernet1/0/5
00:50:56:A1:4D:5E   192.168.10.101   86398       dhcp-snooping   10   GigabitEthernet1/0/6
00:1A:2B:3C:4D:5E   192.168.20.50    86400       dhcp-snooping   20   GigabitEthernet1/0/10
Total number of bindings: 3
  

Check DHCP Snooping Statistics

Switch# show ip dhcp snooping statistics

Packets Forwarded                  = 1245
Packets Dropped                    = 15
Packets Dropped From untrusted port = 15
  

View Interface-Specific Information

Switch# show ip dhcp snooping binding interface GigabitEthernet1/0/5

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:A1:2B:3C   192.168.10.100   86395       dhcp-snooping   10   GigabitEthernet1/0/5
Total number of bindings: 1
  

Check Database Status

Switch# show ip dhcp snooping database

Agent URL : flash:dhcp-snooping.db
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0
  

Troubleshooting DHCP Snooping

Issue 1: Clients Cannot Obtain IP Addresses

Symptoms: After enabling DHCP Snooping, clients fail to get DHCP addresses

Common Causes and Solutions:

Cause 1: DHCP Server Port Not Trusted

! Verify trusted ports (the interface table shows Trusted yes/no per port;
! '| include Trusted' would only print the table header)
Switch# show ip dhcp snooping | begin Interface

! If the DHCP server port is not listed as trusted, configure it as trusted
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# ip dhcp snooping trust
  

Cause 2: Uplink to DHCP Server Not Trusted

! Ensure uplink ports are trusted
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip dhcp snooping trust
  

Cause 3: DHCP Snooping Not Enabled on Correct VLAN

! Verify the configured and operational VLAN lists at the top of the output
! (a VLAN that is configured but not operational does not exist on the switch)
Switch# show ip dhcp snooping

! Add missing VLANs
Switch(config)# ip dhcp snooping vlan 10
  

Issue 2: DHCP Packets Being Dropped

Symptoms: DHCP statistics show increasing dropped packets

! Check statistics
Switch# show ip dhcp snooping statistics

Packets Dropped                    = 450
Packets Dropped From untrusted port = 450
  

Solutions:

Check for Rogue DHCP Servers

! Enable debug to see what is being dropped (CPU-intensive; disable it afterwards)
Switch# debug ip dhcp snooping packet

! Look for DHCP OFFER or ACK messages received on untrusted ports
! These indicate a rogue DHCP server

! Find the port: the debug output and the DHCP_SNOOPING syslog messages
! name the untrusted interface or the source MAC of the dropped reply
Switch# show logging | include DHCP_SNOOPING

! If only the source MAC is logged, locate it in the MAC address table
Switch# show mac address-table address <MAC-from-log>

! Investigate the device connected to the suspicious port
  

Rate Limit Exceeded

! Check the configured limits (Rate limit column; 'unlimited' means none)
Switch# show ip dhcp snooping | begin Interface

! Increase the rate limit if legitimate traffic is being dropped
Switch(config)# interface GigabitEthernet1/0/10
Switch(config-if)# ip dhcp snooping limit rate 20

! A port that already exceeded its limit is err-disabled; bounce it after raising the limit
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
  

Issue 3: MAC Address Verification Failures

Symptoms: DHCP requests fail with MAC verification errors

Solutions:

! Check if MAC verification is enabled
Switch# show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled

! Some devices (for example VMs whose virtual adapter rewrites the source MAC)
! fail this check; disabling it is global and reduces security
Switch(config)# no ip dhcp snooping verify mac-address

! There is no per-port bypass for this check; prefer fixing the offending
! device over disabling verification for the whole switch
  

Issue 4: Option 82 Compatibility Problems

Symptoms: DHCP fails when relay agents or certain servers are involved

Solutions:

! Allow Option 82 on untrusted ports if needed
Switch(config)# ip dhcp snooping information option allow-untrusted

! Or disable Option 82 insertion entirely
Switch(config)# no ip dhcp snooping information option
  

Issue 5: Binding Table Not Persisting

Symptoms: After switch reload, all clients must renew DHCP leases

Solutions:

! Configure database storage
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db

! Verify database is being written
Switch# show ip dhcp snooping database

! Check for write errors in logs
Switch# show logging | include DHCP
  

Debug Commands

! Enable DHCP Snooping debugging (use carefully in production)
Switch# debug ip dhcp snooping packet
Switch# debug ip dhcp snooping event
Switch# debug ip dhcp snooping agent

! Disable debugging after troubleshooting
Switch# undebug all
  

Warning: Debug commands generate significant output and CPU load. Use them sparingly in production environments and disable them immediately after troubleshooting.

Integration with Other Security Features

Dynamic ARP Inspection (DAI)

DAI uses the DHCP snooping binding table to validate ARP packets. It prevents ARP spoofing attacks by verifying that ARP packets contain valid IP-to-MAC mappings.

! Enable DHCP Snooping first
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

! Configure trusted port
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip dhcp snooping trust

! Enable Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan 10

! Configure DAI trusted ports (usually same as DHCP Snooping trusted ports)
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
  

IP Source Guard

IP Source Guard prevents IP address spoofing by filtering traffic based on the DHCP snooping binding table. It ensures devices can only send traffic using their legitimately assigned IP addresses.

! Enable DHCP Snooping first
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

! Enable IP Source Guard on access ports
Switch(config)# interface range GigabitEthernet1/0/2-24
Switch(config-if-range)# ip verify source

! Or enable with MAC address verification
Switch(config-if-range)# ip verify source port-security
  

Port Security Integration

DHCP Snooping works alongside Port Security to provide comprehensive access layer security:

! Configure Port Security
Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security aging time 1440

! DHCP Snooping rate limiting
Switch(config-if)# ip dhcp snooping limit rate 15
  

Best Practices

Design and Planning

  • Document Trusted Ports: Maintain clear documentation of which ports should be trusted and why
  • Start Small: Enable DHCP Snooping on a single VLAN first, verify it works, then expand to other VLANs
  • Test in Lab: Test configuration changes in a lab environment before production deployment
  • Plan for IP Phones: Consider dual VLAN requirements and higher rate limits for voice ports
  • Consider Wireless: Plan DHCP Snooping integration with wireless controllers and access points

Configuration Best Practices

  • Enable MAC Verification: Always use ip dhcp snooping verify mac-address unless compatibility issues arise
  • Configure Rate Limiting: Apply appropriate rate limits to prevent DHCP starvation attacks
  • Use Database Storage: Configure persistent storage to maintain bindings across reboots
  • Trust Only Necessary Ports: Minimize the number of trusted ports to reduce attack surface
  • Apply to All VLANs: Enable DHCP Snooping on all VLANs where DHCP is used
  • Document Option 82 Usage: Clearly document if and why Option 82 is enabled or disabled

Operational Best Practices

  • Monitor Binding Table: Regularly review the binding table for anomalies
  • Check Drop Statistics: Monitor dropped packet counts to detect potential attacks or misconfigurations
  • Review Logs Regularly: Check system logs for DHCP Snooping-related messages
  • Verify After Changes: Always verify DHCP Snooping operation after network changes
  • Maintain Backups: Keep backups of working configurations
  • Update Documentation: Keep network documentation current with trusted port configurations

Security Best Practices

  • Combine with DAI and IPSG: Use all three features together for comprehensive Layer 2 security
  • Implement Port Security: Add Port Security alongside DHCP Snooping for defense in depth
  • Regular Audits: Periodically audit trusted port configurations to ensure they're still appropriate
  • Alert on Drops: Configure SNMP or syslog alerts for excessive DHCP packet drops
  • Physical Security: Ensure physical security of switches to prevent console-based attacks that could disable DHCP Snooping

Common Mistakes to Avoid

  • Not Configuring Trusted Ports: Forgetting to trust uplinks or server ports causes total DHCP failure
  • Trusting Too Many Ports: Over-trusting reduces security effectiveness
  • Inadequate Testing: Enabling DHCP Snooping network-wide without testing causes widespread outages
  • Ignoring Rate Limits: Not configuring rate limits leaves network vulnerable to DHCP starvation
  • No Database Persistence: Failing to configure database storage forces all clients to renew after switch reboots
  • Disabling MAC Verification: Removing MAC verification weakens security significantly

Complete Configuration Example

Network Topology

  • Access Switch: Catalyst 2960-X with 48 ports
  • GigabitEthernet1/0/1: Uplink to distribution switch
  • GigabitEthernet1/0/24: DHCP server connection
  • GigabitEthernet1/0/2-23: Access ports for end devices
  • VLANs: 10 (Data), 20 (Voice), 30 (Guest)

Complete DHCP Snooping Configuration

! ============================================
! DHCP Snooping Configuration - Access Switch
! ============================================

! Enable DHCP Snooping globally
ip dhcp snooping
ip dhcp snooping vlan 10,20,30

! Enable MAC address verification
ip dhcp snooping verify mac-address

! Configure Option 82
ip dhcp snooping information option

! Configure database persistence
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 300

! ============================================
! Trusted Ports Configuration
! ============================================

! Uplink to distribution switch (TRUSTED)
interface GigabitEthernet1/0/1
 description Uplink to Distribution Switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 ip dhcp snooping trust
 ! no PortFast here: this link goes to another switch and must run normal STP
!

! DHCP Server Port (TRUSTED)
interface GigabitEthernet1/0/24
 description DHCP Server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 spanning-tree portfast
!

! ============================================
! Access Ports Configuration (UNTRUSTED)
! ============================================

! Standard access ports
interface range GigabitEthernet1/0/2-12
 description Standard User Ports
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!

! Guest network ports
interface range GigabitEthernet1/0/13-20
 description Guest Network Ports
 switchport mode access
 switchport access vlan 30
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!

! Conference room ports (higher rate limit for multiple devices)
interface range GigabitEthernet1/0/21-23
 description Conference Room Ports
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 25
 spanning-tree portfast
!

! ============================================
! Optional: Integration with DAI and IPSG
! ============================================

! Enable Dynamic ARP Inspection
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip

! Trust DAI on uplink and server ports
interface GigabitEthernet1/0/1
 ip arp inspection trust
!
interface GigabitEthernet1/0/24
 ip arp inspection trust
!

! Enable IP Source Guard on access ports
interface range GigabitEthernet1/0/2-23
 ip verify source
!

! Save configuration
end
write memory
  

Verification After Configuration

! Verify DHCP Snooping is enabled
Switch# show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30

! Check trusted ports
Switch# show ip dhcp snooping | begin Interface

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/1       yes        yes             unlimited
GigabitEthernet1/0/24      yes        yes             unlimited
GigabitEthernet1/0/2       no         no              15
GigabitEthernet1/0/3       no         no              15

! View binding table
Switch# show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:A1:2B:3C   192.168.10.100   86395       dhcp-snooping   10   GigabitEthernet1/0/5
00:1A:2B:3C:4D:5E   192.168.10.101   86398       dhcp-snooping   10   GigabitEthernet1/0/6
00:0C:29:5F:6A:7B   192.168.20.50    86400       dhcp-snooping   20   GigabitEthernet1/0/8

! Check statistics
Switch# show ip dhcp snooping statistics

Packets Forwarded                  = 3542
Packets Dropped                    = 0
Packets Dropped From untrusted port = 0
  

Monitoring and Maintenance

Regular Monitoring Commands

Daily Checks

! Check for dropped packets (potential attacks or misconfigurations)
Switch# show ip dhcp snooping statistics

! Review binding table size and entries
Switch# show ip dhcp snooping binding | include Total
Total number of bindings: 45

! Check database status
Switch# show ip dhcp snooping database | include Successful
Successful Writes    :       12
  

Weekly Checks

! Review full binding table for anomalies
Switch# show ip dhcp snooping binding

! Check for excessive drops on specific interfaces
Switch# show interfaces | include drops

! Verify trusted port configuration hasn't changed
Switch# show ip dhcp snooping | begin Interface
  
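The weekly trusted-port check above can be automated against the interface table and VLAN lines of show ip dhcp snooping in the format shown in the Verification Commands section. The script below is an added example (not Cisco tooling): the sample output, EXPECTED_TRUSTED and EXPECTED_ACCESS are constructed stand-ins for the switch output and the site documentation the best practices call for.

```python
"""Audit 'show ip dhcp snooping' output against the documented design.

Added example, not Cisco tooling. It parses the interface table and VLAN
lines in the format shown in this guide and flags trusted ports that are not
documented, documented trusted ports that are missing, access ports without
a rate limit, and VLANs configured but not operational. The sample output,
EXPECTED_TRUSTED and EXPECTED_ACCESS are constructed for this example.
"""
import re

EXPECTED_TRUSTED = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/24"}
EXPECTED_ACCESS = {f"GigabitEthernet1/0/{n}" for n in range(2, 10)}  # subset of Gi1/0/2-23

SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/1       yes        yes             unlimited
GigabitEthernet1/0/24      yes        yes             unlimited
GigabitEthernet1/0/2       no         no              15
GigabitEthernet1/0/3       no         no              15
GigabitEthernet1/0/4       no         no              15
GigabitEthernet1/0/5       no         no              15
GigabitEthernet1/0/6       no         no              15
GigabitEthernet1/0/7       yes        yes             unlimited
GigabitEthernet1/0/8       no         no              15
"""

ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(unlimited|\d+)\s*$")
VLAN_HDR = re.compile(r"DHCP snooping is (configured|operational) on following VLANs:")


def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_snooping(text):
    """Return ({interface: {trusted, allow_option, rate}}, {configured: set, operational: set})."""
    rows, vlans, pending = {}, {"configured": set(), "operational": set()}, None
    for line in text.splitlines():
        hdr = VLAN_HDR.search(line)
        if hdr:
            pending = hdr.group(1)            # the next line carries the VLAN list
            continue
        if pending:
            vlans[pending] = expand_vlans(line)
            pending = None
            continue
        m = ROW.match(line)                   # one interface row; headers do not match
        if m:
            name, trusted, allow, rate = m.groups()
            rows[name] = {"trusted": trusted == "yes", "allow_option": allow == "yes",
                          "rate": None if rate == "unlimited" else int(rate)}
    return rows, vlans


def audit(text, expected_trusted, expected_access):
    """Compare live state with the documented design; return a list of findings."""
    rows, vlans = parse_snooping(text)
    trusted_now = {n for n, r in rows.items() if r["trusted"]}
    findings = []
    for port in sorted(trusted_now - expected_trusted):
        findings.append(f"UNEXPECTED TRUST: {port} is trusted but not documented")
    for port in sorted(expected_trusted - trusted_now):
        findings.append(f"MISSING TRUST: {port} is documented as trusted but is not")
    for port in sorted(expected_access - trusted_now):
        # An access port absent from the table has neither trust nor a rate limit
        if rows.get(port, {}).get("rate") is None:
            findings.append(f"NO RATE LIMIT: access port {port} has no DHCP rate limit")
    for vlan in sorted(vlans["configured"] - vlans["operational"]):
        findings.append(f"VLAN {vlan}: snooping configured but not operational")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, EXPECTED_TRUSTED, EXPECTED_ACCESS):
        print(finding)
```

Feed it the real output with `show ip dhcp snooping` captured to a file, and replace the two EXPECTED sets with the site's documented port lists.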

SNMP Monitoring

Configure SNMP to monitor DHCP Snooping status and receive alerts:

! Enable SNMP traps for DHCP Snooping
Switch(config)# snmp-server enable traps dhcp-snooping

! Configure SNMP community and trap destination
Switch(config)# snmp-server community NetworkMonitor RO
Switch(config)# snmp-server host 192.168.1.50 version 2c NetworkMonitor
  

Syslog Monitoring

! Configure syslog for DHCP Snooping events
Switch(config)# logging host 192.168.1.100
Switch(config)# logging trap informational

! Review DHCP Snooping logs
Switch# show logging | include DHCP

Jan 31 14:23:45.123: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database agent operation succeeded.
Jan 31 14:25:10.456: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: Packet with invalid source MAC on Gi1/0/15
  

Creating Alerts

Use EEM (Embedded Event Manager) to create custom alerts for DHCP Snooping events:

! Alert when DHCP packets are dropped
event manager applet DHCP-DROP-ALERT
 event syslog pattern "DHCP_SNOOPING.*drop message"
 ! the pattern is a case-sensitive regex; IOS logs these drops as "DHCP_SNOOPING drop message ..."
 action 1.0 syslog msg "ALERT: DHCP Snooping dropped packets detected!"
 action 2.0 mail server "192.168.1.100" to "netadmin@company.com" from "switch@company.com" subject "DHCP Snooping Alert"
!

! Alert when rogue DHCP server detected
event manager applet ROGUE-DHCP-ALERT
 event syslog pattern "DHCP_SNOOPING.*untrusted port.*DHCP(OFFER|ACK|NAK)"
 action 1.0 syslog msg "CRITICAL: Rogue DHCP server detected!"
 action 2.0 mail server "192.168.1.100" to "security@company.com" from "switch@company.com" subject "SECURITY ALERT: Rogue DHCP Server"
  
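The same syslog messages that the EEM applets above match can be triaged centrally on the syslog host configured in the Syslog Monitoring section. The script below is an added example (not Cisco tooling) covering both passages: it classifies %DHCP_SNOOPING messages and aggregates them into alerts. The log lines are constructed; the mnemonics used are IOS ones, but their exact wording differs between releases, so the regexes are deliberately loose.

```python
"""Triage %DHCP_SNOOPING syslog messages into actionable findings.

Added example, not Cisco tooling. The log lines below are constructed; the
mnemonics DHCP_SNOOPING_UNTRUSTED_PORT, DHCP_SNOOPING_MATCH_MAC_FAIL and
DHCP_SNOOPING_RATE_LIMIT_EXCEEDED are IOS mnemonics whose text varies by
release, so the field regexes are loose and every field may be missing.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 31 14:23:45.123: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database agent operation succeeded.
Jan 31 14:25:10.456: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0050.56a1.2b3c, MAC sa: 0050.56a1.2b3d
Jan 31 14:26:02.001: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan 31 14:26:02.350: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan 31 14:26:03.007: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
Jan 31 14:27:15.900: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Gi1/0/15 is receiving more than the threshold set
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): %DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<text>.*)$")
MSG_TYPE = re.compile(r"message type: (DHCP\w+)")
MAC_SA = re.compile(r"MAC sa: ([0-9a-fA-F.]+)")
IFACE = re.compile(r"interface (\S+)")
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def classify(line):
    """Map one syslog line to a finding dict, or None for non-snooping lines."""
    m = SYSLOG.match(line)
    if not m:
        return None
    mnemonic, text = m["mnemonic"], m["text"]
    f = {"ts": m["ts"], "severity": int(m["sev"]), "mnemonic": mnemonic,
         "mac": grab(MAC_SA, text), "interface": grab(IFACE, text), "msg_type": grab(MSG_TYPE, text)}
    if mnemonic == "DHCP_SNOOPING_UNTRUSTED_PORT" and f["msg_type"] in SERVER_TYPES:
        f["category"] = "rogue-dhcp-server"      # a server reply arrived on an untrusted port
    elif mnemonic == "DHCP_SNOOPING_MATCH_MAC_FAIL":
        f["category"] = "spoofed-chaddr"         # Ethernet source != DHCP chaddr
    elif mnemonic == "DHCP_SNOOPING_RATE_LIMIT_EXCEEDED":
        f["category"] = "rate-limit-exceeded"    # starvation attempt, or the limit is too low
    elif mnemonic.startswith("AGENT_"):
        f["category"] = "database-agent"         # persistence status, informational
    else:
        f["category"] = "other-drop"
    return f


def triage(log_text):
    """Return (findings, alerts): one finding per line, alerts aggregated by cause."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    alerts = []
    rogue = Counter(f["mac"] for f in findings if f["category"] == "rogue-dhcp-server")
    for mac, n in rogue.most_common():
        # Older releases log only the source MAC, so the next step is to find
        # which port learned that MAC (show mac address-table address <mac>).
        alerts.append(f"CRITICAL rogue DHCP server: {n} server replies from {mac} on an untrusted port; "
                      f"locate with: show mac address-table address {mac}")
    for f in findings:
        if f["category"] == "rate-limit-exceeded":
            alerts.append(f"WARNING rate limit exceeded on {f['interface']}: the switch err-disables the port; "
                          "check for a DHCP flood before raising 'ip dhcp snooping limit rate'")
    for mac, n in Counter(f["mac"] for f in findings if f["category"] == "spoofed-chaddr").items():
        alerts.append(f"NOTICE {n} chaddr/source-MAC mismatch from {mac}: spoofing or a VM adapter quirk")
    return findings, alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[1]:
        print(alert)
```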

Troubleshooting Scenario: Step-by-Step

Scenario: Users Report DHCP Issues After Enabling DHCP Snooping

Problem: After enabling DHCP Snooping, some users cannot obtain IP addresses while others can.

Step 1: Verify DHCP Snooping Configuration

Switch# show ip dhcp snooping

! Check if DHCP Snooping is enabled
! Verify correct VLANs are configured
  

Step 2: Check Trusted Ports

Switch# show ip dhcp snooping | begin Interface

! Verify uplink and DHCP server ports are trusted
! If not, configure them:
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip dhcp snooping trust
  

Step 3: Review Drop Statistics

Switch# show ip dhcp snooping statistics

Packets Forwarded                  = 150
Packets Dropped                    = 45
Packets Dropped From untrusted port = 45

! High drop count indicates misconfiguration or attack
  

Step 4: Enable Debug (Carefully)

! Enable debug during maintenance window only
Switch# debug ip dhcp snooping packet

! Observe output for dropped packets
! Look for messages like:
! "DHCP_SNOOPING: received OFFER on untrusted port Gi1/0/15"

! This indicates a rogue DHCP server on port Gi1/0/15
  

Step 5: Identify Problematic Port

! Check what's connected to the problem port
Switch# show mac address-table interface GigabitEthernet1/0/15

! Check CDP neighbors
Switch# show cdp neighbors GigabitEthernet1/0/15

! Review port description
Switch# show interface GigabitEthernet1/0/15 description
  

Step 6: Take Corrective Action

! If it's a legitimate DHCP server, trust the port
Switch(config)# interface GigabitEthernet1/0/15
Switch(config-if)# ip dhcp snooping trust

! If it's a rogue server, shut down the port
Switch(config)# interface GigabitEthernet1/0/15
Switch(config-if)# shutdown
Switch(config-if)# description DISABLED - Rogue DHCP server detected

! Investigate the connected device
! Contact user or security team
  

Step 7: Verify Resolution

! Check that drops have stopped
Switch# show ip dhcp snooping statistics

! Verify clients are getting addresses
Switch# show ip dhcp snooping binding

! Test from client devices
! Disable and re-enable network adapter or run:
! ipconfig /release
! ipconfig /renew
  

DHCP Snooping vs. Other DHCP Security Methods

Comparison Table

Feature           DHCP Snooping                  DHCP Relay Agent               Port Security
----------------  -----------------------------  -----------------------------  -----------------------------
Primary Purpose   Prevent rogue DHCP servers     Forward DHCP across subnets    Limit MAC addresses per port
Security Level    High - Layer 2 filtering       Medium - forwarding control    Medium - access control
Trusted Ports     Yes - required configuration   N/A                            N/A
Binding Table     Yes - IP/MAC/VLAN/Port         No                             No - only MAC table
Integration       DAI, IPSG, Port Security       Works with DHCP Snooping       Works with DHCP Snooping
Complexity        Medium                         Low                            Low

When to Use Each Feature

  • DHCP Snooping: Essential for any network with untrusted access ports requiring DHCP protection
  • DHCP Relay: Required when DHCP server and clients are in different IP subnets
  • Port Security: Limits MAC addresses per port; complements DHCP Snooping for comprehensive security
  • All Combined: Provides defense-in-depth for maximum security in enterprise networks

Frequently Asked Questions

Q: Does DHCP Snooping work with DHCP relay?

A: Yes, DHCP Snooping and DHCP relay work together. Configure the port connecting to the DHCP relay agent as trusted, and the relay agent will forward DHCP requests to the remote DHCP server normally.

Q: Can I use DHCP Snooping with static IP addresses?

A: DHCP Snooping only affects DHCP traffic. Devices with static IP addresses are not impacted. However, if using Dynamic ARP Inspection (which relies on DHCP Snooping bindings), you'll need to create static ARP ACLs for devices with static IPs.

Q: What happens to existing DHCP leases when I enable DHCP Snooping?

A: Existing leases remain valid. The binding table populates as clients renew their leases. Clients don't need to release and renew immediately; the table builds over time as normal DHCP renewal occurs.

Q: How much memory does the binding table consume?

A: Each binding entry requires approximately 200-300 bytes. A network with 1,000 DHCP clients would use roughly 200-300 KB of memory, which is minimal on modern switches.

Q: Can DHCP Snooping prevent all DHCP attacks?

A: DHCP Snooping prevents rogue DHCP servers and DHCP starvation attacks (with rate limiting). However, it doesn't prevent all Layer 2 attacks. Combine it with DAI, IPSG, Port Security, and BPDU Guard for comprehensive Layer 2 security.

Q: Does DHCP Snooping impact switch performance?

A: Modern Cisco switches perform DHCP Snooping in hardware (ASIC) with negligible performance impact. CPU impact is minimal as DHCP traffic represents a tiny fraction of overall network traffic.

Q: Should I enable DHCP Snooping on trunk ports?

A: Trunk ports connecting to other switches should be configured as trusted. The VLAN configuration applies to the VLANs traversing the trunk; DHCP Snooping processes DHCP packets for configured VLANs on trunk links.

Conclusion

DHCP Snooping is a fundamental Layer 2 security feature that protects networks from rogue DHCP servers and related attacks. By creating a trusted boundary between legitimate DHCP infrastructure and end-user devices, it prevents attackers from distributing malicious network configurations that could redirect traffic, enable man-in-the-middle attacks, or cause denial of service.

Successful DHCP Snooping deployment requires careful planning to identify and configure trusted ports, appropriate rate limiting to prevent DHCP starvation attacks, and integration with complementary security features like Dynamic ARP Inspection and IP Source Guard. The binding table created by DHCP Snooping becomes the foundation for these additional security layers, creating a comprehensive defense-in-depth strategy for Layer 2 security.

When implemented with proper testing, monitoring, and maintenance procedures, DHCP Snooping provides robust protection with minimal operational overhead. Regular monitoring of drop statistics, binding table review, and configuration audits ensure the feature continues protecting the network effectively. Combined with other Layer 2 security features and proper physical security, DHCP Snooping significantly strengthens network security posture against common access layer attacks.