OcNOS-SP : System Management Guide : System Management Configuration Guide : DHCP Snooping
DHCP Snooping
Overview
DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. It is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It is a layer-2 security technology built into the operating system of a capable network switch that drops DHCP traffic it determines to be unacceptable.
The fundamental use case of DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used for malicious purposes in 'man-in-the-middle' or 'Denial of Service' attacks. Similarly, rogue DHCP clients can also cause 'Denial of Service' attacks by continuously requesting IP addresses, depleting the address pool of the DHCP server.
The DHCP snooping feature performs the following activities:
Validates DHCP messages received from untrusted sources and filters out invalid messages.
Rate-limits DHCP traffic from trusted and untrusted sources.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
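The following is an added example (not OcNOS code) that models the four activities above and the per-VLAN enable as a small packet filter: server messages are dropped on untrusted ports, client messages must carry a chaddr matching the Ethernet source, untrusted ports are rate-limited, and a binding learned from a server ACK is used to validate a later RELEASE. The specific checks, the port names xe1 to xe5, and the sample traffic are assumptions chosen for illustration and are not stated on this page.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # legitimate only from trusted (server-facing) ports

@dataclass
class DhcpPacket:
    port: str         # ingress switch port
    vlan: int
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address carried in the DHCP header
    msg_type: str     # DISCOVER, REQUEST, RELEASE, OFFER, ACK, NAK
    yiaddr: str = ""  # address handed out (OFFER/ACK)
    ciaddr: str = ""  # address the client claims to hold (RELEASE)

@dataclass
class DhcpSnooper:
    snooping_vlans: set
    trusted_ports: set
    rate_limit: int = 5                            # packets per untrusted port per window
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port of last client request
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, p: DhcpPacket) -> tuple:
        """Return ('forward' | 'drop', reason) and update the binding table."""
        if p.vlan not in self.snooping_vlans:
            return "forward", "snooping not enabled on VLAN"
        key = (p.vlan, p.chaddr.lower())
        if p.port in self.trusted_ports:  # server side: learn bindings from ACKs
            if p.msg_type == "ACK" and p.yiaddr and key in self.pending:
                self.bindings[key] = (p.yiaddr, self.pending.pop(key))
            return "forward", "trusted port"
        self.counts[p.port] += 1
        if self.counts[p.port] > self.rate_limit:
            return "drop", "rate limit exceeded"
        if p.msg_type in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if p.chaddr.lower() != p.src_mac.lower():
            return "drop", "chaddr does not match source MAC"
        if p.msg_type == "RELEASE":  # must match the learned address and port
            if self.bindings.get(key) != (p.ciaddr, p.port):
                return "drop", "RELEASE does not match binding"
            del self.bindings[key]
        else:
            self.pending[key] = p.port
        return "forward", "validated client message"

def demo():
    s = DhcpSnooper(snooping_vlans={10}, trusted_ports={"xe1"}, rate_limit=3)
    client, other = "00:11:22:33:44:01", "00:11:22:33:44:99"
    pkts = [  # constructed sample traffic
        DhcpPacket("xe2", 10, client, client, "DISCOVER"),
        DhcpPacket("xe3", 10, other, client, "OFFER", yiaddr="10.0.0.66"),     # rogue server
        DhcpPacket("xe1", 10, "00:11:22:33:44:aa", client, "ACK", yiaddr="10.0.0.5"),
        DhcpPacket("xe4", 10, client, client, "RELEASE", ciaddr="10.0.0.5"),  # wrong port
        DhcpPacket("xe2", 10, client, client, "RELEASE", ciaddr="10.0.0.5"),  # genuine
    ] + [DhcpPacket("xe5", 10, other, other, "DISCOVER") for _ in range(4)]    # burst
    return [s.inspect(p)[0] for p in pkts], dict(s.bindings)
```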
Last modified date: 10/19/2023