What is DHCP snooping?

Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automate the configuration of devices on IP networks. A DHCP server leases each client an IP address together with related parameters such as the subnet mask, default gateway and DNS server addresses, so that the device can then reach network services like DNS, NTP, or any other communication protocol based on UDP or TCP.

What is DHCP Snooping?

DHCP snooping is a security feature implemented on network switches to protect DHCP infrastructure from malicious attacks and unauthorized DHCP servers. It acts as a firewall between untrusted hosts and trusted DHCP servers by filtering DHCP messages and maintaining a database of legitimate DHCP transactions.

When DHCP servers allocate IP addresses to clients on the LAN, DHCP snooping prevents malicious or malformed DHCP traffic and blocks rogue DHCP servers from distributing incorrect network configuration information.

[Figure: DHCP Snooping in Action. A Layer 2 switch with DHCP snooping enabled forwards the DHCP Offer from the trusted legitimate DHCP server to the DHCP client (192.168.1.100) and blocks the Offer from the rogue DHCP server. Caption: DHCP snooping allows trusted servers while blocking rogue servers.]

How DHCP Snooping Works

DHCP snooping categorizes switch interfaces into two types:

  • Trusted ports − Ports connected to legitimate DHCP servers, DHCP relay agents, or other switches. DHCP server messages from these ports are accepted.

  • Untrusted ports − Ports connected to end-user devices. DHCP server messages from these ports are dropped to prevent rogue DHCP servers.

When DHCP snooping is enabled, server-originated messages (DHCP Offer, Acknowledgment and NAK) are forwarded only when they arrive on trusted ports. The same messages arriving on untrusted ports are discarded, while client-originated messages such as Discover and Request are still forwarded, so a host on an access port can obtain a lease but cannot hand out incorrect IP configuration to others.

DHCP Snooping Database

The switch maintains a binding database that records information about successful DHCP transactions, including:

  • Client MAC address

  • Assigned IP address

  • VLAN ID

  • Interface/port information

  • Lease time

This database is what other security features consume: IP Source Guard and Dynamic ARP Inspection validate traffic against it, and because each entry ties an IP address to a physical port and VLAN, it also helps track the location of IP addresses for network accounting and troubleshooting.

Benefits and Security Features

  • Prevents rogue DHCP servers − Blocks unauthorized DHCP servers from distributing malicious network configurations

  • IP Source Guard integration − Ensures hosts only use IP addresses legitimately assigned to them

  • Dynamic ARP Inspection support − Validates ARP packets against the DHCP snooping database

  • Network monitoring − Provides visibility into DHCP transactions and client locations
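The following is an added example, not code from the original article or from any switch vendor. It simulates the decision logic described in "How DHCP Snooping Works" and shows how the binding database built from DHCP acknowledgments is then reused by IP Source Guard and Dynamic ARP Inspection. Port names (Gi1/0/1 and so on), MAC addresses and IP addresses are constructed sample values; the extra check that an ARP body's sender MAC agrees with the Ethernet source MAC is an assumed option, not something the article specifies.

```python
"""Simulation of DHCP snooping on a Layer 2 switch (added example).
Models trusted/untrusted ports, dropping server-originated DHCP messages on
untrusted ports, building the binding database from DHCPACKs, and reusing
that database for IP Source Guard and Dynamic ARP Inspection checks.
All port names, MAC and IP addresses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_ORIGINATED = {OFFER, ACK, NAK}


@dataclass
class DhcpMessage:
    msg_type: int
    client_mac: str            # chaddr
    your_ip: str = "0.0.0.0"   # yiaddr: address the server offers/assigns
    lease_secs: int = 0        # option 51, only meaningful in OFFER/ACK


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease_secs: int


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]
    bindings: Dict[str, Binding] = field(default_factory=dict)         # keyed by client MAC
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # MAC -> (port, vlan) awaiting ACK

    def process_dhcp(self, port: str, vlan: int, msg: DhcpMessage) -> Tuple[str, str]:
        """Decide what the switch does with a DHCP message seen on `port`.
        Returns ("forward" | "drop", reason)."""
        trusted = port in self.trusted_ports
        if msg.msg_type in SERVER_ORIGINATED:
            if not trusted:
                # the core rule: a DHCP server speaking on a client port is rogue
                return "drop", f"server message type {msg.msg_type} on untrusted port {port}"
            if msg.msg_type == ACK and msg.client_mac in self.pending:
                # lease confirmed by a trusted server: record where the client lives
                client_port, client_vlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = Binding(
                    msg.client_mac, msg.your_ip, client_vlan, client_port, msg.lease_secs)
            return "forward", "server message on trusted port"
        if msg.msg_type in (DISCOVER, REQUEST):
            if not trusted:
                self.pending[msg.client_mac] = (port, vlan)  # remember the client's port
            return "forward", "client request"
        if msg.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(msg.client_mac)
            if not trusted and (b is None or b.port != port or b.vlan != vlan):
                # a host cannot release a lease it does not hold on this port
                return "drop", "release/decline does not match binding table"
            self.bindings.pop(msg.client_mac, None)
            return "forward", "release/decline matched binding table"
        return "drop", f"unknown message type {msg.msg_type}"

    def permit_ip(self, port: str, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard: an untrusted port may only source its bound address."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get(src_mac)
        return b is not None and b.port == port and b.ip == src_ip

    def permit_arp(self, port: str, eth_src_mac: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: on untrusted ports the ARP body's sender MAC/IP
        pair must match a binding on this port; the sender MAC must also agree
        with the Ethernet source MAC (an assumed additional check)."""
        if port in self.trusted_ports:
            return True
        if eth_src_mac != sender_mac:
            return False
        return self.permit_ip(port, sender_mac, sender_ip)


def run_demo() -> Tuple[List[str], SnoopingSwitch]:
    """Replay the exchange from the article's figure; return decisions and the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})  # uplink to the legitimate server
    client = "aa:bb:cc:00:00:01"
    steps = [
        ("Gi1/0/5", DhcpMessage(DISCOVER, client)),                       # client port
        ("Gi1/0/7", DhcpMessage(OFFER, client, "10.0.0.66", 3600)),       # rogue server
        ("Gi1/0/1", DhcpMessage(OFFER, client, "192.168.1.100", 86400)),  # trusted server
        ("Gi1/0/5", DhcpMessage(REQUEST, client)),
        ("Gi1/0/1", DhcpMessage(ACK, client, "192.168.1.100", 86400)),
    ]
    decisions = [sw.process_dhcp(port, 10, msg)[0] for port, msg in steps]
    return decisions, sw


if __name__ == "__main__":
    decisions, sw = run_demo()
    print(decisions)           # ['forward', 'drop', 'forward', 'forward', 'forward']
    print(sw.bindings)
```

Two details worth noting when reading the code: the binding records the port on which the client's Discover/Request was seen, not the trusted port the Ack arrived on, and a Release or Decline from an untrusted port is only honoured if it matches an existing binding, so one host cannot tear down another host's lease.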

Conclusion

DHCP snooping is a critical Layer 2 security feature that protects networks from rogue DHCP servers and malicious DHCP traffic. By maintaining trusted and untrusted port classifications along with a binding database, it forms the foundation for advanced network security features and helps ensure network integrity.

Updated on: 2026-03-16T23:25:01+05:30
