What is DHCP Snooping

DHCP Snooping :: Set up a secure Cisco switch

A typical DHCP server is susceptible to many types of attack. An attacker can use up the server's IP pool via many DHCP discovers. Other clients then no longer receive an IP address. An attacker can report used IP addresses as free via DHCP release. For MITM or DoS attacks, an attacker can operate a DHCP server in the network himself (rogue DHCP server).

A Cisco switch can prevent these attacks using DHCP snooping.

Set up DHCP snooping

DHCP snooping is activated globally. In addition, the VLANs must be set for which DHCP snooping is to be carried out. The third command ensures (if desired) the automatic reactivation of an interface after the error disabled:

ip dhcp snooping ip dhcp snooping vlan 1-100 errdisable recovery cause dhcp-rate-limit

Then the interfaces can be divided into trusted and untrusted. In addition, Cisco offers the option of setting a rate limit for each interface. The following interface commands set the FastEthernet0 / 1 interface to untrusted and allow 20 DHCP packets per second. GigabitEthernet0 / 1 is the uplink towards the DHCP server and is therefore trusted.

interface FastEthernet0 / 1 description Edge Port no ip dhcp snooping trust ip dhcp snooping limit rate 20! interface GigabitEthernet0 / 1 description Uplink to the DHCP server ip dhcp snooping trust

In the log, the addressing of DHCP snooping looks something like this:

02:19:11: DHCPSN: Found ingress pkt on Fa0 / 1 VLAN 1 02:19:11: DHCP_SNOOPING: exceeded rate limit 20pps on Fa0 / 1

Trojan installs rogue DHCP server

At the end of 2008, the first Trojans appeared that set up malicious DHCP servers. A variant of the DNSChanger malware installs a driver Ndisprot.sys as a DHCP server. A PC infected in this way distributes an IP configuration containing the attacker's DNS server to all stations in the LAN. For example, and are entered as DNS servers. These servers are in Odessa (Ukraine).

DHCP snooping is an effective way of preventing this type of attack. The infected client's switch port is deactivated immediately.

network lab recommendation

Activate DHCP snooping on all edge ports.



  1. Basics
  2. Spanning Tree / BPDU Guard
  3. Cisco Discovery Protocol (CDP)
  4. Trunking DTP / ISL / dot1q
  5. DHCP snooping
  6. Dynamic ARP Inspection (DAI)
  7. Storm Control
  8. Port security
  9. Example configurations