|This article does not cite any sources. (January 2016)|
When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN to allow only clients with specific IP and MAC addresses to have access to the network.
DHCP snooping is a series of layer-2 techniques that ensures IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:
- Track the physical location of hosts.
- Ensure that hosts only use the IP addresses assigned to them.
- Ensure that only authorized DHCP servers are accessible.
With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.
DHCP snooping can also prevent attackers from adding their own DHCP servers to the network. An attacker-controlled DHCP server (Rogue DHCP) could cause malfunction of the network or even control it.
DHCP snooping is an important component in the defense against ARP spoofing. ARP security checks the IP address in the Source Protocol Address field of ARP packets. If that IP address is not an address that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP, then the ARP packet is dropped.