DHCP snooping

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.[1]

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to allow only clients with specific IP and MAC addresses to have access to the network.

DHCP snooping can ensure IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:

  • Track the physical location of hosts.
  • Ensure that hosts only use the IP addresses assigned to them.
  • Ensure that only authorized DHCP servers are accessible.

With DHCP snooping, the information about IP addresses and corresponding MAC addresses is stored in a database on the network switch. Packets from clients that do not match the stored information will be dropped.[2]

The DHCP snooping database sometimes is used for other security features such as IP source guard and dynamic ARP inspection, which makes it a central component of LAN access security.[1]

DHCP snooping can also prevent attackers from adding their own DHCP servers to the network, causing malfunction of the network and adding further unauthorized components.


  1. ^ a b Banks, Ethan. "Five Things To Know About DHCP Snooping". Packet Pushers. Retrieved 29 February 2016. 
  2. ^ Cisco Systems, Inc. "Catalyst 3750-X and Catalyst 3560-X Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later". Cisco.com. Retrieved 29 February 2016.