DHCP snooping

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Example showing how DHCP snooping works

In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.[1]

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic, or rogue DHCP servers. In addition, information on hosts which have successfully completed a DHCP transaction is accrued in a database of "bindings" which may then be used by other security or accounting features.

Other features may use DHCP snooping database information to ensure IP integrity on a Layer 2 switched domain. This information enables a network to:

  • Track the physical location of IP addresses when combined with AAA accounting or SNMP.
  • Ensure that hosts only use the IP addresses assigned to them when combined with source-guard a.k.a. source-lockdown[2]
  • Sanitize ARP requests when combined with arp-inspection a.k.a. arp-protect


  1. ^ Banks, Ethan. "Five Things To Know About DHCP Snooping". Packet Pushers. Retrieved 29 February 2016.
  2. ^ Cisco Systems, Inc. "Catalyst 3750-X and Catalyst 3560-X Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later". Cisco.com. Retrieved 29 February 2016.