DHCP snooping

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer networking, DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure.

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN to allow only clients with specific IP/MAC addresses to have access to the network.


DHCP snooping is a series of layer 2 techniques that ensures IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:

  • Track the physical location of hosts.
  • Ensure that hosts only use the IP addresses assigned to them.
  • Ensure that only authorized DHCP servers are accessible.

With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping can also prevent attackers from adding their own DHCP servers to the network. An attacker-controlled DHCP server (Rogue DHCP) could cause malfunction of the network or even control it.

DHCP snooping is an important component in the defense against ARP spoofing. ARP security checks the IP address in the Source Protocol Address field of ARP packets. If that IP address is not an address that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP, then the ARP packet is dropped.


  • Some Cisco Catalyst switches have an inbuilt DHCP snooping capability.[1]
  • Some HP ProCurve switches (with recent firmware) have DHCP Snooping capabilities.[2][3]
  • Dell PowerConnect series 5 switches have DHCP Snooping built in (model numbers matching x5xx such as 3548 or 5548 and their associated "p" models with PoE).[4]
  • Brocade Communications Systems ICX-series switches with layer-3 functionality are capable of running DHCP snooping,[5] and DHCP snooping was also recently added to the VDX product line as a layer-3 function.[6]
  • SMC offers some low-priced switches with DHCP snooping, even a 10-ports desktop switch.
  • Avaya Ethernet Routing Switches implement DHCP snooping.[7]


  1. ^ Charlie Schluting (2005-01-20). "Configure Your Catalyst for a More Secure Layer 2". Enterprise Networking Planet. 
  2. ^ "How to Configure DHCP Snooping on ProCurve Switches?". HP. 
  3. ^ "HP Procurve DHCP Snooping". Stefan Lindblom. 
  4. ^ "PowerConnect 3548 Switch". Dell. 
  5. ^ "DHCP snooping". Brocade Communications Systems. 
  6. ^ "Scaling Out Brocade VCS Fabrics" (PDF). Brocade Communications Systems. 
  7. ^ "Avaya Support Search Results". Avaya Support. Retrieved 14 May 2015. 

External links[edit]