DHCP snooping

Example showing how DHCP snooping works

In computer networking, DHCP snooping is a series of techniques applied to improve the security of a Dynamic Host Configuration Protocol (DHCP) infrastructure. ^[1]

Techniques

DHCP servers allocate IP addresses to clients on a LAN. DHCP snooping can be configured on LAN switches to exclude rogue DHCP servers and remove malicious or malformed DHCP traffic. In addition, information on hosts which have successfully completed a DHCP transaction is accrued in a database of bindings which may then be used by other security or accounting features. ^{[2] [3]}

Other features may use DHCP snooping database information to ensure IP integrity on a Layer 2 switched domain. This information enables a network to:

• Track the physical location of IP addresses when combined with AAA accounting or SNMP.
• Ensure that hosts only use the IP addresses assigned to them when combined with source-guard; a.k.a. source-lockdown ^[4]
• Sanitize ARP requests when combined with arp-inspection; a.k.a. arp-protect

References

1. Banks, Ethan. "Five Things To Know About DHCP Snooping". Packet Pushers. Retrieved 29 February 2016.
2. "What Is DHCP Snooping, all things you should know". Leslie. Retrieved 22 March 2023.
3. "DHCP Snooping". Adarsh Sahni. 14 July 2020.
4. Cisco Systems, Inc. "Catalyst 3750-X and Catalyst 3560-X Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later". Cisco.com. Retrieved 29 February 2016.