CCNA Basics : DHCP Snooping

DHCP snooping is a security feature available on Cisco switches that protects against attacks that take advantage of DHCP. It provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is one received from outside the network or firewall that could be used to launch traffic attacks within your network. 

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information for hosts on the switch's untrusted interfaces; it does not contain entries for hosts reached through a trusted interface. 

An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. 

Put simply, DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also lets you distinguish untrusted interfaces connected to end-user devices from trusted interfaces connected to the DHCP server or to another switch. 

You can configure DHCP snooping on a switch and on individual VLANs. When you enable DHCP snooping on a switch, it acts as a Layer 2 bridge that intercepts and safeguards DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within that VLAN domain. 

We need DHCP snooping to prevent a man-in-the-middle attack on our network. An attacker could pretend (spoof) to be the DHCP server and respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping lets switches on the network trust the port the DHCP server is connected to (this could be a trunk) and treat all other ports as untrusted. 

It also maintains a list of DHCP address bindings by inspecting the traffic flowing between clients and the DHCP server, which gives certainty about which hosts are real. The binding information collected by DHCP snooping is used by other security features such as IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).

Configuring DHCP Snooping on the Switch

When you configure DHCP snooping on your switch, you enable the switch to differentiate untrusted interfaces from trusted interfaces. You must enable DHCP snooping globally before you can use it on a VLAN. You can enable DHCP snooping independently of other DHCP features. 

Once you have enabled DHCP snooping, all the DHCP relay information option configuration commands are disabled; this includes the following commands: 

  • ip dhcp relay information check 
  • ip dhcp relay information policy 
  • ip dhcp relay information trusted 
  • ip dhcp relay information trust-all
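The following Cisco IOS configuration is an added example, not part of the original page: it applies the steps above (global enable, then per-VLAN enable, then trust the server-facing port) on an access switch. The VLAN number, interface names and rate-limit value are assumptions for illustration.

```cisco
! Added example, not from the original page: DHCP snooping on a Cisco IOS access switch.
! Assumed topology: user VLAN 10, DHCP server reached through uplink Gi0/1,
! end hosts on Gi0/2-24.
!
! 1. Enable globally first; the per-VLAN command does nothing until this is on.
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch inserts relay-agent option 82 into client DHCP packets by default.
! Disable it unless your DHCP server or relay is configured to accept it,
! otherwise clients may fail to obtain a lease.
no ip dhcp snooping information option
!
! 2. Trust only the port toward the DHCP server (a trunk is fine). Every other
!    port stays untrusted, so server replies (OFFER/ACK/NAK) arriving on them,
!    e.g. from a rogue DHCP server, are dropped.
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! 3. Rate-limit DHCP packets on untrusted access ports so a single host cannot
!    flood the snooping process; a port exceeding the limit is error-disabled.
interface range GigabitEthernet0/2 - 24
 description End-user access ports (untrusted)
 ip dhcp snooping limit rate 15
```

Verify with `show ip dhcp snooping` (trust and rate-limit state per port) and `show ip dhcp snooping binding` (the binding table described above); bindings are only created for hosts on untrusted ports.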