DHCP snooping is a layer 2 security technology which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets.
DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
DHCP snooping classify the switch ports to trusted and untrusted ports to prevent unauthorized DHCP servers.
Interfaces that connect to clients should never be allowed to offer a DHCP service ,We can enforce this by making them untrusted.An interface that is untrusted will block DHCP offer messages. Only an interface that has been configured as trusted is allowed to forward DHCP offer messages.
Let’s see how we can configure DHCP snooping..
First, we need to enable DHCP snooping, both globally and per access VLAN:
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 100
SW1# show ip dhcp snooping binding
SW1(config)# interface Fastethernet0/3
SW1(config-if)# ip dhcp snooping trust
When the DHCP snooping service detects a violation, the packet is dropped, and a message is logged that includes the text “DHCP_SNOOPING” and you can configure the switch to send logs to a syslog server.
By: Hatem Farag | CCIE#54446