Explain DHCP snooping. What is its relevance on a Cisco switch? Give examples of how to enable or disable DHCP snooping on a Cisco switch.
DHCP snooping is a Layer 2 security feature that lets a Cisco switch filter DHCP messages arriving on untrusted ports and build a binding table (MAC address, IP address, lease time, VLAN and interface) for every host that obtained its lease through the switch. Its main purpose is to stop rogue DHCP servers: server-to-client messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on an untrusted port are dropped, so an attacker on an access port cannot hand clients a bogus default gateway or DNS server and intercept their traffic. The switch also drops client messages whose source MAC address does not match the DHCP client hardware address, and it can rate-limit DHCP packets per port to blunt lease-exhaustion (starvation) attacks. The binding table is the foundation for two further features, Dynamic ARP Inspection and IP Source Guard, which use it to validate ARP replies and IP source addresses.
You enable DHCP snooping on a per-VLAN basis on every VLAN that carries DHCP clients. You then mark as trusted only the interfaces through which legitimate DHCP server traffic arrives: ports connected directly to a DHCP server, ports connected to a relay agent, and uplinks to other switches that sit on the path to the server. Every other interface stays untrusted, which is the default. The switch forwards all DHCP messages from trusted ports and drops server messages, and malformed or spoofed client messages, from untrusted ports.
You disable DHCP snooping when you do not need the feature or when a misconfiguration is dropping legitimate DHCP traffic and you need service restored while you fix it. Having multiple DHCP servers on different VLANs or subnets does not by itself require disabling snooping; it only requires that each server-facing port, relay port and inter-switch uplink be marked trusted. Hosts with static IP addresses are not affected by DHCP snooping itself, because it only inspects DHCP traffic; they are affected only when IP Source Guard or Dynamic ARP Inspection is layered on top, and then the fix is a static binding (ip source binding) rather than disabling snooping. BOOTP uses the same message format as DHCP and is inspected in the same way.
To enable DHCP snooping on a Cisco switch, you need to follow these steps:
• First, enable DHCP snooping globally with the command ip dhcp snooping in global configuration mode. On its own this activates nothing; it only allows snooping to be enabled on VLANs and interfaces.
• Second, enable DHCP snooping on the VLANs that carry DHCP clients with the command ip dhcp snooping vlan vlan-list in global configuration mode. The list accepts single VLANs and ranges, for example ip dhcp snooping vlan 10,20 or ip dhcp snooping vlan 1-4094 for every VLAN; there is no all keyword.
• Third, mark the interfaces that lead toward the DHCP server as trusted with the command ip dhcp snooping trust in interface configuration mode. This covers ports connected to a DHCP server, ports connected to a relay agent, and trunk uplinks to other switches. Forgetting a trusted uplink is the most common reason clients stop receiving leases as soon as snooping is turned on, because the OFFER and ACK arriving from the upstream switch are dropped as if they came from a rogue server.
• Fourth, leave the interfaces that connect to end hosts untrusted. This is the default once snooping is enabled, and no ip dhcp snooping trust restores it on a port that was trusted earlier. On untrusted ports the switch drops server messages, verifies that the source MAC address matches the DHCP client hardware address, and can enforce a per-port rate limit with ip dhcp snooping limit rate pps so that a flooding host err-disables its own port instead of exhausting the server's address pool.
For example, if you want to enable DHCP snooping on VLAN 10 and VLAN 20, and you have a trusted DHCP server connected to interface GigabitEthernet 0/1, you can use the following commands:
SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 10,20
SW(config)#interface GigabitEthernet 0/1
SW(config-if)#ip dhcp snooping trust
SW(config-if)#exit
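The same two-VLAN setup, extended with the hardening and verification steps a practitioner would normally add, as an added example that is not part of the original answer. It assumes a Catalyst switch running IOS, a trunk uplink on GigabitEthernet1/0/48 that leads toward a DHCP server reached through a router relay, access ports GigabitEthernet1/0/1 to 47, and a rate limit of 15 packets per second; all of those values are illustrative.

```cisco
! Added example, not from the original page. Interface names, VLAN IDs,
! the flash file name and the 15 pps rate limit are assumptions.
SW(config)# ip dhcp snooping
SW(config)# ip dhcp snooping vlan 10,20
! Drop client packets whose source MAC differs from the DHCP chaddr field
! (on by default; stated explicitly so the intent survives in the config)
SW(config)# ip dhcp snooping verify mac-address
! Assumed topology: the server sits behind a router relay (ip helper-address).
! By default the switch inserts option 82 into client requests with giaddr
! 0.0.0.0, and a relay or server that has not been told to trust such packets
! drops them. Turning the insertion off avoids that failure mode.
SW(config)# no ip dhcp snooping information option
! Persist the binding table so it survives a reload (assumed file name)
SW(config)# ip dhcp snooping database flash:dhcp-snooping.db
! Trusted: the uplink that carries the path to the DHCP server
SW(config)# interface GigabitEthernet1/0/48
SW(config-if)# description Trunk uplink to distribution
SW(config-if)# ip dhcp snooping trust
SW(config-if)# exit
! Untrusted access ports: the default, made explicit, plus a rate limit so a
! client flooding DISCOVERs err-disables its port rather than exhausting the pool
SW(config)# interface range GigabitEthernet1/0/1 - 47
SW(config-if-range)# no ip dhcp snooping trust
SW(config-if-range)# ip dhcp snooping limit rate 15
SW(config-if-range)# exit
! Automatically recover a port err-disabled by the rate limit after 5 minutes
SW(config)# errdisable recovery cause dhcp-rate-limit
SW(config)# errdisable recovery interval 300
SW(config)# end
! Verification: snooping state per VLAN and trust/limit per interface,
! the learned bindings, and drop counters that reveal a misconfigured uplink
SW# show ip dhcp snooping
SW# show ip dhcp snooping binding
SW# show ip dhcp snooping statistics
```

After applying this, release and renew a lease on a client in VLAN 10 and confirm that its MAC address, IP address and port appear in show ip dhcp snooping binding. If clients fail to obtain a lease, check show ip dhcp snooping statistics for untrusted-port drops first; a rising counter on the uplink almost always means a trusted port was missed.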
To disable DHCP snooping on a Cisco switch, you need to follow these steps:
• First, disable DHCP snooping globally with the command no ip dhcp snooping in global configuration mode. This deactivates snooping on every VLAN at once; the ip dhcp snooping vlan and interface trust lines remain in the running configuration but have no effect. If you only want to stop snooping on particular VLANs while keeping it elsewhere, use no ip dhcp snooping vlan vlan-list instead.
• Second, on a Nexus switch running NX-OS (not on IOS), the feature itself must be enabled with feature dhcp before ip dhcp snooping is accepted, and no feature dhcp disables it and removes all DHCP snooping configuration from the switch. IOS has no equivalent command; there you remove the per-VLAN lines with no ip dhcp snooping vlan vlan-list.
• Third, return interfaces that were marked as trusted to the default (untrusted) setting with the command default ip dhcp snooping trust, or equivalently no ip dhcp snooping trust, in interface configuration mode. A leftover trust setting does no harm while snooping is disabled, but removing it keeps the configuration clean and avoids an unexpectedly trusted host port if snooping is re-enabled later.
For example, on an IOS switch where DHCP snooping is enabled on VLAN 10 and VLAN 20 with a trusted DHCP server on interface GigabitEthernet 0/1, the following commands remove it from those VLANs, turn the feature off globally and return the interface to its default:
SW(config)#no ip dhcp snooping vlan 10,20
SW(config)#no ip dhcp snooping
SW(config)#interface GigabitEthernet 0/1
SW(config-if)#default ip dhcp snooping trust
SW(config-if)#exit
On a Nexus switch running NX-OS, replace the IOS-specific steps with no ip dhcp snooping followed by no feature dhcp in global configuration mode; the latter removes the remaining snooping configuration, including interface trust settings.