DHCP Snooping


DHCP snooping is a feature that allows a Cisco switch to inspect DHCP traffic traversing a layer 2 segment and track the IP addresses assigned to hosts on specific switch ports.

  • configured on LAN switches to prevent rogue (untrusted) DHCP servers from operating
    • drops DHCP server messages that arrive on untrusted ports
  • designed to facilitate two other features:
    • IP Source Guard
    • Dynamic ARP Inspection
  • DHCP snooping and Dynamic ARP Inspection have:
    • trusted ports
    • untrusted ports
      • all interfaces untrusted by default

Configuring on a Switch

  • configure DHCP snooping on switch:
    • enter privileged mode
      • enable
    • enter global config mode
      • conf t (configure terminal)
    • turn on DHCP snooping globally
      • ip dhcp snooping
    • turn on DHCP snooping for VLANs on switch
      • ip dhcp snooping vlan 1
    • set up the trusted interface
      • the interface connected to the legitimate DHCP server
      • enter interface config for that interface (e.g., `f0/1`)
        • interface f0/1
      • mark the interface trusted
        • ip dhcp snooping trust
  • enable Dynamic ARP Inspection, which relies on the DHCP snooping bindings:
    • in global config, enter:
      • ip arp inspection vlan 1
  • save changes to startup-config file
    • exit to privileged mode
      • exit
    • copy config
      • copy running-config startup-config
      • or copy run start
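
A complete configuration session for the steps above, added here as an example (it is not from the original notes). It assumes VLAN 1 is the user VLAN, Fa0/1 is the uplink to the legitimate DHCP server, and Fa0/2-24 are end-host access ports; it goes beyond the notes by also trusting the uplink for DAI, rate-limiting DHCP on the untrusted ports, and adding the show commands used to verify the result:

```cisco
! Added example session, not from the original notes.
! Assumptions: VLAN 1 is the only user VLAN, Fa0/1 is the uplink to the
! legitimate DHCP server, Fa0/2-0/24 are end-host access ports.
enable
configure terminal
!
! Enable DHCP snooping globally, then for the VLAN(s) it should protect.
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Only the port facing the real DHCP server is trusted; server messages
! (OFFER/ACK/NAK) arriving on any other port are dropped.
interface FastEthernet0/1
 description Uplink to DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
! Access ports stay untrusted (the default). Rate-limiting DHCP packets
! per port caps a flood of requests toward the server (beyond the notes;
! the switch err-disables the port if the limit is exceeded).
interface range FastEthernet0/2 - 24
 ip dhcp snooping limit rate 10
exit
!
! DAI validates ARP on untrusted ports against the snooping binding table.
ip arp inspection vlan 1
end
!
! Verification (privileged EXEC mode): Fa0/1 should show as trusted, and
! bindings appear after a client obtains a lease through the switch.
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 1
show ip arp inspection interfaces
!
copy running-config startup-config
```

If clients stop receiving leases after this is applied, check that every port on the path to the DHCP server (not just the server's own port) is trusted, and that the binding table is populated; clients that obtained their address before snooping was enabled have no binding and will fail DAI until they renew. Also note (beyond the notes) that the switch inserts DHCP option 82 into forwarded client requests by default, which some servers and relays reject; `no ip dhcp snooping information option` in global config turns that insertion off.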