From CCIE Study Wiki
DHCP Snooping causes a switch to examine DHCP messages and filter those it deems inappropriate.
Theory
The DHCP Snooping feature will build a table called the DHCP snooping binding table consisting of IP address and port mappings based on received DHCP messages.
With DHCP Snooping, a switch considers each port to be either trusted or untrusted. All DHCP messages are allowed on trusted ports, but certain DHCP messages are filtered on untrusted ports:
- All messages that are sent only by DHCP servers.
- DHCP release and decline messages are checked against the DHCP binding table. If the IP and port are not listed, the message is filtered.
- The switch can also be configured to compare the DHCP hardware address value with the source MAC address value in the Ethernet header.
The DHCP snooping binding table is also used by the Dynamic ARP Inspection and IP Source Guard IOS features.
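The filtering rules above, modelled as a small Python class (an added example, not code from the wiki or from IOS). The class and field names, the port names, and the way a binding is learned from a client REQUEST followed by a server ACK are assumptions made for illustration; all frames are constructed.

```python
from dataclasses import dataclass
# DHCP message types (option 53 values from RFC 2131/2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)
SERVER_ONLY = {OFFER, ACK, NAK}

@dataclass(frozen=True)
class DhcpFrame:
    port: str            # switch port the frame arrived on
    src_mac: str         # source MAC in the Ethernet header
    chaddr: str          # client hardware address in the DHCP payload
    msg_type: int
    ip: str = "0.0.0.0"  # address being assigned, released or declined

class SnoopingSwitch:
    def __init__(self, trusted_ports, verify_mac=False):
        self.trusted, self.verify_mac = set(trusted_ports), verify_mac
        # Assumption: the client port is noted on REQUEST and bound on the server ACK.
        self.pending = {}    # chaddr -> client port seen in a REQUEST
        self.bindings = {}   # ip -> port (simplified binding table)

    def process(self, f):
        """Return (forwarded, reason) for one DHCP frame."""
        if f.port in self.trusted:
            if f.msg_type == ACK and f.chaddr in self.pending:
                self.bindings[f.ip] = self.pending.pop(f.chaddr)
            return True, "trusted port"
        if f.msg_type in SERVER_ONLY:
            return False, "server message on untrusted port"
        if self.verify_mac and f.src_mac != f.chaddr:
            return False, "chaddr does not match source MAC"
        if f.msg_type in (RELEASE, DECLINE):
            if self.bindings.get(f.ip) != f.port:
                return False, "no binding for this IP and port"
            del self.bindings[f.ip]
        elif f.msg_type == REQUEST:
            self.pending[f.chaddr] = f.port
        return True, "permitted"

def demo(verify_mac=True):  # runs constructed frames, returns the verdicts
    A, B, SRV = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"}, verify_mac=verify_mac)
    frames = [
        DhcpFrame("Gi0/1", A, A, REQUEST),
        DhcpFrame("Gi0/24", SRV, A, ACK, "10.0.0.5"),    # creates the binding
        DhcpFrame("Gi0/2", B, B, OFFER, "10.0.0.9"),     # server message, untrusted port
        DhcpFrame("Gi0/2", B, B, RELEASE, "10.0.0.5"),   # lease bound to another port
        DhcpFrame("Gi0/2", B, A, DISCOVER),              # chaddr differs from source MAC
        DhcpFrame("Gi0/1", A, A, RELEASE, "10.0.0.5"),   # matches the binding
    ]
    return [sw.process(f) for f in frames]
```

Calling `demo(verify_mac=False)` shows that the frame with a mismatched hardware address is forwarded when the optional source MAC check is not configured.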
Commands
- ip dhcp snooping vlan vlan-range (global) - enables DHCP Snooping for one or more VLANs.
- [no] ip dhcp snooping trust (interface) - enables or disables trust on an interface.
- ip dhcp snooping binding mac-add vlan vlan-id ip-add interface interface-id expiry sec (global) - adds static entries to the binding database.
- ip dhcp snooping verify mac-address (global) - adds the optional source MAC check.
- ip dhcp snooping limit rate rate (interface) - sets the maximum number of DHCP messages per second.
Default Settings
- After DHCP Snooping is enabled, all ports are trusted by default
Verification
Troubleshooting, Tips, and Tricks
Online Resources