Configure DHCP Snooping on Cisco Switches
DHCP snooping is a Layer 2 security feature available only on switches. It filters and blocks specific types of DHCP traffic. It mitigates security risks associated with rogue DHCP servers. It works on a per-VLAN basis and is disabled by default. To use this feature, you must enable it first. Once configured, it monitors incoming traffic on all ports within the selected VLAN and either permits or drops DHCP packets based on the configuration.
Lab setup
Set up a practice lab as shown in the following image. You can use real devices or network simulator software to build this lab. This lab is optional and needed only if you want hands-on experience with this topic. If you need only the commands and configurations required to configure DHCP snooping, you can skip this lab and go directly to the configuration section.

- Assign the IP address 10.0.0.1/8 to the Fa0/0 interface of Router0.
- Configure the Fa0/0 interface of the router to forward all DHCP requests to Server0.
- Assign the IP address 20.0.0.1/8 to the Fa0/1 interface of the Router0.
- Assign the IP address 20.0.0.10/8 to Server0.
- Configure a DHCP pool for the local network connected to Switch0.
- Configure PCs of the local network as DHCP clients.
Configuring the router
Access the router's CLI prompt and run the following commands.
```
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address 20.0.0.10
Router(config-if)#exit
Router(config)#
```
| Command | Description |
|---|---|
| Router>enable | Enter Privilege Exec mode. |
| Router#configure terminal | Enter Global configuration mode. |
| Router(config)#interface [interface] [slot/number] | Enter Interface configuration mode. |
| Router(config-if)#ip address [IP address] [subnet mask] | Assign an IP address to the interface. |
| Router(config-if)#ip helper-address [IP address of the DHCP server] | Configure the interface to forward DHCP requests to the DHCP server. |
| Router(config-if)#no shutdown | Enable interface. |
| Router(config-if)#exit | Exit interface configuration mode. |
Assigning a static IP address to Server0
To assign a static IP address to Server0, click Server0 and click the IP configuration option in the Desktop menu. In the IP configuration option, select Static, then assign the static IP configuration.

Enabling the DHCP service and adding a DHCP pool
Click the Services menu icon, click DHCP in the left pane, and select the On option in the right pane. Set the value in the DHCP Pool Options and click the Add button.

Configure DHCP clients
To configure PCs as DHCP clients, click the PC, select the IP configuration option from the Desktop menu, and select the DHCP option.

Verifying the configuration
To verify the configuration, set the IP configuration to DHCP on all PCs. PCs will receive an IP configuration from the DHCP server.
Adding the attacker's DHCP server
To understand how DHCP snooping protects the network from rogue DHCP servers, add an unauthorized DHCP server to the network. PCs must not receive IP configuration from this server.
Assign a static IP configuration to the rogue server.

Add a DHCP pool that replicates the original DHCP server's DHCP pool. In this pool, change the default gateway IP to the IP address that you assigned to this server.

By default, the server has a default pool, and Packet Tracer does not allow you to delete it. If multiple pools are configured, DHCP uses the source address to determine which pool to use. Since DHCP clients use 0.0.0.0 as the source address, and the default pool also uses this address for the default gateway and DNS server addresses, DHCP provides IP configuration from the default pool rather than your pool. To force DHCP to use your pool, change the default gateway IP to the IP address of the server in the default pool.

Verifying the attacker's DHCP server
The attacker's DHCP server is present in the local network and receives DHCP requests from clients before the original DHCP server. As a result, it responds first, and the client obtains its IP configuration from the attacker's server. To verify this, click a PC on the local network, change its IP configuration from Static to DHCP, then back to Static.

If DHCP clients use the IP configuration provided by the attacker's DHCP server, the attacker can intercept or misuse client data. This scenario is known as a man-in-the-middle attack. To learn more about it, you can check the previous tutorial in this series.
This tutorial is part of the tutorial series "DHCP (Dynamic Host Configuration Protocol) basic concepts, configurations, functions, and options explained". Other parts of this series are the following.
Chapter 1 What DHCP is and Types of DHCP Explained
Chapter 2 How DHCP works explained with examples
Chapter 3 DHCP Configuration Parameters and Settings Explained
Chapter 4 How to Configure DHCP Server on Cisco Switches
Chapter 5 Configure DHCP Server for multiple VLANs on the Switch
Chapter 6 How to Configure DHCP Server on Cisco Routers
Chapter 7 How DHCP Relay Agents work Explained
Chapter 8 How to Configure DHCP Relay Agent on Cisco Routers
Chapter 9 How DHCP Snooping works Explained
Chapter 10 Configure DHCP Snooping on Cisco Switches
Configuring DHCP snooping on the switch
Configuring DHCP snooping on the switch involves the following steps.
- By default, DHCP snooping is disabled on Cisco switches. To use this feature, enable it first.
- DHCP snooping works on a per-VLAN basis. Once DHCP snooping is enabled, you must specify the VLAN on which you want to apply it. You can specify a single VLAN or multiple VLANs.
- To configure a single VLAN, specify the VLAN number. To configure a range of VLANs, enter the starting and ending VLAN numbers separated by a dash.
- DHCP snooping treats all ports on the specified VLAN as untrusted. An untrusted port is a port that does not accept DHCP server messages. In other words, if a device is connected to an untrusted port, it can obtain an IP configuration from the DHCP server, but it cannot offer an IP configuration.
- If a DHCP server is connected to the port, you must configure that port as a trusted port. A trusted port is a port that accepts DHCP server messages. In other words, a DHCP server can provide IP configuration only if it is connected to a trusted port.
DHCP snooping commands
| Command | Description |
|---|---|
| Switch(config)#ip dhcp snooping | Enable DHCP snooping globally. |
| Switch(config)#ip dhcp snooping vlan [vlan-id] | Enable DHCP snooping on the specified VLAN or VLAN range (for example, 1 or 10-12). |
| Switch(config-if)#ip dhcp snooping trust | Configure the interface as a trusted interface. |
| Switch(config-if)#ip dhcp snooping limit rate [rate] | Limit the number of DHCP packets that the interface can receive in a second. |
| Switch#show ip dhcp snooping | Display the DHCP snooping configuration and status. |
| Switch#debug ip dhcp snooping event | Start DHCP snooping debugging. |
| Switch#debug ip dhcp snooping packet | Show DHCP messages and packets. |
DHCP snooping configuration
```
Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#interface fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Switch(config)#exit
Switch#
```
- The first command enters Privilege Exec mode.
- The second command enters global configuration mode.
- The third command globally enables DHCP snooping.
- The fourth command configures it on VLAN 1. VLAN 1 is the default VLAN. By default, all switchports belong to it.
- The fifth command enters interface configuration mode for FastEthernet 0/4.
- The sixth command adds this port to the list of trusted ports.
- The seventh command exits Interface configuration mode.
Once DHCP snooping is enabled, only the DHCP server connected to the trusted interface is permitted to provide IP configuration. To verify this functionality, obtain a new IP address on a PC within the local network.

Viewing DHCP snooping configuration
The 'show ip dhcp snooping' command shows the DHCP snooping configuration and statistics.
DHCP rate limit
By default, DHCP snooping does not limit the number of DHCP packets that an interface can receive. Since untrusted interfaces connect to DHCP clients, you can enhance security by limiting the number of DHCP packets accepted on these interfaces. The recommended rate limit for each untrusted port is 15 packets per second. Generally, the rate limit is applied to untrusted interfaces, but if required, you can also configure it on a trusted interface. To configure the DHCP snooping rate limit on an interface, use the 'ip dhcp snooping limit rate [number]' command in interface configuration mode. The following image shows the commands that set the rate limit on the Fa0/1 interface and verify the result.
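The configuration steps above (enable globally, select the VLANs, trust the server port) and the rate limit just described can be audited against a switch's running configuration. The following Python script is an added example written for this tutorial, not code from the original page or from Cisco; it parses a constructed running-config excerpt modelled on the lab (Fa0/4 as the trusted server port, Fa0/1 rate-limited to 15 pps) and reports untrusted ports without a rate limit, server ports left untrusted, and ports whose VLAN snooping does not cover. The `server_ports` argument is an assumption: the operator supplies which ports connect DHCP servers.

```python
import re
# Constructed running-config excerpt modelled on the lab above, not captured from a real switch.
SAMPLE_CONFIG = """ip dhcp snooping
ip dhcp snooping vlan 1,10-12
interface FastEthernet0/1
 ip dhcp snooping limit rate 15
interface FastEthernet0/2
interface FastEthernet0/4
 ip dhcp snooping trust
interface FastEthernet0/5
 switchport access vlan 20
"""

def expand_vlans(spec):
    """Expand the 'ip dhcp snooping vlan' syntax, e.g. '1,10-12' -> {1, 10, 11, 12}."""
    vlans = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    enabled, vlans, ifaces, cur = False, set(), {}, None
    for line in text.splitlines():
        if line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            vlans |= expand_vlans(line.split()[-1])
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"vlan": 1, "trust": False, "rate": None})
        elif cur is not None and line.startswith(" "):  # indented lines belong to the open interface block
            if m := re.match(r"\s+switchport access vlan (\d+)", line):
                cur["vlan"] = int(m.group(1))
            elif m := re.match(r"\s+ip dhcp snooping limit rate (\d+)", line):
                cur["rate"] = int(m.group(1))
            elif line.strip() == "ip dhcp snooping trust":
                cur["trust"] = True
    return enabled, vlans, ifaces

def audit(text, server_ports=()):
    """Report untrusted server ports, untrusted ports with no rate limit and uncovered VLANs; server_ports is operator-supplied (assumed)."""
    enabled, vlans, ifaces = parse_config(text)
    findings = [] if enabled else ["DHCP snooping is not enabled globally"]
    for name, cfg in sorted(ifaces.items()):
        if name in server_ports and not cfg["trust"]:
            findings.append(f"{name}: DHCP server port is untrusted, its offers will be dropped")
        if not (enabled and cfg["vlan"] in vlans):
            findings.append(f"{name}: VLAN {cfg['vlan']} is not covered by DHCP snooping")
        elif not cfg["trust"] and cfg["rate"] is None:
            findings.append(f"{name}: untrusted port without a rate limit (15 pps recommended)")
    return findings
```

Run `audit(SAMPLE_CONFIG, server_ports=("FastEthernet0/4",))` against the sample to see Fa0/2 flagged for the missing rate limit and Fa0/5 flagged because VLAN 20 is outside the snooped VLANs.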

Debugging DHCP snooping
To debug DHCP snooping events and packets, use the 'debug ip dhcp snooping event' and 'debug ip dhcp snooping packet' commands in Privilege Exec mode. To disable debugging, use the keyword 'no' before the same command.

Downloading the practice lab used in this tutorial
If you want to download the practice lab used in this tutorial, use the following links. Each link provides the practice lab at a different stage.
Practice lab without any configuration
This lab does not contain any configuration. Use this lab if you want to configure it from the start, as explained in this tutorial.
Practice lab with a working DHCP server
In this lab, the DHCP server, router, and DHCP clients are configured; the attacker's DHCP server is not connected to the network. Use this lab to practice adding and configuring an attacker's DHCP server.
Practice lab with both DHCP servers
In this lab, both the original and the attacker's DHCP servers are configured, but DHCP snooping on the switch is not. Use this lab if you only want to practice the DHCP snooping.
Configured practice lab
This lab contains all the configurations. Use this lab as a reference or to cross-check your configuration.
If you download and use a lab from the above links, wait a minute after loading it in Packet Tracer. Switches take about 45-50 seconds to initialize, so all DHCP requests made while the switch is still initializing fail. If you see a DHCP fail message, it means the PC tried to obtain a new IP configuration while the switch was initializing. To get a new IP configuration, change the IP configuration to static and back to DHCP. This forces the PC to obtain a new IP configuration.
Conclusion
DHCP snooping is an indispensable security feature for modern networks. By monitoring DHCP messages, differentiating trusted and untrusted interfaces, and maintaining an accurate binding table, DHCP snooping prevents rogue DHCP servers from assigning IP addresses and blocks unauthorized access. This not only protects against man-in-the-middle and denial-of-service attacks but also strengthens the reliability, integrity, and overall security of your network infrastructure. As network threats continue to grow in sophistication, deploying DHCP snooping is essential for proactive and resilient network defense.
By ComputerNetworkingNotes Updated on 2026-02-22