What Exactly Is DHCP Snooping and How Does It Work?

2021-07-29 11:42:56 SPOTO Club CCNP 130

"It is because my laptop has dynamically acquired the IP address that I can not access this network?" In your daily life, have you faced this problem? Did you suspect that the IP address was genuine? Whether the DHCP server is licensed? Otherwise, how can this be prevented? The phrase DHCP Snooping is used to help consumers avoid unlawful IP addresses in this post. In this article

What is snooping with DHCP?

DHCP Snooping is a layer 2 security solution integrated into a powerful network switch operating system that decreases DHCP traffic. DHCP Snooping prohibits unauthorized DHCP (rogue) servers that provide DHCP clients with IP addresses. The functionality DHCP Snooping performs the following:

Validates untrusted DHCP messages and filters out invalid messages.

Creates and maintains a bound DHCP Snooping database containing information about untrusted hosts with rented IP addresses.

Use the binding database of DHCP Snooping to validate subsequent requests from unreliable hosts.

Why is DHCP Snooping required?

To avoid a middle assault from a guy on our network, we require DHCP Snooping. An assailant might pretend (spoof) that it is the DHCP server and answer DHCPDISCOVER's messages before the actual server having time to respond. DHCP Snooping enables network switches to trust the port with which a DHCP server (this can be trunk) is connected, and other ports can not be confided. It also maintains a list of DHCP address bindings by inspecting communication between clients and the DHCP server to ensure authentic hosts. Other security technologies such as IPSG and DAI utilize the binding information gathered by DHCP Snooping.

To understand more about the security knowledge of the CCNP to improve your skills. You can obtain CCNP security certification with our 100% authentic CCNP security dumps and practical tests!

How does DHCP snoop?

To find out how DHCP Snooping functions, we need to find the DHCP working mechanism, which stands for the protocol for the dynamic host setup. With DHCP enabled, four steps "interact" with a network device without an IP address with a DHCP server.

learning pyramid

DHCP Snooping usually classifies interfaces in two groups on the switch, which are trustworthy and untrustworthy ports. A trustworthy port is a port or source that has confidence in DHCP server communications. A port that does not trust is a port that does not charge DHCP server communications. The DHCP Snooping message can only be transmitted via the trusted port when the DHCP Snooping is started. It's going to be dropped otherwise.

learning pyramid

A DHCP binding table is set up according to the DHCP ACK message during the recognition stage. It describes the host MAC address, leased IP address, lease time, binding type, and host-related VLAN number and interface data as illustrated in Figure 3. If it does not match the information acquired from the succeeding DHCP package received from unreliable hosts, it is dropped. Lease of MAC IP Address (sec) Type VLAN Interface

Entry 1 (e2-42) (2673 dhcp) probing 10 Eth (1/22) Entry 1 (2)

Ticket 2

Admission 3


DHCP Snooping Prevented Common Attacks

Attack of DHCP Spoofing

DHCP spoofing happens when an attacker tries to answer DHCP requests and lists himself (spoof) as the standard gateway or DNS server. This allows them to intercept user communications before transferring to the genuine gateway or do DoS via flooding the actual DHCP server with IP address resources shocking requests.

Attack of DHCP Hunger

The DHCP hunger attack is usually directed to DHCP network servers to flood an authorized DHCP server utilizing faked MAC addresses with DHCP REQUEST. In the absence of knowing it is a hunger attack, the DHCP server will reply to all requests with IP addresses, which results in a DHCP pool depletion.

How to activate spying with DHCP?

Only for wired users is DHCP Snooping applicable. A switch having access ports in DHCP-serviced VLAN is often enabled as a security feature for the access layer. You need to set up the reliable port(s) when deploying DHCPSnooping before you enable DHCPSnooping on the VLAN you want to protect. When using the DHCP Snooping system you want. This can be done on both the CLI and the Web GUI interfaces. The CLI commands are presented in the FS S3900 Series Switches DHCP Snooping Configuration.


Although DHCP simplifies IP addresses, it also poses security issues. DHCP snooping can prevent the faulty DHCP addresses of the rogue server and stop the resource-exhausting attack by using all existing DHCP addresses to address these problems. Managed switches from the FS S3900 Series may fully play this function to protect your network. To protect your network. Now that you understand the DHCP snooping overview, you may visit SPOTO for further information if you want to know more about CCNP security. To help you pass the CCNP security examination quickly and easily, SPOTO also gives 100% actual CCNP security dumps and practical tests. Begin today to become the future specialists in cybersecurity!