What is IP DHCP snooping?
Think of it as a security guard for your network’s IP address assignment process. In a normal setup, a client asks for an IP and a server gives it one, but without snooping your switch is “blind”: it doesn’t know whether that DHCP response came from your actual server or from a rogue router some employee plugged in under their desk. When you enable DHCP snooping on a Cisco switch, you’re essentially telling the hardware to distinguish between “trusted” ports (where your real server, or the uplink towards it, lives) and “untrusted” ports (everywhere else). The switch then intercepts all DHCP traffic; if it sees a DHCP server message such as an “offer” coming from an untrusted port, it drops it on the spot, which stops a rogue server from inserting itself as a “man-in-the-middle”. Beyond just blocking bad actors, it also maintains a binding database that keeps track of which MAC address holds which IP, on which VLAN and port, acting as a foundation for other heavy-duty security features like Dynamic ARP Inspection (DAI).

CORE SW CONFIG
CORESW#sh run
Building configuration…
Current configuration : 2084 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CORESW
!
no profinet
!
!
ip cef
ip routing
!
no ipv6 cef
!
!
ip dhcp snooping vlan 10,20,30,40
ip dhcp snooping
!
!
!
spanning-tree mode pvst
!
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust
switchport mode trunk
!
interface GigabitEthernet1/0/2
ip dhcp snooping trust
switchport mode trunk
!
interface GigabitEthernet1/0/3
ip dhcp snooping trust
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 000d.bd48.a601
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.40.100
!
interface Vlan20
mac-address 000d.bd48.a602
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.40.100
!
interface Vlan30
mac-address 000d.bd48.a603
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.40.100
!
interface Vlan40
mac-address 000d.bd48.a604
ip address 192.168.40.1 255.255.255.0
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
ACCESS SWITCH 1
ACCESS1#sh run
Building configuration…
Current configuration : 2257 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ACCESS1
!
!
no profinet
!
ip cef
no ipv6 cef
!
!
ip dhcp snooping
!
!
!
spanning-tree mode pvst
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust
switchport mode trunk
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/3
ip dhcp snooping limit rate 10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/4
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/5
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/6
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/7
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/8
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/9
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/10
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/11
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/12
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/13
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/14
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/15
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/16
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/17
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/18
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/19
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/20
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/21
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/22
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/23
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/24
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
end
ACCESS SWITCH 2
ACCESS2#sh run
Building configuration…
Current configuration : 2308 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ACCESS2
!
!
no profinet
!
ip cef
no ipv6 cef
!
!
ip dhcp snooping
!
spanning-tree mode pvst
!
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust
switchport mode trunk
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/3
ip dhcp snooping limit rate 10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/4
ip dhcp snooping limit rate 10
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/5
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/6
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/7
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/8
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/9
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/10
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/11
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/12
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/13
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/14
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/15
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/16
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/17
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/18
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/19
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/20
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/21
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/22
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/23
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/24
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
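As an added example that is not part of the original post: the DHCP snooping portion of an access-switch configuration with the VLAN activation that the ACCESS1 and ACCESS2 running configs above omit (on Cisco IOS the global ip dhcp snooping command enforces nothing until VLANs are listed), plus the show commands used to verify it. VLAN numbers and port roles are taken from the configs above; everything else is assumed.

```cisco
! Added example, not from the original post. Assumes the same VLANs
! (10, 20, 30) and port roles as ACCESS1/ACCESS2 above.
!
! As posted, ACCESS1 and ACCESS2 carry only the global "ip dhcp snooping"
! line. On Cisco IOS that alone activates snooping on no VLAN; the feature
! is enforced only on the VLANs named in "ip dhcp snooping vlan ...".
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
!
! Uplink to CORESW: the only port on which DHCP server replies may arrive.
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default): server messages (OFFER, ACK,
! NAK) arriving here are dropped. The rate limit caps client DHCP packets
! at 10 per second; exceeding it puts the port into err-disable.
! Repeat for each client port with its own access VLAN.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Optional: recover err-disabled ports automatically after a DHCP flood
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! If clients stop receiving leases once snooping is on, a common cause is
! the option 82 data the switch inserts by default (with giaddr 0) being
! discarded upstream; this line stops the insertion on the access switch.
! no ip dhcp snooping information option
!
! Verification: which VLANs are enforced, which ports are trusted and
! their rate limits ...
! show ip dhcp snooping
! ... and the MAC / IP / lease / VLAN / interface bindings learned from
! DHCP ACKs on trusted ports (the table DAI and IP Source Guard consult).
! show ip dhcp snooping binding
```

The same VLAN line is already present on CORESW (ip dhcp snooping vlan 10,20,30,40), which is why snooping is active there and not on the two access switches as posted.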
You can find and download the Cisco Packet Tracer simulation file below.
Happy networking



