Snoopy

DHCP Snooping

CCNP Security Dec 7, 2025

Stops rogue DHCP servers on the network from answering clients.

Blocks DHCP server-to-client messages on untrusted ports: DHCP Offer and DHCP ACK.

All ports are untrusted by default.

  1. Identify trusted ports: ports connected to DHCP servers and trunk ports towards a DHCP server
  2. Enable on switch
  3. Enable on VLAN

ip dhcp snooping
ip dhcp snooping database flash:/snoop.db
ip dhcp snooping vlan 123

int gi1/0/1
  ip dhcp snooping trust

Optional configuration on client ports

int range gi1/0/2-24
  ip dhcp snooping limit rate 10

If using an IOS device as the DHCP server

ip dhcp relay information trust

Verification commands

show ip dhcp snooping
show ip dhcp snooping binding
