DHCP Snooping

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network. 

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. 

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch. 

You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain. 

We need DHCP Snooping to prevent a man-in-the middle attack on our network. The potential exists for an attacker to pretend (spoof) to be the DHCP server and respond to DHCPDISCOVER messages before the real server has time to respond. DHCP Snooping allows switches on the network to trust the port a DHCP server is connected to (this could be a trunk) and not trust the other ports. 

It also maintains a list of DHCP address bindings by inspecting traffic flowing between clients and the DHCP server, which provides certainty around who the real hosts are. The binding information collected by DHCP Snooping is used by other security features like IPSG and DAI.

Fig 1.1
Our client connects to an untrusted port; all ports are untrusted by default. When the client machine sends a DHCPDISCOVER message with DHCP Snooping enabled, the switch will only send the DHCP broadcast message to trusted ports. In this case our distribution switch is acting as the DHCP server, but a DHCP server running external to the switch could also be used. A trusted port is the only port which is allowed to send DHCP Server responses such as DHCPOFFER.

Configuring DHCP Snooping on the Switch
When you configure DHCP snooping on your switch, you are enabling the switch to differentiate untrusted interfaces from trusted interfaces. You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN. You can enable DHCP snooping independently from other DHCP features. 
Once you have enabled DHCP snooping, all the DHCP relay information option configuration commands are disabled; this includes the following commands: 

ip dhcp relay information check 
ip dhcp relay information policy 
ip dhcp relay information trusted 
ip dhcp relay information trust-all