DHCP Snooping


1. Introduction to DHCP Snooping

DHCP Snooping is a switch security feature, originally created by Cisco, that protects your network from rogue DHCP servers and IP address exhaustion.

In a typical network, DHCP simplifies configuration by automatically assigning IP settings to clients. But this convenience comes with a risk: malicious devices can impersonate DHCP servers and hijack traffic or deny access to other users.

This lesson shows you how attackers exploit DHCP, and how DHCP Snooping defends your network by filtering messages, verifying sources, and maintaining trusted zones.

Let’s start by understanding the two main types of DHCP attacks.

[Figure: a DHCP server with a router, a switch, and a client requesting an IP address]

You likely already know that DHCP (Dynamic Host Configuration Protocol) plays a key role in your network.

It automatically assigns devices essential configuration like:

  • IP addresses
  • Subnet masks
  • Default gateways
  • DNS servers

But let’s imagine a scenario. What if a malicious device pretends to be your network’s DHCP server?

[Figure: a rogue DHCP server impersonating the legitimate DHCP server in a network]

Two major threats can occur in this situation:

  • Man-in-the-Middle (MITM) attacks, which intercept your sensitive data
  • DHCP starvation, which denies legitimate devices access to the network

Sounds alarming, right? Don’t worry! Before we explain how DHCP Snooping solves these issues, we’ll first break down the two attacks: the Man-in-the-Middle attack and DHCP Starvation.

This will give you the context you need to see how DHCP Snooping protects your network.

Let’s dive into the details together!

2. Understanding DHCP Attacks

Man-in-the-Middle Attack

Step 1 – DHCP Discover

When a device connects to the network, it starts by sending a DHCP DISCOVER message.

[Figure: a DHCP Discover message sent by a client in a network with a rogue DHCP server]

It’s like asking: “Is there a DHCP server out there that can give me an IP address?”

At this point everything is normal: the device simply broadcasts its request to the entire local network.

Step 2 – Rogue Server Joins In

The DISCOVER message reaches both the legitimate DHCP server and a rogue device pretending to be one.

[Figure: the DHCP Discover broadcast reaching both the legitimate and the rogue DHCP server]

That rogue server quickly responds with a fake DHCP OFFER.

Step 3 – First Come, First Served

Both servers reply with a DHCP OFFER.

[Figure: both the legitimate and the rogue DHCP server sending DHCP OFFER messages to the client]

The client will usually accept whichever offer arrives first, and that’s often the rogue one.

Step 4 – Malicious Offer Accepted

The client receives the rogue DHCP OFFER first and accepts it.

[Figure: the client accepting the DHCP OFFER from the rogue server before the legitimate server]

Step 5 – DHCP Request Sent

The device confirms its choice by sending a DHCP REQUEST to the rogue server.

It unknowingly agrees to use malicious network settings.

[Figure: the client sending a DHCP REQUEST to the rogue server, confirming use of its malicious configuration]

Unfortunately, the device has no way of knowing that it just accepted settings from a malicious server.

At this point, the rogue server has successfully tricked your device with a malicious IP configuration.

Step 6 – Configuration Completed

The rogue server replies with a DHCP ACK, assigning:

  • An IP address
  • A subnet mask
  • A default gateway pointing to the attacker’s device
  • A DNS server (possibly malicious too)

[Figure: the rogue DHCP server sending a DHCP ACK with incorrect IP settings to the client]

Step 7 – Traffic Routed Through the Attacker

From now on, all your device’s traffic is routed through the attacker.

[Figure: a Man-in-the-Middle attack where traffic is routed through the rogue DHCP server after it assigned malicious gateway settings]

Every packet sent by your device now passes through the rogue server before reaching its destination.

From here, the attacker can:

  • Intercept your data: They can capture sensitive information like passwords.
  • Manipulate your traffic: For example, redirecting you to fake websites that look legitimate.

This classic Man-in-the-Middle attack demonstrates how DHCP can be abused to compromise a network.

DHCP Starvation Attack

Unlike a Man-in-the-Middle attack, the goal here isn’t to intercept traffic; it’s to exhaust all available IP addresses so that legitimate users can’t connect to the network.

Flooding the Server

The attacker begins by sending hundreds or thousands of DHCP DISCOVER messages in a very short time.

[Figure: a DHCP starvation attack where an attacker floods the DHCP server with spoofed DHCP DISCOVER messages using different MAC addresses]

Let’s break this down:

  1. The attacker’s device uses a single physical MAC address (call it MAC1).
  2. In each DHCP DISCOVER message, it spoofs a different client MAC address in the chaddr field of the DHCP header.
  3. The DHCP server believes each message is from a unique client and assigns an IP address for each one.
  4. Eventually, the server’s IP address pool is completely depleted.

The Result of the Attack

Once the DHCP pool is exhausted, any new legitimate device trying to join the network will be denied access.

[Figure: the DHCP server unable to assign IP addresses after a DHCP starvation attack by a rogue device using fake clients]

What happens now?

  • Legitimate clients send DHCP DISCOVER messages but receive no response.
  • They fail to obtain IP addresses and can’t join the network.
  • Users experience connectivity loss, even though the network infrastructure is up.

Now that you’ve seen how DHCP can be abused, let’s move on to how DHCP Snooping prevents these attacks and protects your network.

3. DHCP Snooping Operation

DHCP Snooping acts like a firewall for DHCP traffic: it watches what comes in, checks whether it’s trusted, and blocks anything suspicious.

Let’s break down how this protection works.

Trusted vs Untrusted Areas

To apply security rules effectively, the switch must separate the network into two areas:

[Figure: the network divided into trusted and untrusted areas to filter DHCP traffic]

🟩 Trusted Area
This includes interfaces that connect to known, secure devices like your DHCP server or router.

🟥 Untrusted Area
This covers ports used by end-user devices, where rogue DHCP servers could appear.

DHCP Message Filtering on Ports

Once ports are classified, the switch applies strict rules:

[Figure: trusted and untrusted ports on a switch with DHCP message filtering rules]

On Trusted Ports

All DHCP messages are allowed: DISCOVER, OFFER, REQUEST, ACK, etc.
These come from your legitimate DHCP server.

[Figure: a trusted port allowing all DHCP messages from a legitimate DHCP server]

🚫 On Untrusted Ports

Only client messages (like DISCOVER or REQUEST) are allowed.
Server-type messages (OFFER, ACK, NAK) are blocked.

[Figure: a DHCP server message blocked on an untrusted port to prevent rogue server communication]

This blocks rogue DHCP servers from assigning fake IP settings.

DHCP Snooping Checks for Starvation Attacks

Now, what about DHCP Starvation?

DHCP Snooping inspects all DHCP DISCOVER messages arriving on untrusted ports.

Here’s the trick:
It compares the MAC address in the Ethernet frame with the CHADDR field in the DHCP header.

If they don’t match, that’s a sign of spoofing and the switch drops the packet.

[Figure: DHCP Snooping preventing DHCP starvation by inspecting mismatched MAC and CHADDR addresses in DHCP DISCOVER messages]

This simple validation stops attackers from flooding the IP pool with fake clients.

DHCP Snooping Binding Table

As DHCP traffic is validated, the switch builds a binding table: a dynamic database of all legitimate DHCP clients.

Each entry contains:

  • MAC address
  • IP address
  • Port and VLAN
  • Lease time

[Figure: the DHCP Snooping Binding Table with MAC address, IP, lease, VLAN, and interface information]

This feature helps administrators verify active DHCP clients on the switch.
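The three mechanisms described above (trusted/untrusted port filtering, the frame-MAC vs CHADDR check, and the binding table) as an added Python model, not code from this lesson or from Cisco IOS; the port names, VLAN, MAC and IP values are constructed:

```python
import struct
from dataclasses import dataclass, field

SERVER_TYPES = {2, 5, 6}  # OFFER, ACK, NAK: legitimate only from trusted ports

def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=0):
    """Constructed minimal DHCP payload: BOOTP header, magic cookie, options 53 and 51."""
    op = 2 if msg_type in SERVER_TYPES else 1  # 1 = BOOTREQUEST, 2 = BOOTREPLY
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0, b"\0" * 4,
                      bytes(map(int, yiaddr.split("."))), b"\0" * 4, b"\0" * 4)
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0") + b"\0" * 192
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type])
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + opts + b"\xff"

def parse_dhcp(payload):
    """Return (op, yiaddr, chaddr, options) from a raw DHCP payload."""
    op, _, hlen = struct.unpack("!BBB", payload[:3])
    yiaddr = ".".join(map(str, payload[16:20]))
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        code, ln = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, yiaddr, chaddr, opts

@dataclass
class Snooper:
    trust: dict                                   # port -> True if trusted (server/uplink side)
    pending: dict = field(default_factory=dict)   # chaddr -> (port, vlan) awaiting a server ACK
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, port, vlan, lease seconds)

    def inspect(self, port, vlan, src_mac, payload):
        """Return 'forward' or a drop reason; a trusted ACK completes a pending client binding."""
        op, yiaddr, chaddr, opts = parse_dhcp(payload)
        mtype = opts[53][0]
        if self.trust.get(port, False):
            if mtype == 5 and chaddr in self.pending:
                cport, cvlan = self.pending.pop(chaddr)
                lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
                self.bindings[chaddr] = (yiaddr, cport, cvlan, lease)
            return "forward"
        if op == 2 or mtype in SERVER_TYPES:  # a server talking on an access port is rogue
            return "drop: server message on untrusted port"
        if src_mac.lower() != chaddr:  # frame source MAC vs CHADDR (starvation check)
            return "drop: chaddr mismatch"
        self.pending[chaddr] = (port, vlan)
        return "forward"
```

The CHADDR comparison only catches frames whose two addresses disagree, which is why Cisco pairs it with per-port DHCP rate limiting.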

4. Conclusion

Let’s quickly recap:

DHCP vulnerabilities can lead to Man-in-the-Middle attacks and DHCP Starvation, both of which can severely impact your network’s integrity and availability.

DHCP Snooping mitigates these threats by:

  • Dividing the network into trusted and untrusted zones
  • Filtering unauthorized DHCP messages
  • Verifying DHCP message integrity
  • Dynamically tracking legitimate clients in a binding table

This protection is powerful, but only if it’s properly configured.

You now understand how DHCP Snooping protects your network. Next, let’s see how to configure it step by step on a Cisco switch.