DHCP snooping is a set of techniques applied to improve the security of a DHCP infrastructure. It is a layer 2 security feature built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. DHCP servers allocate IP addresses to clients on a LAN, and DHCP snooping can be configured on LAN switches to exclude rogue DHCP servers and remove malicious or malformed DHCP traffic. DHCP snooping can prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients, and it protects against man-in-the-middle attacks.
DHCP snooping works by dividing the interfaces of a switch into two groups: trusted and untrusted ports. Trusted ports are the ports through which legitimate DHCP server messages will flow, while untrusted ports are expected to carry only DHCPDISCOVER and DHCPREQUEST messages from the DHCP clients connected to them. If an untrusted port receives a DHCPOFFER or DHCPACK message, the switch discards it. DHCP snooping also keeps a record of leased addresses, which it uses to prevent DHCP starvation attacks.
To enable DHCP snooping, you need to set up the trusted ports and configure the switch to listen in on DHCP traffic and drop any malicious DHCP packets. DHCP snooping applies only to wired users and is typically enabled on any switch containing access ports in a VLAN serviced by DHCP. DHCP snooping can be used to track the physical location of IP addresses when combined with AAA accounting or SNMP, to ensure that hosts only use the IP addresses assigned to them when combined with IP Source Guard, and to sanitize ARP requests when combined with Dynamic ARP Inspection.
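The following Python model is an added example, not code from the original article or from any switch vendor. It ties together the mechanisms described above: trusted versus untrusted ports, dropping of server messages on untrusted ports, the record of leased addresses (the binding table) built from DHCPACKs, a per-port rate limit against starvation, and the IP Source Guard and Dynamic ARP Inspection checks that consult that table. The port names, MAC addresses, VLAN number, addresses and rate limit are constructed values; the class and method names are this example's own and do not correspond to any real switch operating system.

```python
"""Model of the decisions a DHCP-snooping switch makes.

Constructed example, not the software of any real switch: it shows
trusted/untrusted port filtering, the binding table that DHCPACKs populate,
per-port rate limiting against starvation, and the IP Source Guard and
Dynamic ARP Inspection checks that consume that table. Port names, MACs,
VLAN numbers and addresses are made up for the demo.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class DhcpFrame:
    msg_type: str      # DHCP option 53 message type
    chaddr: str        # client hardware address carried in the DHCP header
    src_mac: str       # Ethernet source address of the frame
    vlan: int = 10
    yiaddr: str = ""   # address the server hands out (DHCPOFFER/DHCPACK)


@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports facing legitimate servers or uplinks
    rate_limit: int = 10                          # client DHCP messages allowed per untrusted port
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)   # (vlan, chaddr) -> client port awaiting a DHCPACK
    counters: dict = field(default_factory=dict)  # port -> client DHCP messages seen
    log: list = field(default_factory=list)

    def dhcp_ingress(self, port: str, f: DhcpFrame) -> bool:
        """Return True if the frame is forwarded, False if snooping drops it."""
        key = (f.vlan, f.chaddr)
        if port in self.trusted:
            # Server replies are accepted only here. A DHCPACK creates a binding
            # for the client port recorded when its DISCOVER/REQUEST passed.
            if f.msg_type == "DHCPACK" and f.yiaddr and key in self.pending:
                self.bindings[key] = (f.yiaddr, self.pending.pop(key))
            return True
        if f.msg_type in SERVER_MESSAGES:
            self.log.append(f"DROP {port}: {f.msg_type} on untrusted port (rogue server)")
            return False
        if f.msg_type not in CLIENT_MESSAGES:
            self.log.append(f"DROP {port}: unexpected message type {f.msg_type}")
            return False
        if f.chaddr != f.src_mac:
            # MAC verification: a client must not claim another host's chaddr.
            self.log.append(f"DROP {port}: chaddr {f.chaddr} differs from source MAC {f.src_mac}")
            return False
        self.counters[port] = self.counters.get(port, 0) + 1
        if self.counters[port] > self.rate_limit:
            # A real switch would typically err-disable the port; the model just drops.
            self.log.append(f"DROP {port}: DHCP rate limit exceeded (possible starvation)")
            return False
        if f.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
            # Only the port holding the binding may tear it down.
            bound = self.bindings.get(key)
            if bound is None or bound[1] != port:
                self.log.append(f"DROP {port}: {f.msg_type} for a lease not bound to this port")
                return False
            del self.bindings[key]
            return True
        self.pending[key] = port
        return True

    def _matches_binding(self, port, vlan, mac, ip) -> bool:
        # Trusted ports are exempt; untrusted ports must match their own binding.
        return port in self.trusted or self.bindings.get((vlan, mac)) == (ip, port)

    def ip_source_guard(self, port, vlan, src_mac, src_ip) -> bool:
        """IP Source Guard: IP packets on an untrusted port must use the bound source MAC/IP."""
        return self._matches_binding(port, vlan, src_mac, src_ip)

    def arp_inspection(self, port, vlan, sender_mac, sender_ip) -> bool:
        """Dynamic ARP Inspection: the ARP sender MAC/IP pair must match a binding on that port."""
        return self._matches_binding(port, vlan, sender_mac, sender_ip)


def demo() -> SnoopingSwitch:
    """Walk one client through a lease, then show what the switch drops."""
    sw = SnoopingSwitch(trusted={"Gi1/0/24"}, rate_limit=3)
    client = "aa:aa:aa:aa:aa:01"
    sw.dhcp_ingress("Gi1/0/1", DhcpFrame("DHCPDISCOVER", client, client))
    # Offer arriving on an access port: dropped as a rogue server.
    sw.dhcp_ingress("Gi1/0/2", DhcpFrame("DHCPOFFER", client, "bb:bb:bb:bb:bb:01", yiaddr="10.0.10.99"))
    sw.dhcp_ingress("Gi1/0/24", DhcpFrame("DHCPOFFER", client, "cc:cc:cc:cc:cc:01", yiaddr="10.0.10.50"))
    sw.dhcp_ingress("Gi1/0/1", DhcpFrame("DHCPREQUEST", client, client))
    sw.dhcp_ingress("Gi1/0/24", DhcpFrame("DHCPACK", client, "cc:cc:cc:cc:cc:01", yiaddr="10.0.10.50"))
    # Burst of DISCOVERs with fresh MACs on one port: rate limit stops the excess.
    for i in range(5):
        mac = f"de:ad:be:ef:00:{i:02x}"
        sw.dhcp_ingress("Gi1/0/3", DhcpFrame("DHCPDISCOVER", mac, mac))
    return sw


if __name__ == "__main__":
    s = demo()
    print("bindings:", s.bindings)
    print("\n".join(s.log))
```

Running the module prints the single binding the legitimate exchange produced and the drop log: one rogue offer on an untrusted port and two DISCOVERs beyond the port's rate limit. The binding table is what makes the later checks possible: IP Source Guard and Dynamic ARP Inspection both answer "does this MAC/IP pair belong on this port in this VLAN?" by looking up the entry that the DHCPACK created, which is why a host that never completed a DHCP exchange through the switch cannot pass either check.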