What You Need to Know About DHCP Snooping

If you’ve ever spent any amount of time on the internet, you know that you have to be cautious. Clicking on that email tempting you with a free gift card, going to a website that seems a little bit shady, or just opening a social media link from a friend may seem innocent, until suddenly, something badhappens. Your social media profile is hacked, you’ve installed malware on your computer that makes it not function properly, or you’re dealing with annoying pop-ups. The point? There are malicious people out there waiting to take advantage of others. You probably know about antivirus software, but if you’re on a network, you need an extra layer of protection. This is where DHCP snooping comes into play.

What is DHCP?

Before we discuss DHCP snooping, it’s important that you have a complete understanding of DHCP. DHCP stands for Dynamic Host Configuration Protocol. DHCP is used for networks, both residential and business. DHCP uses a server that is set up with the proper configurations, typically input by an IT professional. The server then assigns, releases and renews IP addresses for computers equipped with DHCP client software. This means that network administrators don’t have to manually assign IP addresses, and devices equipped with the software can leave and re-join the network as needed, gaining an IP assigned from a pool that is set up during configuration.

When is this beneficial? If multiple devices are connected throughout the day, administrators want to ensure that there are enough assignable IP addresses to go around. This can be done in your own home if you have multiple devices that connect to your network, such as your laptop, smartphone, tablet and other devices, or especially in a business setting. This may be for multiple employees working on computers and other devices, or even in settings such as coffee shops or restaurants that offer free Wi-Fi. Without a DHCP set up, there would likely be delays in connections due to a lack of available IP addresses.

What Are the Potential Risks of DHCP?

Like any other connection to the internet, your device is put at risk if you don’t have the proper precautions in place, and DHCP is no exception. Unauthorized servers known as rogue servers can potentially connect to the network, leaving the network vulnerable to man in the middle and DDoS attacks. Your server and devices can then be compromised, data and your devices are put at risk, and you could have a very big problem on your hands if these rogue servers pass through.

Mitigating Risk With DHCP Snooping

Fortunately, there are protections that can be enabled that can prevent these attacks from happening to a home or business network. DHCP snooping is one of the most important protections that should be used with DHCP servers. In a nutshell, DHCP snooping tracks activity and drops traffic that is deemed malicious.

What Exactly Is DHCP Snooping?

You’ve read the condensed version of what DHCP snooping is, so now, it’s time to get more in-depth. DHCP snooping is classified as a layer 2 security technology for DHCP. It is designed to drop messages and traffic that does not fit certain criteria.

DHCP messages that come through an untrusted server will be dropped. An administrator will designate trusted switchports that messages can flow through. If a message attempts to come through a switchport not on this approved list, it will be dropped. If the source MAC and hardware MAC do not match, this will be another case where DHCP will drop any messages.

Finally, if a message releases a lease or declines offers from a different switchport than the original, DHCP snooping will swoop in and drop the messages. It is important to note, however, that certain IT settings may lead to dropped messages and a logged violation. In these cases, the log will need to be investigated and the appropriate IT professional or system administrator will need to make changes to the configuration to avoid such issues. However, once these are resolved, DHCP snooping will continue to monitor against rogue servers that could potentially attack.

DHCP and Tracking

DHCP snooping actually monitors and tracks activity and violations. This is a good thing for two reasons. First of all, you can be aware of any potential attacks to your system. Secondly, you can also determine if there are any errors in the configuration and can use this log if one of your client servers is having difficulties getting (and staying) connected.

After a message is dropped, the log will show a violation marked with “DHCP_SNOOPING.” There are two different messages that you should be aware of when reviewing this information.

The message %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL does not necessarily indicate that a rogue server was trying to access the network. This should be investigated to find out whether it’s a problem with IP forwarding or client implementation, or if it is a sign of something more malicious.

The message %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT is one that should be taken very seriously, as this could indicate spoofing or attempted access from a rogue server.


With any network, knowing about DHCP snooping is essential to protecting your server. The configurations for DHCP snooping can get quite complicated, and should be handled by an IT professional or experienced network administrator to ensure that all approved devices can get connected, trusted sources can get through, and untrusted and rogue sources are prevented from gaining access.


Related Articles