What is DHCP Snooping?
Have you ever thought that a simple off-the-shelf home network router could take down your network? A home router runs a Dynamic Host Configuration Protocol (DHCP) server; plug it into a business network and end devices can receive the wrong IP address configuration. One would like to think this is uncommon, but many end users inadvertently take down their own network segment looking to add wireless or a few more ports at their desk. Remember, most DHCP clients accept the first DHCPOFFER they receive, so the rogue server only has to answer first.
DHCP snooping is a Layer 2 switch feature that protects IP address assignment on the network. It relies on two ideas: a notion of trust per switch port, and the switch's ability to inspect the DHCP frames entering its ports. DHCP snooping uses
- trusted ports: the ports behind which the legitimate DHCP servers (or relays to them) sit; every other port is untrusted
- a binding database that records, for each lease handed out by a trusted server, the client MAC address, the assigned IP address (the YIADDR field of the DHCPACK), the lease time, the VLAN, and the switch port the client was learned on

| MAC Address | Port | YIADDR (assigned IP) | Lease | VLAN |
|---|---|---|---|---|
| 0000.aafd.0005 | 1/0/2 | 10.1.1.16 | 14 days | 1 |
| 0000.abcd.0036 | 1/0/3 | 10.1.1.17 | 7 days | 1 |
| 0000.bacd.0003 | 1/0/14 | 10.1.1.21 | 9 days | 1 |
| 0000.befd.0004 | 1/0/7 | 10.1.1.19 | 13 days | 1 |
When an untrusted port receives a DHCP client message such as a DHCPDISCOVER, the switch compares the Ethernet frame's source MAC address with the DHCP client hardware address field (CHADDR) in the payload. If the two match, the frame is forwarded; otherwise it is dropped. This MAC address verification is applied only on untrusted ports: a relay agent on a trusted port legitimately forwards requests whose CHADDR belongs to some other host.

The switch is configured with trusted ports that lead to the DHCP servers. The broadcast DHCPDISCOVER is still flooded to all ports in the VLAN, including trunk ports, so any device on any port can try to answer it. Server messages (DHCPOFFER, DHCPACK, DHCPNAK) are only accepted on trusted ports; the same messages arriving on an untrusted port are dropped, which is what stops the home router. When a DHCPACK from a trusted port assigns an address (YIADDR) to the client named in CHADDR, the switch records the binding of that MAC address, IP address, lease, VLAN and the client's port in the database.
The dropped frames can be reported as security events via syslog messages and SNMP traps, and they are worth alerting on: a burst of dropped DHCP replies on an access port usually means someone has just plugged in a rogue DHCP server.
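The rules above, worked through in code. This is an added example written for this page, not code from the original article or from any switch vendor. It models a switch with one trusted uplink (Gi1/0/24, an assumed port name), constructs a handful of DHCP messages as raw RFC 2131 payloads with MAC and IP addresses chosen to match the sample table, and applies the three checks: drop server replies arriving on untrusted ports, drop client requests whose frame source MAC does not match CHADDR, and learn a binding from a DHCPACK seen on a trusted port.

```python
"""Toy model of the DHCP snooping rules described above.  Added example, not code
from the original article: it builds DHCP messages as raw RFC 2131 payloads, runs
them through a simulated access switch and returns the binding table and drop log.
Port names, MAC and IP addresses and the trusted uplink are made up."""
import struct
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2               # op field: client vs server message
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
Binding = namedtuple("Binding", "mac port ip lease_s vlan")  # one row of the table

def build_dhcp(op, chaddr, yiaddr, msg_type, lease=None):
    """Minimal BOOTP/DHCP payload: 236-byte fixed header, magic cookie, options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                   # op, htype=Ethernet, hlen=6, hops
        0x1234, 0, 0x8000,             # xid, secs, flags=broadcast
        b"\0" * 4,                     # ciaddr
        IPv4Address(yiaddr).packed,    # yiaddr: the address being assigned
        b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
        chaddr.ljust(16, b"\0"),       # chaddr: client hardware address
        b"\0" * 64, b"\0" * 128)       # sname, file
    opts = bytes([53, 1, msg_type])    # option 53: DHCP message type
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    return fixed + MAGIC_COOKIE + opts + b"\xff"

def parse_dhcp(payload):
    """Pull out the fields snooping needs: op, chaddr, yiaddr and the options."""
    op, _, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = str(IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:   # 0xFF = end option
        if payload[i] == 0:                          # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, chaddr, yiaddr, opts

def fmt_mac(raw):
    """Render six raw bytes in the dotted form used in the binding table."""
    h = raw.hex()
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports that lead to real DHCP servers
    bindings: dict = field(default_factory=dict)  # client MAC -> Binding
    pending: dict = field(default_factory=dict)   # client MAC -> (port, vlan) of its last request
    log: list = field(default_factory=list)       # what syslog / an SNMP trap would carry

    def process(self, port, vlan, eth_src, payload):
        """Apply the snooping rules to one DHCP frame; return True if it is forwarded."""
        op, chaddr, yiaddr, opts = parse_dhcp(payload)
        msg_type = opts[53][0]
        if port not in self.trusted:
            if op == BOOTREPLY:          # a DHCP server answering from an untrusted port
                self.log.append(f"{port}: dropped rogue DHCP reply (type {msg_type}) offering {yiaddr}")
                return False
            if eth_src != chaddr:        # MAC address verification
                self.log.append(f"{port}: dropped request, src MAC {fmt_mac(eth_src)} != CHADDR {fmt_mac(chaddr)}")
                return False
            self.pending[fmt_mac(chaddr)] = (port, vlan)  # remember which port the client is on
            return True
        if op == BOOTREPLY and msg_type == ACK:  # a trusted server completes a lease
            mac = fmt_mac(chaddr)
            if mac in self.pending:
                cport, cvlan = self.pending.pop(mac)
                lease = struct.unpack("!I", opts[51])[0]
                self.bindings[mac] = Binding(mac, cport, yiaddr, lease, cvlan)
        return True

def demo():
    """Constructed exchange: a legitimate lease, a rogue home router, a spoofed request."""
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})
    client, server, rogue = (bytes.fromhex(h) for h in ("0000aafd0005", "0000cafe0001", "0000bad00001"))
    sw.process("Gi1/0/2", 1, client, build_dhcp(BOOTREQUEST, client, "0.0.0.0", DISCOVER))
    sw.process("Gi1/0/7", 1, rogue, build_dhcp(BOOTREPLY, client, "192.168.1.100", OFFER, 86400))
    sw.process("Gi1/0/24", 1, server, build_dhcp(BOOTREPLY, client, "10.1.1.16", OFFER, 1209600))
    sw.process("Gi1/0/2", 1, client, build_dhcp(BOOTREQUEST, client, "0.0.0.0", REQUEST))
    sw.process("Gi1/0/24", 1, server, build_dhcp(BOOTREPLY, client, "10.1.1.16", ACK, 1209600))
    spoofer = bytes.fromhex("0000abcd0036")          # lies about its CHADDR
    sw.process("Gi1/0/3", 1, spoofer, build_dhcp(BOOTREQUEST, bytes.fromhex("0000deadbeef"), "0.0.0.0", DISCOVER))
    return sw

if __name__ == "__main__":
    s = demo()
    for b in s.bindings.values():
        print(b)
    print("\n".join(s.log))
```

Running it yields one binding (0000.aafd.0005 on Gi1/0/2 with 10.1.1.16 for 14 days) and two drop records: the home router's offer on Gi1/0/7 and the spoofed discover on Gi1/0/3. On a Cisco IOS access switch the equivalent configuration is `ip dhcp snooping`, `ip dhcp snooping vlan 1`, and `ip dhcp snooping trust` on the uplink interface; `show ip dhcp snooping binding` prints a table like the one above. Forgetting to trust the uplink is the classic misconfiguration: the legitimate server's offers are then dropped too and nobody on the VLAN gets an address.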
DHCP snooping is not to be confused with DHCP relay. With DHCP snooping the switch is not a party to the DHCP conversation; it passively watches and filters. (On many switches, Cisco IOS by default, snooping also inserts the Option 82 relay agent information into client requests, so it is not entirely hands-off.) With DHCP relay the router or switch actively participates: it takes the client's broadcast request, fills in the GIADDR field with the address of the interface it arrived on, and unicasts the request to a DHCP server on another subnet.