How to Configure DHCP Snooping In Cisco Packet Tracer

For a host to obtain an IP address from a DHCP server, it sends a DHCP request to the DHCP server on the network, and the server replies by leasing an IP address from its pool of available addresses to the host. DHCP clients connected to a switch are expected to transmit only DHCPDISCOVER and DHCPREQUEST messages. However, attackers connecting to the switch may attempt to transmit DHCPOFFER and DHCPACK messages, which should only come from a legitimate DHCP server. If this is not mitigated, they can exploit this weakness to launch DHCP-based denial-of-service attacks on the network.

To protect the hosts within the organization’s network and to prevent unauthorized rogue DHCP servers from establishing connections, it is crucial to configure DHCP snooping on the Layer 2 switch where the unauthorized hosts are connected.

DHCP Snooping is a security technology implemented on a Layer 2 network switch, designed to prevent unauthorized DHCP servers from accessing your network. It serves as protection against untrusted hosts attempting to impersonate DHCP servers. While DHCP operates on Layer 3 of the OSI model, DHCP snooping operates on Layer 2 devices, filtering traffic originating from DHCP clients.

In Cisco switches, DHCP snooping is not enabled by default. To activate DHCP Snooping on a Cisco switch, trusted ports must be manually configured, while the remaining unconfigured ports are considered untrusted. Typically, devices such as routers, switches, and servers are connected to trusted ports, whereas DHCP clients like PCs and laptops are commonly connected to untrusted ports.

After configuring the trusted ports, the switch will permit DHCP server messages such as DHCPOFFER and DHCPACK that originate from trusted sources. Any such messages received from untrusted ports will prompt the switch to discard the DHCP traffic, thus enhancing network security and integrity.

In this post, I will show you how to configure DHCP Snooping in Cisco Packet Tracer using a sample network topology.

Network Topology

The network topology we will be making use of in this post is shown below. As you can see, it consists of a switch, two PCs, a rogue DHCP server, and a Cisco router, which will serve as the trusted DHCP server. In this demonstration, we will configure DHCP snooping by configuring only the switchport connecting to the router as a trusted port and then every other port to be untrusted.


Network topology for configuring DHCP snooping

How to Configure DHCP Snooping in Cisco Switch

Here are steps to configure DHCP snooping in a Cisco switch using the network topology shown above as a case study.

Step 1: Configure Interface of the DHCP server

As shown in our network topology, our DHCP server is the router. So, we will first configure the router’s interfaces by using the commands below:

R1(config)#interface ethernet0/0
R1(config-if)#ip address
R1(config-if)#no shutdown 

Step 2: Configure the DHCP Server

To configure the router as a DHCP server, we need to create a DHCP pool and then specify the network, the DNS server, the default gateway address, and the domain name.

R1(config)#ip dhcp pool LAN
R1(dhcp-config)#network /24
R1(dhcp-config)#domain-name cisco.lab

Step 3: Configure DHCP Snooping

Enter the following commands on the Cisco switch to configure DHCP snooping:

SW(config)#ip dhcp snooping
SW(config)#interface ethernet0/0
SW(config-if)#ip dhcp snooping trust

SW(config)#interface range ethernet0/1-3
SW(config-if-range)#ip dhcp snooping limit rate 10

Here is a brief explanation of the commands above:

  1. SW(config)#ip dhcp snooping: This command is used to enable DHCP snooping globally on a Cisco switch. When entered in the global configuration mode (config), it activates DHCP snooping functionality throughout the switch, allowing the switch to filter DHCP traffic and maintain a DHCP snooping database.
  2. SW(config-if)#ip dhcp snooping trust: This command is used within the interface configuration mode (config-if) to designate a specific interface as trusted for DHCP traffic (ethernet0/0 in this case). When applied to an interface, it tells the switch that DHCP server messages received on this interface can be trusted.
  3. SW(config-if-range)#ip dhcp snooping limit rate 10: This command sets a rate limit on DHCP messages for the specified range of interfaces. In this case, it limits the rate of DHCP messages to 10 messages per second. This can help prevent DHCP-based denial-of-service attacks by restricting the number of DHCP messages allowed within a certain time frame.
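
To make the filtering rule described above concrete, here is a small Python model of the decision a snooping switch takes for each DHCP packet. This is an added example, not code from the original post or from Cisco: it applies the trust and rate-limit settings from Step 3 (only Ethernet0/0 trusted, 10 pps on the others), drops server messages arriving on untrusted ports, and also implements the giaddr and chaddr checks that the show ip dhcp snooping output further down reports as "Verification of giaddr field" and "Verification of hwaddr field". The packet bytes, MAC addresses and lease address are constructed sample values; the SnoopingSwitch class and its method names are this example's own.

```python
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}          # only a DHCP server should send these
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00\x00\x00\x00"

def parse_dhcp(payload: bytes) -> dict:
    """Pull out the fields snooping inspects: op, yiaddr, giaddr, chaddr and option 53."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    fields = {"op": payload[0], "yiaddr": payload[16:20], "giaddr": payload[24:28],
              "chaddr": payload[28:28 + hlen], "type": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                         # pad option
            i += 1
            continue
        if code == 255:                       # end option
            break
        length = payload[i + 1]
        if code == 53 and length == 1:
            fields["type"] = payload[i + 2]
        i += 2 + length
    return fields

def build_dhcp(msg_type: int, chaddr: bytes, yiaddr: bytes = ZERO_IP,
               giaddr: bytes = ZERO_IP) -> bytes:
    """Build a minimal DHCP payload for the constructed sample traffic in demo()."""
    op = 2 if msg_type in SERVER_MESSAGES else 1
    header = struct.pack("!BBBB", op, 1, 6, 0)          # op, htype=Ethernet, hlen=6, hops
    header += b"\x00" * 12                               # xid, secs, flags, ciaddr
    header += yiaddr + ZERO_IP + giaddr                  # yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\x00")                  # chaddr (16 bytes)
    header += b"\x00" * 192                              # sname (64) + file (128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)        # ports with 'ip dhcp snooping trust'
    rate_limit: dict = field(default_factory=dict)   # port -> 'ip dhcp snooping limit rate' pps
    bindings: dict = field(default_factory=dict)     # chaddr -> (port, ip): snooping database
    _pending: dict = field(default_factory=dict)     # chaddr -> port of the client's last request
    _seen: dict = field(default_factory=dict)        # (port, whole second) -> packets counted

    def inspect(self, port: str, src_mac: bytes, payload: bytes, now: float) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP packet received on port."""
        pkt = parse_dhcp(payload)
        if port in self.trusted:
            # Trusted ports are neither filtered nor rate limited; server replies
            # seen here are what populate the binding database.
            if pkt["type"] == ACK and pkt["chaddr"] in self._pending:
                ip = ".".join(str(b) for b in pkt["yiaddr"])
                self.bindings[pkt["chaddr"]] = (self._pending.pop(pkt["chaddr"]), ip)
            return "forward"
        key = (port, int(now))
        self._seen[key] = self._seen.get(key, 0) + 1
        limit = self.rate_limit.get(port)
        if limit is not None and self._seen[key] > limit:
            return "drop: rate limit exceeded"        # IOS also err-disables the port
        if pkt["op"] == 2 or pkt["type"] in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if pkt["giaddr"] != ZERO_IP:                 # 'Verification of giaddr field'
            return "drop: non-zero giaddr on untrusted port"
        if pkt["chaddr"] != src_mac:                 # 'Verification of hwaddr field'
            return "drop: chaddr does not match source MAC"
        self._pending[pkt["chaddr"]] = port
        return "forward"

def demo() -> dict:
    """Replay the post's topology: router on Ethernet0/0 (trusted), PCs and rogue server elsewhere."""
    sw = SnoopingSwitch(trusted={"Ethernet0/0"},
                        rate_limit={f"Ethernet0/{n}": 10 for n in (1, 2, 3)})
    # Constructed sample MAC addresses and lease address (not from the post).
    router_mac, pc_mac, rogue_mac = (bytes.fromhex(h) for h in
                                     ("000100000001", "000100000002", "0001deadbeef"))
    lease_ip = bytes([192, 168, 10, 50])
    out = {}
    out["pc_discover"] = sw.inspect("Ethernet0/1", pc_mac, build_dhcp(DISCOVER, pc_mac), 0.0)
    out["rogue_offer"] = sw.inspect("Ethernet0/3", rogue_mac, build_dhcp(OFFER, pc_mac, lease_ip), 0.0)
    out["router_ack"] = sw.inspect("Ethernet0/0", router_mac, build_dhcp(ACK, pc_mac, lease_ip), 0.0)
    out["spoofed_chaddr"] = sw.inspect("Ethernet0/2", rogue_mac, build_dhcp(DISCOVER, pc_mac), 1.0)
    out["relay_on_access"] = sw.inspect("Ethernet0/3", rogue_mac,
                                        build_dhcp(DISCOVER, rogue_mac, giaddr=lease_ip), 1.0)
    for _ in range(10):                      # ten packets fit inside 'limit rate 10'
        sw.inspect("Ethernet0/2", pc_mac, build_dhcp(DISCOVER, pc_mac), 2.0)
    out["eleventh_in_second"] = sw.inspect("Ethernet0/2", pc_mac, build_dhcp(DISCOVER, pc_mac), 2.0)
    out["binding"] = sw.bindings.get(pc_mac)
    return out
```

Calling demo() returns one verdict per scenario: the PC's DHCPDISCOVER on Ethernet0/1 and the router's DHCPACK on Ethernet0/0 are forwarded and produce a binding for the PC, while the rogue server's DHCPOFFER, a packet whose chaddr does not match the sending MAC, a packet with a non-zero giaddr, and the eleventh packet within one second on a 10 pps port are all dropped. The model counts packets per whole second; the real switch uses a hardware rate limiter and places the offending port in err-disabled state.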

Step 4: Verify DHCP Snooping configuration

You can verify that DHCP snooping was configured properly by using the following show command.

SW#show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.2a00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
Ethernet0/1                no         no              10        
  Custom circuit-ids:
Ethernet0/2                no         no              10        
  Custom circuit-ids:
Ethernet0/3                no         no              10        
  Custom circuit-ids:
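
Reading this output by eye works for four ports, but on a larger switch it is worth checking it programmatically. The following Python script is an added example (not from the original post or Cisco): it parses the trust/rate table and the global state from the show ip dhcp snooping text above and audits it against a simple policy (only approved server ports trusted, every untrusted port rate limited). The embedded SAMPLE_OUTPUT is the post's own output trimmed to the lines the parser reads; the function names and the policy are this example's assumptions.

```python
import re

# Sample input for the audit: the relevant lines of the 'show ip dhcp snooping'
# output from this post. As in the post, no VLANs are listed as operational.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
Ethernet0/1                no         no              10
  Custom circuit-ids:
Ethernet0/2                no         no              10
  Custom circuit-ids:
Ethernet0/3                no         no              10
  Custom circuit-ids:
"""

INTERFACE_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<trusted>yes|no)\s+(?P<opt82>yes|no)\s+(?P<rate>unlimited|\d+)$")
VLAN_HEADER = "DHCP snooping is operational on following VLANs:"

def parse_show_snooping(text: str) -> dict:
    """Parse global state, operational VLANs and the per-interface trust/rate table."""
    state = {"enabled": False, "vlans": [], "interfaces": {}}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Switch DHCP snooping is "):
            state["enabled"] = stripped.endswith("enabled")
        elif stripped == VLAN_HEADER:
            # IOS prints the VLAN list on the line after the header; when the list
            # is empty the next line is already the following header.
            nxt = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
            if nxt and not nxt.startswith("DHCP snooping") and nxt != "none":
                state["vlans"] = [v.strip() for v in nxt.split(",") if v.strip()]
        else:
            m = INTERFACE_ROW.match(stripped)
            if m:
                rate = None if m["rate"] == "unlimited" else int(m["rate"])
                state["interfaces"][m["name"]] = {"trusted": m["trusted"] == "yes",
                                                  "rate_pps": rate}
    return state

def audit(state: dict, expected_trusted: set, max_untrusted_pps: int = 10) -> list:
    """Return human-readable findings; an empty list means the policy holds."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is not enabled globally")
    if not state["vlans"]:
        findings.append("DHCP snooping is not operational on any VLAN "
                        "(needs 'ip dhcp snooping vlan <id>')")
    for name, cfg in sorted(state["interfaces"].items()):
        if cfg["trusted"] and name not in expected_trusted:
            findings.append(f"{name} is trusted but is not an approved DHCP server port")
        if not cfg["trusted"] and (cfg["rate_pps"] is None or cfg["rate_pps"] > max_untrusted_pps):
            findings.append(f"{name} is untrusted without a rate limit of at most "
                            f"{max_untrusted_pps} pps")
    # Only ports with trust/rate settings appear in the table, so an approved
    # server port that is missing from it has not been configured as trusted.
    for name in sorted(expected_trusted - set(state["interfaces"])):
        findings.append(f"{name} should be trusted but has no trust/rate configuration")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_snooping(SAMPLE_OUTPUT), expected_trusted={"Ethernet0/0"}):
        print("FINDING:", finding)
```

Run against the post's output with Ethernet0/0 as the approved server port, the trust and rate-limit settings pass, but the audit reports one finding: no VLAN is listed as operational. On Cisco IOS the global ip dhcp snooping command alone does not filter anything until snooping is also enabled on the relevant VLANs with ip dhcp snooping vlan, so this is exactly the line to check in the verification output. Note that untrusted ports without a rate limit do not appear in this table at all, so the audit should be paired with a review of the running configuration.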
