DHCP snooping can be very useful when securing a network against unauthorized DHCP servers. These unwanted servers can appear in many different ways:
- An administrator brings up a new server with the DHCP service running and a configured scope.
- A DHCP server program is started on a client – with malicious intentions of assigning IP addresses and gateways in order to transparently route traffic through a sniffer before it reaches its destination.
- Several network utilities ship with DHCP server functionality that is turned on by default (tftpd32 comes to mind).
In order to prevent IP address assignments from these potential sources, an option on each access switch can be configured to drop DHCP server messages (offers and acknowledgements) arriving on ‘untrusted’ ports. The only ports configured as trusted are the ones connecting a valid/authorized DHCP server.
Configure DHCP snooping on all end-user access switch ports in vlan5:
ClientSwitch1(config)# ip dhcp snooping
ClientSwitch1(config)# ip dhcp snooping vlan 5
ClientSwitch1(config)# interface gigabitethernet0/1
ClientSwitch1(config-if)# no ip dhcp snooping trust
Note: Snooping is only enabled for the VLANs defined in the global configuration, regardless of the individual port setting. Make sure to define every VLAN on the switch for which protection is desired.
Configure the port a valid DHCP server is connected to:
ServerSwitch(config)# ip dhcp snooping
ServerSwitch(config)# ip dhcp snooping vlan 5
ServerSwitch(config)# interface gigabitethernet0/24
ServerSwitch(config-if)# ip dhcp snooping trust
By configuring a port with the ip dhcp snooping trust statement, all DHCP traffic, including server replies, is allowed to pass through that port.
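To make the filtering rules concrete, here is an added Python model of the decision an access switch makes for each DHCP message. It is not from the original post and is not how IOS implements the feature; the port names, VLAN numbers and sample traffic are constructed for the example.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53) that only a server sends.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class SnoopingSwitch:
    """Simplified model of an access switch running DHCP snooping.

    Assumption (not from the post): snooping is modelled purely as
    'drop server-originated DHCP messages on untrusted ports in snooped
    VLANs'; binding-table and option-82 behaviour are left out.
    """
    snooping_enabled: bool = False                    # ip dhcp snooping
    snooped_vlans: set = field(default_factory=set)   # ip dhcp snooping vlan N
    trusted_ports: set = field(default_factory=set)   # ip dhcp snooping trust

    def filter(self, port: str, vlan: int, msg_type: str) -> str:
        """Return 'forward' or 'drop' for one DHCP message."""
        # As the post notes: the global enable plus the VLAN list decide
        # whether snooping applies at all; the per-port setting alone does nothing.
        if not self.snooping_enabled or vlan not in self.snooped_vlans:
            return "forward"
        if port in self.trusted_ports:
            return "forward"
        # Untrusted port in a snooped VLAN: client messages pass,
        # server replies (the rogue-server case) are dropped.
        return "drop" if msg_type in SERVER_MESSAGES else "forward"


def demo():
    """Run constructed sample traffic through a switch snooping VLAN 5."""
    sw = SnoopingSwitch(snooping_enabled=True, snooped_vlans={5},
                        trusted_ports={"Gi0/24"})
    traffic = [
        ("Gi0/1", 5, "DHCPDISCOVER"),   # client request from an access port
        ("Gi0/1", 5, "DHCPOFFER"),      # rogue server answering on an access port
        ("Gi0/24", 5, "DHCPOFFER"),     # authorized server on the trusted port
        ("Gi0/2", 10, "DHCPOFFER"),     # VLAN 10 is not in the snooping list
    ]
    return {(p, v, m): sw.filter(p, v, m) for p, v, m in traffic}


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, "->", verdict)
```

The last sample line illustrates the note above: a VLAN left out of the global list gets no protection even though its ports are untrusted.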