Latest reply: Aug 23, 2018 19:44:49 273 1 1 0

  • DHCP is an extension of BOOTP.
  • DHCP is based on Client-Server model.


  • DHCP assign an IP address in this order
    • If there is a manual IP address configured.
    • IP Address assigned to the same client before.
    • First IP Address free found.
    • If there isn't search for the one with timeout and conflicting addresses if there isn't an error is reported.


Remember since the DHCP Discover goes by broadcast the Origin MAC address is the same that is delivery to the DHCP server so when the DHCP server sends the unicast has the destination address of the host in this way he knows the packet it's for him.


DHCP Working Procedure

Just as shows UP with the Discovery, Offer, Request and Ack.

Just remember when a client logs into the network again it doesn't need to send a DHCPDISCOVER again, instead he sends a DHCPREQUEST containing the last IP address allocated to check with the DHCP server if he could use the same. If the IP address is not free the DHCP server answer with an DHCPNAK and the host started the process from 0.



Configuring a DHCP server in each segment of a network is uneconomical. The DHCP Relay functions is solves this issue.

Through a DHCP relay agent a client can apply to the DHCP server on another network. This allow to centralized the management.


DHCP packets are generally broadcast and broadcast packets aren't forwarded by routers.

To make it possible need's relays agents.


DHCP relay agent must listen to all UDP packet whose destination port is 67.


In the DHCP packet there is a Field called giaddr this field indicates the IP address of the first DHCP relay agent. When a client broadcast a packet this field is in 0 then fills this field with his own IP address to forward to the DHCP Server.


If the packet is a response packet from the DHCP server, the Relay Agent broadcast or unicasts the packet to the DHCP client depending on the broadcast flag. 

DHCP Snooping


DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.


DHCP snooping acts as a firewall between DHCP clients and a DHCP server to prevent DHCP attacks on the network, ensuring security in communication services.


  • A DHCP security feature, intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP relay agent.
  • DHCP snooping creates and maintains a DCHP snooping binding table, and filters untrusted DHCP messages according to the table.
    • The table contains MAC address, IP address, Lease time, VLAN ID and interface information.
  • DHCP snooping creates a firewall between clients and DHCP server by maintaining this binding table.
  • DHCP snooping protects DHCP enable devices against DoS attacks, bogus DHCP server attacks.


Trusted Interface

Snooping provides the trusted interface to ensure that the client obtains an IP address from an authorized server.

The interfaces that reach some DHCP server are trusted interfaces the other ones no. If an untrusted interface receive a packet with the giaddr different of 0 this isn't analyzed.


You can set a physical interface or a VLAN as trusted or untrusted.

DCHP messages received from untrusted interfaces are directly discarded.


It is the same as STP Guard. If the port shouldn't send DHCP with the giaddr address field different of 0 this means this port should't have an relay agent connected doesn't analyst and dropped. In this way avoids a DoS attack since some one could connected a DHCP relay agent an overload the network with DHCP discovery packets.


Ip dhcp snooping trust -> Cisco command to enable the trust of DHCP packets.


DHCP snooping records a DHCP binding table which contains the clients IP and MAC addresses, port number, and VLAN ID of the interface that received the clients request. When a client is connected an entry is created when the client goes offline the entry is deleted.


When or after a binding table is generated, DHCP snooping checks DHCP packets and compares the fields in the packet with the binding table if there is something different these packet is discarded.


DHCP snooping is used to prevent

Denial of Service DoS

Bogus DHCP server attacks

False DHCP who answer with wrong IP, DNS and Gateway

ARP middleman attacks

The MITM disguises itself as the DHCP server for the Clients request and obtains interaction information between them

IP/MAC spoofing attacks



DHCP snooping can be applied to both layer 2 and layer 3 devices.


DHCP snooping binding table contains dynamic and static binding entries

  • Static Entries: They are manually entered on the inbound interface.
  • Dynamic Entries: They are generated on the inbound interface according to DHCP packets



Static Binding:

If a static IP addresses are allocated to clients you can configure static binding entries for these allocated IP addresses to prevent certain users from stealing these static IP addresses.

Dynamic Binding:

Dynamic entries in the DHCP snooping binding table do not need to be configured

They are automatically generated when DHCP snooping is enabled.


DHCP Snooping Option 82:

When this option is enable in DHCP the DHCP Relay agent inserted in the originated DHCP packets to the DHCP Server.

Servers recognizing the Option may use the information to implement IP address or other parameter assignment policies.



Users with static IP address have not matching DHCP snooping binding entry on the switch because the user didn't obtain the IP address by DHCP so ARP or IP packet sent it from this user are discarded.  To allow the users with statically allocated IP addresses to access the network must configure a static DHCP snooping binding table. This is to avoid someone else configure a static IP address and make use of the network when he shouldn't.


So all packets needs to have an Snooping Binding entry where is an entry of which IP address and Which MAC address should have this host. If the MAC address is different from the one recorded the packets are discarded.


Application of DHCP Snooping


DHCP exhaustion attack: The attacker change his MAC address an request several IP address until the pool is over.

Solution: The MAC address limiting function can prevent this attack. Port-Security feature learned mac addresses.


ARP attacks - The system is overload with ARP request.

In Cisco the command is "ip arp inspection trust"

This need to enable in all ports that connects to another Switch as the "ip dhcp snooping trust"

DHCP Structure Packets


  • In the DHCP packet has a Hops field this is put to 0 by the client and each relay agent that pass add 1.
    • The maximum number of Relay agents allowed is 4. At the 5 relay agent is discarded.
  • Client IP Address: Used in renew, or rebinding process. At the beggining is because the customer haven't a IP address
  • Your IP Address: IP allocated by the DHCP Server.
  • Server IP Address: The IP address of a server.
  • Gateway IP Address: The IP address of the first relay agent.
  • Client Hardware address: Indicates the MAC address of a client
DHCP HCNP Info-2734167-1
  • x
  • convention:

Created Aug 23, 2018 19:44:49 Helpful(0) Helpful(0)

Thanks for the DHCP advices, I think use of DHCP depends of each network, this will information helps to check the good way to use it.
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits