Blocking third-party DHCP on Cisco via DHCP Snooping

On the test, I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party DHCP servers, on the other Cisco switches, the configuration is basically the same.

After connecting to the device immediately go to the configuration mode:


Enable DHCP Snooping in the desired VLAN:

ip dhcp snooping vlan 226-228,300-302

It is possible to disable the transfer of 82 options (it is standard on):

no ip dhcp snooping information option

Now let’s specify which interfaces are allowed to skip DHCP packets from the servers:

interface TenGigabitEthernet3/3
ip dhcp snooping trust
interface GigabitEthernet1/4
ip dhcp snooping trust

You can cancel the command like this:

no ip dhcp snooping trust

You can specify the addresses of trusted DHCP servers:

ip dhcp-server
ip dhcp-server

Now enable DHCP Snooping:

ip dhcp snooping

Done, on the other interfaces, the DHCP servers will automatically be blocked.
I recommend that you pay attention to CPU loading after the last command, since in large L3 networks the processor can be heavily loaded.

You can set the DHCP packet limit that the interface can receive (default is not specified):

ip dhcp snooping limit rate

Let’s review the settings, and other information (exit the configuration mode by typing exit):

show ip dhcp snooping
show ip dhcp snooping detect spurious
show ip dhcp snooping binding
show ip dhcp snooping database
show ip dhcp snooping statistics
clear ip dhcp snooping statistics

To view information in the configuration mode, you need to type before the “do” commands, for example:

do show ip dhcp snooping

You can also use the debugging mode for DHCP Snooping and see the recorded information in the logs:

debug ip dhcp snooping packet
no debug ip dhcp snooping packet
debug ip dhcp snooping event
no debug ip dhcp snooping event
show logging

I note that in large networks, the debugging mode can also heavily load the switch.

For Cisco Catalyst 6500 series switches, you can find the official documentation here –

See also other my articles with the tag DHCP Snooping.

Leave a comment

Leave a Reply