In modern network infrastructures, perimeter security is often associated with firewalls and intrusion detection systems. However, Layer 2 (Data Link layer) threats remain one of the most overlooked attack surfaces.
An attacker who gains physical access to a switch port can launch a man-in-the-middle (MITM) attack or deploy a rogue DHCP server within minutes.
The combination of DHCP Snooping and IP Source Guard (IPSG) creates a trust boundary inside VLANs, allowing the switch to independently validate traffic legitimacy without relying on upstream security devices.
Why Is This Critical?
Without validation mechanisms at the Access Layer, the network implicitly trusts connected devices. This opens multiple attack vectors:
Rogue DHCP Server
An attacker responds to DHCP requests faster than the legitimate server, assigning their own gateway IP. Victim traffic is redirected through the attacker’s machine.
IP Spoofing
A host manually configures an IP address belonging to another device (e.g., a server or printer), causing conflicts or hijacking sessions.
DHCP Starvation
A flood of DHCP requests exhausts the address pool, causing denial of service (DoS) for legitimate clients.
DHCP Snooping validates DHCP servers.
IP Source Guard prevents hosts from arbitrarily changing their IP addresses.
How It Works: The Binding Table as the Source of Truth
The key element is the DHCP Snooping Binding Table.
DHCP Snooping does more than filter packets — it passively listens to DHCP transactions (Discover, Offer, Request, Ack) and builds a database containing:
- Client MAC address
- Assigned IP address
- VLAN ID
- Switch port
- Lease time
This table becomes the source of truth.
IP Source Guard uses it to create dynamic Port ACLs.
If traffic arrives from an IP address not present in the binding table for that port, the switch drops the frames at hardware level.
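As an added illustration (not code from the article or from Cisco), the following Python model replays the sequence described above: DHCP server messages are accepted only from a trusted port, the binding table is learned from the server's Ack, and data frames on an IPSG-enabled port are checked against it, including lease expiry. Port names, MAC and IP addresses are constructed, and the model checks only the source IP, as the article describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dhcp:
    kind: str           # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    yiaddr: str = ""    # address the server assigns (OFFER/ACK)
    lease: int = 0      # lease time in seconds (ACK)

@dataclass(frozen=True)
class Frame:
    port: str
    vlan: int
    src_ip: str
    dhcp: Dhcp = None   # None for ordinary data traffic

class SnoopingSwitch:
    def __init__(self, trusted_ports, snooped_vlans, ipsg_ports):
        self.trusted, self.snooped, self.ipsg = set(trusted_ports), set(snooped_vlans), set(ipsg_ports)
        self.pending = {}    # (vlan, client_mac) -> port that sent DISCOVER/REQUEST
        self.bindings = {}   # (port, vlan, ip) -> (client_mac, lease expiry)

    def handle(self, f: Frame, now: float) -> str:
        if f.dhcp and f.vlan in self.snooped:
            d = f.dhcp
            if d.kind in ("OFFER", "ACK") and f.port not in self.trusted:
                return "drop: DHCP server message on untrusted port"   # rogue server
            if d.kind in ("DISCOVER", "REQUEST"):
                self.pending[(f.vlan, d.client_mac)] = f.port         # remember the client's port
            elif d.kind == "ACK" and (f.vlan, d.client_mac) in self.pending:
                port = self.pending.pop((f.vlan, d.client_mac))
                self.bindings[(port, f.vlan, d.yiaddr)] = (d.client_mac, now + d.lease)
            return "forward"   # DHCP itself is exempt from IPSG, or clients could never get a lease
        if f.port in self.ipsg:
            entry = self.bindings.get((f.port, f.vlan, f.src_ip))
            if entry is None or entry[1] <= now:
                return "drop: IPSG, no valid binding for this source IP on this port"
        return "forward"

def demo():
    """Constructed scenario: one client, the real server on the uplink, a rogue server on an access port."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"}, snooped_vlans={10}, ipsg_ports={"Gi1/0/1"})
    pc, server, rogue = "0011.2233.4455", "Gi1/0/24", "Gi1/0/2"
    steps = [
        (Frame("Gi1/0/1", 10, "0.0.0.0", Dhcp("DISCOVER", pc)), 0),
        (Frame(rogue, 10, "192.168.10.254", Dhcp("OFFER", pc, "192.168.10.66")), 1),   # rogue answers first
        (Frame(server, 10, "192.168.10.1", Dhcp("OFFER", pc, "192.168.10.5")), 1),
        (Frame("Gi1/0/1", 10, "0.0.0.0", Dhcp("REQUEST", pc, "192.168.10.5")), 2),
        (Frame(server, 10, "192.168.10.1", Dhcp("ACK", pc, "192.168.10.5", lease=3600)), 2),
        (Frame("Gi1/0/1", 10, "192.168.10.5"), 10),     # leased address: allowed
        (Frame("Gi1/0/1", 10, "192.168.10.9"), 10),     # manually changed address: dropped
        (Frame("Gi1/0/1", 10, "192.168.10.5"), 3700),   # lease expired without renewal: dropped
    ]
    return [sw.handle(frame, now) for frame, now in steps]
```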

Step-by-Step Configuration (Cisco IOS)
Configuration must follow the correct order:
- Enable DHCP Snooping
- Configure trusted ports
- Protect against DHCP starvation
- Enable IP Source Guard
1️⃣ Global Activation and VLAN Selection
If you’re not familiar with Cisco CLI syntax, check our Cisco CLI Cheatsheet for quick command reference.
Specify the VLANs where DHCP transactions should be inspected:
conf t
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
⚠ Important:
Enable snooping only on user VLANs. Avoid applying it to management or server VLANs without proper testing.
2️⃣ Configure Trusted Ports
By default, all ports become untrusted once DHCP Snooping is enabled.
This means DHCP Offer and Ack messages arriving on an untrusted port are dropped.
You must explicitly trust:
- Ports connected to the legitimate DHCP server
- Uplinks toward the distribution/core layer
interface GigabitEthernet1/0/24
description UPLINK_TO_DHCP_SERVER
ip dhcp snooping trust
🚨 Common mistake:
If you forget to configure a trusted port, clients will stop receiving IP addresses.
Symptom:
The network appears operational, but DHCP fails.
3️⃣ Protect Against DHCP Starvation
Limit the rate of DHCP packets on access ports:
interface range GigabitEthernet1/0/1 - 20
description ACCESS_PORTS
ip dhcp snooping limit rate 15
15 packets per second is usually sufficient for legitimate clients.
If the limit is exceeded, the port may enter err-disable state.
4️⃣ Enable IP Source Guard
Now use the binding table to enforce IP validation:
interface GigabitEthernet1/0/1
ip verify source vlan dhcp-snooping
The vlan parameter enforces VLAN consistency checks and helps mitigate VLAN hopping attacks.
Verification and Troubleshooting
After deployment, verify that everything operates correctly.
Check DHCP Snooping Binding Table
show ip dhcp snooping binding
Expected result:
You should see client MAC addresses, assigned IPs, VLANs, and ports.
If the table is empty:
- Check trusted ports
- Verify DHCP server operation
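Added example (not part of the article): a parser for `show ip dhcp snooping binding` output that turns the table into a quick audit of the ports protected by IP Source Guard. The sample output is constructed to resemble Cisco IOS (the column layout may differ by platform), and the port list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "show ip dhcp snooping binding" output.
SAMPLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.10.5     85213       dhcp-snooping   10    GigabitEthernet1/0/1
00:11:22:33:44:66   192.168.10.6     172         dhcp-snooping   10    GigabitEthernet1/0/2
00:11:22:33:44:77   192.168.10.7     infinite    static          10    GigabitEthernet1/0/3
00:11:22:33:44:88   192.168.10.8     3421        dhcp-snooping   10    GigabitEthernet1/0/2
Total number of bindings: 4
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: Optional[int]   # None for static ("infinite") entries
    kind: str
    vlan: int
    interface: str

# Header, separator and "Total ..." lines never match because the second column must be an IPv4 address.
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+|infinite)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

def parse_bindings(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            out.append(Binding(mac, ip, None if lease == "infinite" else int(lease), kind, int(vlan), iface))
    return out

def audit(bindings, ipsg_ports, max_per_port=1, expiring_within=300) -> dict:
    """Flag IPSG ports with no binding (hosts there are being dropped or absent), ports carrying
    more bindings than expected (hypervisor or unmanaged switch behind the port), and leases about to expire."""
    by_port = defaultdict(list)
    for b in bindings:
        by_port[b.interface].append(b)
    return {
        "no_binding": sorted(p for p in ipsg_ports if p not in by_port),
        "crowded": sorted(p for p, bs in by_port.items() if len(bs) > max_per_port),
        "expiring": sorted(b.ip for b in bindings if b.lease is not None and b.lease <= expiring_within),
        "static": sorted(b.ip for b in bindings if b.kind == "static"),
    }
```

Feed it the real command output captured from the switch in place of `SAMPLE`, and adjust `max_per_port` for ports that legitimately carry several hosts.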
When adding static bindings or validating IP allocations, you can use our IP Calculator to verify network ranges and masks.
Check IP Source Guard Status
show ip verify source
Expected result:
User-facing ports should show status active.
Common Issues
Clients Do Not Receive IP Addresses
- Verify uplink is configured as trusted
- Confirm DHCP server connectivity
Static IP Devices Do Not Work
IP Source Guard relies on the dynamic binding table.
Devices using static IP addresses will be blocked.
Solution: Add a static binding manually:
ip dhcp snooping binding 0011.2233.4455 vlan 10 192.168.10.5 interface Gi0/1 expiry infinite
High CPU or TCAM Utilization
The binding table is stored in TCAM.
On older switches, table growth may exhaust hardware resources.
Monitor usage:
show platform tcam utilization
Best Practices and Architectural Considerations
Use Together with Dynamic ARP Inspection (DAI)
DAI also relies on the DHCP Snooping binding table.
For full Layer 2 protection, enable:
- DHCP Snooping
- IP Source Guard
- Dynamic ARP Inspection
Virtualization Environments
In VMware or Hyper-V environments, multiple VMs may send DHCP traffic over a single physical uplink.
Adjust rate limits accordingly or disable them on trusted hypervisor ports.
Persist the Binding Database
The dynamic table is lost after a switch reboot.
For production networks, configure database persistence:
ip dhcp snooping database flash:/dhcp_snooping.db
ip dhcp snooping database write-delay 300
This ensures recovery after reboot.
Conclusion
The combination of DHCP Snooping and IP Source Guard moves security enforcement to the access layer, preventing attacks before they reach the network core.
It is:
- Lightweight
- Hardware-accelerated
- License-free
- Industry best practice
Remember: security is a continuous process.
Regularly audit binding tables, monitor TCAM utilization, and adjust configurations as the network evolves.