Girish Mahajan (Editor)

DHCP snooping


In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to allow only clients with specific IP and MAC addresses to have access to the network.

DHCP snooping can ensure IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:

  • Track the physical location of hosts.
  • Ensure that hosts only use the IP addresses assigned to them.
  • Ensure that only authorized DHCP servers are accessible.
With DHCP snooping, the information about IP addresses and corresponding MAC addresses is stored in a database on the network switch. Packets from clients that do not match the stored information will be dropped.

The DHCP snooping database is sometimes used for other security features such as IP source guard and dynamic ARP inspection, which makes it a central component of LAN access security.

DHCP snooping can also prevent attackers from adding their own DHCP servers to the network, which would otherwise cause the network to malfunction and allow further unauthorized components to be added.
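The behaviour described above can be modelled in a few lines. The following Python sketch is an added example, not taken from the original article or from any vendor's implementation: the class `SnoopingSwitch`, the port names and all MAC/IP addresses are constructed for illustration. It shows server replies being accepted only on a trusted port, the binding database being learned from those replies, and ordinary traffic being checked against it.

```python
# Simplified model of a DHCP snooping switch (illustrative, not vendor code).
# Port names, MAC and IP addresses are constructed sample values.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # DHCP message types only a server sends

@dataclass
class SnoopingSwitch:
    trusted_ports: set                             # ports facing authorized DHCP servers
    bindings: dict = field(default_factory=dict)   # (port, mac) -> leased IP
    pending: dict = field(default_factory=dict)    # mac -> port of last REQUEST

    def dhcp(self, port, msg_type, client_mac, ip=None):
        """Process a DHCP message seen on `port`; return 'forward' or 'drop'."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted_ports:
                return "drop"                      # server reply on an untrusted port
            if msg_type == "ACK" and client_mac in self.pending:
                # Learn port/MAC/IP from the authorized server's ACK.
                client_port = self.pending.pop(client_mac)
                self.bindings[(client_port, client_mac)] = ip
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = port        # records where the host is attached
        return "forward"

    def data(self, port, src_mac, src_ip):
        """Check ordinary traffic against the binding database."""
        if port in self.trusted_ports:
            return "forward"
        match = self.bindings.get((port, src_mac)) == src_ip
        return "forward" if match else "drop"

def demo():
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    mac = "02:00:00:00:00:0a"
    return sw, [
        sw.dhcp("port3", "REQUEST", mac),
        sw.dhcp("port7", "ACK", mac, "192.0.2.66"),    # unauthorized server: dropped
        sw.dhcp("uplink1", "ACK", mac, "192.0.2.10"),  # authorized: binding learned
        sw.data("port3", mac, "192.0.2.10"),           # matches the binding
        sw.data("port3", mac, "192.0.2.99"),           # IP not assigned to this host
        sw.data("port5", mac, "192.0.2.10"),           # right MAC/IP, wrong port
    ]

if __name__ == "__main__":
    print(demo()[1])
```

A real switch also ages bindings out with the lease time and scopes them per VLAN, which this model leaves out.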

References

DHCP snooping Wikipedia