DHCP Snooping – Concepts & Operation

1. What Is DHCP Snooping and Why Is It Needed?

DHCP Snooping is a Layer 2 security feature implemented on a switch that acts as a firewall between untrusted hosts and trusted DHCP servers. It inspects DHCP messages passing through the switch and filters those that could be used to attack or disrupt the network, preventing unauthorised devices from acting as DHCP servers or exhausting the address pool.

Without DHCP Snooping, any device connected to the network can respond to DHCP requests — either accidentally (a misconfigured router or VM) or maliciously (an attacker running a rogue DHCP server). The consequences range from users receiving wrong IP addresses and gateway information (leading to a man-in-the-middle attack) to complete denial of service.

Threat: Rogue DHCP Server
  What happens:            An unauthorised device responds to DHCP Discover messages, assigning clients a false gateway IP — routing all their traffic through the attacker
  How DHCP Snooping helps: DHCP Offers and Acks arriving on untrusted ports are dropped; only the legitimate server on the trusted port can respond

Threat: DHCP Starvation / Exhaustion
  What happens:            An attacker sends thousands of DHCP Discover messages with spoofed MAC addresses, exhausting the server's address pool so legitimate clients cannot get an IP
  How DHCP Snooping helps: Rate limiting on untrusted ports caps the number of DHCP messages per second, triggering an err-disable if exceeded

Threat: DHCP Spoofing
  What happens:            A client sends a DHCP Release with a spoofed IP to force another client offline
  How DHCP Snooping helps: The binding table validates that Release and Decline messages match the known client IP, MAC, port, and VLAN before allowing them

Related pages: DHCP Overview | How DHCP Works | DHCP Relay | Dynamic ARP Inspection (DAI) | Port Security | VLANs Overview | CAM / MAC Address Table | DHCP Snooping & DAI Lab | DHCP Relay Agent Lab

2. How DHCP Snooping Works — Core Concepts

DHCP Snooping operates by classifying every switch port as either trusted or untrusted, then applying different validation rules to DHCP messages based on which type of port they arrive on.

2.1 Trusted vs Untrusted Ports

Trusted
  Connected to:     Legitimate DHCP server, uplink to another switch or router, DHCP relay agent
  Messages allowed: All DHCP messages — both client (Discover, Request) and server (Offer, Ack, Nak)
  Messages dropped: Nothing — trusted ports are not filtered

Untrusted (default)
  Connected to:     End-user devices, PCs, printers, phones, wireless APs
  Messages allowed: Client-originated messages only: DHCP Discover, Request, Release, Decline, Inform
  Messages dropped: Server-originated messages: DHCP Offer and Ack — these should never come from an end device

Default state: All switch ports are untrusted by default when DHCP Snooping is enabled. You must explicitly configure trusted ports for the uplinks and DHCP server connections. Over-trusting ports defeats the purpose of DHCP Snooping entirely.

2.2 The DHCP Message Types — Which Direction?

  DHCP Message Flow (DORA Process):

  Client                Switch               Server
    |                     |                     |
    |── DHCP Discover ───>|── (forwarded) ─────>|   Client → server  (untrusted OK)
    |                     |<── DHCP Offer ───────|   Server → client  (trusted port only)
    |── DHCP Request ────>|── (forwarded) ─────>|   Client → server  (untrusted OK)
    |                     |<── DHCP Ack ─────────|   Server → client  (trusted port only)

  DHCP Snooping rule:
  ┌─────────────────────────────────────────────────────────────────┐
  │  If DHCP Offer or Ack arrives on an UNTRUSTED port → DROP IT   │
  │  Only a legitimate server on a TRUSTED port may send Offers    │
  └─────────────────────────────────────────────────────────────────┘

3. The DHCP Snooping Binding Table

The DHCP Snooping Binding Table (also called the DHCP binding database) is a dynamic table maintained by the switch that records a verified mapping of:

  Binding Table Entry Format:

  ┌───────────────────┬─────────────────────┬──────────────┬────────┬──────────────┐
  │    MAC Address    │     IP Address      │  Lease Time  │  VLAN  │  Interface   │
  ├───────────────────┼─────────────────────┼──────────────┼────────┼──────────────┤
  │ 00:1A:2B:3C:4D:5E │    192.168.10.10    │   86400 sec  │   10   │  Fa0/1       │
  │ 00:AA:BB:CC:DD:EE │    192.168.10.15    │   86400 sec  │   10   │  Fa0/3       │
  │ 00:11:22:33:44:55 │    192.168.20.50    │   43200 sec  │   20   │  Fa0/7       │
  └───────────────────┴─────────────────────┴──────────────┴────────┴──────────────┘

  Verify with:  Switch# show ip dhcp snooping binding

3.1 How the Binding Table Is Populated

  Step 1:  Client sends DHCP Discover out Fa0/1 (untrusted port, VLAN 10)
           Switch inspects the message — it is a client message (Discover) — ALLOWED
           Switch forwards the frame toward the trusted uplink

  Step 2:  Legitimate DHCP server responds with DHCP Offer on the trusted port
           Switch allows the Offer through (trusted port) — forwards to client

  Step 3:  Client sends DHCP Request — Switch allows (client message on untrusted port)

  Step 4:  Server sends DHCP Ack — Switch allows (arrived on trusted port)
           ★ At this moment, the switch extracts from the Ack:
             - Client MAC address
             - Assigned IP address
             - Lease time
             - VLAN
             - Switch port (Fa0/1)
           Switch writes a new entry into the Binding Table

  Step 5:  Future validation — any subsequent messages (Release, Decline) arriving
           on Fa0/1 claiming IP 192.168.10.10 are checked against the binding table
           If the MAC/IP/port/VLAN do not match → packet is DROPPED
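The forwarding rules from 2.1/2.2 and the binding-table steps above, as an added Python model that is not part of the original page or of any switch vendor's code. Port names, MACs, IPs and VLANs are constructed sample values; the replay in demo() follows the section 4 topology (PC-A on Fa0/1, rogue server on Fa0/3, real server reached via trusted Gi0/1).

```python
# Added example (not from the page): a minimal model of the DHCP Snooping
# forwarding rules (sections 2.1/2.2) and binding-table logic (section 3.1).
# Port names, MACs, IPs and VLANs below are constructed sample values.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # server-originated message types


@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE, INFORM
    client_mac: str    # client hardware address (chaddr)
    ip: str = ""       # yiaddr on OFFER/ACK, ciaddr on RELEASE/DECLINE
    lease: int = 0     # lease time in seconds, carried by the ACK


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)      # trusted port names
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port awaiting ACK
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    log: list = field(default_factory=list)

    def handle(self, port: str, vlan: int, msg: DhcpMsg) -> str:
        """Return 'FORWARD' or 'DROP' for a DHCP message arriving on `port`."""
        key = (msg.client_mac, vlan)
        if port in self.trusted:
            # Trusted ports are not filtered; an ACK completes DORA and creates the binding.
            if msg.kind == "ACK" and key in self.pending:
                self.bindings[key] = Binding(msg.client_mac, msg.ip, msg.lease,
                                             vlan, self.pending.pop(key))
            return "FORWARD"
        if msg.kind in SERVER_MSGS:
            # Server-originated message on an untrusted port: rogue server, drop it.
            self.log.append(f"DROP {msg.kind} on untrusted {port}")
            return "DROP"
        if msg.kind in ("DISCOVER", "REQUEST"):
            # Remember which untrusted port the client sits on for the coming ACK.
            self.pending[key] = port
            return "FORWARD"
        if msg.kind in ("RELEASE", "DECLINE"):
            # Must match the existing binding's MAC, IP, VLAN and port, otherwise
            # a spoofed Release could free another client's lease.
            b = self.bindings.get(key)
            if b is None or b.ip != msg.ip or b.port != port:
                self.log.append(f"DROP {msg.kind} on {port}: no matching binding")
                return "DROP"
            del self.bindings[key]
        return "FORWARD"   # INFORM, or a validated RELEASE/DECLINE


def demo() -> dict:
    """Replay section 4: PC-A on Fa0/1, rogue server on Fa0/3, real server via Gi0/1."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    pc_a, ip = "00:1A:2B:3C:4D:5E", "192.168.10.10"
    r = {}
    r["discover"] = sw.handle("Fa0/1", 10, DhcpMsg("DISCOVER", pc_a))
    r["rogue_offer"] = sw.handle("Fa0/3", 10, DhcpMsg("OFFER", pc_a, "192.168.10.99"))
    r["offer"] = sw.handle("Gi0/1", 10, DhcpMsg("OFFER", pc_a, ip))
    r["request"] = sw.handle("Fa0/1", 10, DhcpMsg("REQUEST", pc_a, ip))
    r["ack"] = sw.handle("Gi0/1", 10, DhcpMsg("ACK", pc_a, ip, 86400))
    r["binding_port"] = sw.bindings[(pc_a, 10)].port
    # Spoofed Release: PC-A's MAC and IP but sent from Fa0/2 (the "DHCP Spoofing" threat)
    r["spoofed_release"] = sw.handle("Fa0/2", 10, DhcpMsg("RELEASE", pc_a, ip))
    r["real_release"] = sw.handle("Fa0/1", 10, DhcpMsg("RELEASE", pc_a, ip))
    r["bindings_left"] = len(sw.bindings)
    return r
```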

3.2 Why the Binding Table Matters Beyond DHCP

The DHCP Snooping Binding Table is not just used by DHCP Snooping itself. It serves as the foundation for two other important Layer 2 security features:

Dynamic ARP Inspection (DAI)
  Validates ARP packets by checking that the sender's IP-to-MAC mapping matches a binding table entry — prevents ARP spoofing and man-in-the-middle attacks

IP Source Guard
  Filters IP packets on untrusted ports, only allowing traffic from IP/MAC combinations that are present in the binding table — prevents IP address spoofing

Persistence: By default the binding table is stored only in RAM and is lost on a reboot. Use ip dhcp snooping database <url> to write the table to a TFTP server, flash, or NVRAM so clients do not lose connectivity after a switch reload.

4. Topology – DHCP Snooping in Action

  TOPOLOGY — DHCP Snooping Deployment

                         [ DHCP Server ]
                          192.168.10.1
                               |
                          Gi0/1 ← TRUSTED (server uplink)
                               |
                     ┌─────────────────────┐
                     │    Access Switch     │
                     │  (DHCP Snooping ON) │
                     └──┬──────┬──────┬───┘
                        |      |      |
                    Fa0/1   Fa0/2   Fa0/3
                  UNTRUSTED UNTRUSTED UNTRUSTED
                        |      |      |
                   PC-A      PC-B   [! Rogue DHCP Server]
                 (legit)   (legit)   (attacker device)

  ─────────────────────────────────────────────────────────────
  What happens when the rogue device sends a DHCP Offer on Fa0/3:
    → DHCP Offer arrives on Fa0/3 (UNTRUSTED port)
    → Switch detects server-originated message on untrusted port
    → Switch DROPS the frame immediately
    → Log message generated: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL
  ─────────────────────────────────────────────────────────────

  Uplink to distribution switch:
                     [ Access Switch ]
                          |
                       Gi0/2 ← TRUSTED (uplink trunk to distribution)
                          |
                  [ Distribution Switch ]
                    (also running DHCP Snooping)

Uplink ports must be trusted: In a multi-switch network, trunk uplinks between access and distribution switches carry DHCP messages relayed from the legitimate server. These uplinks must be configured as trusted — otherwise the switch will drop legitimate DHCP Offers relayed through the distribution layer.

5. DHCP Starvation Attack and Rate Limiting

A DHCP Starvation attack (also called DHCP exhaustion) does not require a rogue server. Instead, the attacker floods the network with DHCP Discover messages, each using a different spoofed source MAC address. The legitimate DHCP server allocates an IP address for each spoofed MAC until its entire address pool is exhausted. Legitimate clients then receive no IP address when they request one.

  DHCP Starvation Attack Flow:

  [Attacker Tool - e.g. Yersinia]
       |
       |── DHCP Discover (src MAC: AA:AA:AA:AA:AA:01) ──→ Switch → Server assigns .1
       |── DHCP Discover (src MAC: AA:AA:AA:AA:AA:02) ──→ Switch → Server assigns .2
       |── DHCP Discover (src MAC: AA:AA:AA:AA:AA:03) ──→ Switch → Server assigns .3
       |   ... (hundreds per second) ...
       |── DHCP Discover (src MAC: AA:AA:AA:AA:AA:FE) ──→ Server: POOL EXHAUSTED

  [ Legitimate PC ]── DHCP Discover ──→ Server: "No addresses available" → No IP

5.1 Rate Limiting — The Defence

DHCP Snooping can enforce a per-port rate limit on DHCP messages. If any untrusted port exceeds the configured threshold (messages per second), the switch automatically places the port into err-disabled state, shutting it down and logging the event. The port must then be manually re-enabled (or recovered with errdisable recovery).

  Rate Limit Configuration:

  Switch(config-if)# ip dhcp snooping limit rate 15
  ! Places the port into err-disable if it sends more than 15 DHCP packets/second

  Automatic recovery (optional):
  Switch(config)# errdisable recovery cause dhcp-rate-limit
  Switch(config)# errdisable recovery interval 300
  ! Automatically re-enables err-disabled ports after 300 seconds

  Verify err-disabled ports:
  Switch# show interfaces status err-disabled
  Switch# show errdisable recovery

  Rate limit setting: 1–15 packets/sec
    Recommended for: End-user access ports (single PC, printer, phone)
    Notes:           A single legitimate client rarely sends more than 1–2 DHCP messages at boot

  Rate limit setting: 100+ packets/sec
    Recommended for: Ports connecting to DHCP relay agents or downstream switches
    Notes:           Higher limit needed as these ports aggregate traffic from many clients

  Rate limit setting: No limit (trusted)
    Recommended for: Trusted ports toward DHCP server or uplinks
    Notes:           Rate limiting is typically applied to untrusted ports only
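The per-port rate limit and errdisable recovery behaviour described in 5.1, as an added Python model (not code from the page or from any switch vendor). It counts DHCP packets per port in a sliding one-second window; the port names, limits and packet timings in demo() are constructed, and the aggregation-port case mirrors the "downstream switch with many clients" row of the table above.

```python
# Added example (not from the page): a per-port DHCP message rate check modelled
# on "ip dhcp snooping limit rate" with "errdisable recovery". It counts packets
# in a sliding one-second window; ports, limits and timestamps are constructed.
from collections import defaultdict, deque


class DhcpRateLimiter:
    def __init__(self, limits: dict, recovery_interval: float = None):
        self.limits = limits                        # port -> max DHCP packets/second
        self.recovery_interval = recovery_interval  # seconds; None = manual recovery only
        self.window = defaultdict(deque)            # port -> arrival times in the last second
        self.err_disabled = {}                      # port -> time it was err-disabled
        self.events = []                            # (time, port, event) log

    def _recover(self, now: float) -> None:
        """Re-enable ports whose errdisable recovery timer has expired."""
        if self.recovery_interval is None:
            return
        for port, t in list(self.err_disabled.items()):
            if now - t >= self.recovery_interval:
                del self.err_disabled[port]
                self.window[port].clear()
                self.events.append((now, port, "recovered"))

    def dhcp_packet(self, port: str, now: float) -> str:
        """Return 'FORWARD' or 'DROP' for one DHCP packet seen on `port` at time `now`."""
        self._recover(now)
        if port in self.err_disabled:
            return "DROP"                 # port is shut down, nothing passes
        limit = self.limits.get(port)
        if limit is None:
            return "FORWARD"              # trusted / unlimited port
        q = self.window[port]
        while q and now - q[0] >= 1.0:    # slide the one-second window
            q.popleft()
        q.append(now)
        if len(q) > limit:
            self.err_disabled[port] = now
            self.events.append((now, port, "err-disabled"))
            return "DROP"
        return "FORWARD"


def demo() -> dict:
    """Three ports: two access ports at 15 pps, an aggregation port at 100 pps."""
    rl = DhcpRateLimiter({"Fa0/1": 15, "Fa0/2": 15, "Gi0/2": 100}, recovery_interval=300)
    r = {}
    # Normal boot: Discover then Request from a single PC
    r["pc_boot"] = [rl.dhcp_packet("Fa0/1", 0.0 + i * 0.1) for i in range(2)]
    # Starvation flood: 100 Discovers within one second on Fa0/2
    flood = [rl.dhcp_packet("Fa0/2", 1.0 + i * 0.01) for i in range(100)]
    r["flood_forwarded"] = flood.count("FORWARD")     # only the first 15 get through
    r["fa0_2_disabled"] = "Fa0/2" in rl.err_disabled
    # Downstream switch with 50 clients booting: 100 messages in half a second, limit 100
    agg = [rl.dhcp_packet("Gi0/2", 2.0 + i * 0.005) for i in range(100)]
    r["agg_dropped"] = agg.count("DROP")
    # Still err-disabled at t=200 s, automatically recovered after the 300 s interval
    r["before_recovery"] = rl.dhcp_packet("Fa0/2", 200.0)
    r["after_recovery"] = rl.dhcp_packet("Fa0/2", 302.0)
    return r
```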

6. Configuration – Enabling DHCP Snooping

DHCP Snooping is configured globally and then per-VLAN. Ports are untrusted by default; only uplinks and server connections need explicit trust configuration.

  ! ── Step 1: Enable DHCP Snooping globally ──
  Switch(config)# ip dhcp snooping

  ! ── Step 2: Enable DHCP Snooping on specific VLANs ──
  Switch(config)# ip dhcp snooping vlan 10
  Switch(config)# ip dhcp snooping vlan 20
  Switch(config)# ip dhcp snooping vlan 10,20,30     ! comma-separated or range

  ! ── Step 3: Trust the uplink/server port(s) ──
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# ip dhcp snooping trust
  ! Repeat for any other uplinks or server-facing ports

  ! ── Step 4: Apply rate limiting on untrusted access ports ──
  Switch(config)# interface range FastEthernet0/1 - 24
  Switch(config-if-range)# ip dhcp snooping limit rate 15

  ! ── Step 5 (optional): Persist the binding table to flash ──
  Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db
  Switch(config)# ip dhcp snooping database write-delay 300

  ! ── Step 6 (optional): Disable Option 82 insertion if causing issues ──
  ! By default, Cisco switches insert DHCP Option 82 (relay agent info)
  ! Some DHCP servers reject Option 82 from untrusted relays — disable if needed:
  Switch(config)# no ip dhcp snooping information option

Option 82 caveat: When DHCP Snooping is enabled, Cisco switches insert DHCP Option 82 (relay agent information) into client DHCP messages by default. If your DHCP server is not configured to accept Option 82, it may drop the requests. The no ip dhcp snooping information option command disables Option 82 insertion. This is a very common cause of DHCP failures after enabling snooping.

6.1 Full Configuration Example

  ! ════════════════════════════════════════════
  !  Access Switch — DHCP Snooping Full Config
  ! ════════════════════════════════════════════

  ip dhcp snooping
  ip dhcp snooping vlan 10,20

  ! Trusted uplink to distribution switch (trunk)
  interface GigabitEthernet0/1
   description Uplink-to-Distribution
   ip dhcp snooping trust

  ! Trusted port directly connected to DHCP server
  interface GigabitEthernet0/2
   description DHCP-Server
   ip dhcp snooping trust

  ! Untrusted access ports — rate limited
  interface range FastEthernet0/1 - 20
   description Access-Port-End-Users
   ip dhcp snooping limit rate 15

  ! Persist binding table
  ip dhcp snooping database flash:dhcp-snooping-binding.db
  ip dhcp snooping database write-delay 300

  ! Disable Option 82 if DHCP server does not support it
  no ip dhcp snooping information option
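A way to check a configuration like the one above before it goes live, as an added Python example that is not part of the page or of any vendor tool: it parses an IOS-style config and flags the misconfigurations the troubleshooting table in section 8 lists (untrusted uplink, no VLANs, no rate limit, no persistence, Option 82 state). The sample config is constructed from the one above with two mistakes introduced; the uplink/server detection from interface descriptions is a heuristic.

```python
# Added example (not from the page): a small audit script that parses an
# IOS-style running-config and flags the DHCP Snooping misconfigurations
# listed in section 8. The sample config is constructed inline; the
# "uplink/server" detection from descriptions is only a heuristic.
import re


def parse_ios_config(text: str):
    """Split a config into top-level commands and per-interface command lists."""
    top, ifaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # skip blanks and comments
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()  # e.g. "range FastEthernet0/1 - 20"
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())        # indented sub-command
        else:
            current = None
            top.append(raw.strip())
    return top, ifaces


def audit_dhcp_snooping(text: str) -> list:
    """Return a list of findings; an empty list means no issues were detected."""
    top, ifaces = parse_ios_config(text)
    f = []
    if "ip dhcp snooping" not in top:
        f.append("CRITICAL: DHCP Snooping not enabled globally")
    if not any(c.startswith("ip dhcp snooping vlan ") for c in top):
        f.append("CRITICAL: no 'ip dhcp snooping vlan' line; not operational on any VLAN")
    trusted = {n for n, cmds in ifaces.items() if "ip dhcp snooping trust" in cmds}
    if not trusted:
        f.append("CRITICAL: no trusted port; every DHCP Offer/Ack will be dropped")
    for name, cmds in ifaces.items():
        if name in trusted:
            continue
        # Heuristic: the description suggests an uplink or server-facing port
        if re.search(r"uplink|trunk|dhcp-server", " ".join(cmds), re.I):
            f.append(f"CRITICAL: {name} looks like an uplink/server port but is untrusted")
        if not any(c.startswith("ip dhcp snooping limit rate") for c in cmds):
            f.append(f"WARN: untrusted {name} has no DHCP rate limit (starvation risk)")
    if not any(c.startswith("ip dhcp snooping database ") for c in top):
        f.append("WARN: binding table not persisted; lost on reload (breaks DAI/IP Source Guard)")
    if "no ip dhcp snooping information option" not in top:
        f.append("INFO: Option 82 insertion is on (default); confirm the DHCP server accepts it")
    return f


# Constructed sample: the section 6.1 config with two common mistakes introduced,
# the uplink left untrusted and the access ports left without a rate limit.
BAD_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/1
 description Uplink-to-Distribution
!
interface GigabitEthernet0/2
 description DHCP-Server
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 20
 description Access-Port-End-Users
"""

if __name__ == "__main__":
    for line in audit_dhcp_snooping(BAD_CONFIG):
        print(line)
```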

7. Verification Commands

  show ip dhcp snooping
      Global DHCP Snooping status, enabled VLANs, Option 82 state, and database URL

  show ip dhcp snooping binding
      The full binding table: MAC, IP, lease time, VLAN, and interface for each entry

  show ip dhcp snooping statistics
      Per-port counters: forwarded, dropped, and rate-limited DHCP messages — useful for spotting attacks

  show ip dhcp snooping database
      Status of the binding table database file (last write time, URL, entries written)

  show interfaces status err-disabled
      Ports shut down due to rate limit violations — identifies attack source ports

  show errdisable recovery
      Shows which err-disable causes have automatic recovery enabled and the timer interval

  show ip dhcp snooping binding | include FastEthernet0/5
      Filters the binding table to show only entries for a specific interface (the output uses full interface names, as in 7.2, so match on FastEthernet0/5 rather than Fa0/5)

7.1 Sample Output – show ip dhcp snooping

  Switch# show ip dhcp snooping
  Switch DHCP snooping is enabled
  DHCP snooping is configured on following VLANs:
  10,20
  DHCP snooping is operational on following VLANs:
  10,20
  DHCP snooping is configured on the following L3 Interfaces:

  Insertion of option 82 is disabled
  circuit-id default format: vlan-mod-port
  remote-id: 001a.2b3c.4d5e (MAC)
  Option 82 on untrusted port is not allowed
  Verification of hwaddr field is enabled
  Verification of giaddr field is enabled
  DHCP snooping trust/rate is configured on the following Interfaces:

  Interface          Trusted    Allow option    Rate limit (pps)
  -----------------  -------    ------------    ----------------
  GigabitEthernet0/1  yes        yes             unlimited
  GigabitEthernet0/2  yes        yes             unlimited
  FastEthernet0/1     no         no              15
  FastEthernet0/2     no         no              15

7.2 Sample Output – show ip dhcp snooping binding

  Switch# show ip dhcp snooping binding
  MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
  ------------------  ---------------  ----------  -------------  ----  --------------------
  00:1A:2B:3C:4D:5E   192.168.10.10    86394       dhcp-snooping  10    FastEthernet0/1
  00:AA:BB:CC:DD:EE   192.168.10.15    86388       dhcp-snooping  10    FastEthernet0/3
  00:11:22:33:44:55   192.168.20.50    43190       dhcp-snooping  20    FastEthernet0/7
  Total number of bindings: 3

8. Troubleshooting DHCP Snooping

Symptom:      Clients cannot get an IP address after DHCP Snooping is enabled
Likely cause: The uplink or server port was not configured as trusted — DHCP Offers are being dropped
Fix:          Add ip dhcp snooping trust to the uplink and DHCP server port

Symptom:      DHCP requests fail with Option 82 errors in server logs
Likely cause: DHCP Snooping is inserting Option 82 but the server rejects it
Fix:          Run no ip dhcp snooping information option on the switch

Symptom:      Port goes err-disabled repeatedly
Likely cause: Rate limit is too low for the device (e.g., a downstream switch or DHCP relay)
Fix:          Raise the rate limit or trust the port if it is a legitimate aggregation link

Symptom:      Binding table empty after switch reboot — clients lose connectivity
Likely cause: Binding table was not persisted; clients must re-acquire leases before DAI or IP Source Guard passes their traffic
Fix:          Configure ip dhcp snooping database flash:filename.db for persistence

Symptom:      Legitimate DHCP server responses dropped on trunk port
Likely cause: Trunk uplink to another switch not marked as trusted — DHCP Offers dropped in transit
Fix:          Ensure all inter-switch trunk ports carrying DHCP traffic are trusted

Symptom:      show ip dhcp snooping shows no operational VLANs
Likely cause: Global ip dhcp snooping is enabled but no VLANs specified with ip dhcp snooping vlan
Fix:          Add ip dhcp snooping vlan <id> for each required VLAN

See also: Troubleshooting DHCP Clients | DHCP Snooping & DAI Lab | Debug Commands | show ip interface brief

9. DHCP Snooping vs Related Security Features

DHCP Snooping (Layer 2)
  Prevents:   Rogue DHCP servers, DHCP starvation, DHCP spoofing
  Dependency: None — base feature; provides the binding table for others

Dynamic ARP Inspection (DAI) (Layer 2)
  Prevents:   ARP spoofing, ARP poisoning, man-in-the-middle attacks
  Dependency: Requires DHCP Snooping binding table to validate ARP entries

IP Source Guard (Layer 3)
  Prevents:   IP address spoofing by untrusted hosts
  Dependency: Requires DHCP Snooping binding table to permit valid IP/MAC pairs

Port Security (Layer 2)
  Prevents:   Unauthorised devices connecting to the network, MAC flooding
  Dependency: Independent of DHCP Snooping; complements it at the physical access layer

802.1X (Port-Based Auth) (Layer 2)
  Prevents:   Unauthenticated devices gaining network access
  Dependency: Independent; works at EAP/RADIUS level before IP is assigned

Best practice: Deploy DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard together as a layered defence-in-depth strategy on access layer switches. Each feature builds on the DHCP Snooping binding table and closes a different attack vector.

10. Key Terms Quick Reference

DHCP Snooping:      A Layer 2 switch security feature that inspects DHCP messages, filters rogue server responses, and builds a binding table of valid IP/MAC/port mappings
Trusted Port:       A switch port configured to allow all DHCP messages including server Offers and Acks; used for uplinks and DHCP server connections
Untrusted Port:     The default state of all ports; only client-originated DHCP messages are allowed; server messages (Offer, Ack) arriving here are dropped
DHCP Binding Table: A dynamic database on the switch mapping each client's MAC address, IP address, lease time, VLAN, and switch port — built from successful DHCP exchanges
Rogue DHCP Server:  An unauthorised device responding to DHCP requests — may be accidental (misconfigured host) or malicious (man-in-the-middle attack)
DHCP Starvation:    An attack that floods the network with DHCP Discovers using spoofed MACs to exhaust the server's address pool, denying service to legitimate clients
Rate Limiting:      A DHCP Snooping per-port control that drops a port into err-disable if it exceeds a configured number of DHCP messages per second
Err-Disable:        A Cisco switch port state that automatically shuts down a port when a violation (such as a rate-limit breach) is detected
Option 82:          DHCP relay agent information option; inserted by the switch when snooping is active — may need to be disabled if the DHCP server rejects it
DORA:               The four-step DHCP process: Discover → Offer → Request → Acknowledge

11. DHCP Snooping – Practice Quiz

1. What is the primary purpose of DHCP Snooping on a Layer 2 switch?

Correct answer is B. DHCP Snooping acts as a security boundary between untrusted client ports and trusted server uplinks. Its core function is to drop DHCP Offer and Ack messages arriving on untrusted ports — preventing any rogue device from successfully acting as a DHCP server. It also builds a binding table used by DAI and IP Source Guard.

2. What is the default trust state of all switch ports when DHCP Snooping is enabled?

Correct answer is C. When DHCP Snooping is enabled, every port defaults to untrusted. The administrator must explicitly run ip dhcp snooping trust on uplinks to other switches and ports facing the legitimate DHCP server. Forgetting to trust uplink ports is the most common configuration mistake — it causes all DHCP Offers to be dropped.

3. A DHCP Offer message arrives on an untrusted port. What does a switch with DHCP Snooping enabled do?

Correct answer is A. DHCP Snooping's fundamental rule is that server-originated messages (Offer, Ack, Nak) must only arrive on trusted ports. Any such message arriving on an untrusted port is immediately dropped — the switch assumes the frame came from a rogue device. The drop happens silently at the port level; statistics are updated in show ip dhcp snooping statistics.

4. When does the DHCP Snooping binding table create a new entry for a client?

Correct answer is D. The binding table entry is only created after the full DORA exchange completes successfully — specifically when the DHCP Ack arrives from the trusted server port. At that point the switch has confirmed that the IP address has been legitimately assigned, and it records the full tuple (MAC, IP, lease, VLAN, interface) as a validated binding.

5. An engineer enables DHCP Snooping on a switch, but clients immediately stop receiving IP addresses. No configuration errors are visible. What is the most likely cause?

Correct answer is B. The most common post-enablement failure is forgetting to trust the uplink port. When DHCP Offers from the legitimate server arrive via the distribution switch on the (now untrusted) uplink, the access switch drops them. Clients send Discovers, but never receive an Offer. Always run ip dhcp snooping trust on all uplinks toward the DHCP server before enabling snooping on production VLANs.

6. What type of attack does DHCP rate limiting on untrusted ports defend against?

Correct answer is C. Rate limiting targets DHCP starvation attacks, where the attacker's goal is not to impersonate a server but to overwhelm the server's address pool by generating vast numbers of Discover messages. By capping the rate at which any single untrusted port can send DHCP messages (e.g., 15 pps), the switch detects the burst and places the port in err-disable before the attack can succeed.

7. Which other Layer 2 security feature directly depends on the DHCP Snooping binding table to function?

Correct answer is A. Dynamic ARP Inspection (DAI) relies on the DHCP Snooping binding table as its source of truth. When an ARP packet arrives on an untrusted port, DAI checks whether the sender's IP and MAC match a valid entry in the binding table. If they do not match (i.e., the MAC/IP pairing is not in the table), DAI drops the ARP — preventing ARP spoofing and man-in-the-middle attacks. Without a populated binding table, DAI cannot function correctly.

8. After enabling DHCP Snooping, a network engineer notices that the DHCP server is rejecting all client requests. The server logs show "invalid relay agent information." What should the engineer check first?

Correct answer is D. By default, Cisco switches insert DHCP Option 82 (relay agent information) into client Discover and Request messages when DHCP Snooping is enabled. Many DHCP servers are not configured to accept Option 82 from a non-relay-agent switch and will silently drop or reject the requests. The fix is no ip dhcp snooping information option, which stops the switch from inserting Option 82. This is one of the most frequently tested DHCP Snooping troubleshooting scenarios on the CCNA exam.

9. A switch port connected to a downstream access switch (carrying DHCP traffic for 50 clients) is rate-limited to 15 DHCP packets per second and goes err-disabled during morning boot-up. What is the correct fix?

Correct answer is B. A 15 pps rate limit is appropriate for a single end-device port but completely inadequate for a port aggregating 50 clients. During boot-up, all 50 clients simultaneously send DHCP Discovers, easily exceeding 15 pps and triggering err-disable. The correct fix is to either raise the rate limit to match the expected burst (e.g., 100–200 pps) or, if the downstream switch is under administrative control and trusted, configure the port as trusted so DHCP Offers can also pass freely.

10. A switch running DHCP Snooping is reloaded for maintenance. Immediately after reload, clients with existing DHCP leases cannot reach the network even though their leases have not expired. DAI is also enabled. What is the cause?

Correct answer is C. The DHCP Snooping binding table lives in RAM by default and is lost on every reload. When DAI is also running, it checks all ARP packets against the binding table — and since the table is now empty, DAI drops all ARP from existing clients (whose leases are still valid on the DHCP server but unknown to the switch). The clients appear offline. The long-term fix is ip dhcp snooping database flash:filename.db to persist the binding table across reloads. The immediate fix is to have clients renew their leases (which rebuilds the table) or to manually add static bindings.
