Using DHCP Snooping Only

On an edge device in an environment where DHCP is exclusively the provider of IP addresses, the switch with DHCP snooping enabled will record all users' DHCP interactions and should have an IP address binding for each connected user.

Untrusted ports do not create bindings from DHCP server packets. Optionally, the client hardware address in the DHCP packet is verified to match the source MAC address of the packet; if it does not match, the packet is dropped. This is a more robust security feature that can be used on the edge of the network, where client requests are expected to come from the client itself, not from a different switch, router, or AP.

No port class actions are taken against users whose IP address assignment changes due to DHCP (where the server responses are on a trusted port), and user counters do not increment. Without DAI or IP source guard configured, anti-spoofing ensures that server packets are only handled where appropriate, that malicious users do not release or decline DHCP IP address assignments for other users, that DHCP client request packets are coming from the actual client (optional), and that the MAC-IP address binding database is populated. In addition, policy should be configured to drop any unwanted server traffic on untrusted ports.
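The following toy model is an added illustration, not code from the original documentation or from any vendor's switch software. It applies the rules in the two paragraphs above to a constructed packet sequence: server messages arriving on untrusted ports are dropped, the optional chaddr/source-MAC check rejects mismatched client packets, RELEASE/DECLINE is only honoured from the port that holds the binding, and an IP change confirmed via a trusted port only bumps an accounting counter. Port names, MAC strings and the packet fields are simplified assumptions.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpPkt:
    port: str       # ingress switch port (constructed names such as "ge5")
    src_mac: str    # Ethernet source MAC of the frame
    chaddr: str     # client hardware address inside the DHCP payload
    msg_type: str   # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    ip: str = ""    # yiaddr on ACK, ciaddr on RELEASE/DECLINE


@dataclass
class Snooper:
    trusted: set                                    # ports facing DHCP servers
    verify_mac: bool = True                         # optional chaddr == src MAC check
    bindings: dict = field(default_factory=dict)    # chaddr -> (ip, client port)
    pending: dict = field(default_factory=dict)     # chaddr -> port of last request
    ip_changes: dict = field(default_factory=dict)  # chaddr -> IP change counter

    def process(self, p: DhcpPkt) -> str:
        """Apply the snooping rules to one packet; returns 'forward' or 'drop'."""
        untrusted = p.port not in self.trusted
        if p.msg_type in SERVER_MSGS:
            if untrusted:
                return "drop"  # server replies are only accepted via trusted ports
            if p.msg_type == "ACK" and p.chaddr in self.pending:
                old = self.bindings.get(p.chaddr)
                if old and old[0] != p.ip:  # lease moved: accounting only, no port action
                    self.ip_changes[p.chaddr] = self.ip_changes.get(p.chaddr, 0) + 1
                self.bindings[p.chaddr] = (p.ip, self.pending.pop(p.chaddr))
            return "forward"
        # Client messages from here on.
        if untrusted and self.verify_mac and p.chaddr != p.src_mac:
            return "drop"  # payload names a different client than the frame source
        if p.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(p.chaddr)
            if untrusted and bound and bound[1] != p.port:
                return "drop"  # another port trying to release/decline this user's lease
            self.bindings.pop(p.chaddr, None)
            return "forward"
        if untrusted:
            self.pending[p.chaddr] = p.port  # DISCOVER/REQUEST: remember the client port
        return "forward"
```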

If IP source guard and DAI are disabled or configured for inspection-only away from the edge of a network, DHCP exchange packets could be missed — for example, link loss at the distribution or core layer would not necessarily cause DHCP renewals from the end users at the edge, thus the binding table would not be repopulated — and users could suffer the consequence of unintended violations (for example, denial of service).

However, there are still benefits to using DHCP snooping without IP source guard or DAI away from the edge of the network. This type of network configuration allows for user accounting (user IP address change counters) and allows the user IP address binding table to be populated from known DHCP servers. The binding table will then allow user leases to run for the lease time configured on the network before other anti-spoofing features are turned on. In this scenario, an administrator should recognize that configuring any actions that limit a user's traffic after a violation could potentially disrupt network traffic for an otherwise legitimate user. Generally, this configuration would not be used away from the edge to quarantine or otherwise limit users' traffic, as these limitations could be manipulated to cause denial of service attacks against a user.