set antispoof dhcp-snooping

Use this command to enable or disable the DHCP snooping anti-spoofing feature on the specified port or ports.

Syntax

set antispoof dhcp-snooping {enable | disable} port-string

Parameters

enable Enables DHCP snooping on the specified port.
disable Disables DHCP snooping on the specified port.
port-string The port or port range.

Defaults

DHCP snooping defaults to disabled on all ports.

Mode

All command modes.

Usage

Malicious users can spoof DHCP server response packets to hand clients false values for fields such as the default gateway or the domain name resolution server. An unauthorized server can misconfigure clients so that their traffic goes through the wrong gateway, giving the attacker access to that traffic, or so that the client is denied access to network resources. A malicious user can also send packets from a single source MAC address that request IP addresses on behalf of many different users, by changing the client hardware address field in each DHCP packet.

The DHCP acknowledgement packet carries the authoritative MAC and IP address pair for a client. With DHCP snooping enabled on a port, when a DHCP acknowledgement packet is received on that port, and the port is trusted, and the client's MAC address has been authenticated and is present in the multiauth session table, a source MAC address to source IP address binding is created for that client and added to the source MAC address to IP address binding table.

DHCP acknowledgement packets received on an untrusted port are recorded but are allowed to be processed further. Anti-spoofing tracks the DHCP-assigned addresses of clients on untrusted ports using the bindings learned by snooping DHCP server packets on trusted ports, as described above. If the source address of a client packet is not in the binding table, a violation is counted. When the class action threshold is met, the action taken is determined by the class configuration assigned to that port. The class is configured with set antispoof class threshold-index and assigned to the port with set antispoof port-class.

The DHCP snooping port mode determines the anti-spoofing behavior for traffic traversing the port. Port mode can be set to trusted, untrusted, or bypass; see set antispoof dhcp-snooping port-mode for port mode details. DHCP server acknowledgement messages populate the source MAC to IP address table only when received on trusted ports. DHCP server acknowledgement messages received on bypass ports are ignored for the purpose of populating the source MAC to IP address table. Untrusted ports should have a policy configuration that drops DHCP server packets arriving on that port, so that a rogue server on the user side cannot answer clients.

When a DHCP server message assigns a new IP address to a MAC address whose existing binding has not yet expired, a Syslog message is sent, but the threshold violation counter is not incremented.

If dynamic ARP inspection (see set antispoof arp-inspection) or IP source guard (see set antispoof ip-inspection) are set to disabled (default) or inspection only, DHCP snooping must be enabled for a source MAC to IP address binding to be created.

Note

If IP source guard and dynamic ARP inspection are disabled or configured for inspection only on switches away from the edge of the network, DHCP exchange packets could be missed, for example because of link loss at the distribution or core layer. DHCP renewals from end users at the edge may then not occur, and the binding table would not be repopulated. Be aware that, under these circumstances, users could suffer unintended threshold violations and be denied network resources.

Source MAC to IP address bindings will timeout if:

  • The DHCP lease expires
  • A DHCP release frame is received on the port
  • A manual clear is entered using clear antispoof binding
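The binding-table behavior described in the Usage section (acknowledgements learned only on trusted ports, violations and the class threshold on untrusted ports, the Syslog-only case for a new address on an unexpired lease, and the three ways a binding times out) is summarized in the following Python model. This is an added illustration, not Enterasys switch code; the port names, MAC and IP addresses, lease times and the class threshold of 3 are constructed values, and the class action is represented only by a flag.

```python
"""
Added example (not Enterasys code): a small model of the DHCP snooping
source MAC to IP address binding table and the violation logic described
in the Usage section. Port names, addresses, lease lengths and the class
threshold of 3 are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TRUSTED, UNTRUSTED, BYPASS = "trusted", "untrusted", "bypass"


@dataclass
class Binding:
    mac: str
    ip: str
    lease_expires: float  # absolute time in seconds


@dataclass
class Port:
    name: str
    snooping: bool = False
    mode: str = UNTRUSTED
    threshold: int = 3        # assumed class action threshold for the port's class
    violations: int = 0
    action_taken: bool = False


class AntiSpoof:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.bindings: Dict[str, Binding] = {}  # source MAC -> binding table entry
        self.multiauth: set = set()             # MACs present in the multiauth session table
        self.syslog: List[str] = []

    def expire(self, now: float) -> None:
        """Timeout case 1: drop bindings whose DHCP lease has expired."""
        for mac in [m for m, b in self.bindings.items() if b.lease_expires <= now]:
            del self.bindings[mac]

    def dhcp_ack(self, port_name: str, now: float, ack: dict) -> Optional[Binding]:
        """Snoop a DHCP server acknowledgement. Only a trusted port with snooping
        enabled and an authenticated client MAC populates the binding table;
        bypass ports are ignored and untrusted ports do not create bindings."""
        port = self.ports[port_name]
        if not port.snooping or port.mode != TRUSTED:
            return None
        mac, ip, lease = ack["chaddr"], ack["yiaddr"], ack["lease"]
        if mac not in self.multiauth:
            return None
        old = self.bindings.get(mac)
        if old and old.ip != ip and old.lease_expires > now:
            # New address while the old lease is still valid: Syslog only, no violation.
            self.syslog.append(f"{mac}: binding changed {old.ip} -> {ip} before lease expiry")
        binding = Binding(mac, ip, now + lease)
        self.bindings[mac] = binding
        return binding

    def dhcp_release(self, mac: str) -> None:
        """Timeout case 2: a DHCP release frame removes the binding."""
        self.bindings.pop(mac, None)

    def clear_binding(self, mac: Optional[str] = None) -> None:
        """Timeout case 3: manual clear (clear antispoof binding), one MAC or all."""
        if mac is None:
            self.bindings.clear()
        else:
            self.bindings.pop(mac, None)

    def client_packet(self, port_name: str, now: float, mac: str, ip: str) -> str:
        """Check a client packet on an untrusted port against the binding table.
        Returns 'ok', 'violation' (counted, below threshold) or 'action' (threshold met)."""
        port = self.ports[port_name]
        if not port.snooping or port.mode != UNTRUSTED:
            return "ok"  # trusted and bypass ports are not checked
        self.expire(now)
        binding = self.bindings.get(mac)
        if binding is not None and binding.ip == ip:
            return "ok"
        port.violations += 1
        if port.violations >= port.threshold:
            port.action_taken = True  # the configured class action would be applied here
            return "action"
        return "violation"


def scenario() -> dict:
    """Walk the behaviours from the Usage section with constructed traffic."""
    asp = AntiSpoof()
    asp.ports["ge.1.24"] = Port("ge.1.24", snooping=True, mode=TRUSTED)   # uplink toward DHCP server
    asp.ports["ge.1.2"] = Port("ge.1.2", snooping=True, mode=UNTRUSTED)   # user-facing edge port
    asp.ports["ge.1.3"] = Port("ge.1.3", snooping=True, mode=BYPASS)
    mac = "00:11:22:33:44:55"
    asp.multiauth.add(mac)
    ack = {"chaddr": mac, "yiaddr": "10.0.0.10", "lease": 3600}  # constructed server ACK
    r = {}
    r["ack_on_bypass_ignored"] = asp.dhcp_ack("ge.1.3", 0, ack) is None
    r["ack_on_trusted_learned"] = asp.dhcp_ack("ge.1.24", 0, ack) is not None
    r["valid_client"] = asp.client_packet("ge.1.2", 10, mac, "10.0.0.10")
    r["spoof"] = [asp.client_packet("ge.1.2", 11 + i, mac, "10.0.0.1") for i in range(3)]
    before = asp.ports["ge.1.2"].violations
    asp.dhcp_ack("ge.1.24", 20, {"chaddr": mac, "yiaddr": "10.0.0.11", "lease": 3600})
    r["syslog"] = len(asp.syslog)
    r["counter_unchanged"] = asp.ports["ge.1.2"].violations == before
    asp.expire(20 + 3600)
    r["bound_after_expiry"] = mac in asp.bindings
    return r


if __name__ == "__main__":
    print(scenario())
```

Running the script prints the scenario results: the acknowledgement on the bypass port creates nothing, the one on the trusted uplink does, the client's real address passes, three packets with a forged source IP produce two counted violations and then the class action, the re-assignment to 10.0.0.11 before lease expiry produces one Syslog entry without touching the violation counter, and the binding disappears once its lease expires.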

Examples

This example shows how to enable DHCP snooping on port ge.1.2:

System(rw)->set antispoof dhcp-snooping enable ge.1.2