What is DHCP Snooping?
DHCP Snooping is a network security feature that ensures only trusted DHCP servers may hand out IP addresses within a network. It prevents rogue or incorrectly connected devices from assigning IP addresses, which could otherwise lead to spoofing, eavesdropping or network outages.
In OT networks, DHCP Snooping prevents a laptop, rogue switch or compromised field device from rerouting traffic from PLCs or SCADA servers via a forged IP configuration.
🧠 Why is DHCP Snooping important?
- Protects against rogue DHCP servers (such as improvised access points or laptops)
- Records IP ↔ MAC ↔ switch-port bindings
- Provides the basis for IP Source Guard and Dynamic ARP Inspection
- Improves network stability in OT by preventing duplicate IPs or misrouted traffic
- Essential for MAC Binding, Port Security and Zero Trust Architecture
⚙️ How does DHCP Snooping work?
| Step | Description |
|---|---|
| Switch ports are marked as trusted or untrusted | Only trusted ports may send DHCP offers |
| Client DHCP requests from untrusted ports | Are forwarded, but a server response is only accepted if it arrives on a trusted port |
| Switch records MAC, IP, VLAN, port | These bindings are stored in a DHCP Snooping binding table |
| Other features such as IP Source Guard | Build on this table to detect or block spoofing |
🔐 Example applications in OT
| Scenario | Benefit of DHCP Snooping |
|---|---|
| Production network with a fixed IP range | Prevents a misconfiguration from leading to unwanted DHCP address issuance |
| Connected maintenance laptop | DHCP requests from unknown devices are checked |
| Rogue device tries to redirect traffic | Request is blocked on the untrusted port |
| Integration with Asset Inventory | Binding tables show which device received which IP on which port |
🛡️ Security combinations
| Measure | What it adds |
|---|---|
| IP Source Guard | Blocks packets with spoofed IP addresses |
| Dynamic ARP Inspection | Verifies that ARP traffic matches the DHCP Snooping table |
| Port Security | Limits the number of devices per port |
| 802.1X | Adds authentication before access is granted |
| VLAN isolation | Isolates untrusted ports or unauthorised devices |
⚠️ Considerations
- Always configure the correct ports as trusted (e.g. the uplink towards your DHCP server) and leave the others untrusted
- Devices with static IPs are not logged in the snooping table
- Support depends on the switch model (Hirschmann, Cisco IE, Moxa, etc.)
- Some switches require NTP for binding timeouts
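The trusted/untrusted decision and binding table from the "How does DHCP Snooping work?" table, the IP Source Guard check from "Security combinations", and the static-IP caveat above, modelled as an added Python example (not code from the original page or any switch vendor). Port names, MAC and IP addresses are constructed sample values; the model ignores lease times and rate limits.

```python
from dataclasses import dataclass

# DHCP message types (option 53 values from RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}


@dataclass(frozen=True)
class DhcpPacket:
    in_port: str      # switch port the frame arrived on
    vlan: int
    src_mac: str
    msg_type: int     # DHCP option 53
    chaddr: str       # client hardware address in the DHCP header
    yiaddr: str = ""  # address handed out (only meaningful in OFFER/ACK)


class SnoopingSwitch:
    """Minimal model of trusted/untrusted handling and the binding table."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # chaddr -> (vlan, port) of the client's request
        self.bindings = {}  # (vlan, client_mac) -> (ip, port)

    def handle_dhcp(self, pkt: DhcpPacket) -> str:
        """Return 'forward' or 'drop'; learn a binding from a trusted ACK."""
        if pkt.msg_type in SERVER_MESSAGES and pkt.in_port not in self.trusted:
            return "drop"   # server reply on an untrusted port: rogue server
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[pkt.chaddr] = (pkt.vlan, pkt.in_port)
        elif pkt.msg_type == ACK and pkt.chaddr in self.pending:
            vlan, port = self.pending.pop(pkt.chaddr)
            self.bindings[(vlan, pkt.chaddr)] = (pkt.yiaddr, port)
        return "forward"

    def add_static_binding(self, vlan, mac, ip, port):
        """Static-IP devices never enter the table unless added by hand."""
        self.bindings[(vlan, mac)] = (ip, port)

    def verify_source(self, in_port, vlan, src_mac, src_ip) -> bool:
        """IP Source Guard: on untrusted ports only bound (ip, port) pairs pass."""
        if in_port in self.trusted:
            return True
        return self.bindings.get((vlan, src_mac)) == (src_ip, in_port)
```

A device with a static IP fails `verify_source` until a static binding is added, which is why enabling IP Source Guard on OT access ports needs an inventory of statically addressed devices.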
📌 In summary
DHCP Snooping protects your OT network against forged IP addresses and rogue DHCP servers. It forms the foundation for network integrity and spoofing protection in structured OT architectures.
