DHCP Snooping in VXLAN BGP EVPN Overview
DHCP Snooping in VXLAN BGP EVPN is a process that:
-
validates ARP/GARP packets sent from a host, preventing ARP spoofing and malicious ARP storms,
-
validates data-plane traffic from the host using IPSG, preventing malicious hosts from sending data traffic, and
-
replicates DHCP Snooping entries across the VXLAN fabric, enabling DAI and IPSG to function across the fabric even after a host move.
First Hop Security
First Hop Security (FHS) is an access security feature that:
-
provides security to the network at the access point where the host connects to the first switch,
-
authorizes and authenticates hosts, and
-
protects the network by ensuring only authorized hosts are allowed network access.
The Dot1x, port-security, and DHCP Snooping are examples of access security features.
DHCP Snooping database
DHCP Snooping database (DB) is a database that:
-
contains the MAC address of the host, the IP address assigned to the host by the DHCP server, VLAN, and other details like the lease time,
-
can contain local or remote snooping DB entries, and
-
can be configured using the ip source binding ip address vlan vlan-id interface interface interface command.
![]() Note |
Snooping entries added through this command are referred to as static entries, and they are distributed across all VTEPs. |
Distributed DHCP Snooping database
Distributed DHCP Snooping DB is a database that:
-
validates ARPs/GARPs sent from the host using DAI.
-
validates data-plane traffic from the host using IPSG, and
-
is replicated across the fabric.
![]() Note |
The ARP/GARP will be dropped if there is no matching entry in the DB. |

Feedback