DHCP Snooping is a vital Layer 2 security feature that protects networks from unauthorized DHCP servers, preventing potential man-in-the-middle attacks and IP address spoofing.
By classifying switch ports as trusted or untrusted, DHCP Snooping ensures that only legitimate DHCP messages are processed, while invalid messages from rogue servers are filtered out.
Configuring DHCP Snooping involves enabling the feature globally and on the relevant VLANs, designating the ports that lead to legitimate DHCP servers (or relay agents) as trusted, and verifying the binding database the switch builds from the DHCP traffic it observes. Proper configuration is essential for a secure and efficient network: it blocks DHCP-based attacks while still letting legitimate clients obtain addresses without interruption.
In this article, we will look at what DHCP Snooping is, the benefits it provides, and the process of configuring it on Cisco switches. As part of our online Cisco Enterprise training, we provide more guides on Cisco devices and services.
DHCP Snooping is a Layer 2 security feature that protects networks from unauthorized DHCP servers by filtering out invalid DHCP messages. It classifies switch ports as trusted or untrusted, allowing only legitimate DHCP traffic from trusted sources.
This helps prevent attacks such as DHCP spoofing and starvation, ensuring clients receive valid IP addresses from authorized servers. By maintaining a binding database of IP-MAC address mappings, DHCP Snooping enhances network integrity and security.
The following steps describe how DHCP Snooping handles a DHCP exchange from start to finish.
Step 1- Device Initialization: A client without an IP address broadcasts a DHCP Discover message to locate a DHCP server.
Step 2- Port Classification: Before any of this traffic arrives, the administrator has marked the switch ports that lead toward legitimate DHCP servers or relay agents as trusted; every other port, including all client ports, is untrusted by default. Client messages (Discover, Request, Release, Decline) are accepted from untrusted ports, while server messages (Offer, ACK, NAK) are accepted only from trusted ports.
Step 3- DHCP Offer Reception: When a DHCP Offer arrives, the switch forwards it only if it entered on a trusted port. An Offer (or an ACK or NAK) arriving on an untrusted port is discarded, which is what stops a rogue server from answering clients.
Step 4- Acknowledgment Stage: The client answers a valid Offer with a DHCP Request, and the server confirms the lease with a DHCP ACK.
Step 5- Binding Table Creation: From the DHCP ACK, the switch creates or updates an entry in the DHCP Snooping Binding Database containing the client's MAC address, leased IP address, lease time, VLAN number, and the interface the client is attached to.
Step 6- Subsequent Requests Validation: For later DHCP messages from untrusted ports, the switch checks that the client hardware address (chaddr) inside the DHCP packet matches the frame's source MAC address and drops mismatches. It also drops a DHCP Release or Decline whose MAC address and interface do not match an existing binding, so one host cannot release another host's lease.
Step 7- Ongoing Monitoring: The switch keeps enforcing these rules for the life of the port, and can optionally rate-limit DHCP packets on untrusted ports so that a flood of requests cannot exhaust the server's address pool.
Let's now configure DHCP Snooping on Cisco switches. The step-by-step process below can be followed on our CCNP virtual lab.
Tasks:
● In this task, we will configure DHCP Snooping
Configuration
Step 1: Configure R1 as the DHCP server with the following configuration:
R1: Configure Eth0/0 with IP address 1.1.1.1/24
Configure a DHCP pool for VLAN 24 on R1
Configure a default route from R1 toward SW2 interface Eth10/0 (IP address 2.1.2.2)
Step 2: Configure SW1 with the following configuration:
SW1: Configure Eth1/0 in VLAN 1
Configure the Layer 3 VLAN 1 interface on SW1 with IP address 1.1.1.11/24, and configure Eth10/0 with IP address 2.1.2.1/24
Configure a default route pointing to SW2 interface Eth10/0 (IP address 2.1.2.2), and shut down all other ports on SW1 (Eth11/0, Eth12/0)
Step 3: Configure the R2 interface Eth0/1 and the R4 interface Eth0/1 so that they obtain their IP addresses from the DHCP server.
Currently, any broadcast sent by Client-R2 or Client-R4 is flooded by Switch-2 and is visible to the other client as well as to Router-3 (the Rogue DHCP Server). This means that when, for example, Client-R2 transmits a broadcast DHCP Discover packet and a broadcast DHCP Request packet, both are visible to every other device in VLAN 24. Verify this for yourself as follows:
Ensure that you have two Telnet windows open at the same time: one to R2 and another to R4.
On Client-R4, enter the command "debug ip udp port 67". This displays any IP packets that Client-R4 has received and punted to its CPU with a source or destination UDP port of 67 (the DHCP server port).
On Client-R2, shut down interface Ethernet0/1 and then re-enable it. The debug running on Client-R4 will show that it has received the DHCP broadcasts sent to and from Client-R2.
Turn off all debugging on Client-R4 with the command "undebug all" (or simply "u all").
Step 4: Complete the configuration of R3 as a Rogue DHCP Server by doing the following:
Enable the command "service dhcp".
Create a DHCP pool.
Your pool should provide IP addresses within the correct subnet of 24.24.24.0/24. Your pool should be configured to intentionally offer the INCORRECT address 24.24.24.33 (the Rogue DHCP Server itself) as the default router for all DHCP clients.
Your pool should be configured with a DHCP lease time of 7 days.
Typically, when a DHCP client receives more than one Offer in response to its DHCP Discover, it accepts the first Offer it receives.
In this case, because the Rogue DHCP Server sits in the same VLAN as the clients and answers directly, its Offer will normally arrive before the legitimate Offer, which has to travel through the relay agent to the Corporate DHCP Server and back. The clients will therefore be given an IP address in the correct subnet, but their default gateway assignment will be wrong.
Any packets they attempt to send off-subnet will be sent to R3 (the Rogue DHCP Server), because the clients believe that device is their default gateway. This is the classic man-in-the-middle position that DHCP spoofing is used to obtain.
To verify this:
Disable interface Ethernet0/1 on Client-R2.
Re-enable this interface.
Watch for this interface to be assigned a DHCP Address.
To prove that this address came from the Rogue DHCP Server, issue the command "show ip route" and notice that you now have a default route to 24.24.24.33. This route SHOULD have pointed to 24.24.24.22 (your DHCP Relay Agent / default gateway).
If the above steps do not work and you still have a default route pointing at your legitimate default gateway of 24.24.24.22, disable Ethernet0/1 on Client-R2, wait at least 30 seconds, and then enable the interface again.
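The rogue server configuration for Step 4, written out as an added example rather than the page's own configuration. The interface name Ethernet0/1 on R3 and the pool name ROGUE-VLAN24 are assumptions; the subnet, the deliberately wrong default router 24.24.24.33 and the 7-day lease come from the task text. The Client-R2 commands at the end are the verification the task describes:

```cisco
! R3: deliberately configured as the lab's rogue DHCP server (Step 4).
! Assumption: R3 is attached to VLAN 24 through Ethernet0/1 (the page does not name the port).
interface Ethernet0/1
 ip address 24.24.24.33 255.255.255.0
 no shutdown
!
service dhcp
! Keep the legitimate gateway and the rogue's own address out of the pool
ip dhcp excluded-address 24.24.24.22
ip dhcp excluded-address 24.24.24.33
!
ip dhcp pool ROGUE-VLAN24
 network 24.24.24.0 255.255.255.0
 ! Correct subnet, wrong gateway: clients will hand all off-subnet traffic to R3
 default-router 24.24.24.33
 ! Lease time in days
 lease 7
!
! ---- Client-R2: release the old lease and see which server answers first ----
interface Ethernet0/1
 shutdown
 no shutdown
end
! The default route now points at 24.24.24.33 instead of 24.24.24.22
show ip route
! Shows the server that issued the lease and the remaining lease time
show dhcp lease
```

Because R3 answers on the local VLAN while the legitimate Offer has to be relayed to R1 and back, the rogue Offer wins the race almost every time; that timing advantage, not any protocol weakness in the clients, is what the snooping configuration in the next step removes.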
Step 5:
Configure DHCP Snooping on Switch-2.
Verify that DHCP Snooping is functional:
Check that the feature has been enabled correctly by viewing the output of the command "show ip dhcp snooping".
View the DHCP Snooping Binding Database with "show ip dhcp snooping binding" and look for the entries created by DHCP clients R2 and R4.
Verify that both DHCP clients received their DHCP information from the Corporate DHCP Server (their default route should again point to 24.24.24.22).
SW2(config)#ip dhcp snooping
SW2(config)#ip dhcp snooping vlan 24
Step 6:
Notice that in the previous steps, you enabled DHCP Snooping on a switch (Switch-2) that was configured as a DHCP Relay Agent. In other words, when Switch-2 receives DHCP broadcasts on its VLAN-24 Switched Virtual Interface, it rewrites them as unicast packets (placing its own SVI address in the giaddr field) and routes them toward the Corporate DHCP Server.
Now, change the configuration of Switch-1 and Switch-2 so they match the topology diagram below (notice that Switch-1 is now configured as the DHCP Relay Agent, and the link between Switch-1 and Switch-2 is a Layer-2 access switchport). Do NOT change any of your existing DHCP Snooping configuration on Switch-2.
Test to see if DHCP Snooping is still functional on Switch-2. If not, do you know WHY?
You should have noticed on both Client-R2 and Client-R4 that they are no longer able to obtain DHCP information from any DHCP Server.
Fix DHCP Snooping on Switch-2 so that both DHCP clients can, once again, obtain DHCP information from the Corporate DHCP Server.
When configuring DHCP Snooping, it is important to understand that it behaves differently depending on whether the switch functions as a Layer-2 or a Layer-3 device.
When the switch operates as a Layer-3 switch and acts as the DHCP Relay Agent, the server's replies come back to the switch across its routed interface, not on a port in the snooped VLAN, and the relayed client packets are generated by the switch itself. DHCP Snooping treats the SVI that receives the client broadcasts as trusted, so there is no need to manually configure any interface, physical or virtual, as trusted in that VLAN.
When the switch operates purely as a Layer-2 device, with the DHCP clients and the ports leading to the DHCP server or relay all configured as Layer-2 switchports, the physical interface that connects upstream toward the trusted DHCP server or relay must be designated as trusted. Otherwise the Offer and ACK messages arriving on that uplink are dropped just as a rogue server's would be. This is done with the interface command "ip dhcp snooping trust".
In addition, a switch running DHCP Snooping inserts DHCP Option 82 (the relay agent information option) into client packets by default. A Cisco IOS router or switch acting as the relay agent, or as the DHCP server, drops by default any client packet that carries Option 82 while its giaddr field is still 0.0.0.0, because the packet looks like it was tampered with before it reached a relay.
To prevent this, either configure the DHCP Snooping switch not to insert Option 82 with the global command "no ip dhcp snooping information option", or tell the relay agent to accept such packets with "ip dhcp relay information trust-all". The first approach is the one used in this lab.
By understanding these configurations and their implications, network administrators can implement DHCP Snooping effectively, enhancing security while remaining compatible with the existing DHCP server and relay configuration.
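The complete Switch-2 configuration for Step 5 (Switch-2 as the Layer-3 relay) and for the Step 6 fix (Switch-2 as a pure Layer-2 switch), as an added example that is not the page's own configuration. Ethernet10/0 is the SW1-SW2 link named in the lab steps; the client-facing ports Ethernet0/1 to Ethernet0/3, the helper address 1.1.1.1 (R1) and the rate-limit value are assumptions:

```cisco
! ---- Step 5: Switch-2 is the Layer-3 DHCP relay agent for VLAN 24 ----
ip dhcp snooping
ip dhcp snooping vlan 24
! Server replies arrive on the routed side (2.1.2.0/24), not on a VLAN 24 port,
! so no VLAN 24 interface needs "ip dhcp snooping trust" in this topology.
interface Vlan24
 ip address 24.24.24.22 255.255.255.0
 ! Assumption: R1 (1.1.1.1) is the corporate DHCP server the relay forwards to
 ip helper-address 1.1.1.1
!
! ---- Step 6: Switch-2 becomes a pure Layer-2 switch; Switch-1 now relays ----
! Weak state (the configuration carried over unchanged): Ethernet10/0 is an
! untrusted VLAN 24 access port, so every Offer/ACK from the corporate server is
! dropped, and Option 82 is still inserted, so Switch-1 drops the Discover
! because Option 82 is present while giaddr is 0.0.0.0.
no interface Vlan24
interface Ethernet10/0
 no ip address
 switchport
 switchport mode access
 switchport access vlan 24
 ! Fix 1: trust the uplink that leads to the legitimate DHCP relay/server
 ip dhcp snooping trust
!
! Fix 2: stop inserting Option 82 (the alternative is to keep it and configure
! "ip dhcp relay information trust-all" on Switch-1)
no ip dhcp snooping information option
!
! Client-facing ports stay untrusted (the default). Throttle DHCP on them so a
! starvation flood err-disables the port instead of exhausting the pool.
interface range Ethernet0/1 - 3
 switchport mode access
 switchport access vlan 24
 ip dhcp snooping limit rate 10
!
! Bring a rate-limited port back automatically after the default recovery interval
errdisable recovery cause dhcp-rate-limit
!
! Drop client packets whose DHCP chaddr differs from the Ethernet source MAC (on by default)
ip dhcp snooping verify mac-address
!
! ---- Verification ----
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

The two halves are not meant to coexist: the Step 5 section is what the lab has running before the topology change, and the Step 6 section is what has to change afterwards. The point of the exercise is that the same two snooping commands are correct in both topologies; what breaks is the implicit trust the Layer-3 design gave you for free, and it has to be made explicit once the server traffic enters through an ordinary switchport.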
DHCP Snooping is a critical security feature that offers several benefits to network administrators, primarily by protecting against various attacks and ensuring the integrity of IP address assignments. Here are the key benefits and the common attacks it helps prevent:
1. Prevention of Rogue DHCP Servers:
DHCP Snooping helps block unauthorized DHCP servers from distributing IP addresses. By designating trusted and untrusted ports, the switch can filter out malicious DHCP Offer and ACK messages, ensuring only legitimate servers are allowed to communicate with clients.
2. Protection Against DHCP Spoofing Attacks:
DHCP spoofing occurs when an attacker masquerades as a legitimate DHCP server, potentially redirecting clients to incorrect IP configurations. DHCP Snooping mitigates this risk by monitoring and blocking DHCP traffic from untrusted sources, thereby preventing man-in-the-middle attacks.
3. Defense Against DHCP Starvation Attacks:
In a DHCP starvation attack, an attacker floods the network with fake DHCP requests, each with a different client hardware address, to exhaust the available IP address pool. DHCP Snooping limits the rate of incoming DHCP packets on untrusted ports (err-disabling a port that exceeds the limit), and by default drops any client packet whose DHCP client hardware address does not match the frame's source MAC address, which defeats tools that spoof only the DHCP-layer address. Together these measures significantly reduce the likelihood of a successful starvation attack.
4. Validation of DHCP Messages:
By maintaining a binding database that tracks valid IP-MAC address mappings, DHCP Snooping ensures that only legitimate requests and responses are processed. This validation helps prevent bogus DHCP messages from being accepted, further securing the network.
5. Integration with Other Security Features:
The binding database created by DHCP Snooping can be leveraged by other security mechanisms such as Dynamic ARP Inspection (DAI) and IP Source Guard, enhancing overall network security by providing additional layers of protection against various types of network attacks.
DHCP Snooping is a crucial security feature that prevents unauthorized DHCP servers from distributing IP addresses, protecting against attacks like DHCP spoofing and starvation. It filters DHCP traffic based on trusted and untrusted ports, ensuring only legitimate servers communicate with clients.
Maintaining a binding database of valid IP-MAC address mappings enhances overall network integrity and facilitates integration with other security features such as Dynamic ARP Inspection. Implementing DHCP Snooping significantly improves network security and reliability.
To learn more about such technologies check out the IT infrastructure training courses at Uninets!