
What is DHCP Snooping and How to Configure on Cisco Switch

Created by Gautam Sharma in Articles 1 Nov 2024

DHCP Snooping is a vital Layer 2 security feature that protects networks from unauthorized DHCP servers, preventing potential man-in-the-middle attacks and IP address spoofing.

By classifying switch ports as trusted or untrusted, DHCP Snooping ensures that only legitimate DHCP messages are processed, while invalid messages from rogue servers are filtered out.

Configuring DHCP Snooping involves enabling the feature on network switches, designating trusted ports, and ensuring that DHCP traffic is monitored effectively. Proper configuration is essential for maintaining a secure and efficient network environment, safeguarding against DHCP-based attacks while allowing legitimate devices to communicate seamlessly.

In this article we explain what DHCP Snooping is, list the benefits of DHCP Snooping, and walk through a DHCP Snooping configuration on Cisco switches. As part of our online Cisco Enterprise training, we provide more such information and guides on Cisco devices and services.

What is DHCP Snooping?

DHCP Snooping is a Layer 2 security feature that protects networks from unauthorized DHCP servers by filtering out invalid DHCP messages. It classifies switch ports as trusted or untrusted, allowing only legitimate DHCP traffic from trusted sources.

This helps prevent attacks such as DHCP spoofing and starvation, ensuring clients receive valid IP addresses from authorized servers. By maintaining a binding database of IP-MAC address mappings, DHCP Snooping enhances network integrity and security.

How Does DHCP Snooping Work?

The following steps describe how DHCP snooping works, from the client's first request to ongoing enforcement.

Step 1- Device Initialization: A network device without an IP address sends a DHCP Discover message to locate a DHCP server.

Step 2- Message Classification: The switch classifies its ports into trusted and untrusted. Trusted ports are those connected to legitimate DHCP servers, while untrusted ports are connected to clients.

Step 3- DHCP Offer Reception: If a DHCP server responds with a DHCP Offer, the switch allows the message to pass through only if it originates from a trusted port. If it comes from an untrusted port, the offer is discarded.

Step 4- Acknowledgment Stage: Upon receiving a valid DHCP Offer, the client sends a DHCP Request message back to the server. The server then acknowledges this request with a DHCP ACK message.

Step 5- Binding Table Creation: The switch creates or updates the DHCP Snooping Binding Database using information from the DHCP ACK message, which includes the client's MAC address, leased IP address, lease time, VLAN number, and interface information.

Step 6- Subsequent Requests Validation: For any future DHCP packets received from untrusted hosts, the switch checks them against the binding database. If they do not match any entry, those packets are dropped.

Step 7- Ongoing Monitoring: The switch continuously monitors DHCP traffic to ensure that only valid messages from trusted sources are processed, maintaining network integrity and preventing unauthorized access.
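The seven steps above can be expressed as a small decision procedure. The Python below is an added example written for this article, not code from the article's lab or from Cisco IOS: it models a snooping switch that keeps a set of trusted ports, drops server messages (OFFER, ACK, NAK) that arrive on untrusted ports, builds the binding database from ACKs seen on trusted ports, and checks RELEASE/DECLINE messages from untrusted hosts against that database. The port names follow the lab topology (Ethernet10/0 trusted, Client-R2 on Ethernet2/0, rogue server R3 on Ethernet3/0); the MAC addresses and leased IPs are constructed for the example.

```python
from dataclasses import dataclass

# DHCP message types (option 53 values defined in RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}      # only a DHCP server legitimately sends these
BINDING_CHECKED = {RELEASE, DECLINE}     # client messages that must match an existing lease


@dataclass
class Dhcp:
    """The fields of a DHCP message that the snooping decision looks at."""
    msg_type: int
    client_mac: str           # chaddr
    vlan: int = 24
    yiaddr: str = "0.0.0.0"   # address the server assigns (OFFER/ACK)
    lease: int = 0            # lease time in seconds (ACK)


@dataclass
class Binding:
    """One row of the DHCP Snooping Binding Database (step 5)."""
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports towards legitimate DHCP servers (step 2)
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.client_port = {}               # (mac, vlan) -> untrusted port the client was heard on

    def handle(self, port, pkt):
        """Return 'forward' or 'drop' for a DHCP message received on `port`."""
        key = (pkt.client_mac, pkt.vlan)
        if port in self.trusted:
            # Step 5: an ACK from a trusted server creates or refreshes the binding
            # for the client port on which the DISCOVER/REQUEST was seen.
            if pkt.msg_type == ACK and key in self.client_port:
                self.bindings[key] = Binding(pkt.client_mac, pkt.yiaddr, pkt.lease,
                                             pkt.vlan, self.client_port[key])
            return "forward"
        # Step 3: server messages arriving on an untrusted port are discarded.
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop"
        # Step 6: RELEASE/DECLINE from an untrusted host must match the binding
        # (same MAC, same VLAN, same interface); otherwise the packet is dropped.
        if pkt.msg_type in BINDING_CHECKED:
            binding = self.bindings.get(key)
            if binding is None or binding.interface != port:
                return "drop"
            if pkt.msg_type == RELEASE:
                del self.bindings[key]
            return "forward"
        # DISCOVER/REQUEST: remember where the client lives and forward.
        self.client_port[key] = port
        return "forward"


def lab_scenario():
    """Replay the article's lab on a model of Switch-2: Ethernet10/0 trusted,
    Client-R2 on Ethernet2/0, the rogue server R3 on Ethernet3/0. The MAC
    address and leased IPs are constructed for the example."""
    sw2 = SnoopingSwitch(trusted_ports={"Ethernet10/0"})
    r2 = "aabb.cc00.2010"
    events = [
        ("R2 discover", "Ethernet2/0", Dhcp(DISCOVER, r2)),
        ("rogue offer from R3", "Ethernet3/0", Dhcp(OFFER, r2, yiaddr="24.24.24.50")),
        ("corporate offer via relay", "Ethernet10/0", Dhcp(OFFER, r2, yiaddr="24.24.24.2")),
        ("R2 request", "Ethernet2/0", Dhcp(REQUEST, r2)),
        ("corporate ack via relay", "Ethernet10/0",
         Dhcp(ACK, r2, yiaddr="24.24.24.2", lease=7 * 86400)),   # 7-day lease
        ("release for R2 from R3's port", "Ethernet3/0", Dhcp(RELEASE, r2)),
    ]
    results = {name: sw2.handle(port, pkt) for name, port, pkt in events}
    return results, sw2.bindings


if __name__ == "__main__":
    decisions, table = lab_scenario()
    for name, decision in decisions.items():
        print(f"{name:32} -> {decision}")
    for b in table.values():
        print("binding:", b)
```

Running the script shows the rogue OFFER on Ethernet3/0 dropped while the OFFER and ACK that arrive via the trusted uplink are forwarded, one binding for Client-R2 on Ethernet2/0 with the 7-day lease, and a RELEASE for that lease arriving on a different untrusted port rejected because it does not match the binding's interface.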



How to Configure DHCP Snooping on Cisco Switches

Let's learn the DHCP Snooping configuration on Cisco switches. The step-by-step process to configure DHCP snooping can be done on our CCNP virtual lab.


Tasks:

● In this task, we will configure DHCP Snooping

Configuration

Step 1: Configure R1 as the DHCP server with the following configuration:

R1: Configure Eth0/0 with IP address 1.1.1.1/24

Configure a DHCP pool for VLAN 24 on R1

Configure the default route from R1 toward SW2 interface Eth10/0 (IP address 2.1.2.2)

interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 1.1.1.11
!
ip dhcp pool CCNP
 network 24.24.24.0 255.255.255.0
 default-router 24.24.24.22
 lease 7

Step 2: Configure SW1 with the following configuration:

SW1: Configure Eth1/0 in VLAN 1

Configure L3 VLAN 1 on SW1 with IP address 1.1.1.11/24

Configure Eth10/0 with IP address 2.1.2.1/24

Configure a default route pointing to SW2 interface Eth10/0 (IP address 2.1.2.2)

Shut down all other ports on SW1 (Eth11/0, Eth12/0)

ip routing
!
interface Ethernet1/0
 switchport mode access
 spanning-tree portfast
!
interface Ethernet10/0
 no switchport
 ip address 2.1.2.1 255.255.255.0
!
interface Vlan1
 ip address 1.1.1.11 255.255.255.0
 no shut
!
ip classless
ip route 24.24.24.0 255.255.255.0 2.1.2.2

SW1(config)#int eth11/0
SW1(config-if)#shut
SW1(config-if)#int eth12/0
SW1(config-if)#shut

SW2: Configure interfaces Eth2/0, Eth3/0 and Eth4/0 in VLAN 24, and configure L2 VLAN 24

Configure Eth10/0 with IP address 2.1.2.2

Configure interface VLAN 24 with IP address 24.24.24.22/24

Configure a default route pointing to 2.1.2.1

interface Ethernet10/0
 no switchport
 ip address 2.1.2.2 255.255.255.0
!
interface Ethernet2/0
 switchport access vlan 24
 switchport mode access
 spanning-tree portfast
!
interface Ethernet3/0
 switchport access vlan 24
 switchport mode access
 spanning-tree portfast
!
interface Ethernet4/0
 switchport access vlan 24
 switchport mode access
 spanning-tree portfast
!
interface Vlan24
 ip address 24.24.24.22 255.255.255.0
 ip helper-address 1.1.1.1
 no shut
!
ip route 0.0.0.0 0.0.0.0 2.1.2.1

Step 3: Configure the R2 interface Eth0/1 so that it receives its IP address from the DHCP server. Configure the R4 interface Eth0/1 in the same way.

R2(config)#int eth0/1
R2(config-if)#ip address dhcp
R2(config-if)#no shut

R4#sh run int eth0/1
interface Ethernet0/1
 ip address dhcp
end


Currently, any broadcasts sent by either Client-R2 or Client-R4 are flooded by Switch-2 and visible to the other clients as well as Router-3 (Rogue DHCP Server). This means that when (as an example) Client-R2 transmits a broadcast DHCP Discover packet, and broadcast DHCP Request packet, these are visible to other devices within VLAN-24. Verify this for yourself by doing the following:

Ensure that you have two Telnet windows open at the same time: a window to R2, and another window to R4.

On Client-R4, enter the command "debug ip udp port 67". This command will display any IP packets that Client-R4 has received and forwarded to its CPU, with a source, or destination, UDP port 67 (the DHCP Server port).

On Client-R2, shutdown interface FastEthernet0/1 and then enable this interface. The debug running on Client-R4 will prove that it has received the DHCP broadcasts sent to and from Client-R2.

Turn off all debugging on Client-R4 with the command "undebug all" (or simply u all).


Step 4: Complete the configuration of R3 as a Rogue DHCP Server by doing the following:

Enable the command service dhcp.

Create a DHCP Pool

Your pool should provide IP addresses within the correct subnet of 24.24.24.0/24. Your pool should be configured to intentionally offer an INCORRECT IP address of 24.24.24.33 (the Rogue DHCP Server) as the default router for all DHCP clients.

Your pool should be configured with a DHCP Lease time of 7 days.

R3(config)#int eth0/0
R3(config-if)#ip address 24.24.24.33 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.22

service dhcp
ip dhcp pool CCNP
 network 24.24.24.0 /24
 default-router 24.24.24.33
 lease 7


Typically, when DHCP clients receive more than a single offer in response to their DHCP Discover packet, they will accept the very first offer they receive.

In this case, because the Rogue DHCP Server is located in the same VLAN as the DHCP clients, any DHCP offer sent from this device should be accepted before any legitimate offer sent from the Corporate DHCP Server. This will result in DHCP clients being given an IP address in the correct subnet, but their default gateway assignment will be wrong.

Any packets they attempt to send off-subnet will be sent to R3 (the Rogue DHCP Server) because the clients believe that the device is their default gateway.

To verify this:

Disable interface Ethernet0/1 on Client-R2.

Re-enable this interface.

Watch for this interface to be assigned a DHCP Address.

To prove that this address came from the Rogue DHCP Server, issue the command show ip route and notice that you now have a default route to 24.24.24.33. This route SHOULD have pointed to 24.24.24.22 (your DHCP Relay Agent/Default-Gateway).


If the above steps do not work, and you still have a default route pointing at your legitimate default gateway of 24.24.24.22, disable Ethernet0/1 on Client-R2, wait at least 30 seconds, and then enable this interface again.

Step 5:

Configure DHCP Snooping on Switch-2.

Verify that DHCP Snooping is functional by doing the following:

Check that the DHCP Snooping feature has been enabled correctly by viewing the output of the command "show ip dhcp snooping".

View the DHCP Snooping Binding Database and look for entries created by DHCP clients R2 and R4.

Verify that all DHCP clients received their DHCP information from the Corporate DHCP Server.

SW2(config)#ip dhcp snooping
SW2(config)#ip dhcp snooping vlan 24


R2(config)#int eth0/1
R2(config-if)#shut
R2(config-if)#no shut

R4(config)#int eth0/1
R4(config-if)#shut
R4(config-if)#no shut

Step 6:

Notice that in the previous steps you enabled DHCP Snooping on a switch (Switch-2) that was configured as a DHCP Relay Agent. In other words, when Switch-2 receives DHCP broadcasts on its VLAN-24 Switched Virtual Interface, it encapsulates them and routes them toward the Corporate DHCP Server as unicasts.

Now change the configuration of Switch-1 and Switch-2 so that they match the revised topology (notice that Switch-1 is now configured as the DHCP Relay Agent, and the link between Switch-1 and Switch-2 is a Layer-2 access switchport). Do NOT change any of your existing DHCP Snooping configuration on Switch-2.

SW1(config)#int eth10/0
SW1(config-if)#switchport
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 24
SW1(config-if)#interface vlan 24
SW1(config-if)#ip address 24.24.24.22 255.255.255.0
SW1(config-if)#ip helper-address 1.1.1.1
SW1(config-if)#no shut

SW2(config)#int eth10/0
SW2(config-if)#switchport
SW2(config-if)#switchport access vlan 24
SW2(config-if)#no int vlan 24

Test to see if DHCP Snooping is still functional on Switch-2. If not, do you know WHY?


You should have noticed on both Client-R2 and Client-R4 that they are no longer able to obtain DHCP information from any DHCP Server.

Fix DHCP Snooping on Switch-2 so that both DHCP clients can, once again, obtain DHCP information from the Corporate DHCP Server.

SW2(config)#no ip dhcp snooping information option
SW2(config)#int eth10/0
SW2(config-if)#ip dhcp snooping trust
SW2(config-if)#^Z

DHCP Snooping Configuration Considerations for Layer-2 and Layer-3 Switches

When configuring DHCP Snooping, it’s important to understand how it operates differently depending on whether the switch functions as a Layer-2 or Layer-3 device.

Layer-3 Switch as a DHCP Relay Agent:

When a switch operates as a Layer-3 switch and acts as a DHCP Relay Agent, the Switch Virtual Interface (SVI) that receives inbound DHCP broadcasts from clients is automatically considered trusted by DHCP Snooping. Therefore, there is no need to manually configure any interfaces—physical or virtual—as trusted interfaces.

Layer-2 Switch Configuration:

In scenarios where the switch operates as a Layer-2 device, and all DHCP clients, as well as ports leading to trusted DHCP servers, are configured as Layer-2 switchports, it is essential to designate the physical interfaces that connect upstream to trusted DHCP servers. This is done using the following command: "ip dhcp snooping trust"

Handling DHCP Option 82:

By default, a Layer-2 switch will insert DHCP Option 82 into any DHCP client packets it receives. However, many DHCP servers—including Cisco routers and switches configured as DHCP servers—do not recognize Option 82 and may drop any client packets containing this option.

To prevent this issue, you should configure the DHCP Snooping switch to refrain from inserting Option 82 into DHCP client packets by using the following command: "no ip dhcp snooping information option"

By understanding these configurations and their implications, network administrators can effectively implement DHCP Snooping to enhance security while ensuring compatibility with existing DHCP server configurations.
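The verification in Step 5 ("show ip dhcp snooping") and the two considerations above (a Layer-2 snooping switch needs a trusted uplink, and Option 82 insertion should be disabled unless the server understands it) can be checked mechanically from the command output. The Python below is an added example written for this article, not code from the article or from Cisco: it parses the global state, the VLAN lists, the Option 82 setting and the trusted-interface table, then reports the misconfigurations the article's Step 6 ran into. The two sample outputs are constructed to resemble IOS output for Switch-2 before and after the fix; the exact wording and columns vary by platform and release, so treat the format as an assumption and adapt the parser to what your switch prints.

```python
import re

# Constructed sample modelled on the layout of IOS "show ip dhcp snooping" output
# for Switch-2 after Step 6 but before the fix: option 82 insertion still on, no
# trusted interface. Format is an assumption, not captured from a real device.
SHOW_BEFORE_FIX = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
24
DHCP snooping is operational on following VLANs:
24
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.2000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
"""

# Same switch after "no ip dhcp snooping information option" and trusting eth10/0.
SHOW_AFTER_FIX = SHOW_BEFORE_FIX.replace(
    "Insertion of option 82 is enabled", "Insertion of option 82 is disabled"
) + "Ethernet10/0               yes        yes             unlimited\n"

VLAN_LIST = re.compile(r"^[\d,\s-]+$")


def expand_vlans(spec):
    """Turn a VLAN list such as '10-12,24' into {10, 11, 12, 24}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_ip_dhcp_snooping(text):
    """Extract the fields a snooping audit needs from the command output."""
    state = {"enabled": False, "configured_vlans": set(), "operational_vlans": set(),
             "option82_insertion": False, "trusted": [], "rate_limit": {}}
    section, in_table = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith("enabled")
        elif line.startswith("DHCP snooping is configured on following VLANs"):
            section = "configured_vlans"
        elif line.startswith("DHCP snooping is operational on following VLANs"):
            section = "operational_vlans"
        elif line.startswith("Insertion of option 82 is"):
            state["option82_insertion"] = line.endswith("enabled")
            section = None
        elif line.startswith("Interface") and "Trusted" in line:
            in_table, section = True, None       # header of the per-interface table
        elif in_table and not line.startswith("-"):
            iface, trusted, _allow_opt, rate = line.split()[:4]
            if trusted == "yes":
                state["trusted"].append(iface)
            if rate != "unlimited":
                state["rate_limit"][iface] = int(rate)
        elif section and VLAN_LIST.match(line):
            state[section] |= expand_vlans(line)  # VLAN ids continue the current list
        else:
            section = None                        # any other text ends a VLAN list
    return state


def audit(state, vlan, relay_agent, server_accepts_option82):
    """Report the problems the article describes. A Layer-3 relay agent needs no
    trusted port (its SVI is trusted); a Layer-2 snooping switch needs a trusted
    uplink and, unless the server understands Option 82, insertion disabled."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is not enabled globally")
    if vlan not in state["operational_vlans"]:
        findings.append(f"DHCP snooping is not operational on VLAN {vlan}")
    if not relay_agent and not state["trusted"]:
        findings.append("no trusted interface: server OFFER/ACK arriving on the uplink are dropped")
    if not relay_agent and state["option82_insertion"] and not server_accepts_option82:
        findings.append("option 82 insertion enabled: the DHCP server may drop client packets")
    return findings


if __name__ == "__main__":
    for label, text in (("before fix", SHOW_BEFORE_FIX), ("after fix", SHOW_AFTER_FIX)):
        st = parse_show_ip_dhcp_snooping(text)
        print(label, audit(st, vlan=24, relay_agent=False, server_accepts_option82=False))
```

With relay_agent=True (the Step 5 situation, Switch-2 owning the VLAN 24 SVI) the "before" output audits clean, which is why snooping worked there without a trusted port; with relay_agent=False (Step 6, Switch-1 now the relay and eth10/0 a Layer-2 uplink) the same output yields both findings, and the "after" output yields none.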

Benefits of DHCP Snooping Configuration

DHCP Snooping is a critical security feature that offers several benefits to network administrators, primarily by protecting against various attacks and ensuring the integrity of IP address assignments. Here are the key benefits and the common attacks it helps prevent:

1. Prevention of Rogue DHCP Servers:

DHCP Snooping helps block unauthorized DHCP servers from distributing IP addresses. By designating trusted and untrusted ports, the switch can filter out malicious DHCP Offer and ACK messages, ensuring only legitimate servers are allowed to communicate with clients.

2. Protection Against DHCP Spoofing Attacks:

DHCP spoofing occurs when an attacker masquerades as a legitimate DHCP server, potentially redirecting clients to incorrect IP configurations. DHCP Snooping mitigates this risk by monitoring and blocking DHCP traffic from untrusted sources, thereby preventing man-in-the-middle attacks.

3. Defense Against DHCP Starvation Attacks:

In a DHCP starvation attack, an attacker floods the network with fake DHCP requests to exhaust the available IP address pool. DHCP Snooping can limit the rate of incoming DHCP requests on untrusted ports, significantly reducing the likelihood of successful starvation attacks.

4. Validation of DHCP Messages:

By maintaining a binding database that tracks valid IP-MAC address mappings, DHCP Snooping ensures that only legitimate requests and responses are processed. This validation helps prevent bogus DHCP messages from being accepted, further securing the network.

5. Integration with Other Security Features:

The binding database created by DHCP Snooping can be leveraged by other security mechanisms such as Dynamic ARP Inspection (DAI) and IP Source Guard, enhancing overall network security by providing additional layers of protection against various types of network attacks.

DHCP Snooping - Summing Up

DHCP Snooping is a crucial security feature that prevents unauthorized DHCP servers from distributing IP addresses, protecting against attacks like DHCP spoofing and starvation. It filters DHCP traffic based on trusted and untrusted ports, ensuring only legitimate servers communicate with clients.

Maintaining a binding database of valid IP-MAC address mappings enhances overall network integrity and facilitates integration with other security features such as Dynamic ARP Inspection. Implementing DHCP Snooping significantly improves network security and reliability.

To learn more about such technologies check out the IT infrastructure training courses at Uninets!


FAQ

DHCP snooping is a security feature that protects against unauthorized DHCP servers, while DHCP spoofing is an attack where an unauthorized server responds to client requests, potentially redirecting traffic.
DHCP snooping enhances network security by preventing rogue DHCP servers from distributing IP addresses, thereby safeguarding against man-in-the-middle attacks and ensuring valid IP assignments.
DHCP snooping is a Layer 2 security feature that validates DHCP messages, allowing only authorized servers to assign IP addresses and maintaining a binding database of valid leases.
Two benefits of DHCP snooping include preventing rogue DHCP server attacks and protecting against DHCP starvation attacks by rate-limiting requests from untrusted sources.
