DHCP Snooping:
DHCP Snooping is a security feature in computer networks that is used to prevent rogue Dynamic Host Configuration Protocol (DHCP) servers from distributing incorrect or malicious IP addresses to network devices. DHCP is a protocol that is used to automatically assign IP addresses to devices on a network.
In addition to preventing unauthorized DHCP servers from distributing IP addresses, DHCP Snooping can also be used to prevent DHCP spoofing attacks, where an attacker spoofs the MAC address of a legitimate device to obtain a valid IP address.
Why do we use DHCP Snooping?
Here are some of the main reasons why DHCP Snooping is used:
Preventing rogue DHCP servers: DHCP Snooping prevents unauthorized or rogue DHCP servers from being deployed on the network.
Preventing DHCP spoofing attacks: DHCP spoofing is a type of attack where a malicious device spoofs the MAC address of a legitimate device to obtain a valid IP address. DHCP Snooping can prevent DHCP spoofing attacks by verifying that DHCP messages are received only from trusted sources.
Ensuring network stability: By preventing incorrect or malicious IP addresses from being distributed, DHCP Snooping helps to ensure network stability and reliability.
Enforcing network policies: DHCP Snooping can be used to enforce network policies, such as limiting the number of IP addresses that are assigned to devices on the network or ensuring that devices only connect to authorized DHCP servers.
Supporting virtual LANs (VLANs): DHCP Snooping can be used to support VLANs, which are logical networks created within a physical network. By enabling DHCP Snooping on a per-VLAN basis, network administrators can ensure that DHCP messages are only sent to authorized DHCP servers on each VLAN.
How does it work?
DHCP Snooping works by inspecting and filtering DHCP traffic on a network switch. The following steps describe the basic operation of DHCP Snooping:
The switch is configured to enable DHCP Snooping. This is typically done on a per-VLAN basis, meaning that DHCP Snooping can be enabled on specific VLANs on the switch.
Enable DHCP Snooping globally on the switch:
Switch# configure terminal
Switch(config)# ip dhcp snooping
Enable DHCP Snooping on specific VLANs (this is a global configuration command, not a vlan-mode command):
Switch(config)# ip dhcp snooping vlan vlan-id
This command enables DHCP Snooping on a specific VLAN.
The switch learns the MAC addresses of devices on the network by monitoring the traffic on each port. The switch maintains a table of MAC addresses, known as the MAC address table.
When a DHCP client sends a DHCP Discover message to obtain an IP address, the switch intercepts the message and inspects it. The switch verifies that the DHCP message was received on a port that is designated as a "trusted" port, meaning that it is connected to a legitimate DHCP server.
Mark the interface that connects to the legitimate DHCP server (or the uplink toward it) as trusted; interfaces that connect to DHCP clients stay untrusted:
Switch(config)# interface interface-id
Switch(config-if)# ip dhcp snooping trust
If the DHCP message is received on an untrusted port, meaning that it is not connected to a legitimate DHCP server, the switch drops the message and prevents the device from obtaining an IP address.
If the DHCP message is received on a trusted port, the switch forwards the message to the DHCP server for processing.
When the DHCP server responds with a DHCP Offer message, the switch inspects the message to verify that it was sent from a trusted source. If the message is from an untrusted source, the switch drops the message and prevents the device from obtaining an IP address.
If the DHCP Offer message is from a trusted source, the switch forwards the message to the device that requested the IP address.
By inspecting and filtering DHCP traffic, DHCP Snooping helps to prevent rogue DHCP servers from distributing invalid or malicious IP addresses to devices on a network. This helps to improve network security by ensuring that only authorized DHCP servers are used to assign IP addresses to devices.
Configuration:
Here are the basic steps to configure DHCP Snooping on a Cisco switch:
Enable DHCP Snooping globally on the switch:
Switch# configure terminal
Switch(config)# ip dhcp snooping
Enable DHCP Snooping on specific VLANs (a global configuration command):
Switch(config)# ip dhcp snooping vlan vlan-id
This command enables DHCP Snooping on a specific VLAN.
Enable trust on the interfaces that connect to the legitimate DHCP server (or the uplink toward it):
Switch(config)# interface interface-id
Switch(config-if)# ip dhcp snooping trust
This command sets the interface as a trusted port, which means that it can receive DHCP messages from legitimate DHCP servers. Interfaces that connect to DHCP clients are left untrusted, which is the default.
(Optional) Set the maximum number of DHCP messages per second on an untrusted interface:
Switch(config)# interface interface-id
Switch(config-if)# ip dhcp snooping limit rate rate
This command sets the maximum number of DHCP messages that can be received on that interface per second.
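As an added example that is not part of the original article, the following Python models the filtering decisions described in the "How does it work?" and "Configuration" sections: server messages (Offer/Ack/Nak) are accepted only from trusted ports, client messages on untrusted ports must carry a chaddr matching the frame's source MAC, untrusted ports are rate-limited, and a binding of client MAC, leased IP and client port is learned from the server's Ack. Port names, MAC addresses and the sample traffic are constructed for the demo.

```python
from dataclasses import dataclass, field
SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server sends these

@dataclass
class DhcpMsg:
    port: str        # ingress switch port (constructed names like "Gi1/0/1")
    src_mac: str     # Ethernet source MAC of the frame
    chaddr: str      # client hardware address inside the DHCP payload
    kind: str        # DISCOVER, REQUEST, OFFER, ACK, NAK, ...
    yiaddr: str = "" # address offered/assigned (server messages only)

@dataclass
class Snooper:
    trusted: set                     # ports configured "ip dhcp snooping trust"
    rate_limit: dict                 # port -> "ip dhcp snooping limit rate N"
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, client port)
    _pending: dict = field(default_factory=dict)  # chaddr -> port of last request
    _count: dict = field(default_factory=dict)    # (port, second) -> msgs seen

    def handle(self, m: DhcpMsg, second: int = 0) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        if m.port in self.trusted:
            # Server replies are accepted here; learn the binding on ACK.
            if m.kind == "ACK" and m.chaddr in self._pending:
                self.bindings[m.chaddr] = (m.yiaddr, self._pending.pop(m.chaddr))
            return "forward"
        limit = self.rate_limit.get(m.port)
        if limit is not None:
            key = (m.port, second)
            self._count[key] = self._count.get(key, 0) + 1
            if self._count[key] > limit:
                return "drop:rate-limit"   # a real switch would also err-disable the port
        if m.kind in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"   # rogue DHCP server
        if m.src_mac != m.chaddr:
            return "drop:chaddr-mismatch"  # client identity does not match the frame
        if m.kind in ("DISCOVER", "REQUEST"):
            self._pending[m.chaddr] = m.port
        return "forward"

def demo():
    """Run constructed sample traffic through the snooper; return (verdicts, bindings)."""
    s = Snooper(trusted={"Gi1/0/24"}, rate_limit={"Gi1/0/1": 3, "Gi1/0/2": 3})
    traffic = [
        DhcpMsg("Gi1/0/1", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01", "REQUEST"),
        DhcpMsg("Gi1/0/24", "00:11:22:33:44:55", "aa:aa:aa:00:00:01", "ACK", "10.0.0.50"),
        DhcpMsg("Gi1/0/2", "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01", "OFFER", "10.0.0.9"),
        DhcpMsg("Gi1/0/2", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03", "DISCOVER"),
    ]
    return [s.handle(m) for m in traffic], s.bindings
```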