How to Configure DHCP Snooping in Cisco Switches?

by Faiz | 3 Jun 2020

In the network switching, you can easily configure DHCP snooping to prevent DHCP spoofing attack and DHCP starvation attack. Before you mitigating DHCP attacks in the network, you need to know about DHCP functions and features. The DHCP servers dynamically provide IP configuration information including IP address, subnet mask, default gateway, DNS servers, and more to clients. The sequence of DHCP message exchange between client and server.

Types of DHCP Attacks

There are some DHCP attacks that hackers can use to hack your network systems and access the information. The DHCP Spoofing attack and the DHCP Starvation attack.

1. DHCP Spoofing Attack

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:

  • Wrong default gateway – Attacker provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
  • Wrong DNS server – Attacker provides an incorrect DNS server address pointing the user to a nefarious website.
  • Wrong IP address – Attacker provides an invalid default gateway IP address and creates a DoS attack on the DHCP client.

2. DHCP Starvation Attack

Another DHCP attack is the DHCP starvation attack. The goal of this attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.

Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

Mitigating DHCP Attacks

It is easy to mitigate DHCP starvation attacks using port security. However, mitigating DHCP spoofing attacks requires more protection.

Related articles: Configure DHCP in Cisco Router and Windows Server

For instance, Gobbler uses a unique MAC address for each DHCP request and port security. Port security could be configured to mitigate this. However, Gobbler can also be configured to use the same interface MAC address with a different hardware address for every request. This would render port security ineffective.

DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate against DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the switch can use to filter DHCP messages from untrusted sources. The DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switchport or interface.

Note: In a large network, the DHCP binding table may take time to build after it is enabled. For example, it could take 2 days for DHCP snooping to complete the table if DHCP lease time is 4 days.

1. DHCP Snooping 

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs. Mitigate VLAN attack.

Configure DHCP Snooping to Mitigate DHCP Attack

When you configure DHCP snooping or enabling on an interface or VLAN, the switch receives a packet on an untrusted port, the switch compares the source packet information with that held in the DHCP snooping binding table.
Configure DHCP Snooping in Cisco switchesConfigure DHCP Snooping in Cisco switches

  • Trusted DHCP ports – Only ports connecting to upstream DHCP servers should be trusted. These ports that are expected to reply with DHCP offer and DHCP Ack messages. Trusted ports must be explicitly identified in the configuration.
  • Untrusted ports – These ports connect to hosts that should not be providing DHCP server messages. By default, all switch ports are untrusted.

The general rule when configuring DHCP snooping is to “trust the port and enable DHCP snooping by VLAN”. Therefore, the following steps should be used to enable or configure DHCP snooping:

  • Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
  • Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
  • Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

Configuring a Maximum Number of MAC Addresses
S1(config)# ip dhcp snooping S1(config)# S1(config)# interface f0/1 S1(config-if)# ip dhcp snooping trust S1(config-if)# exit S1(config)# S1(config)# interface range f0/5 – 24 S1(config-if-range)# ip dhcp snooping limit rate 4 S1(config-if-range)# exit S1(config)# S1(config)# ip dhcp snooping vlan 5,10,50-52 S1(config)#
Try to displays the resulting output of the “show ip dhcp snooping” privileged EXEC command.
S1# show ip dhcp snooping
Try to displays the resulting output of the “show ip dhcp snooping binding” command. Another way to verify is with the “show ip dhcp snooping database” command.
S1# show ip dhcp snooping binding
Untrusted ports should also rate limit the number of DHCP discovery messages they can receive per second using the ip dhcp snooping limit rate interface configuration command.

Note: Rate limiting further mitigates the risk of DHCP starvation attacks.

Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because IPv6 devices can also receive their addressing information from the router’s Router Advertisement (RA) message, there are also mitigation solutions to prevent any rogue RA messages.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In the NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Source: Cisco Configure DHCP Snooping


Content retrieved from:

previous post
What exactly is Node.js?