How to Configure DHCP Snooping in Cisco Switches?

In network switching, you can easily configure DHCP snooping to prevent DHCP spoofing and DHCP starvation attacks. Before mitigating DHCP attacks in the network, you need to understand how DHCP works. DHCP servers dynamically provide IP configuration information, including the IP address, subnet mask, default gateway, DNS servers, and more, to clients.

[Figure: sequence of DHCP message exchange between client and server]

Types of DHCP Attacks

Two DHCP attacks are commonly used against network systems to gain access to information: the DHCP spoofing attack and the DHCP starvation attack.

1. DHCP Spoofing Attack

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:

  • Wrong default gateway – Attacker provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
  • Wrong DNS server – Attacker provides an incorrect DNS server address pointing the user to a nefarious website.
  • Wrong IP address – Attacker provides an invalid default gateway IP address and creates a DoS attack on the DHCP client.

2. DHCP Starvation Attack

Another DHCP attack is the DHCP starvation attack. The goal of this attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.

Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

Mitigating DHCP Attacks

It is easy to mitigate DHCP starvation attacks using port security. However, mitigating DHCP spoofing attacks requires more protection.

For instance, Gobbler uses a unique source MAC address for each DHCP request, and port security could be configured to mitigate this. However, Gobbler can also be configured to use the same interface MAC address with a different client hardware address in every request. This would render port security ineffective.

DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate against DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the switch can use to filter DHCP messages from untrusted sources. The DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switchport or interface.

Note: In a large network, the DHCP binding table may take time to build after it is enabled. For example, it could take 2 days for DHCP snooping to complete the table if DHCP lease time is 4 days.

1. DHCP Snooping 

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or on a range of VLANs.

Configure DHCP Snooping to Mitigate DHCP Attack

When DHCP snooping is enabled on an interface or VLAN and the switch receives a DHCP packet on an untrusted port, the switch compares the packet's source information with the entries held in the DHCP snooping binding table.

[Figure: Configure DHCP snooping in Cisco switches]

  • Trusted DHCP ports – Only ports connecting to upstream DHCP servers should be trusted. These are the ports that are expected to reply with DHCP offer and DHCP Ack messages. Trusted ports must be explicitly identified in the configuration.
  • Untrusted ports – These ports connect to hosts that should not be providing DHCP server messages. By default, all switch ports are untrusted.

The general rule when configuring DHCP snooping is to “trust the port and enable DHCP snooping by VLAN”. Therefore, the following steps should be used to enable or configure DHCP snooping:

  • Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
  • Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
  • Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

Sample DHCP Snooping Configuration

S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 4
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)#
Display the resulting configuration with the “show ip dhcp snooping” privileged EXEC command:
S1# show ip dhcp snooping
Display the learned bindings with the “show ip dhcp snooping binding” command. Another way to verify is with the “show ip dhcp snooping database” command:
S1# show ip dhcp snooping binding
Untrusted ports should also rate limit the number of DHCP discovery messages they can receive per second using the ip dhcp snooping limit rate interface configuration command.

Note: Rate limiting further mitigates the risk of DHCP starvation attacks.
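To make the filtering rules described above concrete, here is an added example (not code from the article or from Cisco) that models the DHCP snooping decisions of one switch in Python. It drops server messages that arrive on untrusted ports (the rogue-server case), checks the frame's source MAC against the DHCP client hardware address (the check that catches the Gobbler variant described earlier), creates a binding when a trusted port delivers the DHCPACK for a request seen on a host port, honours a RELEASE only from the port that holds the binding, and err-disables an untrusted port that exceeds its per-second limit, as IOS does. The DhcpMessage and SnoopingSwitch classes, the port names, MAC addresses, and lease values are all constructed for this example; they are not a Cisco API and the code is not a packet parser.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a trusted port may deliver these


@dataclass
class DhcpMessage:                 # constructed sample record, not a wire parser
    kind: str                      # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE / DECLINE
    port: str                      # ingress switchport, e.g. "Fa0/5"
    vlan: int
    src_mac: str                   # Ethernet source address of the frame
    chaddr: str                    # client hardware address inside the DHCP payload
    yiaddr: str = ""               # address the server assigns (OFFER / ACK)
    lease: int = 0                 # lease time in seconds (ACK)
    ts: int = 0                    # arrival time in whole seconds, for rate limiting


@dataclass
class Binding:                     # one row of the snooping binding table
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str                 # the client's untrusted port, not the server's
    type: str = "dhcp-snooping"


@dataclass
class SnoopingSwitch:              # hypothetical model of the snooping logic
    vlans: set                                           # VLANs with snooping enabled
    trusted: set = field(default_factory=set)            # ports configured as trusted
    rate_limit: dict = field(default_factory=dict)       # port -> DHCP packets per second
    bindings: dict = field(default_factory=dict)         # (vlan, mac) -> Binding
    errdisabled: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)          # (vlan, mac) -> requesting port
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> packets

    def process(self, m):
        """Return 'forward' or 'drop: <reason>' for one DHCP message."""
        if m.vlan not in self.vlans:
            return "forward"                             # snooping is off on this VLAN
        if m.port in self.errdisabled:
            return "drop: port err-disabled"
        if m.port in self.trusted:
            return self._from_trusted(m)
        return self._from_untrusted(m)

    def _from_trusted(self, m):
        # An ACK from the server completes the lease we saw requested on a host port.
        if m.kind == "ACK":
            key = (m.vlan, m.chaddr)
            client_port = self.pending.pop(key, None)
            if client_port is not None:
                self.bindings[key] = Binding(m.chaddr, m.yiaddr, m.lease, m.vlan, client_port)
        return "forward"

    def _from_untrusted(self, m):
        # Rate limit first: too many DHCP packets in one second err-disables the port.
        limit = self.rate_limit.get(m.port)
        if limit is not None:
            self.counts[(m.port, m.ts)] += 1
            if self.counts[(m.port, m.ts)] > limit:
                self.errdisabled.add(m.port)
                return "drop: rate limit exceeded, port err-disabled"
        if m.kind in SERVER_MESSAGES:
            return "drop: server message on untrusted port"   # rogue DHCP server
        if m.src_mac.lower() != m.chaddr.lower():
            return "drop: source MAC does not match chaddr"   # forged client address
        key = (m.vlan, m.chaddr)
        if m.kind == "REQUEST":
            self.pending[key] = m.port                       # remember where the client is
        elif m.kind in ("RELEASE", "DECLINE"):
            b = self.bindings.get(key)
            if b is None or b.interface != m.port:
                return "drop: RELEASE/DECLINE does not match a binding on this port"
            if m.kind == "RELEASE":
                del self.bindings[key]
        return "forward"

    def show_binding(self):
        """Rows in the column order of 'show ip dhcp snooping binding'."""
        return [(b.mac, b.ip, b.lease, b.type, b.vlan, b.interface) for b in self.bindings.values()]


def run_scenario():
    """Constructed traffic: one legitimate lease, then the attacks the article describes."""
    sw = SnoopingSwitch(vlans={10}, trusted={"Fa0/1"}, rate_limit={"Fa0/5": 4, "Fa0/6": 4})
    client, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
    msgs = [
        DhcpMessage("DISCOVER", "Fa0/5", 10, client, client),
        DhcpMessage("OFFER", "Fa0/1", 10, server, client, yiaddr="10.1.10.20"),
        DhcpMessage("REQUEST", "Fa0/5", 10, client, client),
        DhcpMessage("ACK", "Fa0/1", 10, server, client, yiaddr="10.1.10.20", lease=86400),
        DhcpMessage("OFFER", "Fa0/7", 10, "00:de:ad:be:ef:01", client, yiaddr="10.1.10.99", ts=1),  # rogue server
        DhcpMessage("DISCOVER", "Fa0/6", 10, "00:66:66:66:66:66", "00:66:66:66:66:01", ts=1),  # forged chaddr
        DhcpMessage("RELEASE", "Fa0/7", 10, client, client, ts=2),  # release from the wrong port
    ]
    # five DHCPDISCOVERs in the same second on Fa0/6 against a limit of four
    msgs += [DhcpMessage("DISCOVER", "Fa0/6", 10, "00:66:66:66:66:66", "00:66:66:66:66:66", ts=5)
             for _ in range(5)]
    return sw, [sw.process(m) for m in msgs]
```

Calling run_scenario() returns the switch model and one verdict per message: the four messages of the legitimate exchange are forwarded and leave a single binding for the client on Fa0/5; the rogue OFFER on Fa0/7, the DISCOVER whose chaddr differs from its source MAC, and the RELEASE from a port that never held the lease are each dropped with their reason; and the fifth DISCOVER within one second on Fa0/6 err-disables that port, after which everything from it is dropped. The binding row follows the column order of the switch's show command (MAC, IP, lease, type, VLAN, interface), which is the same data DAI and IP Source Guard consume.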

Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because IPv6 devices can also receive their addressing information from the router’s Router Advertisement (RA) message, there are also mitigation solutions to prevent any rogue RA messages.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

On a Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Source: Cisco Configure DHCP Snooping

Content retrieved from: https://www.technig.com/configure-dhcp-snooping-cisco-switche/.
