
What is DHCP Snooping? Why do we use it?

Updated: Jan 19



DHCP Snooping:

DHCP Snooping is a Layer 2 security feature on network switches that prevents rogue Dynamic Host Configuration Protocol (DHCP) servers from handing out incorrect or malicious network settings (IP address, default gateway, DNS servers) to devices on the network. A rogue server that supplies an attacker-controlled gateway or DNS server can redirect victims' traffic through the attacker or simply cut them off from the network.


DHCP is the protocol that automatically assigns IP addresses, along with settings such as the default gateway and DNS servers, to devices on a network.

In addition to blocking unauthorized DHCP servers, DHCP Snooping also mitigates DHCP starvation attacks, in which an attacker floods the network with DHCP requests from many spoofed MAC addresses to exhaust the server's address pool. It does this by rate-limiting DHCP messages on client ports and by checking that the client hardware address inside each request matches the source MAC address of the frame that carried it (an attacker who rewrites both addresses consistently evades the second check, but is still caught by the rate limit).



Why do we use DHCP snooping?

Here are some of the main reasons why DHCP Snooping is used:

Preventing rogue DHCP servers: DHCP Snooping prevents unauthorized or rogue DHCP servers from serving clients on the network, whether the server was planted by an attacker or plugged in by mistake, such as a home router with DHCP enabled connected to an office port.

Preventing DHCP spoofing and starvation attacks:

DHCP spoofing is an attack in which a malicious host answers clients' DHCP requests itself, posing as the legitimate server, so that victims receive an attacker-controlled default gateway or DNS server and their traffic can be intercepted. DHCP starvation is the companion attack in which the attacker floods the network with requests from many spoofed MAC addresses to exhaust the real server's address pool, so that the rogue server is the only one left able to answer. DHCP Snooping defeats spoofing by accepting DHCP server messages only on trusted ports, and blunts starvation by rate-limiting DHCP messages on untrusted ports and by verifying that the client hardware address inside each request matches the frame's source MAC address.


Ensuring network stability: By preventing incorrect or malicious IP addresses from being distributed, DHCP Snooping helps to ensure network stability and reliability.


Enforcing network policies: DHCP Snooping can be used to enforce network policies, such as limiting the rate at which a port may send DHCP messages or ensuring that devices only obtain addresses from authorized DHCP servers. The binding table it builds, which records each client's MAC address, IP address, VLAN, port and lease time, is also the basis for the related Dynamic ARP Inspection and IP Source Guard features.


Supporting virtual LANs (VLANs): DHCP Snooping is enabled on a per-VLAN basis, so network administrators can apply it to the VLANs that carry untrusted clients and leave others untouched. Within each snooping-enabled VLAN, DHCP server responses are accepted only from the trusted ports, so clients in that VLAN can only be served by its authorized DHCP servers.


How does it work?

DHCP Snooping works by inspecting and filtering DHCP traffic on a network switch.


The following steps describe the basic operation of DHCP Snooping:


The switch is configured to enable DHCP Snooping.

This is done globally and then on a per-VLAN basis, meaning that DHCP Snooping can be enabled on specific VLANs on the switch. The ports that lead to the legitimate DHCP server (or to the uplink toward it) are marked as trusted; every other port, including every client port, stays untrusted, which is the default. The commands are listed in the Configuration section below.


While DHCP Snooping is active, the switch builds a DHCP snooping binding table from the exchanges it sees on untrusted ports: for every client that completes a lease it records the client's MAC address, assigned IP address, lease time, VLAN and port. This table is separate from the ordinary MAC address table that the switch uses for forwarding, and it is what lets the switch later judge whether a given MAC address and IP address belong together on a given port.


When a DHCP client sends a DHCP Discover (or Request) message to obtain an IP address, the switch intercepts the message and inspects it. Client messages are expected on untrusted ports, so they are allowed through, subject to two checks: the client hardware address (chaddr) inside the DHCP message must match the source MAC address of the frame, and the port must not exceed its configured DHCP rate limit. A client message that fails either check is dropped; if the rate limit is exceeded, the port is placed in the error-disabled state.


A DHCP server message (Offer, Ack or Nak) is only legitimate if it arrives on a "trusted" port, meaning a port that connects to the legitimate DHCP server or to the uplink toward it. If a server message arrives on an untrusted port, it is by definition coming from an unauthorized server, so the switch drops it and the client never sees the rogue offer.


Client messages that pass the checks are forwarded toward the DHCP server through the trusted port(s).


When the real DHCP server responds with a DHCP Offer and, after the client's Request, with a DHCP Ack, those messages arrive on the trusted port, so the switch forwards them to the device that requested the IP address. When the Ack completes the lease, the switch records the client's MAC address, assigned IP address, VLAN, port and lease time in the DHCP snooping binding table.


By inspecting and filtering DHCP traffic, DHCP Snooping helps to prevent rogue DHCP servers from distributing invalid or malicious IP addresses to devices on a network. This helps to improve network security by ensuring that only authorized DHCP servers are used to assign IP addresses to devices.


Configuration:



Here are the basic steps to configure DHCP Snooping on a Cisco IOS switch:


Enable DHCP Snooping globally on the switch:

Switch# configure terminal

Switch(config)# ip dhcp snooping


Enable DHCP Snooping on specific VLANs. This is a global configuration command that names the VLAN; it is not entered under the vlan configuration mode:

Switch(config)# ip dhcp snooping vlan vlan-id

This command enables DHCP Snooping on a specific VLAN.


Mark the interface that connects to the legitimate DHCP server, or the uplink toward it, as trusted:

Switch(config)# interface interface-id

Switch(config-if)# ip dhcp snooping trust


This command sets the interface as a trusted port, which means that DHCP server messages (Offer, Ack, Nak) received on it are accepted and forwarded. Interfaces that connect to DHCP clients must be left untrusted, which is the default, so they need no command. Never trust a client-facing port: a trusted port is exactly where a rogue server could answer clients unchallenged.


(Optional) Set the maximum number of DHCP messages per second on an untrusted, client-facing interface:

Switch(config)# interface interface-id

Switch(config-if)# ip dhcp snooping limit rate rate

This is an interface-level command, not a global one. It caps the rate of DHCP messages received on that port; when the rate is exceeded the switch places the port in the error-disabled state, which stops DHCP starvation floods. A port with a single client needs only a handful of DHCP packets per second.
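The filtering rules described under "How does it work?", together with the trust and rate-limit settings from the configuration above, as a small Python model of what the switch decides for each DHCP frame. This is an added example, not Cisco code and not part of the original post: the port names (Gi0/1 trusted, all others untrusted), the MAC addresses, the rate limit of 5 packets per second and the frames replayed by run_demo() are all constructed for illustration, and the IP/UDP headers are left out so that only the DHCP payload is built and parsed.

```python
"""Toy model of the per-frame decisions a DHCP snooping switch makes.
Added example for this post, not Cisco code: port names, MAC addresses and the
frames replayed in run_demo() are constructed for illustration."""
import struct
from collections import namedtuple
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values (RFC 2132)
SERVER_MESSAGES = {OFFER, ACK, NAK}                   # only a DHCP server sends these
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                           # magic cookie before the options
FIXED = struct.Struct("!BBBBIHH4s4s4s4s")             # RFC 2131 header, op .. giaddr
Frame = namedtuple("Frame", "in_port src_mac payload")  # IP/UDP headers left out

def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", xid=0x1234):
    """Build a minimal BOOTP/DHCP payload that carries only option 53."""
    op = BOOTREPLY if msg_type in SERVER_MESSAGES else BOOTREQUEST
    head = FIXED.pack(op, 1, 6, 0, xid, 0, 0, bytes(4),
                      bytes(map(int, yiaddr.split("."))), bytes(4), bytes(4))
    head += chaddr.ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    return head + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return the fields snooping needs: op, xid, chaddr, yiaddr and message type."""
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _ = FIXED.unpack_from(payload)
    opts = payload[236:]                        # 28 + 16 + 64 + 128 header bytes
    if opts[:4] != MAGIC:
        raise ValueError("not a DHCP packet")
    msg_type, i = None, 4
    while i < len(opts) and opts[i] != 255:     # 255 ends the option list
        if opts[i] == 0:                        # 0 is a pad byte
            i += 1
            continue
        if opts[i] == 53:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"op": op, "xid": xid, "chaddr": payload[28:28 + hlen],
            "type": msg_type, "yiaddr": ".".join(map(str, yiaddr))}

@dataclass
class SnoopingSwitch:
    trusted: set                      # ports facing the real DHCP server
    rate_limit: int                   # DHCP packets/second allowed per untrusted port
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port)
    pending: dict = field(default_factory=dict)   # xid -> (client MAC, port)
    counters: dict = field(default_factory=dict)  # port -> (window start, count)
    err_disabled: set = field(default_factory=set)

    def handle(self, frame, now=0.0):
        """Return 'forward' or a 'drop: ...' reason for one DHCP frame."""
        port = frame.in_port
        if port in self.err_disabled:
            return "drop: port err-disabled"
        msg = parse_dhcp(frame.payload)
        if port in self.trusted:
            # Server replies arriving on a trusted port are forwarded; an ACK
            # answering a request seen earlier creates a binding-table entry.
            if msg["type"] == ACK and msg["xid"] in self.pending:
                mac, client_port = self.pending.pop(msg["xid"])
                self.bindings[mac] = (msg["yiaddr"], client_port)
            return "forward"
        if msg["op"] == BOOTREPLY or msg["type"] in SERVER_MESSAGES:
            return "drop: server message on untrusted port"   # rogue server
        if msg["chaddr"] != frame.src_mac:                     # verify mac-address
            return "drop: chaddr does not match source MAC"
        start, count = self.counters.get(port, (now, 0))      # 1-second window
        if now - start >= 1.0:
            start, count = now, 0
        self.counters[port] = (start, count + 1)
        if count + 1 > self.rate_limit:                        # starvation defence
            self.err_disabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        self.pending[msg["xid"]] = (frame.src_mac, port)
        return "forward"

def run_demo():
    """Replay constructed frames: Gi0/1 is trusted, every other port is not."""
    sw = SnoopingSwitch(trusted={"Gi0/1"}, rate_limit=5)
    client, rogue, server = (bytes.fromhex(h) for h in
                             ("001122334455", "66778899aabb", "ccddeeff0011"))
    out = {
        "client_discover": sw.handle(Frame("Gi0/5", client, build_dhcp(DISCOVER, client))),
        "rogue_offer": sw.handle(Frame("Gi0/7", rogue, build_dhcp(OFFER, client, "10.0.0.50"))),
        "real_offer": sw.handle(Frame("Gi0/1", server, build_dhcp(OFFER, client, "10.0.0.20"))),
        "client_request": sw.handle(Frame("Gi0/5", client, build_dhcp(REQUEST, client))),
        "real_ack": sw.handle(Frame("Gi0/1", server, build_dhcp(ACK, client, "10.0.0.20"))),
        "forged_chaddr": sw.handle(Frame("Gi0/7", rogue, build_dhcp(DISCOVER, client, xid=0x99))),
    }
    # Starvation attempt: ten DISCOVERs from ten different MACs within one second.
    macs = [bytes.fromhex("aa00000000") + bytes([n]) for n in range(10)]
    out["starvation"] = [sw.handle(Frame("Gi0/9", m, build_dhcp(DISCOVER, m, xid=0x100 + n)), now=0.5)
                         for n, m in enumerate(macs)]
    return out, sw

if __name__ == "__main__":
    print(*run_demo()[0].items(), sep="\n")
```

Running it replays a normal Discover/Offer/Request/Ack exchange, a rogue Offer on an untrusted port (dropped), a Discover whose chaddr does not match the sending MAC (dropped) and a ten-packet starvation burst on one port (five pass, the sixth err-disables the port, the rest are dropped), and leaves one entry for the client in sw.bindings. The three rules in handle() are the whole feature: server messages only from trusted ports, chaddr must match the frame's source MAC on untrusted ports, and a per-port rate limit. On a real Cisco switch the equivalent state is visible with show ip dhcp snooping (global, VLAN and trusted-port state) and show ip dhcp snooping binding (the binding table).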

