What is DHCP Snooping?
DHCP snooping is a security feature used on layer 2 switched networks. It tracks packets and blocks any untrusted data from being sent to the network. A DHCP snooper will intercept, process, and relay DHCP messages between devices on the same VLAN or broadcast domain. This prevents rogue systems from injecting false information into a conversation. In this post, we will go over some of the benefits that come with implementing DHCP snooping in your environment as well as how to configure it for different network scenarios.
What does DHCP snooping do?
DHCP snooping can be used on networks that contain untrusted layer two devices, such as a switch, wireless access point, or other network device. It provides protection against attacks by ensuring your DHCP server is not participating in any malicious activity and by securing the communication taking place between clients and servers.
DHCP snooping works by checking the source IP address of incoming packets and then checking whether the device is allowed on your network. This is done by looking at a list you have set up called an Access Control List (ACL). If the packet matches an entry in this list, the switch creates a binding of the source IP address, VLAN ID, and port, which is stored in an area called the DHCP snooping table for later reference.
What are some of the benefits of implementing DHCP Snooping?
So why should you want to implement DHCP snooping on your network? Here are just some of the benefits that come with it:
- It will block rogue DHCP servers from sending out incorrect or malicious information when a client requests an IP address.
- It provides protection against attacks in which rogue devices inject packets into your network, such as ARP poisoning and other denial-of-service (DoS) attacks.
- By using port security you can stop DoS attacks such as MAC flooding.
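As an added example (not code from the article), the snooping decision described above and the rogue-server protection from the list, modelled in Python: ports toward the real DHCP server are marked trusted, server replies arriving on any other port are dropped, and each acknowledged lease is recorded as a binding of address, VLAN and client port that later RELEASE/DECLINE messages are checked against. The model learns bindings from the server's ACK rather than from an ACL, and the message types, port names and addresses are constructed.

```python
from dataclasses import dataclass
# Added example (not from the article): a minimal model of the per-message
# decision a DHCP snooping switch makes. Ports facing the real DHCP server
# are "trusted"; all others are untrusted. Names and addresses are constructed.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these
@dataclass(frozen=True)
class DhcpMsg:
    kind: str        # DHCP message type, e.g. "DISCOVER" or "ACK"
    client_mac: str  # chaddr: the client the message is about
    yiaddr: str      # address assigned to the client (meaningful in ACK)
    vlan: int        # VLAN the message arrived on
    port: str        # switch port the message arrived on

class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client_mac -> (vlan, port) seen in DISCOVER/REQUEST
        self.bindings = {}  # client_mac -> (ip, vlan, port): the snooping table
        self.dropped = []   # (reason, msg): what an operator would see logged

    def process(self, msg):
        """Return True if the switch forwards the message, False if it drops it."""
        if msg.kind in SERVER_MSGS:
            if msg.port not in self.trusted:  # server reply on an access port
                self.dropped.append(("rogue-server", msg))
                return False
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                vlan, port = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.yiaddr, vlan, port)
            return True
        if msg.kind in ("RELEASE", "DECLINE") and msg.client_mac in self.bindings:
            # A lease may only be released from the port that holds its binding.
            _, vlan, port = self.bindings[msg.client_mac]
            if (vlan, port) != (msg.vlan, msg.port):
                self.dropped.append(("binding-mismatch", msg))
                return False
            del self.bindings[msg.client_mac]
        elif msg.kind in ("DISCOVER", "REQUEST"):
            self.pending[msg.client_mac] = (msg.vlan, msg.port)
        return True

def demo():
    sw = DhcpSnooper(trusted_ports={"Gi1/0/24"})  # uplink to the real server
    mac = "00:11:22:33:44:55"
    sw.process(DhcpMsg("DISCOVER", mac, "0.0.0.0", 10, "Gi1/0/3"))
    rogue = sw.process(DhcpMsg("OFFER", mac, "10.0.0.200", 10, "Gi1/0/7"))
    sw.process(DhcpMsg("REQUEST", mac, "0.0.0.0", 10, "Gi1/0/3"))
    sw.process(DhcpMsg("ACK", mac, "10.0.0.50", 10, "Gi1/0/24"))
    spoofed = sw.process(DhcpMsg("RELEASE", mac, "10.0.0.50", 10, "Gi1/0/9"))
    return rogue, spoofed, sw.bindings[mac], [reason for reason, _ in sw.dropped]
```

Running demo() shows the rogue OFFER and the RELEASE from the wrong port both dropped, while the binding for the client survives on its real port.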
How do you configure DHCP snooping?
There are multiple ways to configure DHCP snooping, and we will look at two of them here: static binding and dynamic VLAN assignment.
Static binding: The first method uses a list of IP addresses that you enter manually into your configuration. This is a good option if you have only a few DHCP servers or clients that need to be bound. You enter each MAC address along with the IP address and VLAN number it belongs to.
Dynamic VLAN assignment: This method works best when you want all devices to receive an IP address from a specific pool of available networks while retaining granular control over which users are allowed on those VLANs.
In this method, you create a pool of available IP addresses and then assign specific port numbers to each one. Each device will be assigned an available address from your list along with a corresponding access VLAN ID as it connects through DHCP snooping.
This is a great option for allowing users on your network access to specific resources or networks based upon the device they are using.
How do you enable DHCP snooping?
To enable DHCP snooping on your switch, follow these steps:
- Configure a VLAN for untrusted users to connect through. This should be the same as any other VLAN you want to protect, such as guest or employee networks.
- Configure port security and assign an access list number (ACL) that will limit the DHCP snooping binding to that specific port. This is needed because the switch will automatically put untrusted devices into VLAN 99 by default if you don’t configure this step.
- Enable DHCP snooping on the ACL configured in the previous step and set bind checking for all interfaces, either globally or on a per-interface basis.
You can verify your DHCP snooping configuration with the following command: “show ip dhcp snooping”
This is how you configure DHCP Snooping on your network. We will look at Port Security in another article to see how it works and what benefits that brings as well.
Should I use DHCP snooping?
Now that you know a little more about what DHCP snooping is and how it works, we can touch on the benefits of using this security feature. If your network environment has untrusted layer two devices such as wireless access points or switches in use, then implementing DHCP snooping will provide protection against attacks involving rogue DHCP servers injecting packets into your network.
It will also provide protection against attacks such as ARP poisoning and other DoS-type attacks that involve spoofing or flooding the DHCP server with fake requests to gain access to a specific IP address on your VLANs or broadcast domain.
DHCP snooping can also provide protection against MAC spoofing in the event someone tries to use a device that has already been assigned an IP address by your DHCP server. This is done with port security, which we will look at later on, so be sure to subscribe and keep checking back for more information.
How do I get rid of DHCP snooping?
You should remove DHCP snooping from your network environment if you no longer have any untrusted layer two devices, such as wireless access points or switches, in use. This is because these rogue devices could potentially cause an issue with the way DHCP snooping operates and cause problems when trying to provide security on your switch ports.
Blocking Downstream DHCP Packets
Blocking downstream packets simply means that switches can be configured to ignore all traffic from a specific IP address. This is useful when you have an IP pool for your network devices and need to ensure they are not accessed by anyone but yourself or other trusted sources.
To configure port security on your switch ports, follow the steps below:
- Enable port security on your desired interface(s) by setting a maximum number of allowed MAC addresses.
- Optionally configure the violation mode to either restrict or shut down the offending switch port if it exceeds its configured maximum number of allowed addresses.
- Configure an IP address that will be used for this specific VLAN’s DHCP snooping. This can be configured per interface or globally for all interfaces, depending on your needs and the network environment you are working in.
DHCP snooping provides a layer of security to prevent attacks from untrusted devices that have been given IP addresses by your switch’s Dynamic Host Configuration Protocol (DHCP) server. DHCP snooping also provides protection against MAC spoofing by ensuring that it does not allow a device to obtain an IP address unless its physical port is trusted.