DHCP Snooping

DHCP snooping is a Layer 2 security feature that lets a switch inspect the DHCP traffic passing through it and drop DHCP packets that should not be there.

A rogue DHCP server is a common tool in man-in-the-middle attacks (handing clients a malicious default gateway or DNS server) and in denial-of-service attacks (handing out unusable addresses).

DHCP snooping classifies switch ports as trusted or untrusted in order to keep unauthorized DHCP servers off the network.

Interfaces that connect to clients should never be allowed to offer a DHCP service; we enforce this by leaving them untrusted. An untrusted interface drops DHCP server messages (Offer, Ack, Nak) that arrive on it. Only an interface that has been configured as trusted is allowed to forward DHCP server messages.

When a Cisco Catalyst switch receives a DHCP Discover from a client, it forwards it only out trusted interfaces, so a rogue DHCP server sitting on an untrusted interface never sees the request in the first place.
 

Let's see how we can configure DHCP snooping.

First, enable DHCP snooping globally and then for each access VLAN it should protect:

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 100

Once it is running, the switch records the leases it sees in the DHCP snooping binding table, which you can inspect with:

SW1# show ip dhcp snooping binding
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ---------------
00:19:AA:7D:E6:88   10.1.4.6     86250       dhcp-snooping  100   FastEthernet0/3

After DHCP snooping is enabled, every port defaults to untrusted, so we need to tell the switch which port connects directly to our legitimate DHCP server (the same applies to an uplink or trunk through which DHCP replies arrive from elsewhere in the network; if that port stays untrusted, the switch drops the replies):

SW1(config)# interface FastEthernet0/3
SW1(config-if)# ip dhcp snooping trust

When DHCP snooping detects a violation, the packet is dropped and a message containing the text "DHCP_SNOOPING" is logged. Configure the switch to forward its logs to a syslog server so that these events survive the local logging buffer wrapping and can be watched centrally.
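Those syslog messages are only useful if someone is watching them. Below is an added example (not part of the original post) that triages the DHCP_SNOOPING messages from a syslog feed: it picks out drops of server-side message types (Offer, Ack, Nak) on untrusted ports and counts them per source MAC, which is the fingerprint of a rogue DHCP server. The message layout is assumed to follow the common IOS "%DHCP_SNOOPING-4-DHCP_SNOOPING_UNTRUSTED_PORT: ... message type: DHCPOFFER, MAC sa: xxxx.xxxx.xxxx" text; check it against your own platform's output. The sample log lines are constructed for the example.

```python
"""Triage Cisco IOS DHCP snooping syslog messages (added example).

Flags source MACs that sent server-side DHCP messages (OFFER/ACK/NAK)
on untrusted ports, i.e. candidate rogue DHCP servers.
"""
import re
from collections import Counter

# Message types only a DHCP *server* sends. One of these being dropped on
# an untrusted port means something other than the trusted server answered.
SERVER_MSG_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Assumed IOS message layout (modelled on the common DHCP_SNOOPING texts);
# verify against the exact wording your switch produces.
HEADER_RE = re.compile(
    r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)"
)
MSGTYPE_RE = re.compile(r"message type:\s*(?P<msgtype>DHCP[A-Z]+)")
MAC_RE = re.compile(r"MAC sa:\s*(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})")

# Constructed sample syslog output (not a real capture). Hostname/timestamp
# prefixes vary by logging setup; the parser only keys on the %DHCP_SNOOPING part.
SAMPLE_LOG = """\
Mar  1 10:02:11.301: %DHCP_SNOOPING-4-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0050.56be.1234
Mar  1 10:02:11.412: %DHCP_SNOOPING-4-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0050.56be.1234
Mar  1 10:02:12.005: %DHCP_SNOOPING-4-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0050.56be.1234
Mar  1 10:02:15.770: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 0019.aa7d.e688, MAC sa: 0019.aa7d.ffff
Mar  1 10:03:01.002: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
"""


def parse_line(line):
    """Return a dict for a DHCP_SNOOPING syslog line, or None for any other line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    mt = MSGTYPE_RE.search(body)
    mac = MAC_RE.search(body)
    return {
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "msgtype": mt.group("msgtype") if mt else None,
        "mac": mac.group("mac").lower() if mac else None,
    }


def parse_log(text):
    """Parse a block of syslog text, keeping only DHCP_SNOOPING events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def rogue_server_candidates(events, min_hits=1):
    """Count dropped server-side messages per source MAC.

    A client-side drop (e.g. a DHCPREQUEST with a bad chaddr) is not a rogue
    server, so only SERVER_MSG_TYPES on the untrusted-port mnemonic count.
    """
    hits = Counter(
        e["mac"]
        for e in events
        if e["mnemonic"] == "DHCP_SNOOPING_UNTRUSTED_PORT"
        and e["msgtype"] in SERVER_MSG_TYPES
        and e["mac"]
    )
    return {mac: n for mac, n in hits.items() if n >= min_hits}


def summarize(events):
    """Per-mnemonic counts; also surfaces chaddr mismatches and rate-limit hits."""
    return dict(Counter(e["mnemonic"] for e in events))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("event counts:", summarize(evts))
    for mac, n in rogue_server_candidates(evts).items():
        # Next step on the switch: 'show mac address-table address <mac>'
        # to find the port, then shut it or hunt down the device.
        print(f"rogue DHCP server candidate {mac}: {n} server messages dropped")
```

On the sample above the script reports 0050.56be.1234 three times and ignores the chaddr-mismatch drop, which is a different problem (a client spoofing its hardware address). Once you have the MAC, `show mac address-table address <mac>` on the switch tells you which untrusted port the rogue server sits behind.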

By: Hatem Farag | CCIE#54446

 
