
DHCP Snooping configuration: Protect against Rogue DHCP Servers

Secure your network: learn about DHCP Snooping, an effective security feature that safeguards against rogue DHCP servers.

Dynamic host configuration protocol (DHCP) is a fundamental network service in operation on most networks today. It provides IP address allocation for devices on the network, so these do not have to be configured manually. However, the threat posed by rogue DHCP servers is a concern. DHCP snooping is a security feature on many switches and acts as a guardian by making sure only trusted DHCP messages are relayed across your network. Let’s look at this security function, how it is configured, and how this feature can protect your network.

What is DHCP snooping?

DHCP snooping is a network security technique in which a switch inspects Dynamic Host Configuration Protocol (DHCP) messages as they pass through it instead of forwarding them blindly. When a client sends a DHCP request, the reply is expected to come from a trusted server. These server messages are crucial on networks of any size where IP addressing is handled automatically.

However, an attacker, or simply a misconfigured device such as a home router, can answer those requests first and act as a DHCP server. Whoever hands out the lease also hands out the default gateway and DNS servers, so a rogue server can route client traffic through an attacker-controlled host, point clients at malicious DNS, or hand out unusable addresses and deny service. DHCP snooping lets you define which switch ports are trusted sources of DHCP server replies; replies arriving on any other port are discarded, which prevents rogue DHCP servers from handing out leases to clients.

Below is a legitimate Windows DHCP server, the only device that should be handing out leases on this network.

Windows dhcp server

How it works

When DHCP snooping is enabled, the switch classifies every port as trusted or untrusted and inspects DHCP traffic accordingly. Server messages (DHCPOFFER, DHCPACK, DHCPNAK) are forwarded only when they arrive on a trusted port and are dropped on untrusted ports; client messages arriving on untrusted ports are checked and passed on. As it watches legitimate exchanges complete, the switch builds a DHCP snooping binding table that records each client's MAC address, leased IP address, lease time, VLAN, and the port it is connected to. You do not configure this table by hand; the switch learns it, and then uses it to validate later messages (a DHCPRELEASE arriving on a port other than the one holding the binding is dropped) and to feed features such as Dynamic ARP Inspection and IP Source Guard.

In practice you mark the port facing your DHCP server, or the uplink toward it, as trusted; every other port is untrusted by default. Any DHCP offer seen arriving on an untrusted port is discarded, so a rogue server plugged into an access port never gets a reply through to clients.

Below is a look at the Unifi Network application with DHCP snooping turned on globally for switches.

Unifi network application snooping
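To make the trusted/untrusted rules and the binding table concrete, here is an added Python model of what the switch does, written for this article and not taken from Cisco or any vendor's code. It parses real DHCP packet bytes, applies the checks IOS performs by default on untrusted ports (no server messages, chaddr must match the frame's source MAC, giaddr must be zero, no option 82) and builds bindings from DHCPACKs seen on the trusted port. The port names, MAC addresses, and packets are constructed test data.

```python
import struct
from collections import namedtuple

# DHCP message types (option 53) and the magic cookie that follows the BOOTP header
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
MAGIC = b"\x63\x82\x53\x63"
# op: 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server); a client must send giaddr 0.0.0.0
Dhcp = namedtuple("Dhcp", "op yiaddr giaddr chaddr options")
Binding = namedtuple("Binding", "mac ip vlan port lease")

def parse_dhcp(pkt: bytes) -> Dhcp:
    """Minimal BOOTP/DHCP parser: 236-byte fixed header, cookie, then TLV options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                             # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: ".".join(str(x) for x in b)
    mac = ":".join(f"{x:02x}" for x in pkt[28:28 + pkt[2]])   # pkt[2] = hlen
    return Dhcp(pkt[0], ip(pkt[16:20]), ip(pkt[24:28]), mac, opts)

class DhcpSnooping:
    """The per-port checks a snooping switch applies, and the binding table it learns."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # client MAC -> Binding (real switches key on MAC + VLAN)
        self.pending = {}    # client MAC -> untrusted port its last request arrived on

    def process(self, port, vlan, src_mac, pkt):
        """Return ('forward' | 'drop', reason) for a DHCP packet seen on port/vlan."""
        msg = parse_dhcp(pkt)
        mtype = msg.options.get(53, b"\x00")[0]
        if port in self.trusted:
            # Server replies are accepted here; a DHCPACK creates the binding for the
            # port on which the client's request was seen.
            if mtype == ACK and msg.yiaddr != "0.0.0.0":
                lease = struct.unpack("!I", msg.options.get(51, bytes(4)))[0]
                self.bindings[msg.chaddr] = Binding(
                    msg.chaddr, msg.yiaddr, vlan, self.pending.get(msg.chaddr), lease)
            return "forward", "trusted port"
        # Untrusted-port path: the checks IOS applies by default.
        if msg.op == 2 or mtype in (OFFER, ACK, NAK):
            return "drop", "server message on untrusted port"
        if msg.chaddr != src_mac:            # "Verification of hwaddr field"
            return "drop", "chaddr does not match frame source MAC"
        if msg.giaddr != "0.0.0.0":          # "Verification of giaddr field"
            return "drop", "non-zero giaddr on untrusted port"
        if 82 in msg.options:                # "Option 82 on untrusted port is not allowed"
            return "drop", "relay agent option 82 on untrusted port"
        if mtype in (RELEASE, DECLINE):      # must come from the port holding the binding
            b = self.bindings.get(msg.chaddr)
            if b is None or b.port != port:
                return "drop", "release/decline does not match binding"
            del self.bindings[msg.chaddr]
            return "forward", "release matches binding"
        self.pending[msg.chaddr] = port
        return "forward", "client message"

def build_dhcp(op, mtype, chaddr, yiaddr="0.0.0.0", lease=None, opt82=False):
    """Constructed test packets (not captured traffic) with the fields the checks use."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)  # op htype hlen hops xid secs flags
    hdr += bytes(4) + bytes(int(x) for x in yiaddr.split(".")) + bytes(8)  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0") + bytes(192)  # chaddr sname file
    opts = bytes([53, 1, mtype])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    if opt82:
        opts += bytes([82, 6, 1, 4, 0, 10, 0, 1])   # circuit-id sub-option with an arbitrary value
    return hdr + MAGIC + opts + b"\xff"

def run_scenario():
    """Walk one lease through a switch whose only trusted port is the uplink to the real server."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"})
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    steps = [  # (ingress port, frame source MAC, packet)
        ("Gi1/0/3", client, build_dhcp(1, DISCOVER, client)),                         # forward
        ("Gi1/0/7", rogue, build_dhcp(2, OFFER, client, "10.0.10.250")),              # drop: rogue offer
        ("Gi1/0/24", server, build_dhcp(2, OFFER, client, "10.0.10.50")),             # forward
        ("Gi1/0/3", client, build_dhcp(1, REQUEST, client)),                          # forward
        ("Gi1/0/24", server, build_dhcp(2, ACK, client, "10.0.10.50", lease=86400)),  # forward + binding
        ("Gi1/0/7", client, build_dhcp(1, RELEASE, client)),                          # drop: spoofed MAC, wrong port
        ("Gi1/0/7", rogue, build_dhcp(1, DISCOVER, rogue, opt82=True)),               # drop: option 82
        ("Gi1/0/3", client, build_dhcp(1, RELEASE, client)),                          # forward, binding removed
    ]
    decisions, learned = [], None
    for n, (port, mac, pkt) in enumerate(steps):
        decisions.append(sw.process(port, 10, mac, pkt)[0])
        if n == 4:
            learned = sw.bindings[client]   # the binding created by the DHCPACK
    return decisions, learned, dict(sw.bindings)
```

Calling run_scenario() walks a lease from DISCOVER to RELEASE: the rogue OFFER on Gi1/0/7, the RELEASE an attacker sends from the wrong port with the victim's MAC spoofed, and the client message carrying option 82 are all dropped, while the legitimate exchange completes and leaves a binding for Gi1/0/3 until the real client releases it. Real switches key bindings on MAC plus VLAN and age them out with the lease; this model keys on MAC alone for brevity.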

Key terms and concepts to understand

  • Enabling DHCP Snooping: Most managed switches have a command similar to Cisco IOS's ip dhcp snooping, which turns the feature on globally.
  • Defining Trusted and Untrusted Ports: Not all ports are equal. Ports connected to legitimate DHCP servers, or uplinks toward them, are marked trusted; ports connected to end devices stay untrusted.
  • Configuring DHCP Snooping for VLANs: On Cisco IOS, enabling the feature globally is not enough; you must also enable it on each VLAN you want protected.
  • Viewing the DHCP Snooping status and bindings: The command show ip dhcp snooping shows whether the feature is enabled, which VLANs it is configured and operational on, and which interfaces are trusted or rate limited. The learned binding table itself (leased IP addresses with their MAC addresses, VLANs, and ports) is shown by the same command with the binding keyword appended.

Below is a look at the command:

show ip dhcp snooping

On the switch below, DHCP snooping is disabled, which is the default state.

The show command for configuring snooping

Configure DHCP snooping

Let’s look at an example of DHCP snooping configuration to see how we can get DHCP snooping enabled on a Cisco switch so that only DHCP traffic from a legitimate DHCP server is allowed and DHCP attack prevention is enabled.

Step 1: Connect to the switch

First, you need to remote into your switch. You can do this using a console cable, SSH, or Telnet (hopefully not), depending on your device configuration.

Step 2: Entering Global Configuration Mode

Once logged in, enter the global configuration mode by typing the command in the CLI:

configure terminal

or

conf t

Step 3: Enabling DHCP Snooping Globally

In the global configuration mode, enable DHCP snooping for the entire device by typing the command:

ip dhcp snooping

You can also explore the command's options with the CLI's context-sensitive help by appending ? to the command, both outside of and inside global configuration mode.

Below are the options shown for the ip dhcp snooping command outside of global configuration mode.

Viewing the snooping command from outside global config

In global configuration mode, you will see the following:

Global configuration snooping command

Step 4: Enabling DHCP Snooping on VLANs

To enable DHCP snooping on specific VLANs, use the following command:

ip dhcp snooping vlan [VLAN_NUMBER]

Replace [VLAN_NUMBER] with the VLAN number(s) you want DHCP snooping enabled on.

For example, for VLAN 10, you would type:

ip dhcp snooping vlan 10
Turning snooping on for a specific vlan

If you need to enable it on multiple VLANs, list them separated by commas or give a range with a hyphen (for example, 10,20 or 10-20).

After enabling it on VLAN 10, you can view the status of DHCP snooping while still in global configuration mode by prefixing the show command with do:

do show ip dhcp snooping
Showing ip dhcp snooping after partial configuration

Step 5: Specifying Trusted Interfaces

By default, every interface on a Cisco switch is untrusted for DHCP snooping, so you must mark the trusted ones manually. A trusted interface is one facing a legitimate DHCP server, or an uplink/trunk toward another switch or the router that relays DHCP for this VLAN. Forgetting to trust that uplink is the most common snooping mistake: the moment snooping is enabled, every server reply arriving on the untrusted uplink is dropped and clients on the switch stop getting leases. To mark an interface as trusted, enter interface configuration mode and type:

config t
interface [INTERFACE_TYPE/NUMBER]
ip dhcp snooping trust

Replace [INTERFACE_TYPE/NUMBER] with your specific interface identifier, like GigabitEthernet0/1. Below, I am using a small business switch. The interface is gi1.

Adding a specific port to the trusted interfaces

After we add ip dhcp snooping trust to the interface, we can confirm it with:

show ip dhcp snooping
## from global config mode, prefix the command with do
do show ip dhcp snooping
Viewing the trusted port configuration

Step 6: Optional Configurations

Rate Limiting DHCP Traffic: On untrusted (access) ports you can cap the number of DHCP packets per second to blunt DHCP starvation and flooding attacks, in which an attacker floods DISCOVERs with random client MAC addresses to exhaust the server's pool. The command is applied in interface configuration mode:

ip dhcp snooping limit rate [PACKETS_PER_SECOND]

Replace [PACKETS_PER_SECOND] with the desired limit. A normal client sends only a handful of DHCP packets per second, so small values such as 10 to 15 pps are typical on access ports, and Cisco recommends not exceeding 100 pps on untrusted ports. Be aware that when the limit is exceeded IOS puts the port into err-disabled state, so either plan for manual recovery or enable automatic errdisable recovery for that cause. Do not rate limit trusted uplinks that carry DHCP traffic for many clients.

Step 7: Saving the Configuration

After configuring DHCP snooping, save your settings by exiting to the privileged EXEC mode and typing:

write memory

or

copy running-config startup-config
Copying running config to startup config
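Because the most common snooping failures are configuration drift (a VLAN added without snooping, an uplink left untrusted, an access port without a rate limit), a practitioner usually scripts the check. The following Python, added here and not part of the original article, renders the IOS commands for steps 3 to 6 from a small intent description and then audits a switch's show ip dhcp snooping output against that intent. The show output is a constructed sample shaped like the IOS format; the interface names, VLAN numbers, and rate limit are assumptions for the example.

```python
import re

# Constructed sample of `show ip dhcp snooping` output (not from a real switch), in the IOS format
SHOW_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/24      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/3       no         no              15
  Custom circuit-ids:
"""
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\d+|unlimited)\s*$")  # one interface row

def expand_vlans(spec: str) -> set:
    """'10,20-22' -> {10, 20, 21, 22}; IOS prints 'none' when no VLAN is configured."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_snooping(text: str) -> dict:
    """Pull the global state, VLAN lists, option 82 setting and per-interface table out of the output."""
    lines = text.splitlines()
    st = {"enabled": False, "configured": set(), "operational": set(), "option82": False, "interfaces": {}}
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Switch DHCP snooping is"):
            st["enabled"] = s.endswith(" enabled")
        elif s == "DHCP snooping is configured on following VLANs:":
            st["configured"] = expand_vlans(lines[i + 1])
        elif s == "DHCP snooping is operational on following VLANs:":
            st["operational"] = expand_vlans(lines[i + 1])
        elif s.startswith("Insertion of option 82 is"):
            st["option82"] = s.endswith(" enabled")
        elif (m := ROW.match(line)):
            st["interfaces"][m[1]] = {"trusted": m[2] == "yes",
                                      "rate": None if m[4] == "unlimited" else int(m[4])}
    return st

def render_config(vlans, trusted_ports, access_ports, max_rate=15):
    """IOS commands for the intended state: the article's steps 3 to 6 plus errdisable recovery."""
    cfg = ["ip dhcp snooping",
           "ip dhcp snooping vlan " + ",".join(str(v) for v in sorted(vlans)),
           "errdisable recovery cause dhcp-rate-limit"]
    for p in trusted_ports:
        cfg += [f"interface {p}", " ip dhcp snooping trust"]
    for p in access_ports:
        cfg += [f"interface {p}", f" ip dhcp snooping limit rate {max_rate}"]
    return cfg

def audit(state, vlans, trusted_ports, access_ports, max_rate=15):
    """Compare what the switch reports with the intended state; each finding is a likely outage or gap."""
    f = []
    if not state["enabled"]:
        f.append("DHCP snooping is globally disabled")
    for v in sorted(vlans - state["configured"]):
        f.append(f"VLAN {v}: snooping not configured")
    for v in sorted(state["configured"] - state["operational"]):
        f.append(f"VLAN {v}: configured but not operational (does the VLAN exist on this switch?)")
    for p in trusted_ports:
        if not state["interfaces"].get(p, {}).get("trusted"):
            f.append(f"{p}: server/uplink port is untrusted; clients behind it get no leases")
    for p in access_ports:
        e = state["interfaces"].get(p, {"trusted": False, "rate": None})  # absent rows are untrusted, unlimited
        if e["trusted"]:
            f.append(f"{p}: access port is trusted; a rogue server here would be accepted")
        if e["rate"] is None or e["rate"] > max_rate:
            f.append(f"{p}: no DHCP rate limit of {max_rate} pps or lower")
    return f

INTENT = dict(vlans={10, 20, 30},
              trusted_ports=["GigabitEthernet1/0/24", "GigabitEthernet1/0/48"],
              access_ports=["GigabitEthernet1/0/3", "GigabitEthernet1/0/4"])

if __name__ == "__main__":
    print("\n".join(render_config(**INTENT)))
    for finding in audit(parse_show_snooping(SHOW_OUTPUT), **INTENT):
        print("FINDING:", finding)
```

Against the sample output the audit reports three findings: VLAN 30 has no snooping, the second uplink GigabitEthernet1/0/48 is untrusted, and GigabitEthernet1/0/4 has no rate limit. Interfaces that never appear in the table are treated as untrusted with no limit, which is exactly what IOS does for ports you have not touched. The option 82 insertion state is parsed as well so you can add a finding for it if your DHCP server or upstream switch does not accept the option.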

Real-World Application

Note the following use cases that can help understand the benefits of DHCP snooping protection and how it can be used.

  1. Corporate Office Network: In a corporate setting, DHCP snooping protects the internal network from unauthorized DHCP servers introduced, usually inadvertently, by employees or visitors. If someone plugs a home router with DHCP enabled into a wall jack, it starts answering DISCOVERs with addresses, a gateway, and DNS from its own range, and the clients that accept them lose connectivity. Snooping drops those offers at the access port so only the authorized corporate DHCP server can assign addresses.
  2. University Campus Network: Educational institutions have large networks that are already split into VLANs for administrative offices, classrooms, and student dorms. Because snooping is enabled per VLAN and trusts only the ports toward each VLAN's designated server, a student running a DHCP server in a dorm room cannot affect that VLAN, let alone the others.
  3. Internet Service Providers (ISPs): ISPs apply snooping on the access switches serving residential or business customers so that one customer's device cannot answer DHCP requests from another customer's, which would let it misdirect their traffic or cause address conflicts.
  4. Data Centers: Where multiple clients share switching infrastructure, snooping prevents one client's DHCP server from serving addresses to ports that belong to another client, preserving the isolation each client expects.
  5. Public Wi-Fi Networks: In cafes, airports, or hotels, snooping on the wired side, combined with client isolation on the wireless side, keeps guests from introducing rogue DHCP servers, protecting both the network and other users from IP conflicts and traffic interception.
  6. Conference Venues: At events with temporary network setups, snooping ensures only the event-authorized DHCP servers can respond, preventing disruptions during critical presentations or activities.
  7. Apartment Complexes: In shared living spaces with communal internet access, the managing network service uses snooping to prevent tenants from inadvertently or maliciously running their own DHCP servers.

Dealing with Rogue DHCP Servers

As mentioned, a rogue DHCP server disrupts network operations by issuing incorrect addresses, gateways, or DNS servers. With DHCP snooping deployed, its offers and acknowledgments never leave the untrusted port they arrive on, so it cannot reach clients. It is the trusted/untrusted port classification that blocks the rogue server's replies; the binding database the switch builds from legitimate leases is then used to validate client-side messages such as releases and, more importantly, feeds the following advanced features:

Advanced Features

  • IP Source Guard: IP Source Guard filters IP traffic on untrusted ports against the binding table, so a host can only send from the address (and optionally the MAC) that DHCP actually leased to that port. Spoofed source addresses and self-assigned static addresses are dropped.
  • Dynamic ARP Inspection (DAI): DAI checks the sender MAC and IP in ARP packets from untrusted ports against the binding table and drops mismatches, which defeats ARP spoofing and the man-in-the-middle attacks built on it.

Frequently Asked Questions about DHCP Snooping

How does DHCP snooping enhance network security?

DHCP snooping acts as a safeguard by validating DHCP messages on your network. It ensures that only authorized DHCP servers can assign IP addresses, protecting against rogue server attacks which can lead to network disruptions.

Can DHCP snooping impact network performance?

In general, it has minimal impact on performance: the switch scrutinizes only DHCP traffic, which is a tiny fraction of the total, and rate limiting keeps the untrusted-port load bounded. The real risk is operational rather than performance. Forgetting to trust the uplink toward the DHCP server blocks every legitimate reply, and Cisco IOS inserts DHCP option 82 (relay agent information) into client requests by default, which some DHCP servers reject and which an upstream switch running snooping drops on its own untrusted port unless told to allow it. If clients stop getting leases right after you enable snooping, check those two settings first.

Is DHCP snooping compatible with all network switches?

Not all switches support the snooping function. It’s primarily available on managed switches, particularly those designed for enterprise networks. Always check your switch’s specifications or documentation for compatibility.

How do I balance between trusted and untrusted ports in DHCP snooping?

The key is in correctly identifying which ports connect to DHCP servers (trusted) and which connect to end-user devices (untrusted). This classification is critical to prevent rogue DHCP servers from connecting through untrusted ports.

Does DHCP snooping work across multiple VLANs?

Yes, it can be configured across multiple VLANs. Each VLAN can be individually set for snooping, allowing for tailored protection based on the network architecture and VLAN distribution.

What happens if a legitimate DHCP server is mistakenly marked as untrusted?

If a legitimate DHCP server, or the uplink leading to it, is left untrusted, its replies are dropped and clients on that switch fail to obtain addresses. Correctly classifying trusted and untrusted ports is essential to avoid this outage.

How does DHCP snooping interact with dynamic ARP inspection (DAI) and IP Source Guard?

DHCP snooping is often used together with DAI and IP Source Guard, and both depend on it: the DHCP snooping binding database is their source of truth. DAI validates ARP packets against it to stop ARP spoofing, and IP Source Guard validates IP source addresses against it, giving a layered defense against spoofing at layers 2 and 3. Enabling DAI or IP Source Guard without snooping, or without bindings for hosts that use static addresses, cuts those hosts off.
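To show what DAI and IP Source Guard actually check, as described in the Advanced Features list and in this answer, here is an added Python model written for this article (not vendor code) of the two lookups against a constructed binding table: DAI matches an ARP packet's sender MAC/IP pair to a binding on the VLAN, and IP Source Guard matches a packet's source IP, and optionally its MAC, to a binding on the exact ingress port. Port names, MACs, and addresses are made up, and the match rules are simplified from Cisco's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

# Constructed binding table, as DHCP snooping would have learned it from two completed leases.
BINDINGS = (
    Binding("00:11:22:33:44:55", "10.0.10.50", 10, "Gi1/0/3"),
    Binding("00:11:22:33:44:66", "10.0.10.51", 10, "Gi1/0/4"),
)
TRUSTED = {"Gi1/0/24"}   # uplink: DAI and IPSG do not inspect trusted ports

def dai_allows(port, vlan, sender_mac, sender_ip, bindings=BINDINGS):
    """Dynamic ARP Inspection: an ARP packet from an untrusted port passes only if its sender
    MAC/IP pair is a binding on that VLAN, so nobody can claim another host's or the gateway's IP."""
    if port in TRUSTED:
        return True
    return any(b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip for b in bindings)

def ipsg_allows(port, vlan, src_mac, src_ip, bindings=BINDINGS, check_mac=True):
    """IP Source Guard: an IP packet from an untrusted port passes only if its source IP (and,
    with port security, its source MAC) is bound to that exact port; everything else is dropped."""
    if port in TRUSTED:
        return True
    return any(b.port == port and b.vlan == vlan and b.ip == src_ip
               and (not check_mac or b.mac == src_mac) for b in bindings)

def run_checks():
    """A legitimate host on Gi1/0/3, a second host on Gi1/0/4, and an attacker on Gi1/0/7 with no lease."""
    return {
        "legit_arp":  dai_allows("Gi1/0/3", 10, "00:11:22:33:44:55", "10.0.10.50"),
        "gw_spoof":   dai_allows("Gi1/0/7", 10, "de:ad:be:ef:00:01", "10.0.10.1"),    # poison the gateway IP
        "host_spoof": dai_allows("Gi1/0/7", 10, "de:ad:be:ef:00:01", "10.0.10.50"),   # claim a victim's IP
        "legit_ip":   ipsg_allows("Gi1/0/3", 10, "00:11:22:33:44:55", "10.0.10.50"),
        "stolen_ip":  ipsg_allows("Gi1/0/4", 10, "00:11:22:33:44:66", "10.0.10.50"),  # IP bound to another port
        "no_lease":   ipsg_allows("Gi1/0/7", 10, "de:ad:be:ef:00:01", "10.0.10.99"),  # hand-set IP, no lease
        "trusted":    ipsg_allows("Gi1/0/24", 10, "aa:bb:cc:00:00:01", "10.0.10.1"),
    }
```

Note the stolen_ip and no_lease cases: IP Source Guard also drops traffic from hosts that set an address by hand, so servers and printers on snooping-protected ports need static entries in the binding table before IP Source Guard is turned on.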

Are there any special considerations for DHCP snooping in wireless networks?

In wireless networks, the access point or controller connects to a switch port like any other end device, so the wired-side configuration is the same as above and that port stays untrusted unless the controller itself relays DHCP. Wireless LAN controllers add their own DHCP protections, such as requiring clients to obtain an address through DHCP before they can pass traffic, and that configuration differs from vendor to vendor.

Can DHCP snooping help in IP address management?

While it is not a tool for IP address management, the information in its binding database can provide insights into IP address usage and lease information, which can be valuable for network administrators.

Wrapping up

DHCP snooping is a simple, high-value way to harden your network against DHCP attacks. Marking only the server-facing and uplink interfaces as trusted stops attackers from standing up rogue DHCP servers, disrupting network traffic, and compromising clients, and the binding table it builds is the foundation for Dynamic ARP Inspection and IP Source Guard. Each switch vendor handles the configuration differently, but the principles and technology work the same across the board.


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
