Networking

DHCP Snooping configuration: Protect against Rogue DHCP Servers

Secure your network: learn about DHCP Snooping, an effective security feature that safeguards against rogue DHCP servers.

Dynamic host configuration protocol (DHCP) is a fundamental network service in operation on most networks today. It provides IP address allocation for devices on the network, so these do not have to be configured manually. However, the threat posed by rogue DHCP servers is a concern. DHCP snooping is a security feature on many switches and acts as a guardian by making sure only trusted DHCP messages are relayed across your network. Let’s look at this security function, how it is configured, and how this feature can protect your network.

What is DHCP snooping?

DHCP snooping is a network security technique that monitors Dynamic Host Configuration Protocol (DHCP) messages on a network. When clients make DHCP requests, it is expected that a DHCP reply will come from a trusted source. These DHCP server messages are crucial on small to large networks where IP addressing is handled automatically/dynamically.

However, hackers can act as DHCP servers to attack systems on the network and disrupt or deny network communication between devices or another network device. You can configure trusted and untrusted sources for DHCP replies for better security. These prevent malicious or rogue DHCP servers from handing out IP addresses to DHCP clients.

Below is a trusted DHCP server that is allowed to hand out DHCP IP addresses.

Windows dhcp server
Windows dhcp server

How it works

When it is enabled, the network switch inspects DHCP traffic. It can identify and filter out potentially malicious DHCP messages from untrusted sources. This is configured by a DHCP snooping binding table. This table records a mapping of each connected device’s MAC address, IP address, lease time, and associated VLAN, helping you to know that DHCP is being handled only by authorized DHCP servers.

Also, you can define a trusted port where an authorized DHCP message is allowed to come across. The other ports are viewed as untrusted. If DHCP offers are seen coming across untrusted ports, these can be blocked.

Below is a look at the Unifi Network application with DHCP snooping turned on globally for switches.

Unifi network application snooping
Unifi network application snooping

Key terms and concepts to understand

  • Enabling DHCP Snooping: To activate DHCP snooping, most switches have a command similar to ip dhcp snooping command (familiar in Cisco IOS)
  • Defining Trusted and Untrusted Ports: Not all network ports are equal. Some are designated as trusted, connected to legitimate DHCP servers, while others are untrusted, connected to end devices.
  • Configuring DHCP Snooping for VLANs: In multi-VLAN environments, you can enable DHCP snooping on specific VLANs
  • Viewing the DHCP Snooping Database: The command show ip dhcp snooping provides a snapshot of the current DHCP snooping database, showing details about leased IP addresses and their associated MAC addresses.

Below is a look at command:

show ip dhcp snooping

In the switch below, the snooping configuration is disabled.

The show command for configuring snooping
The show command for configuring snooping

Configure DHCP snooping

Let’s look at an example of DHCP snooping configuration to see how we can get DHCP snooping enabled on a Cisco switch so that only DHCP traffic from a legitimate DHCP server is allowed and DHCP attack prevention is enabled.

Step 1: Connect to the switch

First, you need to remote into your switch. You can do this using a console cable, SSH, or Telnet (hopefully not), depending on your device configuration.

Step 2: Entering Global Configuration Mode

Once logged in, enter the global configuration mode by typing the command in the CLI:

configure terminal

or

conf t

Step 3: Enabling DHCP Snooping Globally

In the global configuration mode, enable DHCP snooping for the entire device by typing the command:

ip dhcp snooping

You can also view the commands in the non-global configuration and global configuration modes.

Below are the options you see with the ip dhcp snooping command outside of global configuration mode.

Turning on ip dhcp snooping
Viewing snooping command from non global config

In global configuration mode, you will see the following:

Global configuration snooping command
Global configuration snooping command

Step 4: Enabling DHCP Snooping on VLANs

To enable DHCP snooping on specific VLANs, use the following command:

ip dhcp snooping vlan [VLAN_NUMBER]

Replace [VLAN_NUMBER] with the actual VLAN number(s) you want to enable DHCP snooping on.

For example, for VLAN 10, you would type:

ip dhcp snooping vlan 10
Turning snooping on for a specific vlan
Turning snooping on for a specific vlan

If you need to enable it on multiple VLANs, separate the VLAN numbers with a comma or specify a range.

After enabling on vlan 10, you can run the following command to view the status of DHCP snooping on your switch if you are still in global configuration mode:

do show ip dhcp snooping
Showing ip dhcp snooping after partial configuration
Showing ip dhcp snooping after partial configuration

Step 5: Specifying Trusted Interfaces

By default, all interfaces on a Cisco device are untrusted for DHCP snooping. You need to specify which interfaces are trusted manually. A trusted interface is typically connected to a legitimate DHCP server or another trusted switch. To mark an interface as trusted, go to the interface configuration mode and type:

config t
interface [INTERFACE_TYPE/NUMBER]
ip dhcp snooping trust

Replace [INTERFACE_TYPE/NUMBER] with your specific interface identifier, like GigabitEthernet0/1. Below, I am using a small business switch. The interface is gi1.

Adding a specific port to the trusted interfaces
Adding a specific port to the trusted interfaces

After we add the ip dhcp snooping trust for the interface, we can check the interface with the command:

show ip dhcp snooping
## in global config mode
do show ip dhcp snooping
Viewing the trusted port configuration
Viewing the trusted port configuration

Step 6: Optional Configurations

Rate Limiting DHCP Traffic: You can limit the number of DHCP packets on untrusted ports to prevent DHCP flooding attacks. Use the command:

ip dhcp snooping limit rate [PACKETS_PER_SECOND]

Replace [PACKETS_PER_SECOND] with the desired rate limit.

Step 7: Saving the Configuration

After configuring DHCP snooping, save your settings by exiting to the privileged EXEC mode and typing:

write memory

or

copy running-config startup-config
Copying running config to startup config
Copying running config to startup config

Real-World Application

Note the following use cases that can help understand the benefits of DHCP snooping protection and how it can be used.

  1. Corporate Office Network: In a corporate setting, it is important for protecting the internal network from unauthorized DHCP servers introduced inadvertently by employees or visitors. For instance, if someone connects a router with DHCP capabilities to the network, it could start assigning IP addresses, causing network conflicts. It prevents this by ensuring only the authorized corporate DHCP server can assign IP addresses.
  2. University Campus Network: Educational institutions often have large and complex networks. Here, DHCP snooping can be used to segment different parts of the network, like administrative offices, classrooms, and student dorms. So, it ensures that only the designated DHCP server for each segment can respond to DHCP requests, maintaining order and security across the vast network.
  3. Internet Service Providers (ISPs): ISPs use snooping to manage residential or business customers. It helps prevent malicious users from setting up unauthorized DHCP servers, which could misdirect other users’ traffic or lead to IP address conflicts within the network.
  4. Data Centers: In data center environments, where hosting multiple clients on shared infrastructure is common, it can be used to prevent one client’s DHCP server from serving IP addresses to another client’s network. This isolation helps maintain security for each client hosted in the data center.
  5. Public Wi-Fi Networks: In places like cafes, airports, or hotels, where public Wi-Fi is provided, it can be used to prevent guests or unauthorized users from introducing rogue DHCP servers into the network. This is important for protecting both the network and the users from potential IP conflicts and security breaches.
  6. Conference Venues: During events and conferences, where temporary network setups are common, DHCP snooping ensures that only the event-authorized DHCP servers are active. This prevents unauthorized network access or disruptions during critical presentations or activities.
  7. Apartment Complexes: In shared living spaces with communal internet access, DHCP snooping can be used by the managing network service to prevent tenants from inadvertently or maliciously setting up their own DHCP servers.

Dealing with Rogue DHCP Servers

As we have mentioned, a rogue DHCP server can disrupt network operations by issuing incorrect IP addresses. These unauthorized servers are effectively blocked from impacting the network by deploying DHCP snooping. The DHCP snooping binding database verifies the authenticity of DHCP messages. Note the following advanced features:

Advanced Features

  • IP Source Guard: IP Source Guard provides additional security by ensuring that IP traffic is received from the legitimate source.
  • Dynamic ARP Inspection (DAI): DAI prevents malicious ARP spoofing attacks, further fortifying network security.

Frequently Asked Questions about DHCP Snooping

How does DHCP snooping enhance network security?

DHCP snooping acts as a safeguard by validating DHCP messages on your network. It ensures that only authorized DHCP servers can assign IP addresses, protecting against rogue server attacks which can lead to network disruptions.

Can DHCP snooping impact network performance?

In general, it has a minimal impact on network performance. It simply scrutinizes DHCP traffic, which is a small portion of total network traffic. However, improper configuration can lead to issues like blocking legitimate DHCP responses, so careful setup is crucial.

Is DHCP snooping compatible with all network switches?

Not all switches support the snooping function. It’s primarily available on managed switches, particularly those designed for enterprise networks. Always check your switch’s specifications or documentation for compatibility.

How do I balance between trusted and untrusted ports in DHCP snooping?

The key is in correctly identifying which ports connect to DHCP servers (trusted) and which connect to end-user devices (untrusted). This classification is critical to prevent rogue DHCP servers from connecting through untrusted ports.

Does DHCP snooping work across multiple VLANs?

Yes, it can be configured across multiple VLANs. Each VLAN can be individually set for snooping, allowing for tailored protection based on the network architecture and VLAN distribution.

What happens if a legitimate DHCP server is mistakenly marked as untrusted?

If a legitimate DHCP server is marked as untrusted, its DHCP responses will be filtered out, leading to a failure in IP address allocation to clients connected to that server. Correctly configuring trusted and untrusted ports is essential to avoid this issue.

How does DHCP snooping interact with dynamic ARP inspection (DAI) and IP Source Guard?

It is often used in conjunction with DAI and IP Source Guard for enhanced security. DAI relies on DHCP snooping database to prevent ARP spoofing, while IP Source Guard uses snooping data to ensure IP address integrity, providing a layered defense mechanism.

Are there any special considerations for DHCP snooping in wireless networks?

In wireless networks, It is configured on the wireless LAN controllers and access points. The principles remain the same, but the configuration might differ slightly from wired networks.

Can DHCP snooping help in IP address management?

While it is not a tool for IP address management, the information in its binding database can provide insights into IP address usage and lease information, which can be valuable for network administrators.

Wrapping up

DHCP snooping configuration is a great way to increase the security of your network and bolster security measures against DHCP attacks. Setting up the network interfaces to assign trusted interfaces for DHCP messages helps prevent attackers from standing up rogue DHCP servers, disrupting network traffic, and compromising clients. Keep in mind that each switch vendor will handle this configuration differently, but the principles and technology generally work the same across the board.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.