DHCP Snooping

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

- Validates DHCP messages received from untrusted sources and filters out invalid messages.

- Rate-limits DHCP traffic from trusted and untrusted sources.

- Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

- Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Other security features, such as dynamic ARP inspection (DAI), which is described in the next section, also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

As mentioned previously, DHCP spoofing attacks take place when devices purposely attempt to generate enough DHCP requests to exhaust the number of IP addresses allocated to a DHCP pool.

The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
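To make the filtering, rate-limiting and binding-database behavior described above concrete, the following Python model is added here; it is not code from the book or from Cisco IOS, and the port names, MAC addresses and message fields it uses are constructed for illustration. It applies the checks that the switch output in Example 9-12 lists (server messages, option 82, giaddr and hwaddr validation on untrusted ports) and learns bindings from server ACKs arriving on a trusted port.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from a trusted, server-facing port

@dataclass
class Msg:                    # constructed, simplified view of one DHCP packet
    port: str                 # ingress interface, e.g. "Fa1/0/24"
    src_mac: str              # Ethernet source MAC
    chaddr: str               # client hardware address field in the DHCP payload
    kind: str                 # DISCOVER, REQUEST, RELEASE, OFFER, ACK, NAK
    giaddr: str = "0.0.0.0"   # relay agent address; non-zero only when relayed
    yiaddr: str = ""          # address handed out in an OFFER/ACK
    option82: bool = False    # relay agent information option present

@dataclass
class Snooper:
    trusted: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)   # port -> packets per second
    counts: dict = field(default_factory=lambda: defaultdict(int))  # clear() once per second
    errdisabled: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)      # chaddr -> client port awaiting ACK
    bindings: dict = field(default_factory=dict)     # chaddr -> (ip, client port)

    def check(self, m: Msg) -> str:          # returns 'forward' or a 'drop: ...' reason
        if m.port in self.errdisabled:
            return "drop: port err-disabled"
        self.counts[m.port] += 1             # limit applies to trusted and untrusted ports
        if self.counts[m.port] > self.rate_limit.get(m.port, float("inf")):
            self.errdisabled.add(m.port)     # exceeding the limit err-disables the port
            return "drop: rate limit exceeded, port err-disabled"
        if m.port in self.trusted:           # server side: learn bindings, never filter
            if m.kind == "ACK" and m.yiaddr and m.chaddr in self.pending:
                self.bindings[m.chaddr] = (m.yiaddr, self.pending.pop(m.chaddr))
            return "forward"
        if m.kind in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if m.option82:
            return "drop: option 82 on untrusted port"
        if m.giaddr != "0.0.0.0":
            return "drop: giaddr set on untrusted port"
        if m.chaddr != m.src_mac:
            return "drop: chaddr does not match source MAC"
        if m.kind == "RELEASE" and self.bindings.get(m.chaddr, ("", ""))[1] != m.port:
            return "drop: RELEASE does not match a binding on this port"
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[m.chaddr] = m.port  # remember which port asked
        return "forward"
```

A RELEASE from a port other than the one that obtained the lease is rejected against the binding table, which is the same check that dynamic ARP inspection later reuses.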

The following steps are required to implement DHCP snooping on your network:

Step 1. Define and configure the DHCP server. Configuration of this step does not take place on the switch or router and is beyond the scope of this book.

Step 2. Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is inactive on all VLANs.

Step 3. Ensure that the DHCP server is connected through a trusted interface.

By default, the trust state of all interfaces is untrusted.

Step 4. Configure the DHCP snooping database agent. This step ensures that database entries are restored after a restart or switchover.

Step 5. Enable DHCP snooping globally.

The DHCP snooping feature is not active until you complete this step.

Example 9-12 provides the configuration details necessary to implement DHCP snooping to mitigate the effects of DHCP spoofing attacks.


Example 9-12 Configuring DHCP Snooping

! Enable DHCP Snooping Globally
sw2(config)# ip dhcp snooping
! Enable DHCP Snooping on VLAN 10
sw2(config)# ip dhcp snooping vlan 10
! Configure Interface Fa1/0/24 as a Trusted interface
sw2(config)# interface fa1/0/24
sw2(config-if)# ip dhcp snooping trust
sw2(config-if)# exit
! Configure the DHCP snooping database agent to store the bindings at a given location
sw2(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file
sw2(config)# exit
sw2#
! Verify DHCP Snooping Configuration
sw2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 000f.90df.3400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet1/0/24         yes        yes             unlimited
  Custom circuit-ids:
