DHCP snooping is a Layer 2 security feature that acts as a firewall between untrusted hosts and trusted DHCP servers on your network. This technology helps prevent various attacks such as DHCP spoofing, man-in-the-middle attacks, and IP address theft.
When DHCP snooping is enabled, the switch builds and maintains a DHCP snooping binding table, also known as a binding database. This table contains information about untrusted hosts with leased IP addresses, including MAC addresses, IP addresses, lease times, VLAN assignments, and interface information.
The concept revolves around trusted and untrusted ports. Trusted ports are typically those connected to legitimate DHCP servers or uplinks to other switches, while untrusted ports connect to end-user devices. By default, all ports are considered untrusted when DHCP snooping is enabled.
On untrusted ports, the switch performs several validation checks on DHCP messages. It drops DHCP server messages such as DHCPOFFER, DHCPACK, and DHCPNAK, because these should only arrive from legitimate servers on trusted ports. The switch also verifies that the client hardware address carried in DHCP client messages matches the frame's source MAC address, preventing MAC spoofing attempts.
DHCP snooping provides protection against rogue DHCP servers that attackers might deploy to distribute false network configuration information. When a malicious actor attempts to respond to DHCP requests through an untrusted port, the switch drops these packets.
Configuration involves enabling DHCP snooping globally and per VLAN, then designating trusted interfaces. The binding table created by DHCP snooping is also utilized by other security features like Dynamic ARP Inspection (DAI) and IP Source Guard, creating a comprehensive security framework.
This feature is essential in enterprise environments where network security is paramount. It ensures that only authorized DHCP servers can assign IP addresses and that client devices receive legitimate network configuration, maintaining network integrity and preventing common Layer 2 attacks.
DHCP Snooping: A Complete Guide for CCNA
What is DHCP Snooping?
DHCP Snooping is a Layer 2 security feature that acts as a firewall between untrusted hosts and trusted DHCP servers. It validates DHCP messages received from untrusted sources and filters out invalid messages, protecting the network from rogue DHCP server attacks and DHCP starvation attacks.
Why is DHCP Snooping Important?
DHCP Snooping is critical for network security because:
• Prevents Rogue DHCP Servers: Attackers can set up fake DHCP servers to distribute incorrect IP configurations, redirecting traffic through their systems for man-in-the-middle attacks.
• Stops DHCP Starvation Attacks: Malicious users can exhaust the DHCP address pool by sending thousands of fake requests, causing denial of service.
• Builds the DHCP Snooping Binding Database: This database maps MAC addresses to IP addresses, which is used by other security features like Dynamic ARP Inspection (DAI) and IP Source Guard.
How DHCP Snooping Works
DHCP Snooping classifies switch ports into two categories:
1. Trusted Ports:
   • Connected to legitimate DHCP servers or other switches
   • All DHCP messages are permitted
   • Configured manually by the administrator
2. Untrusted Ports:
   • Connected to end-user devices (default setting)
   • Only DHCP client messages are allowed (DISCOVER, REQUEST, DECLINE, RELEASE, INFORM)
   • DHCP server messages (OFFER, ACK, NAK) are blocked
DHCP Snooping Binding Database
When a valid DHCP transaction occurs, the switch records:
• Client MAC address
• Assigned IP address
• Lease time
• VLAN ID
• Port information
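As an added example (not part of this guide and not vendor code), the following Python models the per-message decisions described above and in the opening section: port classification, blocking of server messages on untrusted ports, the source-MAC check, and the binding entries learned from completed transactions. Port names, MAC and IP values are constructed; the check that a RELEASE/DECLINE must come from the port owning the binding goes beyond the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Server-side message types the guide says untrusted ports must block.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str

@dataclass
class SnoopingSwitch:
    """Constructed model of a snooping switch's per-message decisions."""
    snooping_vlans: Set[int]                              # ip dhcp snooping vlan ...
    trusted_ports: Set[str] = field(default_factory=set)  # ip dhcp snooping trust
    bindings: Dict[str, Binding] = field(default_factory=dict)
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def handle(self, port: str, vlan: int, msg: str, src_mac: str,
               chaddr: str, yiaddr: str = "", lease: int = 0) -> str:
        """Return 'FORWARD' or 'DROP: <reason>' for one DHCP message."""
        if vlan not in self.snooping_vlans:
            return "FORWARD"  # snooping not enabled on this VLAN: no inspection
        if port in self.trusted_ports:
            # Trusted port: all messages pass. A server ACK that completes a
            # client transaction seen earlier populates the binding table.
            if msg == "ACK" and chaddr in self.pending:
                cport, cvlan = self.pending.pop(chaddr)
                self.bindings[chaddr] = Binding(chaddr, yiaddr, lease, cvlan, cport)
            return "FORWARD"
        # Untrusted port: client messages only, and only well-formed ones.
        if msg in SERVER_MSGS:
            return "DROP: server message on untrusted port"
        if src_mac != chaddr:
            return "DROP: frame source MAC does not match client hardware address"
        if msg in ("RELEASE", "DECLINE"):
            # Beyond the page: the message must come from the port that owns
            # the binding, so one host cannot tear down a neighbour's lease.
            owner = self.bindings.get(chaddr)
            if owner is not None and owner.port != port:
                return "DROP: release/decline from a port that does not own the binding"
            if msg == "RELEASE":
                self.bindings.pop(chaddr, None)
        elif msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (port, vlan)
        return "FORWARD"
```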
Configuration Commands
Enable DHCP Snooping globally:
Switch(config)# ip dhcp snooping
Enable on specific VLANs:
Switch(config)# ip dhcp snooping vlan 10,20,30
Configure trusted port:
Switch(config-if)# ip dhcp snooping trust
Set rate limit on untrusted ports:
Switch(config-if)# ip dhcp snooping limit rate 15
Verify configuration:
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Exam Tips: Answering Questions on DHCP Snooping
Key Points to Remember:
1. Default Port State: All ports are untrusted by default. Only uplinks to DHCP servers and inter-switch links should be trusted.
2. VLAN Requirement: DHCP Snooping must be enabled both globally AND on specific VLANs to function.
3. Option 82: By default, DHCP Snooping inserts Option 82 information. If your DHCP server does not support this, you may need to disable it with no ip dhcp snooping information option.
4. Rate Limiting: Helps prevent DHCP starvation attacks. If exceeded, the port enters err-disabled state.
5. Binding Database: Remember that this database supports DAI and IP Source Guard features.
Common Exam Scenarios:
• If asked about preventing rogue DHCP servers, DHCP Snooping is the answer.
• When a question mentions that DHCP clients cannot obtain addresses after enabling DHCP Snooping, check if the uplink port to the DHCP server is configured as trusted.
• Questions about Layer 2 security features often combine DHCP Snooping with DAI and IP Source Guard.
• Remember that DHCP Snooping operates at Layer 2 and is configured on switches, not routers.
Watch Out For:
• Trick questions where DHCP Snooping is enabled globally but not on the specific VLAN
• Scenarios where the wrong port is set as trusted
• Questions testing your knowledge of which DHCP message types are blocked on untrusted ports