
DHCP Snooping and Why do we need it? With Example Configuration


What is DHCP snooping?

Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that helps to protect against malicious DHCP servers by monitoring and controlling DHCP messages on a network. It works by allowing only trusted DHCP servers to respond to DHCP requests from clients on a network. When DHCP snooping is enabled on a network, the switch or router that is running the feature will examine each DHCP message that passes through it. If the message is from a trusted DHCP server, the message is forwarded on to the client. If the message is not from a trusted DHCP server, the message is discarded and the client does not receive an IP address. This helps to prevent unauthorized DHCP servers from being able to assign IP addresses to clients on the network, which can be used to gain unauthorized access to the network or to launch attacks against other devices on the network.

Why Do We Need DHCP Snooping?

There are a few reasons why DHCP snooping can be useful:

  1. Security: As mentioned, DHCP snooping helps to protect against malicious DHCP servers by only allowing trusted servers to assign IP addresses to clients. This can help to prevent unauthorized access to the network or attacks against other devices on the network.
  2. Integrity of the DHCP process: DHCP snooping helps to ensure the integrity of the DHCP process by preventing unauthorized devices from acting as DHCP servers and disrupting the process of assigning IP addresses to clients.
  3. Network stability: DHCP snooping can help to prevent clients from receiving incorrect or conflicting IP addresses, which can lead to network instability and connectivity issues.
  4. Network performance: DHCP snooping can improve network performance by limiting the number of DHCP messages that are forwarded on the network. This can help to reduce network congestion and improve the overall performance of the network.

DHCP Snooping Trusted and Untrusted Ports

When DHCP snooping is enabled on a network, the switch or router will typically classify each port as either a trusted or untrusted port.

Trusted ports are ports that are allowed to send and receive DHCP messages. These are typically ports that are connected to trusted DHCP servers, such as the main corporate DHCP server.

Untrusted ports are ports that are not allowed to send or receive DHCP messages. These are typically ports that are connected to end-user devices, such as PCs or laptops.

When a DHCP message is received on an untrusted port, the switch or router will examine the message to determine whether it is from a trusted DHCP server. If the message is from a trusted DHCP server, the message is forwarded on to the client. If the message is not from a trusted DHCP server, the message is discarded and the client does not receive an IP address.

This helps to ensure that only trusted DHCP servers are able to assign IP addresses to clients on the network, which can help to improve network security and stability.

DHCP Example Configuration

Basic configuration example for enabling DHCP snooping on a Cisco switch:

  1. Enable DHCP snooping globally:
     switch(config)# ip dhcp snooping
  2. Enable DHCP snooping on a specific VLAN:
     switch(config)# ip dhcp snooping vlan <vlan_number>
  3. Configure trusted interfaces:
     switch(config-if)# ip dhcp snooping trust
  4. Configure untrusted interfaces:
     switch(config-if)# ip dhcp snooping limit rate <rate>

The <rate> in the last command above specifies the maximum number of DHCP requests that an untrusted interface can send per second. This can help to prevent a flood of DHCP requests from disrupting the network.
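The forwarding decisions described in the two sections above (server messages dropped on untrusted ports, the per-port rate limit, and how the binding database is populated from the server's DHCP ACK), modelled as an added Python example. This is not the switch's code; the port names, VLAN numbers and addresses are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a DHCP server should originate these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}        # client messages that start or renew a lease

@dataclass
class DhcpMessage:
    kind: str         # DHCP message type, e.g. "DISCOVER", "OFFER", "REQUEST", "ACK"
    client_mac: str   # the client hardware address (chaddr) carried in the message
    vlan: int
    yiaddr: str = ""  # address the server offers or acknowledges (empty for client messages)

@dataclass
class DhcpSnooper:
    """Hypothetical model of a switch's DHCP snooping decision, not real switch code."""
    snooping_vlans: set = field(default_factory=set)    # 'ip dhcp snooping vlan ...'
    trusted_ports: set = field(default_factory=set)     # ports with 'ip dhcp snooping trust'
    rate_limits: dict = field(default_factory=dict)     # port -> 'limit rate' (packets/second)
    bindings: dict = field(default_factory=dict, init=False)  # client_mac -> binding entry
    _seen: dict = field(default_factory=dict, init=False)     # port -> recent packet timestamps
    _pending: dict = field(default_factory=dict, init=False)  # client_mac -> untrusted ingress port

    def process(self, port: str, msg: DhcpMessage, now=None) -> str:
        """Return 'forward' or a 'drop: ...' reason for a DHCP message arriving on port."""
        now = time.monotonic() if now is None else now
        if msg.vlan not in self.snooping_vlans:
            return "forward"                 # snooping is off for this VLAN: no checks at all
        if port in self.trusted_ports:
            if msg.kind == "ACK" and msg.client_mac in self._pending:
                # Lease confirmed by a trusted server: record client MAC, IP, VLAN and the
                # untrusted port the client's request came in on (the binding database)
                self.bindings[msg.client_mac] = {"ip": msg.yiaddr, "vlan": msg.vlan,
                                                 "port": self._pending.pop(msg.client_mac)}
            return "forward"
        # Untrusted port: anything only a server should send is a rogue server and is dropped
        if msg.kind in SERVER_MSGS:
            return "drop: server message on untrusted port"
        limit = self.rate_limits.get(port)
        if limit is not None:
            recent = [t for t in self._seen.get(port, []) if now - t < 1.0]
            if len(recent) >= limit:
                self._seen[port] = recent    # a Cisco switch would also err-disable the port
                return "drop: rate limit exceeded"
            self._seen[port] = recent + [now]
        if msg.kind in CLIENT_MSGS:
            self._pending[msg.client_mac] = port   # remember where this client lives
        return "forward"
```

Feed it a DISCOVER from an untrusted port, an OFFER from the same untrusted port (dropped) and from the trusted uplink (forwarded), then the ACK, and `bindings` ends up holding the same MAC, IP, VLAN and interface tuple that `show ip dhcp snooping binding` reports.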

DHCP Verification Commands

Commands you can use to verify the status and configuration of DHCP snooping on a Cisco switch:

  1. Display the global DHCP snooping configuration:
     switch# show ip dhcp snooping
  2. Display the DHCP snooping binding database:
     switch# show ip dhcp snooping binding

The binding database contains information about the IP addresses that have been assigned to clients by DHCP, along with the MAC addresses of the clients and the VLANs and interfaces on which the clients are located.

  3. Display the DHCP snooping statistics for a specific interface:
     switch# show ip dhcp snooping statistics <interface>

This command will show you the number of DHCP packets that have been received and forwarded on the specified interface, as well as any dropped packets.

  4. Display the DHCP snooping configuration for a specific VLAN:
     switch# show ip dhcp snooping vlan <vlan_number>

This command will show you the trusted and untrusted interfaces that have been configured for the specified VLAN.
