DHCP Snooping Concepts

DHCP Snooping: Concept Notes

This post is part of a series of revision notes I put together and used for studying CCNP Switch concepts. I am now writing them up on this website so that they might be useful to others.

They formed a part of my notes intended to explain concepts in simple terms. I hope they come in use, but as a reminder, please do not use these notes as any indication of what is sufficient for CCNP level understanding.

Let’s get started.

What It Is

  • DHCP Snooping is a mechanism used to stop the effects of a rogue DHCP server
  • A rogue DHCP server could be used to pull off a ‘Man In The Middle’ Attack

What is a Man In The Middle Attack?

  • You work for a nice big company downtown and manage the network. Unfortunately, you have not protected your network against such attacks
  • A rogue employee or anyone with less than honest intentions plugs in their laptop into your network
  • This laptop is configured as a DHCP server, and starts handing out IP information to devices and endpoints
  • This rogue DHCP server running on someone’s laptop will also propagate that it is the Default Gateway and therefore all traffic destined for the Default Gateway should go to it
  • As it receives the packets destined for the Default Gateway, it is intercepted and collected
  • To try and cover up their tracks, this rogue laptop acting as the DHCP server then forwards on the traffic to the real Default Gateway and everyone carries on none the wiser as if nothing ever happened…
  • Now the rogue employee has access to confidential information

Clearly this is a less than ideal situation. So how exactly does DHCP Snooping prevent this?

How DHCP Snooping Works

  • DHCP Snooping means that we manually select ports as trusted to give DHCP Replies
  • Anyone can ask for a DHCP IP Address, no problem, but when receiving replies we should know which port the DHCP server response will come from and trust only that port
  • Any other, untrusted ports replying back with a DHCP Reply message will be ignored
  • If an untrusted port receives a DHCP Reply, the port will be put into the error-disabled state
  • Essentially, we manually tell the relevant switch connected to the DHCP server that “The known DHCP server is connected to port X, only trust port X to reply back to DHCP Requests. Every other port is untrusted”
  • So if an attacker plugs in their laptop into their nearest switch port to try and answer DHCP Requests, the port will error disable immediately

As part of the DHCP Snooping Mechanism, the Switch maintains the DHCP Snooping Binding Table. Let’s take a look at what that does.

DHCP Snooping Binding Table

  • The DHCP Snooping Binding Table is where the Switch stores information on the MAC address of Hosts and the IP address they were assigned by the DHCP server
  • It is essentially a mapping of IP Addresses to MAC Addresses learned through DHCP
  • There can only be a maximum of 8000 entries in the database
  • By default, the table is wiped when a Switch reboots, but it can be configured to maintain the table through a reboot by configuring a DHCP Snooping Database Agent

A more literal example of what the table might look like:

MAC AddressIP Address
BA3D.DDEB.C3B5192.168.0.10
BCA7.D180.28BE192.168.0.200
8F5F.4797.BD7E192.168.0.150

We will also make note of the fact that this same DHCP Snooping Binding Table is used for 2 further functions:

  • Dynamic ARP Inspection
  • IP Source Guard

Let’s take a brief look at what these features do.

Dynamic ARP Inspection

  • Prevents Layer 2 MAC Address spoofing
  • If a packet is received where the MAC Address for a given IP in the Binding Table is different, the MAC Address will be assumed to be spoofed and traffic will be dropped
  • This is to prevent ARP Spoofing
  • We can always manually override Dynamic ARP Inspection by configuring static entries

IP Source Guard

  • Prevents Layer 3 IP Address spoofing
  • If a packet is received where the IP Address for a given MAC Address in the Binding Table is suddenly changed, the IP Address will be assumed to be spoofed and traffic will be dropped
  • This is to prevent IP Spoofing
  • We can always manually override IP Source Guard by configuring static entries

Now that we’ve explored these 2 functions, lets take a step back and see how we can configure DHCP Snooping.

Configuring DHCP Snooping

First, we need to enable DHCP Snooping on the Switch globally:

We then need to establish which VLANs we want to protect with this feature:

Lastly, we need to set our trusted interfaces (the interface known to connect to our legitimate DHCP server)

Verification

We can verify our configuration with the following show command:

Revision Flashcard

Last but not least, I have put together a digital flashcard based on my notes.

Please be aware that neither this post nor this flashcard is to be taken as all the information you need to know for DHCP Snooping, it just contains the basics and is intended to be used as a supplement to your own notes and studies.

I hope it helps.

DHCP Snooping Flashcard

 

Leave a Comment