What is DHCP Snooping and How it Works?

Introduction

The Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables devices to obtain IP addresses and other network configuration details from a server. DHCP simplifies IP addresses as well as reduces the need for configuration. However, it also introduces security risks, such as DHCP spoofing and DHCP starvation. To safeguard the network against these threats, there is a security feature called DHCP snooping that can be implemented. In this blog, we will explain what DHCP snooping is, how it works, its configuration, and how it can prevent various attacks.

Let’s start by first understanding what DHCP snooping is.

What is DHCP Snooping?

DHCP snooping is a layer 2 security mechanism that filters and verifies DHCP messages exchanged between clients and servers. It operates on switches that connect end devices like PCs, laptops, and access points in order to prevent malicious servers from providing IP addresses to clients. Additionally, it maintains a database of IP address bindings and leases for each client, which aids in verifying the source of network traffic and preventing IP spoofing.

• The DHCP snooping feature performs tasks to ensure network security and proper functioning.
• It verifies the integrity of messages received from sources and filters out any invalid messages.
• It controls traffic flow from both untrusted sources to prevent congestion or potential attacks.
• It maintains a binding table that stores information about clients that have obtained an IP address from a trusted server.
• It utilizes the data in the binding table to enforce security measures like IP source guard and dynamic ARP inspection, which protect against IP and ARP spoofing attacks.

Need of DHCP Snooping

DHCP Snooping is essential for every organization’s network because, with it, many end-user devices like PCs and laptops can automatically learn IP addresses. The host is creating an IP address lease for the DHCP server.

It needs to be configured on Layer 2 switches where unauthorized hosts are connected to secure hosts in the organization’s network from making connections to unauthorized DHCP servers.

But the question that arises is how it really works. Let’s understand in detail.

How DHCP Snooping Works?

To understand how DHCP snooping operates, it is essential to understand the DHCP process. The diagram below illustrates an exchange between a client and a server:

The process involves the following steps:

• The client broadcasts a DHCP Discover message to request an IP address.
• The server responds with a DHCP Offer message that includes details of an IP address and other network parameters for the client.
• The client selects one of the offers and thereafter sends a Request message to request that specific IP address from the server formally.
• The server acknowledges the request by sending an Ack message confirming the allocation of the chosen IP address.
• The client configures its network interface by inputting the IP address and other parameters provided by the server.

Let’s understand how DHCP snooping works.

Dynamic Host Configuration Protocol snooping categorizes switch ports into two types: trusted and untrusted.

DHCP Snooping Trusted and Untrusted Ports

Trusted ports are those that connect to authorized servers or other switches with snooping enabled. On the other hand, Untrusted ports connect to end devices like PCs, laptops, printers, etc. By default, all ports are considered untrusted unless otherwise configured.

It operates by inspecting the messages that pass through the switch and applying rules based on the type of port and message. The actions taken by snooping for scenarios are summarized in the following table:

As shown in the table, DHCP snooping allows any message from a trusted port to pass through without any modifications. This ensures communication between DHCP servers and clients without any disruptions. However, suppose an untrusted port receives a message that’s not a Discover or Request message. In that case, DHCP snooping drops it to prevent rogue servers from offering IP addresses or providing false information to clients. Additionally, any malformed message, or one that does not match the information, in the binding table is also dropped by snooping.

Let’s move on to how the snooping can prevent some of the attacks and maintain the integrity of the data.

Common Attacks Prevented by DHCP Snooping

DHCP snooping can prevent two common types of attacks that exploit the DHCP protocol. These are:

DHCP Spoofing

DHCP spoofing is a type of attack where a malicious host pretends to be a server and offers fake or harmful IP addresses and network parameters to unsuspecting clients. This can lead to consequences such as:

• Redirecting client traffic towards a malicious gateway or proxy that can intercept, alter, or discard packets.
• Assigning duplicate IP addresses to clients can cause conflicts and disrupt the network.
• Giving clients invalid IP addresses or subnet masks isolating them from the network.
• Providing incorrect DNS servers or domain names to clients. It will lead the client to various phishing sites.

DHCP snooping comes into play to combat spoofing by identifying and blocking any offer or ACK message that originates from a port. This ensures that only authorized DHCP servers are allowed to provide IP addresses and network settings to clients.

DHCP Starvation

DHCP starvation refers to an attack in which a malicious host floods a server with fake MAC addresses through DHCP discovery messages, depleting the available IP address pool. This attack can lead to consequences such as:

• Legitimate clients are unable to obtain an IP address and access the network.
• The attacker can impersonate a server and provide false or malicious IP addresses and network parameters to clients.
• The attacker can launch a denial-of-service attack on the server by overwhelming it with requests.

To mitigate starvation, one can make use of DHCP snooping, which restricts the rate of DHCP messages on untrusted ports. This prevents attackers from taking control of the system with requests, thereby preserving available IP addresses.

It is a security feature that carefully filters messages. It effectively prevents servers from assigning IP addresses to clients. Enabling this feature is recommended if you wish to safeguard your network against attacks.

DHCP Snooping configuration

DHCP snooping is an approach where we configure our switches to learn about DHCP traffic and intercept any malicious DHCP packets. An attacker who operates a DHCP server and the same subnet will likely respond more quickly to a client’s DHCP Discover message. In the event that the attacker is successful, he can designate the customer’s IP address as the man-in-the-middle attack’s default gateway.

Create a topology as shown below:

First of all, you should enable DHCP snooping globally.

Click the switch and use the command below to enable the snooping.

SW1(config)#ip dhcp snooping

Before sending a DHCP discovery message to the DHCP server, the switch will add option 82 by default. It annoys those same DHCP servers, and they will drop the packets. After turning on DHCP snooping, if your client does not get the IP address, you should use the command below.

SW1(config)#no ip dhcp snooping information option

Select the WLAN for which you want to use the snooping.

Sw1(config)#ip dhcp snooping vlan 1

Once you enable the snooping all interfaces are untrusted by default. Make sure that the interfaces leading to the DHCP server are trusted.

SWl(config)#interface fa0/3

SWl(config-if)#ip dhcp snooping trust

This is how you will be able to configure DHCP Snooping.

How to enable DHCP Snooping?

DHCP Snooping is a key security feature used primarily for wired networks. Typically, it’s enabled on switches with access ports in VLANs that rely on DHCP. To implement DHCP Snooping, you first need to configure trusted ports, which are the ports that allow valid DHCP server messages to pass through. Once that’s done, you can enable DHCP Snooping for the VLAN you want to secure. This process can be completed using either the CLI interface or the Web GUI.

Frequently Asked Questions

Q1. Should I enable DHCP snooping?

DHCP snooping is a security feature that carefully filters messages. It effectively prevents servers from assigning IP addresses to clients. Enabling this feature is recommended if you wish to safeguard your network against attacks.

Q2. What is the basic DHCP snooping?

When enabled, DHCP snooping establishes a binding table that keeps track of each client’s MAC address, IP address, VLAN information, and corresponding port. Only ports connected to trusted servers are marked as trustworthy. Allowed to send valid DHCP offers and acknowledgments.

Q3. What is the difference between DHCP snooping and DHCP server?

DHCP snooping is a security feature that filters DHCP messages from untrusted sources. A DHCP server is a device that assigns IP addresses to network devices.

Q4. Is DHCP snooping Layer 2 or 3?

DHCP snooping is a security feature that functions at the layer 2 level and filters out messages originating from sources that are not trusted.

Conclusion

DHCP snooping is a layer 2 security feature that filters and validates DHCP messages between clients and servers. It prevents rogue DHCP servers, DHCP spoofing, and DoS attacks by dividing the switch ports into trusted and untrusted types. In this blog, we have explained what DHCP snooping is in detail, along with its working. We also discussed how it can prevent common attacks to safeguard one’s data.

DHCP Snooping is an advanced topic covered in Advanced Network Training that is CCNP ENCOR Training.