What is DHCP Snooping and How it Works?

Introduction

The Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables devices to obtain IP addresses and other network configuration details from a server. DHCP simplifies IP address management and reduces the need for manual configuration. However, it also introduces security risks, such as DHCP spoofing and DHCP starvation. To safeguard the network against these threats, a security feature called DHCP snooping can be implemented.

DHCP snooping is a Layer 2 security feature that allows switches to filter unauthorized DHCP messages and block DHCP server replies arriving on untrusted ports. It also builds a binding table of legitimate client leases, which improves network security and supports features such as Dynamic ARP Inspection (DAI) and IP Source Guard.

In this blog, we will explain what DHCP snooping is, how it works, its configuration, and how it can prevent various attacks.

Let’s start by first understanding what DHCP snooping is.

What is DHCP Snooping?

DHCP Snooping is a Layer 2 security mechanism used on switches to inspect, verify and regulate the DHCP traffic exchanged between clients and DHCP servers. It is mainly deployed on access-layer switches that connect to end devices such as PCs, laptops, IP phones and wireless access points.

Its primary goal is to block malicious or rogue DHCP servers from handing out false or unauthorized IP settings to clients. By allowing DHCP server messages only on trusted interfaces and dropping them on untrusted ports, DHCP snooping ensures that clients receive IP settings only from authorized DHCP servers.

Another crucial purpose of DHCP snooping is the creation of a binding table. This table stores lease-related information for valid clients, such as:

  • MAC address
  • Assigned IP address
  • VLAN
  • Switch interface
  • Lease time

The binding information is later used by security features like IP Source Guard and Dynamic ARP Inspection (DAI) to protect against IP spoofing as well as ARP spoofing attacks.

In simple words, DHCP snooping not only monitors DHCP traffic but also helps the switch decide which DHCP messages are legitimate and which should be blocked.

Why Is DHCP Snooping Important?

DHCP snooping matters in every organization’s network because many end-user devices, such as PCs and laptops, obtain their IP addresses automatically: each host receives an IP address lease from the DHCP server.

It needs to be configured on the Layer 2 switches where untrusted hosts connect, so that hosts in the organization’s network are prevented from obtaining leases from unauthorized DHCP servers.

Further, DHCP snooping is important because it:

  • Validates DHCP traffic before forwarding it 
  • Blocks unauthorized DHCP replies on untrusted ports 
  • Distinguishes between trusted and untrusted interfaces 
  • Maintains a binding table for valid client leases 
  • Supports security features such as IP Source Guard and Dynamic ARP Inspection 
  • Reduces the risk of DHCP starvation attacks through rate limiting

How Does DHCP Snooping Work?

To understand how DHCP snooping operates, it is essential to understand the DHCP process. The diagram below illustrates an exchange between a client and a server:

An image showing how DHCP works, where a client sends Discover and Request, and the DHCP server returns Offer and Acknowledgement

The process involves the following steps:

  • The client broadcasts a DHCP Discover message to request an IP address.
  • The server responds with a DHCP Offer message that includes details of an IP address and other network parameters for the client.
  • The client selects one of the offers and sends a Request message formally asking the server for that specific IP address.
  • The server acknowledges the request by sending an Ack message confirming the allocation of the chosen IP address.
  • The client configures its network interface with the IP address and other parameters provided by the server.

Let’s understand how DHCP snooping works.

An image showing how DHCP snooping works, where a PC sends a Discover to the switch, which forwards it to the DHCP server and relays the Offer back to the PC

Dynamic Host Configuration Protocol snooping categorizes switch ports into two types: trusted and untrusted.

Trusted and Untrusted Ports in DHCP Snooping

DHCP snooping works by treating switch interfaces as either trusted or untrusted.

A trusted port is an interface connected to a legitimate DHCP server or toward the uplink path where valid DHCP server replies are expected. These ports are allowed to forward DHCP server messages such as DHCPOFFER and DHCPACK.

An untrusted port is usually a user-facing access port where end devices connect. These ports are not allowed to send DHCP server-type replies. If a rogue device connected to an untrusted port tries to behave like a DHCP server, the switch drops those packets.

The following table summarizes how DHCP snooping handles DHCP messages in different scenarios.

Port type   DHCP message type   Action
Trusted     Any DHCP message    Forward
Untrusted   DHCPDISCOVER        Forward
Untrusted   DHCPREQUEST         Forward
Untrusted   DHCPDECLINE         Forward
Untrusted   DHCPRELEASE         Forward
Untrusted   DHCPINFORM          Forward
Untrusted   DHCPOFFER           Drop
Untrusted   DHCPACK             Drop
Untrusted   DHCPNAK             Drop

Note: This table shows how DHCP snooping treats DHCP messages based on whether a switch port is configured as trusted or untrusted. Trusted ports forward all DHCP traffic, while untrusted ports allow only client-originated requests and block server-originated replies such as DHCPOFFER and DHCPACK.

Let’s move on to how the snooping can prevent some of the attacks and maintain the integrity of the data.

Common Attacks Prevented by DHCP Snooping

DHCP snooping can prevent two common types of attacks that exploit the DHCP protocol. These are:

DHCP Spoofing

DHCP spoofing is a type of attack where a malicious host pretends to be a server and offers fake or harmful IP addresses and network parameters to unsuspecting clients. This can lead to consequences such as:

  • Redirecting client traffic towards a malicious gateway or proxy that can intercept, alter, or discard packets.
  • Assigning duplicate IP addresses to clients, causing address conflicts that disrupt the network.
  • Giving clients invalid IP addresses or subnet masks, isolating them from the network.
  • Providing incorrect DNS servers or domain names to clients, which can steer them to phishing sites.

DHCP snooping combats spoofing by identifying and dropping any Offer or ACK message that arrives on an untrusted port. This ensures that only authorized DHCP servers can provide IP addresses and network settings to clients.

DHCP Starvation

DHCP starvation is an attack in which a malicious host floods the DHCP server with Discover messages carrying spoofed MAC addresses, exhausting the available IP address pool. This attack can lead to consequences such as:

  • Legitimate clients are unable to obtain an IP address and access the network.
  • The attacker can impersonate a server and provide false or malicious IP addresses and network parameters to clients.
  • The attacker can launch a denial-of-service attack on the server by overwhelming it with requests.

To mitigate starvation, DHCP snooping can rate-limit DHCP messages on untrusted ports. This stops an attacker from overwhelming the server with requests and preserves the pool of available IP addresses.

In short, DHCP snooping carefully filters DHCP messages and prevents unauthorized servers from assigning IP addresses to clients. Enabling it is recommended if you wish to safeguard your network against these attacks.
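As an added illustration (example code, not from the original post), this Python model applies the trusted/untrusted table from the previous section and the per-port rate limit described above to constructed DHCP messages, and builds the binding table from the DHCPACK that answers a client's request. Interface names, the 5 messages/s limit and all traffic are constructed for the demo; a real Cisco switch err-disables a port that exceeds its rate limit rather than just dropping the excess as done here.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # never accepted on untrusted ports

@dataclass
class DhcpMsg:
    port: str          # switch interface the frame arrived on (constructed names)
    vlan: int
    mtype: str         # DHCPDISCOVER, DHCPOFFER, ...
    mac: str           # client hardware address (chaddr)
    ip: str = ""       # offered/assigned address (yiaddr) in DHCPOFFER/DHCPACK
    ts: float = 0.0    # arrival time in seconds

class DhcpSnooper:
    def __init__(self, trusted_ports, rate_limit_pps=15):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps   # max client DHCP messages/s per untrusted port
        self.binding = {}                  # (mac, vlan) -> {"ip": ..., "port": ...}
        self.pending = {}                  # (mac, vlan) -> client port awaiting a server reply
        self.drops = defaultdict(int)      # per-port drop counter (what the statistics show)
        self.window = defaultdict(list)    # port -> arrival times within the last second

    def handle(self, m):
        key = (m.mac, m.vlan)
        if m.port in self.trusted:
            # A DHCPACK completes a lease; the binding records the *client's* port, remembered from its request
            if m.mtype == "DHCPACK" and key in self.pending:
                self.binding[key] = {"ip": m.ip, "port": self.pending.pop(key)}
            return "forward"
        if m.mtype in SERVER_MSGS:         # rogue DHCP server behind an access port
            self.drops[m.port] += 1
            return "drop:server-message-on-untrusted-port"
        w = self.window[m.port]            # sliding one-second window (starvation defence)
        w[:] = [t for t in w if m.ts - t < 1.0] + [m.ts]
        if len(w) > self.rate_limit:       # a Cisco switch would err-disable the port here
            self.drops[m.port] += 1
            return "drop:rate-limit"
        if m.mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = m.port
        return "forward"

def demo():
    # Constructed traffic: a lease on Fa0/1, then a rogue DHCPOFFER and a burst of 8 discovers on Fa0/2
    sn, mac = DhcpSnooper(trusted_ports={"Fa0/3"}, rate_limit_pps=5), "00:11:22:33:44:55"
    flow = [("Fa0/1", "DHCPDISCOVER", mac, "", 0.0), ("Fa0/3", "DHCPOFFER", mac, "192.0.2.10", 0.0),
            ("Fa0/1", "DHCPREQUEST", mac, "", 0.1), ("Fa0/3", "DHCPACK", mac, "192.0.2.10", 0.1),
            ("Fa0/2", "DHCPOFFER", mac, "192.0.2.99", 0.2)]
    flow += [("Fa0/2", "DHCPDISCOVER", f"de:ad:be:ef:00:{i:02x}", "", 1 + i / 100) for i in range(8)]
    return [sn.handle(DhcpMsg(p, 1, t, m, ip, ts)) for p, t, m, ip, ts in flow], sn
```

Running demo() shows the legitimate exchange forwarded, the rogue Offer on Fa0/2 dropped, and only the first five Discovers of the burst passing before the rate limit takes effect.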

Cisco DHCP Snooping Configuration Example

DHCP snooping is an approach in which we configure our switches to learn about DHCP traffic and intercept malicious DHCP packets. An attacker running a rogue DHCP server on the same subnet may well answer a client’s DHCP Discover faster than the legitimate server. If the attacker succeeds, the client is handed the attacker’s address as its default gateway, putting the attacker in a man-in-the-middle position.

Create a topology as shown below:

A network topology with a server connected to the switch, which is further connected to 2 PCs and 1 router

First of all, you should enable DHCP snooping globally.

Click the switch and use the command below to enable the snooping.

SW1(config)#ip dhcp snooping

By default, the switch inserts DHCP option 82 (relay agent information) into client DHCP messages before forwarding them to the DHCP server. Some DHCP servers reject client packets that carry option 82 and drop them. If your clients stop receiving IP addresses after DHCP snooping is turned on, disable option 82 insertion with the command below.

SW1(config)#no ip dhcp snooping information option

Select the VLAN on which you want to use snooping.

SW1(config)#ip dhcp snooping vlan 1

Once you enable snooping, all interfaces are untrusted by default. Make sure that the interface leading to the DHCP server is trusted.

SW1(config)#interface fa0/3

SW1(config-if)#ip dhcp snooping trust

This is how you will be able to configure DHCP Snooping.

How to Verify DHCP Snooping Configuration?

After enabling DHCP snooping, you should always verify that it is working correctly. Configuration alone is not enough. If the trusted port is wrong or the feature is enabled on the wrong VLAN, clients may fail to receive IP addresses.

Useful Cisco verification commands include:

  • show ip dhcp snooping
  • show ip dhcp snooping binding
  • show ip dhcp snooping statistics

What to check during verification:

  • Whether DHCP snooping is enabled globally
  • Whether the correct VLANs are included
  • Which interfaces are marked as trusted
  • Whether binding table entries are being created
  • Whether packets are being dropped due to trust or rate-limit violations

If the binding table remains empty even when clients request addresses, it often indicates a trust issue, VLAN mismatch, or DHCP path problem.
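As an added check for the verification steps above (example code, not part of the original post), the following Python parses output laid out like show ip dhcp snooping binding and flags the conditions just listed: an empty binding table, a binding learned on a VLAN that is not being snooped, and the same IP address leased to two different MAC addresses. The sample output and the VLAN list are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `show ip dhcp snooping binding` (not a real capture)
SAMPLE_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.0.2.10       86395       dhcp-snooping   1    FastEthernet0/1
00:11:22:33:44:66   192.0.2.11       86390       dhcp-snooping   1    FastEthernet0/2
00:11:22:33:44:77   198.51.100.5     86000       dhcp-snooping   20   FastEthernet0/5
00:11:22:33:44:88   192.0.2.10       3600        dhcp-snooping   1    FastEthernet0/4
Total number of bindings: 4
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_bindings(text):
    """Return one dict per binding row; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and MAC_RE.match(f[0]):
            rows.append({"mac": f[0].lower(), "ip": f[1], "lease": int(f[2]),
                         "type": f[3], "vlan": int(f[4]), "interface": f[5]})
    return rows

def check_bindings(text, snooping_vlans):
    """Run the checklist over the output; return a list of findings (empty list = nothing wrong)."""
    rows, findings = parse_bindings(text), []
    if not rows:
        findings.append("binding table is empty: check trust, VLAN list and DHCP path")
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r["mac"])
        if r["vlan"] not in snooping_vlans:
            findings.append(f"{r['mac']} learned on VLAN {r['vlan']}, which is not in the snooping VLAN list")
    for ip, macs in by_ip.items():
        if len(macs) > 1:   # one address leased to two hosts: conflict or a server that slipped through
            findings.append(f"duplicate lease for {ip}: {', '.join(macs)}")
    return findings
```

With the sample above and snooping enabled only on VLAN 1, check_bindings() reports the VLAN 20 entry and the duplicate 192.0.2.10 lease.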

DHCP Snooping Best Practices

DHCP snooping is most effective when deployed with care. Incorrect configuration can disrupt a legitimate DHCP service, whereas correct deployment strengthens Layer 2 security considerably.

Follow these DHCP snooping best practices:

  • Trust only the essential interfaces

Make sure to only mark ports that are connected to the real DHCP server or valid uplinks as trusted.

  • Enable DHCP snooping only on the required VLANs

Use it only on VLANs where DHCP traffic has to be inspected.

  • Do not trust user-facing ports

Access ports should generally remain untrusted so that rogue DHCP responses are blocked.

  • Use DHCP rate limiting on non-trusted ports

This limits DHCP starvation attacks as well as abnormal request bursts.

  • Document trusted interfaces

A good documentation system can prevent accidental outages that occur when switches are replaced or changes are made.

  • Verify the option 82 behavior

Certain DHCP relays or servers may handle option 82 differently, so the behavior should be tested before a production rollout.

  • Use DHCP snooping with DAI as well as IP Source Guard

Together, they provide greater security against ARP Spoofing and IP spoofing.

  • Monitor logs and counters

Packet drop statistics can reveal malicious activity or misconfiguration.

Frequently Asked Questions

Q1. Should I enable DHCP snooping?

DHCP snooping is a security feature that carefully filters DHCP messages and prevents unauthorized servers from assigning IP addresses to clients. Enabling it is recommended if you wish to safeguard your network against DHCP-based attacks.

Q2. What is the basic DHCP snooping?

When enabled, DHCP snooping establishes a binding table that keeps track of each client’s MAC address, IP address, VLAN and corresponding port. Only ports connected to trusted servers are marked as trusted, and only those ports are allowed to forward valid DHCP offers and acknowledgments.

Q3. What is the difference between DHCP snooping and DHCP server?

DHCP snooping is a security feature that filters DHCP messages from untrusted sources. A DHCP server is a device that assigns IP addresses to network devices.

Q4. Is DHCP snooping Layer 2 or 3?

DHCP snooping is a security feature that functions at the layer 2 level and filters out messages originating from sources that are not trusted.

Conclusion

DHCP snooping is a layer 2 security feature that filters and validates DHCP messages between clients and servers. It prevents rogue DHCP servers, DHCP spoofing, and DoS attacks by dividing the switch ports into trusted and untrusted types. In this blog, we have explained what DHCP snooping is in detail, along with its working. We also discussed how it can prevent common attacks to safeguard one’s data.

DHCP Snooping is an advanced topic covered in Advanced Network Training that is CCNP ENCOR Training.
