DHCP snooping is a Layer 2 security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted message is a message received from outside the network or firewall that can be used to launch traffic attacks within your network.
An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or to another switch.
We use DHCP snooping to address the attacks below in our Layer 2 network, so we deploy it wherever there is a risk of this kind of rogue activity:
DHCP address exhaustion attack — This type of attack focuses on depleting the address pool on the DHCP server, causing a denial of service. A DHCPDISCOVER message broadcast from a client carries a field called chaddr, the client hardware (MAC) address. By default the chaddr field is set to the source MAC address of the client. If an attacker constantly changes his MAC address, he can keep requesting different addresses from the DHCP pool and eventually deplete it. Fortunately, port security helps mitigate this variant. However, if the attacker keeps the same source MAC address and simply changes the chaddr field to something unique on every request, he can just as well exhaust all DHCP addresses in the pool without triggering a port-security violation. The pool becomes depleted and legitimate users may be unable to obtain address leases.
IP Address Hijacking — Normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can add that IP address back into the pool of available addresses. An attacker who knows an authorized IP address leased through DHCP could send a DHCPRELEASE to the server for that authorized IP address. The attacker could thereby release the address and then take it over on the network. At a minimum, the attacker disrupts network communications.
So here we go, with the configuration of DHCP snooping on a Cisco Switch. This feature protects the network by allowing the Cisco Switches to accept DHCP response messages only from the authorized servers connected to the trusted interfaces of a Cisco Switch.
All Switch to Switch connections are configured as 802.1Q Trunk ports.
IP Address and HSRP Details for the Core Switches
In the above scenario we have two Cisco 6513 Series Switches as Core/Distribution with three VLANs: VLAN 50 for management of the Switches, VLAN 100 for all the servers and VLAN 101 for clients. Two Cisco 3560 Series Switches act as Server Farm Switches and a Cisco 3560 Series Switch as an Access Switch. There are two DHCP servers with IP addresses 10.0.1.100 and 10.0.1.101 connected to the Server Farm Switches with HP NIC teaming. We configure DHCP Snooping based on the above scenario.
The first step to configure DHCP Snooping is to turn on DHCP snooping in all Cisco Switches using the "ip dhcp snooping" command.
All Cisco Switches (config)#ip dhcp snooping
The second step is to configure the trusted interfaces. In the above scenario all trunk ports are configured as trusted ports, as well as the interfaces G0/7 (ITKESF01 22.214.171.124), G0/17 (ITKESF02 126.96.36.199), G0/9 (ITKESF01 188.8.131.52) and G0/18 (ITKESF02 184.108.40.206) connected to the DHCP servers with IP 10.0.1.100 and 10.0.1.101. Let's configure all trunk ports in ITKEBB01
ITKEBB01(config)#interface range gigabitEthernet 3/21 - 23
ITKEBB01 (config-if)#ip dhcp snooping trust
Now let's configure all trunk ports in ITKEBB02
ITKEBB02(config)#interface range gigabitEthernet 3/21 - 23
ITKEBB02 (config-if)#ip dhcp snooping trust
ITKEBB02 (config)#interface gigabitEthernet 3/16
ITKEBB02 (config-if)#ip dhcp snooping trust
Now let's configure the trusted ports for the DHCP servers
Now let's configure the trunk ports of the Access Switch ITKEAS01
ITKEAS01(config)#interface range gigabitEthernet 0/49 - 52
ITKEAS01 (config-if)#ip dhcp snooping trust
Finally we are going to configure the VLANs for DHCP snooping. DHCP snooping will be used on all the VLANs (VLAN 100 & 101) except the management VLAN 50. We will also limit the rate of DHCP requests received on the Access Switch (ITKEAS01) ports.
ALL SWITCHES(config)# ip dhcp snooping VLAN 100,101
ITKEAS01(config)#interface range gigabitEthernet 0/1 - 48
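The following Python model, added here as an illustration and not part of the original post or Cisco's code, walks through the snooping decisions the configuration above produces: server messages and mismatched chaddr values are dropped on untrusted ports, DHCPRELEASE is checked against the binding table (which defeats the hijack described earlier), and untrusted ports are rate limited. The port names, the rate-limit value of 15 and the sample messages are assumptions for the demonstration.

```python
from collections import Counter

# Constructed model of the switch policy described above; values are assumptions.
SNOOPED_VLANS = {100, 101}  # "ip dhcp snooping vlan 100,101"; VLAN 50 is not snooped
TRUSTED_PORTS = {"Gi3/21", "Gi3/22", "Gi3/23", "Gi0/7", "Gi0/17"}  # trunks + DHCP server ports
RATE_LIMIT = 15             # assumed per-port packets/second limit on untrusted access ports
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server should send


class DhcpSnooper:
    def __init__(self):
        self.bindings = {}     # (client MAC, VLAN) -> leased IP (the snooping binding table)
        self.rate = Counter()  # DHCP packets seen per untrusted port in the current second

    def new_second(self):
        """Reset the per-port counters; call once per second in a real implementation."""
        self.rate.clear()

    def process(self, port, vlan, msg, src_mac, chaddr, ip=None):
        """Return 'forward' or a 'drop: <reason>' verdict for one DHCP packet."""
        if vlan not in SNOOPED_VLANS:
            return "forward"                # snooping is not enabled on this VLAN
        if port in TRUSTED_PORTS:
            if msg == "ACK":                # learn the binding from the server's ACK
                self.bindings[(chaddr, vlan)] = ip
            return "forward"
        # Everything below applies only to untrusted (client-facing) ports.
        self.rate[port] += 1
        if self.rate[port] > RATE_LIMIT:
            return "drop: rate limit exceeded, port err-disabled"
        if msg in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if src_mac != chaddr:
            # Blocks the exhaustion variant that forges chaddr while keeping one source MAC.
            return "drop: chaddr does not match source MAC"
        if msg in ("RELEASE", "DECLINE") and self.bindings.get((src_mac, vlan)) != ip:
            # Blocks releasing an address that this MAC on this VLAN never leased.
            return "drop: no matching binding"
        return "forward"


if __name__ == "__main__":
    s = DhcpSnooper()
    print(s.process("Gi0/5", 101, "DISCOVER", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01"))
    print(s.process("Gi0/7", 101, "ACK", "00:50:56:00:00:64", "aa:aa:aa:00:00:01", ip="10.0.1.50"))
    print(s.process("Gi0/6", 101, "RELEASE", "bb:bb:bb:00:00:02", "bb:bb:bb:00:00:02", ip="10.0.1.50"))
```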