
Thursday, 20 February 2014

DHCP Snooping Explained

What is DHCP Snooping ?


In computer networking, DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. DHCP snooping is a security feature intended to prevent a rogue DHCP server from sending malicious DHCP replies.
DHCP snooping is a layer 2 security feature we can configure on our Catalyst switches that determines which switch ports can respond to DHCP requests. Ports are identified as trusted or untrusted. DHCP snooping drops DHCP server messages that arrive from a port that is not trusted. Trusted DHCP servers are identified by configuring a switch port's DHCP snooping trust state. DHCP server messages can flow through switch ports that are in the DHCP snooping trusted state; DHCP server messages attempting to flow through an untrusted switch port are dropped.

Now let us look at this diagram, which shows a rogue DHCP server inside the network.
The attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker's own IP address as the client's default gateway, so all traffic sent from the client goes through the attacker's computer: the attacker becomes a "man-in-the-middle".

The attacker has a few ways to make sure the fake DHCP Response arrives first. If the attacker is "closer" to the client than the DHCP server, nothing more is needed. Otherwise the attacker can DoS the DHCP server so that it can't send its DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. Only ports that connect to an authorized DHCP server are trusted and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Configuring DHCP Snooping

Enable DHCP snooping globally on the switch:
Switch(config)# ip dhcp snooping
Identify the VLANs for DHCP snooping. In this case VLAN 1 (the default):
Switch(config)# ip dhcp snooping vlan 1
By default all ports are "untrusted", so we have to add trusted ports. Here we are adding fa0/1 as a trusted port:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# ip dhcp snooping trust

Verifying Configuration

Show the DHCP snooping status:
Switch# show ip dhcp snooping

This is all one needs to do for a simple DHCP snooping setup. It will prevent the rogue DHCP server's DHCP packets from traversing VLAN 1.
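As an added illustration (not code from the original post or from any switch vendor), the following Python sketch models the trust decision described above: it reads the DHCP message type from option 53 of a packet and drops server-originated messages (OFFER, ACK, NAK) that arrive on an untrusted port in a VLAN where snooping is enabled. The port names, VLAN numbers and packets are constructed for the example.

```python
# DHCP message type codes carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only a DHCP server should send these
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of DHCP options

def dhcp_message_type(packet: bytes):
    """Return the option-53 message type of a DHCP payload, or None if absent."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet): # truncated option header
            break
        length = packet[i + 1]
        if code == 53 and length == 1 and i + 2 < len(packet):
            return packet[i + 2]
        i += 2 + length
    return None

class DhcpSnoopingSwitch:
    """Models 'ip dhcp snooping vlan X' plus 'ip dhcp snooping trust' on ports."""
    def __init__(self, snooping_vlans, trusted_ports):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted_ports = set(trusted_ports)

    def filter(self, port, vlan, packet):
        """Return 'forward' or 'drop' for a DHCP packet arriving on port/vlan."""
        if vlan not in self.snooping_vlans:
            return "forward"     # snooping not enabled on this VLAN
        if port in self.trusted_ports:
            return "forward"     # trusted ports may carry any DHCP message
        if dhcp_message_type(packet) in SERVER_MESSAGES:
            return "drop"        # server reply from an untrusted port: rogue server
        return "forward"         # client messages are allowed from any port

def build_dhcp(message_type):
    """Construct a minimal DHCP payload carrying only option 53 (sample data)."""
    op = b"\x02" if message_type in SERVER_MESSAGES else b"\x01"  # BOOTREPLY/BOOTREQUEST
    return op + b"\x00" * 235 + MAGIC_COOKIE + bytes([53, 1, message_type, 255])

if __name__ == "__main__":
    sw = DhcpSnoopingSwitch(snooping_vlans={1}, trusted_ports={"fa0/1"})
    print(sw.filter("fa0/1", 1, build_dhcp(OFFER)), sw.filter("fa0/5", 1, build_dhcp(OFFER)))
```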
