In order for hosts to communicate with one another, addressing is required as it is a fundamental law of networking. In the early days of networking, devices were frequently given static addresses due to the infrequency with which these resources were relocated. However, addressing hosts using a static format does not scale well. (Can you even fathom having to manually update the IP address on your smartphone each time you leave the house?) Because of this, dynamic address setup has emerged as the de facto standard for the vast majority of networks across the globe. The Dynamic Host Configuration Protocol, often known as DHCP, is used at establishments such as coffee shops and hotels, as well as on your company’s network, in order to make life a little bit simpler for the numerous iPads, cellphones, and other computing devices that need access to your company’s network and to the Internet. DHCP ports was developed by the Internet Engineering Task Force.
DHCP snooping is a feature of Layer 2 switches that helps alleviate the security concerns caused by the denial-of-service attacks carried out by rogue DHCP servers. These attacks cause disruption to networks because they compete with legal DHCP servers, which are responsible for configuring hosts on the network so they can communicate.
From what I’ve seen, rogue DHCP servers are enabled by accident the vast majority of the time. For instance, a user who wants to bring wireless services into his workspace plugs in a wireless router that can be purchased at any electronics retailer and has DHCP activated by default. The user is completely unaware that his new toy distributes rogue addresses to hosts that aren’t paying attention, which causes reachability concerns on the network.
Attackers, meanwhile, take advantage of the open nature of DHCP in order to position themselves between the host and the resource that it is attempting to access, which is often the Internet. This vulnerability can be exploited to launch man-in-the-middle attacks, which put the privacy and credentials of users who are unaware of the incident at risk.
DHCP snooping
Cisco was the first company to deploy DHCP snooping as a feature in its network switches. This function was developed to prevent problems caused by malicious DHCP servers and Cisco was the first company to do so. Since then, several manufacturers have included analogous functionality in their operating systems.
DHCP snooping is based on the idea of utilizing one or more trusted ports that have been determined to be connected to trustworthy DHCP servers. The switch creates what is known as a “bindings table” as clients communicate with one another through the network. This table is a database that records the client’s MAC address, the address that was provided by DHCP, the switchport, the VLAN, and the amount of time left on the DHCP lease. The DHCP server communications coming from untrusted ports are screened out by the network switch, which does this to preserve the authenticity of legitimate DHCP servers and the proper functioning of the latter.
Operational Practices of DHCP snooping
In the event that DHCP snooping identifies a violation, the offending packet will be discarded, and an event will be generated with the text DHCP_SNOOPING included in the log message. Mismatches in MAC addresses might be the cause of a violation, as could attempts to deliver DHCP services on ports that are not trusted.
Snooping for DHCP packets is normally enabled on switches that are part of access point configurations. The implementation of rate-limiting for DHCP requests made on untrusted ports is recommended as a best practice. This IOS command, which must be enabled on the port before it can take effect, safeguards the DHCP server from an overwhelming number of addressing requests. It can be activated by entering this command:
Here is the variable number is expressed in packets per second.
ip dhcp snooping limit rate <1-4294967294>
Sum up
If you are interested in deploying DHCP snooping in a production environment, you should first test it in the lab to ensure that you have a thorough grasp of how the functionality is supposed to operate. In my experience, the majority of network engineers are familiar with the fundamental ideas behind DHCP, but a significantly lesser percentage of them grasp the specifics, particularly when it comes to proprietary vendor extensions and the way in which they are utilized.