DHCP snooping
DHCP snooping is a security feature of switches that filters DHCP messages (and only DHCP messages) received on untrusted ports. When DHCP snooping is enabled, all ports are untrusted by default, so we have to manually mark as trusted the specific ports we want, usually the uplinks (the ports connected to the switches and routers upstream).
DHCP snooping protects the network from two threats: DHCP starvation attacks and DHCP poisoning.
In a DHCP starvation attack a device in the LAN floods the network with DHCP DISCOVER messages using spoofed MAC addresses, so the DHCP server's pool of IPs is quickly exhausted: a denial of service.
In a DHCP poisoning attack the hostile device replies to the DISCOVER messages sent by other devices, impersonating the legitimate DHCP server (it becomes a spurious DHCP server). In its replies it sets itself as the default gateway, thereby intercepting any future traffic to outside networks: a man-in-the-middle attack. If the spurious DHCP server is in the local network and the legitimate DHCP server is not, this attack has a high chance of success, as DHCP clients usually accept the first OFFER message they get and decline the rest. Because of latency, the OFFER from the hostile device in the local LAN is bound to reach the client first.
DHCP snooping differentiates between messages sent by DHCP servers and messages sent by DHCP clients:
• DHCP Server: OFFER, ACK and NAK
• DHCP Client: DISCOVER, REQUEST, RELEASE and DECLINE
Let's do a brief review of the DHCP message sequence:
1. The DHCP client broadcasts DISCOVER messages on the LAN looking for a DHCP server
2. The DHCP server replies with a unicast OFFER message offering an unused IP from the DHCP pool
3. The DHCP client replies with a unicast REQUEST message requesting ownership of the offered IP
4. The DHCP server replies with a unicast ACK message assigning the IP to the client's MAC
5. The DHCP client replies with a unicast DECLINE message to any subsequent OFFER from other DHCP servers
6. The DHCP client sends a unicast RELEASE message to the DHCP server when it no longer needs the IP
As said before, DHCP messages received on trusted ports are forwarded without further ado. For any message received on an untrusted port, however:
• if it is a DHCP server message (OFFER, ACK or NAK) it is dropped
• if it is a DHCP client message:
1. DISCOVER/REQUEST messages are dropped if the frame's source MAC address and the CHADDR field in the DHCP payload do not match.
2. RELEASE/DECLINE messages are dropped if the source IP address together with the receiving interface cannot be found in the DHCP snooping binding table.
The DHCP Snooping Binding Table is created as soon as DHCP snooping is enabled and it keeps track of all the DHCP IPs leased and released in the local LAN. Let’s have a look at it:
SW1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
0C:29:2F:18:79:00   192.168.100.10   86467       dhcp-snooping  1     GigabitEthernet0/1
0C:29:2F:18:79:01   192.168.100.11   86443       dhcp-snooping  1     GigabitEthernet0/2
0C:29:2F:18:79:02   192.168.100.12   86412       dhcp-snooping  1     GigabitEthernet0/3
Total number of bindings: 3
Following the explanation above, if the switch gets a RELEASE/DECLINE message from an interface/IP pair that does not show up in this table, a spoofing attempt is going on and the message is discarded.
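The filtering rules above (trusted ports, server messages, the MAC/CHADDR check and the binding-table check for RELEASE/DECLINE) are easier to reason about as code. The following is an added illustration, not Cisco's implementation: the switch, the trusted uplink, the incoming messages and the binding entries (copied from the sample show output above) are constructed so the decision logic can be run offline.

```python
"""Model of the DHCP snooping filter described above (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                        # only valid from a DHCP server
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}  # only valid from a DHCP client


@dataclass
class DhcpMsg:
    kind: str      # message type, one of SERVER_MSGS or CLIENT_MSGS
    src_mac: str   # Ethernet source address of the frame
    chaddr: str    # client hardware address carried inside the DHCP payload
    src_ip: str    # IP source address ("0.0.0.0" for a DISCOVER)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingSwitch:
    trusted: Set[str] = field(default_factory=set)         # ports with 'ip dhcp snooping trust'
    bindings: List[Binding] = field(default_factory=list)  # DHCP snooping binding table

    def filter(self, port: str, msg: DhcpMsg) -> Tuple[bool, str]:
        """Decide whether a DHCP message received on `port` is forwarded or dropped."""
        # Trusted ports (the uplinks) are not inspected at all.
        if port in self.trusted:
            return True, "trusted port"
        # Server messages never legitimately arrive on an access port.
        if msg.kind in SERVER_MSGS:
            return False, "server message on untrusted port"
        # DISCOVER/REQUEST: the frame's source MAC must match CHADDR,
        # otherwise the sender is spoofing hardware addresses (starvation).
        if msg.kind in ("DISCOVER", "REQUEST"):
            if msg.src_mac.lower() != msg.chaddr.lower():
                return False, "source MAC does not match CHADDR"
            return True, "MAC and CHADDR consistent"
        # RELEASE/DECLINE: the IP must have been leased on this very interface,
        # otherwise someone is trying to release another host's address.
        if msg.kind in ("RELEASE", "DECLINE"):
            if any(b.ip == msg.src_ip and b.interface == port for b in self.bindings):
                return True, "binding found for IP on this interface"
            return False, "no binding for IP on this interface"
        return False, "unknown DHCP message type"


def sample_switch() -> SnoopingSwitch:
    """Constructed switch: uplink g0/0 trusted, bindings taken from the sample table above."""
    return SnoopingSwitch(
        trusted={"GigabitEthernet0/0"},
        bindings=[
            Binding("0c:29:2f:18:79:00", "192.168.100.10", 1, "GigabitEthernet0/1"),
            Binding("0c:29:2f:18:79:01", "192.168.100.11", 1, "GigabitEthernet0/2"),
            Binding("0c:29:2f:18:79:02", "192.168.100.12", 1, "GigabitEthernet0/3"),
        ],
    )


if __name__ == "__main__":
    sw = sample_switch()
    # Constructed traffic: legitimate OFFER on the uplink, an OFFER from an access port,
    # a DISCOVER with a forged CHADDR, a valid RELEASE and a RELEASE for another host's IP.
    cases = [
        ("GigabitEthernet0/0", DhcpMsg("OFFER", "aa:bb:cc:00:00:01", "0c:29:2f:18:79:00", "192.168.100.1")),
        ("GigabitEthernet0/2", DhcpMsg("OFFER", "aa:bb:cc:00:00:02", "0c:29:2f:18:79:00", "192.168.100.99")),
        ("GigabitEthernet0/4", DhcpMsg("DISCOVER", "0c:29:2f:18:79:04", "de:ad:be:ef:00:01", "0.0.0.0")),
        ("GigabitEthernet0/1", DhcpMsg("RELEASE", "0c:29:2f:18:79:00", "0c:29:2f:18:79:00", "192.168.100.10")),
        ("GigabitEthernet0/2", DhcpMsg("RELEASE", "0c:29:2f:18:79:01", "0c:29:2f:18:79:01", "192.168.100.10")),
    ]
    for port, msg in cases:
        fwd, why = sw.filter(port, msg)
        print(f"{port:20} {msg.kind:9} {'forward' if fwd else 'drop':8} ({why})")
```

The last case is the one described in the text: a RELEASE for 192.168.100.10 arriving on GigabitEthernet0/2, where the binding table says that address was leased on GigabitEthernet0/1, so the switch discards it.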
Let’s see how we can enable DHCP snooping:
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 1,2,5
SW1(config)# no ip dhcp snooping information option
SW1(config)# interface g0/0
SW1(config-if)# ip dhcp snooping trust
First we have to enable DHCP snooping at the switch level and then we need to enable it on a per-VLAN basis too (one or more VLANs, comma-separated). We also need to set the uplink ports as trusted, as every port is untrusted by default.
Disabling the ip dhcp snooping information option is something we might need to do if our switches operate at layer 2. Why? The "DHCP relay agent information option" gives the DHCP server additional information about which DHCP relay agent received the client's message, on which port, on which VLAN, etc. This option is added by switches acting as DHCP relay agents, but when DHCP snooping is enabled the switch inserts it by default even if it is not a relay agent! That is a problem because upstream switches drop DHCP messages carrying this additional information when they arrive on untrusted ports. So we have two options:
1. set the corresponding downlink ports on the upstream switches to trusted (not safe)
2. or disable Option 82 (that's the name of this additional information), which is what the third command above does
DHCP snooping also allows rate limiting of the DHCP messages received on an interface. When the rate is exceeded, by default the interface is shut down and its state set to err-disabled. Let's see how to enable that:
SW1(config)# interface range g0/1 - 3
SW1(config-if-range)# ip dhcp snooping limit rate 10
As soon as an interface receives more than 10 DHCP messages per second, we will see something like this:
*Jun 5 13:15:14:180: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 10 DHCP packets on interface Gi0/1
*Jun 5 13:15:14:181: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Gi0/1 is receiving more than the threshold set
*Jun 5 13:15:14:182: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Gi0/1, putting Gi0/1 in err-disable state
*Jun 5 13:15:14:183: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Jun 5 13:15:14:184: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
As we did with Port Security in the previous section, we can enable auto-recovery of interfaces shut down by rate limiting:
SW1# show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
[...]
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
SW1(config)# errdisable recovery cause dhcp-rate-limit
SW1(config)# errdisable recovery interval 600
SW1# show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Enabled
dtp-flap                     Disabled
[...]
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled
Timer interval: 600 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Gi0/1        dhcp-rate-limit      571
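The rate limit, the err-disable reaction and the recovery timer described in this section combine into a small state machine. The following is an added example, not Cisco's implementation: packet timestamps, the interface name and the timer values are constructed so the behaviour (more than the configured number of DHCP packets within a second shuts the port, and the port comes back only if recovery for the dhcp-rate-limit cause is enabled and the interval has elapsed) can be run offline.

```python
"""Model of 'ip dhcp snooping limit rate' with err-disable and errdisable recovery
(added example, not Cisco code)."""
from collections import deque
from typing import Deque, Dict, List, Tuple

CAUSE = "dhcp-rate-limit"   # the errdisable cause shown in 'show errdisable recovery'


class DhcpRateLimiter:
    def __init__(self, limit_pps: int, recovery_enabled: bool = False,
                 recovery_interval: int = 300) -> None:
        self.limit = limit_pps                      # 'ip dhcp snooping limit rate <n>'
        self.recovery_enabled = recovery_enabled    # 'errdisable recovery cause dhcp-rate-limit'
        self.recovery_interval = recovery_interval  # 'errdisable recovery interval <s>' (default 300)
        self.window: Dict[str, Deque[float]] = {}   # interface -> packet timestamps in the last second
        self.errdisabled: Dict[str, float] = {}     # interface -> time it was err-disabled

    def receive(self, iface: str, now: float) -> str:
        """Account one DHCP packet received on `iface` at time `now` (seconds)."""
        if iface in self.errdisabled:
            return "err-disabled"          # port is down, nothing is processed
        q = self.window.setdefault(iface, deque())
        q.append(now)
        while q and now - q[0] >= 1.0:    # keep only the packets of the last second
            q.popleft()
        if len(q) > self.limit:           # more than <limit> packets within one second
            self.errdisabled[iface] = now
            q.clear()
            return "err-disabled"
        return "accepted"

    def pending_recovery(self, now: float) -> List[Tuple[str, str, int]]:
        """Rows of 'Interfaces that will be enabled at the next timeout'."""
        if not self.recovery_enabled:
            return []
        return [(iface, CAUSE, int(self.recovery_interval - (now - t)))
                for iface, t in self.errdisabled.items()]

    def tick(self, now: float) -> List[str]:
        """Run the recovery timer; return the interfaces brought back up."""
        if not self.recovery_enabled:
            return []
        recovered = [i for i, t in self.errdisabled.items()
                     if now - t >= self.recovery_interval]
        for i in recovered:
            del self.errdisabled[i]
        return recovered


def run_flood(limiter: DhcpRateLimiter, iface: str, count: int,
              start: float = 0.0, spacing: float = 0.05) -> List[str]:
    """Deliver `count` constructed DHCP packets `spacing` seconds apart and return each outcome."""
    return [limiter.receive(iface, start + i * spacing) for i in range(count)]


if __name__ == "__main__":
    # Same settings as the configuration above: limit 10 pps, recovery every 600 s.
    lim = DhcpRateLimiter(10, recovery_enabled=True, recovery_interval=600)
    print(run_flood(lim, "Gi0/1", 11))          # 10 accepted, the 11th err-disables the port
    print(lim.pending_recovery(29.0))           # [('Gi0/1', 'dhcp-rate-limit', 571)]
    print(lim.tick(599.0), lim.tick(600.5))     # [] then ['Gi0/1']
    print(lim.receive("Gi0/1", 601.0))          # 'accepted' again after recovery
```

With `recovery_enabled=False` (the first show output above, where the dhcp-rate-limit timer is Disabled) `tick()` never returns the interface, which is exactly why an operator has to clear it by hand in that configuration.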