Sunday, April 30, 2017

Why & How to Configure Basic DHCP Snooping?

DHCP Snooping is a security configuration which can be done in switches to mitigate Rouge DHCP attacks. These type of attacks are performed by hackers to spoof DHCP information to carry out man in the middle attacks. Because DHCP is the server which tells hosts about the default gateway, DNS etc attackers can change the traffic flow to go through a bogus gateway which they can capture packets.

To stop this, you can configure DHCP Snooping (DHCP Inspection) to accept the DHCP server packets (Offer, Ack etc) only from trusted ports. In the diagram, you can see the DHCP server (trusted) which is connected to the CORE, and the Rouge DHCP (untrusted) which is connected to the SW.

When you configure DHCP Snooping in a switch, all ports become untrusted. You have to configure the trusted ports manually on the ports where the packets from the trusted DHCP server are receiving. In this topology, they are e0/0 of CORE & e0/0 of SW.

I am using IOS 15.2 & here are the basic essential commands to configure snooping..

Assuming VLANs and trunks are configured correctly;
(Here I have only VLAN 1)


CORE(config)#ip dhcp snooping
CORE(config)#ip dhcp snooping vlan 1
CORE(config)#int e0/0
CORE(config-if)#ip dhcp snooping trust

SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 1
SW(config)#no ip dhcp snooping information option
SW(config)#int e0/0
SW(config-if)#ip dhcp snooping trust

You can also rate limit the incoming DHCP requests coming from DHCP clients per second by issuing additional commands too which will help to prevent DHCP Exhaustion Attacks..
The above commands will get DHCP snooping working basically..

By default, SW will insert DHCP Option 82 into all DHCP packets it receives from the client. Also by default, CORE will drop those packets as soon as it receives them. A switch with DHCP Snooping enabled will drop packets on untrusted ports that contain Option 82 or have a non-zero giaddr (e.g. 0.0.0.0). This is what is seen in debug on CORE when SW sends a DHCPDISCOVER out port e0/0.

Remember that port e0/1 on CORE is an untrusted port for DHCP Snooping, so it drops the packets by default because Option 82 exists. That traffic never makes it to CORE.

The Option 82 helps to deliver the DHCP messages only to the client for which they are intended. It is turned on by default. The way it does it is using The Circuit ID that identifies the port to which the client is connected (the VLAN and the physical port location in a switch) & The Remote ID that identifies the access switch to which the client is connected (by the MAC address of the switch)

To overcome this problem, you can enter the following command on global configuration mode of CORE to allow option 82;
CORE(config)#ip dhcp snooping information option allow-untrusted

And also if you want to allow option 82 in your network and if the DHCP server is a Cisco device (if CORE switch is the DHCP server in this topology), you will have to enter following command on the DHCP server to identify option 82.
CORE(config)#ip dhcp relay information trust-all

Or you can do in on specific interface only by allowing the following command,
CORE(config-if)#ip dhcp relay information trusted

Or you can simply stop SW from inserting option 82 by entering the following command in global configuration mode of SW;
SW(config)#no ip dhcp snooping information option

That's what I have done in the above topology because it is the easiest solution.

If you are just connecting only a one switch to connect both the client PC and the DHCP server (in same broadcast domain) this is not an issue..

Note:
Dropping DHCP server packets is not the only thing DHCP Snooping does.
Inspecting the DHCP client traffic on untrusted ports and verifies it with the mac address table and dropping the traffic if it is not matching is another thing DHCP Snooping does automatically..

Preventive Actions If a Rouge DHCP detected??

Most of the time this can happen accidentally because of an ADSL router etc. In a case like that, you will get a complain from users that they receive a different IP range which causes a communication failure. What you must do is just issue a ipconfig /all in command prompt in Windows PC and see the DHCP server IP and then issue an arp -a to find the mac address of the DHCP server and trace to the port it is connected via the switch command prompt and shut it down..
If you have configured DHCP snooping correctly this won't be an issue..

0 comments to “Why & How to Configure Basic DHCP Snooping?”

Post a Comment