Cisco’s Overview of DHCP Snooping
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.
Well, thanks for that extremely clear overview… what is actually going on? Let's say you have a switch. You hook a DHCP server up to port #1 and designate this as a “trusted” interface, and all of the rest of the ports that will have devices connected to them are set up as “untrusted”. You would set this up using the commands:
*** Enable DHCP Snooping & ARP Inspection ***
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcpdb.dat
ip dhcp snooping
ip arp inspection vlan 100

*** Untrusted Access Interfaces for DHCP ***
interface range FastEthernet1/0/2 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto
interface range FastEthernet2/0/1 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto

*** Trusted Access Interface for DHCP ***
interface FastEthernet1/0/1
 description DHCP Server
 switchport access vlan 100
 switchport mode access
 no mdix auto
 ip dhcp snooping trust
DHCP Client requests are forwarded regardless of the trust state of the port, but DHCP server responses are dropped if the port is untrusted.
So let's say on port #2 the switch sees a DHCP discovery packet float by from a DHCP client. Because it is a broadcast message, this gets flooded to all ports on the VLAN. The DHCP server connected to port #1 sees the DHCPDISCOVER and sends a unicast DHCPOFFER packet to the client. Because this originated from a “trusted” port, the offer is allowed through. The client receives the DHCPOFFER, chooses one offer from all that it receives, and responds with a DHCPREQUEST back to the DHCP server. The server then responds with a DHCPACK that includes the configuration parameters and the committed network address. The switch records the client binding (port, VLAN, MAC address, IP address, etc.) in its local snooping database.
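To make the forwarding rule and the binding table concrete, here is an added Python model of a snooping switch (not Cisco's code and not part of the original post): it parses a raw DHCP payload, drops server replies (OFFER/ACK/NAK) that arrive on untrusted ports, lets client requests through, and records the client's port, VLAN, MAC, IP and lease from the DHCPACK. The port names and VLAN number follow the config above; the packets are constructed samples, not captures.

```python
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types (RFC 2132)
SERVER_MSGS = {OFFER, ACK, NAK}                      # server-originated types that snooping filters
MAGIC = b"\x63\x82\x53\x63"  # magic cookie that follows the 236-byte BOOTP fixed header

def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=None):
    """Constructed sample payload: BOOTP fixed fields, cookie, option 53 (plus 51 for a lease)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2              # 1 = BOOTREQUEST, 2 = BOOTREPLY
    hdr = (struct.pack("!BBBB", op, 1, 6, 0) + bytes(12)          # op/htype/hlen/hops, xid/secs/flags, ciaddr
           + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)  # yiaddr, siaddr/giaddr
           + bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0") + bytes(192))  # chaddr, sname/file
    opts = bytes([53, 1, msg_type]) + (bytes([51, 4]) + struct.pack("!I", lease) if lease else b"")
    return hdr + MAGIC + opts + b"\xff"                           # 255 = end option

def parse_dhcp(pkt):
    """Return (msg_type, chaddr, yiaddr, lease_secs) from a raw DHCP payload."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + pkt[2]])   # pkt[2] = hlen
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:                         # walk TLV options up to the end marker
        if pkt[i] == 0:                                           # 0 = pad: a lone byte, no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    lease = struct.unpack("!I", opts[51])[0] if 51 in opts else None
    return opts[53][0], chaddr, yiaddr, lease

class SnoopingSwitch:
    def __init__(self, vlan, trusted_ports):
        self.vlan, self.trusted = vlan, set(trusted_ports)
        self.client_port = {}   # chaddr -> untrusted port where the client's own request arrived
        self.bindings = {}      # chaddr -> binding entry (the snooping database)

    def process(self, port, pkt):
        """Return 'forward' or 'drop' for a DHCP packet that arrived on `port`."""
        msg_type, chaddr, yiaddr, lease = parse_dhcp(pkt)
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"   # a server reply on an access port cannot be from the real server
            if msg_type == ACK and chaddr in self.client_port:
                self.bindings[chaddr] = {"ip": yiaddr, "mac": chaddr, "vlan": self.vlan,
                                         "port": self.client_port[chaddr], "lease": lease}
            return "forward"
        if port not in self.trusted:
            self.client_port[chaddr] = port   # client requests pass; remember where the client sits
        return "forward"
```

Feed each DHCP message to process() with its ingress port: replies seen on an untrusted port come back as 'drop', and after a legitimate DHCPACK the bindings dict holds the entry the switch would keep in its database.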