
Configuring and Implementing Switched Data Plane Security Solutions

Configuring DHCP Snooping

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—1-1


DHCP Attacks

[Diagram: a DHCP server; an attacker on an untrusted port sending DHCP requests with spoofed MAC addresses. Captions: "Attacker attempting to set up rogue DHCP server" and "Attacker attempting to starve DHCP server".]



DHCP Snooping

 DHCP snooping allows the configuration of ports as trusted or untrusted.
 Untrusted ports cannot process DHCP replies.
 Configure DHCP snooping on uplinks to a DHCP server.
 Do not configure DHCP snooping on client ports.

[Diagram labels: Rogue DHCP Client, Attacker, Legitimate DHCP Server]



Mitigating DHCP Attacks

Here are two ways to mitigate DHCP spoofing and starvation attacks:
 Port security
 DHCP snooping



Configuration Guidelines

 Globally enable first
 Not active until enabled on a VLAN
 Configure DHCP server and relay agent first
 Configure DHCP addresses and options first
 DHCP option 82 not supported if relay agent is enabled but snooping is disabled



Commands to Mitigate DHCP Starvation Attacks

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 90
switch(config)# interface FastEthernet 0/5
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate 300
switch(config-if)# end

[Diagram: VLAN 90; Fa0/5 is the uplink to the DHCP server; the other ports are any port configured for unauthenticated access.]
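As an added example (not part of the Cisco course material), a small Python audit that parses IOS-style running-config lines and checks them against the guidelines above: snooping globally enabled, enabled on at least one VLAN, trust only on ports facing the DHCP server, and a rate limit on every untrusted port. The sample config, the set of uplink ports and the rate-limit rule for untrusted ports are assumptions made for the example.

```python
import re
# Constructed sample of IOS-style config (not from a real device): the slide's
# commands for Fa0/5 plus two client ports, one of them wrongly trusted.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 90
!
interface FastEthernet0/5
 ip dhcp snooping trust
 ip dhcp snooping limit rate 300
interface FastEthernet0/6
 ip dhcp snooping trust
interface FastEthernet0/7
"""

def parse_snooping(config):
    """Return (globally_enabled, {vlan ids}, {interface: {"trust", "rate"}})."""
    enabled, vlans, ifaces, cur = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"trust": False, "rate": None}
        elif line == "!":
            cur = None  # back to global configuration context
        elif cur is None and line == "ip dhcp snooping":
            enabled = True
        elif cur is None and line.startswith("ip dhcp snooping vlan "):
            # listed numbers only; a range such as 10-20 records just its endpoints
            vlans.update(int(v) for v in re.findall(r"\d+", line.split("vlan", 1)[1]))
        elif cur and line == "ip dhcp snooping trust":
            ifaces[cur]["trust"] = True
        elif cur and (m := re.fullmatch(r"ip dhcp snooping limit rate (\d+)", line)):
            ifaces[cur]["rate"] = int(m.group(1))
    return enabled, vlans, ifaces

def audit_dhcp_snooping(config, uplinks):
    """Findings against the guidelines; uplinks = ports that face a DHCP server."""
    enabled, vlans, ifaces = parse_snooping(config)
    findings = []
    if not enabled:
        findings.append("not globally enabled")
    if not vlans:
        findings.append("not enabled on any VLAN, so snooping is inactive")
    for name, st in ifaces.items():
        if st["trust"] and name not in uplinks:
            findings.append(f"{name}: trusted but not an uplink, DHCP replies accepted")
        if not st["trust"] and st["rate"] is None:
            findings.append(f"{name}: untrusted with no rate limit, starvation possible")
    return findings
```

Run it against `show running-config` output saved to a file; an empty findings list means the configuration matches the guidelines as encoded here.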



Examples

switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
90
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/5            yes        300



Examples (Cont.)
By IP Address

switch# show ip dhcp binding 172.16.1.11
IP address      Hardware address    Lease expiration        Type
172.16.1.11     00a0.9802.32de      Feb 01 1998 12:00 AM    Automatic

switch# show ip dhcp binding 172.16.3.254
IP address      Hardware address    Lease expiration        Type
172.16.3.254    02c7.f800.0422      Infinite                Manual

By Subnet

switch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.0.0.0/26     0063.6973.636f.2d64.    Mar 29 2003 04:36 AM    Automatic
                656d.6574.6572.2d47.
                4c4f.4241.4c



Summary

 DHCP attacks are another type of Layer 2 (switch) attack.
 DHCP snooping is a DHCP security feature that provides network security.
 Two ways to mitigate DHCP attacks are port security and DHCP snooping.
 There are several guidelines for configuring DHCP snooping.
 You must first globally enable DHCP snooping.
 There are two commands given to verify DHCP snooping configuration and operation.
