DHCP Spoofing Attacks An attacker activates a DHCP server on the VLAN. An attacker replies to a valid client DHCP request. An attacker assigns IP configuration information that establishes a rogue device as client default gateway. An attacker floods the DHCP server with requests.
DHCP Snooping Protects Against Rogue and Malicious DHCP Servers DHCP requests (discover) and responses (offer) are tracked. Rate-limiting requests on untrusted interfaces limit DoS attacks on DHCP servers. Deny responses (offers) on untrusted interfaces to stop malicious or errant DHCP servers.
DHCP Snooping DHCP snooping allows the configuration of ports as trusted or untrusted. Untrusted ports cannot forward DHCP replies. Configure DHCP trust on the uplinks to a DHCP server. Do not configure DHCP trust on client ports.
Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 10,20 DHCP snooping is operational on following VLANs: 10,20 DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port remote-id: 001a.e372.ab00 (MAC) Option 82 on untrusted port is not allowed Verification of hwaddr field is enabled Verification of giaddr field is enabled DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ---------------- FastEthernet0/1 no no 50 FastEthernet0/24 yes yes unlimited
About DAI DAI associates each interface with a trusted state or an untrusted state. Trusted interfaces bypass DAI. Untrusted interfaces undergo DAI validation. DHCP snooping is required to build a table with MAC-to-IP bindings for DAI validation.
IP Source Guard DHCP snooping must be configured to verify source IP addresses. Port security with DHCP snooping allows verification of source IP and MAC addresses.