Saturday, February 22, 2020

DHCP Snooping



DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and stop any malicious DHCP packets. This is best explained with an example so take a look at the picture below:
[Figure: core/distribution/access topology with a DHCP server, a client and an attacker]
In the picture above I have a DHCP server connected to the switch on the top left. At the bottom right you see a legitimate client that would like to get an IP address. What if the l33t hacker script kiddy on the left would run DHCP server software on his computer? Who do you think will respond first to the DHCP discover message? The legitimate DHCP server or the script kiddy’s DHCP server software?
On larger networks you will probably find a central DHCP server somewhere in the server farm. If an attacker runs a DHCP server in the same subnet he will probably respond faster to the DHCP discover message of the client. If this succeeds he can hand the client his own IP address as the default gateway for a man-in-the-middle attack. Another option would be to hand out his own IP address as the DNS server so he can spoof websites etc.
The attacker could also send DHCP discover messages to the DHCP server and try to deplete its DHCP pool. So what can we do to stop this madness? DHCP snooping to the rescue! We can configure our switches so they track the DHCP discover and DHCP offer messages. Here’s how:
[Figure: DHCP snooping, discover and offer packets on trusted and untrusted interfaces]
Interfaces that connect to clients should never be allowed to send a DHCP offer message. We can enforce this by making them untrusted. An interface that is untrusted will block DHCP offer messages. Only an interface that has been configured as trusted is allowed to forward DHCP offer messages. We can also rate-limit interfaces so they can’t send an unlimited amount of DHCP discover messages; this will prevent attacks from depleting the DHCP pool.
When a Cisco Catalyst Switch receives a DHCP Discover, it will only forward it on trusted interfaces. This prevents rogue DHCP servers on untrusted interfaces from receiving it in the first place.
Let’s see how we can configure DHCP snooping…

Configuration

I will use the following topology:
[Figure: DHCP snooping example topology, client on fa0/1, DHCP server on fa0/2, attacker on fa0/3]


Interface fa0/1 is connected to a client that would like to get an IP address from the DHCP server connected to interface fa0/2. There’s an attacker connected to fa0/3 that is running DHCP server software. Let’s see if we can stop him…
SW1(config)#ip dhcp snooping
First you need to enable DHCP snooping globally.
SW1(config)#no ip dhcp snooping information option
By default the switch will add option 82 to the DHCP discover message before passing it along to the DHCP server. Some DHCP servers don’t like this and will drop the packet. If your client doesn’t get an IP address anymore after enabling DHCP snooping globally you should use this command.
SW1(config)#ip dhcp snooping vlan 1
Select the VLANs for which you want to use DHCP snooping.
SW1(config)#interface fa0/2
SW1(config-if)#ip dhcp snooping trust
Once you enable DHCP snooping all interfaces by default are untrusted. Make sure interfaces that lead to the DHCP server are trusted.
SW1(config)#interface fa0/1
SW1(config-if)#ip dhcp snooping limit rate 10
Optionally you can rate-limit the number of DHCP packets that the interface can receive. I’ve set the fa0/1 interface so it can’t receive more than 10 DHCP packets per second.
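To make the behaviour of the trusted/untrusted interfaces, the rate limit and the binding table concrete, here is a small Python model I added for this lesson (it is not Cisco code and not part of the original post). The port names and the packet sequence are constructed to match the topology above: the client on fa0/1, the real DHCP server on fa0/2 and the attacker’s DHCP server on fa0/3; the err-disable reaction to an exceeded rate limit is modelled after what a Catalyst switch does.

```python
from collections import defaultdict, deque
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # DHCP message types (option 53)
SERVER_MSGS = {OFFER, ACK}                    # only a DHCP server sends these

class DhcpSnooper:
    def __init__(self, trusted=(), rate_limits=None):
        self.trusted = set(trusted)                 # interfaces towards the real DHCP server
        self.rate_limits = dict(rate_limits or {})  # interface -> max DHCP packets per second
        self.recent = defaultdict(deque)            # interface -> arrival times in last second
        self.pending = {}                           # client MAC -> untrusted interface it asked on
        self.bindings = {}                          # client MAC -> (ip, interface), the binding table
        self.err_disabled = set()

    def process(self, pkt):
        """Return ('forward', egress_interfaces) or ('drop', reason) for one DHCP packet."""
        port, t = pkt["port"], pkt["time"]
        if port in self.err_disabled:
            return ("drop", "port err-disabled")
        limit = self.rate_limits.get(port)
        if limit is not None:                       # sliding one-second window per interface
            win = self.recent[port]
            win.append(t)
            while t - win[0] >= 1.0:
                win.popleft()
            if len(win) > limit:                    # modelled after IOS: exceed limit -> err-disable
                self.err_disabled.add(port)
                return ("drop", "rate limit exceeded, port err-disabled")
        if pkt["type"] in SERVER_MSGS:
            if port not in self.trusted:            # rogue OFFER/ACK is dropped right here
                return ("drop", "server message on untrusted port")
            client_port = self.pending.get(pkt["chaddr"])
            if pkt["type"] == ACK and client_port is not None:
                self.bindings[pkt["chaddr"]] = (pkt["yiaddr"], client_port)
            return ("forward", [client_port] if client_port else ["flood"])
        if port not in self.trusted:                # remember which interface the client sits on
            self.pending[pkt["chaddr"]] = port
        return ("forward", sorted(self.trusted - {port}))  # DISCOVER/REQUEST only to trusted ports

def demo():
    # Constructed sequence: legit client fa0/1, DHCP server fa0/2, rogue server fa0/3
    sw = DhcpSnooper(trusted=["fa0/2"], rate_limits={"fa0/1": 10})
    mac = "00:0c:29:28:5c:6c"
    pkts = [
        {"port": "fa0/1", "time": 0.0, "type": DISCOVER, "chaddr": mac},
        {"port": "fa0/3", "time": 0.1, "type": OFFER, "chaddr": mac, "yiaddr": "192.168.1.50"},
        {"port": "fa0/2", "time": 0.2, "type": OFFER, "chaddr": mac, "yiaddr": "192.168.1.1"},
        {"port": "fa0/1", "time": 0.3, "type": REQUEST, "chaddr": mac},
        {"port": "fa0/2", "time": 0.4, "type": ACK, "chaddr": mac, "yiaddr": "192.168.1.1"},
    ]
    return [sw.process(p) for p in pkts], sw.bindings
```

Running demo() shows the rogue offer on fa0/3 being dropped, the real offer and ack being forwarded only to fa0/1, and a binding for the client ending up in the table.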
SW1#show ip dhcp snooping 
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10        
FastEthernet0/2              yes         unlimited
Use the show ip dhcp snooping command to verify your configuration.
SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:28:5C:6C   192.168.1.1      85655       dhcp-snooping   1     FastEthernet0/1
Once your client receives an IP address from the legit DHCP server you can see SW1 keeps track of the MAC to IP binding. DHCP offer messages from the DHCP server on the untrusted interface will be dropped. I hope this lesson has been useful for you to understand DHCP snooping.
hostname SW1
!
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
!
interface FastEthernet0/1
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
 ip dhcp snooping trust
!
interface Vlan1
 ip address dhcp
!
end


