Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1108
Views
0
Helpful
5
Replies

dhcp snooping discussion

sunil-koul
Level 1
Level 1

‎06-14-2012 04:19 AM - edited ‎03-07-2019 07:14 AM

          can anybody explain with an example use of dhcp snooping?       

Labels:
0 Helpful
5 Replies 5

smehrnia
Level 7
Level 7

‎06-14-2012 04:40 AM

Hi Snuil,

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

plz Rate if it helped.

Soroush.

Hope it Helps!

Soroush.
0 Helpful

sunil-koul
Level 1
Level 1
In response to smehrnia

‎06-14-2012 04:56 AM

sorry this i have read already from cisco site but need practical example where we use it.

0 Helpful

smehrnia
Level 7
Level 7
In response to sunil-koul

‎06-14-2012 05:10 AM

aha, got you... thought u had conceptual problem.

we use DHCP snooping to address bellow attacks in our Layer 2 Network, so we use it where there are risks of these kind of rogue activities:

DHCP address exhaustion attack — This type of attack focuses on depleting the address pool on the DHCP server, thus causing a denial of service attack. In a DHCPDISCOVER message broadcast out from a client, there is a field called chaddr which is the client hardware address or MAC address. The chaddr field is set to the source MAC address of the client by default.  If an attacker constantly keeps changing his MAC address, he could keep requesting different addresses from the DHCP pool and eventually deplete it.  Fortunately, port-security helps mitigate this attack.  However, if a client keeps the same MAC address but simply changes the chaddr field to something unique on every request, an attacker could just as well exhaust all DHCP addresses in the pool without causing a port-security violation.  The pool could become depleted and legitimate users may not be able to obtain address leases.

IP Address Hijacking — Normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can go ahead and add that IP address back into the pool of available addresses.  An attacker that has knowledge of an authorized IP addressed leased through DHCP could send a packet to the server with the DHCPRELEASE field set to that authorized IP address.  The attacker could attempt to release that IP address and then take over the IP address on the network. At a minimum, the attacker could be disrupting network communications.

plz Rate if it helped.

Soroush.

Hope it Helps!

Soroush.
0 Helpful

sunil-koul
Level 1
Level 1
In response to smehrnia

‎06-14-2012 05:32 AM

this helped me but have confusion like interfaces connected to end users are untrusted and interface connected to dhcp servers are trusted so how it helps to give the ip addresses to valid client.

0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to sunil-koul

‎06-14-2012 06:14 AM

Hi Sunil,

I got this material from internet for you.

So here we go, with the configuration of DHCP snooping on a Cisco Switch. This feature protects the network by allowing the Cisco Switches to accept DHCP response message only from the authorized servers connected to the trusted interfaces in a Cisco Switch.

All Switch to  Switch connections are configured as 802.1 1Q Trunk ports.

IP Address and HSRP Details for the Core

IP Address and HSRP Details for the Core Switches http://http.cdnlayer.com/itke/blogs.dir/58/files/2008/11/dhcp-snooping2.jpgFrom the above scenario we have two Cisco 6513 Series Switches as a Core/ Distribution with three VLANS one for management of Switches VLAN 50,VLAN 100 for all the servers and VLAN 101 for clients. Two Cisco 3560 Series Switches as Server Farm Switches and a Cisco 3560 Series Switch as an Access Switch.There are two DHCP servers with an IP address 10.0.1.100 and 10.0.1.101 connected with Server Farm Switches with HP NIC teaming. We configure DHCP Snooping based on above scenario.

The first step to configure DHCP Snooping is to turn on DHCP snooping in all Cisco Switches using the “ip dhcp snooping” command.

All Cisco Switches (config)#ip dhcp snooping Second step is to configure the trusted interfaces, from the above scenario all trunk ports are configured as trusted ports as well as the interfaces G0/7,(ITKESF01 50.0.0.6),  G0/17,(ITKESF02 50.0.0.7),  G0/9 ITKESF01 50.0.0.6)  and G0/18 ITKESF02 50.0.0.7)  connected to DHCP servers with IP 10.0.1.100 and 10.0.1.101. Lets configure all trunk ports in ITKEBB01

ITKEBB01(config)#interface range  gigabitEthernet 3/21 - 23

ITKEBB01 (config-if)#ip dhcp snooping trust

Now let’s configure all trunk ports in ITKEBB02

ITKEBB02(config)#interface range  gigabitEthernet 3/21 - 23 ITKEBB02 (config-if)#ip dhcp snooping trust

ITKEBB02 (config)#interface gigabitEthernet 3/16

ITKEBB02 (config-if)#ip dhcp snooping trust

Now let’s configure the trusted ports for the DHCP servers

ITKESF01(config)#interface gigabitEthernet 0/7

ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF01(config)#interface gigabitEthernet 0/17 ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/9

ITKESF02 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/18 ITKESF02 (config-if)#ip dhcp snooping trust

Now let’s configure the trunk ports  Access Switch ITKEAS01

ITKEAS01(config)#interface range  gigabitEthernet 0/49 - 52

ITKEAS01 (config-if)#ip dhcp snooping trust

Finally we are going to configure VLANS for DHCP snooping DHCP snooping will used on all the VLANs (VLAN 100 & 101)except management VLAN 50 . Also we will limit the requests rate received in the Access Switch (ITKEAS01) ALL SWITCHES(config)# ip dhcp snooping VLAN 100,101

ITKEAS01(config)#interface range  gigabitEthernet 0/1 - 48

ITKEAS01 (config-if)#ip dhcp snooping limit rate 20 http://http.cdnlayer.com/itke/blogs.dir/58/files/2008/11/dhcp-snooping3.jpg

Displaying the DHCP snooping

Reagrds

Please rate of it helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card