04-17-2017 09:30 PM - edited 03-08-2019 10:13 AM
Hello, we have a fairly large network of approximately 300 Cisco switches/routers.
We are trying to improve security and are considering implementing DHCP snooping on each switch in our network (simply as a matter of good security practice).
My question is: would this be a good idea? Do most large companies use DHCP snooping, or are there drawbacks that would perhaps make it not feasible?
Thank you for any information.
04-18-2017 07:41 AM
It is one of the best practices. We have it rolled out through the access switches with no issues. Take the slow approach on your network. Leave the DAI and IPSG components for later. Pick a low-impact area and apply it VLAN by VLAN, not all at once. Try to identify your static-IP devices, if there are any (printers, BMS, etc.). Also pay attention to the DHCP option 82 configuration, whether or not you use it.
04-18-2017 08:01 AM
Hi
Yes, it is a good security practice to avoid any rogue DHCP server connected to the company network. DHCP snooping must be applied on the access switches only. If DHCP snooping is applied properly you will not have any problem on your network.
Below you will find an example configuration:

! global: enable snooping, scope it to the VLANs that need it, do not insert option 82
ip dhcp snooping
ip dhcp snooping vlan X1,X2,X3,Xn
no ip dhcp snooping information option

* DHCP snooping will be enabled once you have assigned the VLANs to be part of it.

Untrusted ports (end-user ports):
! ports are untrusted by default; only the rate limit is added here
interface g1/0/x
 ip dhcp snooping limit rate 20

Trusted ports (trunk interfaces):
interface g1/1/x
 ip dhcp snooping trust

* Remember, the ip dhcp snooping trust command is configured in the outbound direction, in a few words on the interfaces going towards the company DHCP servers.
Check this link:
http://itsecurity.telelink.com/dhcp-attacks/
Please rate the comment if it is useful
:-)
04-17-2017 10:12 PM
You want to be using up-to-date software. I had some issues with the earlier software many years ago.
I typically start at the core and then work outwards. This is assuming your DHCP server(s) are at or near the core.
04-17-2017 11:48 PM
Why would you have DHCP Snooping in the Core at all?
I run DHCP Snooping on a couple of hundred switches with no major issues, but I do see some minor problems, mostly because of bad client behaviour. MAC address validation is one example: some clients with both the wireless and wired NIC enabled use the wrong MAC address in DHCP Requests/Informs, and therefore the switch throws "%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP". That check can be disabled with "no ip dhcp snooping verify mac-address".
Another example is false positives regarding "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING", also because of bad client behaviour.
I would say DHCP Snooping is fairly safe to enable if you have control over where your DHCP servers are. Dynamic ARP Inspection and IP Source Guard are a bit more problematic...
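The reply above distinguishes a real rogue-server signal from the "bad client behaviour" noise that DHCP snooping logs. The script below is an added example, not code from the thread or from Cisco: it triages syslog lines of the two message types the reply names. A server-side message (DHCPOFFER/DHCPACK/DHCPNAK) dropped on an untrusted port means something on that port answered a client, which is the rogue-server case; a dropped client message or a chaddr/source-MAC mismatch is the dual-NIC style noise. The sample log lines are constructed for this example, the hostnames and MACs are invented, and the exact message text after the mnemonic is modelled on the IOS wording but assumed rather than taken from the thread.

```python
import re
from collections import Counter, defaultdict

# DHCP message types that only a server sends. One of these arriving on an
# untrusted port is the signature of a rogue (or misplaced) DHCP server.
SERVER_MSG_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Constructed sample syslog lines (hosts, MACs and ports are invented); the
# message bodies follow the IOS %DHCP_SNOOPING wording but are an assumption.
SAMPLE_LOG = """\
Apr 18 07:41:02 sw-acc-01 1234: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Apr 18 07:41:03 sw-acc-01 1235: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
Apr 18 07:42:10 sw-acc-02 2201: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: aabb.ccdd.0001, MAC sa: aabb.ccdd.0002
Apr 18 07:42:11 sw-acc-02 2202: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPRELEASE, MAC sa: aabb.ccdd.0002
Apr 18 07:45:00 sw-acc-03 3001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) .*?"

UNTRUSTED_RE = re.compile(
    _PREFIX
    + r"%DHCP_SNOOPING-\d-DHCP_SNOOPING_UNTRUSTED_PORT:.*?"
    + r"message type: (?P<mtype>DHCP\w+), MAC sa: (?P<mac>[0-9a-f.]+)"
)
MAC_FAIL_RE = re.compile(
    _PREFIX
    + r"%DHCP_SNOOPING-\d-DHCP_SNOOPING_MATCH_MAC_FAIL:.*?"
    + r"message type: (?P<mtype>DHCP\w+), chaddr: (?P<chaddr>[0-9a-f.]+), "
    + r"MAC sa: (?P<mac>[0-9a-f.]+)"
)


def parse_line(line):
    """Return a dict for the two snooping messages of interest, else None."""
    m = UNTRUSTED_RE.match(line)
    if m:
        return dict(m.groupdict(), event="untrusted_port_drop")
    m = MAC_FAIL_RE.match(line)
    if m:
        return dict(m.groupdict(), event="chaddr_mismatch")
    return None


def classify(event):
    """Server message on an untrusted port -> rogue-server candidate.

    Everything else (client messages dropped on untrusted ports, chaddr vs.
    source-MAC mismatches) is the dual-NIC / relay style client noise the
    thread describes; it only matters if it repeats at volume.
    """
    if event["event"] == "untrusted_port_drop" and event["mtype"] in SERVER_MSG_TYPES:
        return "rogue_server_candidate"
    return "client_noise"


def triage(log_text):
    """Count verdicts and collect the source MACs that acted as DHCP servers."""
    verdicts = Counter()
    suspects = defaultdict(list)  # source MAC -> [(switch, message type), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        verdicts[verdict] += 1
        if verdict == "rogue_server_candidate":
            suspects[ev["mac"]].append((ev["host"], ev["mtype"]))
    return verdicts, dict(suspects)


if __name__ == "__main__":
    verdicts, suspects = triage(SAMPLE_LOG)
    for mac, hits in suspects.items():
        switches = sorted({h for h, _ in hits})
        types = sorted({t for _, t in hits})
        print(f"rogue DHCP server candidate: MAC sa {mac} on {switches} sent {types}")
    print(dict(verdicts))
```

Feeding real switch syslog through this separates the one event worth walking to the closet for (a MAC handing out OFFER/ACK on an access port) from the MATCH_MAC_FAIL and client-side UNTRUSTED_PORT drops that the reply says are usually misbehaving endpoints. The source MAC and the reporting switch are enough to find the port in the MAC address table.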
04-17-2017 11:37 PM
Hi
Replacing DHCP servers is not a serious kind of attack. The largest companies use that kind of security, but most large companies don't. You can do it for your own experience; don't think it's a bad idea!