cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1697
Views
0
Helpful
5
Replies
Beginner

DHCP snooping

Hello we have a fairly large network of approximately 300 Cisco switches/routers.

We are trying to improve security and were considering implementing DHCP snooping on each switch in our network (simply as a matter of good security practice)

My question is would this be a good idea ? Do most large companies use DHCP snooping or are there drawbacks that would perhaps not make it feasible ?

Thank you for any information.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

It is one of the best

It is one of the best practices,We have it rolled out through the access switches and no any issues. take the slow approach on your network.Leave DAP and IPSG components for later.Pick a low impacting area and apply it vlan by vlan but not all at once.try to identify your static IP devices if there's any(Printers,BMS etc.) .Also pay attention to DHCP option 82 configuration if you use it or not

***Please rate all the useful posts***
-Prabath
VIP Advisor

Hi

Hi

Yes, it is a good security practice to avoid any rogue dhcp server connected to the company network. DHCP snooping must be applied on the access switches only. If DHCP snooping is applied properly you will not have any problem on your network. 

Below you will find a example of configuration:

ip dhcp snooping     
ip dhcp snooping vlan X1,X2,X3,Xn
no ip dhcp snooping information option

* DHCP Snooping will be enabled once you have assigned the VLANs to be part of it. 

Untrusted ports (end users ports)

Int g1/0/x
ip dhcp snooping limit rate 20

Trusted ports (trunk interfaces)

int g1/1/x
ip dhcp snooping trust

* Remember, the ip dhcp snooping trust command line is configured on the outbound direction, in few words on the interfaces going to the Company DHCP servers. 

Check this link:

http://itsecurity.telelink.com/dhcp-attacks/

Please rate the comment if it is useful

:-)

5 REPLIES 5
VIP Advisor

You want to be using up to

You want to be using up to date software.  I had some issues with the earlier software many years ago.

I typically start at the core and then work outwards.  This is assuming your DHCP server(s) are at or near the core.

Beginner

Why would you have DHCP

Why would you have DHCP Snooping in the Core at all?

I run DHCP Snooping at a couple of hundred switches with no major issues, but I do see some minor problems mostly because bad client behaviour. MAC address validation is one example, some client with both Wireless and Wired NIC enabled uses wrong MAC-address in DHCP Requests/Informs and therefor the switch throws "%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP", that check can be disabled with "no ip dhcp snooping verify mac-address".

Another example is false positives regarding "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING", also because bad client behaviour.

I would say DHCP Snooping is fairly safe to enable if you have control over where your DHCP-servers are. Dynamic ARP Inspection and IP Source Guard is a bit more problematic...

Beginner

Hi

Hi

Replacement of DHCP servers it's not kind of seriosly atack. in Largest company is using that kind of security, but most of large company doesn't do it. You can do it for your own experience, don't think it's a bad idea!

Highlighted

It is one of the best

It is one of the best practices,We have it rolled out through the access switches and no any issues. take the slow approach on your network.Leave DAP and IPSG components for later.Pick a low impacting area and apply it vlan by vlan but not all at once.try to identify your static IP devices if there's any(Printers,BMS etc.) .Also pay attention to DHCP option 82 configuration if you use it or not

***Please rate all the useful posts***
-Prabath
VIP Advisor

Hi

Hi

Yes, it is a good security practice to avoid any rogue dhcp server connected to the company network. DHCP snooping must be applied on the access switches only. If DHCP snooping is applied properly you will not have any problem on your network. 

Below you will find a example of configuration:

ip dhcp snooping     
ip dhcp snooping vlan X1,X2,X3,Xn
no ip dhcp snooping information option

* DHCP Snooping will be enabled once you have assigned the VLANs to be part of it. 

Untrusted ports (end users ports)

Int g1/0/x
ip dhcp snooping limit rate 20

Trusted ports (trunk interfaces)

int g1/1/x
ip dhcp snooping trust

* Remember, the ip dhcp snooping trust command line is configured on the outbound direction, in few words on the interfaces going to the Company DHCP servers. 

Check this link:

http://itsecurity.telelink.com/dhcp-attacks/

Please rate the comment if it is useful

:-)

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards