DHCP is one of those basic fundamentals that all systems and network admins should have a firm grasp of. DHCP servers are responsible for providing PCs and devices on your network with information such as IP addressing, the default gateway and DNS server details. Because machines rely on this server for such important information, an attacker who connects a rogue DHCP server to the network can direct machines to use an alternate DNS server or gateway and intercept that valuable traffic. Far too often, a young admin staff member may also accidentally plug in a device that is acting as a DHCP server, which can cause major dramas as well. It can be hard to eliminate these risks, but you can help by implementing a solution called DHCP snooping.
DHCP snooping can be configured on network switches to eavesdrop on all DHCP communication on the network. Based on the contents of these DHCP messages, the switch populates a table with the IP addresses assigned to clients, their MAC addresses, their VLANs and their access ports. Typically there will only be one DHCP server on a network, so by turning on DHCP snooping you allow DHCP server messages only from the port that the DHCP server is plugged into. If a device plugged into an untrusted port sends DHCP server messages, those packets are dropped, giving the network enhanced security.
To enable DHCP snooping:
SW1(config)#ip dhcp snooping
To set the port that the DHCP server is connected to as trusted:
SW1(config-if)#ip dhcp snooping trust
To configure DHCP snooping for a particular VLAN:
SW1(config)#ip dhcp snooping vlan <vlan-id>
Caution – It's not as easy as just trusting the one port and leaving all other ports untrusted. Think about what other devices on your network need to be trusted, and about the flow of traffic from your DHCP server to the rest of your network.
Here are my steps, and the extra steps I needed:
- Ensure you enable it on all switches
- On all switches, you must trust the uplink/trunking ports that lead to the switch containing the DHCP server
- Trust EtherChannel
- Trust ports with Meraki access ports. These may use DHCP if set up this way.
- If you run DHCP from a central site, trust all WAN ports connected to MPLS network.
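One way to check a switch against the commands and checklist above, as an added example that is not part of the original post: a Python script that reads IOS-style running-config text and lists what needs review. The sample config is constructed (interface names and VLAN IDs are made up), and treating every trunk or Port-channel as a possible path to the DHCP server is an assumption of this sketch; WAN and Meraki-facing ports still need a manual check.

```python
import re

# Constructed sample running-config; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet0/1
 description DHCP server
 switchport mode access
 ip dhcp snooping trust
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/24
 description uplink towards DHCP server
 switchport mode trunk
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
"""

def audit_dhcp_snooping(config):
    """Return review findings for the DHCP snooping settings in IOS-style config text."""
    findings, stanzas, current = [], {}, None
    lines = [l.rstrip() for l in config.splitlines()]
    if "ip dhcp snooping" not in lines:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    if not any(re.match(r"ip dhcp snooping vlan \S", l) for l in lines):
        findings.append("global: no 'ip dhcp snooping vlan <vlan-id>' line")
    # Group indented lines under the 'interface <name>' header they follow.
    for line in lines:
        header = re.match(r"interface (\S+)", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    for name, body in stanzas.items():
        trusted = "ip dhcp snooping trust" in body
        uplink = "switchport mode trunk" in body or name.lower().startswith("port-channel")
        if uplink and not trusted:
            findings.append(f"{name}: trunk/EtherChannel untrusted; trust it if it leads to the DHCP server")
        elif trusted and not uplink:
            findings.append(f"{name}: trusted access port; confirm a DHCP server sits behind it")
    return findings

if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the trusted server port for confirmation and the untrusted uplink GigabitEthernet0/24, the case where clients behind that switch would stop receiving leases.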
The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks. It is highly recommended that you look at using this simple layer 2 security feature to protect your network.