Skip to main content

Layer 2 Security Features: DHCP SNOOPING

Image
By

DHCP Snooping is one of the security features operating at layer 2, it has to be applied in the access layer which directly serves the end hosts.DHCP snooping helps to mitigate the attacks from the rogue dhcp server to assign IP addresses to the endhosts. It should be enabled to meet the security compliance for the organization. Given below are the two scenarios discussed about those attacks. Scenario-1 is not the intention of the user to attack the network and Scenario-2 is a hacker attempting to steal the information.

Scenario-1:Company-A  has a  strict restricted policy for the employees personal laptops to connect to the network. User-A who recently joined in the organisation was not aware of the policy and connected his laptop to the network, immediately user-A laptop responding to the dhcp messages from other host because its configured with a dhcp server and started assigning the IP address of the core network, this leads to the major outage of the network because those IP addresses are conflicting with the core network IP address like SVI IP address in the core switches.

Scenario-2:Somehow a hacker entered into the organisation and started  dhcp starvation attack by connecting his laptop  to the network . DHCP starvation works by sending multiple dhcp requests with the fake source IP address to the legitimate dhcp server which cause the server to offer all the  IP addresses and cause the pool to depleted and it would cause no IP addresses to be available to serve the endhosts, now the rogue dhcp server will start offering the fake IP addresses with the gateway itself so all the traffic will divert to the hacker laptop which leads to the MITM attack to steal the information and to redirect to the fake websites. 


To protect the network from the above scenarios, dhcp snooping should be enabled in the switches. Trust and untrust are the two terms used in the dhcp snooping configuration. Trust should be enabled on the ports from where the dhcp server messages would receive - ex DHCP offer, dhcp ack and dhcp nack messages will receive from only the dhcp server so the associated port must be configured with the trust and untrust should be enabled on the ports where it is connected to the endhosts which would not work as a dhcp server. Given below are the examples of the dhcp snooping configuration in the switch.

Note: "ip dhcp snooping trust" command should be configured in the trust interface which is connected to the dhcp server and not mandatory to configure the other interfaces as an untrust interface, by default once you enable the ip dhcp snooping then all the interfaces are considered as an untrust interface.



To begin enabling DHCP snooping, use the global command ip dhcp snooping as shown in Figure 1.

Figure 1 Global enablement of DHCP snooping on a Cisco switch.

Next, configure the VLANs you want to protect, using the command ip dhcp snooping vlan 99. In Figure 2, we're monitoring only VLAN 99, but we could easily include a range or sequence of VLANs, as shown in Figure 3.

Figure 2 Single VLAN example.

Figure 3 Multiple VLAN example.

Finally, we need to tell the switch the port to which our trusted DHCP server is directly connected, as shown in Figure 4.

Figure 4 Trusted port configuration for a legitimate DHCP server.

That's it for a basic configuration on a Cisco switch. To verify proper operation, use the IOS command show ip dhcp snooping as shown in Figure 5.

Figure 5 Verification of proper DHCP snooping configuration.

When DHCP Snooping is enabled it will begin to build a dynamic database containing an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP Snooping enabled. No entries are created for hosts connected to trusted interfaces.

Each entry in the binding database contains the following information:

  • MAC address of the untrusted host
  • Leased IP address of the untrusted host
  • Lease time
  • Binding type

VLAN number & interface the untrusted host is associated with

As untrusted hosts are assigned IP addresses from the trusted DHCP server the switch will automatically create new entries, update and cleanup the DHCP Snooping Binding Database.

For example, when an IP address lease expires or the switch receives a DHCPRELEASE message from the untrusted host, it will remove the specific entry from the database. On the other hand an entry will be created in the database if the switch sees a DHCPACK message from the trusted DHCP server acknowledging the assignment of an IP address to an untrusted host.

The show ip dhcp snooping binding command displays all entries inside the DHCP Snooping Binding Database:


Cat3560-Switch# show ip dhcp snooping binding


MacAddress                IpAddress          Lease(sec)       Type            VLAN    Interface

------------------                ---------------            ----------          -------------        ----      --------------------

D0:76:58:0C:BB:80    192.168.3.50         85228         dhcp-snooping     4       GigabitEthernet0/5


Total number of bindings: 1

 The DHCP Snooping Binding Database is also used by other Layer2/3 security features such as Dynamic ARP Inspection which help protect the network against ARP Poisoning & ARP Spoofing attacks.


Labels:

Popular posts from this blog

UPGRADING EOS in the ARISTA Switches

By
UPGRADING EOS in the ARISTA Switches: EOS is the Firmware for Arista Switches whereas IOS for Cisco. This blog post shows the detailed procedures to follow and to upgrade the EOS in the Arista Switches. This Post was supports for any platform or the Version you are going to upgrade in the Arista Switches. This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process PRE-UPGRADING-PROCESS: 1       1)        Check the Upgrade Path tool by clicking the below link. https://www.arista.com/en/support/mlag-portal/mlaglist and confirm it is in mlag issu compatible 2)       Check if the  STP agent is restartable by giving the command switch-1# show spanning-tree bridge detail | grep agent Stp agent restartable                      :            True NOTE :    A switch can continue supporting MLAG when its peer is offline if the STP agent is restartable. When one peer is offline, data traffic flows from the devices through the
Read more

DIFFERENCE BETWEEN THE LAN AND WAN (local area network ,wide area network

By
Improve The other difference between LAN and WAN, is the speed of the network . The maximum speed of a LAN can be 1000 megabits per second, while the speed of a WAN can go up to 150 megabits per second. This means the speed of a WAN, is one-tenth of the speed of a LAN. A WAN is usually slower because it has lower bandwidth. Computers in a LAN can share a printer, if they are all in the same LAN. On the other hand, a WAN cannot share a printer, so a computer in one country cannot use a printer in another country. A LAN does not need a dedicated computer to direct traffic to and from the Internet, unlike a WAN that needs a special-purpose computer, whose only purpose is to send and receive data from the Internet. Another LAN vs. WAN comparison is the cost of the network. A WAN is more expensive than a LAN. It is easier to expand a LAN than a WAN. The equipment needed for a LAN is a network interface card (NIC), a switch and a hub. On the other hand, the equipment needed to connec
Read more

FORTIGATE ACTIVE PASSIVE UPGRADE

By
FORTIGATE ACTIVE PASSIVE UPGRADE : This blog post shows the detailed procedures to follow and to upgrade the firmware in the Fortigate Firewall. This Post was supports for any platform or the Version you are going to upgrade in the Fortigate Firewall This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process PRE UPGRADE STEPS: 1   1)     Go to the below website and check the Upgrade Path https://docs.fortinet.com/upgrade-tool 2)        Next Login to the Fortigate Console and check the HA Status ( it is to be In sync and higher Priority enabled for the required primary device) 3)        Login to the Console and give the command Config global – get sys ha status Also check session pickup is in enable to avoid session interruptions in failover. 4)        Download all the Firmware’s and the md5 files in the list and check with the software MD5sum.exe to avoid the download errors. NOTE : Must and should configuration backup have t
Read more