This is a new format of blog post I’m trying out. The idea is to put key points about a technology into easily digestible bullet points. I’ll draw from textbook knowledge and real-world experience to sum up the “what” and the “why”. If you know “what” and “why”, the “how” becomes an exercise in syntax which you can look up, so I probably won’t belabor individual coding steps as much. I might also toss in a few things I learned from real-world deployments.
This overview of DHCP snooping is in the context of Cisco Catalyst switches running IOS, although I suspect DHCP snooping in other vendors’ switches will function similarly.
1. What is DHCP snooping? DHCP snooping is a layer 2 security feature built into the operating system of a capable network switch that drops DHCP traffic it determines to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used to mount man-in-the-middle or denial-of-service attacks. However, the most common DoS scenario is that of an end-user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.
2. What traffic will DHCP snooping drop?
- DHCP snooping will drop DHCP messages from a DHCP server that is not trusted. Trusted DHCP servers are identified by configuring a switchport’s DHCP snooping trust state. DHCP server messages can flow through switchports that have a DHCP snooping trusted state. DHCP server messages will be dropped if attempting to flow through a switchport that is not trusted.
- DHCP messages where the frame's source MAC address and the embedded client hardware address (chaddr) do not match will also be dropped, although this check can be defeated, and badly written vendor IP stacks trip it with surprising frequency; the most common scenario is a DHCP request for one interface being forwarded out another interface on the same device.
- DHCP snooping will also drop messages that release a lease or decline an offer, if the release or decline message is received on a switchport other than the port that the original DHCP conversation was held. This prevents a third party from terminating a lease or declining a DHCP offer on behalf of the actual DHCP client.
3. How does DHCP snooping track information? DHCP snooping stores its observations in a binding database containing the client MAC address, the DHCP-assigned IP address, the remaining lease time, the VLAN, and the switchport. The database is a simple flat file that can be stored in device flash. However, flash is limited in size; as such, it is considered best practice to store the DHCP snooping database off-box in a remote location, such as a TFTP server. Storing the database off-box also guarantees that it survives a catastrophic switch failure. In the Cisco IOS realm, note that other switch security services such as IP source guard (IPSG) and dynamic ARP inspection (DAI) use the DHCP snooping database, although it is possible to configure IPSG and DAI to function using static entries.
4. What happens when a DHCP snooping violation occurs? When the DHCP snooping service detects a violation, the packet is dropped, and a message is logged that includes the text “DHCP_SNOOPING”. If your switch is configured to send logs to a syslog server, you could consider escalating DHCP snooping alerts, as certain kinds of violations warrant further investigation.
- %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL messages are potentially safe to ignore. This message indicates that the frame's source MAC address and the embedded client hardware address in a DHCP request differ, and seems to be unfortunately common. If you see these, consider investigating a few of them to verify that the issue is indeed a poor vendor DHCP client or IP forwarding implementation, and determine your policy going forward.
- %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT messages are, in my opinion, serious business. These messages indicate that a client is being spoofed, or worse (and more likely), a rogue DHCP server is in operation.
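The escalation policy from the two bullets above, applied to a batch of syslog lines. This is an added example, not code from the original post or from Cisco; the log lines are constructed for the example and follow the general layout of IOS %DHCP_SNOOPING messages (the exact wording varies by release, so the parser keys only on the mnemonic and on whatever "key: value" fields it can find). The `PRIORITY` mapping and the helper names are this example's own.

```python
"""Triage Catalyst DHCP snooping syslog messages into escalate / sample / review."""
import re
from collections import Counter

# Policy as described in the post: untrusted-port drops point at a rogue
# server (or spoofing) and are escalated; chaddr/source-MAC mismatches are
# usually a broken client stack, so only a sample is investigated.
PRIORITY = {
    "DHCP_SNOOPING_UNTRUSTED_PORT": "escalate",
    "DHCP_SNOOPING_MATCH_MAC_FAIL": "sample",
}

# %DHCP_SNOOPING-<severity>-<mnemonic>: <free text with key: value fields>
MNEMONIC_RE = re.compile(r"%DHCP_SNOOPING-(\d)-(\w+):\s*(.*)")
FIELD_RE = re.compile(
    r"(message type|chaddr|MAC sa|MAC da|vlan|interface)\s*:\s*([^,]+)", re.I
)

# Constructed sample log (not from a real device). Host and sequence
# numbers are made up; the last line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Mar 3 09:12:01 closet1 210: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0011.2233.4455, MAC sa: 0011.2233.4466
Mar 3 09:12:07 closet1 211: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0050.5600.aa01
Mar 3 09:12:09 closet1 212: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0050.5600.aa01
Mar 3 09:13:00 closet1 213: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
"""


def parse_line(line):
    """Return a dict for a DHCP_SNOOPING message, or None for anything else."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    severity, mnemonic, rest = m.groups()
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(rest)}
    return {
        "severity": int(severity),
        "mnemonic": mnemonic,
        "action": PRIORITY.get(mnemonic, "review"),  # unknown mnemonics still get eyes
        **fields,
    }


def triage(text):
    """Parse a log batch; return all snooping events plus a count of
    source MACs behind escalated (untrusted-port) drops.

    A server-side message type (OFFER/ACK/NAK) repeated from one source MAC
    on an untrusted port is the classic rogue-router signature, so the
    counter is what an analyst would look at first.
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    escalated = [e for e in events if e["action"] == "escalate"]
    suspects = Counter(e.get("mac sa", "unknown") for e in escalated)
    return events, suspects


if __name__ == "__main__":
    events, suspects = triage(SAMPLE_LOG)
    for e in events:
        print(f"{e['action']:8} {e['mnemonic']:32} {e.get('message type', '?'):13} sa={e.get('mac sa', '?')}")
    for mac, n in suspects.most_common():
        print(f"ESCALATE: {n} server message(s) dropped from {mac} on an untrusted port")
```

Feeding the switch's syslog stream through `triage` (rather than the embedded sample) gives a per-MAC count that you can hand to a SIEM rule; the `review` bucket catches mnemonics this table does not know about so they are not silently dropped.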
5. Where should I deploy DHCP snooping? From a network design perspective, DHCP snooping is an access layer security feature. Therefore, DHCP snooping’s most likely positioning is that of wiring closet switches or IDFs, but any switch containing access ports in a VLAN serviced by DHCP is a potential candidate. When deploying DHCP snooping, you need to set up the trusted ports (the ports through which legitimate DHCP server messages will flow) before enabling DHCP snooping on the VLAN you wish to protect. This is most often the uplink from the access layer switch to the next layer up, probably your core or aggregation layer if you’re still using the traditional layered design the vast majority of purposefully engineered campus networks have in place today. Note that if you are using layer 3 uplinks to your access layer as opposed to layer 2 802.1q trunks, the layer 3 uplinks will relay DHCP server messages without being defined as trusted.
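The deployment rules in sections 2, 3 and 5 (trust the legitimate server path before enabling snooping on a VLAN, keep MAC verification on, store the binding database off-box, and remember that a routed uplink relays server messages without being trusted) can be checked mechanically against a running-config. This is an added example, not code from the original post or from Cisco. The IOS commands inside the sample are standard IOS syntax; the sample configuration, its interface names and addresses are constructed, and the audit rules and helper names are this example's own.

```python
"""Audit a Catalyst IOS running-config excerpt for DHCP snooping readiness."""
import re

# Constructed sample modelled on a wiring-closet switch (not a real device).
# It deliberately has MAC verification turned off so the audit has something to report.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping verify mac-address
ip dhcp snooping database tftp://192.0.2.10/closet1-snoop.db
!
interface GigabitEthernet1/0/48
 description layer 2 trunk to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/47
 description routed (layer 3) uplink
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
"""


def parse_config(text):
    """Split a config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(text):
    """Return a list of (level, message) findings; an empty list means no issues found."""
    findings = []
    global_lines, interfaces = parse_config(text)
    gset = set(global_lines)

    snoop_vlans = set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            snoop_vlans |= expand_vlans(m.group(1))

    if "ip dhcp snooping" not in gset:
        findings.append(("HIGH", "global 'ip dhcp snooping' missing; per-VLAN lines have no effect"))
    if not snoop_vlans:
        findings.append(("HIGH", "no 'ip dhcp snooping vlan' configured; nothing is protected"))
    if "no ip dhcp snooping verify mac-address" in gset:
        findings.append(("MEDIUM", "chaddr / source-MAC verification is disabled"))

    # Off-box database: any remote URL scheme IOS accepts for the database agent.
    remote_db = re.compile(r"ip dhcp snooping database (tftp|ftp|scp|http|https|rcp)://")
    if not any(remote_db.match(l) for l in global_lines):
        findings.append(("LOW", "binding database is not stored off-box (flash or none)"))

    trusted = [n for n, sub in interfaces.items() if "ip dhcp snooping trust" in sub]
    routed = [n for n, sub in interfaces.items() if "no switchport" in sub]
    if snoop_vlans and not trusted and not routed:
        findings.append(("HIGH", "no trusted port and no routed uplink; legitimate DHCP offers will be dropped"))

    # A trusted port should be the server path, not an end-user access port.
    for n in trusted:
        if "switchport mode access" in interfaces[n]:
            findings.append(("MEDIUM", f"{n}: trusted access port; any device plugged in there may act as a DHCP server"))
    return findings


if __name__ == "__main__":
    for level, msg in audit(SAMPLE_CONFIG):
        print(f"[{level}] {msg}")
```

Run it over `show running-config` output saved from each access switch before enabling snooping on a new VLAN; the HIGH finding for "no trusted port and no routed uplink" is exactly the outage the post warns about when the VLAN is enabled before the uplink is trusted.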
- Understanding DHCP Snooping (Cisco Catalyst 3560X/3750X Official IOS 15.0(2)SE Documentation)
- CCNP Studies: Configuring DHCP Snooping (PacketPushers.net)
- Understanding DHCP Snooping for Port Security on EX-series Switches (Juniper Networks Technical Documentation)