
Preventing Rogue DHCP Servers Using DHCP Snooping Tutorial

### Preventing Rogue DHCP Servers Using DHCP Snooping

Dynamic Host Configuration Protocol (DHCP) snooping is a switch security feature that guards a network against rogue DHCP servers. With DHCP snooping configured on your switches, only DHCP servers reachable through ports you have marked as trusted can hand out leases. That blocks the classic rogue-server attack, in which an attacker answers clients' DHCP requests with a malicious default gateway or DNS server and thereby puts themselves in a man-in-the-middle position. The binding table DHCP snooping builds along the way is also what IP Source Guard and Dynamic ARP Inspection consult, so it is the foundation for defending against IP and ARP spoofing as well.

This tutorial will guide you through the steps to configure DHCP snooping on a Cisco switch, along with relevant terminal commands and examples.

#### Understanding DHCP Snooping

DHCP snooping classifies every switch port as trusted or untrusted. Trusted ports are those that lead toward legitimate DHCP servers: the server's own port and any uplink or trunk toward it. Untrusted ports connect to end-user devices. Server-side messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted port are dropped, so a rogue server plugged into an access port can answer nobody. Client messages on untrusted ports are checked too: by default the switch drops a packet whose DHCP client hardware address (chaddr) does not match the frame's source MAC address, and it drops a DHCPRELEASE or DHCPDECLINE arriving on a port other than the one that holds the lease. From the exchanges it does allow, the switch builds a binding database recording, per client, the MAC address, the leased IP address, the lease time, the VLAN and the port.
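The following is an added illustration, not Cisco code or code from this page: a small Python model of the per-packet decision described above. Port names, MAC addresses, the sample packets and the simplified rule set are all assumptions; it runs a legitimate lease and three attacks through one switch and shows which verdicts come out and what ends up in the binding table.

```python
"""Toy model of the per-packet decision DHCP snooping makes on a switch.

Added illustration, not Cisco code. Port names, MAC addresses and the exact
rule set are simplified assumptions that follow the behaviour described above.
"""
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2                                             # BOOTP 'op' field
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7  # option 53
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass
class DhcpPacket:
    op: int                    # BOOTREQUEST (client) or BOOTREPLY (server)
    msg_type: int              # DHCP message type, option 53
    src_mac: str               # Ethernet source address of the frame
    chaddr: str                # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"    # address the server hands out
    giaddr: str = "0.0.0.0"    # relay agent address; zero unless a relay is in the path
    lease: int = 0             # option 51, seconds


@dataclass
class Binding:
    ip: str
    vlan: int
    port: str
    lease: int


class SnoopingSwitch:
    """Trusted-port set plus the binding database of one switch."""

    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac   # 'ip dhcp snooping verify mac-address', on by default
        self.bindings = {}             # (vlan, client mac) -> Binding
        self._pending = {}             # (vlan, client mac) -> port the REQUEST came in on

    def handle(self, pkt, vlan, port):
        """Return the verdict for one DHCP packet seen on (vlan, port)."""
        mac = pkt.chaddr.lower()
        if port in self.trusted:
            # Trusted ports are not filtered; server ACKs are used to learn bindings.
            if pkt.msg_type == ACK and pkt.yiaddr != "0.0.0.0":
                client_port = self._pending.pop((vlan, mac), None)
                if client_port is not None:
                    self.bindings[(vlan, mac)] = Binding(pkt.yiaddr, vlan, client_port, pkt.lease)
                    return "forward: binding learned"
            return "forward"
        # Untrusted port: only well-formed client messages get through.
        if pkt.op == BOOTREPLY or pkt.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.verify_mac and pkt.src_mac.lower() != mac:
            return "drop: chaddr does not match frame source MAC"
        if pkt.giaddr != "0.0.0.0":
            return "drop: relay agent address set on untrusted port"
        if pkt.msg_type in (RELEASE, DECLINE):
            owner = self.bindings.get((vlan, mac))
            if owner is None or owner.port != port:
                return "drop: release/decline from a port that does not hold the lease"
            del self.bindings[(vlan, mac)]
            return "forward: binding removed"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self._pending[(vlan, mac)] = port
        return "forward"


def demo():
    """Run a legitimate lease and three attacks through one switch; return verdicts and bindings."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})   # Gi1/0/1 leads to the real DHCP server
    victim, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    verdicts = [
        # 1. Legitimate exchange: REQUEST on an access port, ACK back on the trusted port.
        sw.handle(DhcpPacket(BOOTREQUEST, REQUEST, victim, victim), 10, "Gi1/0/2"),
        sw.handle(DhcpPacket(BOOTREPLY, ACK, server, victim, yiaddr="10.0.10.50", lease=86400),
                  10, "Gi1/0/1"),
        # 2. Rogue server on an access port answers the client.
        sw.handle(DhcpPacket(BOOTREPLY, OFFER, rogue, victim, yiaddr="10.0.10.200"), 10, "Gi1/0/3"),
        # 3. Starvation: REQUESTs with forged chaddr values behind one real source MAC.
        sw.handle(DhcpPacket(BOOTREQUEST, REQUEST, rogue, "00:00:00:00:00:01"), 10, "Gi1/0/3"),
        # 4. Attacker spoofs the victim's MAC and tries to RELEASE its lease from another port.
        sw.handle(DhcpPacket(BOOTREQUEST, RELEASE, victim, victim), 10, "Gi1/0/3"),
    ]
    return verdicts, sw.bindings


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

Note what the model does not catch: case 3 is dropped only because the forged chaddr differs from the frame's source MAC. An attacker who also rewrites the source MAC per request passes the MAC check, which is why rate limiting (step 7) and port security exist alongside snooping.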

### Steps to Configure DHCP Snooping

#### 1. Enable DHCP Snooping Globally

To start, enable DHCP snooping on the switch from global configuration mode. On its own this command enforces nothing; the next step selects the VLANs it applies to.

```plaintext
Switch# configure terminal
Switch(config)# ip dhcp snooping
```

#### 2. Enable DHCP Snooping for Specific VLANs

After enabling DHCP snooping globally, you need to specify which VLANs will be protected by this feature.

```plaintext
Switch(config)# ip dhcp snooping vlan 10
```

Replace `10` with the VLAN ID you want protected. The command also accepts a list or a range, for example `ip dhcp snooping vlan 10,20` or `ip dhcp snooping vlan 10-20`. Snooping is enforced only in the VLANs you list here.

#### 3. Configure Trusted Ports

Next, designate the port connected to your legitimate DHCP server as trusted. The switch does not filter DHCP messages on trusted ports, so server replies can reach clients. Every port on the path toward the server needs this: if the server (or the DHCP relay that forwards to it) sits behind another switch or router, the uplink or trunk toward it must be trusted too, otherwise the switch drops the DHCPOFFER and DHCPACK and clients in the VLAN stop getting addresses.

```plaintext
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
```

Replace `gigabitethernet 1/0/1` with the actual interface connected to your DHCP server (or the uplink toward it).

One caveat specific to Cisco switches: once DHCP snooping is enabled, the switch inserts DHCP option 82 (the relay agent information option) into client requests by default while leaving the giaddr field at zero. A Cisco relay or upstream switch that does not trust the source of such packets drops them. If clients stop getting leases after you enable snooping, either turn insertion off with `no ip dhcp snooping information option` in global configuration mode, or have the relay accept them with `ip dhcp relay information trust-all`.

#### 4. Configure Untrusted Ports

All other ports are untrusted by default. If a port was previously marked trusted, return it to untrusted with:

```plaintext
Switch(config)# interface gigabitethernet 1/0/2
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# exit
```

This explicitly sets the interface to untrusted. You can skip this step for ports you never trusted, since untrusted is the default. To check a port's trust state, use `show ip dhcp snooping` (step 5), whose output lists each interface with its trust setting; the configuration commands above change the state rather than report it.

#### 5. Verify DHCP Snooping Configuration

After setting up DHCP snooping, verify the configuration to ensure it is working as intended.

```plaintext
Switch# show ip dhcp snooping
```

This command displays whether DHCP snooping is enabled globally, the VLANs on which it is enabled and operational, whether option 82 insertion is on, and each configured interface with its trust state and rate limit. Confirm that the server port (and any uplink toward the server) appears as trusted and that no access port does.

#### 6. Display DHCP Snooping Binding Database

To view the DHCP binding database that tracks which IP addresses are assigned to which MAC addresses, use the following command:

```plaintext
Switch# show ip dhcp snooping binding
```

This outputs one line per lease with the client's MAC address, IP address, remaining lease time in seconds, the entry type (`dhcp-snooping` for learned entries), the VLAN and the interface. The table lives in memory and is lost on reload unless you configure `ip dhcp snooping database` with a flash or TFTP location to persist it; that matters because IP Source Guard and Dynamic ARP Inspection rely on these entries, and clients holding valid leases would be cut off after a reboot until they renew.

#### 7. Configure Rate Limiting (Optional)

To further enhance security, you can implement rate limiting on untrusted ports to mitigate DHCP starvation attacks. This restricts the number of DHCP requests that can be sent per second.

```plaintext
Switch(config)# interface gigabitethernet 1/0/2
Switch(config-if)# ip dhcp snooping limit rate 10
Switch(config-if)# exit
```

This limits the interface to 10 DHCP packets per second, which is generous for a single client. When the rate is exceeded the switch puts the port into the err-disabled state; if you want it to recover on its own after the default interval, add `errdisable recovery cause dhcp-rate-limit` in global configuration mode. Apply rate limits to untrusted access ports only: a trusted port or a trunk aggregates many clients' traffic and would trip a low limit under normal load.

#### 8. Enable Logging (Optional)

For better monitoring, make sure DHCP snooping events reach your logs. Cisco IOS has no DHCP-snooping-specific log level: when the switch drops a DHCP packet it raises a syslog message from the `DHCP_SNOOPING` facility, for example `%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT`, which names the dropped message type, the source MAC and the interface, and a severity 4 warning when a port exceeds its rate limit. These are severity 4 and 5 messages, so they only need a syslog destination and a trap level that includes them:

```plaintext
Switch(config)# logging host 192.0.2.10
Switch(config)# logging trap informational
```

Replace `192.0.2.10` with your syslog collector. The default trap level is already informational (severity 6), so the second command simply guards against someone having lowered it. An `UNTRUSTED_PORT` message for a DHCPOFFER is the signature of a rogue server: the MAC address and interface it reports tell you where to go looking.
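As an added example covering steps 1 to 8 together (not code from this page or from Cisco), the Python below audits a Cisco IOS running-config for the settings the steps establish. The sample configuration is constructed and carries two deliberate gaps; the policy it checks (trunks toward the DHCP server trusted, untrusted access ports rate-limited and in a snooped VLAN, bindings persisted, option 82 handled) is an assumption that mirrors the steps above, and the finding texts are the author's own wording.

```python
"""Audit a Cisco IOS running-config for the DHCP snooping settings covered above.

Added example, not Cisco tooling. The sample config is constructed, and the
policy it checks (trunks toward the servers trusted, untrusted access ports
rate-limited and in a snooped VLAN, bindings persisted, option 82 handled) is
an assumption that mirrors steps 1 to 8.
"""
import re

# Constructed sample: the finished configuration from the steps above, with two
# deliberate gaps (Gi1/0/3 is in VLAN 30 and unlimited; the Gi1/0/24 trunk
# toward the core, through which other VLANs reach their DHCP server, was
# never trusted).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping
errdisable recovery cause dhcp-rate-limit
!
interface GigabitEthernet1/0/1
 description local DHCP server
 switchport access vlan 10
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/3
 switchport access vlan 30
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""


def parse(config):
    """Split an IOS config into global lines and {interface name: [its lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}, the list/range syntax 'ip dhcp snooping vlan' accepts."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit(config):
    """Return a list of findings; an empty list means the policy is satisfied."""
    global_lines, interfaces = parse(config)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: 'ip dhcp snooping' is missing, so nothing is enforced")
    snooped = set()
    for line in global_lines:
        match = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if match:
            snooped |= expand_vlans(match.group(1))
    if not any(ln.startswith("ip dhcp snooping database ") for ln in global_lines):
        findings.append("global: no 'ip dhcp snooping database', bindings are lost on reload")
    if "no ip dhcp snooping information option" not in global_lines:
        findings.append("global: option 82 insertion is enabled; the relay must trust it")
    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        trunk = "switchport mode trunk" in lines
        limited = any(ln.startswith("ip dhcp snooping limit rate ") for ln in lines)
        access = [int(ln.split()[-1]) for ln in lines if ln.startswith("switchport access vlan ")]
        if trunk and not trusted:
            findings.append(f"{name}: trunk is untrusted, server replies arriving here are dropped")
        if not trunk and not trusted:
            for vlan in access:
                if vlan not in snooped:
                    findings.append(f"{name}: access VLAN {vlan} is not covered by 'ip dhcp snooping vlan'")
            if not limited:
                findings.append(f"{name}: untrusted access port has no 'ip dhcp snooping limit rate'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from each access switch and you get the three misconfigurations that most often break or hollow out DHCP snooping in practice: a VLAN that was never listed, an uplink that was never trusted, and an access port with no rate limit.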

### Conclusion

By following these steps you can stop rogue DHCP servers from operating within your network. With snooping enabled in the right VLANs, the server port and the uplinks toward it trusted, and every access port left untrusted, only your legitimate DHCP servers can assign addresses, and clients are no longer at the mercy of whoever plugs a server into a spare port.

Regularly review the DHCP binding database and the `DHCP_SNOOPING` syslog messages: a dropped DHCPOFFER on an untrusted port is an event worth investigating, not noise. Persist the binding database so that IP Source Guard and Dynamic ARP Inspection, which build on it, survive a reload, and adapt the VLAN list, trusted ports and rate limits to the specific architecture of your network.


Thanks for reading: Preventing Rogue DHCP Servers Using DHCP Snooping Tutorial. Sorry, my English is bad :)


About the Author

I'm Aevon... Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
