Dhcp snooping

This article covers popular Layer 2 and Layer 3 network attacks with a focus on DHCP Starvation attacks, Man-in-the-Middle attacks and unintentional rogue DHCP servers, and explains how security features such as DHCP Snooping help protect networks from these attacks. We explain how DHCP Snooping works, cover DHCP Snooping terminology (trusted and untrusted ports/interfaces) and more. Finally we discuss the importance and purpose of the DHCP Snooping Binding Database, which is also used by Dynamic ARP Inspection to prevent ARP Poisoning and ARP Spoofing attacks.


Topics covered include:

DHCP Starvation Attack, Man-in-the-Middle Attack, DHCP Hijacking and Reconnaissance Attacks

A DHCP Starvation attack is a common network attack that targets the organization's DHCP servers. Its primary objective is to flood the DHCP server with DHCP DISCOVER and REQUEST messages, each carrying a different spoofed client MAC address. The DHCP server, not knowing this is a starvation attack, responds to every request and hands out available IP addresses until its DHCP pool is depleted.

At this point the attacker has rendered the organization's DHCP server useless and can enable his own rogue DHCP server to serve network clients. DHCP Starvation is therefore often the first stage of a Man-in-the-Middle attack: the rogue DHCP server distributes fake IP address parameters, including the default gateway and DNS server addresses, so that all client traffic passes through the attacker for inspection.

Typical Man-in-the-Middle attack. Client data streams flow through the attacker

Using packet capture and protocol analysis tools the attacker is able to fully reconstruct any captured data stream and export files from it. The process is so simple that it only requires a basic understanding of these types of network tools.

In other cases the Man-in-the-Middle position is used for reconnaissance, with the objective of obtaining information about the network infrastructure and its services, and of identifying hosts of high interest such as financial or database servers.

It should by now be evident how a simple attack can become a major security threat for any organization. The above attacks are examples of how easily an attacker can infiltrate the network and gain access to valuable information by simply connecting an unauthorized/untrusted device to an available network port, effectively bypassing firewalls and other layers of security.

Rogue DHCP Servers – A Major Security Threat and Source of Network Disruptions

Rogue DHCP servers are a common problem within enterprise organizations and are not always directly related to an attack. Rogue DHCP servers tend to appear out of nowhere thanks to users who connect consumer-grade network devices (a home router or wireless access point, for example) to the network infrastructure, unaware that they have connected an unauthorized device with a DHCP server enabled.

The rogue DHCP server then begins assigning IP addresses to hosts within the network, causing connectivity problems and in many cases major service disruptions. In the best case, DHCP clients are served an invalid IP address and are simply disconnected from the rest of the network. In the worst case, clients are assigned an IP address already used by network infrastructure devices, e.g. the VLAN interface on the core switch or a firewall interface, causing serious network disruptions and address conflicts.


While many organizations enforce security policies that do not allow third-party or unauthorized devices to be connected to their network, there are still incidents where users who do not understand (or care about) the security implications connect these devices to the network infrastructure without consulting their IT department.

Educating users and enforcing security policies can be extremely challenging, which is why security mechanisms need to be in place to mitigate these incidents. This is where DHCP Snooping comes into the picture.

DHCP Snooping Support for Cisco Catalyst and Nexus Switches. Licensing and Features

DHCP Snooping is available on both the Cisco Catalyst and Cisco Nexus switching platforms. Both platforms are classified as enterprise-grade switches and fully support all DHCP Snooping functions.

DHCP Snooping is considered a standard security feature and does not require any additional licensing on the older Catalyst IOS, the newer Catalyst IOS XE or the Nexus NX-OS operating systems; the feature is therefore available and readily configurable on all of these switches.

Examples of Cisco Catalyst switches that support DHCP Snooping are: Cisco Catalyst 2960S, 2960-X, 3560, 3750, 3750-X, 3850, 4500, 6500, 9300, 9400 and 9500 series.

Examples of Cisco Nexus switches that support DHCP Snooping are: Nexus 2000, 3000, 5000, 7000 and 9000 series.

DHCP Snooping is enabled globally and then on a per-VLAN basis. This means you can enable it for all VLANs or only for specific VLANs and VLAN ranges, e.g. VLANs 1-20 and VLANs 45-50 (on Catalyst IOS: ip dhcp snooping, followed by ip dhcp snooping vlan 1-20,45-50). Note that the global command alone does not activate the feature on any VLAN; both commands are required.

How DHCP Snooping Works – DHCP Snooping Concepts – Trusted, Untrusted Ports/Interfaces

DHCP Snooping is a Layer 2 switch security feature which blocks unauthorized (rogue) DHCP servers from distributing IP addresses to DHCP clients. Cisco was the first vendor to implement DHCP Snooping as a security feature in its network switches, and other vendors have since followed with similar features.


It is important to note that DHCP Snooping is an access layer protection service: it belongs on the switches where end hosts connect, not in the core network.

The way DHCP Snooping works is fairly straightforward. DHCP Snooping categorizes all switchports into two simple categories:

- Trusted Ports
- Untrusted Ports

A Trusted Port, also known as a Trusted Source or Trusted Interface, is a port or source whose DHCP server messages are trusted because it is under the organization's administrative control. For example, the port to which your organization's DHCP server connects is considered a Trusted Port, as are the uplinks towards the switch or router behind which the DHCP server sits (on Catalyst IOS, the interface command ip dhcp snooping trust). This is also shown in the diagram below:


An Untrusted Port, also known as an Untrusted Source or Untrusted Interface, is a port from which DHCP server messages are not trusted. A typical untrusted port is one to which hosts or PCs connect: DHCPOFFER, DHCPACK or DHCPNAK messages should never be seen arriving on such a port, as these are sent only by DHCP servers. All ports are untrusted by default once DHCP Snooping is enabled.

Traffic Dropped by DHCP Snooping, DHCP Snooping Violations - Syslog Messages

When DHCP Snooping is enabled the switch begins to drop specific types of DHCP traffic in order to protect the network from rogue DHCP servers. Here is a list of the traffic DHCP Snooping will drop:

- DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) originating from a DHCP server that is not trusted, that is, received on an untrusted port.
- DHCPRELEASE or DHCPDECLINE messages that do not originate from the port on which the original DHCP conversation was held (as recorded in the binding database). This stops attackers from terminating or declining a DHCP lease on behalf of the actual DHCP client.
- DHCP messages received on an untrusted port where the Ethernet source MAC address and the client hardware address (chaddr) in the DHCP payload are not identical (see DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL below). This check is on by default and can be disabled with no ip dhcp snooping verify mac-address.

Note that these checks alone do not stop a DHCP Starvation attack launched from an untrusted port: DHCPDISCOVER messages from clients are legitimate traffic and are forwarded. Starvation is mitigated by limiting the rate of DHCP packets per untrusted port (ip dhcp snooping limit rate) and by port security limiting the number of MAC addresses per port.

When DHCP Snooping detects a violation, the DHCP packet(s) triggering the event are dropped and a message is logged on the switch. The message will contain one of the following entries:

%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP Snooping has detected DHCP server messages from an untrusted port. This is a serious violation and usually points to a rogue DHCP server operating on an untrusted port.

%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: the source MAC address of the Ethernet frame and the client MAC address (chaddr) in the DHCP message must always match. A DHCP packet from an untrusted port in which they differ is dropped and logged with this message.

The IP DHCP Snooping Binding Database – Dynamic ARP Inspection

When DHCP Snooping is enabled the switch begins to build a dynamic database containing an entry for each untrusted host that holds a leased IP address, provided the host is in a VLAN that has DHCP Snooping enabled. No entries are created for hosts connected to trusted interfaces.

Each entry in the binding database contains the following information:

- MAC address of the untrusted host
- Leased IP address of the untrusted host
- Lease time
- Binding type
- VLAN number and interface the untrusted host is associated with

As untrusted hosts are assigned IP addresses by the trusted DHCP server, the switch automatically creates, updates and cleans up entries in the DHCP Snooping Binding Database.

For example, when an IP address lease expires, or the switch receives a DHCPRELEASE message from the untrusted host, it removes the specific entry from the database. Conversely, an entry is created when the switch sees a DHCPACK message from the trusted DHCP server acknowledging the assignment of an IP address to an untrusted host. Because the database lives in the switch's memory, it is lost on reload unless a database agent (ip dhcp snooping database) is configured to save it to flash or a remote server; without it, hosts holding a valid lease will be blocked by Dynamic ARP Inspection or IP Source Guard after a switch reboot until they renew.

The show ip dhcp snooping binding command displays all entries in the DHCP Snooping Binding Database:

Cat3560-bloginar.net# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
D0:76:58:0C:BB:80                    85228       dhcp-snooping  4     GigabitEthernet0/5
Total number of bindings: 1
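To make the trusted/untrusted filtering rules and the binding-table lifecycle described above concrete, here is a small Python model of what a DHCP-Snooping-enabled switch does with each DHCP message. This is an added example, not code from the original article or from Cisco's implementation: the port names, MAC addresses, 192.0.2.0/24 addresses and the log text following each syslog mnemonic are constructed for the example, and treating DHCPDECLINE like DHCPRELEASE (binding removed on either) is a simplification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_ONLY = {OFFER, ACK, NAK}           # only a DHCP server ever sends these


@dataclass
class DhcpFrame:
    """One DHCP message as the switch sees it (values constructed for the example)."""
    port: str                      # ingress switchport, e.g. "Gi0/5"
    vlan: int
    src_mac: str                   # Ethernet source address of the frame
    chaddr: str                    # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: Optional[str] = None   # address handed out in OFFER/ACK
    lease: int = 0                 # lease time in seconds (option 51)


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str
    expires: float
    type: str = "dhcp-snooping"


class DhcpSnoopingSwitch:
    def __init__(self, snooping_vlans, trusted_ports):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.client_port: Dict[Tuple[int, str], str] = {}  # port each untrusted client last spoke from
        self.log: List[str] = []

    def process(self, f: DhcpFrame, now: float = 0.0) -> bool:
        """Return True if the frame is forwarded, False if DHCP snooping drops it."""
        if f.vlan not in self.snooping_vlans:
            return True                                    # feature not enabled on this VLAN
        key = (f.vlan, f.chaddr.lower())
        if f.port in self.trusted:
            # Server messages on a trusted port are accepted; an ACK to a client that
            # spoke from an untrusted port creates (or refreshes) a binding.
            if f.msg_type == ACK and f.yiaddr and key in self.client_port:
                self.bindings[key] = Binding(key[1], f.yiaddr, f.lease, f.vlan,
                                             self.client_port[key], now + f.lease)
            return True
        # Everything below applies to untrusted ports only.
        if f.msg_type in SERVER_ONLY:
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
                            f"server message type {f.msg_type} on untrusted port {f.port}")
            return False
        if f.src_mac.lower() != f.chaddr.lower():
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: "
                            f"chaddr {f.chaddr} != source MAC {f.src_mac} on {f.port}")
            return False
        if f.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is None or b.port != f.port:              # not the port that holds the lease
                self.log.append(f"RELEASE/DECLINE for {f.chaddr} on {f.port} does not match binding; dropped")
                return False
            del self.bindings[key]                         # simplification: lease ends either way
            return True
        self.client_port[key] = f.port                     # DISCOVER/REQUEST/INFORM from a client
        return True

    def purge_expired(self, now: float) -> int:
        """Age out bindings whose lease has run out; returns how many were removed."""
        stale = [k for k, b in self.bindings.items() if b.expires <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def show_binding(self) -> List[Tuple[str, str, int, str, int, str]]:
        """Rows in the column order of 'show ip dhcp snooping binding'."""
        return [(b.mac, b.ip, b.lease, b.type, b.vlan, b.port) for b in self.bindings.values()]


def demo() -> dict:
    """Walk one legitimate lease and three attacks through the switch; returns the outcomes."""
    sw = DhcpSnoopingSwitch(snooping_vlans=[4], trusted_ports={"Gi0/1"})
    pc, srv, rogue = "d0:76:58:0c:bb:80", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    r = {}
    r["discover"] = sw.process(DhcpFrame("Gi0/5", 4, pc, pc, DISCOVER))
    r["offer"] = sw.process(DhcpFrame("Gi0/1", 4, srv, pc, OFFER, "192.0.2.50", 86400))
    r["request"] = sw.process(DhcpFrame("Gi0/5", 4, pc, pc, REQUEST))
    r["ack"] = sw.process(DhcpFrame("Gi0/1", 4, srv, pc, ACK, "192.0.2.50", 86400), now=100.0)
    r["bindings_after_ack"] = sw.show_binding()
    # Rogue server answering from an access port: its OFFER is dropped and logged.
    r["rogue_offer"] = sw.process(DhcpFrame("Gi0/9", 4, rogue, pc, OFFER, "192.0.2.99", 60))
    # Starvation-style DISCOVER whose chaddr does not match the frame's source MAC.
    r["spoofed_chaddr"] = sw.process(DhcpFrame("Gi0/9", 4, rogue, "02:00:00:00:00:01", DISCOVER))
    # Attacker on another port spoofs the PC's MAC and tries to RELEASE its lease.
    r["forged_release"] = sw.process(DhcpFrame("Gi0/9", 4, pc, pc, RELEASE))
    r["bindings_after_attacks"] = len(sw.bindings)
    r["expired"] = sw.purge_expired(now=100.0 + 86400)
    r["log"] = sw.log
    return r
```

Running demo() forwards the four legitimate messages, creates one binding for the PC on Gi0/5, drops the rogue OFFER, the chaddr-spoofed DISCOVER and the forged RELEASE (logging three violations), and ages the binding out once its 86400-second lease has elapsed.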

The DHCP Snooping Binding Database is also used by other Layer 2/3 security features such as Dynamic ARP Inspection and IP Source Guard, which help protect the network against ARP Poisoning / ARP Spoofing and IP address spoofing attacks.

IP DHCP Snooping configuration for Cisco Catalyst and Cisco Nexus switching platforms will be covered extensively in an upcoming technical article.

Dynamic ARP Inspection, ARP Poisoning and ARP Spoofing attacks will be covered in an upcoming security article.

DHCP Snooping Option 82 – Relay Agent Information

DHCP Option 82, aka the Relay Agent Information Option, was originally defined in RFC 3046 to allow a DHCP relay agent (e.g. a switch or router) to identify itself and the port/circuit from which the client's DHCP message was received. DHCP Option 82 is used in large metropolitan Ethernet access deployments where DHCP is required to centrally manage the IP addresses of a large number of subscribers.

When DHCP Snooping is enabled on a Cisco Catalyst or Nexus switch, it inserts the Option 82 field into the client's DHCP messages before forwarding them towards the server, and strips it from the server's replies before they are forwarded to the client (on Catalyst IOS this insertion is on by default and can be disabled with no ip dhcp snooping information option):


DHCP Option 82 is not often used within organizations, but it does provide an additional layer of protection if the DHCP server supports it. For example, the DHCP Server role on Windows Server 2012 or 2016 supports Option 82, allowing administrators to create DHCP Policies that control the assignment of IP addresses based on which switch (and port) a request came from. Note that a switch with DHCP Snooping enabled drops, by default, DHCP packets that already carry Option 82 when they arrive on an untrusted port (a client or rogue relay should never insert it); if an upstream switch legitimately inserts it, the receiving port must be trusted or ip dhcp snooping information option allow-untrusted must be configured.
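As an added example (not code from this article, nor Cisco's implementation), the following Python builds the Option 82 that a Catalyst switch inserts, parses it back out of a DHCP option area, strips it from a server reply, and applies the ingress trust rule described above. The sub-option layout (circuit-id = 0x00 0x04 VLAN/module/port, remote-id = 0x00 0x06 switch MAC) is the Cisco default layout as I understand it from Cisco's documentation and is assumed here; the sample client option bytes, VLAN, port and MAC values are constructed.

```python
import struct

OPT_RELAY_AGENT_INFO, OPT_END, OPT_PAD = 82, 255, 0
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes

# Constructed option area of a client DHCPDISCOVER (bytes after the magic
# cookie): option 53 = DISCOVER, option 55 = parameter request list, End.
CLIENT_OPTIONS = bytes([53, 1, 1, 55, 3, 1, 3, 6, OPT_END])


def build_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Option 82 in the Cisco default layout (assumed from Cisco documentation):
    circuit-id = 0x00 0x04 <vlan:2> <module:1> <port:1>, remote-id = 0x00 0x06 <switch MAC:6>."""
    circuit_id = b"\x00\x04" + struct.pack("!HBB", vlan, module, port)
    remote_id = b"\x00\x06" + bytes.fromhex(switch_mac.replace(":", ""))
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def _walk(options: bytes):
    """Yield (offset, code, value) for every TLV option up to and including End."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            yield i, code, b""
            return
        length = options[i + 1]
        yield i, code, options[i + 2:i + 2 + length]
        i += 2 + length


def parse_options(options: bytes) -> dict:
    """DHCP option area -> {code: raw value}, End excluded."""
    return {code: value for _, code, value in _walk(options) if code != OPT_END}


def parse_option82(value: bytes) -> dict:
    """Decode the sub-options back into VLAN/module/port and the switch MAC."""
    subs, i = {}, 0
    while i < len(value):
        sub_type, sub_len = value[i], value[i + 1]
        subs[sub_type] = value[i + 2:i + 2 + sub_len]
        i += 2 + sub_len
    info = {}
    cid = subs.get(SUB_CIRCUIT_ID, b"")
    if cid[:2] == b"\x00\x04" and len(cid) == 6:
        vlan, module, port = struct.unpack("!HBB", cid[2:])
        info["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
    rid = subs.get(SUB_REMOTE_ID, b"")
    if rid[:2] == b"\x00\x06" and len(rid) == 8:
        info["remote_id"] = ":".join(f"{b:02x}" for b in rid[2:])
    return info


def insert_option82(options: bytes, opt82: bytes) -> bytes:
    """Client -> server direction: the switch appends option 82 just before End."""
    end = next(off for off, code, _ in _walk(options) if code == OPT_END)
    return options[:end] + opt82 + options[end:]


def strip_option82(options: bytes) -> bytes:
    """Server -> client direction: the switch removes option 82 before forwarding the reply."""
    out = bytearray()
    for _, code, value in _walk(options):
        if code == OPT_END:
            out.append(OPT_END)
            break
        if code != OPT_RELAY_AGENT_INFO:
            out += bytes([code, len(value)]) + value
    return bytes(out)


def accept_on_ingress(options: bytes, giaddr_zero: bool, port_trusted: bool,
                      allow_untrusted: bool = False) -> bool:
    """Ingress rule of a snooping switch: on an untrusted port a non-zero giaddr (a relay
    where none should be) is dropped, and a packet that already carries option 82 is
    dropped unless 'ip dhcp snooping information option allow-untrusted' is configured."""
    if port_trusted:
        return True
    if not giaddr_zero:
        return False
    return allow_untrusted or OPT_RELAY_AGENT_INFO not in parse_options(options)


def demo() -> dict:
    opt82 = build_option82(vlan=4, module=0, port=5, switch_mac="00:1a:2b:3c:4d:5e")
    relayed = insert_option82(CLIENT_OPTIONS, opt82)
    info = parse_option82(parse_options(relayed)[OPT_RELAY_AGENT_INFO])
    reply = bytes([53, 1, 2]) + opt82 + bytes([OPT_END])   # server echoes option 82 in its OFFER
    return {
        "opt82_hex": opt82.hex(),
        "info": info,
        "dropped_untrusted": not accept_on_ingress(relayed, giaddr_zero=True, port_trusted=False),
        "allowed_untrusted": accept_on_ingress(relayed, True, False, allow_untrusted=True),
        "accepted_trusted": accept_on_ingress(relayed, giaddr_zero=True, port_trusted=True),
        "relay_on_untrusted": not accept_on_ingress(CLIENT_OPTIONS, giaddr_zero=False, port_trusted=False),
        "to_client": strip_option82(reply),
    }
```

demo() produces a 20-byte Option 82 (2-byte header plus an 8-byte circuit-id sub-option and a 10-byte remote-id sub-option), recovers VLAN 4 / port 5 and the switch MAC from it, shows the same packet being dropped on an untrusted port but accepted on a trusted one or with allow-untrusted, and returns the server reply with Option 82 removed.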


Analyzing the structure of DHCP Option 82 is outside this article's scope but will be covered in great depth in an upcoming article.

Read our article "DHCP Option 82 Message Format, Analysis. DHCP Snooping Option 82 Injection and Removal Method, Trusted – Untrusted Switch Ports" for an in-depth analysis of DHCP Option 82.


Man-in-the-Middle attacks and network disruptions caused by rogue DHCP servers are serious network security threats that organizations face on a daily basis. In this article we explained how Man-in-the-Middle attacks give attackers visibility into your network and can potentially expose sensitive data flowing between servers and clients. We explained what DHCP Snooping is, examined how it works and how it can effectively protect the network from these attacks. We looked at the types of traffic dropped by DHCP Snooping and the violation messages it logs, and explained the purpose and operation of the DHCP Snooping Binding Database. Finally we touched on DHCP Snooping Option 82.