© 2007 Cisco Systems, Inc. All rights reserved. SNRS v
Layer 2 Security
Configuring DHCP Snooping
DHCP Attacks
(Diagram: DHCP server; attacker on an untrusted port)
- DHCP requests with spoofed MAC addresses: attacker attempting to starve the DHCP server
- Attacker attempting to set up a rogue DHCP server
DHCP Snooping
(Diagram: rogue DHCP attacker, client, legitimate DHCP server)
- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping on uplinks to a DHCP server.
- Do not configure DHCP snooping on client ports.
Mitigating DHCP Attacks
Here are two ways to mitigate DHCP spoofing and starvation attacks:
- Port security
- DHCP snooping
Configuration Guidelines
- Globally enable first
- Not active until enabled on a VLAN
- Configure DHCP server and relay agent first
- Configure DHCP addresses and options first
- DHCP option 82 not supported if relay agent is enabled but snooping is disabled
Commands to Mitigate DHCP Starvation Attacks
(Diagram: Fa0/5 uplink to DHCP server; any port configured for unauthenticated access; VLAN 90)
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 90
switch(config)# interface FastEthernet 0/5
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate 300
switch(config-if)# end
Verifying DHCP Snooping
(Diagram: Fa0/5 uplink to DHCP server)
switch# show ip dhcp snooping
switch# show ip dhcp snooping binding
switch# show ip dhcp snooping binding
Examples
switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
90
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
FastEthernet0/5            yes        300
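As an added example (not part of the course material), a small Python checker that parses output in the layout of the show ip dhcp snooping example above and reports where the switch state departs from local policy: VLANs not covered, ports marked trusted that are not on the allow-list of DHCP server uplinks, and missing or excessive rate limits. The sample output and the extra interface FastEthernet0/7 are constructed, and the column layout is assumed from the slide.

```python
import re
# Constructed sample in the layout of the "show ip dhcp snooping" example above;
# FastEthernet0/7 is an assumed extra port added to show a policy violation.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
90
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/5            yes        300
FastEthernet0/7            yes        unlimited
"""

def parse_dhcp_snooping(output):
    """Parse 'show ip dhcp snooping' text (layout as on the slide) into a dict."""
    result = {"enabled": False, "vlans": set(), "option82": False, "interfaces": {}}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Switch DHCP snooping is"):
            result["enabled"] = line.rstrip().endswith("enabled")
        elif line.startswith("DHCP snooping is configured on following VLANs"):
            # VLAN list is on the next line: "90" or "10-20,90"; ranges are expanded
            vlan_text = lines[i + 1] if i + 1 < len(lines) else ""
            for part in vlan_text.replace(" ", "").split(","):
                lo, _, hi = part.partition("-")
                if lo.isdigit():
                    result["vlans"].update(range(int(lo), int(hi or lo) + 1))
        elif line.startswith("Insertion of option 82 is"):
            result["option82"] = line.rstrip().endswith("enabled")
        else:  # interface rows: name, trusted yes/no, rate limit in pps or "unlimited"
            m = re.match(r"^(\S+)\s+(yes|no)\s+(\d+|unlimited)\s*$", line)
            if m:
                rate = None if m.group(3) == "unlimited" else int(m.group(3))
                result["interfaces"][m.group(1)] = {"trusted": m.group(2) == "yes", "rate": rate}
    return result

def audit(parsed, expected_vlans, trusted_uplinks, max_rate):
    """Compare parsed state with local policy; an empty list means no findings."""
    findings = []
    if not parsed["enabled"]:
        findings.append("DHCP snooping not globally enabled")
    for vlan in sorted(expected_vlans - parsed["vlans"]):
        findings.append(f"VLAN {vlan} not covered by DHCP snooping")
    for name, info in parsed["interfaces"].items():
        if info["trusted"] and name not in trusted_uplinks:
            findings.append(f"{name} trusted but not a known DHCP server uplink")
        if info["rate"] is None or info["rate"] > max_rate:
            findings.append(f"{name} rate limit missing or above {max_rate} pps")
    return findings
```

Running audit(parse_dhcp_snooping(SAMPLE_OUTPUT), {90}, {"FastEthernet0/5"}, 300) reports FastEthernet0/7 twice: trusted without being a known uplink, and with no rate limit.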
Examples (Cont.)
switch# show ip dhcp binding
IP address   Hardware address   Lease expiration   Type
a de         Feb :00 AM         Automatic
switch# show ip dhcp binding
IP address   Hardware address   Lease expiration   Type
c7.f         Infinite           Manual
(By IP Address / By Subnet)
switch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address   Client-ID/          Lease expiration   Type
             Hardware address/
             User name
f.2d64.      Mar :36 AM          Automatic
656d d47. 4c4f c
Summary
- DHCP attacks are another type of Layer 2 (switch) attack.
- DHCP snooping is a DHCP security feature that provides network security.
- Two ways to mitigate DHCP attacks are port security and DHCP snooping.
- There are several guidelines for configuring DHCP snooping. You must first globally enable DHCP snooping.
- There are two commands given to verify DHCP snooping configuration and operation.