DHCP snooping is a security feature on switches. It filters out DHCP messages that are received on untrusted ports.

Note

DHCP snooping only filters DHCP messages, naturally. All other messages are unaffected.

All ports are untrusted by default. It is up to the engineers/administrators to configure which ports are trusted. Commonly, uplink ports are trusted and downlink ports are untrusted.

  • Uplink port - a port that leads to the DHCP server or relay agent
  • Downlink port - a port that leads towards end hosts

DHCP snooping can protect against DHCP starvation and DHCP poisoning attacks.

Operations

It may be helpful to review the common DHCP messages.

  • If a DHCP message is received on a trusted port, forward it without inspection.
  • If a DHCP message is received on an untrusted port, inspect it and do the following:
    • If it is a DHCP Server message (OFFER, ACK, or NAK), discard it.
    • If it is a DHCP Client message, perform these checks:
      • DISCOVER/REQUEST messages: Check if the frame’s source MAC address and the DHCP message’s CHADDR fields match.
        • Match = forward
        • Mismatch = discard
      • RELEASE/DECLINE messages: Check if the packet’s source IP address and the receiving interface match the entry in the DHCP Snooping Binding Table.
        • Match = forward
        • Mismatch = discard
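The inspection rules above, worked through as a small Python model. This is an added example, not code from the original notes or from any switch vendor: the interface names, MAC addresses and IP addresses are constructed, and the way the model learns binding-table entries (recording the port of a forwarded REQUEST, then adding the entry when the server's ACK comes back through a trusted port) is a simplifying assumption that matches the description in the Binding Table section.

```python
from dataclasses import dataclass, field

# DHCP message type codes (the value of option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpMessage:
    msg_type: int
    src_mac: str                 # Ethernet source MAC of the frame
    chaddr: str                  # CHADDR field inside the DHCP payload
    src_ip: str = "0.0.0.0"      # IP source of the packet (checked for RELEASE/DECLINE)
    yiaddr: str = "0.0.0.0"      # address the server hands out (OFFER/ACK)


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # interfaces configured as trusted
    bindings: dict = field(default_factory=dict)  # client IP -> (MAC, interface)
    pending: dict = field(default_factory=dict)   # MAC -> interface of its last REQUEST

    def inspect(self, iface: str, msg: DhcpMessage) -> str:
        """Return 'forward' or 'discard' for a DHCP message arriving on iface."""
        if iface in self.trusted:
            # Trusted ports are not filtered. A forwarded ACK completes a lease, so
            # this model uses it to populate the binding table (assumption).
            if msg.msg_type == ACK and msg.chaddr.lower() in self.pending:
                client_iface = self.pending.pop(msg.chaddr.lower())
                self.bindings[msg.yiaddr] = (msg.chaddr.lower(), client_iface)
            return "forward"

        if msg.msg_type in SERVER_MESSAGES:
            # Server messages never legitimately arrive on an untrusted port.
            return "discard"

        if msg.msg_type in (DISCOVER, REQUEST):
            # Frame source MAC must equal the CHADDR field.
            if msg.src_mac.lower() != msg.chaddr.lower():
                return "discard"
            if msg.msg_type == REQUEST:
                self.pending[msg.chaddr.lower()] = iface
            return "forward"

        if msg.msg_type in (RELEASE, DECLINE):
            # Source IP and receiving interface must match a binding-table entry.
            entry = self.bindings.get(msg.src_ip)
            if entry is None or entry[1] != iface:
                return "discard"
            if msg.msg_type == RELEASE:
                del self.bindings[msg.src_ip]   # the lease is over
            return "forward"

        return "forward"   # other client message types are outside this model


def run_demo() -> list:
    """Constructed sequence: Gi0/1 is the trusted uplink, Gi0/2 and Gi0/3 are hosts."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    client, other, server = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:99", "00:11:22:33:44:55"
    trace = [
        ("Gi0/2", DhcpMessage(DISCOVER, client, client)),                            # normal client
        ("Gi0/3", DhcpMessage(OFFER, other, other, yiaddr="10.0.0.50")),             # server msg on untrusted port
        ("Gi0/3", DhcpMessage(DISCOVER, other, "de:ad:be:ef:00:01")),                # CHADDR != source MAC
        ("Gi0/2", DhcpMessage(REQUEST, client, client)),
        ("Gi0/1", DhcpMessage(ACK, server, client, yiaddr="10.0.0.10")),             # lease completes
        ("Gi0/3", DhcpMessage(RELEASE, other, other, src_ip="10.0.0.10")),           # wrong interface
        ("Gi0/2", DhcpMessage(RELEASE, client, client, src_ip="10.0.0.10")),         # matches binding
    ]
    return [sw.inspect(iface, msg) for iface, msg in trace]


if __name__ == "__main__":
    print(run_demo())
```

The two discards on Gi0/3 are the two checks the notes describe: a server message on an untrusted port, and a client message whose CHADDR does not match the frame's source MAC. The RELEASE for 10.0.0.10 is only accepted from the interface recorded in the binding table.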

Binding Table

When a client successfully leases an IP address from a server, a new entry is created in this table.


Rate Limiting

DHCP Snooping can be used to limit the rate at which DHCP messages are allowed to enter an interface. If the rate exceeds some (configurable) limit, the interface is err-disabled. As with Port Security, the interface can then be re-enabled manually, or automatically with errdisable recovery (see Errdisable Recovery).

Rate limiting can help mitigate starvation attacks.
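A Python model of the rate-limit behaviour, added here as an example (not switch code): each interface gets a sliding one-second window, the interface is err-disabled when the window holds more messages than the configured limit, and an optional errdisable recovery interval re-enables it. Timestamps are passed in explicitly, so the burst below is constructed rather than measured, and the interface name and limits are assumptions.

```python
from collections import deque
from typing import Deque, Dict, Optional


class DhcpRateLimiter:
    """Per-interface DHCP message rate limit with err-disable and recovery."""

    def __init__(self, limit_pps: int, recovery_interval: Optional[float] = None):
        self.limit_pps = limit_pps
        self.recovery_interval = recovery_interval     # None = manual re-enable only
        self.window: Dict[str, Deque[float]] = {}      # iface -> arrival times (last 1 s)
        self.errdisabled: Dict[str, float] = {}        # iface -> time it was disabled

    def receive(self, iface: str, now: float) -> str:
        """Account for one DHCP message arriving on iface at time now (seconds)."""
        if iface in self.errdisabled:
            disabled_at = self.errdisabled[iface]
            if self.recovery_interval is None or now < disabled_at + self.recovery_interval:
                return "dropped (err-disabled)"
            self.reenable(iface)    # errdisable recovery timer has expired

        q = self.window.setdefault(iface, deque())
        while q and now - q[0] >= 1.0:   # forget arrivals older than one second
            q.popleft()
        q.append(now)
        if len(q) > self.limit_pps:
            self.errdisabled[iface] = now
            q.clear()
            return "err-disabled"
        return "accepted"

    def reenable(self, iface: str) -> None:
        """Manual 'shutdown / no shutdown' or automatic errdisable recovery."""
        self.errdisabled.pop(iface, None)
        self.window.pop(iface, None)


def run_demo() -> list:
    """Constructed burst: four messages within 0.3 s against a limit of 3 per second,
    one more while err-disabled, then one after the 30 s recovery interval."""
    limiter = DhcpRateLimiter(limit_pps=3, recovery_interval=30.0)
    times = [0.0, 0.1, 0.2, 0.3, 0.4, 30.5]
    return [limiter.receive("Gi0/2", t) for t in times]


if __name__ == "__main__":
    print(run_demo())
```

The fourth message trips the limit and the fifth is dropped because the port is err-disabled; the message at 30.5 s is accepted again because recovery was configured. With recovery_interval left as None the port stays down until reenable() is called, which is the manual case the notes mention.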


Option 82 (Information Option)

There are many optional fields that can be included in DHCP messages. Option 82, also known as the ‘DHCP relay agent information option’, is one such option.

Option 82 provides additional information about which DHCP relay agent received the client’s message, on which interface, in which VLAN, etc. Typically, this option is added by relay agents to messages they are forwarding to a remote DHCP server.

However, when DHCP snooping is enabled, by default all Cisco switches will add Option 82 to all messages they receive from clients, even if they aren’t acting as a relay agent. Furthermore, Cisco switches will drop DHCP messages with Option 82 that are received on an untrusted port.

You can stop devices from adding Option 82 to DHCP messages with this command:

  • (config)#no ip dhcp snooping information option
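The Option 82 handling described above, as an added Python example (not code from the notes or from Cisco): a small parser for the code/length/value layout of the DHCP options area, a builder for Option 82 with its circuit-id and remote-id sub-options, and the two default behaviours, dropping a client message that already carries Option 82 on an untrusted port and otherwise inserting it, with a flag standing in for ‘no ip dhcp snooping information option’. The sample options bytes, circuit-id and remote-id values are constructed.

```python
OPTION_PAD, OPTION_END = 0, 255
OPTION_MESSAGE_TYPE = 53
OPTION_RELAY_AGENT_INFO = 82           # the relay agent information option
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlv(raw: bytes, stop_at_end: bool) -> dict:
    """Parse code/length/value triples into {code: value}. The top-level options
    area uses PAD (0) and END (255) markers; the sub-options inside Option 82 do not."""
    out = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if stop_at_end and code == OPTION_PAD:
            i += 1
            continue
        if stop_at_end and code == OPTION_END:
            break
        length = raw[i + 1]
        out[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82 carrying a circuit-id (sub-option 1) and remote-id (sub-option 2)."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def snoop_client_options(raw_options: bytes, untrusted_port: bool,
                         information_option: bool, circuit_id: bytes, remote_id: bytes):
    """Apply the default behaviour to the options area of a client message.
    information_option=False models 'no ip dhcp snooping information option'.
    Returns (action, options) where options is what would be forwarded."""
    opts = parse_tlv(raw_options, stop_at_end=True)
    if untrusted_port and OPTION_RELAY_AGENT_INFO in opts:
        return "discard", raw_options
    if not information_option or OPTION_RELAY_AGENT_INFO in opts:
        return "forward", raw_options
    # Insert Option 82 in front of the END marker (assumes END is the final byte).
    body = raw_options[:-1] if raw_options and raw_options[-1] == OPTION_END else raw_options
    return "forward", body + build_option82(circuit_id, remote_id) + bytes([OPTION_END])


def run_demo() -> list:
    """Three constructed cases; each result is (action, 'Option 82 present in output')."""
    discover = bytes([OPTION_MESSAGE_TYPE, 1, 1, OPTION_END])    # message type 1 = DISCOVER
    circuit, remote = b"Gi0/2", bytes.fromhex("001122334455")    # constructed identifiers
    results = []
    # 1. Default: a client message from an untrusted port gets Option 82 added.
    action, out = snoop_client_options(discover, True, True, circuit, remote)
    results.append((action, OPTION_RELAY_AGENT_INFO in parse_tlv(out, True)))
    # 2. A client message that already carries Option 82 arrives on an untrusted port.
    tagged = discover[:-1] + build_option82(b"x", b"y") + bytes([OPTION_END])
    action, out = snoop_client_options(tagged, True, True, circuit, remote)
    results.append((action, OPTION_RELAY_AGENT_INFO in parse_tlv(out, True)))
    # 3. 'no ip dhcp snooping information option': forwarded unchanged.
    action, out = snoop_client_options(discover, True, False, circuit, remote)
    results.append((action, OPTION_RELAY_AGENT_INFO in parse_tlv(out, True)))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Case 2 is the interaction worth remembering when troubleshooting: a switch that inserts Option 82 sits upstream of another snooping switch whose port towards it is untrusted, and the second switch discards the tagged client messages. Either trust that port or turn off the information option on the first switch, as the notes describe.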

Verification

Configuration

Cisco IOS

DHCP Snooping must be enabled globally on the device and on specific VLANs in order to work.

  • (config)#ip dhcp snooping
    • Enable DHCP snooping on the switch.
  • (config)#ip dhcp snooping vlan vlan-number
    • Enable DHCP snooping on the specified VLAN
  • (config)#no ip dhcp snooping information option
    • Stop the switch from adding Option 82 to DHCP messages it receives from clients.
  • (config-if)#ip dhcp snooping trust
    • Configure the current interface as a trusted port.
    • All ports are untrusted by default. To set a trusted port to untrusted, prepend no to this command.

Rate Limiting Configuration

  • (config-if)#ip dhcp snooping limit rate messages-per-second
    • Specify the maximum rate of DHCP messages that will be allowed into the interface.

Errdisable Recovery


Footnotes

CHADDR: Client Hardware ADDRess. A field in DHCP messages that stores the client’s MAC address. Useful because if the network uses a DHCP Relay then the frame’s source MAC field will have the relay’s MAC address.