What Is DHCP Snooping?
The Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically: it leases addresses to connected devices, and an address can be reused once its lease is no longer needed.
Every host or end device that obtains its IP address through DHCP must communicate with a DHCP server across the LAN.
DHCP snooping acts like a firewall between trusted DHCP servers and untrusted hosts, serving as a guard for the network.
DHCP snooping enables the switching device, which can be either a switch or a router, to monitor the DHCP messages it receives from untrusted devices connected to it.
When DHCP snooping is enabled on a switched network or VLAN, it examines all DHCP messages sent from untrusted hosts on that network or VLAN and extracts their IP addresses and lease information.
DHCP Snooping Binding Database
All extracted information will be used to build and maintain the DHCP snooping database, also known as the binding table.
Only verified hosts from this database are allowed access to the network.
The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled.
The database does not contain entries for hosts connected through trusted interfaces.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
Features of DHCP Snooping
• DHCP snooping validates incoming messages received from untrusted sources and filters out invalid messages.
• DHCP snooping builds, maintains, and stores information about untrusted hosts: the IP-to-MAC address binding, the lease time for the IP address, the type of binding, the VLAN name, and the interface for each host.
All this information is extracted, maintained, and stored in the DHCP snooping binding database so that it can be used for validation.
• DHCP snooping uses the binding database to validate subsequent requests from untrusted hosts.
Dynamic ARP Inspection (DAI) and IP Source Guard also use the information stored in the DHCP snooping binding database.
By default, DHCP snooping is disabled; it can be enabled on a single VLAN or on a range of VLANs across the network.
DHCP Packet Validation
Switches validate DHCP packets received on the untrusted interfaces of every VLAN that has DHCP snooping enabled.
The switch forwards a DHCP packet that passes validation and drops one that fails it.
When the DHCP snooping service detects a violation, the packet is dropped and a message containing the text "DHCP_SNOOPING" is logged; if the switch is configured to send logs to a syslog server, the message is sent there as well.
Two messages you are likely to see:
%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL
This message indicates that the source MAC address of the frame and the client hardware address embedded in the DHCP request differ, which is unfortunately common.
If you see these, investigate a few of them to verify that the cause really is a poor vendor DHCP client or IP forwarding implementation, and decide your policy going forward.
%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT
Such messages are usually serious. This message indicates that a client is being spoofed or, worse, that a rogue DHCP server is in operation.
The switch checks each DHCP packet against the following conditions; a packet that matches any of them fails validation and is dropped instead of forwarded:
• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
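To make the validation rules and the binding table concrete, here is an added Python model of the decision a snooping switch makes per packet (example code written for this article, not vendor switch code). It assumes constructed interface names and MAC addresses, takes the DHCP message type numbers from RFC 2132 option 53, and reuses the two syslog strings quoted above for the cases they describe; the other two drop reasons are labelled with plain text because the page gives no message name for them.

```python
from dataclasses import dataclass, field
OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 2, 3, 4, 5, 6, 7   # RFC 2132 option 53
SERVER_ONLY = {OFFER, ACK, NAK}   # only a DHCP server should originate these

@dataclass
class DhcpMsg:
    port: str                 # ingress interface (constructed names)
    src_mac: str              # Ethernet source MAC of the frame
    chaddr: str               # client hardware address in the DHCP payload
    msg_type: int
    giaddr: str = "0.0.0.0"   # relay agent IP address
    yiaddr: str = "0.0.0.0"   # address offered/acknowledged by the server
    vlan: int = 10

@dataclass
class Snooper:
    trusted: set              # interfaces facing the legitimate DHCP server
    verify_mac: bool = True   # the MAC address verification option
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, vlan, port)
    pending: dict = field(default_factory=dict)   # chaddr -> port of its REQUEST
    log: list = field(default_factory=list)
    def process(self, m: DhcpMsg) -> bool:   # True = forward, False = drop
        if m.port in self.trusted:           # server side: forward, learn binding on ACK
            if m.msg_type == ACK and m.chaddr in self.pending:
                self.bindings[m.chaddr] = (m.yiaddr, m.vlan, self.pending.pop(m.chaddr))
            return True
        if m.msg_type in SERVER_ONLY:        # rogue server on an untrusted port
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT {m.port}")
            return False
        if self.verify_mac and m.src_mac.lower() != m.chaddr.lower():
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL {m.port}")
            return False
        if m.giaddr != "0.0.0.0":            # clients never set a relay agent address
            self.log.append(f"drop: relay agent address {m.giaddr} on {m.port}")
            return False
        bound = self.bindings.get(m.chaddr)
        if m.msg_type in (RELEASE, DECLINE) and bound and bound[2] != m.port:
            self.log.append(f"drop: {m.chaddr} is bound to {bound[2]}, not {m.port}")
            return False
        if m.msg_type == REQUEST:
            self.pending[m.chaddr] = m.port
        elif m.msg_type == RELEASE:
            self.bindings.pop(m.chaddr, None)   # lease given up, entry removed
        return True

def demo():   # constructed traffic: valid lease, rogue OFFER, two spoofed RELEASEs
    s, c, r = Snooper(trusted={"Gi1/0/24"}), "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    msgs = [DhcpMsg("Gi1/0/1", c, c, REQUEST),
            DhcpMsg("Gi1/0/24", "aa:bb:cc:dd:ee:01", c, ACK, yiaddr="10.0.0.5"),
            DhcpMsg("Gi1/0/7", r, r, OFFER), DhcpMsg("Gi1/0/7", r, c, RELEASE),
            DhcpMsg("Gi1/0/7", c, c, RELEASE)]   # last one: right MAC, wrong port
    return [s.process(m) for m in msgs], s.bindings, s.log
```

Running demo() forwards the first two messages, drops the other three, and leaves a single binding for the legitimate client on Gi1/0/1.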
Benefits of DHCP Snooping
Protection Against Rogue DHCP Servers: Prevents unauthorized DHCP servers from allocating IP addresses.
Enhanced Network Stability: Reduces the risk of IP address conflicts and network connectivity issues.
Traffic Control: Helps limit the rate of DHCP traffic on untrusted ports to prevent DHCP flooding attacks.
In conclusion, DHCP snooping is an integral part of a layered network security strategy, particularly in environments where the network infrastructure is at risk from unauthorized DHCP server attacks.