Preventing DHCP Attacks with DHCP Snooping

Running DHCP Snooping on your network greatly reduces the chance that an attacker can set up a rogue DHCP server and hand out his own addresses for the gateway / DNS / WINS. Probably the most common problem, though, is not malicious at all: an employee brings an off-the-shelf wireless router to work and plugs it into the company network, where its built-in DHCP server starts answering clients.

SC#config t
SC(config)#ip dhcp snooping

Now we select which VLANs will be protected by DHCP Snooping:

SC(config)#ip dhcp snooping vlan 100

Enable option 82 if you want relay (circuit/remote ID) information to be inserted into the DHCP packets:

SC(config)#ip dhcp snooping information option

Only interfaces marked as trusted by DHCP Snooping may send server replies (DHCPOFFER / DHCPACK) to client broadcasts, so a rogue DHCP server on an untrusted port cannot answer the request. Trust only the port facing your real DHCP server or relay, here the uplink:

SC(config)#interface gigabitethernet 0/8
SC(config-if)#ip dhcp snooping trust

For every other interface we should implement a DHCP rate limit, so an attacker cannot starve the DHCP server by requesting leases for every address in the pool and thereby prevent legitimate clients from obtaining one. The rate limit is optional but recommended, as it provides the best protection; a limit of a few packets per second is plenty for a normal access port.

SC(config-if)#interface gigabitethernet 0/9
SC(config-if)#ip dhcp snooping limit rate 3

To verify the configuration, use the command show ip dhcp snooping:

SC#show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
    100
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet0/9     yes            3

To view the current DHCP bindings learned by snooping (MAC address, IP address, lease time, VLAN and interface for each client), use the privileged EXEC command show ip dhcp snooping binding.
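Once several switches carry this configuration it is worth checking the show output automatically: a port that was trusted for troubleshooting and never reverted, or an access port without a rate limit, silently reopens the hole. The following script is an added example, not part of the original post; it parses output in the format shown above (the extra interface rows in the sample are constructed) and reports any interface that breaks the "trust only the uplink, rate-limit everything else" policy.

```python
import re

# Constructed sample in the format of the show output above; the rows for
# GigabitEthernet0/10 and 0/11 are made up to exercise the checks.
SAMPLE_OUTPUT = """\
DHCP Snooping is configured on the following VLANs:
    100
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
GigabitEthernet0/8  yes            unlimited
GigabitEthernet0/9  no             3
GigabitEthernet0/10 yes            unlimited
GigabitEthernet0/11 no             unlimited
"""

# One table row: interface name, yes/no trust flag, numeric limit or "unlimited".
ROW_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|unlimited)\s*$", re.MULTILINE)


def parse_snooping(output):
    """Return {interface: (trusted, rate_limit)}; rate_limit is None if unlimited."""
    table = {}
    for name, trusted, rate in ROW_RE.findall(output):
        table[name] = (trusted == "yes", None if rate == "unlimited" else int(rate))
    return table


def audit(output, expected_trusted, access_ports=(), max_rate=3):
    """Flag policy violations: only approved uplinks may be trusted, every
    listed untrusted port needs a rate limit <= max_rate, and an access port
    missing from the table has neither trust nor a limit configured."""
    findings = []
    table = parse_snooping(output)
    for name in expected_trusted:
        if not table.get(name, (False, None))[0]:
            findings.append(f"{name}: expected trusted uplink is not trusted")
    for name in access_ports:
        if name not in table:
            findings.append(f"{name}: access port has no snooping rate limit")
    for name, (trusted, rate) in table.items():
        if trusted and name not in expected_trusted:
            findings.append(f"{name}: trusted but not an approved uplink")
        elif not trusted and (rate is None or rate > max_rate):
            findings.append(f"{name}: untrusted port without rate limit <= {max_rate}")
    return findings
```

Feed it the captured output of each switch and treat any non-empty result as a configuration drift to investigate.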

Sep 23rd, 2010 • Posted in Catalyst, IOS, Security