From the course: Cisco CCNP SCOR Security (350-701) Cert Prep: 1 Security Concepts and Network Security

DHCP snooping

- [Instructor] DHCP Snooping is a way that we can protect our network clients from malicious DHCP traffic. This is a layer 2 security mechanism that will drop traffic deemed to be from a rogue or unauthorized DHCP server. With DHCP Snooping, we have ports designated as being either trusted or untrusted. Trusted ports would be those that uplink to a legitimate DHCP server on the network, and all other ports would be untrusted, effectively blocking rogue DHCP servers on our network. This is done by utilizing the DHCP Snooping binding database, which is simply a table containing MAC-to-IP address bindings of trusted hosts that have leased IP addresses. DHCP Snooping goes hand in hand with Dynamic ARP Inspection, or DAI, and that's a feature we'll examine in a future video. For now, let's take a look at configuring DHCP Snooping on a Cisco Catalyst switch, which is really simple to do. You can see that our lab topology has a switch connecting us out to a host device, and the host device is obtaining an IP address via DHCP. We also have a DHCP server in the network providing network address information, and that server is connected to gig 0/0 on our switch. We want to configure DHCP Snooping so that only our gig 0/0 interface is allowed to carry traffic that hands out DHCP information, and that's the port where our legitimate DHCP server is connected. That way, if someone attaches another device to the switch that is configured for DHCP, whether that's accidental or intentional, our DHCP bindings are going to be protected and that traffic will not be allowed. So, first thing, let's jump over to our DHCP server, which in this case is a router configured to hand out DHCP information, and let's say show ip dhcp pool. You can see that our current leased address count is at zero, and that means we don't have any clients which have obtained DHCP information from the server.
So let's actually jump over to our client PC, and we can very simply do that by saying ip dhcp. When we do that, we're going to walk through the discovery process; you see the D-O-R-A in our output, meaning that we have walked through the discover, offer, request, and acknowledge phases of DHCP and we obtained an address. If we say show ip, we can verify that we do indeed have an IP address at 10.1.1.51, and we see our DHCP server listed at 10.1.1.1, so that all looks good. If we go back to our server and we again say show ip dhcp pool, now you'll see that we do have a leased address. So this client has obtained DHCP information from our server. Let's go over to our switch now and let's configure DHCP Snooping. So first of all, on a global level, we need to enable DHCP Snooping with the command ip dhcp snooping, and that enables the feature globally. But we also need to make that operational on a specific VLAN as well. So we can again say ip dhcp snooping, and if we look at contextual help, one of those options is vlan. So we can enable this for a specific VLAN; we'll follow that with the VLAN number or the range of VLANs that we want to protect. We can do that either way. In this case, every interface here on this switch is still in VLAN 1, which is the default behavior when we boot up with a default config in place, so I'm just going to say vlan 1. Again, you can set multiple discontinuous VLANs, you can set a continuous range, or you can set a single VLAN as needed. Now, by turning that on, we have effectively said that all of the ports in VLAN 1 are now set to an untrusted state. So at the moment, the DHCP offer message from the server can't arrive, because that's considered to be an untrusted port. We need to indicate our gig 0/0 interface on the switch as being trusted, and that's because our legitimate DHCP server resides on that port.
In fact, if we go to our virtual PC and we again try to run ip dhcp, if we try to get a new address, we're going to see that it will fail. We see that we're stuck with a series of Ds, indicating that we can't get past the discover phase in DHCP, and eventually we'll be told that we can't find the DHCP server; we see that on the screen here. So let's go back to our switch, let's go under interface gig 0/0, and we can create a trusted port by saying ip dhcp snooping, and if we look at contextual help, one of those options is trust, which is what we want. This indicates that we trust DHCP messages arriving on the gig 0/0 interface. Let's break out of here and let's say show ip dhcp snooping, and we can see information about our configuration here. We can see that DHCP snooping is enabled, we see that it is enabled on VLAN 1 (we see that listed here, the list of VLANs that it is configured for), we see a single trusted interface, and we see the trusted designation that says yes for gig 0/0, so that looks good. If we go back to our virtual PC and we again try to obtain a DHCP address, we should have success this time. We do see it walk through all of the phases, and that looks much better. This time we are able to communicate with our DHCP server and obtain addressing information. Now, one other option we have to further protect our ports is to rate limit the maximum amount of DHCP traffic allowed on those ports. So let's go back to our switch and let's go ahead and do that for a range of interfaces. Let's say interface range gig 0/1 through 3. So again, we would typically do this for all of our untrusted ports. Let's say ip dhcp snooping, and if we look at our contextual help once more, we have the option limit, which is what we want to use, and we'll follow that with the keyword rate, and help once more will show us our rate limit range. We can set that from 1 to 2048. So this allows us to specify the number of packets per second that we will accept.
I'm just going to use 100; it's probably much too low for an enterprise environment, by the way, but that'll be just fine for this lab. So if we do that, let's break out and let's again say show ip dhcp snooping, and now we see that in addition to our single trusted port gig 0/0, we also have three rate-limited ports, gig 0/1 through 0/3. We see that they are rate limited to 100, and we do see that that is in pps, packets per second. We can see our DHCP Snooping binding table by saying show ip dhcp snooping binding, and you can see this contains our MAC-to-IP address information for the virtual PC. We see the MAC address for that PC, we see the IP address it obtained, 10.1.1.51, we see that it is on VLAN 1 connected to gig 0/1, and we see our lease time listed here. So that's a look at DHCP Snooping on a Cisco Catalyst switch.
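As an added illustration that is not part of the course, here is a small Python model of the decisions the switch makes in the lab above: server-originated DHCP messages (OFFER/ACK) are dropped on untrusted ports, untrusted ports are rate limited in packets per second, and the ACK that comes back through the trusted port populates the binding database. The DhcpSnooping class, the run_dora helper and the client MAC are assumptions constructed for this example; the interface names, client IP and VLAN follow the lab.

```python
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # server-to-client types a rogue server would send


class DhcpSnooping:
    def __init__(self, vlan):
        self.vlan = vlan                  # 'ip dhcp snooping vlan <n>'
        self.trusted = set()              # ports with 'ip dhcp snooping trust'
        self.rate_limit = {}              # port -> 'ip dhcp snooping limit rate <pps>'
        self.counts = {}                  # (port, second) -> DHCP packets seen
        self.client_port = {}             # client MAC -> untrusted port it was seen on
        self.bindings = {}                # MAC -> (ip, vlan, port, lease): binding database

    def trust(self, port):
        self.trusted.add(port)

    def limit_rate(self, port, pps):
        self.rate_limit[port] = pps       # the switch accepts 1-2048 packets per second

    def process(self, port, msg, now):
        """Return 'forward' or a 'drop: ...' reason for one DHCP message."""
        if msg["vlan"] != self.vlan:
            return "forward"              # snooping is not enabled on that VLAN
        if port in self.trusted:          # server side: learn the binding from the ACK
            if msg["type"] == "ACK" and msg["mac"] in self.client_port:
                self.bindings[msg["mac"]] = (msg["yiaddr"], msg["vlan"],
                                             self.client_port[msg["mac"]], msg["lease"])
            return "forward"
        if msg["type"] in SERVER_MSGS:    # untrusted side: no server messages allowed
            return "drop: server message on untrusted port"
        key = (port, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.rate_limit.get(port, float("inf")):
            return "drop: rate limit exceeded"
        self.client_port[msg["mac"]] = port
        return "forward"


def run_dora(sn, client_port="Gi0/1", server_port="Gi0/0", now=0.0):
    """Replay the lab's D-O-R-A exchange; the client MAC is a constructed value."""
    mac, ip = "00:50:79:66:68:00", "10.1.1.51"
    steps = [(client_port, "DISCOVER", None), (server_port, "OFFER", ip),
             (client_port, "REQUEST", None), (server_port, "ACK", ip)]
    results = []
    for port, kind, yiaddr in steps:
        msg = {"type": kind, "mac": mac, "vlan": 1, "yiaddr": yiaddr, "lease": 86400}
        results.append(sn.process(port, msg, now))
        if results[-1] != "forward":      # the client gets stuck at this phase
            break
    return results
```

With every port untrusted the exchange stops at the OFFER, exactly the "series of Ds" seen on the virtual PC; after trusting Gi0/0 it completes and the binding for 10.1.1.51 on Gi0/1 appears.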
