What is DHCP Snooping?


DHCP is one of the most important protocols for our network. With DHCP we can configure IP configurations of our nodes in the network. This DHCP configurations can be done with various DHCP messages. But sometimes these messages can be used for some malicious attacks. So, what is DHCP Snooping? DHCP Snooping is used on switches to detect such malicious attacks. Basically, this mechanism listens the DHCP messages of “untrusted” ports, records port and device information, according to the verification, it determines the harmful ones and prevent.

In this lesson, we will learn What is DHCP Snooping? And in another lesson, we will configure DHCP Snooping on Cisco Packet Tracer.




How can an Attacker Manuplate DHCP Messages?


Many things! As you know, DHCP Server gives IP configurations to our network devices. Think about it, what if a malicious atttacker gives this IP addresses? If an attacker uses a DHCP software and take over your DHCP messaging, he/she can assign your IP addresses. He/She can do this by replying a DHCP Discover messages earlier than your real DHCP Server. He/she can give his/her IP address as a gateway for you. And then? Your all traffic o through his/her device. This is one of the way that a man-in-the-middle attack occurs.


A DHCP attacker can also manuplate your real DHCP Server’s pool.  He/she can send a lot of DHCP Discover messages and get your IP addresses in DHCP Pool. Whenever your DHCP pool exhaust, IP configurations in the network can not be done.



What is the Role of DHCP Snooping?


DHCP Snooping is the inspector and a guardian of our network here. It is configured on switches. It Works as a firewall between DHCP Server and other part of the network.  Here, DHCP Snooping tracks all the DHCP Discover and DHCP Offer messages coming from “untrusted” ports.

According to this DHCP security system, there are two port types. These port types are:

  • Trusted Ports
  • Untrusted Ports


Trusted ports are the ports that is set as verified at the beginning, This means that, any DHCP messages are accepted from this interface.


Untrusted ports are the ports that is set as unverified at the beginning. This means that, “be careful for the packets coming from this interface”.




At the beginning of the configuration, the required ports set as “untrusted”. This ports are generally user ports. Simply, we configure all the ports rather than DHCP Server in the network as “untrusted” with DHCP Snooping. Because, we would like to receive DHCP messages only form real DHCP Server of the network. Here, the ports connected to the DHCP Server, will be ”trusted” ports.




Another thing that we can d with DHCP Snooping is, limiting the DHCP Discover messages by “rate-limit”. This prevent our DHCP Pool from any exhaust. As we mentioned above, some attackers’ aim is directly the IP Pool of the DHCP Server.


DHCP Snooping fills a table named “DHCP Binding Table”.  Accordig to this table, only the verified  hosts are accepted to the network. Here, these entries are full of the devices connected to “untrusted” ports. There is no info about trusted ports in this “DHCP Binding Table”.


In the “DHCP Binding Table”, important information of the hosts are recorded. These information includes:

  • Interface
  • MAC Addresses
  • IP Address
  • VLAN
  • Binding Type
  • Leased Time


By default DHCP Snooping is not active. Toı use DHCP Snooping, we should enable it. By the way, DHCP Snooping can be enabled either for a single VLAN or for a range of VLANs.


What if DHCP Snooping Detects a Malicious Attack?


As we mentioned above, DHCP Snooping checks the untursted ports and their DHCP behaviours. Even if itdetects aa malicious behaviour, in other words any DHCP violation, the message is dropped and a message logged. These mesages can be like below:



This message shows that a DHCP Offer message come from an untursted port. This is a very serious problem. In other words, somebody are trying to be your new DHCP Server, a rogue DHCP Server.



This message shows any MAC mismatch between Source of Ethernet frame and Client. In other words, there is a mmismatch in “DHCP Binding Table”.


DHCP Option 82

Lesson tags: DHCP, attacks
Back to: CCNP Enterprise 350-401 ENCOR > Security

Leave a Reply

Your email address will not be published. Required fields are marked *

CCNP Enterprise 350-401 ENCOR