Configure DHCP Snooping on Cisco Switches

This tutorial explains how to configure DHCP Snooping on Cisco switches through a packet tracer example. Learn DHCP snooping configuration in detail through examples.

DHCP Snooping is a security feature of Layer 2 switches. It allows us to filter and block certain types of DHCP traffic. By using this feature, we can mitigate several security risks caused by rogue DHCP servers and attackers.

DHCP snooping works on a per-VLAN basis. By default, this feature is not enabled. To use this feature, first, we have to enable it. After enabling, we can configure it on some VLANs or all VLANs. Once configured, it actively monitors incoming traffic on all ports of the configured VLAN. If it detects any DHCP packet, based on its configuration either it allows the packet or drops the packet.

To learn how this process works in detail, you can check the previous parts of this tutorial. In this part, we will understand how to configure DHCP snooping on Cisco switches.

Packet Tracer lab setup

Create a packet tracer lab as shown in the following image.

practice lab packet tracer

Configure this lab as described below.

  • Assign the IP address 10.0.0.1/8 to the Fa0/0 interface of router 0.
  • Configure the Fa0/0 interface of the router to forward all DHCP requests to the Server0.
  • Assign the IP address 20.0.0.1/8 to the Fa0/1 interface of the Router0.
  • Assign the IP address 20.0.0.10/8 to the Server0.
  • Configure a DHCP pool for the local network connected to the Switch0.
  • Configure PCs of the local network as DHCP clients.

Configuring the router

Access the CLI prompt of the router and run the following commands.

Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address 20.0.0.10
Router(config-if)#exit
Router(config)#

The following table explains the commands used in the above configuration.

Command Description
Router>enable Enter privileged-exec mode.
Router#configure terminal Enter global configuration mode.
Router(config)#interface [interface] [slot/number] Enter interface configuration mode.
Router(config-if)#ip address [IP address] [subnet mask] Assign an IP address to the interface.
Router(config-if)#ip helper-address [IP address of the DHCP server] Configure the interface to forward DHCP requests to the DHCP server.
Router(config-if)#no shutdown Enable interface.
Router(config-if)#exit Exit interface configuration mode.

Assigning a static IP address to the Server0

To assign a static IP address to the Server0, click Server0 and click the IP configuration option of the Desktop menu. In the IP configuration option, select the Static option and set the static configuration.

The following image shows this procedure.

assigning static ip on switch

Enabling DHCP service and adding a DHCP pool

Click the Services menu icon and click the DHCP Service in the left pane and select the on option in the right pane. Set the value in the DHCP Pool Options and click the Add button. The following image shows this procedure.

adding dhcp pool and enabling dhcp service

Configure DHCP clients

To configure PCs as DHCP clients, click the PC and click the IP configuration option from the Desktop menu item and select the DHCP option. The following image shows this procedure.

configure dhcp client

Verifying DHCP Server

If the DHCP server is configured properly, DHCP clients get IP addresses automatically as soon as they change their IP configuration to DHCP. The following image shows the IP configuration of the PC2 that it gets from the DHCP server.

verifying dhcp server

Adding the attacker's DHCP server

To understand how DHCP snooping protects the network from a rogue DHCP server, let's add an attacker's DHCP server to our network. The following image shows our example network after adding the attacker's DHCP server.

adding attackers dhcp server

The following image shows the static IP configuration of the attacker DHCP server.

configure static ip on attacker dhcp server

Add a DHCP pool that replicates the DHCP pool of the original DHCP server. In this pool, change the default gateway IP to the IP address that you assigned to this server. The following image shows how to do this.

configure dhcp pool on attacker device

By default, the server contains a default pool and the packet tracer does not allow us to delete it. If multiple pools are configured, DHCP uses the source address to determine the correct pool. Since DHCP clients use the 0.0.0.0 address as the source address and the default pool also uses this address as the default gateway and DNS server addresses, DHCP provides the IP configuration from the default pool instead of our pool. To force DHCP to use our pool, change the default gateway IP to the IP address of the server in the default pool.

The following image shows this step.

adjusting dhcp pool on packet tracer

Verifying attacker's DHCP server

The attacker's DHCP server is available in the local network. It receives DHCP requests from clients before the original DHCP server. Since the attacker's DHCP server receives the request first, it also reacts first and the client gets an IP configuration from the attacker's DHCP server.

To verify this, click a PC from the local network and change its IP configuration to Static and back to DHCP.

The following image shows how PC2 obtains a new IP configuration from the attacker's DHCP server instead of the original DHCP server upon requesting a new IP configuration.

verifying dhcp attack

If DHCP clients use the IP configuration provided by the attacker's DHCP server, the attacker can misuse their data without knowing them. This is known as the man-in-middle attack.

To learn this attack in more detail, please check the previous part of this tutorial. The previous part of this tutorial explains the man-in-middle attack in detail with an example.

Configuring DHCP snooping on the switch

Configuring DHCP snooping on the switch involves the following steps.

  • By default, DHCP snooping is disabled on Cisco switches. To use this feature, first, we have to enable it.
  • DHCP snooping works a per-VLAN basic. Once DHCP snooping is enabled, we have to specify the VLAN on which we want to apply this. You can specify a single VLAN or multiple VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number or a dash and range of VLANs.
  • DHCP snooping treats all ports of the specified VLAN as the untrusted ports. An untrusted port is a port that does not accept DHCP server messages. In other words, if a device is connected to an untrusted port, it can obtain IP configuration from the DHCP server but it cannot offer an IP configuration.
  • If a DHCP server is connected to the port, we have to configure that port as the trusted port. A trusted port is a port that accepts DHCP server messages. In other words, a DHCP server can provide IP configuration only if it is connected to a trusted port.

The following table lists the commands that are used to configure and verify DHCP snooping on Cisco switches.

Command Description
Switch(config)# ip dhcp snooping To enable DHCP snooping globally.
Switch(config)# ip dhcp snooping vlan number [number] To enable DHCP snooping on the specified VLAN.
Switch(config-if)# ip dhcp snooping trust To configure the interface as a trusted interface.
Switch(config-if)# ip dhcp snooping limit rate [rate] To limit the number of DHCP packets that the interface can receive in a second.
Switch# show ip dhcp snooping To view DHCP snooping configuration and status
Switch# debug ip dhcp snooping event To debug DHCP snooping events.
Switch# debug ip dhcp snooping packet To view DHCP messages and packets.

The following commands configure DHCP snooping on the switch of our example network.

Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#interface fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Switch(config)#exit
Switch#

The following image shows the above commands on the packet tracer.

dhcp snooping configuration

Let's understand the above configuration in detail.

We used the first and second commands to enter global configuration mode. We used the third command to enable the DHCP snooping.

VLAN 1 is the default VLAN on Cisco switches. By default, all ports belong to this VLAN. Since DHCP snooping works on VLANs and we did not create any VLAN in our example, we implemented DHCP snooping on the default VLAN using the fourth command.

In our example, the original DHCP is connected to the interface Fa0/4. We used the fifth command to enter the interface configuration mode of the Fa0/4 interface. In interface configuration mode, we used the sixth command to configure the interface as the trusted interface.

We used the last command to exit interface configuration mode.

Once DHCP snooping is enabled, only the DHCP server that is connected to the trusted interface can provide IP configuration. To verify this, let's obtain a new IP configuration on a PC of the local network.

The following image shows how PC2 obtains a new IP configuration from the original DHCP server.

verifying dhcp snooping

Viewing DHCP snooping configuration

To view DHCP snooping configuration and statistics, use the 'show ip dhcp snooping' command in privileged-exec mode.

The following image shows the output of this command.

show ip dhcp snooping command

DHCP rate limit

By default, DHCP snooping does not limit the number of DHCP packets that an interface can receive. Since untrusted interfaces connect to DHCP clients, to enhance the security you can limit the number of DHCP packets on these interfaces.

The recommended rate limit for each untrusted port is 15 packets per second. Generally, the rate limit is applied to untrusted interfaces. But if required, you can also configure it on a trusted interface.

To configure DHCP snooping rate limit on an interface, use the 'ip dhcp snooping limit rate [number]' command in interface configuration mode of the interface.

The following image shows how to set the rate limit on the Fa0/1 interface and verifies the same.

ip dhcp snooping limit rate command

Debugging DHCP snooping

To debug DHCP snooping events and packets, use the 'debug ip dhcp snooping event' and 'debug ip dhcp snooping packet' commands in privileged-exec mode. To disable debugging, use the keyword 'no' before the same commands.

The following image shows how to enable and disable the debugging of DHCP snooping.

dbugging dhcp snooping

Downloading the practice lab used in this tutorial

If you want to download the practice lab used in this tutorial, you can download it from the following links. Each link provides the practice lab in a different stage.

Practice lab without any configuration

This lab does not contain any configuration. Use this lab, if you want to configure the lab from the starting as explained in this tutorial.

Practice lab with working DHCP server

In this lab, the DHCP server, router, and DHCP clients are configured but, the attacker's DHCP server is not connected to the network. Use this lab, if you want to practice by adding and configuring an attacker's DHCP server.

Practice lab with both DHCP servers

In this lab, both the original and attacker's DHCP servers are configured but DHCP snooping on the switch is not configured. Use this lab, if you only want to practice of the DHCP snooping.

Configured practice lab

This lab contain all configuration. Use this lab for your references or to cross-check your configuration.

If you download and use the lab used in this tutorial, wait for a minute after loading the lab on the packet tracer. Switches take about 45 - 50 seconds to initialize. Due to this reason, all DHCP requests that were made before the switch initialized fail. If you see a DHCP fail message, it means PC tried to obtain a new IP configuration when the switch was initialing. To get a new IP configuration, change IP configuration to static and back to DHCP. This will force the PC to obtain a new IP configuration.

That's all for this tutorial. If you like this tutorial, please don't forget to share it with friends through your favorite social network.

ComputerNetworkingNotes CCNA Study Guide Configure DHCP Snooping on Cisco Switches