DHCP Snooping is a security feature of Layer 2 switches. It allows us to filter and block certain types of DHCP traffic. By using this feature, we can mitigate several security risks caused by rogue DHCP servers and attackers.
DHCP snooping works on a per-VLAN basis. By default, this feature is not enabled. To use this feature, first, we have to enable it. After enabling, we can configure it on some VLANs or all VLANs. Once configured, it actively monitors incoming traffic on all ports of the configured VLAN. If it detects any DHCP packet, based on its configuration either it allows the packet or drops the packet.
To learn how this process works in detail, you can check the previous parts of this tutorial. In this part, we will understand how to configure DHCP snooping on Cisco switches.
This tutorial is the last part of the tutorial 'DHCP (Dynamic Host Configuration Protocol) basic concepts, configurations, functions, and options Explained'. Other parts of this tutorial are the following.
What DHCP is and Types of DHCP Explained
How DHCP works explained with examples
DHCP Configuration Parameters and Settings Explained
How to Configure DHCP Server on Cisco Switches
Configure DHCP Server for multiple VLANs on the Switch
How to Configure DHCP Server on Cisco Routers
How DHCP Relay Agents work Explained
How to Configure DHCP Relay Agent on Cisco Routers
How DHCP Snooping works Explained
Packet Tracer lab setup
Create a packet tracer lab as shown in the following image.
Configure this lab as described below.
- Assign the IP address 10.0.0.1/8 to the Fa0/0 interface of router 0.
- Configure the Fa0/0 interface of the router to forward all DHCP requests to the Server0.
- Assign the IP address 20.0.0.1/8 to the Fa0/1 interface of the Router0.
- Assign the IP address 20.0.0.10/8 to the Server0.
- Configure a DHCP pool for the local network connected to the Switch0.
- Configure PCs of the local network as DHCP clients.
Configuring the router
Access the CLI prompt of the router and run the following commands.
Router>enable Router#configure terminal Router(config)#interface fastethernet 0/0 Router(config-if)#ip address 10.0.0.1 255.0.0.0 Router(config-if)#no shutdown Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip address 20.0.0.1 255.0.0.0 Router(config-if)#no shutdown Router(config-if)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip helper-address 20.0.0.10 Router(config-if)#exit Router(config)#
The following table explains the commands used in the above configuration.
| Command | Description |
| Router>enable | Enter privileged-exec mode. |
| Router#configure terminal | Enter global configuration mode. |
| Router(config)#interface [interface] [slot/number] | Enter interface configuration mode. |
| Router(config-if)#ip address [IP address] [subnet mask] | Assign an IP address to the interface. |
| Router(config-if)#ip helper-address [IP address of the DHCP server] | Configure the interface to forward DHCP requests to the DHCP server. |
| Router(config-if)#no shutdown | Enable interface. |
| Router(config-if)#exit | Exit interface configuration mode. |
Assigning a static IP address to the Server0
To assign a static IP address to the Server0, click Server0 and click the IP configuration option of the Desktop menu. In the IP configuration option, select the Static option and set the static configuration.
The following image shows this procedure.
Enabling DHCP service and adding a DHCP pool
Click the Services menu icon and click the DHCP Service in the left pane and select the on option in the right pane. Set the value in the DHCP Pool Options and click the Add button. The following image shows this procedure.
Configure DHCP clients
To configure PCs as DHCP clients, click the PC and click the IP configuration option from the Desktop menu item and select the DHCP option. The following image shows this procedure.
Verifying DHCP Server
If the DHCP server is configured properly, DHCP clients get IP addresses automatically as soon as they change their IP configuration to DHCP. The following image shows the IP configuration of the PC2 that it gets from the DHCP server.
Adding the attacker's DHCP server
To understand how DHCP snooping protects the network from a rogue DHCP server, let's add an attacker's DHCP server to our network. The following image shows our example network after adding the attacker's DHCP server.
The following image shows the static IP configuration of the attacker DHCP server.
Add a DHCP pool that replicates the DHCP pool of the original DHCP server. In this pool, change the default gateway IP to the IP address that you assigned to this server. The following image shows how to do this.
By default, the server contains a default pool and the packet tracer does not allow us to delete it. If multiple pools are configured, DHCP uses the source address to determine the correct pool. Since DHCP clients use the 0.0.0.0 address as the source address and the default pool also uses this address as the default gateway and DNS server addresses, DHCP provides the IP configuration from the default pool instead of our pool. To force DHCP to use our pool, change the default gateway IP to the IP address of the server in the default pool.
The following image shows this step.
Verifying attacker's DHCP server
The attacker's DHCP server is available in the local network. It receives DHCP requests from clients before the original DHCP server. Since the attacker's DHCP server receives the request first, it also reacts first and the client gets an IP configuration from the attacker's DHCP server.
To verify this, click a PC from the local network and change its IP configuration to Static and back to DHCP.
The following image shows how PC2 obtains a new IP configuration from the attacker's DHCP server instead of the original DHCP server upon requesting a new IP configuration.
If DHCP clients use the IP configuration provided by the attacker's DHCP server, the attacker can misuse their data without knowing them. This is known as the man-in-middle attack.
To learn this attack in more detail, please check the previous part of this tutorial. The previous part of this tutorial explains the man-in-middle attack in detail with an example.
Configuring DHCP snooping on the switch
Configuring DHCP snooping on the switch involves the following steps.
- By default, DHCP snooping is disabled on Cisco switches. To use this feature, first, we have to enable it.
- DHCP snooping works a per-VLAN basic. Once DHCP snooping is enabled, we have to specify the VLAN on which we want to apply this. You can specify a single VLAN or multiple VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number or a dash and range of VLANs.
- DHCP snooping treats all ports of the specified VLAN as the untrusted ports. An untrusted port is a port that does not accept DHCP server messages. In other words, if a device is connected to an untrusted port, it can obtain IP configuration from the DHCP server but it cannot offer an IP configuration.
- If a DHCP server is connected to the port, we have to configure that port as the trusted port. A trusted port is a port that accepts DHCP server messages. In other words, a DHCP server can provide IP configuration only if it is connected to a trusted port.
The following table lists the commands that are used to configure and verify DHCP snooping on Cisco switches.
| Command | Description |
| Switch(config)# ip dhcp snooping | To enable DHCP snooping globally. |
| Switch(config)# ip dhcp snooping vlan number [number] | To enable DHCP snooping on the specified VLAN. |
| Switch(config-if)# ip dhcp snooping trust | To configure the interface as a trusted interface. |
| Switch(config-if)# ip dhcp snooping limit rate [rate] | To limit the number of DHCP packets that the interface can receive in a second. |
| Switch# show ip dhcp snooping | To view DHCP snooping configuration and status |
| Switch# debug ip dhcp snooping event | To debug DHCP snooping events. |
| Switch# debug ip dhcp snooping packet | To view DHCP messages and packets. |
The following commands configure DHCP snooping on the switch of our example network.
Switch>enable Switch#configure terminal Switch(config)#ip dhcp snooping Switch(config)#ip dhcp snooping vlan 1 Switch(config)#interface fa0/4 Switch(config-if)#ip dhcp snooping trust Switch(config-if)#exit Switch(config)#exit Switch#
The following image shows the above commands on the packet tracer.
Let's understand the above configuration in detail.
We used the first and second commands to enter global configuration mode. We used the third command to enable the DHCP snooping.
VLAN 1 is the default VLAN on Cisco switches. By default, all ports belong to this VLAN. Since DHCP snooping works on VLANs and we did not create any VLAN in our example, we implemented DHCP snooping on the default VLAN using the fourth command.
In our example, the original DHCP is connected to the interface Fa0/4. We used the fifth command to enter the interface configuration mode of the Fa0/4 interface. In interface configuration mode, we used the sixth command to configure the interface as the trusted interface.
We used the last command to exit interface configuration mode.
Once DHCP snooping is enabled, only the DHCP server that is connected to the trusted interface can provide IP configuration. To verify this, let's obtain a new IP configuration on a PC of the local network.
The following image shows how PC2 obtains a new IP configuration from the original DHCP server.
Viewing DHCP snooping configuration
To view DHCP snooping configuration and statistics, use the 'show ip dhcp snooping' command in privileged-exec mode.
The following image shows the output of this command.
DHCP rate limit
By default, DHCP snooping does not limit the number of DHCP packets that an interface can receive. Since untrusted interfaces connect to DHCP clients, to enhance the security you can limit the number of DHCP packets on these interfaces.
The recommended rate limit for each untrusted port is 15 packets per second. Generally, the rate limit is applied to untrusted interfaces. But if required, you can also configure it on a trusted interface.
To configure DHCP snooping rate limit on an interface, use the 'ip dhcp snooping limit rate [number]' command in interface configuration mode of the interface.
The following image shows how to set the rate limit on the Fa0/1 interface and verifies the same.
Debugging DHCP snooping
To debug DHCP snooping events and packets, use the 'debug ip dhcp snooping event' and 'debug ip dhcp snooping packet' commands in privileged-exec mode. To disable debugging, use the keyword 'no' before the same commands.
The following image shows how to enable and disable the debugging of DHCP snooping.
Downloading the practice lab used in this tutorial
If you want to download the practice lab used in this tutorial, you can download it from the following links. Each link provides the practice lab in a different stage.
Practice lab without any configuration
This lab does not contain any configuration. Use this lab, if you want to configure the lab from the starting as explained in this tutorial.
Practice lab with working DHCP server
In this lab, the DHCP server, router, and DHCP clients are configured but, the attacker's DHCP server is not connected to the network. Use this lab, if you want to practice by adding and configuring an attacker's DHCP server.
Practice lab with both DHCP servers
In this lab, both the original and attacker's DHCP servers are configured but DHCP snooping on the switch is not configured. Use this lab, if you only want to practice of the DHCP snooping.
This lab contain all configuration. Use this lab for your references or to cross-check your configuration.
If you download and use the lab used in this tutorial, wait for a minute after loading the lab on the packet tracer. Switches take about 45 - 50 seconds to initialize. Due to this reason, all DHCP requests that were made before the switch initialized fail. If you see a DHCP fail message, it means PC tried to obtain a new IP configuration when the switch was initialing. To get a new IP configuration, change IP configuration to static and back to DHCP. This will force the PC to obtain a new IP configuration.
