Cisco switch DHCP Snooping Function

Source: Internet
Author: User
Tags: cisco switch

I. Common problems with the DHCP service

Setting up a DHCP server lets network parameters such as IP addresses, subnet masks, default gateways and DNS servers be assigned to clients automatically, which simplifies network configuration and improves management efficiency. However, running a DHCP service also brings some management problems. Common examples include:
· DHCP server impersonation (rogue DHCP servers)
· DoS attacks against the DHCP server, such as DHCP address-pool depletion attacks
· Users setting IP addresses at will, resulting in IP address conflicts
1. DHCP server impersonation
Because there is no authentication mechanism between a DHCP server and its clients, any DHCP server that is added to the network can assign IP addresses and other network parameters to clients. If that server hands out incorrect IP addresses or other network parameters, it can do great harm to the network.
2. DoS attacks against the DHCP server
The DHCP server normally determines a client's MAC address from the CHADDR (client hardware address) field of the DHCP request message sent by that client. Under normal circumstances the CHADDR field is the same as the actual source MAC address of the client that sent the request. An attacker can use MAC spoofing to send many DHCP requests, but that form of the attack can be prevented with the port security feature of the Cisco switch, which allows each port to use only a single MAC address. If, however, the attacker leaves the source MAC address of the DHCP request frame unchanged and only modifies the CHADDR field inside the DHCP packet, port security does not help.
Because the DHCP server treats different CHADDR values as requests from different clients, the attacker can exhaust the address pool on the DHCP server, so that it can no longer provide network addresses to legitimate users. This is a DHCP depletion attack. A DHCP depletion attack can be a pure DoS attack, or it can be combined with a forged DHCP server: once the legitimate DHCP server has been paralyzed, the attacker can set up a forged DHCP server to serve the clients in the LAN, handing out addresses that direct their traffic to a malicious computer where it can be intercepted.
Even when the source MAC address and the CHADDR field of the DHCP request messages are correct, sending a very large number of them exhausts network bandwidth, which forms another kind of denial-of-service attack.
3. Clients can specify IP addresses at will
A client is not obliged to use the DHCP service; it can set its IP address statically. If clients do this at will, the likelihood of IP address conflicts in the network rises greatly.

II. Introduction to DHCP Snooping Technology

DHCP Snooping is a DHCP security feature. On Cisco switches it can be enabled per VLAN; once enabled, the switch intercepts all DHCP packets in that Layer 2 VLAN.
DHCP snooping divides switch ports into two types:
Untrusted port: usually a port that connects to a terminal device such as a PC or a network printer.
Trusted port: a port that connects to the legitimate DHCP server, or the uplink port toward the aggregation switch.
With DHCP snooping enabled, the switch allows user ports (untrusted ports) to send only DHCP requests and discards all other DHCP packets arriving on user ports, such as DHCP Offer packets. Moreover, not every DHCP request from a user port is allowed through: the switch compares the source MAC address of the DHCP request (in the frame header) with the DHCP client hardware address (the CHADDR field, in the packet body) and forwards the request only when the two are the same; otherwise the request is discarded. This prevents DHCP depletion attacks.
A trusted port can receive all DHCP packets. Set only the port that connects the switch to the legitimate DHCP server as trusted, and all other ports as untrusted, to prevent users from forging DHCP servers and attacking the network.
DHCP snooping can also rate-limit DHCP packets on a port. A rate limit can be set for each untrusted port to stop flooding attacks that use otherwise valid DHCP request packets.
DHCP snooping also plays an important role in building the DHCP snooping binding table. Once a client connected to an untrusted port obtains a valid DHCP Offer, the switch automatically adds a binding entry to the DHCP snooping binding table containing the client's IP address, its MAC address, the port number and VLAN number of the untrusted port, and the lease period. For example:
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:0F:1F:C5:10:08   192.168.10.131   682463      dhcp-snooping  10    FastEthernet0/1
This DHCP snooping binding table provides the basis for further deploying IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).
Note:
1. An untrusted port allows only the client's DHCP request packets through. This restriction applies to DHCP packets only; other, non-DHCP packets are still forwarded normally. This means that a client on an untrusted port can still access the network by statically configuring an IP address. Because such a static client sends no DHCP packets, it has no entry in the DHCP snooping binding table.
2. Clients on trusted ports are not recorded in the DHCP snooping binding table. Even if a client connected to a trusted port obtains its IP address through normal DHCP, no entry for it appears in the binding table.
3. If clients are to be allowed onto the network only when they obtain their IP address dynamically, IPSG and DAI must be deployed in addition.
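The forwarding decision and the binding table described above, modelled as an added example (this is not code from the original page or from Cisco): untrusted ports pass only client requests whose CHADDR matches the frame's source MAC and stay under a per-port rate limit, trusted ports pass everything, and a server ACK for a client that requested on an untrusted port becomes a binding entry. The port names, VLAN number, MAC addresses, rate limit and the constructed DHCP packets are all assumptions made for the demo; the rate limit is a simplified packet count without a time window.

```python
"""Added example, not code from the original page: a small model of the
DHCP snooping forwarding decision and binding table from section II,
run over constructed DHCP packets. Port names, VLAN number, MACs and the
rate limit are assumptions made for the demo."""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP vendor magic cookie
OPT_MSG_TYPE, OPT_LEASE, OPT_END = 53, 51, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK, 6}          # 6 = NAK; only a server sends these


def fmt(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


@dataclass
class Dhcp:
    op: int          # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    chaddr: bytes    # client hardware address carried inside the packet
    yiaddr: str      # address offered/assigned by the server
    msg_type: int    # option 53
    lease: int = 0   # option 51, seconds


def parse_dhcp(data: bytes) -> Dhcp:
    """Parse the BOOTP fixed header plus the two options the decision needs."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = data[0], data[1], data[2]
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are modelled")
    yiaddr = ".".join(str(b) for b in data[16:20])
    chaddr = data[28:28 + hlen]
    msg_type, lease, i = None, 0, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        elif code == OPT_LEASE:
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    if msg_type is None:
        raise ValueError("missing DHCP message type option")
    return Dhcp(op, chaddr, yiaddr, msg_type, lease)


def build_dhcp(op, chaddr, msg_type, yiaddr="0.0.0.0", lease=None) -> bytes:
    """Construct a minimal DHCP packet (sample input for the demo only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)   # op..flags
    hdr += bytes(4) + bytes(int(x) for x in yiaddr.split(".")) + bytes(8)
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    return hdr + opts + bytes([OPT_END])


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


class SnoopingSwitch:
    """DHCP snooping for one VLAN, as the page describes it (assumed model)."""

    def __init__(self, trusted: set, vlan: int = 10, rate_limit: int = 10):
        self.trusted = trusted        # ports facing the legitimate server/uplink
        self.vlan = vlan
        self.rate_limit = rate_limit  # max client DHCP packets per untrusted port
        self.count = {}               # port -> packets seen (no time window)
        self.pending = {}             # client MAC -> untrusted port awaiting a lease
        self.bindings = []

    def handle(self, port: str, src_mac: bytes, data: bytes):
        """Return ("forward"|"drop", reason) for one DHCP packet on port."""
        msg = parse_dhcp(data)
        if port in self.trusted:
            # Trusted ports pass everything. A server ACK for a client that
            # requested on an untrusted port becomes a binding-table entry.
            mac = fmt(msg.chaddr)
            if msg.msg_type == ACK and mac in self.pending:
                self.bindings.append(Binding(mac, msg.yiaddr, msg.lease,
                                             self.vlan, self.pending.pop(mac)))
            return "forward", "trusted port"
        if msg.op == 2 or msg.msg_type in SERVER_MESSAGES:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if msg.chaddr != src_mac:
            return "drop", "CHADDR differs from source MAC (depletion attempt)"
        self.count[port] = self.count.get(port, 0) + 1
        if self.count[port] > self.rate_limit:
            return "drop", "rate limit exceeded on untrusted port"
        self.pending[fmt(msg.chaddr)] = port
        return "forward", "client request"

    def show_binding(self) -> list:
        """Lines in the spirit of 'show ip dhcp snooping binding'."""
        return [f"{b.mac} {b.ip} {b.lease} dhcp-snooping {b.vlan} {b.interface}"
                for b in self.bindings]
```

A static host that never sends DHCP traffic never reaches handle() and therefore never gets a binding entry, which is exactly the gap note 1 above points out and the reason IPSG and DAI are layered on top of this table.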
