CCNA Security And BCMSN Certification Exam Tutorial: Understanding And Configuring DHCP Snooping
By Chris Bryant, CCIE #12933
Understanding the possible avenues of attack for a network intruder is vital both to passing the CCNA Security and CCNP BCMSN exams and to successfully defending your network. Intruders can turn protocols found in every network - DHCP and ARP, to name just two - against other parts of the network.
It may be hard to believe, but something as innocent as DHCP can actually lead to trouble for your network. When a host sends out a DHCPDiscover packet, it listens for DHCPOffer packets - and accepts the first Offer it gets!

Part of that DHCPOffer is the address to which the host should set its default gateway. In a network with a single, legitimate DHCP server, there's no problem: the host will receive that server's DHCPOffer and set its default gateway accordingly. What if a DHCP server that does not belong on our network - a rogue DHCP server - is placed on that subnet?

Now we've got a real problem, because that host is going to use the information in the first DHCPOffer packet it receives - and if that Offer comes from the rogue DHCP server, the host will set its default gateway to whatever address the rogue server hands out, typically the rogue server's own IP address!
The rogue server could also have the host set its DNS server address to the rogue server's address as well. This opens the host and the network to several nasty kinds of attacks.
DHCP Snooping serves as a kind of firewall between hosts and untrusted DHCP servers. DHCP Snooping classifies interfaces on the switch into one of two categories - trusted and untrusted.
Trusted interfaces are those that receive DHCP messages from within the network, such as the port leading to your own DHCP server; untrusted interfaces are those that receive messages from outside the network, which in practice means the access ports your hosts connect to. DHCP messages arriving on trusted interfaces are allowed to pass through the switch; DHCP server messages (such as a DHCPOffer) arriving on an untrusted interface are dropped by the switch, and the interface itself will be placed into err-disabled state.

Now, you're probably asking "How does the switch determine which ports are trusted and which ports are untrusted?" By default, the switch considers all ports untrusted - which means we had better remember to configure the switch to trust some ports when we enable DHCP Snooping!
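To make the trusted/untrusted decision concrete, here is a small Python model of what a DHCP Snooping switch does with each DHCP message. It is an added example, not code from the article or from Cisco: it models the behaviour described above (every port untrusted by default, server replies refused on untrusted ports, the err-disable penalty) together with the per-port packet-per-second rate limit that the show ip dhcp snooping output reports, and it assumes that err-disable is triggered when that rate limit is exceeded. The port names, the rate-limit value and the sequence of DHCP events are constructed for the example.

```python
# Added example (not from the original article): a minimal model of the
# per-message decision DHCP Snooping makes on a switch port.
from dataclasses import dataclass, field
from typing import Optional

# Message types only a DHCP server legitimately sends. A rogue server on
# an access port would emit exactly these, so they are refused on untrusted
# ports; client messages (DISCOVER/REQUEST) must still pass, or hosts could
# never obtain a lease at all.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    name: str
    trusted: bool = False                 # switch default: every port untrusted
    rate_limit: Optional[int] = None      # DHCP packets per second; None = unlimited
    err_disabled: bool = False
    seen: dict = field(default_factory=dict)   # second -> DHCP packets counted


def inspect(port: Port, msg_type: str, second: int) -> str:
    """Return 'forward', 'drop' or 'err-disable' for one DHCP message."""
    if port.err_disabled:
        return "drop"                     # port stays shut until an admin recovers it
    # Rate limiting counts every DHCP packet, whatever its type (assumed model).
    if port.rate_limit is not None:
        count = port.seen.get(second, 0) + 1
        port.seen[second] = count
        if count > port.rate_limit:
            port.err_disabled = True
            return "err-disable"
    if port.trusted:
        return "forward"                  # trusted ports pass every DHCP message
    if msg_type in SERVER_MESSAGES:
        return "drop"                     # server reply arriving on an access port
    return "forward"                      # ordinary client traffic


def run(events, ports):
    """Apply inspect() to (port_name, msg_type, second) tuples, in order."""
    return [inspect(ports[name], msg, sec) for name, msg, sec in events]


if __name__ == "__main__":
    # Constructed topology: Fa0/10 leads to the real DHCP server, Fa0/3 is a host port.
    ports = {
        "Fa0/10": Port("Fa0/10", trusted=True),
        "Fa0/3": Port("Fa0/3", rate_limit=2),
    }
    events = [
        ("Fa0/3", "DISCOVER", 1),   # client asks for a lease: forwarded
        ("Fa0/10", "OFFER", 1),     # legitimate server answers via trusted port
        ("Fa0/3", "OFFER", 2),      # an Offer sourced from a host port: dropped
        ("Fa0/3", "DISCOVER", 3),   # three client packets in one second ...
        ("Fa0/3", "DISCOVER", 3),
        ("Fa0/3", "DISCOVER", 3),   # ... the third exceeds the 2 pps limit
    ]
    for event, action in zip(events, run(events, ports)):
        print(event, "->", action)
```

The ordering matters: the rate limit is evaluated before the trust check, so even a trusted port with a configured limit can be err-disabled, while a trusted port left at "unlimited" never is.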
First, we need to enable DHCP Snooping on the entire switch:
SW1(config)#ip dhcp snooping
You must then identify the VLANs that will be using DHCP Snooping. Let's use IOS Help to look at the other options available.
SW1(config)#ip dhcp snooping ?
database DHCP snooping database agent
information DHCP Snooping information
verify DHCP snooping verify
vlan DHCP Snooping vlan
<cr>
SW1(config)#ip dhcp snooping vlan ?
WORD DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11
Note that you can use commas and dashes to define a range of VLANs for DHCP Snooping. We'll now enable DHCP Snooping for VLAN 4.
SW1(config)#ip dhcp snooping vlan 4
Assuming we have a trusted DHCP server off port 0/10, we would then enter that interface's configuration mode and trust the port with the following commands:
SW1(config)#interface fastethernet 0/10
SW1(config-if)#ip dhcp snooping trust
From your previous studies, you're familiar with the DHCP Relay Agent Information option. Usually referred to as Option 82 (we still don't know what happened to the first 81 options), this option is enabled with the following command, and disabled with its no form:
SW1(config)#ip dhcp snooping information option
DHCP Snooping is verified with the show ip dhcp snooping command.
SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/10             yes         unlimited
Note that the "rate limit" for the trusted port FastEthernet0/10 is shown as "unlimited". That rate limit refers to the number of DHCP packets the interface can accept in one second (packets per second).
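Reading show ip dhcp snooping by eye is fine on one switch, but on a fleet you want the check scripted, so that a port someone trusted by mistake (and through which a rogue server's Offers would be forwarded) gets flagged. The following Python script is an added example, not the article's or Cisco's code: it parses the text of the show command as printed above (embedded here as a constant so it runs offline), expands VLAN ranges in the same 1,3-5,7 syntax IOS accepts, and audits the result against the VLANs and trusted ports you intended. The expected-state values passed to audit() are constructed for the example.

```python
# Added example (not from the original article): parse and audit the
# output of "show ip dhcp snooping".
import re

# The article's sample output, embedded as a constant for an offline run.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/10             yes         unlimited
"""


def parse_vlan_list(text):
    """Expand '1,3-5,7,9-11' (the syntax IOS accepts) into a set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_snooping(output):
    """Return global state, the snooped VLAN set and per-port trust/rate limit."""
    lines = [line.rstrip() for line in output.splitlines()]
    state = {"enabled": None, "vlans": set(), "option82": None, "ports": {}}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith(" enabled")
        elif line.startswith("DHCP snooping is configured on following VLANs:"):
            i += 1                                   # VLAN list is on the next line
            if i < len(lines) and lines[i].strip()[:1].isdigit():
                state["vlans"] = parse_vlan_list(lines[i])
        elif line.startswith("Insertion of option 82 is"):
            state["option82"] = line.endswith(" enabled")
        elif line.startswith("-----"):
            # Every non-empty line after the dashed rule is an interface row.
            for row in lines[i + 1:]:
                m = re.match(r"^(\S+)\s+(yes|no)\s+(\S+)", row)
                if m:
                    iface, trusted, rate = m.groups()
                    state["ports"][iface] = {
                        "trusted": trusted == "yes",
                        "rate_pps": None if rate == "unlimited" else int(rate),
                    }
            break
        i += 1
    return state


def audit(state, expected_vlans, expected_trusted):
    """Return findings as strings; an empty list means the switch matches intent."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    missing = expected_vlans - state["vlans"]
    if missing:
        findings.append(f"VLANs without snooping: {sorted(missing)}")
    trusted = {p for p, v in state["ports"].items() if v["trusted"]}
    for p in sorted(trusted - expected_trusted):
        findings.append(f"{p} is trusted but is not a known DHCP server port")
    for p in sorted(expected_trusted - trusted):
        findings.append(f"{p} leads to a DHCP server but is not trusted")
    return findings


if __name__ == "__main__":
    state = parse_snooping(SAMPLE_OUTPUT)
    # Constructed intent for this switch: snoop VLAN 4, trust only Fa0/10.
    for finding in audit(state, {4}, {"FastEthernet0/10"}) or ["OK: matches intent"]:
        print(finding)
```

Feed it the captured output of each switch and keep the expected trusted-port set under version control alongside the rest of your configuration; a trusted port that is not on that list is exactly the gap a rogue DHCP server needs.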
Mastering DHCP Snooping is an important part of passing both the CCNA Security and BCMSN exams - and there's more information available on how to pass these tough exams!
To Your Certification Exam Success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com