Protecting your network against rogue DHCP servers

If you haven't done it yet, you have a ticking bomb on your network. Possible "attackers" are: an unknowing user playing with a "test" installation of some freeware that generously bundles a DHCP server; a bug in a program (no offence to the developers, but I had this problem several times with VMware, which in certain configurations handed out IP addresses on the "real" LAN); or an actual attacker trying to bring down your network, at least for a while, or, worse, to mount a man-in-the-middle attack by substituting their own machine for the real default gateway and eavesdropping on your traffic.

The Cisco solution to this is called DHCP snooping. This feature filters untrusted DHCP traffic and also builds a DHCP snooping binding table.

To use DHCP snooping on the Catalyst switch you must enable it globally:

ip dhcp snooping

To enable DHCP snooping on your VLANs:

ip dhcp snooping vlan <number>

From the DHCP snooping point of view there are two kinds of ports: trusted and untrusted. Trusted ports are the ones on which DHCP server messages are allowed to arrive and pass. These are the ports connected to legitimate DHCP servers and, very important, trunk ports, because they must carry DHCP traffic between DHCP servers and clients. Untrusted ports are all the rest: ports facing normal hosts that act as DHCP clients. Server messages arriving on an untrusted port are dropped, which is exactly what stops a rogue server.

Trusted ports should have:

ip dhcp snooping trust

Untrusted ports don't need any config option; untrusted is the default state of a port once snooping is enabled.

Additionally, you can limit the rate of DHCP messages (per second) that a port accepts, usually on untrusted ports. It's not recommended to configure a limit higher than 100 on untrusted ports:

ip dhcp snooping limit rate 100

To enable insertion of DHCP Option 82:

ip dhcp snooping information option

A common caveat in configuring DHCP snooping is the situation where you have multiple VLANs and a single DHCP server reached through ip helper-address. For the relayed DHCP messages to be accepted as trusted you must configure, on the routed interface (e.g. the VLAN interface):

ip dhcp relay information trusted

To see the DHCP snooping binding table (the mapping between MAC address, IP address, lease time, VLAN and port) you can issue:

sh ip dhcp snooping binding

Another security use for DHCP snooping (once it is enabled) is Dynamic ARP Inspection, which uses the DHCP snooping binding table to discard ARP packets with invalid IP-to-MAC bindings, in an attempt to stop ARP-spoofing man-in-the-middle attacks.
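The steps above assembled into one Catalyst configuration, as an added example that is not part of the original post. It assumes client VLANs 10 and 20, the DHCP server on GigabitEthernet1/0/1 in VLAN 100 with the constructed address 10.0.0.5, an uplink trunk on GigabitEthernet1/0/24, and SVIs that relay DHCP to the server; all interface names, VLAN numbers and addresses are placeholders. The Dynamic ARP Inspection commands at the end are standard IOS commands that the post only names as a feature, and the errdisable recovery line is an optional addition.

```cisco
! Added example, not from the original post. Interface names, VLAN ids and
! addresses are placeholders chosen for illustration.
!
! 1. Enable DHCP snooping globally, on the client VLANs, with Option 82
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping information option
!
! 2. Trusted ports: the legitimate DHCP server and the trunk uplink.
!    Server replies (DHCPOFFER/DHCPACK) are only accepted here.
interface GigabitEthernet1/0/1
 description DHCP server (constructed address 10.0.0.5)
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
 description Uplink trunk carrying VLANs 10,20,100
 switchport mode trunk
 ip dhcp snooping trust
!
! 3. Untrusted access ports: no trust statement (the default), only a
!    rate limit so a misbehaving host cannot flood the switch with DHCP.
!    A rogue server answering on one of these ports is silently dropped.
interface range GigabitEthernet1/0/2 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100
!
! Optional: ports err-disabled by the rate limit recover automatically
errdisable recovery cause dhcp-rate-limit
!
! 4. Routed interfaces relaying DHCP to the server: accept the snooped
!    (Option 82-bearing) packets as trusted
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip dhcp relay information trusted
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip dhcp relay information trusted
!
! 5. Dynamic ARP Inspection on top of the snooping binding table
!    (standard IOS commands; the post only names the feature)
ip arp inspection vlan 10,20
interface GigabitEthernet1/0/24
 ip arp inspection trust
!
! Verification commands:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
```

When checking the result, look at show ip dhcp snooping for the list of trusted interfaces: any port not in that list that is connected to a server, or any trunk missing from it, will break DHCP for the clients behind it, which is the usual symptom of a snooping misconfiguration.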


2 Responses to "Protecting your network against rogue DHCP servers"

j4v1v1 said... July 10, 2008 at 8:17 PM


Is it possible to activate DHCP snooping on wireless APs?

I have DHCP snooping running on Catalysts, but I'm not sure that it prevents a rogue DHCP server on my wireless network.

I have multiple SSIDs in different VLANs.
All VLANs are uplinked between an AP and a trusted trunk port on the Catalysts.

Thank you.

Pasqu said... January 8, 2013 at 11:47 PM

I just wrote a piece of software for Windows that helps people configure Catalyst switches and also port security functions like DHCP snooping.
It's available for free at
It's the first release, so any suggestion or question is appreciated.
