If you haven't done it yet, you have a ticking bomb on your network. Possible "attackers" are: an unknowing user playing with a "test" installation of some freeware that generously bundles a DHCP server; a bug in a program (no offence to the developers, but I had this problem several times with VMware, which in certain configurations gave out IP addresses on the "real" LAN); or an actual attacker trying to bring down your network, at least for a while, or, worse, to do a man-in-the-middle attack by substituting its own machine for the real default gateway and eavesdropping on your traffic. Any of them only needs to answer a client's DISCOVER faster than the legitimate server.
The Cisco solution to this is a feature called DHCP snooping. It filters DHCP traffic coming from untrusted ports, dropping server messages (OFFER, ACK, NAK) that arrive where no server should be, and it also builds a DHCP snooping binding table that records which MAC address obtained which IP address, on which VLAN and port, and for how long.
To use DHCP snooping on a Catalyst switch you must first enable it globally:

    ip dhcp snooping

Then enable it on the VLANs you want to protect (a single VLAN or a range):

    ip dhcp snooping vlan number
From the DHCP snooping point of view there are two kinds of ports: trusted and untrusted. Trusted ports are the ones on which DHCP server messages are permitted to arrive. These are the ports connected to legitimate DHCP servers and, very important, the trunk ports, because they carry DHCP traffic between the DHCP servers and the clients. A trusted port is exempt from filtering entirely, so trust only ports behind which a rogue server cannot appear, or behind which another snooping-enabled switch already does the filtering. Untrusted ports are all the rest: the access ports where normal DHCP clients live.
Trusted ports should have:

    ip dhcp snooping trust

Untrusted ports need no configuration: once snooping is enabled, every port is untrusted by default.
Additionally, you can rate-limit the DHCP messages (in packets per second) received on a port, usually on untrusted ports. It is not recommended to configure a limit higher than 100 on untrusted ports; a legitimate client sends only a handful of packets per second. Note that when the limit is exceeded the port is put into the error-disabled state, so either configure errdisable recovery for the dhcp-rate-limit cause or be prepared to re-enable such ports by hand:

    ip dhcp snooping limit rate 100

To enable insertion of DHCP Option 82 (relay agent information, carrying the switch and port the request came in on):

    ip dhcp snooping information option

On most Catalyst platforms Option 82 insertion is already on by default once snooping is enabled; it can be turned off with "no ip dhcp snooping information option".
A common caveat when configuring DHCP snooping is the situation where you have multiple VLANs and one DHCP server and you use ip helper-address on the routed interfaces. The snooping switch inserts Option 82 into client requests while leaving the relay agent address (giaddr) at 0.0.0.0, and the Cisco relay agent drops such packets by default. To let these trusted DHCP messages pass you must configure on the routed interface (e.g. the VLAN interface):

    ip dhcp relay information trusted

or, for all interfaces at once, the global command "ip dhcp relay information trust-all".
To see the DHCP snooping binding table (the mapping between MAC address, IP address, lease time, VLAN and port) you can issue:

    show ip dhcp snooping binding

while "show ip dhcp snooping" shows the snooping configuration itself (enabled VLANs, trusted ports, rate limits). Another security use for DHCP snooping (once it is activated) is Dynamic ARP Inspection (DAI), which uses the DHCP snooping binding table to discard ARP packets with invalid IP-to-MAC bindings, in an attempt to stop ARP-spoofing man-in-the-middle attacks.
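Here is the whole procedure above put together in one place, as an added example configuration that is not from the original post. It assumes a hypothetical access-layer Catalyst switch with client VLANs 10 and 20, access ports Gi1/0/1 to Gi1/0/46, a single trunk Gi1/0/48 toward the distribution layer (behind which the DHCP server 192.0.2.10 sits), and the switch itself acting as relay on its SVIs with ip helper-address. It also goes a step beyond the post: it adds the Dynamic ARP Inspection commands that consume the binding table, the errdisable recovery that goes with the rate limits, and persistence of the binding table, because after a reload an empty table would make DAI drop traffic from every client that has not renewed its lease yet.

```cisco
! Added example for a hypothetical access switch; not configuration from the original post.
! Assumed topology:
!   VLAN 10, 20     client VLANs
!   Gi1/0/1 - 46    access ports (DHCP clients)
!   Gi1/0/48        trunk toward the distribution switch; DHCP server 192.0.2.10 is reached through it
!   Vlan10, Vlan20  SVIs on this switch, acting as DHCP relay
!
! --- DHCP snooping, global part ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is the default on most platforms; shown explicitly for clarity
ip dhcp snooping information option
! Persist the binding table across reloads (a tftp:// or ftp:// URL also works)
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Dynamic ARP Inspection, validated against the snooping binding table ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- A port exceeding its rate limit is err-disabled; recover it after 5 minutes ---
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Untrusted access ports (untrusted is the default, only the limits are added) ---
interface range GigabitEthernet1/0/1 - 23
 description client ports, VLAN 10
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
interface range GigabitEthernet1/0/24 - 46
 description client ports, VLAN 20
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Trusted uplink: the only port on which DHCP server replies may enter ---
interface GigabitEthernet1/0/48
 description trunk to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Relay: accept our own Option 82 packets, which carry giaddr 0.0.0.0 ---
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 192.0.2.10
 ip dhcp relay information trusted
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 192.0.2.10
 ip dhcp relay information trusted
!
end
```

After applying it, check "show ip dhcp snooping" to confirm the VLAN list, the trusted port and the rate limits, let a client renew its lease and confirm it shows up in "show ip dhcp snooping binding", then check "show ip arp inspection vlan 10". The rate limit of 15 pps on the access ports is deliberately well below the 100 pps ceiling mentioned above; a real client never comes close to it, while a flooding tool does within a second. A quick functional test is to plug a machine running a DHCP server into one of the access ports: its OFFERs are dropped and logged by the switch, and clients keep getting their leases from 192.0.2.10.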
1 comment:
Hello,
Is it possible to activate DHCP snooping on wireless APs?
I have DHCP snooping running on Catalysts, but I'm not sure that it prevents a rogue DHCP server on my wireless network.
I have multiple SSIDs in different VLANs.
All VLANs are uplinked between an AP and a trusted trunk port on the Catalysts.
Thank you.