Wednesday, August 17, 2016


DHCP Snooping

First let’s review how DHCP operate normally
                                                              We got a laptop for example DHCP Client and when it comes up on the network it needs ip address information. It might need an “IP address, Subnet mask, a DNS server and Default gateway and might need another piece of information

DHCP uses something called the “DORA” Process
There are four different messages exchanged between DHCP Client and DHCP Server



                                          Here Just assume that DHCP server and client in same subnet and we going to send broadcast “it’s says “DHCP Discover” broadcast and that’s received by the DHCP Server and it respond within Offer “DHCP Offer “that’s the “O” in DORA process. The offer is identifying this specific DHCP server. At this point the client knows the ip address of this “Corporate DHCP Server”. Then we would complete the DORA process, the client would send the “R” the “Request” saying “hey can I have some ip address information”, then the “A” in DORA is the “Acknowledgement”
                                 The big point there is that the “D” in DORA process is to send a broadcast and the broadcast goes everywhere within Vlan by default 

What if we have malicious user introduce a “Rouge DHCP Server” on the network.
                                                   When this DHCP Client sends out its DHCP Discover message. The “Legitimate(True) DHCP Server” and the Rouge DHCP Server would get that, and they both respond, what if the rouge DHCP Server responded quicker, then the corporate DHCP Server. Well our client its gonna go whichever server responded quicker
                                                       If we did have Rouge DHCP server on the network. Statically it would respond before the corporate DHCP Server at certain percentage of time, and we would have these DHCP Clients learning their ip address information from the rouge DHCP Server and what harm could cause
                                                           Well this rouge DHCP Server could be sending information “saying that the default gateway for client” is actually the attacker device. The attacker could be intercepted all these traffic coming from the client, and then they would forward traffic on its way, so though the client didn’t realize anything wrong. That’s the one way of launching the “Man in Middle Attack” where the attacker is convincing the client to send traffic through the attacker device

Way to Prevent that, is to use feature Cisco gives us on over cisco catalyst switches called “DHCP snooping”
What we can do is, go in and say “which ports are “Trusted” and which ports are “Untrusted”
                                           We would say that “we wanna to trust ports that were uplink ports that’s guide us to our legitimate(True) DHCP server” But we would not trust other ports. That way when DHCP client send out its Discover message
And which received by the legitimate(True) DHCP server and Rouge DHCP server. 
                                                         When the Rouge DHCP server responded within offer, it would be rejected by that untrusted port running a DHCP snooping.
                                                          Meanwhile the legitimate(True) DHCP Offer message would make it back to the client and client would get authenticated information
Configuration of DHCP Snooping in Cisco Catalyst Switch

Now Add one extra layer of Protection
                                                     In addition to having Rouge DHCP server on the network, another DHCP Threat called DDOS(Denial-of-Service) Attack. We can have somebody that start flooding our legitimate(True) DHCP server with overwhelming number of DHCP discover message. We can do our untrusted ports typically we can limit maximum amount of dhcp traffic going to be allowed that port. We can set DHCP rate limit on untrusted port.

Conclusion: - That’s a look how we can add a couple of layer of DHCP Protection to our network using great little feature “DHCP Snooping”


  1. Thanks it is very useful

  2. Your explanation of DORA is not correct. DHCP server sends the IP address for the client already in Offer. Be aware of giving false information!!!