What is the purpose of DHCP snooping?
Dynamic Host Configuration Protocol (DHCP) snooping is a security feature implemented in network switches to prevent malicious or unauthorized DHCP activity within a network. DHCP is a protocol that automatically assigns IP addresses and other network configuration information to devices on a network.
- Switch Operation Modes:
- Trusted and Untrusted Ports: DHCP snooping classifies switch ports as either trusted or untrusted. Trusted ports are typically connected to legitimate DHCP servers, while untrusted ports are connected to end-user devices. The switch uses this classification to apply DHCP snooping policies selectively.
- DHCP Snooping Database:
- Database Creation: The switch maintains a DHCP snooping binding database that stores information about the mapping between MAC addresses, IP addresses, lease information, and the interface on which the device is connected. This database is dynamically updated as DHCP transactions occur.
- Inspection of DHCP Messages:
- DHCP Message Types: The switch monitors DHCP messages (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK) passing through its ports.
- Source IP Address Verification: The source IP address of DHCP messages is checked to ensure that it matches the DHCP server's known and legitimate IP address.
- Option-82 Information:
- Insertion of Option-82: DHCP snooping often uses Option-82, a DHCP option that allows the switch to add information about the source of the DHCP request (e.g., the interface and switch where the request was received).
- Rate Limiting:
- Control of DHCP Request Rate: DHCP snooping can implement rate limiting to prevent DHCP request flooding attacks. This limits the number of DHCP requests a port can process within a specified time period.
- Dynamic Binding Updates:
- Database Updates: When a DHCP transaction is successfully verified, the switch updates its DHCP snooping database with the relevant information, such as the IP address assigned to the device, the MAC address, lease duration, and the associated interface.
- Logging and Alerts:
- Logging: DHCP snooping events, such as unauthorized DHCP server detection or DHCP binding changes, can be logged for auditing and monitoring purposes.
- Alerts: Administrators can receive alerts or notifications when suspicious DHCP activity is detected.