When someone plugs a small consumer-grade router into your network, the consequences can be disastrous for end users trying to reach shared resources. A host holding a 192.168.1.0/24 address on a corporate network subnetted as 10.41.181.0/24 can generate a boatload of help desk calls. This lab discusses how you can prevent major network issues caused by someone plugging a small router with DHCP services into your network.
One of the biggest problems in an office environment is someone who has only one or two ports available for network devices, so they plug in a Linksys router or something of that nature to get additional ports. If BPDU Guard and Port Security are not enabled, this not only opens multiple Layer 2 vulnerabilities but also introduces a rogue DHCP server on the LAN segment.
Rogue DHCP servers on the network create multiple problems. The first is that legitimate users cannot access corporate network resources if their IP addressing does not match the corporate IP addressing. For example, the rogue DHCP server hands out a 192.168.1.0/24 address, whereas to access the corporate network you need to be in the 10.41.181.0/24 network using 10.41.181.1 as the default gateway. This prevents users from reaching file servers, the internet and more.
If the person who plugged in this rogue DHCP server knew what they were doing, they could use the router as a man-in-the-middle device: it hands out its own range of IP addresses with the small router as the default gateway, then passes the legitimate traffic on to the corporate network using a corporate IP address and PAT. During this entire time all packets can be replicated to the attacker's PC for packet analysis.
Most engineers do not think of these types of scenarios and are reactive rather than proactive when it comes to these types of attacks. Many people naturally think "oh, this would never happen in my network", but if you ask your best friend "Google" you will find several news articles about network intrusions.
When it comes to IT security, most people have the wrong mentality altogether. Just because you have never seen it or heard of it happening does not mean it will never happen to you. You have to think proactively, which is the mindset of having security and not needing it, rather than needing security and not having it.
Rogue DHCP server man-in-the-middle attacks are very simple in nature and can easily be prevented with the correct understanding and configuration.
From a Cisco Catalyst switch perspective there are just a few commands you primarily need to know. The first is ip dhcp snooping, executed in global configuration mode to enable DHCP Snooping. This command does not by itself start enforcement; you must still define which VLANs DHCP Snooping will be enforced on using the ip dhcp snooping vlan # command.
Next we need to define a trusted port, that is, a port authorized to send DHCP server response frames. Whether you need one depends on whether your switch is operating at Layer 2 or Layer 3.
If your switch is operating at Layer 2, you must define the trusted port using the ip dhcp snooping trust command in interface configuration mode.
If your switch is operating at Layer 3 and you have IP DHCP helper addresses configured on the SVI interfaces (VLAN interfaces), then a trusted port is not required, as the switch itself will respond to the DHCP request. This type of configuration is more commonly seen in real-world networks.
Whenever a DHCP request comes from a host on a VLAN where DHCP Snooping is enabled, the switch permits trusted DHCP server response(s) only and records that response in the DHCP Snooping binding database. This database is dynamic (kept in memory) by default; if you want the bindings to survive switch reloads you must configure a location for the DHCP Snooping database, such as flash:. Whether this is required depends on your network architecture.
If you wish to view your current DHCP Snooping bindings, use the show ip dhcp snooping binding command in privileged mode.
Familiarize yourself with the list of commands compiled below:
Command | Description
---|---
show ip dhcp snooping binding | Executed in user or privileged EXEC mode, displays the entries in the DHCP Snooping binding database.
ip dhcp snooping | Executed in global configuration mode, enables DHCP Snooping on the switch.
ip dhcp snooping vlan {1-4094} | Executed in global configuration mode, enables DHCP Snooping enforcement for the given VLAN(s).
ip dhcp snooping trust | Executed in interface configuration mode, tells the switch to trust DHCP server responses arriving on the configured interface.
ip dhcp snooping database flash:snoop.db | Executed in global configuration mode, configures a flash-based persistent binding database so bindings survive a reload.
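The two cases described above (a Layer 2 access switch with a trusted uplink, and a Layer 3 switch relaying through an SVI) put together as one configuration. This is an added example, not the workbook's own config or lab answer; the VLAN number, interface names and the 10.41.1.5 DHCP server address are assumptions chosen to match the 10.41.181.0/24 network mentioned in the text. The rate-limit command is a real IOS command the page does not cover.

```cisco
! Added example (not from the workbook). Assumed: VLAN 10 is the user VLAN,
! Gi0/1 is the uplink toward the legitimate DHCP server, Fa0/1-24 are user ports.

! --- Scenario A: Layer 2 access switch, DHCP server reached over the uplink ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist bindings so they survive a reload (page's "consistent database")
ip dhcp snooping database flash:snoop.db
!
interface GigabitEthernet0/1
 description Uplink toward distribution / DHCP server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only this port may deliver DHCPOFFER / DHCPACK to clients
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 24
 description User access ports (untrusted by default: server replies are dropped)
 switchport mode access
 switchport access vlan 10
 ! Cap client DHCP messages per second on each access port (not covered on the page)
 ip dhcp snooping limit rate 15
!
! --- Scenario B: Layer 3 switch relaying DHCP through its SVI ---
! No trusted access port is required: the switch relays to the server itself.
ip dhcp snooping
ip dhcp snooping vlan 10
interface Vlan10
 ip address 10.41.181.1 255.255.255.0
 ! Forward client broadcasts to the corporate DHCP server (assumed address)
 ip helper-address 10.41.1.5
!
! --- Verification ---
! show ip dhcp snooping          (enabled VLANs and trusted interfaces)
! show ip dhcp snooping binding  (client bindings learned from server replies)
```

With this in place a consumer router plugged into any Fa0/x port can still hand out addresses on its own LAN side, but its DHCPOFFER frames are discarded at the untrusted port before reaching other clients, and the binding table shows only leases that came through the trusted path. One caveat worth checking if clients stop getting addresses after enabling snooping: the switch inserts DHCP option 82 by default, and some relays or servers reject such requests; no ip dhcp snooping information option disables the insertion.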
To get started with this lab exercise please review the lab topology and prerequisites prior to loading initial configs and attempting the objective(s).
The following logical topology is used in all labs found throughout Section 1 of the CCNA Security Workbook:
To view the physical cabling topology please visit the Topology page.
The following initial configurations are provided as a base configuration to start the lab with. You may copy and paste these configurations directly into the terminal window of Stub Lab devices.
This lab requires that you have access to a real Cisco Catalyst Series Switch. You cannot complete this lab using a NM-16ESW in GNS3. If you do not have a Cisco Catalyst Switch you can reserve free lab time on the Stub Lab to have access to four Cisco Catalyst 3560 Series switches which can be used to complete this lab.
Loading the initial configuration may save you time. You can do this by copying and pasting the initial configurations provided in this lab into the terminal window of their respective device(s).
In this lab you will complete the following objectives.
It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.
If you are a student preparing for the Cisco CCNA Security Certification Exam, then you are more likely to remember how to complete these objectives if you attempt them the first time on your own, using the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.
You must load the initial configurations before you can follow this lab instruction, as SW1 has been pre-configured with a DHCP scope on VLAN 1 using the network 10.1.1.0/24.
Objective 1. – On SW1 configure DHCP Snooping for VLAN 1 and create a persistent binding database file in flash called snoop.db
```
SW1>enable
SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 1
SW1(config)#ip dhcp snooping database flash:snoop.db
SW1(config)#exit
SW1#
```
Objective 2. – Configure FastEthernet0/0 on R1 to request a DHCP IP Address.
```
R1>enable
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address dhcp
R1(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#exit
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.2, mask 255.255.255.0, hostname R1
R1#
```
Objective 3. – Verify DHCP Snooping configuration on SW1 by viewing the binding database.
```
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:23:5E:01:F7:E8   10.1.1.2         86082       dhcp-snooping  1     FastEthernet0/1
Total number of bindings: 1
SW1#
```