DHCP snooping
From Wikipedia, the free encyclopedia
DHCP snooping is a feature that can be configured on LAN switches while a DHCP server is allocating IP addresses to the clients on the LAN. It bolsters the security of the LAN by allowing only clients with specific IP and MAC addresses to access the network.
DHCP snooping is a series of layer 2 techniques. It works with information from a DHCP server to:
- Track the physical location of hosts.
- Ensure that hosts only use the IP addresses assigned to them.
- Ensure that only authorized DHCP servers are accessible.
In short, DHCP snooping ensures IP integrity on a Layer 2 switched domain.
With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.
DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker could set up a server to wreak havoc in the network or even control it.
Preventing ARP Spoofing
ARP spoofing is a common method of attacking a network by stealing the IP address of a network server and sniffing the traffic passed to it. Some switch vendors have devised a defense against this form of attack that imposes very strict control over which ARP packets are allowed into the network. Allied Telesis switches have a sub-feature of DHCP snooping known as ARP Security,[1] while the equivalent feature on Cisco devices is called Dynamic ARP Inspection.[2]
ARP security can guard against this poisoning by its strict control of what ARP packets are allowed to be forwarded. ARP security checks the IP address in the Source Protocol Address field of ARP packets.
If that IP address is not one that DHCP snooping has recorded as being in use by a host connected to the port on which the ARP packet arrived, the ARP packet is dropped.
Therefore, ARP security makes it impossible for a host to poison the ARP caches of other hosts, as the switch will only allow through ARP packets that have genuine information in the Source Protocol Address field.
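The following is an added example, not part of the Wikipedia article, that models the two mechanisms described above: a switch learns IP-to-MAC-to-port bindings from DHCP traffic (accepting server replies only on a trusted port) and then applies the ARP Security / Dynamic ARP Inspection check to the Source Protocol Address of ARP packets on untrusted ports. Port names, MAC and IP addresses are constructed sample values, and the MAC comparison follows the article's "specific IP addresses with specific MAC addresses on specific ports" rather than checking the IP alone.

```python
# Added example: DHCP snooping binding table plus ARP Security / DAI check; all addresses constructed.
TRUSTED_PORTS = {"Gi1/0/24"}  # constructed: uplink towards the real DHCP server

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> access port that sent DISCOVER/REQUEST
        self.bindings = {}  # (access port, leased IP) -> client MAC

    def dhcp_client_request(self, port, client_mac):
        """Client DISCOVER/REQUEST seen on an access port: remember that port."""
        self.pending[client_mac] = port
        return True

    def dhcp_server_reply(self, port, client_mac, offered_ip):
        """Server OFFER/ACK: accept only from a trusted port and record the lease.
        A reply arriving on an untrusted port is a rogue DHCP server and is dropped."""
        if port not in self.trusted or client_mac not in self.pending:
            return False
        self.bindings[(self.pending.pop(client_mac), offered_ip)] = client_mac
        return True

    def arp_allowed(self, port, sender_mac, sender_ip):
        """ARP Security / DAI: forward an ARP only if its Source Protocol Address
        was leased to this MAC on the ingress port. Trusted ports are not checked."""
        if port in self.trusted:
            return True
        return self.bindings.get((port, sender_ip)) == sender_mac

def demo():
    """One lease, one rogue server reply and three ARPs; every value should be True."""
    sw = SnoopingSwitch(TRUSTED_PORTS)
    mac = "aa:aa:aa:aa:aa:01"
    sw.dhcp_client_request("Gi1/0/1", mac)
    rogue = sw.dhcp_server_reply("Gi1/0/2", mac, "10.0.0.99")  # reply on an access port
    real = sw.dhcp_server_reply("Gi1/0/24", mac, "10.0.0.50")  # reply on the trusted uplink
    return {
        "rogue_server_blocked": not rogue,
        "lease_recorded": real,
        "own_ip_ok": sw.arp_allowed("Gi1/0/1", mac, "10.0.0.50"),
        # the host claims the gateway's address (cache poisoning attempt): dropped
        "spoofed_ip_dropped": not sw.arp_allowed("Gi1/0/1", mac, "10.0.0.1"),
        # a host on another port uses the leased address: dropped
        "wrong_port_dropped": not sw.arp_allowed("Gi1/0/3", mac, "10.0.0.50"),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

A real switch also ages bindings out with the DHCP lease and rate-limits DHCP and ARP on untrusted ports; the model above leaves those out.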
External links
- Configure your Catalyst to be more secure