DHCP snooping

In computer networking, DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure.

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN to allow only clients with specific IP and MAC addresses to have access to the network.

DHCP snooping is a series of layer-2 techniques that ensures IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:

With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping can also prevent attackers from adding their own DHCP servers to the network. An attacker-controlled DHCP server (Rogue DHCP) could cause malfunction of the network or even control it.

DHCP snooping is an important component in the defense against ARP spoofing. ARP security checks the IP address in the Source Protocol Address field of ARP packets. If that IP address is not an address that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP, then the ARP packet is dropped.

External links

This article is issued from Wikipedia - version of the Monday, January 25, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.