Snooping in network
DHCP snooping and ARP poisoning
To understand DHCP snooping, it is essential to grasp the role of DHCP (Dynamic Host Configuration Protocol). The core function of DHCP is to automate the assignment of IP addresses to devices on the network. If you would like to learn more about dynamic addressing, you can read an article explaining how DHCP works.
DHCP snooping is a security feature that protects the DHCP service from fraud in the network. Its purpose is to prevent a malicious or unauthorised DHCP service from handing out false IP addresses to network clients. The DHCP snooping feature works on Layer 2 switches. The attacker is directly connected to our local switch, often with a spoofed MAC address (protection against spoofed MAC addresses is explained later in this paper).
As shown in picture 1 above, router 1 has been configured as a DHCP server supplying IP addresses to both networks, 192.168.20.0 and 10.1.1.0. The show ip dhcp pool output in picture 2 shows the two pools in active use, each with leased IP addresses.
R1#show ip dhcp pool
Pool Client-A :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next): 0 / 0
Total addresses : 254
Leased addresses : 2
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.20.13 192.168.20.1 - 192.168.20.254 2
Pool Client-B :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 3
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.1.14 10.1.1.1 - 10.1.1.254 2
Let's do a thought exercise and imagine that someone is physically connected to switch 2 on subnet 10.1.1.0. Developing this idea further, this person (the attacker) launches a program that starts another DHCP service. Once it is running, the attacker is able to lease IP addresses on the same subnet, 10.1.1.0.
After the attacker has installed a new DHCP service on our local subnet, we connect a new user to Switch 2. The newly connected PC tries to find a DHCP service to obtain an IP address dynamically. Since the attacker's DHCP service sits on the same subnet, there is a high probability that the new user will take the lease from the nearest DHCP server that answers, which is the attacker's device. As a result, security has been breached.
The output below shows that the newly added PC automatically obtained an IP address from the fake DHCP server.
Attacker#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.1.1.4 0100.5079.6668.56 Feb 27 2025 11:22 PM Automatic
In this way, the attacker sits between the new user and router 1 (R1). Note that the default gateway for the new user is no longer router 1's address, 10.1.1.1, but has been changed to 10.1.1.2 by the fake DHCP server's deliberately modified settings. The attacker's goal is to forward all packets through its own device, so it can read and copy the traffic of the snooped clients.
To prevent this type of network vulnerability, we must apply the DHCP snooping feature available on Cisco switches. It filters the DHCP messages arriving on untrusted ports: the Discover and Request steps of the DORA exchange, as well as Release and Decline messages.
In detail, the switch inspects and filters Discover, Request, Release and Decline messages from clients on untrusted ports. This ensures that only authorised devices are able to communicate on the network. Additionally, before allowing Release and Decline messages through, the switch compares the sender's MAC address with the list of approved devices in the snooping (binding) table. How is the snooping table created? The trusted port allows all DORA communication between the client and the DHCP server, so whenever a new lease is obtained, a record is added to the snooping table.
For Discover and Request messages, the switch checks that the client hardware address in the DHCP header matches the source MAC address in the Ethernet header. Since the DHCP message is encapsulated in the frame, the switch can easily make this comparison.
Trusted ports allow the full DORA communication between device and switch.
Let's activate the snooping feature on switch 2 with a couple of configuration lines.
Switch-2(config)#ip dhcp snooping
Switch-2(config)#int g0/0
Switch-2(config-if)#ip dhcp snooping trust
Switch-2(config-if)#
The first line is entered in global configuration mode and enables the DHCP snooping feature for all ports on the switch. The following lines show that interface GigabitEthernet 0/0 is configured to trust DHCP packets.
Good practice is to check that the new configuration works as intended on the device we changed. A thorough check with the command show ip dhcp snooping should confirm that protection against the rogue DHCP server is in place.
Switch-2#show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 5080.1000.4c00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/0 yes yes unlimited
Custom circuit-ids:
Switch-2#
The second line of this output confirms that DHCP snooping is enabled on switch 2, and the interface table shows GigabitEthernet 0/0 as trusted. Note that the same output reports that snooping is configured and operational on no VLANs; the feature only inspects traffic once it is also enabled for the VLAN the clients belong to (ip dhcp snooping vlan <vlan-id>).
Following this snooping protection update, the newly added PC (client) will only be able to obtain an IP address through the trusted port that leads to our authorised server.
VPCS> ip dhcp
DORA IP 10.1.1.14/24 GW 10.1.1.1
VPCS>
Finally, we need to add one more global setting to our DHCP snooping configuration. Because switch 2 is not a multilayer switch acting as a DHCP relay, it is recommended to disable option 82 in the snooping settings, since it is enabled by default.
This means that option 82 will not be inserted into the DHCP messages. Adding option 82 from a non-routing (Layer 2) switch could confuse some DHCP servers. This adjustment will help streamline the DHCP process and ensure smooth communication between devices on different subnets.
Switch-2(config)#no ip dhcp snooping information option
Lastly, we have another option: limiting the DHCP message rate and enabling automatic recovery of error-disabled ports. Rate limiting is a reasonable counter to denial-of-service attacks against the DHCP server, and automatic recovery handles the case where the limit puts a port into error-disabled mode. Remember that a port in error-disabled mode otherwise requires a manual shutdown and no shutdown to recover.
The command for automatic recovery can be applied to trusted and untrusted ports.
Interface Trusted Rate limit (pps)
----------------------- ------- ----------------
FastEthernet0/1 no unlimited
FastEthernet0/2 no unlimited
GigabitEthernet0/1 yes unlimited
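As an added example (not part of the original article), the following Python model shows the filtering rules described in the DHCP snooping section above together with the per-port rate limit and err-disable just discussed: trusted ports pass everything and build the binding table from server ACKs, while untrusted ports drop server messages, packets whose DHCP hardware address differs from the Ethernet source MAC, Release/Decline messages without a matching binding, and anything beyond the rate limit. The port names, MAC addresses and limit values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed topology (assumption, not the page's lab): Gi0/0 is the trusted uplink
# to R1, Fa0/1 and Fa0/2 are untrusted access ports, and Fa0/1 is limited to 3 DHCP
# packets per interval (models "ip dhcp snooping limit rate").
TRUSTED_PORTS = {"Gi0/0"}
RATE_LIMIT = {"Fa0/1": 3}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpPacket:
    port: str         # ingress switch port
    eth_src: str      # Ethernet source MAC
    chaddr: str       # client hardware address in the DHCP header
    msg: str          # DISCOVER/OFFER/REQUEST/ACK/NAK/RELEASE/DECLINE
    yiaddr: str = ""  # address assigned by the server (ACK only)

@dataclass
class Snooper:
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, client port)
    pending: dict = field(default_factory=dict)   # chaddr -> port of last DISCOVER/REQUEST
    counters: dict = field(default_factory=dict)  # port -> DHCP packets in this interval
    errdisabled: set = field(default_factory=set)

    def inspect(self, p: DhcpPacket) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP packet."""
        if p.port in self.errdisabled:
            return "drop: port is err-disabled"
        if p.port in TRUSTED_PORTS:          # server side: pass all, learn bindings
            if p.msg == "ACK" and p.chaddr in self.pending:
                self.bindings[p.chaddr] = (p.yiaddr, self.pending.pop(p.chaddr))
            return "forward"
        limit = RATE_LIMIT.get(p.port)       # untrusted side from here on
        if limit is not None:
            self.counters[p.port] = self.counters.get(p.port, 0) + 1
            if self.counters[p.port] > limit:
                self.errdisabled.add(p.port)
                return "drop: rate limit exceeded, port err-disabled"
        if p.msg in SERVER_MSGS:             # a rogue server answering from an access port
            return "drop: server message on untrusted port"
        if p.chaddr != p.eth_src:            # hwaddr verification
            return "drop: DHCP chaddr does not match Ethernet source MAC"
        if p.msg in ("RELEASE", "DECLINE"):  # must match an existing binding on this port
            bound = self.bindings.get(p.chaddr)
            if bound is None or bound[1] != p.port:
                return "drop: no binding for this client on this port"
        else:
            self.pending[p.chaddr] = p.port
        return "forward"
```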
Summary
DHCP snooping is a security feature that protects networks from malicious or unauthorised DHCP servers, preventing attackers from assigning false IP addresses to clients. DHCP (Dynamic Host Configuration Protocol) automates IP address assignment, but without proper security, attackers can set up rogue DHCP servers to intercept and manipulate network traffic.
An attacker can connect to a switch, launch a rogue DHCP service, and assign incorrect IP addresses, effectively positioning themselves between the client and the legitimate router. This allows them to eavesdrop on network traffic and execute ARP poisoning attacks.
To prevent such threats, DHCP snooping is configured on Layer 2 switches, filtering untrusted DHCP messages and ensuring only authorised servers assign IP addresses. The switch maintains a snooping table that verifies MAC addresses before allowing communication. By marking trusted ports, only legitimate DHCP messages are forwarded, securing the network.
Additionally, disabling option 82 in non-routing switches ensures smoother DHCP communication without unnecessary complications. Properly configuring DHCP snooping enhances security, protecting networks from unauthorised IP address distribution and potential cyber threats.