Introduction of DHCP Snooping
Analyzing and keeping into the consideration about the internal network connectivity methodology; it’s generally not a good idea for organization to allow BYOD to connect it via internal network; it represents deprived administration because due to this practice security loophole may create , which then can provide backdoor access for un-authenticated guest users that would effect badly for the production networks.
Thus a network administrator should take necessary steps to overcome this issue,despite of several solutions to overcome the issue, one common and unique solution is DHCP Snooping,which can be configured in network switches by trusting onto a DHCP server address; as per security perspective, we can use DHCP snooping to secure a network by controlling traffic from untrusted clients.
By facilitating switches for DHCP snooping, the switch starts building a binding database which contains the IP address, hardware address, VLAN and interface from which the client is connected by “snooping or we can say Interfering” on DHCP connections.
Ideally, DHCP Snooping blocks all DHCP broadcast packets except those which are on the trusted ports configured on the switch which means ultimately that if a DHCP server is on trusted port, the DHCP requests will be able to reach the authentication server, otherwise it will be discarded.
DHCP snooping is an example to protect against man in the middle attack. By default IGMP is the L3 function but it can also be configured on Layer -2 switches if IGMP snooping feature enabled on L2 switches .
DHCP Snooping on a HP switches:
The dhcp-snooping command configures DHCP Snooping.
• ProCurve(config)# dhcp-snooping authorized-server 172.18.x.x ( setting authorized server )
• ProCurve(config)# dhcp-snooping trust 1,2,3,4 ( taking ports 1,2,3 and 4 as trusted)
• ProCurve(config)# dhcp-snooping vlan 1-3 (Activating DHCP snooping on VLAN1, 2, and 3)
• ProCurve(config)# dhcp-snooping
Configuration example with Cisco Switches
Switch(config)# interface Fastethernet0/1
Switch(config-if)# ipdhcp snooping trust
Switch(config-if)# ipdhcp snooping limit rate 100
Switch(config)# ipdhcp snooping vlan 1
Switch(config)# ipdhcp snooping
Switch(config)# ipdhcp snooping information option
Switch# show ipdhcp snooping
Switch# show ipdhcp snooping binding
There are some other option available as well tostop un-authorized access to internal network, i.e. we can implement wireless intrusion detection system or IP source guard. But DHCP snooping is the effective one.