DHCP works like this; it's a 4-step process.
- The Client PC will search the network for a DHCP Server
  - "Any DHCP Servers out there?"
- The DHCP Server will reply back with an offer
  - "Yeah I'm here. 10.10.10.32 is available, do you want it?"
- The Client PC will then officially request the IP that has been offered
  - "Yes DHCP Server, thank you, I will use this IP address"
- The DHCP Server will then Acknowledge the Client PC's use of the IP.
  - "Ok, thanks."
Now put a Rogue DHCP Server on the same network and run the same 4 steps:
- The Client PC will search the network for a DHCP Server
  - "Any DHCP Servers out there?"
- BOTH DHCP Servers will respond
  - The DHCP Server will reply back with an offer
    - "Yeah I'm here. 10.10.10.32 is available, do you want it?"
  - The Rogue DHCP Server will reply back with an offer
    - "Yeah I'm here. 10.10.10.92 is available, do you want it?"
- The Client PC will respond to whichever DHCP Offer is received FIRST, then officially request the IP that has been offered. In this case we'll say the Rogue DHCP Server was faster.
  - "Yes Rogue DHCP Server, thank you, I will use this IP address"
- The Client PC will then ignore the DHCP offer from the legitimate DHCP Server entirely.
- The Rogue DHCP Server will then Acknowledge the Client PC's use of the IP.
  - "Ok, thanks."
The problem now is that the Client PC was granted permission onto the network by a rogue non-authorized device. There are a lot of problems this could cause as the DHCP server provides not only an IP address, but also the default gateway, DNS servers, along with optional settings like which voice server to utilize.
The best case scenario really is that the Client PC may not have access to any of its resources. The reason this is good is because it's easy to spot and easy to fix.
The worst case scenario is that the Client PC could be using this rogue device as its gateway, meaning the rogue device could be performing man-in-the-middle attacks on all connectivity to and from this host. The attacker could even be recording call data from voice traffic.
DHCP snooping on the switch is the fix. Basically, you enable snooping globally, then you call out specifically which interfaces are actually connected to the authorized DHCP Server (the trusted interfaces). This way, when a Rogue DHCP Server tries to send an offer from any other port, the switch shuts that port down to keep it from performing DHCP on the network.
With snooping enabled, the same exchange looks like this:
- The Client PC will search the network for a DHCP Server
  - "Any DHCP Servers out there?"
- BOTH DHCP Servers will respond
  - The DHCP Server will reply back with an offer
    - "Yeah I'm here. 10.10.10.32 is available, do you want it?"
  - The Rogue DHCP Server will reply back with an offer
    - "Yeah I'm here. 10.10.10.92 is available, do you want it?"
- The switch will shut down the port connected to the Rogue DHCP Server, and this traffic will never get to the Client PC.
- The Client PC will then officially request the IP that has been offered
  - "Yes DHCP Server, thank you, I will use this IP address"
- The DHCP Server will then Acknowledge the Client PC's use of the IP.
  - "Ok, thanks."
On Cisco Switches you'll want to perform the following:
Cisco IOS
- ip dhcp snooping (global command): Enables DHCP snooping globally.
- ip dhcp snooping vlan <#,#,#> (global command): Enables DHCP snooping on the specified VLANs; in those VLANs, DHCP offers are only accepted when they arrive on trusted interfaces.
- ip dhcp snooping trust (interface command): Identifies which interfaces are expected to have DHCP Offers coming from them. Every other interface is untrusted by default.
Cisco NX-OS
- feature dhcp: Enables the DHCP feature globally, which is a prerequisite for DHCP snooping.
- ip dhcp snooping (global command): Enables DHCP snooping globally.
- ip dhcp snooping vlan <#,#,#> (global command): Enables DHCP snooping on the specified VLANs; in those VLANs, DHCP offers are only accepted when they arrive on trusted interfaces.
- ip dhcp snooping trust (interface command): Identifies which interfaces are expected to have DHCP Offers coming from them. Every other interface is untrusted by default.
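Putting the IOS commands together, here is an added example configuration (not from the original page). It assumes client VLAN 10, GigabitEthernet1/0/24 as the uplink toward the authorized DHCP Server, and GigabitEthernet1/0/1-23 as client access ports.

```cisco
! Added example, not from the original page. Assumed topology:
! VLAN 10 = client VLAN, Gi1/0/24 = uplink to the authorized DHCP Server,
! Gi1/0/1-23 = client access ports (where a Rogue DHCP Server could appear).
ip dhcp snooping
ip dhcp snooping vlan 10
! Without a DHCP relay agent, stop the switch inserting option 82 so the
! real DHCP Server does not discard the snooped client requests.
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/24
 description Uplink toward authorized DHCP Server - the only trusted port
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 23
 description Client access ports - untrusted by default
 switchport mode access
 switchport access vlan 10
 ! DHCP Offers/Acks arriving on these untrusted ports are blocked.
 ! Cap client DHCP packets per second; exceeding it err-disables the port.
 ip dhcp snooping limit rate 15
!
! Verification after applying:
! show ip dhcp snooping          -> snooped VLANs and trusted ports
! show ip dhcp snooping binding  -> IP/MAC/port leases the switch has learned
```

If the binding table shows a client holding an address outside the authorized server's scope (10.10.10.92 in the scenario above), a rogue server is still answering somewhere and the port it sits behind has not been made untrusted.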
All