There are four packets exchanged between the client and the DHCP server during the initial negotiation:
1st: client sends DHCP Discover to the DHCP server
2nd: server sends DHCP Offer to the client
3rd: client sends DHCP Request to the server
4th: finally, the server sends DHCP Ack to the client
This means the server sends only two of the packets, the 2nd and the 4th.
So in our network environment we know which port our DHCP server is connected to; we make that port "trusted", meaning the switch accepts "DHCP Offer" and "DHCP Ack" packets only on that port.
Then if a malicious attacker tries to plug a rogue DHCP server into any other port, the switch does not allow it to send DHCP Offer and Ack packets, which protects us from rogue DHCP attacks.
How to enable the above security on a Cisco switch: DHCP Snooping
Note: this has been tested on a Cisco Catalyst 2950 switch
#conf t
(config)#ip dhcp snooping
(config)#ip dhcp snooping vlan 10
Assume fa0/10 is the port where our real DHCP server is connected
(config)#int fa0/10
(config-if)#description connect to trusted dhcp server
(config-if)#ip dhcp snooping trust
We can also limit a port to a maximum of 10 (or any other number of) DHCP packets per second, which prevents a DHCP starvation attack (a flood of DHCP Discovers that exhausts the server's address pool)
(config)#int range fa0/1 - 9
(config-if-range)#ip dhcp snooping limit rate 10
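The two decisions the switch makes above (drop server-side messages on untrusted ports, rate-limit client messages on untrusted ports) can be modelled in a few lines. This is an added example written for this page, not Cisco code; the port names, the constructed packets and the SnoopingSwitch class are assumptions used only for illustration, and the model simply drops excess packets where a real switch would err-disable the port.

```python
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}   # only a DHCP server legitimately sends these

def dhcp_message_type(packet: bytes) -> int:
    """Return the option-53 message type of a raw BOOTP/DHCP payload (0 if absent)."""
    # Fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie
    if len(packet) < 240 or packet[236:240] != b"\x63\x82\x53\x63":
        return 0
    i = 240
    while i + 1 < len(packet):
        code = packet[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        length = packet[i + 1]
        if code == 53 and length == 1 and i + 2 < len(packet):
            return packet[i + 2]
        i += 2 + length
    return 0

class SnoopingSwitch:
    """Hypothetical model of the DHCP snooping policy configured above."""
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)     # e.g. {"fa0/10"}
        self.rate_limit = rate_limit          # client packets per second per port
        self.counts = defaultdict(int)        # (port, second) -> packets seen

    def decide(self, port, packet, second=0):
        mtype = dhcp_message_type(packet)
        if mtype in SERVER_MSGS and port not in self.trusted:
            return "drop: server message on untrusted port"   # rogue server blocked
        if port not in self.trusted and self.rate_limit is not None:
            self.counts[(port, second)] += 1
            if self.counts[(port, second)] > self.rate_limit:
                return "drop: rate limit exceeded"            # starvation flood
        return "forward"

def build_dhcp(mtype):
    """Constructed minimal DHCP payload: BOOTP header + cookie + option 53 + end."""
    op = 1 if mtype in (DISCOVER, REQUEST) else 2            # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + b"\x63\x82\x53\x63" + bytes([53, 1, mtype, 255])
```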
Show commands to check the snooping status and the bindings learned through snooping:
#show ip dhcp snooping
#show ip dhcp snooping binding
We must also add an entry on the router acting as DHCP server, with the command below:
R1(config)#ip dhcp relay information trust-all
This command instructs the DHCP server that a blank giaddr is acceptable, even if option 82 is set.