How to protect DHCP using Cisco switches

Here is a simple explanation of the features that can be enabled on most Cisco switches to protect DHCP services.


Port Security
Description:
  • Count the number of MAC addresses that are seen coming from a user's switchport. If the number of MAC addresses goes above a configured limit (usually a low number), take appropriate action. This action can range from blocking any new MAC addresses to disabling the switchport.
Benefits:
  • Prevents a hacker from repeatedly spoofing their MAC address to flood the switch CAM (Content Addressable Memory) table. Once the table is full, the switch behaves like a hub and floods every packet out of all ports, so traffic can be sniffed from any port.

  • Prevents a hacker from "gobbling" up all available DHCP leases and leaving none for your users.

DHCP Snooping

Description:
  • This feature functions like a DHCP firewall: DHCP server replies (offers and acknowledgements) are dropped on any port that is not configured as "trusted", while client requests are still allowed through. Only switch uplinks and DHCP server ports should be configured as trusted.
Benefits:
  • Prevents a hacker from running a rogue DHCP server and handing out invalid IP address information to your users. This can be used for a DoS (Denial of Service) attack, or, by handing out a malicious default gateway or DNS server, for a MitM (Man-in-the-Middle) attack.
  • Prevents users from plugging in home routers that are unknowingly running DHCP, causing your users to get bogus IP information and not be able to use the network.

IP Source Guard
Description:
  • By watching which IP addresses are assigned by DHCP (the binding table that DHCP Snooping builds), the switch can create dynamic ACLs on each port that block all traffic except traffic from the DHCP-assigned IP address.
Benefits:
  • Prevents a hacker from spoofing their IP address to launch an anonymous attack.

  • Prevents users from ignoring DHCP and manually configuring a static IP address.
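Here is an added example (not from the original post) showing how the three switch features above fit together on a Cisco Catalyst access switch running IOS. The interface names, VLAN 10, the MAC limit of 2 and the rate limit of 10 packets per second are assumptions chosen for illustration; adjust them for your network.

```cisco
! --- DHCP Snooping (global) ---
! Enable snooping and restrict it to the user VLAN(s)
ip dhcp snooping
ip dhcp snooping vlan 10
! Caveat: by default the switch inserts DHCP option 82. If your DHCP server
! does not understand it, clients may get no lease; disable it in that case.
no ip dhcp snooping information option
! Let a port that was shut down by a port-security violation recover on its own
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- Uplink toward the real DHCP server: the ONLY trusted port ---
interface GigabitEthernet1/0/24
 description Uplink to distribution (DHCP server lives upstream)
 ip dhcp snooping trust

! --- Typical user access port ---
interface GigabitEthernet1/0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Port Security: allow at most 2 MAC addresses (PC + IP phone),
 ! shut the port if a third one appears
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5
 ! DHCP Snooping: this port is untrusted (default), so server replies are
 ! dropped; also rate-limit DHCP packets to stop lease-exhaustion floods
 ip dhcp snooping limit rate 10
 ! IP Source Guard: only traffic whose source IP (and MAC) matches a
 ! DHCP snooping binding is forwarded; static IPs and spoofed IPs are dropped
 ip verify source port-security

! Useful checks after configuring:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
!   show port-security interface GigabitEthernet1/0/1
```

Enable IP Source Guard only after DHCP Snooping has been running long enough for clients to renew their leases, otherwise hosts with existing leases will be blocked until they obtain a new one.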

Split-Scope DHCP

Description:
  • This is not a Cisco switch feature; it is a DHCP server best practice. Split-scope involves using two DHCP servers for the same network, each handing out a portion (usually half) of the IP addresses, so that together they cover the whole range.
Benefits:
  • Prevents the failure of one DHCP server from disrupting DHCP services.

Comments

  1. Thanks a lot,
    I found my answer here!
    Good luck.
    A. ZALI
