DHCP snooping is a relatively new feature that exists in most switch feature sets. While it may go by different names from one switch vendor to another, the concept remains the same. DHCP snooping allows network administrators to force IP allocation on specific switch ports to be provisioned only through DHCP from an approved DHCP server in the network. DHCP snooping assists administrators with endpoint IP allocation and protects the network from rogue DHCP servers without changing how users experience IP address assignment.

The feature has a number of benefits. First, by protecting against static IP assignment, administrators are able to track endpoints connecting to switch access ports through the DHCP leases that were vended to them. Secondly, it prevents IP conflicts in DHCP address space caused by users statically assigning an address that was previously vended through DHCP. Preventing unwanted static IP addresses helps secure your network and also allows newer security technologies like Network Access Control (NAC) to function smoothly.

While DHCP snooping can protect against endpoints connecting to the network with a static IP, it can also protect your network from rogue DHCP servers. A few years ago, a couple of wireless access points had a bug where the wired interface would start responding to DHCP requests and vending out IP space that was designated for wireless users. Back then, the only way to protect against this was fine-grained allocation of subnets and VLANs, along with significant manual labor to isolate the device and shut off the offending port. Today, with DHCP snooping, DHCP responses vended from unauthorized DHCP sources in the network are considered invalid, and endpoints with bogus IP addresses are not allowed to access the network.

Network security must always be balanced with network usability. For users who require a consistent IP address while DHCP snooping is in use, DHCP reservations are recommended. This allows not only centralized tracking but also administratively designated IP allocation. A consistent IP can be changed simply by altering the IP address reserved for a given MAC address in the DHCP server. Alternatively, you could selectively disable DHCP snooping on a port-by-port basis.

DHCP snooping enables administrators to protect against unwanted static IP assignment, protect their networks from rogue DHCP servers, and centralize IP address management for easier administration. It also works hand in hand with NAC products to deliver a secure and easy alternative for layer 3 enforcement of network compliance policy.

Note that in some cases (Cisco, for example), DHCP snooping will have to be enabled together with "DHCP snooping MAC address verification" to perform packet-level verification that all packets are sent with the MAC address to which the DHCP lease was assigned.
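The following is an added example configuration in Cisco IOS Catalyst syntax illustrating the points above (trusted uplink to the approved DHCP server, untrusted access ports, and MAC address verification); it is not taken from the original post, and the VLAN numbers, interface names and database path are assumptions for illustration. One practical detail worth knowing: on Cisco IOS, DHCP snooping by itself only filters DHCP messages and builds the binding table; blocking a host that configures a static address (the behaviour the article describes) is done by the companion feature IP Source Guard (`ip verify source`), which drops traffic whose source address has no entry in that binding table, so it is included here. MAC address verification is enabled by default on these platforms, but stating it explicitly keeps the intent visible in the running configuration.

```cisco
! Added example (Cisco IOS Catalyst syntax); interface names, VLAN ids and the
! database path are assumptions, not values from the original article.

! Enable DHCP snooping globally and on the user VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! On untrusted ports, check that the source MAC of a DHCP packet matches the
! client hardware address (chaddr) carried inside the DHCP message.
ip dhcp snooping verify mac-address
! Persist the binding table so IP Source Guard still has bindings after a reload.
ip dhcp snooping database flash:dhcp-snooping.db

! Only the uplink toward the approved DHCP server is trusted. DHCPOFFER/DHCPACK
! messages arriving on any other port are dropped, which neutralises the rogue
! access point scenario described above.
interface GigabitEthernet1/0/48
 description Uplink toward distribution / approved DHCP server
 switchport mode trunk
 ip dhcp snooping trust

! Access ports stay untrusted (the default). Rate-limit DHCP to blunt
! address-exhaustion floods, and enable IP Source Guard so frames from an IP
! address that is not in the snooping binding table (i.e. a static IP) are dropped.
interface range GigabitEthernet1/0/1 - 47
 description User access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source

! Verification commands (run from privileged EXEC):
!   show ip dhcp snooping          - global state, trusted ports, MAC verification
!   show ip dhcp snooping binding  - leases learned from DHCPACKs per port/VLAN
!   show ip verify source          - which ports are enforcing the binding table
```

The port-by-port exception mentioned earlier maps onto this configuration as simply omitting `ip verify source` on the interface in question; the port then still cannot act as a DHCP server (it remains untrusted) but is no longer held to the binding table for its data traffic. The `show ip dhcp snooping binding` output is also the audit trail the article refers to: every entry ties a MAC address and IP lease to the switch port it was learned on.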
