Understanding DHCP Snooping and Basic Configurations : Cisco, Juniper and Huawei

Today I am going to talk about the DHCP Snooping concept in this article. There are a lot of queries on DHCP Snooping where people want to understand why it is used in the enterprise network. I will put some of those questions here.

What is DHCP Snooping?
What is the difference between trusted and untrusted hosts, servers and ports?
How does DHCP Snooping work?

These are the basic questions on DHCP Snooping, let me take you guys through it.

DHCP Snooping is a feature that classifies traffic sources as either trusted or untrusted. It ensures that DHCP clients obtain IP addresses only from authorised DHCP servers, and it records the mappings between the IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network. Trusted sources are the ones you already allow in your network; an untrusted source may be an attack. To prevent such attacks, enable the DHCP snooping feature, which filters messages and rate-limits traffic from untrusted sources.

In a network made up of switches, routers and firewalls, all of these devices are trusted sources because they are part of the network, while traffic coming from devices beyond them is always treated as untrusted. Host ports and unknown DHCP servers are also treated as untrusted sources.

If you ever find a DHCP server on an untrusted port in your network that you did not know about, it is a source of invalid traffic and is called a spurious DHCP server. A spurious DHCP server is any piece of equipment that is running with a DHCP server enabled. Some examples are desktop and laptop systems configured with a DHCP server enabled, or wireless access points honouring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulty troubleshooting a network outage. You can detect spurious DHCP servers by sending dummy DHCPDISCOVER packets out to all of the DHCP servers so that a response is sent back to the switch.

In an enterprise or service provider network, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.

Fig 1.1- DHCP Snooping Operation

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
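The decision logic described above (server messages accepted only on trusted ports, client hardware address checked against the source MAC, rate limiting on untrusted ports, and the IP-to-MAC binding table built from the server's ACK) can be modelled in a few lines. The following is an added example written for this article, not code from the original post or from any of the vendors mentioned; the DHCP packets, port names and MAC addresses are constructed sample data, and the rate limit is simplified to a packet count per measurement window rather than a true packets-per-second meter.

```python
"""Toy model of DHCP snooping: trusted vs untrusted ports, server-message filtering,
chaddr validation, rate limiting and the binding table. Added example; packets are
constructed inline and are not captured traffic."""
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}        # only a DHCP server should ever send these
CLIENT_MSGS = {DISCOVER, REQUEST}
MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie that precedes the options
HDR = "!BBBBIHHIIII"              # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0"):
    """Construct a minimal DHCP packet (sample data for the demo)."""
    op = 1 if msg_type in CLIENT_MSGS else 2                          # BOOTREQUEST / BOOTREPLY
    yi = int.from_bytes(bytes(int(o) for o in yiaddr.split(".")), "big")
    pkt = struct.pack(HDR, op, 1, 6, 0, 0x3903F326, 0, 0, 0, yi, 0, 0)
    pkt += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")   # chaddr field is 16 bytes
    pkt += bytes(64) + bytes(128)                                     # sname and file, unused here
    return pkt + MAGIC + bytes([53, 1, msg_type, 255])                # option 53, then END


def parse_dhcp(pkt):
    """Extract the fields snooping needs: op, message type, client MAC and offered IP."""
    op, _htype, hlen, *_rest = struct.unpack(HDR, pkt[:28])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 255:          # walk TLV options until END
        if pkt[i] == 0:                            # PAD option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"op": op, "type": msg_type,
            "chaddr": pkt[28:28 + hlen],
            "yiaddr": ".".join(str(b) for b in pkt[16:20])}


class SnoopingSwitch:
    """Per-port policy as the article describes: DHCP servers only behind trusted ports."""

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit            # DHCP packets allowed per untrusted port per window
        self.counters = defaultdict(int)        # packets seen per port in the current window
        self.pending = {}                       # client MAC -> port that sent DISCOVER/REQUEST
        self.bindings = {}                      # client MAC -> (leased IP, client port)
        self.log = []

    def _drop(self, port, reason):
        self.log.append(f"DROP {port}: {reason}")
        return False

    def receive(self, port, src_mac, pkt):
        """Return True if the frame is forwarded, False if snooping drops it."""
        trusted = port in self.trusted
        self.counters[port] += 1
        if not trusted and self.counters[port] > self.rate_limit:
            return self._drop(port, "DHCP rate limit exceeded")
        msg = parse_dhcp(pkt)
        if not trusted:
            if msg["type"] in SERVER_MSGS:
                return self._drop(port, f"server message (type {msg['type']}) from untrusted port")
            if msg["chaddr"] != src_mac:       # the chaddr check from the Huawei config below
                return self._drop(port, "chaddr does not match source MAC")
            self.pending[msg["chaddr"]] = port
        elif msg["type"] == ACK and msg["chaddr"] in self.pending:
            client_port = self.pending.pop(msg["chaddr"])     # bind the lease to the client's port
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], client_port)
        self.log.append(f"FORWARD {port}: type {msg['type']}")
        return True


def demo():
    """Walk through the cases from the text; returns (decisions, bindings, log)."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/2"}, rate_limit=100)   # Fa0/2 faces the real server
    client = bytes.fromhex("001122334455")
    rogue = bytes.fromhex("aabbccddeeff")
    results = [
        sw.receive("Fa0/5", client, build_dhcp(REQUEST, "00:11:22:33:44:55")),           # legitimate client
        sw.receive("Fa0/2", bytes.fromhex("000000000001"),
                   build_dhcp(ACK, "00:11:22:33:44:55", "10.0.3.20")),                    # real server, trusted port
        sw.receive("Fa0/7", rogue, build_dhcp(OFFER, "00:11:22:33:44:55", "10.0.3.99")),  # spurious server on host port
        sw.receive("Fa0/7", rogue, build_dhcp(DISCOVER, "00:11:22:33:44:55")),            # spoofed chaddr
    ]
    return results, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Running the file prints one line per frame showing which were forwarded and which were dropped; the binding table ends up holding only the lease handed out by the server behind the trusted port, tied to the port the client actually sits on, which is what the switch later uses for features such as IP source guard.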

I hope you now understand the basic idea of DHCP snooping, how it works, and what trusted and untrusted ports, servers and hosts are.

Below is the basic configuration of DHCP snooping in your network, starting with Cisco switches.

DHCP Snooping on Cisco Switches

Switch_NB-Cisco(config)# interface Fastethernet0/2
Switch_NB-Cisco(config-if)# ip dhcp snooping trust
Switch_NB-Cisco(config-if)# ip dhcp snooping limit rate 100
Switch_NB-Cisco(config-if)# exit
Switch_NB-Cisco(config)# ip dhcp snooping vlan 3
Switch_NB-Cisco(config)# ip dhcp snooping
Switch_NB-Cisco(config)# ip dhcp snooping information option

DHCP Snooping on Juniper Switches

Switch_NB-Juniper# set ethernet-switching-options secure-access-port vlan vlan-name examine-dhcp
Switch_NB-Juniper# set ethernet-switching-options secure-access-port vlan all examine-dhcp
Switch_NB-Juniper# set class-of-service forwarding-classes class class-name queue-num queue-number
Switch_NB-Juniper# set ethernet-switching-options secure-access-port vlan vlan-name examine-dhcp forwarding-class class-name
Switch_NB-Juniper# set ethernet-switching-options secure-access-port vlan all examine-dhcp forwarding-class class-name

Replace vlan-name, class-name and queue-number with your own values. The first two lines enable DHCP snooping on a single VLAN or on all VLANs; the remaining lines optionally assign snooped DHCP packets to a forwarding class. On Junos releases with Enhanced Layer 2 Software (ELS) the equivalent is set vlans vlan-name forwarding-options dhcp-security.

DHCP Snooping on Huawei Switches

[Switch_NB-Huawei] dhcp enable
[Switch_NB-Huawei] dhcp snooping enable
[Switch_NB-Huawei] interface gigabitethernet 0/0/2
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping enable
[Switch_NB-Huawei-GigabitEthernet0/0/2] quit
[Switch_NB-Huawei] interface gigabitethernet 0/0/1
[Switch_NB-Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
[Switch_NB-Huawei-GigabitEthernet0/0/1] quit
[Switch_NB-Huawei] dhcp snooping check dhcp-rate enable
[Switch_NB-Huawei] dhcp snooping check dhcp-rate 90
[Switch_NB-Huawei] dhcp snooping alarm dhcp-rate enable
[Switch_NB-Huawei] dhcp snooping alarm dhcp-rate threshold 500
[Switch_NB-Huawei] interface gigabitethernet 0/0/2
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 120
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping max-user-number 20
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
[Switch_NB-Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 120