3.3.1 Configure DHCP Trust - ip dhcp snooping vlan

Information

You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

Rationale:

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

On a Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of the interface that connects to it.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Impact:

If DHCP snooping is not enabled, every port on the switch is effectively trusted to provide DHCP services, because nothing inspects or filters server-originated DHCP messages (OFFER, ACK, NAK). Once snooping is enabled, every interface defaults to untrusted, so the interfaces facing the legitimate DHCP server must be explicitly trusted or clients will stop receiving leases.

Without snooping, a malicious attacker can answer client requests with incorrect DHCP information. For instance, an attacker could:

Provide their own host's IP address as the default gateway, placing that host in a man-in-the-middle ('Monkey in the Middle') position from which it can intercept or modify traffic.

Provide their own host as a web proxy via DHCP option 252 (commonly called a 'WPAD attack'). This routes all browser traffic through the malicious host, for browsers that use the system proxy setting.

The final scenario is a rogue DHCP server brought in by an end user, typically a consumer access point or home router (a device with a built-in DHCP server) that they purchased themselves. The usual impact is a denial of service for the whole subnet: affected workstations end up on a different subnet (192.168.0.0/24 or 192.168.1.0/24) with the rogue device as their default gateway.

With DHCP snooping enabled and trust configured, server-originated DHCP messages arriving on an untrusted port are dropped, and the drop is logged so it can be forwarded to a syslog server or SIEM. Whether the offending port is additionally placed into err-disabled state depends on the platform and on further error-detection configuration; the drop and the log message are the behaviour to rely on.

Solution

First, enable DHCP snooping globally (on NX-OS the DHCP feature must already be enabled with `feature dhcp`, otherwise the snooping commands are not accepted)

switch(config)# ip dhcp snooping

Next, enable DHCP Snooping on target VLANs

switch(config)# ip dhcp snooping vlan 100,200,250-252

Configure Interface as Trusted

switch(config)# interface port-channel 5
switch(config-if)# ip dhcp snooping trust

On a distribution or access switch (for instance in a wiring closet or branch office), typically only the uplink ports are configured as trusted, i.e. the ports leading towards the DHCP server.
On a data center switch, especially with virtualization, the DHCP server may legitimately appear behind several ports; every port that can carry a DHCP server should be trusted, and no other port should be.
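The procedure above is easy to get subtly wrong: snooping enabled but the uplink never trusted (clients lose leases), or a host port trusted by mistake (the protection is bypassed on exactly the port an attacker can reach). The following audit script, added here as an illustration and not part of the CIS benchmark or of any Cisco tooling, parses an NX-OS-style running-config and reports those conditions. The configuration excerpt is constructed for the example (interface names appear in the normalized form the running-config uses, e.g. port-channel5), and the set of expected uplink interfaces is an assumption the operator supplies.

```python
import re
from typing import Dict, List, Set

# Constructed NX-OS running-config excerpt (not taken from a real device).
# It deliberately contains two mistakes the audit should catch:
# Ethernet1/2 is a host port that was trusted, and VLAN 300 has no snooping.
SAMPLE_CONFIG = """\
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 100,200,250-252
interface port-channel5
  description uplink to distribution
  switchport mode trunk
  ip dhcp snooping trust
interface Ethernet1/1
  switchport access vlan 100
interface Ethernet1/2
  switchport access vlan 200
  ip dhcp snooping trust
interface Ethernet1/3
  switchport access vlan 300
"""


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '100,200,250-252' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Dict:
    """Extract the DHCP snooping state from a running-config.

    Global commands are at column 0; interface sub-commands are indented.
    """
    cfg: Dict = {"feature_dhcp": False, "snooping_global": False,
                 "snooping_vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # global configuration mode
            current = None
            if line == "feature dhcp":
                cfg["feature_dhcp"] = True
            elif line == "ip dhcp snooping":
                cfg["snooping_global"] = True
            elif line.startswith("ip dhcp snooping vlan "):
                cfg["snooping_vlans"] |= expand_vlans(line.split("vlan", 1)[1])
            elif line.startswith("interface "):
                current = line.split(None, 1)[1]
                cfg["interfaces"][current] = {"trust": False, "access_vlan": None,
                                              "trunk": False}
            continue
        if current is None:                     # indented line outside an interface
            continue
        sub = line.strip()
        if sub == "ip dhcp snooping trust":
            cfg["interfaces"][current]["trust"] = True
        elif sub == "switchport mode trunk":
            cfg["interfaces"][current]["trunk"] = True
        elif re.fullmatch(r"switchport access vlan \d+", sub):
            cfg["interfaces"][current]["access_vlan"] = int(sub.split()[-1])
    return cfg


def audit(cfg: Dict, uplinks: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    if not cfg["feature_dhcp"]:
        findings.append("feature dhcp is not enabled")
    if not cfg["snooping_global"]:
        findings.append("ip dhcp snooping is not enabled globally")
    if not cfg["snooping_vlans"]:
        findings.append("no VLAN has DHCP snooping enabled")
    trusted = {name for name, i in cfg["interfaces"].items() if i["trust"]}
    if not trusted:
        findings.append("no interface is trusted: legitimate DHCP replies will be dropped")
    for name in sorted(trusted - uplinks):      # host port trusted by mistake
        findings.append(f"{name} is trusted but is not a known uplink (host port?)")
    for name in sorted(uplinks - trusted):      # uplink towards the server not trusted
        findings.append(f"uplink {name} is not trusted")
    for name, i in cfg["interfaces"].items():   # access VLAN with no snooping at all
        vlan = i["access_vlan"]
        if vlan is not None and vlan not in cfg["snooping_vlans"]:
            findings.append(f"{name} is in VLAN {vlan}, which has no DHCP snooping")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), {"port-channel5"}):
        print("FINDING:", finding)
```

Feed it the output of `show running-config` and the list of interfaces that legitimately lead towards a DHCP server; anything it reports on a trusted port that is not in that list is the "host port trusted" condition the rationale warns about.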

Default Value:

Untrusted

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Cisco

Control ID: f2d7f4a5e958d6604e1c80863a2584da2867fad88a48163d8a9507153c42dba4