Packet Tracer file (PT Version 7.1): https://goo.gl/HzpBDW
Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN
Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course).
For lots more content, visit http://www.davidbombal.com – learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.
#CCNA #PacketTracer #CCENT
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Rate-limits DHCP traffic from trusted and untrusted sources.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the RP for processing.
Trusted and Untrusted Sources
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers, and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.
A DHCP server that is on your network without your knowledge on an untrusted port is called a spurious DHCP server. A spurious DHCP server is any device running with a DHCP server enabled. Some examples are desktop and laptop systems with a DHCP server enabled, or wireless access points honoring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulties troubleshooting a network outage. You can detect spurious DHCP servers by sending dummy DHCPDISCOVER packets out to all of the DHCP servers so that a response is sent back to the switch.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
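As an added illustration (not code from the video, from Packet Tracer or from Cisco), the following Python model walks through the decisions described above: per-VLAN enablement, the per-port trust state, rate limiting, dropping server messages that arrive on untrusted ports, and building the binding database from confirmed leases. The port names, MAC and IP addresses in the scenario are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from a DHCP server, i.e. a trusted port

@dataclass
class Dhcp:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    port: str         # ingress interface on the switch
    vlan: int
    chaddr: str       # client hardware address carried in the DHCP payload
    yiaddr: str = ""  # address offered or assigned (server messages only)

@dataclass
class SnoopingSwitch:
    snooping_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)     # port -> max messages allowed
    bindings: dict = field(default_factory=dict)       # (chaddr, vlan) -> (ip, port)
    _seen: dict = field(default_factory=lambda: defaultdict(int))
    _client_port: dict = field(default_factory=dict)   # chaddr -> port of its last request

    def handle(self, m: Dhcp) -> str:
        """Return 'forward' or a drop reason for one DHCP message."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                           # feature inactive on this VLAN
        self._seen[m.port] += 1
        limit = self.rate_limit.get(m.port)
        if limit is not None and self._seen[m.port] > limit:
            return "drop:rate-limit"                   # a real switch err-disables the port
        if m.port in self.trusted_ports:
            if m.kind == "ACK" and m.chaddr in self._client_port:   # lease confirmed
                self.bindings[(m.chaddr, m.vlan)] = (m.yiaddr, self._client_port[m.chaddr])
            return "forward"
        if m.kind in SERVER_MSGS:                      # rogue server on a host port
            return "drop:server-message-on-untrusted-port"
        if m.kind == "RELEASE" and self.bindings.get((m.chaddr, m.vlan), ("", ""))[1] != m.port:
            return "drop:release-not-matching-binding" # release for a lease this port never got
        self._client_port[m.chaddr] = m.port           # DISCOVER/REQUEST/RELEASE from a host
        return "forward"

def demo():
    """Constructed scenario: enterprise server behind Gi0/1 (trusted), rogue server on Fa0/3."""
    sw = SnoopingSwitch(snooping_vlans={100}, trusted_ports={"Gi0/1"}, rate_limit={"Fa0/3": 1})
    pc = "00aa.bb00.0001"
    msgs = [Dhcp("DISCOVER", "Fa0/2", 100, pc),
            Dhcp("OFFER", "Fa0/3", 100, pc, "10.1.100.50"),   # rogue OFFER, filtered
            Dhcp("OFFER", "Fa0/3", 100, pc, "10.1.100.50"),   # second one exceeds rate limit
            Dhcp("ACK", "Gi0/1", 100, pc, "10.1.1.50"),       # enterprise server, trusted
            Dhcp("RELEASE", "Fa0/4", 100, pc)]                # release from a different port
    return [sw.handle(m) for m in msgs], dict(sw.bindings)
```

Running `demo()` shows only the DISCOVER and the trusted ACK being forwarded, with the binding for the PC recorded against the port it actually requested from.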
Transcription:
Okay so let’s configure DHCP snooping.
Before I do that, once again, on the clients or PCs, when I use the command ipconfig /renew
we can see that the PCs are getting IP addresses from the rogue DHCP server.
In some cases, they get an IP address from the enterprise server, but in other cases they get an IP address from the rogue DHCP server.
Here’s PC 1, rogue DHCP server, IP address has been allocated.
Typically, it’s the server that replies first and here you can see the PC got an IP address from the enterprise DHCP server.
So in simulation mode, when I use the command ipconfig /renew
we can see that the DHCP message is sent to the switch, is flooded to both servers.
A DHCP message is sent from the rogue server to the client and the client receives this DHCP message from the rogue server.
We can see it’s a broadcast from the rogue DHCP server. IP address is 10.1.100.201
On the rogue DHCP server, we can see that that’s the IP address of the rogue server.
My packet tracer simulation broke there.
So let’s do that again. On PC 2 ipconfig /renew
Message is sent to the switch and it’s flooded out.
In this example, DHCP message from the enterprise server is sent to the PC.
We can see that the source IP address is 10.1.1.200
In the inbound PDU we can see that as well. Client sends a reply, but notice the rogue server is also sending DHCP messages into the network…
