Got it


Latest reply: Aug 23, 2018 19:44:49 684 1 1 0 0

Hello everyone,

Today I will share the information on DHCP in HCNP.

DHCP is an extension of BOOTP.

DHCP is based on the Client-Server model. 

DHCP assigns an IP address in this order

  1. If there is a manual IP address configured.

  2. IP Address assigned to the same client before.

  3. First IP Address free found.

  4. If there isn't search for the one with a timeout and conflicting addresses if there isn't an error is reported. 

Remember since the DHCP Discover goes by broadcast the Origin MAC address is the same that is delivered to the DHCP server so when the DHCP server sends the unicast has the destination address of the host in this way he knows the packet it's for him.

DHCP Working Procedure

Just as shows UP with the Discovery, Offer, Request, and Ack.

Just remember when a client logs into the network again it doesn't need to send a DHCPDISCOVER again, instead, he sends a DHCPREQUEST containing the last IP address allocated to check with the DHCP server if he could use the same. If the IP address is not free the DHCP server answer with a DHCPNAK and the host started the process from 0. 

Configuring a DHCP server in each segment of a network is uneconomical. The DHCP Relay function solves this issue.

Through a DHCP relay agent, a client can apply to the DHCP server on another network. This allows centralized management.

DHCP packets are generally broadcast and broadcast packets aren't forwarded by routers.

To make it possible need relays agents. 

DHCP relay agent must listen to all UDP packets whose destination port is 67. 

In the DHCP packet, there is a Field called giaddr this field indicates the IP address of the first DHCP relay agent. When a client broadcasts a packet this field is in 0 then fills this field with his own IP address to forward to the DHCP Server. 

If the packet is a response packet from the DHCP server, the Relay Agent broadcast or unicasts the packet to the DHCP client depending on the broadcast flag. 

DHCP Snooping

DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

DHCP snooping acts as a firewall between DHCP clients and a DHCP server to prevent DHCP attacks on the network, ensuring security in communication services.

  • A DHCP security feature intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP relay agent.

  • DHCP snooping creates and maintains a DCHP snooping binding table, and filters untrusted DHCP messages according to the table.

    The table contains MAC address, IP address, Lease time, VLAN ID, and interface information.

  • DHCP snooping creates a firewall between clients and the DHCP server by maintaining this binding table.

  • DHCP snooping protects DHCP enable devices against DoS attacks, bogus DHCP server attacks.

Trusted Interface

Snooping provides the trusted interface to ensure that the client obtains an IP address from an authorized server.

The interfaces that reach some DHCP servers are trusted interfaces the other ones no. If an untrusted interface receives a packet with the giaddr different of 0 this isn't analyzed.

You can set a physical interface or a VLAN as trusted or untrusted.

DCHP messages received from untrusted interfaces are directly discarded.

It is the same as STP Guard. If the port shouldn't send DHCP with the giaddr address field different of 0 this means this port shouldn't have a relay agent connected doesn't analyst and dropped. In this way avoids a DoS attack since someone could connect a DHCP relay agent and overload the network with DHCP discovery packets. 

Ip DHCP snooping trust -> Cisco command to enable the trust of DHCP packets. 

DHCP snooping records a DHCP binding table that contains the client's IP and MAC addresses, port number, and VLAN ID of the interface that received the client's request. When a client is connected an entry is created when the client goes offline the entry is deleted.

When or after a binding table is generated, DHCP snooping checks DHCP packets and compares the fields in the packet with the binding table if there is something different this packet is discarded. 

DHCP snooping is used to prevent

Denial of Service DoS

Bogus DHCP server attacks

False DHCP who answer with wrong IP, DNS and Gateway

ARP middleman attacks

The MITM disguises itself as the DHCP server for the Clients request and obtains interaction information between them

IP/MAC spoofing attacks 

DHCP snooping can be applied to both layer 2 and layer 3 devices. 

DHCP snooping binding table contains dynamic and static binding entries

  • Static Entries: They are manually entered on the inbound interface.

  • Dynamic Entries: They are generated on the inbound interface according to DHCP packets 

Static Binding:

If static IP addresses are allocated to clients you can configure static binding entries for these allocated IP addresses to prevent certain users from stealing these static IP addresses.

Dynamic Binding:

Dynamic entries in the DHCP snooping binding table do not need to be configured

They are automatically generated when DHCP snooping is enabled.

DHCP Snooping Option 82:

When this option is enabled in DHCP the DHCP Relay agent inserted in the originated DHCP packets to the DHCP Server.

Servers recognizing the Option may use the information to implement IP address or other parameter assignment policies.

Users with static IP address have not matched DHCP snooping binding entry on the switch because the user didn't obtain the IP address by DHCP so ARP or IP packet sent it from this user are discarded.  To allow the users with statically allocated IP addresses to access the network must configure a static DHCP snooping binding table. This is to avoid someone else configure a static IP address and make use of the network when he shouldn't.

So all packets need to have a Snooping Binding entry where is an entry of which IP address and Which MAC address should have this host. If the MAC address is different from the one recorded the packets are discarded. 

Application of DHCP Snooping

DHCP exhaustion attack: The attacker changes his MAC address a requests several IP addresses until the pool is over.

Solution: The MAC address limiting function can prevent this attack. Port-Security feature learned mac addresses.

ARP attacks - The system is overload with ARP requests.

In Cisco, the command is "ip arp inspection trust"

This need to enable in all ports that connect to another Switch as the "ip dhcp snooping trust"

DHCP Structure Packets

  • The DHCP packet has a Hops field this is put to 0 by the client and each relay agent that passes add 1.

      The maximum number of Relay agents allowed is 4. At the 5 relay agent is discarded.

  • Client IP Address: Used in renew, or rebinding process. In the beginning, is because the customer hasn't an IP address

  • Your IP Address: IP allocated by the DHCP Server.

  • Server IP Address: The IP address of a server.

  • Gateway IP Address: The IP address of the first relay agent.

  • Client Hardware Address: Indicates the MAC address of a client

That is all I want to share with you! Thank you!

  • x
  • convention:

Created Aug 23, 2018 19:44:49

Thanks for the DHCP advices, I think use of DHCP depends of each network, this will information helps to check the good way to use it.
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.