DHCP Snooping Configuration on the Aruba 2930 and 2530 Switch Series.
DHCP Snooping is a Layer 2 switch security feature that blocks unauthorized (rogue) DHCP
servers from handing out IP addresses to DHCP clients. The same feature can also insert
DHCP Option 82 (relay agent information) into the client requests the switch forwards.
Before configuring DHCP snooping you need to know the IP address of the legitimate DHCP
server, which is entered as the authorized (trusted) server, and which uplink ports lead towards it.
A DHCP Starvation attack is a common network attack that targets DHCP servers. Its
objective is to flood the organization's DHCP server with DHCP DISCOVER/REQUEST
messages, each carrying a different spoofed source (client hardware) MAC address.
The DHCP server cannot tell these from genuine clients, answers every one of them and
hands out leases until its address pool is exhausted. At that point the organization's
DHCP server can no longer serve real clients, and the attacker can bring up his own
rogue DHCP server to answer them instead. DHCP Starvation is often the first stage
of a Man-in-the-Middle attack: the rogue DHCP server distributes fake IP
parameters, including the default gateway and DNS server addresses, so that client
traffic is routed through the attacker's machine for inspection.
[Figure: Typical Man-in-the-Middle attack. Client data streams flow through the attacker]
Using packet capture and protocol analysis tools the attacker can fully reconstruct
any captured data stream and extract files from it, at least for traffic that is not
protected by TLS or another encryption layer. The process is simple and requires only
a basic understanding of such tools.
In other cases the Man-in-the-Middle position is used for reconnaissance, with the
objective of gathering information about the network infrastructure and its services
and of identifying hosts of high interest such as financial or database servers.
It should by now be evident how a simple attack can become a major security threat
for any organization. The attacks above are examples of how easily an attacker can
infiltrate the network and reach valuable information simply by connecting an
unauthorized/untrusted device to an available network port, bypassing firewalls and
the other layers of security that sit elsewhere in the path.
ROGUE DHCP SERVERS – A MAJOR SECURITY THREAT & SOURCE OF NETWORK DISRUPTIONS
Rogue DHCP servers are a common problem in enterprise organizations and are not
always related to an attack. They tend to appear out of nowhere when users connect
consumer-grade network devices (a home router, for example) to the network
infrastructure, unaware that the device ships with its own DHCP server enabled.
The rogue DHCP server then starts assigning IP addresses to hosts on the network,
causing connectivity problems and in many cases major service disruptions. In the
best case DHCP clients are handed an address from the wrong subnet, which cuts them
off from the rest of the network. In the worst case clients are assigned an IP
address already used by a network infrastructure device, e.g. the VLAN interface on
the core switch or a firewall interface, causing address conflicts and serious
network disruption.
[Figure: A rogue DHCP server in action, taking control of DHCP services]
While many organizations enforce security policies that do not allow third-party or
unauthorized devices to be connected to their network, there are still incidents
where users who do not understand (or care about) the security implications connect
such devices to the network infrastructure without consulting their IT department.
Educating users and enforcing security policies can be extremely challenging, which
is why technical controls need to be in place to contain these incidents, and this
is where DHCP Snooping comes into the picture.
DHCP SNOOPING SUPPORT FOR Aruba 2930M, 2930F, 2530M, 2530F etc.
DHCP Snooping is available on all of the above switch series (2930M, 2930F, 2530M,
2530F), which run the ArubaOS-Switch operating system.
DHCP Snooping is a standard security feature and requires no additional licensing
on either older or current ArubaOS-Switch releases, so the feature is available and
readily configurable on all of these switches.
[Figure: Examples of Aruba switch series: 2930M, 2930F, 2530M, 2530F]
DHCP Snooping is enabled globally and then applied on a per-VLAN basis: the global
command switches the feature on, and a separate command lists the VLANs to protect,
either individually or as ranges, e.g. VLANs 1-20 and VLANs 45-50. A VLAN that is
not listed is not inspected even when snooping is globally enabled.
HOW DHCP SNOOPING WORKS – DHCP
SNOOPING CONCEPTS – TRUSTED, UNTRUSTED PORTS/INTERFACES
DHCP Snooping is a Layer 2 security switch feature which
blocks unauthorized (rogue) DHCP
servers from distributing IP addresses to DHCP
clients. In fact Cisco was the first vendor to implement DHCP Snooping
as a security feature in its network switches and other vendors have since then
followed with similar features.
Note-It is important to note that DHCP snooping is an access
layer protection service. It does not belong in the core network.
The way DHCP Snooping works is fairly straightforward. DHCP Snooping categorizes all
switch ports into two simple categories:
· Trusted Ports
· Untrusted Ports
A Trusted Port, also known as a Trusted Source or Trusted Interface, is a port whose
DHCP server messages are accepted because the device behind it is under the
organization's administrative control. For example, the port to which your
organization's DHCP server connects, or the uplink that leads towards it, is
configured as a Trusted Port. This is also shown in the diagram below:
[Figure: DHCP Snooping Concepts: Trusted and Untrusted Ports]
An Untrusted Port, also known as an Untrusted Source or Untrusted Interface, is a port
from which DHCP server messages are not accepted. A typical untrusted port is one
where hosts or PCs connect: DHCPOFFER, DHCPACK or DHCPNAK messages should never be
seen arriving on such a port, because those messages are only ever sent by DHCP
servers, so the switch drops them. Client messages (DHCPDISCOVER, DHCPREQUEST) are
still forwarded from untrusted ports, which is what keeps legitimate clients working.
How to configure DHCP Snooping on an Aruba switch?
Answer: DHCP snooping is configured to stop unauthorized (rogue) DHCP servers from
offering IP addresses to DHCP clients. The commands below are entered in global
configuration context. Keep the order shown: every port that is not marked trusted
becomes untrusted the moment snooping is enabled, so trust the uplink and declare the
server first and enable the feature last.
Step 1: Aruba-tech(config)# dhcp-snooping authorized-server 10.20.62.11 # the legitimate DHCP server; server replies from any other address are dropped.
Step 2: Aruba-tech(config)# dhcp-snooping trust <uplink-port-list> # the uplink towards the DHCP server is the trusted port; every other port stays untrusted.
Step 3: Aruba-tech(config)# dhcp-snooping vlan <vlan-id-range> # every client VLAN that should be protected must be listed here.
Step 4: Aruba-tech(config)# dhcp-snooping # enables DHCP snooping globally.
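The following is an added, complete worked configuration for an ArubaOS-Switch access switch (2930F/2530), not taken from the original page. It assumes that ports 49-50 are the uplinks towards the core and the DHCP server, that the client VLANs are 10 through 20, and reuses the page's server address 10.20.62.11 and hostname Aruba-tech. Lines starting with ";" are comments in the ArubaOS-Switch configuration convention and are not typed on the switch.

```text
; Added example (not from the original page). Assumptions: uplinks are ports 49-50,
; client VLANs are 10-20, the legitimate DHCP server is 10.20.62.11.

; 1. Declare the only DHCP server allowed to answer. Server messages from any other
;    address are dropped even if they arrive on a trusted port.
Aruba-tech(config)# dhcp-snooping authorized-server 10.20.62.11

; 2. Trust the uplinks BEFORE enabling snooping. Every port not listed here is
;    untrusted, and DHCPOFFER/ACK/NAK seen on an untrusted port is dropped.
Aruba-tech(config)# dhcp-snooping trust 49-50

; 3. Select the client VLANs to protect (a range is accepted).
Aruba-tech(config)# dhcp-snooping vlan 10-20

; 4. Option 82: with snooping enabled the switch inserts relay-agent information
;    into client requests by default. If the upstream relay or DHCP server rejects
;    tagged packets, disable insertion here ...
Aruba-tech(config)# no dhcp-snooping option 82
; ... or keep insertion and state what to do with client packets that already
;    carry Option 82 when they arrive on an untrusted port (drop is the safe choice):
; Aruba-tech(config)# dhcp-snooping option 82 untrusted-policy drop

; 5. Turn the feature on globally (last step).
Aruba-tech(config)# dhcp-snooping

; 6. Verify: trusted ports, protected VLANs, authorized server, the bindings learned
;    from DHCPACKs on trusted ports, and the drop counters that reveal a rogue server.
Aruba-tech(config)# show dhcp-snooping
Aruba-tech(config)# show dhcp-snooping binding
Aruba-tech(config)# show dhcp-snooping stats
```

After step 5, plug a consumer router into any access port and watch "show dhcp-snooping stats": its DHCPOFFERs should appear as drops on the untrusted port while clients keep receiving leases from 10.20.62.11 via the trusted uplink. If clients stop getting addresses right after enabling the feature, the usual cause is step 4 (Option 82 being rejected upstream) or an uplink that was not listed in step 2.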