Saturday, June 9, 2012

DHCP Snooping


  • DHCP snooping prevents the damage inflicted by several attacks that use DHCP.
  • DHCP snooping causes a switch to examine DHCP messages & filter the inappropriate ones.
  • DHCP snooping builds a table of IP address & port mappings.
    • This table is built from the DHCP messages the switch observes.
    • This table is called the DHCP snooping binding table.
  • The DHCP snooping binding table can also be used by the DAI & IP Source Guard features.
  • DHCP snooping defeats certain attacks (for example, a man-in-the-middle attack using DHCP) by treating ports as untrusted.
  • DHCP snooping allows all DHCP messages only on trusted ports.
  • For this to work, DHCP clients should be connected to untrusted ports.
  • As a result, on untrusted ports the switch filters incoming DHCP messages of the kinds that only servers send.
  • From a design point of view, unused & unsecured user ports should be configured as untrusted for DHCP snooping.
  • DHCP snooping also examines DHCP client messages on untrusted ports, because other attacks can be made using DHCP client messages.
  • DHCP servers identify clients by the client hardware address listed in the DHCP request.

DAI Commands


Command                                                             Purpose
ip arp inspection vlan vlan-range                                   Global command that enables DAI on this switch for the specified VLANs.
[no] ip arp inspection trust                                        Interface subcommand that enables or disables DAI on the interface.
ip arp inspection filter arp-acl-name vlan vlan-range [static]      Global command that refers to an ARP ACL defining static IP/MAC addresses to be checked by DAI for that VLAN (step 2 in the DAI logical steps list).
ip arp inspection validate {[src-mac] [dst-mac] [ip]}               Enables additional optional checks of ARP messages (steps 3-5 in the DAI logical steps list).
ip arp inspection limit {rate pps [burst interval seconds] | none}  Limits the ARP message rate to prevent DoS attacks carried out by sending a large number of ARPs.
  • DAI automatically sets a limit of 15 ARP messages per port per second to mitigate that risk.
  • The ip arp inspection limit command is used to change this default value.

DAI logical steps in finding inappropriate messages

  • Step 1: If an ARP reply lists a source IP address that was not DHCP-assigned to a device off that port, DAI filters the ARP reply.
  • Step 2: DAI also uses a list of statically defined IP/MAC address combinations for comparison.
  • Step 3: For a received ARP reply,
    • DAI compares the source MAC address in the Ethernet header to the sender MAC address in the ARP message.
    • These MACs should be equal in normal ARP replies.
    • If they are not, DAI filters the ARP message.
  • Step 4: As in the previous step, DAI compares the destination Ethernet MAC and the target MAC listed in the ARP body.
  • Step 5: DAI checks for unexpected IP addresses listed in the ARP message, such as 0.0.0.0, 255.255.255.255, multicasts, & so on.
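The checks above, modelled in Python as an added example (not Cisco code): `inspect()` runs the binding-table lookup, the static ARP ACL lookup and the three optional `validate` checks over a constructed ARP reply, and `over_limit()` applies the 15 pps default rate limit. The binding table, ARP ACL, port names and MACs are all constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class ArpReply:
    port: str        # switch port the frame arrived on
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    sender_mac: str  # ARP body sender hardware address
    sender_ip: str   # ARP body sender protocol address
    target_mac: str  # ARP body target hardware address
    target_ip: str   # ARP body target protocol address

# Constructed DHCP snooping binding table: port -> {(ip, mac)} learned from DHCP exchanges.
BINDINGS = {
    "Gi0/1": {("10.1.1.11", "aa:aa:aa:aa:aa:11")},
    "Gi0/2": {("10.1.1.12", "aa:aa:aa:aa:aa:12")},
}
STATIC_ACL = {("10.1.1.1", "00:00:5e:00:01:01")}  # constructed stand-in for the ARP ACL (step 2)
TRUSTED_PORTS = {"Gi0/24"}  # constructed uplink; DAI does not inspect ARP on trusted ports
DEFAULT_LIMIT_PPS = 15  # default per-port DAI rate limit

def unexpected_ip(ip: str) -> bool:
    """Step 5: addresses that should never appear in an ARP body."""
    a = IPv4Address(ip)
    return a in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or a.is_multicast

def inspect(reply: ArpReply, validate=("src-mac", "dst-mac", "ip")):
    """Return None if DAI forwards the reply, else the reason DAI drops it."""
    if reply.port in TRUSTED_PORTS:
        return None
    pair = (reply.sender_ip, reply.sender_mac.lower())
    # Steps 1-2: sender IP/MAC must match a DHCP-learned binding on this port or a static entry.
    if pair not in BINDINGS.get(reply.port, set()) and pair not in STATIC_ACL:
        return "sender IP/MAC not in binding table or ARP ACL"
    # Step 3: Ethernet source MAC must equal the ARP sender MAC ('validate src-mac').
    if "src-mac" in validate and reply.eth_src.lower() != reply.sender_mac.lower():
        return "Ethernet source MAC differs from ARP sender MAC"
    # Step 4: Ethernet destination MAC must equal the ARP target MAC ('validate dst-mac').
    if "dst-mac" in validate and reply.eth_dst.lower() != reply.target_mac.lower():
        return "Ethernet destination MAC differs from ARP target MAC"
    # Step 5: reject 0.0.0.0, 255.255.255.255 and multicast addresses ('validate ip').
    if "ip" in validate and (unexpected_ip(reply.sender_ip) or unexpected_ip(reply.target_ip)):
        return "unexpected IP address in ARP body"
    return None

def over_limit(arrival_times, limit=DEFAULT_LIMIT_PPS) -> bool:
    """True if more than `limit` ARP messages arrived on one port within any one-second window."""
    t = sorted(arrival_times)
    return any(t[i] - t[i - limit] < 1.0 for i in range(limit, len(t)))
```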