The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-101239	CISC-L2-000130	SV-110343r1_rule		Medium

Description
In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server, any device (PC, Wireless Access Point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports. The DHCP snooping feature validates DHCP messages received from untrusted sources and filters out invalid messages as well as rate-limits DHCP traffic from trusted and untrusted sources. DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it utilizes the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all VLANs.

Description

In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server, any device (PC, Wireless Access Point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports. The DHCP snooping feature validates DHCP messages received from untrusted sources and filters out invalid messages as well as rate-limits DHCP traffic from trusted and untrusted sources. DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it utilizes the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all VLANs.

STIG	Date
Cisco NX-OS Switch L2S Security Technical Implementation Guide	2020-05-07

Details

Check Text ( C-100119r1_chk )
Step 1: Review the switch configuration and verify that DHCP snooping is enabled on a per-VLAN basis as shown in the example below: vlan 1,4,6-10 ip dhcp snooping … … … ip dhcp snooping vlan 4,6-10 Note: Switchports assigned to a user VLAN would have drops in the area where the user community would reside; hence, the "untrusted" term is used. Server and printer VLANs would not be applicable. By default, DHCP snooping is disabled on all VLANs. If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources, this is a finding.

Check Text ( C-100119r1_chk )

Step 1: Review the switch configuration and verify that DHCP snooping is enabled on a per-VLAN basis as shown in the example below:

vlan 1,4,6-10
ip dhcp snooping
…
…
…
ip dhcp snooping vlan 4,6-10

Note: Switchports assigned to a user VLAN would have drops in the area where the user community would reside; hence, the "untrusted" term is used. Server and printer VLANs would not be applicable. By default, DHCP snooping is disabled on all VLANs.

If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources, this is a finding.

Fix Text (F-106943r1_fix)
Step 1: Enable the DHCP feature. SW1(config)# feature dhcp Step 2: Configure the switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as shown in the example below: SW1(config)# ip dhcp snooping SW1(config)# ip dhcp snooping vlan 4,6-10