Configuring IP DHCP Snooping on Cisco switch

Posted: July 27, 2015 in CISCO

DHCP snooping is a security feature that filters untrusted DHCP messages. An untrusted message is one received from outside the trusted part of the network, for example from a rogue DHCP server; such messages can be used for traffic attacks inside your network, can disrupt the network or even let an attacker take control of it.

GNS3 doesn't support the ip dhcp snooping command. Packet Tracer 6.1 does, but it has no support for debug ip dhcp snooping packet, so the best way to see DHCP snooping in action is on a real Cisco switch.


If you have no access to physical equipment, Packet Tracer will do just fine. As the DHCP server you can use a Linux or Windows DHCP server, or a Cisco router or multilayer switch.

Configure DHCP_SERVER with IP address 192.168.1.1 and a pool named mypool:

DHCP_SERVER#config t
DHCP_SERVER(config)#int gig0/0
DHCP_SERVER(config-if)#ip address 192.168.1.1 255.255.255.0
DHCP_SERVER(config-if)#no shut
DHCP_SERVER(config-if)#exit
DHCP_SERVER(config)#ip dhcp excluded-address 192.168.1.1
DHCP_SERVER(config)#ip dhcp excluded-address 192.168.1.2
DHCP_SERVER(config)#ip dhcp pool mypool
DHCP_SERVER(dhcp-config)#network 192.168.1.0 255.255.255.0
DHCP_SERVER(dhcp-config)#exit

Obtain an IP address on the client:

CLIENT#config t
CLIENT(config)#int fa0/0
CLIENT(config-if)#ip address dhcp
*Mar  1 00:43:44.131: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.3, mask 255.255.255.0, hostname CLIENT

Configure the "rogue" DHCP server:

ROGUE_DHCP#config t
ROGUE_DHCP(config)#int gig0/0
ROGUE_DHCP(config-if)#ip address 192.168.1.2 255.255.255.0
ROGUE_DHCP(config-if)#no shut
ROGUE_DHCP(config-if)#exit
ROGUE_DHCP(config)#ip dhcp excluded-address 192.168.1.1
ROGUE_DHCP(config)#ip dhcp excluded-address 192.168.1.2
ROGUE_DHCP(config)#ip dhcp pool roguepool
ROGUE_DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
ROGUE_DHCP(dhcp-config)#exit

Disable the gig0/0 interface on the "real" DHCP server (DHCP_SERVER) and try to obtain an IP address on the client:

CLIENT(config-if)#ip address dhcp
*Mar  1 00:43:44.131: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.3, mask 255.255.255.0, hostname CLIENT
ROGUE_DHCP(config)#do sh ip dhcp bind
IP address          Client-ID/              Lease expiration        Type
                    Hardware address
192.168.1.3         0001.9670.5601          --

As you can see, the client got its address from the ROGUE_DHCP server.


Preventing rogue DHCP servers with DHCP snooping

To allow only the legitimate DHCP server to hand out IP addresses, we need to configure the switch:

Switch#config t
Switch(config)#ip dhcp snooping !global enable, required in addition to the per-VLAN command
Switch(config)#ip dhcp snooping vlan 1 !I have only vlan 1 configured
Switch(config)#no ip dhcp snooping information option

DHCP snooping is now enabled on all interfaces in VLAN 1, and every port starts out as "untrusted": an untrusted port still forwards client messages such as DISCOVER and REQUEST, but the switch drops any DHCP server messages (OFFER, ACK, NAK) that arrive on it, so no server behind an untrusted port can answer clients.

no ip dhcp snooping information option

By default the switch inserts option 82 (relay agent information) into DHCP requests before forwarding them to the DHCP server. A real relay also fills in the giaddr field with its own address, and the server uses the option 82 parameters to pick the pool and sends its reply to the address in giaddr. When the switch inserts option 82 it does not change giaddr to a non-zero value; it stays 0.0.0.0. A DHCP server that sees option 82 expects a non-zero giaddr, notices it is zero and rejects the packet. To avoid this behaviour we turn the option off with no ip dhcp snooping information option.

Switch port fa0/2 is connected to our "legitimate" DHCP server, and we configure that port as "trusted":

Switch#config t
Switch(config)#int fa0/2
Switch(config-if)#ip dhcp snooping trust

The client gets its address through switch port fa0/1. For security reasons we limit the number of DHCP packets that port may receive per second; if the rate exceeds the configured value, the switch drops the traffic. Here we allow 10 DHCP packets per second.

Switch(config-if)#int fa0/1
Switch(config-if)#ip dhcp snooping limit rate 10
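
To make the two rules above concrete, here is an added Python model (not from the original post, not Cisco code) of what the switch and the server decide for a DHCP packet: it parses the BOOTP header and options, applies the untrusted-port filter and the "option 82 on untrusted port" and giaddr checks listed in the show output, and applies the server-side giaddr rejection that no ip dhcp snooping information option works around. Function names, the sample MAC and the packets are constructed for the example.

```python
import struct
from typing import NamedTuple

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the 236-byte BOOTP header
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}  # replies that only a trusted port may deliver
Dhcp = NamedTuple("Dhcp", [("msg_type", int), ("giaddr", str), ("chaddr", str), ("has_option82", bool)])

def parse_dhcp(pkt: bytes) -> Dhcp:
    """Pull the fields DHCP snooping inspects out of a raw DHCP payload (RFC 2131 layout)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = ".".join(str(b) for b in pkt[24:28])
    chaddr = pkt[28:34].hex(".", 2)              # IOS-style 0001.9670.5601
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                          # 0 = pad option, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return Dhcp(options.get(53, b"\0")[0], giaddr, chaddr, 82 in options)

def build_dhcp(msg_type: int, chaddr: bytes, giaddr: bytes = bytes(4), option82: bool = False) -> bytes:
    """Constructed sample packet for testing (not a capture): BOOTP header, cookie, options, end."""
    op = 1 if msg_type in (1, 3) else 2          # BOOTREQUEST for DISCOVER/REQUEST, BOOTREPLY otherwise
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0, bytes(4), bytes(4),
                      bytes(4), giaddr, chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = bytes([53, 1, msg_type])
    if option82:
        opts += bytes([82, 4, 1, 2, 0, 1])       # relay agent info holding a 2-byte circuit-id sub-option
    return hdr + MAGIC + opts + b"\xff"

def switch_filter(port: str, trusted: set, pkt: bytes) -> str:
    """Switch-side decision: a trusted port forwards everything, an untrusted port only clean client messages."""
    d = parse_dhcp(pkt)
    if port in trusted:
        return "forward"
    if d.msg_type in SERVER_MSGS:                # a rogue server's reply never gets past an untrusted port
        return f"drop: {SERVER_MSGS[d.msg_type]} from untrusted {port}"
    if d.has_option82 or d.giaddr != "0.0.0.0":  # "Option 82 on untrusted port is not allowed" + giaddr verification
        return f"drop: relay fields set on untrusted {port}"
    return "forward"

def server_accepts(pkt: bytes) -> bool:
    """Server-side check the post describes: option 82 present while giaddr is still 0.0.0.0 gets rejected."""
    d = parse_dhcp(pkt)
    return not (d.has_option82 and d.giaddr == "0.0.0.0")
```

Feed it an OFFER arriving on an untrusted port and it is dropped while the same OFFER on the trusted fa0/2 is forwarded; feed the server a DISCOVER that the switch tagged with option 82 but left giaddr at 0.0.0.0 and it is rejected, which is exactly the case the no ip dhcp snooping information option command avoids.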

Switch(config-if)#do sh ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0001.96C9.0480 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            no         no              10
  Custom circuit-ids:
FastEthernet0/2            yes        yes             unlimited

Disable the gig0/0 interface on the real DHCP_SERVER again, enable DHCP snooping debugging (debug ip dhcp snooping packet) and try to assign an IP address to the client. With fa0/2 shut down, the OFFER from ROGUE_DHCP arrives on an untrusted port and the switch drops it, so the client no longer gets an address from the rogue server.

Comments
  1. Jamie says:

    Use a 2960T switch in packet tracer, this supports the debug IP dhcp snooping event and packet commands. I also found that this switch adds the bindings to the switch whereas the multiswitch does not.

