The other day, a smart user (I consider him evil) attached an ADSL modem to a network port. What he didn't realize was that his device was programmed to work as a DHCP server. As a result, the whole VLAN started getting wrong IP addresses, and connectivity was lost. After investigation, we realized a rogue DHCP server was on the network, tracked it down, and finally blocked the port manually.
Of course, the best approach would have been to enable DHCP snooping on the switch and not worry about anyone attaching any funny thing to the network. To get an idea of what DHCP snooping is, please read Cisco's document. I will quote the basic idea.
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.
Just following the normal command-line steps will surely hinder the network; in fact, it blocked all DHCP requests. The information option (DHCP option 82 insertion) should be disabled. That is what I realized, and what I found in many other forums.
The second issue I encountered was that DHCP snooping cannot be enabled on a switch whose VTP mode is anything other than transparent. What I found is that it is disabled in the other modes for security reasons: if a VTP domain is compromised, an attacker can remove or add VLANs, compromising the integrity of the VLANs, and this causes a problem for DHCP snooping, since it would start affecting other VLANs.
The following commands configure DHCP snooping:
ip dhcp snooping
ip dhcp snooping vlan vlan-number
no ip dhcp snooping information option
interface GigabitEthernet0/1   ! this is the uplink
 ip dhcp snooping trust
Here is the output of the various show commands:
L2CS-B851-01#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 2893.fef7.f280 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
L2CS-B851-01#show ip dhcp snooping statistics
Packets Forwarded = 415328
Packets Dropped = 7601
Packets Dropped From untrusted ports = 0
L2CS-B851-01#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:80:EE:79:8A   10.80.51.38      420810      dhcp-snooping  851   FastEthernet0/5
E0:CB:4E:06:FC:3E   10.80.51.99      372172      dhcp-snooping  851   FastEthernet0/45
00:21:9B:E2:87:C6   10.80.51.80      421750      dhcp-snooping  851   FastEthernet0/4
00:26:6C:78:00:F3   10.80.51.174     425902      dhcp-snooping  851   FastEthernet0/36
00:1B:38:AF:81:DD   10.80.51.186     423185      dhcp-snooping  851   FastEthernet0/43
Total number of bindings: 5
Applying DHCP snooping on the access switch is enough, as long as the uplinks are trusted. It is not required to apply this configuration on the distribution switch (assuming that no one has access to it).
Overall, this should have been done ages ago. I am very glad that I implemented this in our network.
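As an added example (not part of the original post or of Cisco's tooling), here is a small Python audit that parses the two show outputs above and checks the points the post makes: the uplink must be trusted, bindings should only appear on untrusted ports, and a duplicate IP in the binding table is worth a look. The interface names, MAC and IP addresses in the sample are constructed, and the audit assumes the output format shown on this page.

```python
import re
from collections import Counter

# Constructed sample output modelled on the post's two show listings (values made up).
SNOOPING_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
GigabitEthernet0/2         no         no              15
"""
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:80:EE:79:8A   10.80.51.38      420810      dhcp-snooping  851   FastEthernet0/5
E0:CB:4E:06:FC:3E   10.80.51.99      372172      dhcp-snooping  851   FastEthernet0/45
00:21:9B:E2:87:C6   10.80.51.38      421750      dhcp-snooping  851   FastEthernet0/4
AA:BB:CC:DD:EE:01   10.80.51.200     3600        dhcp-snooping  851   GigabitEthernet0/1
Total number of bindings: 4
"""

TRUST_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)\s*$", re.M)
BIND_RE = re.compile(r"^([0-9A-F:]{17})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
                     re.M | re.I)

def parse_trusted(text):
    """Interfaces the switch reports as trusted (the only ports allowed to send OFFER/ACK)."""
    return {m.group(1) for m in TRUST_RE.finditer(text) if m.group(2) == "yes"}

def parse_bindings(text):
    """Rows of the binding table as dicts; the header and dash lines do not match BIND_RE."""
    return [dict(mac=m[0].upper(), ip=m[1], lease=int(m[2]), type=m[3], vlan=int(m[4]), iface=m[5])
            for m in BIND_RE.findall(text)]

def audit(snooping_text, binding_text, uplinks):
    """Return (code, detail) findings a defender should act on."""
    trusted = parse_trusted(snooping_text)
    bindings = parse_bindings(binding_text)
    # An untrusted uplink means the real server's replies are dropped (the outage in the post).
    findings = [("UNTRUSTED_UPLINK", u) for u in uplinks if u not in trusted]
    # Bindings are learned only on untrusted ports, so one on a trusted port is stale or suspicious.
    findings += [("BINDING_ON_TRUSTED", b["iface"]) for b in bindings if b["iface"] in trusted]
    # Two clients bound to one IP may mean a second server handed out the same address.
    findings += [("DUPLICATE_IP", ip) for ip, n in Counter(b["ip"] for b in bindings).items() if n > 1]
    reported = re.search(r"Total number of bindings:\s*(\d+)", binding_text)
    if reported and int(reported.group(1)) != len(bindings):
        findings.append(("COUNT_MISMATCH", (len(bindings), int(reported.group(1)))))
    return findings
```

Feed it the real output of the two show commands (for example, saved from a terminal session) and a list of the ports you expect to be uplinks; an empty findings list is the healthy state.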