The Journey of a Network Engineer

Mar 22 2011   7:30AM GMT

Configuring IP DHCP Snooping.

Sulaiman Syed

The other day, a smart user (I consider him evil) attached an ADSL modem to a network port. What he didn't realize was that his device was programmed to work as a DHCP server. As a result, the whole VLAN started getting the wrong IP addresses, and connectivity was lost. After investigation, we realized there was a rogue DHCP server, tracked it down, and finally blocked the port manually.

Of course, the best option was to enable DHCP snooping on the switch, and not worry about anyone attaching any funny thing to the network. To get an idea of what DHCP snooping is, please read Cisco's document. I will quote the basic idea.

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

Just following the normal command line will surely hinder the network; in fact, it blocked all DHCP requests. The information option (Option 82) should be disabled. That is what I realized, and what I found in many other forums.

The second issue I encountered was that DHCP snooping will not be enabled on any switch with a VTP mode other than transparent. What I found is that it is disabled in the other modes for security reasons: if a VTP domain is compromised, an attacker can remove or add VLANs, compromising the integrity of the VLANs, and this will cause an issue with IP DHCP snooping, since DHCP snooping will start affecting other VLANs.

The following should be used to configure DHCP snooping (global configuration first, then trust the uplink interface):

ip dhcp snooping
ip dhcp snooping vlan vlan-number
no ip dhcp snooping information option
!
! GigabitEthernet0/1 is the uplink
interface GigabitEthernet0/1
 ip dhcp snooping trust

Here is the output of the various show commands:

L2CS-B851-01#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 2893.fef7.f280 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
Custom circuit-ids:
L2CS-B851-01#show ip dhcp snooping statistics
Packets Forwarded                                     = 415328
Packets Dropped                                       = 7601
Packets Dropped From untrusted ports                  = 0

L2CS-B851-01#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:80:EE:79:8A      420810      dhcp-snooping   851   FastEthernet0/5
E0:CB:4E:06:FC:3E      372172      dhcp-snooping   851   FastEthernet0/45
00:21:9B:E2:87:C6      421750      dhcp-snooping   851   FastEthernet0/4
00:26:6C:78:00:F3     425902      dhcp-snooping   851   FastEthernet0/36
00:1B:38:AF:81:DD     423185      dhcp-snooping   851   FastEthernet0/43
Total number of bindings: 5
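As an added check (not from the original post), here is a small Python script that parses the "show ip dhcp snooping" output above and flags anything that departs from the design described in this post: snooping enabled, Option 82 insertion disabled, the access VLAN operational, and only the uplink trusted. The sample output is constructed from the post's format; its VLAN line and the FastEthernet0/7 trusted row are assumptions added for the demonstration.

```python
# Constructed sample modelled on the post's "show ip dhcp snooping" output; the VLAN line and the FastEthernet0/7 row are added assumptions.
SAMPLE_SHOW = """\
Switch DHCP snooping is enabled
DHCP snooping is operational on following VLANs:
851,900-902
Insertion of option 82 is disabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
FastEthernet0/7            yes        yes             unlimited
"""

def expand_vlans(text):
    """Turn an IOS VLAN list such as '851,900-902' into a set of ints."""
    vlans = set()
    for part in filter(None, text.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(output):
    """Extract global state, option 82 insertion, operational VLANs and trusted ports."""
    lines = [l.strip() for l in output.splitlines()]
    st = {"enabled": "Switch DHCP snooping is enabled" in lines,
          "option82_inserted": "Insertion of option 82 is enabled" in lines,
          "operational_vlans": set(), "trusted": set()}
    for i, line in enumerate(lines):
        if line == "DHCP snooping is operational on following VLANs:":
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt and not nxt.startswith("DHCP snooping"):  # VLAN list sits on the next line
                st["operational_vlans"] = expand_vlans(nxt)
        parts = line.split()  # trust table rows: <intf> <yes|no> <yes|no> <rate>
        if len(parts) == 4 and parts[1] == "yes" and parts[2] in ("yes", "no"):
            st["trusted"].add(parts[0])
    return st

def audit(output, expected_vlans, uplinks):
    """Findings list; empty means snooping on, option 82 off, VLANs covered, only uplinks trusted."""
    st = parse_snooping(output)
    findings = []
    if not st["enabled"]:
        findings.append("DHCP snooping is not enabled globally")
    if st["option82_inserted"]:
        findings.append("option 82 insertion is still enabled")
    findings += ["VLAN %d is not operational for DHCP snooping" % v
                 for v in sorted(set(expected_vlans) - st["operational_vlans"])]
    findings += ["%s is trusted but is not an uplink" % i for i in sorted(st["trusted"] - set(uplinks))]
    findings += ["uplink %s is not trusted" % i for i in sorted(set(uplinks) - st["trusted"])]
    return findings
```

Run audit() against the pasted output of each access switch with the VLANs it serves and its known uplinks; a trusted port that is not an uplink is exactly the gap a rogue DHCP server needs.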

Applying IP DHCP snooping on the access switches is enough, as long as the uplinks are trusted. It is not required to apply these configurations on the distribution switches (assuming that no one has access to them).

Overall, this should have been used ages ago. I am very glad that I implemented this in our network.
