DHCP Snooping

By daxm

DHCP snooping seems to me to be a strange security enhancement. Though I do agree that securing against a rogue DHCP server is important, the way Cisco implements it is odd.

In order for DHCP snooping to work, at least three configuration steps are needed:

1) Enable DHCP snooping on the switch — (config)#ip dhcp snooping

2) All ports are “untrusted” by default.  Specify which ports are “trusted”.  Trusted interfaces are the ones along the path to the DHCP server, so trunk/uplink ports and the port that actually connects to the DHCP server need to be configured as trusted.  DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which is what stops a rogue server on an access port.  — (config-if)#ip dhcp snooping trust

3) Identify which VLANs DHCP snooping will monitor.  Until at least one VLAN is listed here the feature is enabled but not operational on any VLAN.  — (config)#ip dhcp snooping vlan <num>

4) (Optional?)  After configuring the above commands in my local (home) network I noticed that my DHCP requests were not being answered.  Thanks to a buddy of mine (Thanks Walt!) who showed me that the DHCP snooping process was adding Option 82 to my DHCP requests by default.  Apparently my DHCP server didn’t like that option, because as soon as I disabled Option 82 from being sent my DHCP requests were being answered. — (config)#no ip dhcp snooping information option
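Putting the four steps together, here is a complete configuration as an added example. It is not the author's running-config; it assumes the layout implied by the show output below (clients on VLAN 1, the DHCP server reached through FastEthernet1/0/2, a client on FastEthernet1/0/1) and a flash filename for the binding database. It also adds two things the steps above do not cover: a rate limit on untrusted ports, and a database agent so the binding table survives a reload.

```cisco
! Added example: complete DHCP snooping configuration for the steps above.
! Not the author's own config. Assumed: clients on VLAN 1, DHCP server
! behind FastEthernet1/0/2, client on FastEthernet1/0/1, database on flash.
!
! Step 1: enable the feature globally. This alone does nothing until a
! VLAN is listed in step 3 ("show ip dhcp snooping" then shows "none").
ip dhcp snooping
!
! Step 3: make snooping operational on the client VLAN(s).
ip dhcp snooping vlan 1
!
! Step 4: do not insert the relay agent information option (Option 82).
! A Layer 2 switch inserts it while leaving giaddr at 0.0.0.0, which many
! DHCP servers reject. The alternative is to keep insertion and make the
! server accept it (on an IOS DHCP server: ip dhcp relay information trust-all).
no ip dhcp snooping information option
!
! Persist the binding table. With no agent URL (see "show ip dhcp snooping
! database" below) bindings are lost on reload, and DAI / IP Source Guard,
! which depend on them, then drop traffic from hosts that do not re-DHCP.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Step 2: only the path toward the DHCP server is trusted. Server messages
! (OFFER/ACK/NAK) that arrive on any other port are dropped.
interface FastEthernet1/0/2
 description uplink toward DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default) and are rate limited, so a host
! flooding DISCOVERs (DHCP starvation) err-disables its port instead of
! exhausting the pool.
interface FastEthernet1/0/1
 description client access port
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 15
!
! Re-enable rate-limited ports automatically after the recovery timer.
errdisable recovery cause dhcp-rate-limit
!
! Verify: "Switch DHCP snooping is enabled", VLAN 1 under both "configured"
! and "operational", Fa1/0/2 listed as Trusted, and the client's lease in
! the binding table after it renews:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip dhcp snooping statistics
```

The Option 82 failure is worth understanding rather than only switching off. Because an access switch is not a relay, it inserts the option but leaves giaddr at 0.0.0.0, and a server that sees relay-agent information with no relay address commonly discards the packet. Disabling insertion on an access switch is fine; the option only matters when the server uses the circuit-id/remote-id for per-port address assignment or for audit.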

The following commands are useful for verifying that DHCP snooping is configured correctly:

show ip dhcp snooping

daxm-home-switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 0022.56f9.6400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-------------------------  -------    ------------    ----------------
FastEthernet1/0/2          yes        yes             unlimited
Custom circuit-ids:
daxm-home-switch#

show ip dhcp snooping binding

daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:00:00:01   192.168.1.34     3570        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 1

daxm-home-switch#

show ip dhcp snooping statistics

daxm-home-switch#show ip dhcp snooping statistics
Packets Forwarded                                     = 219
Packets Dropped                                       = 1
Packets Dropped From untrusted ports                  = 0
daxm-home-switch#

show ip dhcp snooping database

daxm-home-switch#show ip dhcp snooping database
Agent URL :
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

daxm-home-switch#

###########################################################################

Here is what a DHCP process looks like from my Linux box (when Option 82 is disabled):

user@user-desktop:~$ sudo /etc/init.d/networking restart

* Reconfiguring network interfaces…

There is already a pid file /var/run/dhclient.eth2.pid with pid 2475
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth2/00:50:56:00:00:01
Sending on   LPF/eth2/00:50:56:00:00:01
Sending on   Socket/fallback
DHCPRELEASE on eth2 to 192.168.1.1 port 67
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth2/00:50:56:00:00:01
Sending on   LPF/eth2/00:50:56:00:00:01
Sending on   Socket/fallback
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 3
DHCPOFFER of 192.168.1.34 from 192.168.1.1
DHCPREQUEST of 192.168.1.34 on eth2 to 255.255.255.255 port 67
DHCPACK of 192.168.1.34 from 192.168.1.1
bound to 192.168.1.34 — renewal in 1593 seconds.
[ OK ]
user@user-desktop:~$

And here is what happens when I re-enable Option 82 (by the way, my DHCP server is a Cisco ASA 5505 running the latest code):

user@user-desktop:~$ sudo /etc/init.d/networking restart
* Reconfiguring network interfaces…

There is already a pid file /var/run/dhclient.eth2.pid with pid 2620
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth2/00:50:56:00:00:01
Sending on   LPF/eth2/00:50:56:00:00:01
Sending on   Socket/fallback
DHCPRELEASE on eth2 to 192.168.1.1 port 67
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth2/00:50:56:00:00:01
Sending on   LPF/eth2/00:50:56:00:00:01
Sending on   Socket/fallback
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 10
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 14
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 14
DHCPDISCOVER on eth2 to 255.255.255.255 port 67 interval 18
^C
user@user-desktop:~$

As you may note, I eventually used Ctrl-C to kill the process, as this would go on forever.

Related to DHCP snooping is DAI (Dynamic ARP Inspection).  I’ll make notes on that in an upcoming post.  🙂
