(Topology diagram: Rogue_DHCP1)

(I did actually plug in a Rogue server for the sake of time in this lab, but it's there!)

Consider the above topology and how DHCP works from the client side: the client accepts the first DHCP Offer message it receives. What if a Rogue DHCP Server is placed on the network segment with the intent of gathering client data? Its Offer carries the Default Gateway (and typically the DNS server) the client will use, so once that Offer is accepted every off-subnet packet the client sends flows through the attacker's box.

Bad things will ensue, and this is why DHCP Snooping exists!

DHCP Snooping Fundamentals and some switch “layer” design information

DHCP Snooping is turned on globally; all interfaces start out "Untrusted", and the network admin manually configures as "Trusted" only those interfaces on which DHCP server traffic is allowed to arrive.

The idea is that DHCP Discover packets (and the other client messages: Request, Decline, Release) can enter any Untrusted interface, but are forwarded only out Trusted interfaces, which are presumably pointed at a DHCP Server (or toward it in the network path). The switch will not flood them out the other Untrusted interfaces.

Likewise a DHCP Offer (or Ack / Nak, anything a server sends) is accepted only on "Trusted" interfaces and goes out Untrusted interfaces to the intended hosts; a server message arriving on an Untrusted interface is dropped, so a "Rogue DHCP Server" cannot be plugged into whatever interface on a switch and begin flooding DHCP Offers!

As for design: this is meant for Access Layer switches that connect directly to hosts, because the feature is really meant to stop a rogue host from plugging into the network. Configuring it in Distribution / Core layers can cause a lot of problems!

Take the following diagram for example of how DHCP works across a L3 boundary:

(Diagram: DHCP_Snoop_RTR)

We know that a router with "ip helper-address" configured on its ingress interface will forward DHCP broadcast traffic on as a unicast packet to the helper address, and in doing so it writes its own ingress interface IP into the GIADDR (Gateway IP Address) field of the packet.

This is a problem because a DHCP Discover straight from a client has a value of 0.0.0.0 in this field (the client doesn't know its DHCP Server / Gateway info yet), so a switch running DHCP Snooping that receives the relayed packet on an Untrusted interface sees a non-zero giaddr and discards the packet!

For this reason, and because every uplink toward the relay would have to be made Trusted for it to work at all, DHCP Snooping should be configured on Access Layer / host-facing switches and should NOT be turned on Distribution / Core layer switches!

Configuration of DHCP Snooping and interface reactions / behaviors

First you will want to configure DHCP Snooping globally, like turning on a service.

Configuration of DHCP Snooping globally:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip dhcp ?
aaa Configure aaa attributes
binding DHCP address bindings
bootp BOOTP specific configuration
class Configure DHCP classes
conflict DHCP address conflict parameters
database Configure DHCP database agents
excluded-address Prevent DHCP from assigning certain addresses
limit Limit DHCP Lease
limited-broadcast-address Use all 1’s broadcast address
ping Specify ping parameters used by DHCP
pool Configure DHCP address pools
relay DHCP relay agent parameters
remember Remember released bindings
route Specify the type of routes for clients on unnumbered interfaces
smart-relay Enable Smart Relay feature
snooping DHCP Snooping
subscriber-id Global subscriber-id configuration
use Configure use of certain parameters during allocation

SW1(config)#ip dhcp snooping ?
database DHCP snooping database agent
information DHCP Snooping information
verify DHCP snooping verify
vlan DHCP Snooping vlan
<cr>

SW1(config)#ip dhcp snooping
SW1(config)#

DHCP Snooping is now globally enabled on the switch (the "?" output only lists the sub-options; the bare "ip dhcp snooping" command is what actually turns it on).

Next, you must define which VLANs you want to Snoop. Until a VLAN is listed here, DHCP Snooping does nothing for that VLAN even though it is enabled globally, so for it to be operational on a VLAN the VLAN must be defined!

Configuration of VLAN Snooping:

SW1(config)#ip dhcp snooping ?
database DHCP snooping database agent
information DHCP Snooping information
verify DHCP snooping verify
vlan DHCP Snooping vlan
<cr>

SW1(config)#ip dhcp snooping vlan 10 ?
<1-4094> DHCP Snooping vlan last number
smartlog Smartlog all the logged pkts
<cr>

SW1(config)#ip dhcp snooping vlan 10
SW1(config)#

Now DHCP Snooping is running on the switch globally and is operational on VLAN 10, which means a Trusted interface is needed that will accept DHCP Offer / DHCP Server response traffic for that VLAN.

The Smartlog Feature:

SW1(config)#ip dhcp snooping vlan 10 smartlog ?
<cr>

SW1(config)#ip dhcp snooping vlan 10 smartlog

A quick mention: this option turns on DHCP Snooping smart logging for that VLAN, which exports copies of the DHCP packets the switch drops to the Flexible NetFlow collector configured under the switch's smart logging ("logging smartlog") settings. It is separate from ordinary syslog, and the "Smartlog is configured / operational" lines in "show ip dhcp snooping" further down report its state.

Configuring Trusted Interfaces and their sub-commands that are configurable

First, let's say our "Legit" DHCP Server is directly connected to Fa1/0/6 on this switch:

SW1(config)#int fa1/0/6
SW1(config-if)#ip dhcp snooping ?
information DHCP Snooping information
limit DHCP Snooping limit
trust DHCP Snooping trust config
vlan DHCP Snooping vlan

SW1(config-if)#ip dhcp snooping trust ?
<cr>

SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#

That is literally all there is to configuring it; again, in three bullet points:

  • “ip dhcp snooping” – Issued in Global config
  • “ip dhcp snooping vlan #” To define the VLAN to Snoop
  • “ip dhcp snooping trust” on the interface connected to / pointed at the DHCP Server

Now any host that plugs into an interface in VLAN 10 can only get its DHCP Discover forwarded out Int Fa1/0/6; the switch will not forward it out ANY other port within VLAN 10, and any Offer arriving on those other ports is dropped. All other VLANs on the switch are unaffected.

There is one other interface level command to know about!

Just because the Rogue Device cannot act as a Rogue DHCP Server does not mean it cannot cause other harm, and that is where the "limit" sub-command comes into play:

SW1(config-if)#ip dhcp snooping ?
information DHCP Snooping information
limit DHCP Snooping limit
trust DHCP Snooping trust config
vlan DHCP Snooping vlan

SW1(config-if)#ip dhcp snooping limit ?
rate DHCP Snooping limit

SW1(config-if)#ip dhcp snooping limit rate ?
<1-2048> DHCP snooping rate limit

SW1(config-if)#ip dhcp snooping limit rate 5 ?
<cr>

SW1(config-if)#ip dhcp snooping limit rate 5

By default no rate limit is applied to an interface (the "show" output below reports Unlimited); Cisco's guidance is to keep Untrusted interfaces at 100 pps or less. Without a limit, the Rogue Device can still reach the DHCP Server from an Untrusted interface and run a program that fires Discover packets, each with a different spoofed client MAC, at the fastest rate the interface will allow. This can take down the DHCP Server or drain the DHCP pool configured on it (DHCP starvation).

For this reason it is a good idea, security-wise, to configure host interfaces with a low limit (the lab uses 5 pps; a normal PC sends a handful of DHCP packets per lease) and either no limit or a much higher one on Trusted interfaces. One caveat: when an interface exceeds its limit the switch puts it into error-disabled state, so an over-aggressive value on a port with several hosts behind it (an IP phone plus a PC, or a hub) takes all of them offline. "errdisable recovery cause dhcp-rate-limit" lets such a port come back on its own after the recovery interval.
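To see what "ip dhcp snooping limit rate 5" actually does to a flooding port, here is an added example (a Python model written for this page, not code from the original post or from Cisco IOS) of a per-interface one-second packet counter with the err-disable reaction. The interface names and the traffic pattern (a normal client, a rogue host sending 50 Discovers in one second, the server answering on the trusted port) are constructed for the demo.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set


class SnoopRateLimiter:
    """Per-interface sliding one-second window of DHCP packets.

    Models `ip dhcp snooping limit rate N`: more than N DHCP packets within
    one second on an interface err-disables that interface.
    """

    def __init__(self) -> None:
        self.limits: Dict[str, Optional[int]] = {}      # None = Unlimited (IOS default)
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)
        self.errdisabled: Set[str] = set()

    def set_limit(self, interface: str, pps: Optional[int]) -> None:
        self.limits[interface] = pps

    def dhcp_packet(self, interface: str, ts: float) -> str:
        """Return what happens to one DHCP packet arriving at time ts (seconds)."""
        if interface in self.errdisabled:
            return "DROP"                  # port is down; nothing passes until recovery
        limit = self.limits.get(interface)
        window = self.windows[interface]
        window.append(ts)
        while window and ts - window[0] >= 1.0:
            window.popleft()               # keep only the last second
        if limit is not None and len(window) > limit:
            self.errdisabled.add(interface)  # the point where IOS err-disables the port
            return "ERRDISABLE"
        return "FORWARD"

    def recover(self, interface: str) -> None:
        """What `errdisable recovery cause dhcp-rate-limit` does once its interval expires."""
        self.errdisabled.discard(interface)
        self.windows[interface].clear()


def simulate() -> dict:
    """Constructed traffic: one well-behaved host, one starvation tool, one server."""
    sw = SnoopRateLimiter()
    sw.set_limit("Fa1/0/1", 5)        # host port, as configured in the lab
    sw.set_limit("Fa1/0/2", 5)        # host port where the rogue device sits
    sw.set_limit("Fa1/0/6", None)     # trusted server port, left Unlimited
    # Normal client: Discover, Request, then a renewal 30 s later
    client = [sw.dhcp_packet("Fa1/0/1", t) for t in (0.0, 0.2, 30.0)]
    # Rogue host: 50 Discovers within one second
    rogue = [sw.dhcp_packet("Fa1/0/2", i * 0.02) for i in range(50)]
    # Server replies at the same rate on the trusted port
    server = [sw.dhcp_packet("Fa1/0/6", i * 0.02) for i in range(50)]
    return {
        "client": client,
        "rogue_forwarded": rogue.count("FORWARD"),
        "rogue_first_errdisable_index": rogue.index("ERRDISABLE"),
        "rogue_dropped_after": rogue.count("DROP"),
        "server_all_forwarded": all(v == "FORWARD" for v in server),
        "errdisabled_ports": sorted(sw.errdisabled),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Only the first five rogue Discovers reach the server; the sixth err-disables Fa1/0/2 and everything after it is dropped, while the client on Fa1/0/1 and the server on the Unlimited trusted port are untouched. The same model shows the trade-off: a port err-disabled this way stays down until "errdisable recovery" (or a manual shut / no shut) brings it back.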

The Evil Option 82 and the havoc it can reek on our network!

When you enable DHCP Snooping globally, the switch also starts inserting "Option 82" (the DHCP relay agent information option) into the client DHCP packets it forwards: it adds its own information (a circuit-id built from VLAN / module / port and a remote-id built from the switch MAC, as the "show" output further down reports) and checks that the server's response carries the same information before forwarding it back to the client.

However, a packet that carries Option 82 and arrives on an Untrusted interface is dropped by another switch doing DHCP Snooping (unless that switch has "ip dhcp snooping information option allow-untrusted" configured), and a Cisco IOS router acting as the relay drops a packet that has Option 82 but a giaddr of 0.0.0.0 unless it is told to trust it ("ip dhcp relay information trust-all", or "trusted" on the interface). So unless the switch plugs directly into a DHCP Server that understands Option 82, it will generally need to be disabled!

That being said, the common practice is to turn this feature off, since it enables itself when DHCP Snooping is enabled globally, so we need to know how to turn it off or packets will drop!

Turning off Option 82 from Global Config:

SW1(config)#no ip dhcp snooping ?
database DHCP snooping database agent
information DHCP Snooping information
verify DHCP snooping verify
vlan DHCP Snooping vlan
<cr>

SW1(config)#no ip dhcp snooping information ?
option DHCP Snooping information option

SW1(config)#no ip dhcp snooping information option ?
allow-untrusted DHCP Snooping information option allow-untrusted
format Option 82 information format
<cr>

SW1(config)#no ip dhcp snooping information option
SW1(config)#

This turns off "Option 82" after "ip dhcp snooping" has been enabled globally. The same command with the "no" removed ("ip dhcp snooping information option") is how you would turn Option 82 back ON if it had been disabled and you were tasked with it on exam day.
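To make the forwarding rules from the sections above concrete, here is an added example (a Python model written for this page, not code from the original post or from Cisco IOS) of the per-packet decision a snooping switch makes: parse the DHCP payload, then apply the trusted / untrusted, giaddr, Option 82 and MAC-verification checks. The packets, the rogue MAC, the relay address 10.0.10.1 and the Option 82 layout are constructed for the demo; only the Fa1/0/1 client MAC and the switch MAC are taken from the show outputs on this page.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the DHCP options
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


@dataclass
class Dhcp:
    op: int                    # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    giaddr: str                # relay agent IP; 0.0.0.0 straight from a client
    chaddr: bytes              # client hardware address (first hlen bytes)
    msg_type: int              # option 53
    option82: Optional[bytes]  # relay agent information, if present


def parse_dhcp(payload: bytes) -> Dhcp:
    """Decode the fixed BOOTP header and the two options DHCP snooping cares about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, hlen = payload[0], payload[2]
    giaddr = ".".join(str(b) for b in payload[24:28])
    chaddr = payload[28:28 + hlen]
    msg_type, option82 = None, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 82:
            option82 = value
        i += 2 + length
    if msg_type is None:
        raise ValueError("no DHCP message type option")
    return Dhcp(op, giaddr, chaddr, msg_type, option82)


def snoop_decision(eth_src: bytes, payload: bytes, trusted: bool,
                   allow_untrusted_opt82: bool = False,
                   verify_mac: bool = True) -> Tuple[str, str]:
    """Verdict for one DHCP packet on one port: ("FORWARD"|"DROP", reason).

    Trusted ports pass everything. Untrusted ports drop server messages,
    relayed packets (giaddr != 0), packets carrying option 82 (unless
    allow-untrusted) and, with MAC verification on, client packets whose
    chaddr does not match the Ethernet source MAC.
    """
    pkt = parse_dhcp(payload)
    name = CLIENT_TYPES.get(pkt.msg_type) or SERVER_TYPES.get(pkt.msg_type, f"type {pkt.msg_type}")
    if trusted:
        return "FORWARD", f"{name} accepted on trusted port"
    if pkt.msg_type in SERVER_TYPES or pkt.op == 2:
        return "DROP", f"{name} is a server message on an untrusted port (rogue server?)"
    if pkt.giaddr != "0.0.0.0":
        return "DROP", f"{name} has giaddr {pkt.giaddr} on an untrusted port (relayed packet)"
    if pkt.option82 is not None and not allow_untrusted_opt82:
        return "DROP", f"{name} carries option 82 on an untrusted port"
    if verify_mac and pkt.chaddr != eth_src:
        return "DROP", f"{name} chaddr {mac_str(pkt.chaddr)} != source MAC {mac_str(eth_src)}"
    return "FORWARD", f"{name} from untrusted port, forwarded out trusted ports only"


def build_dhcp(msg_type: int, chaddr: bytes, giaddr: str = "0.0.0.0",
               option82: Optional[bytes] = None) -> bytes:
    """Build a minimal DHCP payload (constructed test data, not a capture)."""
    op = 2 if msg_type in SERVER_TYPES else 1
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op .. flags
    hdr += bytes(12)                                     # ciaddr, yiaddr, siaddr
    hdr += bytes(int(x) for x in giaddr.split("."))      # giaddr
    hdr += chaddr.ljust(16, b"\x00")                     # chaddr
    hdr += bytes(64 + 128)                               # sname, file
    opts = bytes([53, 1, msg_type])
    if option82 is not None:
        opts += bytes([82, len(option82)]) + option82
    return hdr + MAGIC_COOKIE + opts + b"\xff"


CLIENT_MAC = bytes.fromhex("001ef797f14b")   # Fa1/0/1 host from the binding table
ROGUE_MAC = bytes.fromhex("deadbeef0001")    # made up for the demo
# Option 82 as an upstream snooping switch might insert it (constructed layout):
# suboption 1 circuit-id = VLAN 10 / module 1 / port 6, suboption 2 remote-id = switch MAC
OPT82 = bytes([1, 4]) + struct.pack("!HBB", 10, 1, 6) + bytes([2, 6]) + bytes.fromhex("1ce6c7c1c800")


def demo() -> dict:
    """The scenarios from the post, each reduced to its FORWARD / DROP verdict."""
    discover = build_dhcp(1, CLIENT_MAC)
    offer = build_dhcp(2, CLIENT_MAC)
    relayed = build_dhcp(1, CLIENT_MAC, giaddr="10.0.10.1")
    tagged = build_dhcp(1, CLIENT_MAC, option82=OPT82)
    spoofed = build_dhcp(1, bytes.fromhex("0200aaaaaaaa"))   # chaddr != source MAC
    return {
        "client discover, untrusted port": snoop_decision(CLIENT_MAC, discover, False)[0],
        "rogue offer, untrusted port": snoop_decision(ROGUE_MAC, offer, False)[0],
        "same offer, trusted Fa1/0/6": snoop_decision(ROGUE_MAC, offer, True)[0],
        "relayed discover, untrusted uplink": snoop_decision(CLIENT_MAC, relayed, False)[0],
        "relayed discover, trusted uplink": snoop_decision(CLIENT_MAC, relayed, True)[0],
        "option 82 discover, untrusted": snoop_decision(CLIENT_MAC, tagged, False)[0],
        "option 82 discover, allow-untrusted": snoop_decision(CLIENT_MAC, tagged, False, True)[0],
        "starvation discover, spoofed chaddr": snoop_decision(CLIENT_MAC, spoofed, False)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{verdict:8} {scenario}")
```

The "relayed discover" pair is the L3-boundary problem from the diagram: the very same packet is dropped on an Untrusted uplink and passed on a Trusted one, which is why the port toward the router doing the relaying must be trusted. The last scenario is the hwaddr verification from the "show" output: a starvation tool that rotates chaddr but keeps its real source MAC is caught, one that spoofs both is not, which is why the rate limit is still needed.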

Different Verification commands for DHCP Snooping

The tables in the verification commands always paste a little cruddy from CLI to WordPress, but I'll do my best to straighten them out for clarity's sake and highlight the important info we will look for in the output of "sh ip dhcp snooping":

SW1(config)#do sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 1ce6.c7c1.c800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface           Trusted    Allow option    Rate limit (pps)
-----------------   -------    ------------    ----------------
FastEthernet1/0/6   yes        yes             Unlimited
Custom circuit-ids:
SW1(config)#

So we see it is enabled globally, configured / operational for VLAN 10, Option 82 insertion is disabled, hwaddr and giaddr verification are on (these are the checks that drop a client packet whose chaddr does not match its source MAC, and a relayed packet with a non-zero giaddr arriving on an Untrusted port), and the Trusted interfaces are listed with their settings.

The Rate limit (pps) shown is the default for a port, i.e. none. Again, under the assumption a Trusted port only points toward the DHCP Server, I would focus on limiting pps on Untrusted ports to avoid a packet flood reaching the DHCP Server, as mentioned above.

“show ip dhcp snooping binding” to get more details on DHCP hosts:

SW1#sh ip dhcp snooping binding
MacAddress          IpAddress      Lease(sec)  Type           VLAN  Interface
------------------  -------------  ----------  -------------  ----  -----------------
00:1E:F7:97:F1:4B   10.0.10.102    604778      dhcp-snooping  10    FastEthernet1/0/1
00:1B:53:36:F2:CD   10.0.10.101    604629      dhcp-snooping  10    FastEthernet1/0/2
Total number of bindings: 2

SW1#

This gives you the host information: MAC, IP, lease time remaining, VLAN and the interface the host is on, all learned by watching the DHCP exchange itself. This binding table is also what the next topic, Dynamic ARP Inspection, validates ARP traffic against, so it is worth a look when troubleshooting.

Some final small details for DHCP Snooping with this Topology

(Topology diagram: Rogue_DHCP1)

Remember, NO ports are Trusted by default, so whatever port leads toward the DHCP Server, whether an Access port or a Trunk / uplink to the switch or router doing the relaying, must be configured as Trusted!

Don't forget the "ip helper-address" for traversing Layer 3 boundaries.

If you are having trouble getting DHCP to work once DHCP Snooping is configured, be sure to check that the interfaces along the path are in the VLAN being Snooped, that the port is configured as Trusted if it faces a DHCP Server or relay, and that Option 82 is disabled (or allowed on untrusted ports) at each hop.

There is actually a lot to check there, so I'd suggest labbing this one out quite a bit. I learned a lot of concepts failing at getting DHCP working between two IOS devices with DHCP Snooping enabled, but what I found is good to know for exam day!

Finally, DHCP Snooping being enabled is necessary for the following topic of Dynamic ARP Inspection, which I will get to at a later time because this topic is oooooover!