DHCP Snooping

Zaman,
IOS XE is a different from the “traditional” IOS operating system in terms of its architecture. IOS XE still runs the traditional IOS, but it runs as a single process (daemon) within a larger linux operating system. Notice in your output, there is an indication of this (linux):

(X86_64_LINUX_IOSD-UNIVERSALK9-M)

So, “Version 03.12.00a.S” refers to the large linux operating system, while “Version 15.4(2)S0a” refers to the IOS version being run by the IOS daemon within IOS XE. Make sense?

Here’s some more info on IOS XE if you want to read about the new architectural changes:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-3sg/QA_C67-622903.html

Hello Rene,

Can you give me please example if DHCP Snooping combine with DHCP Relay agent if use additional Switch or router.

Thanks

Hello Rudy.

A DHCP relay agent is just a router that receives a DHCP OFFER packet and forwards it to a preconfigured DHCP server that is on a different subnet than the interface on which the OFFER was received. This is a layer 3 feature since we are taking a packet that would normally be limited to a subnet and routing it to the DHCP server on another subnet.

The DHCP snooping occurs only within a subnet and cannot surpass the boundary of the subnet (the router) unless the router itself is configured with the IP address of the “DHCP snooper” as the relay agent. Although this theoretically can occur, it is not likely and it is of little value to an attacker.

So weather you have a relay agent or not, snooping will still occur and can be mitigated in the same manner.

I hope this has been helpful.

Laz

apologies to jump in on an old thread, would the cross link between the 2 distribution switches need to be enabled for IP DHCP snooping trust on both ends?

Hi Mark,
Yes, all ports in that form part of the “downstream” path FROM the trusted DHCP server also need to be marked as trusted. This would include inter-switch links. The reverse is not necessary (upstream ports to the DHCP server). The reason for this is because DHCP snooping blocks the Offer message from crossing untrusted ports. The client side of the conversation–the Discovery and Request (remember DORA for DHCP ipv4), is not affected by DHCP snooping.

Hello Rene,

Can you please provide strong details why do you have to disable option 82 on an interface? i have a little idea of what it is but i need a really good example when it need to be activated and disable.

Hello Manuel

Rene describes what option 82 does in this post very well.

As to why you should disable option 82, when DHCP snooping is enabled on a switch, option 82 is enabled by default. That is, any DHCP request packets that are sent from a host will enter the switch and will have option 82 information ADDED to the request before it is sent on to the DHCP server. Specifically, enabling DHCP snooping on the switch adds the giaddr value of 0.0.0.0 in the DHCP packet. However, the DHCP server is expecting this field to be set to that of the relay agent (a non zero value), since option 82 is used for DHCP relay. (If you’re not sure what I mean, review the post I linked to above).

The problem is that there are some DHCP servers (including Cisco IOS DHCP servers) that will reject any DHCP packet that retains the giaddr value of 0.0.0.0 in the DHCP packet.

So this is why you should use the no ip dhcp-snooping information option described by Rene. This command tells the switch NOT to add option 82 and thus, any DHCP server receiving the DHCP request will process it normally. Another solution would be to use the commandip dhcp relay information trusted on the interface of the DHCP server which will tell it to trust any relay information, that is option 82 information, provided by the packet.

I hope this has been helpful!

Laz

What will happen if a DHCP server becomes a shortage of IP Address? Suppose in a Scenario an attacker sends unlimited DHCP requests to the DHCP Server and DHCP server goes out of IP Address after assigning all of its valid IP Addresses. (Somehow attacker manages to configure its device each time such as does not have an IP Address assigned. It would be great if you can explain the attack as well. )

Were can I ask a question on your site instead of replying to a message.

Anyway, my question is, do you still need DHCP snooping if your using the ‘IP helper’ command on every vlan and no workstations exist on that vlan?

Hello Harry

When you post a question, try to find a thread that is close to the topic that you are asking about. This is the perfect thread for this question. However, if you find that there is no thread that matches your question, you can always post a new topic, and we may re-categorize it into the appropriate thread.

As for your question, keep in mind that the IP helper address command installed on the local router will just take any DHCP request that it hears on the network and forward it to the DHCP server that exists on a different subnet. This does not prevent another rogue DHCP server on the local subnet from answering the DHCP request since this request is a broadcast and can be heard on the whole subnet. This means that you will still require DHCP snooping in order to protect yourself from rogue DHCP servers.

I hope this has been helpful!

Laz

Hi Rene ,

If there are multiple switches involved and linked up to the switch where the DHCP server is connected . In this scenario , Just curious on the command “no ip dhcp snooping information option” , do i need to apply this command across all the switches which are toward to the DHCP server ? Or just apply only the switch where the DHCP server is connected ? I believe is all the switches , am i correct ?

Hello Vilson

Yes, you are correct, if you are encountering problems with the DHCP discover message, then you must include this command no ip dhcp snooping information option on all switches through which DHCPDISCOVER, DHCPOFFER and other DHCP messages will be sent. Otherwise, the option may be added for DHCP messages traversing those particular switches causing problems for the hosts connected to them.

I hope this has been helpful!

Laz

Hi
If we have 4 vlans and 2 switches connected with trunk…do we need 4 dhcp servers to assign ips to hosts in different vlans???
Which vlan we need to put dhcp sever in ???if we want to use different pools on dhcp server???if thats possible???

Thanks lazaros…

Hello Sumant

This is a very good question. When a DHCP discover is sent, it is confined to the broadcast domain or the LAN segment of the DHCP sender. This means that if there is no DHCP server on that subnet, no one will answer.

If there were no solution to this problem, then you would indeed require a DHCP server on each subnet or VLAN. However, there is a solution to this issue, and that is the use of a DHCP relay agent. This allows there to be a single DHCP server on the network that will respond to DHCP requests from multiple VLANs, and which includes multiple pools to provide addresses from. More information about the DHCP relay agent (also known as the IP helper address configuration) can be found at the following lesson:

I hope this has been helpful!

Laz

Thanks lazaros

That means we need subinterfaces on router and put the gateway ip address (subinterface ip)for particular vlan in gidr field…and need to configure 4 different pools in dhcp server for 4 different vlans…
I hopw i am right.if now please corect me…i will try to do a lab as well…
Again thanks for your easy explanation…

Hello Sumant

Take a look at the following diagram:

Here we have an L3 switch that has three VLANs configured on it. We want each VLAN to be assigned an IP address in the range shown, but we want to create only a single DHCP server. We have a DHCP server with an IP address of 172.16.55.20 which is completely outside of the VLANS we want to serve. In order for DHCP broadcast packets to reach this DHCP server, we configure the following command on the interface of the L3 that functions as the default gateway of EACH VLAN. So, on the VLAN 10, VLAN 20 and VLAN 30 interfaces, we enter the command ip helper address 172.16.55.20.

The result will be that any broadcast DHCP requests sent by a host on VLAN 20 for example, will reach all hosts in that VLAN including the gateway, that is, the VLAN 10 interface. This interface is configured to send such traffic in unicast form to the IP address of the DHCP server. The server receives this traffic, sees from which subnet the request is being made, and finds a free IP address within the scope that corresponds to that subnet. The response is unicast to the L3 switch, and is then broadcast to the appropriate subnet to reach the requesting host.

So you don’t need to configure subinterfaces. All you need is to ensure that the default gateway of the subnet you are configuring will have the ip helper address command to relay packets to the appropriate DHCP server.

I hope this has been helpful!

Laz

1 Like

Hello everyone,

I made some complex LAB with components which lack basic features like DHCP relay.

The only possible way to relay dhcp requests was by using an GRE tunnel towards the destination DHCP server.

The tunnel was between the DHCP server and MLS (L3 Switch).

The relay agent worked great via the VTI but after adding the DHCP SNOOPING feature on the MLS, each of the remote dhcp request that came through the same DHCP vlan that I created, they have arrived to the MLS that connected to the outside network and had the VTI tunnel for relaying the dhcp request to the dhcp server via the VTI, but therefore configuring it with the DHCP SNOOPING security mechanism , suddenly the dhcp request packets stopped being relayed to the dhcp server through the VTI, only through the trusted Physical Interface that I configured, which then unfortunatly couldn’t get relayied by the next hop router because it wasn’t supporting that dhcp relaying feature.

direclty connected hosts that connected to the same MLS switch did got relayed through the tunnel, only hosts that was sitting behind another switch couldn’t cross the network via the VTI toward the DHCP server.

Is that behavior right that made the MLS stop forwarding dhcp requests through the VTI from remote hosts?
or maybe it is a bug caused by IOSv L2 Switch in GNS3?
Why couldn’t I configure the VTI itself as a trusted dhcp snooping interface as it might solve the problem?
when disabling the physical interface from being trusted toward the dhcp server, packet from direcly connected hosts still got relayed through the tunnel VTI but then the dhcp offer got blocked caused by the physical interface being an untrusted port even though the offer messages also traversed to the MLS via the tunnel.

I hope someone could help me here and search for an answer or already knows the answer.

Thanks you very much!

Hello Nitay

Hmm, if I have understood your description correctly, this is an interesting setup. It’s a good idea to try to avoid connecting a DHCP server over a tunnel, simply in order to eliminate points of failure. It would be preferable to configure the MLS to function as a DHCP server for the particular subnets it serves. Now if that’s not possible, then we would weigh the risks of setting it up as you have done.

Now, concerning DHCP snooping, you should keep the following in mind:

  1. For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
  2. A switch will drop a DHCP packet when A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.

Now I haven’t configured DHCP snooping with a VTI, so from your comment “Why couldn’t I configure the VTI itself as a trusted dhcp snooping interface as it might solve the problem?” I assume it is not possible.

The problem you describe here shouldn’t have to do with any of the VTI configurations. If this is the case, and hosts local to the MLS are able to get their addresses, then you should check the DHCP snooping configuration of the trunk that connects the two switches. Whatever features are available to hosts directly connected to the MLS should be available to those on connected switches, if the trunking and the snooping configs are correct. I suggest you focus your troubleshooting on those connections between the switches.

I hope some of this will give you some insight into continuing your troubleshooting this problem. Keep us posted and let us know of your progress.

Laz

Thanks you very much Laz,

You understood my explanation in the right way.

Indeed when configured the other remote switches that are connected to the relay-agent MLS through trunk , they forwarded the packets to the MLS.

after that, the MLS relayed those packets through the physical interface instead through the tunnel.

I could configure the MLS as the dhcp server but it’s not right as the DHCP service provided by the another domain.

all of the switches were configured with ip dhcp snooping correctly with trust interfaces toward the main MLS that relayed the packets via the tunnel.

The MLS was configured with the same dhcp snooping while the trusted port pointing toward the dhcp server.

all of the switches configured with the command no ip dhcp snooping information option because the MLS did blocked at first the dhcp requests and logged that those packets had some problem.

I will post here my configuration on the MLS partly, and will explain what i did:

vlan 3111  //native vlan for the L2 backbone domain
   name native
vlan 10
   name DHCP
int vlan 3111
   ip address 10.1.1.1 255.0.0.0
   no shut
   ip router isis
int vlan 10
   ip address 213.57.100.2 255.255.255.0
   no shut
   ip helper-address 192.168.0.1       // dhcp server's tunnel IP

int gig0/0   // connection to unsupported dhcp relay router towards the ISP
   switchport
   sw encapsulation dot1q
   sw mode trunk
   ip dhcp snooping trust
   
int gig0/0.10
   encapsulation dot1q 10

int gig0/1 + gig0/2 + gig0/3    // backbone connection ports
   switchport
    sw encapsulation dot1q
    sw mode trunk
    sw trunk native vlan 3111
    mpls ip
    no shut

router isis
   is-type level-2-only
   net 49.0000.1111.1111.1111.00
   passive-interface vlan 10  

mpls ldp router-id vlan 3111 force

int gig3/3   // dhcp customer port
  switchport
   sw access vlan 10
   no shut

ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option

int tunnel 0
   ip address 192.168.0.2 255.255.255.0
   tunnel source vlan 3111
   tunnel dest 213.57.13.254  // dhcp server's public IP


ip route 0.0.0.0 0.0.0.0 213.57.100.1   // route to the ISP's unsupported dhcp relay router only through the DHCP segment which sits on vlan 10

Hello Nitay

Hmm, that’s interesting. After doing some research I have been unable to find any information about using DHCP relay over a tunnel while implementing snooping. It may be that snooping will only be implemented on physical or VLAN interfaces, and cannot be applied to tunnel interfaces.

Is this in your GNS3 configuration? I’d like to see this implemented with real devices to see what the results would be. I wonder if @ReneMolenaar has any experience with this specific setup?

Sorry I haven’t been able to be more helpful!

Laz

1 Like