DHCP Snooping

Hi Ken,

You are right, that’s what it should show. It could be a cosmetic bug in the IOS version that I used for this example or I might have run the show command before disabling the insertion of option 82.

Here’s what it should show, just checked it on an IOS 15.x switch:

SW1#show ip dhcp snooping | include option 82
Insertion of option 82 is disabled

Rene

Hi Rene,

I have question why not apply command IP DHCP snooping trust on interface than connected to client (f0/1) .

Hi Bishoy,

We only configure interfaces as trusted if the interface is connected to an DHCP server or if it’s an uplink towards the DHCP server.

If you would configure the fa0/1 interface as trusted, the client could run a fake DHCP server which is exactly what we are trying to prevent here :slight_smile:

Rene

Hlw Rene,

It is very basic question still curious to understand. My router shows the output

Router-1#show version 
Cisco IOS XE Software, Version 03.12.00a.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S0a, RELEASE SOFTWARE (fc1)

I want to know ---------------

What is the meaning of Version 03.12.00a.S and Version 15.4(2)S0a ?

I am very much confused on it . Please help me to understand dear :slight_smile:

br//
zaman

Zaman,
IOS XE is a different from the “traditional” IOS operating system in terms of its architecture. IOS XE still runs the traditional IOS, but it runs as a single process (daemon) within a larger linux operating system. Notice in your output, there is an indication of this (linux):

(X86_64_LINUX_IOSD-UNIVERSALK9-M)

So, “Version 03.12.00a.S” refers to the large linux operating system, while “Version 15.4(2)S0a” refers to the IOS version being run by the IOS daemon within IOS XE. Make sense?

Here’s some more info on IOS XE if you want to read about the new architectural changes:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-3sg/QA_C67-622903.html

Hello Rene,

Can you give me please example if DHCP Snooping combine with DHCP Relay agent if use additional Switch or router.

Thanks

Hello Rudy.

A DHCP relay agent is just a router that receives a DHCP OFFER packet and forwards it to a preconfigured DHCP server that is on a different subnet than the interface on which the OFFER was received. This is a layer 3 feature since we are taking a packet that would normally be limited to a subnet and routing it to the DHCP server on another subnet.

The DHCP snooping occurs only within a subnet and cannot surpass the boundary of the subnet (the router) unless the router itself is configured with the IP address of the “DHCP snooper” as the relay agent. Although this theoretically can occur, it is not likely and it is of little value to an attacker.

So weather you have a relay agent or not, snooping will still occur and can be mitigated in the same manner.

I hope this has been helpful.

Laz

apologies to jump in on an old thread, would the cross link between the 2 distribution switches need to be enabled for IP DHCP snooping trust on both ends?

Hi Mark,
Yes, all ports in that form part of the “downstream” path FROM the trusted DHCP server also need to be marked as trusted. This would include inter-switch links. The reverse is not necessary (upstream ports to the DHCP server). The reason for this is because DHCP snooping blocks the Offer message from crossing untrusted ports. The client side of the conversation–the Discovery and Request (remember DORA for DHCP ipv4), is not affected by DHCP snooping.

Hello Rene,

Can you please provide strong details why do you have to disable option 82 on an interface? i have a little idea of what it is but i need a really good example when it need to be activated and disable.

Hello Manuel

Rene describes what option 82 does in this post very well.

As to why you should disable option 82, when DHCP snooping is enabled on a switch, option 82 is enabled by default. That is, any DHCP request packets that are sent from a host will enter the switch and will have option 82 information ADDED to the request before it is sent on to the DHCP server. Specifically, enabling DHCP snooping on the switch adds the giaddr value of 0.0.0.0 in the DHCP packet. However, the DHCP server is expecting this field to be set to that of the relay agent (a non zero value), since option 82 is used for DHCP relay. (If you’re not sure what I mean, review the post I linked to above).

The problem is that there are some DHCP servers (including Cisco IOS DHCP servers) that will reject any DHCP packet that retains the giaddr value of 0.0.0.0 in the DHCP packet.

So this is why you should use the no ip dhcp-snooping information option described by Rene. This command tells the switch NOT to add option 82 and thus, any DHCP server receiving the DHCP request will process it normally. Another solution would be to use the commandip dhcp relay information trusted on the interface of the DHCP server which will tell it to trust any relay information, that is option 82 information, provided by the packet.

I hope this has been helpful!

Laz

What will happen if a DHCP server becomes a shortage of IP Address? Suppose in a Scenario an attacker sends unlimited DHCP requests to the DHCP Server and DHCP server goes out of IP Address after assigning all of its valid IP Addresses. (Somehow attacker manages to configure its device each time such as does not have an IP Address assigned. It would be great if you can explain the attack as well. )

Were can I ask a question on your site instead of replying to a message.

Anyway, my question is, do you still need DHCP snooping if your using the ‘IP helper’ command on every vlan and no workstations exist on that vlan?

Hello Harry

When you post a question, try to find a thread that is close to the topic that you are asking about. This is the perfect thread for this question. However, if you find that there is no thread that matches your question, you can always post a new topic, and we may re-categorize it into the appropriate thread.

As for your question, keep in mind that the IP helper address command installed on the local router will just take any DHCP request that it hears on the network and forward it to the DHCP server that exists on a different subnet. This does not prevent another rogue DHCP server on the local subnet from answering the DHCP request since this request is a broadcast and can be heard on the whole subnet. This means that you will still require DHCP snooping in order to protect yourself from rogue DHCP servers.

I hope this has been helpful!

Laz

Hi Rene ,

If there are multiple switches involved and linked up to the switch where the DHCP server is connected . In this scenario , Just curious on the command “no ip dhcp snooping information option” , do i need to apply this command across all the switches which are toward to the DHCP server ? Or just apply only the switch where the DHCP server is connected ? I believe is all the switches , am i correct ?

Hello Vilson

Yes, you are correct, if you are encountering problems with the DHCP discover message, then you must include this command no ip dhcp snooping information option on all switches through which DHCPDISCOVER, DHCPOFFER and other DHCP messages will be sent. Otherwise, the option may be added for DHCP messages traversing those particular switches causing problems for the hosts connected to them.

I hope this has been helpful!

Laz

Hi
If we have 4 vlans and 2 switches connected with trunk…do we need 4 dhcp servers to assign ips to hosts in different vlans???
Which vlan we need to put dhcp sever in ???if we want to use different pools on dhcp server???if thats possible???

Thanks lazaros…

Hello Sumant

This is a very good question. When a DHCP discover is sent, it is confined to the broadcast domain or the LAN segment of the DHCP sender. This means that if there is no DHCP server on that subnet, no one will answer.

If there were no solution to this problem, then you would indeed require a DHCP server on each subnet or VLAN. However, there is a solution to this issue, and that is the use of a DHCP relay agent. This allows there to be a single DHCP server on the network that will respond to DHCP requests from multiple VLANs, and which includes multiple pools to provide addresses from. More information about the DHCP relay agent (also known as the IP helper address configuration) can be found at the following lesson:

I hope this has been helpful!

Laz

Thanks lazaros

That means we need subinterfaces on router and put the gateway ip address (subinterface ip)for particular vlan in gidr field…and need to configure 4 different pools in dhcp server for 4 different vlans…
I hopw i am right.if now please corect me…i will try to do a lab as well…
Again thanks for your easy explanation…

Hello Sumant

Take a look at the following diagram:

Here we have an L3 switch that has three VLANs configured on it. We want each VLAN to be assigned an IP address in the range shown, but we want to create only a single DHCP server. We have a DHCP server with an IP address of 172.16.55.20 which is completely outside of the VLANS we want to serve. In order for DHCP broadcast packets to reach this DHCP server, we configure the following command on the interface of the L3 that functions as the default gateway of EACH VLAN. So, on the VLAN 10, VLAN 20 and VLAN 30 interfaces, we enter the command ip helper address 172.16.55.20.

The result will be that any broadcast DHCP requests sent by a host on VLAN 20 for example, will reach all hosts in that VLAN including the gateway, that is, the VLAN 10 interface. This interface is configured to send such traffic in unicast form to the IP address of the DHCP server. The server receives this traffic, sees from which subnet the request is being made, and finds a free IP address within the scope that corresponds to that subnet. The response is unicast to the L3 switch, and is then broadcast to the appropriate subnet to reach the requesting host.

So you don’t need to configure subinterfaces. All you need is to ensure that the default gateway of the subnet you are configuring will have the ip helper address command to relay packets to the appropriate DHCP server.

I hope this has been helpful!

Laz

1 Like