DHCP Snooping

Hello Mahmut

The client should be getting an IP address if the DHCP server is configured correctly. Can you take a look and verify that the configuration is the same as that in the lesson?

If DHCP snooping is not enabled, then the Attacker will try to provide an IP address for the client. This means that instead of the legitimate DHCP server giving an address, the attacker provides the address, and can give incorrect information to the host. So if snooping is not configured, the client should still get an IP address, either from the attacker or from the DHCP server. Check your configuration and if you have any other questions let us know!

I hope this has been helpful!

Laz

When you enable DHCP snooping on a switch, and that switch is also the DHCP server, I’m guessing you simply do not configure a trusted interface?

Hello Charles

Yes, that is the case. If the switch itself is the DHCP server, then you won’t want to accept any DHCP offers on any of its ports, since any such messages would come from a rogue DHCP server.

I hope this has been helpful!

Laz

Hi Laz,

1) Here we are enabling DHCP snooping for VLAN 1, but I think it depends on which VLAN the interface belongs to, or will it always be VLAN 1? Kindly suggest.

2) Suppose we are having the switch itself as the DHCP server; then is there still a need to configure trusted and untrusted interfaces and a rate limit per interface?

Please suggest how, in this case, the offer message will be forwarded to the requesting client.

Hello Pradyumna

The DHCP snooping is enabled on the VLAN of your choice. For the example in the lesson, Rene is using VLAN 1 because all of the ports on the switch are configured on that VLAN. You can choose to enable it on other VLANs if your ports are on a different VLAN.

Even if you have configured the switch itself as a DHCP server, you should still use trusted and untrusted ports simply because you are protecting your network from other rogue DHCP servers that may send DHCP messages on the switch’s ports. If the switch is the only DHCP server on your network, you may find that you will configure all ports on the switch as untrusted, since you wouldn’t expect to receive any DHCP discover messages on any other ports.

I hope this has been helpful!

Laz

Thanks for the explanation Laz, but actually we don’t know whether any other DHCP server is present in the network or not, because a rogue server might be there. In this case, how would we use the concept of trusted and untrusted?

Hello Pradyumna

If the only DHCP server you will be using is the switch, then you can make ALL ports on the switch untrusted. That way, if any rogue DHCP server is connected, the switch will not propagate their malicious DHCP messages further.

If you configure a second legitimate DHCP server on the network, only then would you make a port on the switch trusted, so that messages from that DHCP server will be propagated as expected.

I hope this has been helpful!

Laz

Hi all,
I’m configuring DHCP Snooping on multiple access switches in the same network.
Do I need to apply the following command on all switches, or only on 1 switch, like a VTP server?
ip dhcp snooping vlan 62,64,68,67,101,130-136,140-149
Below is an example of my config on 3 switches.

/// DHCP SNOOPING Config
SW01

ip dhcp snooping
ip dhcp snooping vlan 62,64,68,67,101,130-136,140-149 **this command.....**
no ip dhcp snooping information option
interface GigabitEthernet1/0/24
 ip dhcp snooping trust

SW02

ip dhcp snooping
no ip dhcp snooping information option
interface GigabitEthernet1/0/25
 ip dhcp snooping trust

SW03

ip dhcp snooping
no ip dhcp snooping information option
interface GigabitEthernet1/0/24
 ip dhcp snooping trust

Hello Carlos

This is an excellent question, and it helps clarify the way that DHCP snooping is implemented on a multi-switch network. The DHCP snooping commands that you implement on a switch remain local to that switch. This means that you must apply the ip dhcp snooping vlan command on every switch that you want to enable it on, and for every VLAN that you want it enabled on.

It is important to make sure that you have enabled it on all the same VLANs on all the switches in your topology in order to ensure that the entire network is consistently protected against related DHCP attacks.

I hope this has been helpful!

Laz

Hi Laz,
Thanks for your answer! So if I want to use DHCP snooping I need to configure it on all switches because it will use a local database. :smile:


Hi Lazaros,

In the lessons they teach us how to apply trust to one link connected to a server and switch for DHCP snooping and ARP, but what links should I make trusted for snooping and ARP for this network (attached) with a DHCP server on the far right of the network, and why?

Hello Daniel

When determining which ports to make trusted and which to make untrusted, the general rule is this:

  • Ports to which hosts connect should be untrusted
  • Ports connected to other switches that you would expect DHCP offers to be sent through should be trusted
  • The port connected directly to the DHCP server should be trusted. Take a look at this diagram from the lesson:

You can see that all ports “facing” the DHCP server, and through which you can expect DHCP offer messages to pass through to reach the hosts, are made trusted.

On a network like yours, you should make the port that connects the DHCP server trusted, as well as all of the trunks interconnecting the three switches, excluding Fa0/23 and Fa0/3 on the right switch, which face away from the DHCP server.

I hope this has been helpful!

Laz
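To make the rule above concrete, here is an added example (not from the lesson or this thread) that derives the trusted ports for a constructed sample topology: on every switch, only the port that faces the DHCP server is trusted, while host ports and trunks facing away from the server stay untrusted, exactly as described for Fa0/23 and Fa0/3 in the answer. The device and port names are made up for the example.

```python
from collections import deque

# Constructed sample topology (not the poster's diagram). Each link is
# (device_a, port_a, device_b, port_b); SW1 is the switch nearest the server.
LINKS = [
    ("DHCP-SRV", "eth0", "SW1", "Gi0/1"),
    ("SW1", "Fa0/23", "SW2", "Fa0/20"),
    ("SW2", "Fa0/21", "SW3", "Fa0/23"),
    ("SW1", "Fa0/3", "HostA", "nic"),
    ("SW3", "Fa0/1", "HostB", "nic"),
]
SWITCHES = {"SW1", "SW2", "SW3"}

def trusted_ports(links, switches, server):
    """Return {switch: {port}}: on each switch only the port that faces the
    DHCP server is trusted; host ports and downstream trunks stay untrusted."""
    adj = {}                                  # device -> [(local_port, neighbour)]
    for a, pa, b, pb in links:
        adj.setdefault(a, []).append((pa, b))
        adj.setdefault(b, []).append((pb, a))
    # Breadth-first walk away from the server (the topology is a loop-free tree);
    # the port through which a switch is first reached is the one facing the server.
    trusted, seen, queue = {}, {server}, deque([server])
    while queue:
        dev = queue.popleft()
        for _port, nbr in adj.get(dev, []):
            if nbr in seen:
                continue
            seen.add(nbr)
            if nbr in switches:
                upstream = next(p for p, n in adj[nbr] if n == dev)
                trusted.setdefault(nbr, set()).add(upstream)
            queue.append(nbr)
    return trusted

def trust_config(trusted):
    """Render the matching IOS lines, one block of text per switch."""
    return {sw: "\n".join(f"interface {p}\n ip dhcp snooping trust"
                          for p in sorted(ports))
            for sw, ports in trusted.items()}

if __name__ == "__main__":
    result = trust_config(trusted_ports(LINKS, SWITCHES, "DHCP-SRV"))
    for sw, cfg in sorted(result.items()):
        print(f"! {sw}\n{cfg}")
```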

Hi Lazaros,

I am still a little confused. I tried using Packet Tracer to test the configs but it is buggy, so based on my current network the commands and ports should be as follows for DHCP snooping and DAI:

SW2:
config>
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping vlan 5-13

(I have the other vlans active on far right switch SW1 should I put all vlans on network in general under this command? = vlan 5-16)

int gi0/2> ip dhcp snooping trust

(because I have a DHCP pool and router-on-a-stick coming from here with DHCP relay for VLANs on the far right network)

int range fa0/20-21> ip dhcp snooping trust

(the two ports connected to trunks on switch two)

SW3
Config>

 ip dhcp snooping 
no ip dhcp snooping information option
ip dhcp snooping vlan 5, 13
**int fa0/23**> ip dhcp snooping trust

(on port connected to switch 3)

SW1
ip dhcp snooping 
no ip dhcp snooping information option 
ip dhcp snooping vlan 5, 13, 14, 15, 16

(Like above, not sure here if I need to include VLANs that exist on the other side of the network on SW2, like VLANs 11 and 12, even if they aren’t being used in active ports on this switch, as I do have HSRP enabled?)

int gi0/1>ip dhcp snooping trust

(Should I also put on this port link to router because I have MGT vlan 13 pool coming from RTR2 on left?)

int fa0/10> ip dhcp snooping trust

RTR2
Config> ip dhcp relay information trust-all

(I have to enact this command on my router because I have ip helper-addresses for my vlans to the server right? Is there anything else I need to command on the routers for dhcp snooping or dai for my network?)

RTR1
Config> ip dhcp relay information trust-all

DAI
SW2
Config> ip arp inspection vlan 5-13
int gi0/2 >ip arp inspection trust
int range fa0/20-21> ip arp inspection trust

SW3
Config> ip arp inspection vlan 5, 13
int fa0/23>ip arp inspection trust

SW1
Config>ip arp inspection vlan 5, 13, 14, 15, 16
int gi0/1>ip arp inspection trust
int fa0/10>ip arp inspection trust

Hi Lazaros, I was wondering if you had a chance to check out my DAI/snooping setup.

Hello Daniel

For the most part it looks OK, but I have the following comments:

The first thing you have to do is see where your DHCP server is. You say it is RTR2. Now what path do you expect your DHCP messages to take? Will all of them go via SW2 or will some also traverse RTR1 and go to SW1 that way using an ip helper address? If both directions will be taken, then you must also add an ip dhcp snooping trust command on fa0/20 of SW3 (I see it in the diagram, but not in the config), and you must enable snooping on all the VLANs for which you deliver a DHCP pool. This way you cover all VLANs in which you expect DHCP messages, and all interfaces on which you expect DHCP messages.

Now, for example, if you have a switch, like SW2 where it doesn’t have any VLANs 14, 15, and 16, you don’t need to add snooping on those VLANs, even if they exist on SW1, UNLESS SW2 is transmitting any of these VLANs and carrying DHCP messages to hosts on these VLANs on other switches.

The rest looks correct. When you say it is unstable, what behaviour do you observe?

I hope this has been helpful!

Laz

Hi Lazaros, sorry for taking so long to get back. I have been off the forum for a while; thanks for all the recent answers. Packet Tracer didn’t allow me to use the command ip dhcp relay information trust-all, or it didn’t work correctly. I have to enact that on RTR2 because I have helper address commands for int gi0/2. The external server on the far right of my network is providing the DHCP addressing, but for the management VLAN 13 I have RTR2 on the left as a DHCP server with a pool set up. It is kinda messy, but I wanted to experiment with all the different ways of doing DHCP. Still, I am unsure of the ip dhcp relay information trust-all command?

Hello Daniel

Thanks for the update! Unfortunately, Packet Tracer does not cover the full range of commands available in real devices, so the more complex you go, the more possibility there is that there will be something missing… like the ip dhcp relay information trust-all command, as you mention…

Typically it’s a good idea to consolidate all of your DHCP services in one server, or if you have a backup server, to have it in the same subnet. This is not a hard and fast rule, but a general guideline. If you choose to have two or more DHCP servers in different locations on the network, you will have to ensure that you have trusted ports everywhere you may receive DHCP messages.

As for the ip dhcp relay information trust-all command, the following Cisco documentation puts it this way:

  • By default, if the gateway address is set to all zeros in the DHCP packet and the relay agent information option is already present in the packet, the DHCP relay agent will discard the packet. Use the ip dhcp relay information trust-all command to override this behavior and accept the packets.
  • This command is useful if there is a switch in between the client and the relay agent that may insert option 82. Use this command to ensure that these packets do not get dropped.
  • You can configure an individual interface as a trusted source of the DHCP relay information option by using the ip dhcp relay information trusted interface configuration mode command.

I hope this has been helpful!

Laz


Hi @lagapidis ,

I am wondering how a switch identifies DHCP packets when DHCP snooping is enabled on an untrusted interface. Does it inspect the entire header to match the UDP ports 67, 68 for each and every frame received on this interface instead of just the layer 2 header to perform switching?

Hello Raghu

This is an excellent question. An untrusted port will drop DHCP offer messages. It can also rate-limit DHCP discover messages. In order to identify a DHCP message, and to identify its type as well, a DHCP snooping enabled device must identify the message as a DHCP message AND identify the type of DHCP message as well.

This means that the DHCP message must be decapsulated all the way to the DHCP information. This means it is decapsulated beyond the Transport Layer, and the DHCP message itself must be read.

If you only examine UDP ports, you still don’t know what kind of DHCP message it is so you’re still not sure what to do with it. Also, you can configure other applications and services to use these ports as well, so there is no guarantee that you are dealing with DHCP messages simply from the UDP port used.

I hope this has been helpful!

Laz
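As an added illustration of the point Laz makes (this is example code written for this thread, not lesson material or vendor code), the model below parses a DHCP payload down to option 53 and only then decides what an untrusted port should do with it: server replies are dropped, relay information is dropped, and a client message whose chaddr does not match the frame's source MAC is dropped. A payload without the DHCP magic cookie is treated as ordinary traffic even if it arrived on UDP 67/68. The packet builder and MAC address are constructed test data.

```python
import struct

# DHCP message types carried in option 53 (RFC 2132).
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
MAGIC = b"\x63\x82\x53\x63"  # magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return (op, chaddr, giaddr, options) or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    giaddr, chaddr = payload[24:28], payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload):           # walk the TLV option list
        tag = payload[i]
        if tag == 255:                # end option
            break
        if tag == 0:                  # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, chaddr, giaddr, options

def snoop(frame_src_mac, payload, trusted):
    """Model of the snooping verdict for one frame: (verdict, reason)."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return "forward", "not DHCP (UDP port 67/68 alone does not decide this)"
    _op, chaddr, giaddr, opts = parsed
    mtype = opts.get(53, b"\x00")[0]
    if trusted:
        return "forward", "trusted port, no checks applied"
    if mtype in SERVER_TYPES:                 # server reply on an access port
        return "drop", f"{SERVER_TYPES[mtype]} received on untrusted port"
    if 82 in opts or giaddr != b"\x00" * 4:   # relay data from an untrusted port
        return "drop", "relay agent information on untrusted port"
    if chaddr != frame_src_mac:               # spoofed client hardware address
        return "drop", "chaddr does not match frame source MAC"
    return "forward", f"{CLIENT_TYPES.get(mtype, 'unknown')} from client"

def build_dhcp(mtype, chaddr, giaddr=b"\x00" * 4, extra_opts=b""):
    """Construct a minimal DHCP payload (constructed test data, not a capture)."""
    op = 1 if mtype in CLIENT_TYPES else 2    # BOOTREQUEST or BOOTREPLY
    hdr = bytes([op, 1, 6, 0]) + b"\x00" * 20 + giaddr + chaddr.ljust(16, b"\x00")
    hdr += b"\x00" * 192 + MAGIC              # sname, file, then the cookie
    return hdr + bytes([53, 1, mtype]) + extra_opts + b"\xff"
```

Real switches additionally rate-limit client messages and maintain the binding table; those parts are left out here to keep the classification step visible.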

Thanks Lazaros!

So putting that command on my router, if it has helper IP addressing, when using DHCP snooping is the correct response if using the external server to the right? Sorry, the Cisco docs were a bit confusing.