{"id":703,"date":"2017-04-18T18:18:00","date_gmt":"2017-04-18T18:18:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=703"},"modified":"2024-11-17T18:27:23","modified_gmt":"2024-11-17T18:27:23","slug":"dhcp-snooping-concept-implementation","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/dhcp-snooping-concept-implementation\/","title":{"rendered":"DHCP Snooping Concept\/Implementation"},"content":{"rendered":"<p>DHCP Snooping is a layer 2 security technology built into the IOS of a switch. The switch will drop DHCP Server messages in order to prevent unauthorized\/rogue DHCP servers from offering IP addresses to DHCP clients. This is a very valuable security measure that can be used to help protect the network from attacks.<\/p>\n<p>DHCP requests are processed as follows:<\/p>\n<p>D \u2013 Discover \u2013 Client sends a discover packet looking for available DHCP servers<\/p>\n<p>O \u2013 Offer \u2013 Server sends an offer packet back to the client<\/p>\n<p>R \u2013 Request \u2013 Client sends a request packet to the server<\/p>\n<p>A \u2013 Ack \u2013 Server sends an acknowledgement back to the client<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1020\" height=\"66\" class=\"wp-image-706\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-1.jpeg\" \/><\/p>\n<p>DHCP Snooping works by being enabled globally on the switch, at which point all ports become untrusted; it is then enabled on the VLAN, and finally the trusted ports are set to allow DHCP server messages. We can also take it a step further and configure additional parameters, like a DHCP rate limit, which can slow down a DHCP starvation attack.<\/p>\n<p>Once enabled, DHCP snooping says \u2013 if I see any DHCP\u00a0\u201cOffer\u201d\u00a0or\u00a0\u201cAck\u201d\u00a0coming into any untrusted port, I will drop the packet. 
However, if I see any\u00a0\u201cDiscover\u201d\u00a0or\u00a0\u201cRequest\u201d\u00a0packets they will still be allowed.<\/p>\n<p>If any type of DHCP packet comes in on a trusted port it will be allowed. Trusted ports will mostly be trunk ports that lead to the real DHCP server, and also the access port that the DHCP server is connected to. Trusted ports don\u2019t need to be all trunk ports; I have seen some situations where engineers set all their trunks to be trusted, and this is something that needs to be identified during the design phase.<\/p>\n<p>DHCP snooping stores all the mappings of the layer 2 and layer 3 addresses into a database which by default is stored in the switch\u2019s flash. This table can be used to validate which IPs have been issued by the real DHCP server, and it can also be used to implement\u00a0\u201cDynamic ARP\u201d\u00a0inspection, which is used to mitigate\u00a0\u201cARP related attacks\u201d. Cisco recommends storing this database centrally to ensure security and preserve the disk space of the switch.<\/p>\n<p>DHCP snooping should be enabled only on access layer switches that connect back to the user community; it is rarely required on the distribution or core layer unless user devices are connected back to these layers. If you are using a Cisco validated design or Cisco\u2019s LAN campus design this should not be the case.<\/p>\n<p>By using DHCP snooping we can mitigate a\u00a0\u201cMan in the Middle Attack\u201d\u00a0where a malicious user would use a rogue DHCP server to issue users on a network an IP address, making themselves the default gateway and routing traffic for the users. The malicious user would then be able to capture all the traffic as it passes through them, and the users would not be aware. 
Port security should be used in conjunction with DHCP snooping to prevent a\u00a0\u201cDHCP Starvation Attack\u201d, so that the pool of IP addresses on the real DHCP server is not exhausted as part of a DoS attack before a malicious user brings up a rogue DHCP server.<\/p>\n<p>We can also mitigate an accidental network outage where a user plugs in a rogue DHCP server not realising that the device is handing out IP addresses to users; these users would then potentially lose network connectivity to the LAN and WAN services.<\/p>\n<p><strong>Configuration example 1:<\/strong><\/p>\n<p>The topology below was set up using GNS3; all the devices are IOU devices that are acting in the roles specified. Currently DHCP is set up correctly for VLAN 1 and the DHCP client is able to receive a valid IP from the server. In this setup we will use a single switch and a single VLAN to show how DHCP snooping would block Server messages.<\/p>\n<p>Complete LAB Config can be downloaded here \u2013<\/p>\n<p>DHCP-Server<\/p>\n<p>Core-SW<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"642\" height=\"400\" class=\"wp-image-707\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-2.jpeg\" \/><\/p>\n<p><strong>Step 1.<\/strong>\u00a0Let\u2019s validate that DHCP is working<\/p>\n<p>On the DHCP client we can see that there is a valid IP address on interface\u00a0\u201cEthernet0\/0\u201d\u00a0which is set up to receive its IP via DHCP.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"263\" class=\"wp-image-708\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-3.jpeg\" \/><\/p>\n<p>On the DHCP server we can see that\u00a0\u201c192.168.1.9\u201d\u00a0has been issued to a client with the MAC listed in the DHCP binding table.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"879\" height=\"135\" class=\"wp-image-709\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-4.jpeg\" 
\/><\/p>\n<p><strong>Step 2.<\/strong>\u00a0Let\u2019s configure DHCP snooping on the\u00a0\u201cCore-SW\u201d<\/p>\n<p>#conf t\u00a0\u2013 Enter global configuration mode<\/p>\n<p>#ip dhcp snooping\u00a0\u2013 enable DHCP snooping globally on the switch<\/p>\n<p>#ip dhcp snooping vlan 1\u00a0\u2013 enable DHCP snooping for VLAN 1<\/p>\n<p>#int e0\/1\u00a0\u2013 Enter configuration mode for Ethernet 0\/1 (DHCP client connected port)<\/p>\n<p>#ip dhcp snooping limit rate 10\u00a0\u2013 Set a rate limit on DHCP packets per second to 10<\/p>\n<p>#exit<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"138\" class=\"wp-image-710\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-5.jpeg\" \/><\/p>\n<p><strong>Step 3.<\/strong>\u00a0On the client, reset the network settings and verify that an IP is no longer available due to DHCP snooping. As we haven\u2019t trusted the port that the DHCP server is connected to, we shouldn\u2019t see any IPs coming through to clients.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"194\" class=\"wp-image-711\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-6.jpeg\" \/><\/p>\n<p>On the DHCP server we can see that there are no bindings, as the server messages are not going through to the clients and the switch is dropping the packets.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"99\" class=\"wp-image-712\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-7.jpeg\" \/><\/p>\n<p>If we do a debug on the switch we can see what the switch is doing.<\/p>\n<p>#debug ip dhcp snooping packet<\/p>\n<p>From the output below we can see that the switch is receiving the\u00a0\u201cDHCPDISCOVER\u201d\u00a0packets and forwarding them on to\u00a0\u201cVLAN1\u201d\u00a0via a broadcast, but we can\u2019t see any Offer packets coming back into the switch.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
width=\"1313\" height=\"480\" class=\"wp-image-713\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-8.jpeg\" \/><\/p>\n<p><strong>Step 4.<\/strong>\u00a0Let\u2019s trust the port that is connected to the DHCP server so that the server messages can come into the switch on this port.<\/p>\n<p>#conf t<\/p>\n<p>#int e0\/0<\/p>\n<p>#ip dhcp snooping trust<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"875\" height=\"48\" class=\"wp-image-714\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-9.jpeg\" \/><\/p>\n<p>Instantly after trusting the port that is connected to the DHCP server, the client is able to obtain an IP address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"264\" class=\"wp-image-715\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-10.jpeg\" \/><\/p>\n<p>On the server we can see the DHCP binding for the IP address issued to the client.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"121\" class=\"wp-image-716\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-11.jpeg\" \/><\/p>\n<p>On the switch we can now see the\u00a0\u201cDiscover\u201d,\u00a0\u201cOffer\u201d,\u00a0\u201cRequest\u201d\u00a0and\u00a0\u201cAck\u201d\u00a0messages going back and forth. 
<img loading=\"lazy\" decoding=\"async\" width=\"1313\" height=\"216\" class=\"wp-image-717\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-12.jpeg\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"1313\" height=\"425\" class=\"wp-image-718\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-13.jpeg\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"1311\" height=\"230\" class=\"wp-image-719\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-14.jpeg\" \/><\/p>\n<p>Looking at the DHCP snooping binding table on the switch we can see the trusted and untrusted ports participating in DHCP snooping. All other ports on the switch will be untrusted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"872\" height=\"353\" class=\"wp-image-720\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-15.jpeg\" \/><\/p>\n<p>We can also check the DHCP snooping binding table to see which IP address is mapped to which MAC address. This is the table that can also be used for\u00a0\u201cDynamic ARP inspection\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"874\" height=\"90\" class=\"wp-image-721\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-16.jpeg\" \/><\/p>\n<p><strong>Configuration Example 2:<\/strong><\/p>\n<p>In the topology below we will look at a design that uses both a distribution and an access layer, something a little closer to real life. We will include a couple of VLANs to separate the DHCP server and the user community. Previously we used a flat VLAN, so the DHCP server and client were in the same broadcast domain; in this example we will need to send the DHCP packets as unicast by configuring an\u00a0\u201cip helper-address\u201d. The blue circles are the ports that we will configure as trusted ports for DHCP snooping, and the access layer switches will all participate in DHCP snooping. 
We won\u2019t run DHCP snooping on the switch labelled\u00a0\u201cCORE-01\u201d\u00a0as this will be our collapsed core.<\/p>\n<p>Everything has been configured correctly and DHCP is already working; let\u2019s validate the configuration and then take a look at how to implement DHCP snooping.<\/p>\n<p><strong>Complete LAB Configuration can be downloaded here<\/strong>\u00a0\u2013<\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/CORE-SW.txt\">CORE-SW<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/SERVER-SW.txt\">SERVER-SW<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/ACCESS-SW-1.txt\">ACCESS-SW-1<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/ACCESS-SW-2.txt\">ACCESS-SW-2<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/DHCP-SR-VLAN1.txt\">DHCP-SR-VLAN1<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-722\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-17.jpeg\" width=\"719\" height=\"540\" \/><\/p>\n<p><strong>Step 1.<\/strong>\u00a0Validation:<\/p>\n<p>The two PCs in VLAN 10 and VLAN 20 have valid IP addresses from their respective VLAN pools \u2013<\/p>\n<p><strong>PC-VLAN10<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"132\" class=\"wp-image-723\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-18.jpeg\" \/><\/p>\n<p><strong>PC-VLAN20<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"156\" class=\"wp-image-724\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-19.jpeg\" \/><\/p>\n<p>On the DHCP Server we can see the IP addresses that have been handed out.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"268\" class=\"wp-image-725\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-20.jpeg\" 
\/><\/p>\n<p><strong>Step 2.<\/strong>\u00a0Let\u2019s configure DHCP snooping on the \u201cSERVER-SW\u201d, the switch that the DHCP server is connected to.<\/p>\n<p>#conf t\u00a0\u2013 Enter global configuration mode<\/p>\n<p>#ip dhcp snooping\u00a0\u2013 enable DHCP snooping globally on the switch<\/p>\n<p>#ip dhcp snooping vlan 1\u00a0\u2013 enable DHCP snooping for VLAN 1, as this is the only VLAN coming off this switch. The DHCP server is on VLAN 1.<\/p>\n<p>#exit<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"120\" class=\"wp-image-726\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-21.jpeg\" \/><\/p>\n<p><strong>Step 3.<\/strong>\u00a0Let\u2019s verify \u2013 the DHCP server is now not going to be able to send out any server messages, as all the ports have become untrusted.<\/p>\n<p>On the\u00a0\u201cSERVER-SW\u201d\u00a0we can see that\u00a0\u201cDHCPDISCOVER\u201d\u00a0messages are getting flooded.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"482\" class=\"wp-image-727\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-22.jpeg\" \/><\/p>\n<p>Clients in either VLAN are no longer able to receive an address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"162\" class=\"wp-image-728\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-23.jpeg\" \/><\/p>\n<p><strong>Step 4.<\/strong>\u00a0Let\u2019s set up the trusted ports to allow the DHCP server messages through the\u00a0\u201cSERVER-SW\u201d.<\/p>\n<p>#conf t<\/p>\n<p>#int e0\/0\u00a0\u2013 DHCP Server<\/p>\n<p>#ip dhcp snooping trust<\/p>\n<p>#int e3\/3\u00a0\u2013 Trunk towards\u00a0\u201cCORE-SW\u201d<\/p>\n<p>#ip dhcp snooping trust<\/p>\n<p>#exit<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"162\" class=\"wp-image-729\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-24.jpeg\" \/><\/p>\n<p>We can see 
on the DHCP server that the clients are now once again able to obtain IP addresses from the Server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"260\" class=\"wp-image-730\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-25.jpeg\" \/><\/p>\n<p>Let\u2019s take a look at the DHCP snooping configuration: we can see that DHCP snooping is enabled globally, and that DHCP snooping is enabled for\u00a0\u201cVLAN 1\u201d. From the table we can see that\u00a0\u201cE0\/0 and E3\/3\u201d\u00a0are both listed as trusted ports. You may also notice\u00a0\u201cInsertion of option 82 is enabled\u201d; more on this further down.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"482\" class=\"wp-image-731\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-26.jpeg\" \/><\/p>\n<p><strong>Step 5.<\/strong>\u00a0Although we have configured DHCP snooping on the\u00a0\u201cSERVER-SW\u201d\u00a0we still need to secure\u00a0\u201cACCESS-SW-1\u201d\u00a0and\u00a0\u201cACCESS-SW-2\u201d\u00a0and set the trusted ports.<\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#ip dhcp snooping<\/p>\n<p>#ip dhcp snooping vlan 10,20<\/p>\n<p>#int e3\/1<\/p>\n<p>#ip dhcp snooping trust<\/p>\n<p>#exit<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"163\" class=\"wp-image-732\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-27.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#ip dhcp snooping<\/p>\n<p>#ip dhcp snooping vlan 10,20<\/p>\n<p>#int e3\/2<\/p>\n<p>#ip dhcp snooping trust<\/p>\n<p>#exit<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"163\" class=\"wp-image-733\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-28.jpeg\" \/><\/p>\n<p>Now that all three of the access switches have DHCP snooping enabled there seems to be an additional 
issue, as the client devices can no longer obtain an IP address from the Server.<\/p>\n<p>All three of the access switches are getting flooded with these messages indicating that the packets are being dropped.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"446\" class=\"wp-image-734\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-29.jpeg\" \/><\/p>\n<p>This to me is indicating a problem with\u00a0\u201cOption 82\u201d, which is enabled by default when DHCP snooping is being used.<\/p>\n<p>The DHCP relay agent information (option 82) feature enables the DHCP relay agents (Catalyst switches) to include information about themselves and the attached client when they forward DHCP requests from a DHCP client to a DHCP server.<\/p>\n<p>The DHCP server can use this information to assign IP addresses, perform access control, and set quality of service (QoS) and security policies (or other parameter-assignment policies) for each subscriber of a service-provider network.<\/p>\n<p>When DHCP snooping is enabled on a switch, it automatically enables option 82.<\/p>\n<p>If the DHCP server is not configured to handle the packets with option 82, it ceases to allocate an address to that request.<\/p>\n<p>In order to resolve this issue, we need to disable the subscriber identification option (82) in the switches (relay agents) with the global configuration command,\u00a0\u201cno ip dhcp relay information option\u201d.<\/p>\n<p><strong>Step 6.<\/strong>\u00a0Let\u2019s disable option 82 on all\u00a0\u201cACCESS\u201d\u00a0switches.<\/p>\n<p><strong>SERVER-SW<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#no ip dhcp snooping information option<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"73\" class=\"wp-image-735\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-30.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#no ip dhcp snooping information 
option<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"78\" class=\"wp-image-736\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-31.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#no ip dhcp snooping information option<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"66\" class=\"wp-image-737\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-32.jpeg\" \/><\/p>\n<p>And on the\u00a0\u201cCORE-SW\u201d\u00a0we need to allow it to receive DHCP packets that contain the relay information option with a zero giaddr.<\/p>\n<p><strong>CORE-SW<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#ip dhcp relay information trust-all<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"83\" class=\"wp-image-738\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-33.jpeg\" \/><\/p>\n<p><strong>Step 7.<\/strong>\u00a0Now let\u2019s take a look at the clients \u2013 the clients are now able to obtain an IP address from the DHCP Server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"81\" class=\"wp-image-739\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-34.jpeg\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"103\" class=\"wp-image-740\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-35.jpeg\" \/><\/p>\n<p>On the DHCP Server we can see the leased addresses in the DHCP binding table.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"282\" class=\"wp-image-741\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-36.jpeg\" \/><\/p>\n<p>If we take a look at the DHCP snooping configuration on the\u00a0\u201cACCESS-SW-1\u201d, we can see that DHCP Snooping is enabled globally, DHCP Snooping is enabled for\u00a0\u201cVLAN 10,20\u201d, Option 82 
is\u00a0\u201cdisabled\u201d\u00a0and the trusted port is set to\u00a0\u201cE3\/1\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"338\" class=\"wp-image-742\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-37.jpeg\" \/><\/p>\n<p>If we take a look at the binding table we can see the L2 and L3 mappings in the local DHCP snooping database.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"142\" class=\"wp-image-743\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-38.jpeg\" \/><\/p>\n<p>On the DHCP Snooping configuration for\u00a0\u201cACCESS-SW-2\u201d\u00a0we can see that DHCP Snooping is enabled globally, DHCP Snooping is also enabled for\u00a0\u201cVLAN 10,20\u201d, option 82 is\u00a0\u201cdisabled\u201d\u00a0and the trusted port set to allow DHCP server messages is\u00a0\u201cE3\/2\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"336\" class=\"wp-image-744\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-39.jpeg\" \/><\/p>\n<p>Again, if we take a look at the Snooping binding table we can see the mappings for\u00a0\u201cPC-VLAN20\u201d. <img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"142\" class=\"wp-image-745\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-703-40.jpeg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DHCP Snooping is a layer 2 security technology built into the IOS of a switch. 
The switch will drop DHCP Server messages in order to<\/p>\n","protected":false},"author":1,"featured_media":705,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,9],"tags":[83,84,85,86,87,82],"class_list":["post-703","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-switching","tag-dhcp-snooping","tag-dhcp-snooping-database","tag-dhcp-starvation-attack","tag-mitm","tag-security","tag-tagsdhcp"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=703"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/703\/revisions"}],"predecessor-version":[{"id":746,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/703\/revisions\/746"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/705"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}