As outlined in my previous post (Understanding DHCP), DHCP Discover & DHCP Request packets coming from a client are destined to the layer 2/3 broadcast address. Therefore these packets reach every host in that subnet, so anyone in that subnet can act as a rogue DHCP server & potentially issue the wrong IP to end users.
Most home-grade DSL routers can act as a DHCP server, & if an end user connects one of these devices to the office network, sometimes without their knowledge, it starts issuing IP addresses to real users. In my campus environment this has happened a couple of times, where students in colleges connected these sorts of devices to the network & broke other users' network connectivity. Therefore it is important to improve your network security to prevent these sorts of network failures. The solution is to implement “DHCP snooping“.
Without DHCP snooping, as you saw last time, all 4 DHCP packet types (Discover, Offer, Request, ACK) are broadcast in the vlan 13 subnet & on all trunk links. Here is the capture output on Fa 0/20 filtered for DHCP packets.
Let’s enable DHCP snooping on the switch globally with the “ip dhcp snooping” command & then on vlan 13 with “ip dhcp snooping vlan 13”. Now if you look at the same capture on fa0/20, you will not see any DHCP packets. But if you look at the fa0/19 packet capture you will see something like this.
This proves that the client PC is sending a DHCP Discover message, but the switch is not forwarding it anywhere. This is the normal behaviour of this feature: it will not forward DHCP broadcast messages to any port unless you configure that port as trusted. You can configure a switch port as a trusted port with the “ip dhcp snooping trust” command. Then the question is which ports you need to trust in an access layer switch. The answer is the ports through which the DHCP server is reachable (normally the uplink trunks to the distribution layer). In our case that is fa0/20, so let's see what happens when we trust that port for DHCP snooping. You can verify the DHCP snooping status of a switch by issuing the “show ip dhcp snooping” command.
CAT3(config)#do sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
13
DHCP snooping is operational on following VLANs:
13
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0024.137b.5a00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/20           yes        yes             unlimited
  Custom circuit-ids:
Still I have no luck; I cannot see my client PC getting an IP address yet. I can see the DHCP Discover message sent out of fa0/20, but no response. Why is that? This time, if I look at this Discover message, I notice some differences compared to previous times: it includes option 82 in the bootp options.
This is another default behaviour of this feature: it inserts DHCP option 82 into these Discover packets. Unless your DHCP server is configured to accept this information, it will not respond to these DHCP messages. Configuring DHCP option 82 varies depending on the DHCP server type (Microsoft, Cisco IOS, Linux, etc). Is there any other way to get around this? Yes, you can change the behaviour of adding this option on CAT3 by issuing the “no ip dhcp snooping information option” command. Once you do this you will see something like this in the packet capture & your client PC will get an IP.
If you look at the DHCP Discover message again you will see there is no DHCP option 82 under the bootp section. Here is the Discover message this time.
So finally we achieved the outcome of not forwarding any DHCP broadcast messages to any switchport other than the ports configured for DHCP snooping trust. In summary, this is what you have to do on the CLI to enable this feature on a Cisco switch.
ip dhcp snooping
ip dhcp snooping vlan y <- you can add multiple vlans if needed
no ip dhcp snooping information option
!
interface x/x <- uplink trunk port through which the DHCP server is reachable
ip dhcp snooping trust
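To make the per-port behaviour described above concrete, here is an added example (my own code, not from the post or Cisco) that models the snooping decisions the “show ip dhcp snooping” output lists: server messages dropped on untrusted ports, hwaddr and giaddr verification, option 82 rejected when already present on an untrusted port, and option 82 inserted on the way out unless “no ip dhcp snooping information option” is configured. The packets, the circuit-id value and the sub-option encoding are constructed for the example.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie following the 236-byte BOOTP header
SERVER_MSGS = {2, 5, 6}          # DHCPOFFER, DHCPACK, DHCPNAK: only a server should send these

def build_dhcp(op, msg_type, mac, giaddr=b"\0" * 4, extra=b""):
    """Constructed minimal BOOTP/DHCP packet (sample input, not a capture from the post)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)
    # ciaddr/yiaddr/siaddr, giaddr, chaddr (16 bytes), sname (64), file (128)
    hdr += b"\0" * 12 + giaddr + mac + b"\0" * 10 + b"\0" * 192
    return hdr + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"

def parse_options(pkt):
    """Return {code: value} for the DHCP options; stops at the End option (255)."""
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                          # Pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def add_option82(pkt, circuit_id, remote_id):
    """Append option 82 (sub-option 1 circuit-id, 2 remote-id) before the End option."""
    body = pkt.rstrip(b"\0")                     # drop trailing pad bytes
    assert body[-1] == 255
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return body[:-1] + bytes([82, len(sub)]) + sub + b"\xff"

def snoop(pkt, src_mac, trusted, insert_opt82=True,
          circuit_id=bytes([0, 4, 0, 13, 0, 19]),       # constructed vlan-mod-port style id: vlan 13, port 19
          remote_id=bytes.fromhex("0024137b5a00")):     # switch MAC shown in the post's output
    """Model of the switch's per-port decision: ('forward', packet) or ('drop', reason)."""
    opts = parse_options(pkt)
    msg_type = opts.get(53, b"\0")[0]
    if trusted:                                  # trusted port: everything passes unchanged
        return "forward", pkt
    if msg_type in SERVER_MSGS:                  # a DHCP server behind an access port
        return "drop", "server message on untrusted port"
    if pkt[28:34] != src_mac:                    # "Verification of hwaddr field is enabled"
        return "drop", "chaddr does not match source MAC"
    if pkt[24:28] != b"\0" * 4:                  # "Verification of giaddr field is enabled"
        return "drop", "non-zero giaddr on untrusted port"
    if 82 in opts:                               # "Option 82 on untrusted port is not allowed"
        return "drop", "option 82 already present on untrusted port"
    if insert_opt82:                             # default "ip dhcp snooping information option"
        pkt = add_option82(pkt, circuit_id, remote_id)
    return "forward", pkt
```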
You can see the DHCP binding table entries by using the “show ip dhcp snooping binding” command in the CLI.
CAT3#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:23:2A:1C:EE   10.10.13.11      82404       dhcp-snooping  13    FastEthernet0/19
Total number of bindings: 1
Since this is more or less a security feature, I do not expect the CCIE Wireless exam to test this feature's configuration in detail. I will write a post about DHCP option 82 on the Cisco IOS DHCP server, as it is more relevant to CCIE Wireless.
This feature has a few other tweaks that you can learn about by reading the configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1078853). Also, here are some other useful blog posts describing this feature that I thought worth noting here.
1. Five Things to Know About DHCP Snooping
2. Understanding DHCP Snooping – Part One: The Problem
3. Understanding DHCP Snooping – Part Two: Single Switch Operation
4. Understanding DHCP Snooping – Part Three: Multi Switch Operation
5. Understanding DHCP Snooping – Part Four: Operation with DHCP-Relays
Hello Rasika,
Do you know if using “no ip dhcp snooping information option” on each switch can affect other features like DAI or IPSG?
Thanks!
Hi Florin,
I haven’t tested this feature in depth; in my production network I have enabled this feature for a small area of buildings.
But I haven’t enabled DAI or IPSG, so I can't give you a proper answer.
HTH
Rasika
Thanks, I will see what I can find out.
Hello Rasika,
I am trying to implement DHCP snooping over wireless.
Our wireless clients are not able to acquire an IP address from VLAN 169 and 176.
Our WLC uplink port is configured as trunk and WLC management interface tagged to management VLAN (32) with WLC uplink port configuration:
switchport mode trunk
switchport trunk native vlan 999 (dummy VLAN) >>>Distribution Switch>>>>Nexus 7k CS1 <<<>>> Nexus 7k CS2 >>>> Distribution Switch>>> Server Farm Switch >>>> DHCP Server.
ip dhcp snooping is enabled on CS1 and CS2 on VLANs 169 and 176, and I have disabled the DHCP Proxy option in the WLC as mentioned on supportforums.
Without DHCP snooping, everything works fine. My question is what interfaces should I add “ip dhcp snooping trust” command and should I really disable DHCP proxy in the WLC?
As far as I know, trusting the WLC uplink with “ip dhcp snooping trust” command would be a security issue since wireless NICs can act as DHCP server as well and since trusted would allow an attacker to compromise DHCP requests from our legit DHCP server.
Hoping for your favorable response.
Thanks!
Regards,
Jogh
Edit: Network Topology:
WLC>>>Distribution Switch>>>>Nexus 7k CS1 <<>> Nexus 7k CS2 >>>> Distribution Switch>>> Server Farm Switch >>>> DHCP Server
Thanks!
Jogh
Hi Jogh,
Since your DHCP clients (for wireless) are seen on the network at your Distribution switch, DHCP snooping needs to be enabled on that switch (not CS1 or CS2).
Also, since the DHCP server is reachable via CS1 & CS2, you need to trust the interfaces going to CS1 or CS2 from your distribution switch.
HTH
Rasika
Hi Rasika,
Thank you for your response.
Based on my understanding, what you are saying is that the uplink interface of the Dist Switch connected to the WLC that goes to the core switch should be trusted as well?
How about the uplink interface of the switch where the APs are connected?
However, I was just wondering why DHCP snooping works fine on wired clients, wherein it was enabled on the Core Switches.
Also, does disabling DHCP proxy in the WLC help?
Thanks,
Jogh
Hi @jogh, could I get your mail? I got the same problem, you may help me.
Hi Rasika,
Please see diagram for your reference. WLAN is the WLC (apologies for that) and icons with Circles inside are the Nexus 7K’s.
Question is where should I apply “ip dhcp snooping trust” command and “ip dhcp snooping”?
https://imageshack.com/i/mreagjp
Thanks.
Hi Jogh,
I would think you need to configure DHCP snooping on 172.20.30.5 (WLC connected switch) & trust the uplink port going to the 7K (172.20.0.7).
This is the switch where the wired network will see all wireless clients' DHCP requests coming from (due to the CAPWAP tunnel, all your access switches won’t see any internal IP packets).
HTH
Rasika
Hi Rasika,
Will try your suggestions and get back to you once I have made it work.
May I ask as well, on the WLC connected switch (172.20.30.5), should I apply the “no ip dhcp snooping information option” command?
Thank you.
Jogh
I am not too sure; I would think the WLC will add DHCP option 82 for the wireless client DHCP request & not the switch.
Anyway, you can try it without that first & then with it & see the difference.
Keep us posted
HTH
Rasika
Hi Rasika,
To give you an update, DHCP snooping already worked following your recommendations.
Thank you very much for your help!
Regards,
Jogh
Glad to hear that & thanks for keeping us posted
Rasika
You’re my hero, Rasika! This Option 82 behaviour has been the last thing catching me out with this platform. 🙂
Hi James,
Glad you found it useful :).. Thanks for the feedback..
Rasika
thank you!!
I’m studying for my ccna right now with the OCG from Odom.
And even that book doesn't tell you that the switch DOESN'T forward the DISCOVER packets on an untrusted port.
They only tell you that an untrusted port can’t send an OFFER or ACKNOWLEDGEMENT. So thanks!
Thank you for the compliments
Glad to see these posts help
Rasika
Hi
Please let me know, for the below scenario, why and how the IP address is allocated to the Host.
I have the below scenario.
Host ---- Router(Relay) ---- Switch with DHCP snooping ---- DHCP server
On the DHCP snooping switch, for which combination of Untrusted/Trusted ports is the IP address allocated to the Host?
Combinations on Snooping switch:
Relay side port    DHCP server side port
---------------    ---------------------
untrust            trust
trust              trust
trust              untrust
untrust            untrust
Scenario :
Host —- Router(Relay) —– Switch with DHCP snooping—–DHCP server
Great post! Thanks for your time!
Thank you Luis
Rasika
If DHCP snooping is enabled on a switch and I have APs in FlexConnect, locally switched, and a central DHCP server.
What is the best practice for the switchports that access points are connected to? Do we even need the trust command on those ports?