
As outlined in my previous post (Understanding DHCP), DHCP Discover and DHCP Request packets from a client are sent to the layer 2/3 broadcast address, so they reach every host in that subnet. Anyone in that subnet can therefore act as a rogue DHCP server and potentially hand out the wrong IP addresses to end users.

Most home-grade DSL routers can act as a DHCP server, and if an end user connects one of these to the office network, the device can start issuing IP addresses to real users, often without the user's knowledge. In my campus environment this has happened a couple of times: students in colleges connect these sorts of devices to the network and break other users' network connectivity. It is therefore important to improve your network security to prevent these sorts of network failures. The solution is to implement “DHCP snooping”.

[Figure: DHCP-Snooping-01]

Without DHCP snooping, as you saw last time, all 4 DHCP packet types (Discover, Offer, Request, ACK) are broadcast within the VLAN 13 subnet and across all trunk links. Here is the capture output on Fa0/20 filtered for DHCP packets.

[Figure: DHCP-Snooping-02]

Let’s enable DHCP snooping on the switch globally with the “ip dhcp snooping” command and then on VLAN 13 with “ip dhcp snooping vlan 13”. Now if you look at the same capture on Fa0/20, you will not see any DHCP packets. But if you look at the Fa0/19 packet capture you will see something like this.

[Figure: DHCP-Snooping-03]

This proves that the client PC is sending DHCP Discover messages, but the switch is not forwarding them anywhere. This is the normal behaviour of the feature: it will not forward DHCP broadcast messages to any port unless that port is configured as trusted. You can configure a switch port as trusted with the “ip dhcp snooping trust” command. The question then is which ports you need to trust on an access layer switch. The answer is the ports through which the DHCP server is reachable (normally the uplink trunks to the distribution layer). In our case that is Fa0/20, so let’s see what happens when we trust that port for DHCP snooping. You can verify the DHCP snooping status of a switch with the “show ip dhcp snooping” command.

CAT3(config)#do sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:13
DHCP snooping is operational on following VLANs:13
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0024.137b.5a00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
FastEthernet0/20           yes        yes             unlimited
  Custom circuit-ids:

Still I have no luck: I cannot see my client PC getting an IP address yet. I can see the DHCP Discover message sent out of Fa0/20, but no response. Why is that? This time, if I look at the Discover message, I notice some differences compared to previous times. It includes option 82 in the BOOTP options.

[Figure: DHCP-Snooping-04]

This is another default behaviour of this feature: it inserts DHCP option 82 into these Discover packets. Unless your DHCP server is configured to accept this information, it will not respond to these DHCP messages. How option 82 is configured varies depending on the DHCP server type (Microsoft, Cisco IOS, Linux, etc.). Is there any other way around this? Yes, you can change this behaviour on CAT3 by issuing the “no ip dhcp snooping information option” command. Once you do this you will see something like this in the packet capture, and your client PC will get an IP.

[Figure: DHCP-Snooping-05]

If you look at the DHCP Discover message again you will see there is no DHCP option 82 under the BOOTP section. Here is the Discover message this time.

[Figure: DHCP-Snooping-06]

So finally we achieved the outcome of not forwarding any DHCP broadcast messages to any switchport other than the ports configured as DHCP snooping trusted. In summary, this is what you have to do on the CLI to enable this feature on a Cisco switch.

ip dhcp snooping
ip dhcp snooping vlan y                  <- you can add multiple VLANs if needed
no ip dhcp snooping information option
interface x/x                            <- uplink trunk port where the DHCP server is reachable
 ip dhcp snooping trust
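The summary above is easy to get subtly wrong on a busy access switch (a user-facing port trusted by mistake, or option 82 insertion left on against a server that drops it). The following Python script is an added example, not part of the original post, that audits a running-config excerpt for exactly those points: it checks that snooping is on globally and for at least one VLAN, that only the operator-supplied uplink set is trusted, and that option 82 insertion is either disabled or the server is declared to accept it. The sample config and interface names are constructed for the example, and the `uplinks` set is an assumption the operator supplies.

```python
"""Audit a Cisco IOS running-config excerpt for DHCP snooping settings.

Added example: checks that snooping is enabled globally and per VLAN,
that only the designated uplink(s) are trusted, and flags option 82
insertion when the DHCP server is not known to accept it.
"""
import re

# Constructed sample running-config excerpt (hypothetical; not captured
# from the switch in the post). Fa0/21 is deliberately mis-trusted.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 13
no ip dhcp snooping information option
ip dhcp snooping
!
interface FastEthernet0/19
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/20
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/21
 switchport access vlan 13
 switchport mode access
 ip dhcp snooping trust
!
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-12,15' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_snooping(config):
    """Pull the DHCP snooping related lines out of a running-config."""
    state = {
        "global": False,      # 'ip dhcp snooping'
        "vlans": set(),       # 'ip dhcp snooping vlan ...'
        "option82": True,     # IOS default: insertion enabled
        "trusted": [],        # interfaces with 'ip dhcp snooping trust'
    }
    current = None  # name of the interface stanza we are inside, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not line.startswith(" "):
            # Top-level line: either a global command or a new stanza.
            current = None
            m = re.match(r"interface (\S+)$", stripped)
            if m:
                current = m.group(1)
            elif stripped == "ip dhcp snooping":
                state["global"] = True
            elif stripped.startswith("ip dhcp snooping vlan "):
                spec = stripped[len("ip dhcp snooping vlan "):]
                state["vlans"] |= expand_vlan_list(spec)
            elif stripped == "no ip dhcp snooping information option":
                state["option82"] = False
        elif current and stripped == "ip dhcp snooping trust":
            state["trusted"].append(current)
    return state


def audit(config, uplinks, server_accepts_option82=False):
    """Return (parsed state, list of findings) for the given config."""
    s = parse_snooping(config)
    findings = []
    if not s["global"]:
        findings.append("DHCP snooping is not enabled globally")
    if not s["vlans"]:
        findings.append("no VLAN has DHCP snooping enabled")
    for intf in s["trusted"]:
        if intf not in uplinks:
            findings.append(f"{intf} is trusted but is not a designated uplink")
    for up in sorted(uplinks):
        if up not in s["trusted"]:
            findings.append(f"uplink {up} is not trusted, so DHCP offers cannot reach clients")
    if s["option82"] and not server_accepts_option82:
        findings.append("option 82 insertion is enabled but the DHCP server is not known to accept it")
    return s, findings


if __name__ == "__main__":
    state, problems = audit(SAMPLE_CONFIG, {"FastEthernet0/20"})
    print("trusted:", state["trusted"], "vlans:", sorted(state["vlans"]))
    for p in problems:
        print("FINDING:", p)
```

Run against the constructed config it reports the single finding that FastEthernet0/21, an access port, is trusted; feed it a config that omits “no ip dhcp snooping information option” and it additionally reminds you that the server must accept option 82, which is the failure mode described above.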

You can see the DHCP snooping binding table entries with the “show ip dhcp snooping binding” command on the CLI.

CAT3#sh ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:23:2A:1C:EE      82404       dhcp-snooping   13    FastEthernet0/19
Total number of bindings: 1

Since this is more or less a security feature, I do not expect the CCIE Wireless exam to test this feature’s configuration in detail. I will write a post about DHCP option 82 in the Cisco IOS DHCP server, as it is more relevant to CCIE Wireless.

This feature has a few other tweaks that you can learn about by reading the configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1078853). Also, here are some other useful blog posts describing this feature that I thought worth noting here.

1. Five Things to Know About DHCP Snooping
2. Understanding DHCP Snooping – Part One: The Problem
3. Understanding DHCP Snooping – Part Two: Single Switch Operation
4. Understanding DHCP Snooping – Part Three: Multi Switch Operation
5. Understanding DHCP Snooping – Part Four: Operation with DHCP-Relays

Related Posts

1. Understanding DHCP
2. Understanding DHCP Option 43
3. Understanding DHCP Option 82
4. WLC – DHCP Option 82 Configuration Example