Cisco’s Overview of DHCP Snooping
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.
Well, thanks for that extremely clear overview… what is actually going on? Let's say you have a switch. You hook a DHCP server up to port #1 and designate this as a “trusted” interface, and all of the rest of the ports that will have devices connected to them are set up as “untrusted”. You would set this up using the commands:
*** Enable DHCP Snooping & ARP Inspection ***
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcpdb.dat
ip dhcp snooping
ip arp inspection vlan 100

*** Untrusted Access Interfaces for DHCP ***
Int Range Fa1/0/2 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto
Int Range Fa2/0/1 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto

*** Trusted Access Interface for DHCP ***
Int Fa1/0/1
 description DHCP Server
 switchport access vlan 100
 switchport mode access
 no mdix auto
 ip dhcp snooping trust
DHCP Client requests are forwarded regardless of the trust state of the port, but DHCP server responses are dropped if the port is untrusted.
So let's say on port #2 the switch sees a DHCP discovery packet float by from a DHCP client. Because it is a broadcast message, it gets flooded to all ports on the VLAN. The DHCP server connected to port #1 sees the discovery packet and sends a unicast DHCPOFFER packet to the client. Because this originated from a “trusted” port, the offer is allowed through. The client receives the DHCPOFFER, chooses one offer from all that it receives, and responds with a DHCPREQUEST back to the DHCP server. The server then responds with a DHCPACK that includes the configuration parameters and the committed network address. The switch records the client binding (port, VLAN, MAC address, IP, etc.) in its local snooping database.
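To make the trust rule and the binding-table update concrete, here is a small added model of the exchange above (my own illustration, not Cisco code or anything from this post). It assumes a single VLAN 100 with Fa1/0/1 trusted, and uses the MAC, IP and lease from the lookup later in the post as constructed sample values.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53 values); OFFER and ACK are only ever sent by servers
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}

@dataclass
class SnoopingSwitch:
    """Constructed model of one VLAN's DHCP snooping policy (hypothetical, not IOS code)."""
    vlan: int
    trusted: set                                       # ports with 'ip dhcp snooping trust'
    client_port: dict = field(default_factory=dict)    # mac -> untrusted ingress port
    bindings: dict = field(default_factory=dict)       # mac -> binding table row

    def handle(self, ingress, msg_type, client_mac, yiaddr=None, lease=0):
        """Return 'forward' or 'drop' for one DHCP message seen on `ingress`."""
        if msg_type in SERVER_MSGS:
            if ingress not in self.trusted:
                return "drop"          # server reply on an untrusted port: rogue server
            if msg_type == ACK and client_mac in self.client_port:
                # bind the lease to the client's own (untrusted) port, not the server's
                self.bindings[client_mac] = {
                    "mac": client_mac, "ip": yiaddr, "lease": lease,
                    "type": "dhcp-snooping", "vlan": self.vlan,
                    "interface": self.client_port[client_mac]}
            return "forward"
        # client messages are forwarded regardless of trust state; remember the
        # port so the ACK can be bound to it (hosts on trusted ports are not tracked)
        if ingress not in self.trusted:
            self.client_port[client_mac] = ingress
        return "forward"

    def lookup(self, ip):
        """Same question as 'sh ip dhcp snooping binding | include <ip>'."""
        return next((b for b in self.bindings.values() if b["ip"] == ip), None)

def demo():
    sw = SnoopingSwitch(vlan=100, trusted={"Fa1/0/1"})
    mac = "00:1E:EC:1E:74:DA"
    results = [
        sw.handle("Fa2/0/32", DISCOVER, mac),
        sw.handle("Fa1/0/1", OFFER, mac, "10.1.144.81"),
        sw.handle("Fa2/0/32", REQUEST, mac),
        sw.handle("Fa1/0/1", ACK, mac, "10.1.144.81", 15468045),
        sw.handle("Fa2/0/7", OFFER, mac, "192.0.2.9"),   # offer from an access port: dropped
    ]
    return results, sw.lookup("10.1.144.81")
```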
So in a nutshell, DHCP snooping offers some additional security by ensuring only your DHCP servers are responding to DHCP client broadcasts, and it is also a convenient way to keep track of which client IPs are connected to which port.
So now a real world example… let's say my IPS detects malicious traffic from an IP address: 10.1.144.81
Below is the CLI for the switch to find an IP address.
We can get the MAC, IP address, time left on the lease, VLAN number, and switch interface from the dhcp-snooping database:
switchXYZ#sh ip dhcp snooping binding | include 10.1.144.81
00:1E:EC:1E:74:DA   10.1.144.81   15468045   dhcp-snooping   100   FastEthernet2/0/32
Below is an example displaying part of the dhcp snooping database.
switchXYZ#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:16:D4:A5:89:22   10.1.144.64      14956850    dhcp-snooping  100   FastEthernet1/0/42
00:1C:25:98:50:43   10.1.144.87      12637737    dhcp-snooping  100   FastEthernet1/0/41
00:1E:EC:1E:74:C4   10.1.144.119     14519969    dhcp-snooping  100   FastEthernet2/0/36
00:21:97:C4:27:17   10.1.144.85      15551889    dhcp-snooping  100   FastEthernet2/0/28
00:1B:38:F1:F4:F8   10.1.144.95      6503907     dhcp-snooping  100   FastEthernet1/0/35
00:1E:EC:1E:74:DA   10.1.144.81      15468308    dhcp-snooping  100   FastEthernet2/0/32
00:1C:23:88:E9:01   10.1.144.71      11418033    dhcp-snooping  100   FastEthernet2/0/4
00:1B:38:7B:6C:7E   10.1.144.66      12013698    dhcp-snooping  100   FastEthernet1/0/1
00:1F:6C:81:2F:8B   10.1.145.60      15542941    dhcp-snooping  100   FastEthernet2/0/38
00:22:55:5E:62:CB   10.1.145.56      15542874    dhcp-snooping  100   FastEthernet1/0/36
00:1E:13:8C:D8:82   10.1.145.132     15542955    dhcp-snooping  100   FastEthernet3/0/39
Total number of bindings: 204
Once we know what port the IP address is associated with, we can quickly look up information on the port… and if you use meaningful descriptions you could get the workstation location.
switchXYZ#sh run
Type in: /2/0/32   <------ The first slash gives you a find feature; the number and slashes that follow are the port info
Int Fa2/0/32
 description Workstation Cube XYZ
 switchport access vlan 100
 switchport mode access
 no mdix auto
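The three steps above (binding lookup, port, description) are easy to script against saved CLI output. This is an added example of mine, not part of the original post: it parses a constructed three-row excerpt in the same column format as the binding table and a constructed `sh run` excerpt, and maps an IP to its MAC, interface and description; an IP with no binding (for example a static host) comes back as None.

```python
import re

# Constructed sample in the format of 'sh ip dhcp snooping binding' (3 rows, not the page's 204)
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:16:D4:A5:89:22   10.1.144.64      14956850    dhcp-snooping  100   FastEthernet1/0/42
00:1E:EC:1E:74:DA   10.1.144.81      15468308    dhcp-snooping  100   FastEthernet2/0/32
00:1F:6C:81:2F:8B   10.1.145.60      15542941    dhcp-snooping  100   FastEthernet2/0/38
Total number of bindings: 3
"""

# Constructed 'sh run' excerpt with interface descriptions (only two ports described)
RUNNING_CONFIG = """\
interface FastEthernet1/0/42
 description Workstation Cube ABC
!
interface FastEthernet2/0/32
 description Workstation Cube XYZ
 switchport access vlan 100
!
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$", re.I)

def parse_bindings(text):
    """Return {ip: row-dict} for every binding line; header, dashes and total are skipped."""
    rows = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            rows[m["ip"]] = m.groupdict()
    return rows

def interface_description(config, iface):
    """Return the 'description' under 'interface <iface>' in a running config, else None."""
    in_block = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_block = line.split(None, 1)[1] == iface
        elif in_block and line.strip().startswith("description "):
            return line.strip()[len("description "):]
    return None

def locate(ip, bindings_text=BINDING_OUTPUT, config=RUNNING_CONFIG):
    """Map an IPS-reported IP to (MAC, interface, description); None if it has no binding."""
    row = parse_bindings(bindings_text).get(ip)
    if row is None:
        return None  # static host or not snooped: fall back to the ARP/MAC tables
    return row["mac"], row["iface"], interface_description(config, row["iface"])
```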
References:
DHCP RFC
Cisco – Understanding and Configuring DHCP Snooping
I should note that there are two additional commands that should be set on interfaces that are using static IP addresses.
ip dhcp snooping trust
ip arp inspection trust
These two functions work in conjunction with each other and I’ve had problems using the above technique for static IPs unless I set them.
Comment by Tim Lefler — April 8, 2010 @ 7:52 pm
I was very pleased to find this site. I wanted to thank you for this great read; I am definitely enjoying every little bit of it, and I have you bookmarked to check out new stuff you post.
Comment by therichjanitor — July 4, 2010 @ 3:37 am
A topic close to my heart, thanks. Needed more pictures though.
Comment by Coloring Pages — August 5, 2010 @ 2:35 pm