Intro
You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network.
DHCP snooping accomplishes this by allowing you to distinguish between trusted ports (connected to a DHCP server or switch) and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped.
Condition for dropping a packet | Packet types
--- | ---
A packet from a DHCP server received on an untrusted port | DHCPOFFER, DHCPACK, DHCPNACK
If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses | DHCPOFFER, DHCPACK, DHCPNACK
Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet | N/A
Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received from an untrusted port | N/A
A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is received | DHCPRELEASE, DHCPDECLINE
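As an added example (not from the original post), the drop rules in the table above written out as a small Python model; the packet fields, configuration attributes and the binding-table shape are assumptions, and the reason strings follow the counters reported by the ProCurve "show dhcp-snooping stats" command.

```python
from dataclasses import dataclass, field

# Message classes used by the rules (the table spells DHCPNAK as "DHCPNACK").
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPNACK"}
RELEASE_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}

@dataclass
class DhcpPacket:            # fields are assumptions of this model
    msg_type: str            # e.g. "DHCPOFFER", "DHCPRELEASE"
    port: str                # ingress switch port
    src_ip: str              # IP source address
    src_mac: str             # Ethernet source MAC
    chaddr: str              # DHCP client hardware address field
    has_option82: bool = False
    broadcast: bool = False

@dataclass
class SnoopingConfig:        # mirrors the knobs in "show dhcp-snooping"
    trusted_ports: set
    authorized_servers: set = field(default_factory=set)  # empty set = no check
    verify_mac: bool = True                  # "Verify MAC"
    drop_untrusted_option82: bool = True     # "Option 82 untrusted policy : drop"
    bindings: dict = field(default_factory=dict)  # client MAC -> learned port

def snoop_decision(pkt, cfg):
    """Return ("forward", reason) or ("drop", reason); reasons mirror the stats counters."""
    trusted = pkt.port in cfg.trusted_ports
    if pkt.msg_type in SERVER_MSGS:
        # Rows 1 and 2 of the table: server messages are only accepted from
        # trusted ports, and optionally only from listed server addresses.
        if not trusted:
            return ("drop", "received on untrusted port")
        if cfg.authorized_servers and pkt.src_ip not in cfg.authorized_servers:
            return ("drop", "unauthorized server")
        return ("forward", "from trusted port")
    if trusted:   # client traffic arriving on a trusted port is not inspected
        return ("forward", "from trusted port")
    # Row 3: chaddr must match the frame's source MAC unless the check is off.
    if cfg.verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
        return ("drop", "failed verify MAC check")
    # Row 4: relay information (option 82) is not accepted from an untrusted port.
    if cfg.drop_untrusted_option82 and pkt.has_option82:
        return ("drop", "untrusted option 82 field")
    # Row 5: a RELEASE/DECLINE for a lease that was learned on a different port.
    if pkt.broadcast and pkt.msg_type in RELEASE_MSGS:
        bound_port = cfg.bindings.get(pkt.src_mac.lower())
        if bound_port is not None and bound_port != pkt.port:
            return ("drop", "bad DHCP release request")
    return ("forward", "to trusted port")
```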
Configuration restrictions and guidelines
When you configure DHCP snooping, follow these restrictions and guidelines:
· DHCP snooping operates between the DHCP client and DHCP server, or between the DHCP client and DHCP relay agent. It does not operate between the DHCP server and DHCP relay agent.
· The DHCP snooping enabled device cannot act as a DHCP server or DHCP relay agent.
· The trusted port and the port connected to the DHCP client must be in the same VLAN.
· You can configure Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted interfaces.
· When a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration on the interface does not take effect. After the interface is removed from the aggregation group, the configuration takes effect.
HPN ProCurve Switches
Enable globally
dhcp-snooping
Enable per VLAN
dhcp-snooping vlan 1
dhcp-snooping vlan 10
dhcp-snooping vlan 40
dhcp-snooping vlan 50
Designate authorized servers
dhcp-snooping authorized-server 10.11.12.13
dhcp-snooping authorized-server 10.15.20.25
dhcp-snooping authorized-server 10.20.30.40
dhcp-snooping authorized-server 10.9.8.7
Apply to the uplink interface to the core switch
interface Trk1
dhcp-snooping trust
exit
To display the DHCP snooping configuration:
# show dhcp-snooping
DHCP Snooping Information
DHCP Snooping : Yes
Enabled Vlans : 1 10 40 50
Verify MAC : No
Option 82 untrusted policy : drop
Option 82 Insertion : No
Option 82 remote-id : mac
Store lease database : Not configured
Port Trust
----- -----
1 No
2 No
.
.
Trk1 Yes
To display statistics about the DHCP snooping process:
# show dhcp-snooping stats
Packet type  Action   Reason                          Count
-----------  -------  ------------------------------  ---------
Server       forward  from trusted port               8
Client       forward  to trusted port                 8
Server       drop     received on untrusted port      2
Server       drop     unauthorized server             0
Client       drop     destination on untrusted port   0
Client       drop     untrusted option 82 field       0
Client       drop     bad DHCP release request        0
Client       drop     failed verify MAC check         0
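As an added example (not from the original post), a small parser for the "show dhcp-snooping stats" output above that turns the drop counters into something a monitoring job can alert on; the sample text is constructed from the output format shown on this page, and the column widths are an assumption.

```python
import re

# One counter row: packet type, action, free-text reason, integer count.
STATS_LINE = re.compile(r"^(Server|Client)\s+(forward|drop)\s+(.*?)\s+(\d+)$")

# Constructed sample in the format of "show dhcp-snooping stats".
SAMPLE_STATS = """\
Packet type  Action   Reason                          Count
-----------  -------  ------------------------------  ---------
Server       forward  from trusted port               8
Client       forward  to trusted port                 8
Server       drop     received on untrusted port      2
Server       drop     unauthorized server             0
Client       drop     destination on untrusted port   0
Client       drop     untrusted option 82 field       0
Client       drop     bad DHCP release request        0
Client       drop     failed verify MAC check         0
"""

def parse_snooping_stats(text):
    """Return a list of (packet_type, action, reason, count) tuples.

    Header and separator lines do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if m:
            ptype, action, reason, count = m.groups()
            rows.append((ptype, action, reason, int(count)))
    return rows

def drop_alerts(rows, previous=None):
    """Map each drop reason to how much its counter grew since `previous`.

    `previous` is {reason: count} from the last poll; with no baseline every
    non-zero drop counter is reported. A rising "received on untrusted port"
    count is the signature of a DHCP server answering on an access port."""
    previous = previous or {}
    alerts = {}
    for ptype, action, reason, count in rows:
        if action != "drop":
            continue
        delta = count - previous.get(reason, 0)
        if delta > 0:
            alerts[reason] = delta
    return alerts
```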
Example HPN Comware 12500 Configuration Procedure
(Derived from "H3C S12500 DHCP Snooping Configuration Examples" online manual)
Figure 1
Configure DHCP Server Switch A
# Enable DHCP.
[SwitchA] dhcp enable
# Configure DHCP address pool 1.
[SwitchA] dhcp server ip-pool 1
[SwitchA-dhcp-pool-1] network 10.1.0.0 24
[SwitchA-dhcp-pool-1] quit
# Create VLAN 10, specify an IP address for VLAN-interface 10, and add GigabitEthernet 3/0/1 to VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] port GigabitEthernet 3/0/1
[SwitchA-vlan10] interface Vlan-interface 10
[SwitchA-Vlan-interface10] ip address 10.1.0.2 24
[SwitchA-Vlan-interface10] undo shutdown
[SwitchA] interface GigabitEthernet3/0/1
[SwitchA-GigabitEthernet3/0/1] undo shutdown
Configure DHCP Snooping Switch B
# Add all ports to VLAN 10. (Details not shown.)
# Enable DHCP snooping.
[SwitchB] dhcp-snooping
# Configure GigabitEthernet 3/0/1 as trusted.
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet3/0/1] undo shutdown
# Enable ARP detection.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure GigabitEthernet 3/0/1 as an ARP trusted interface.
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] arp detection trust
Verifying the configuration
After the configuration, DHCP clients can obtain IP addresses only from the authorized DHCP server (Switch A).
# Display information about trusted ports.
<SwitchB> display dhcp-snooping trust
DHCP Snooping is enabled.
DHCP Snooping trust becomes active.
Interface                 Trusted
========================= ============
GigabitEthernet3/0/1      Trusted
The DHCP snooping device checks the validity of ARP packets received on GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3, and then performs a user validity check based on DHCP snooping entries.
# Display all ARP detection-enabled VLANs.
<SwitchB> display arp detection
ARP detection is enabled in the following VLANs:
10
# Display DHCP snooping entries.
<SwitchB> display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static , R--Recovering
Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D    10.1.0.3        0000-0101-010b 85999        10   N/A   GigabitEthernet3/0/2
--- 1 dhcp-snooping item(s) found ---
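As an added example (not from the original post or the H3C manual), a parser for the Comware "display dhcp-snooping" binding table above, used the way ARP detection uses it: an ARP packet on an untrusted port in VLAN 10 is accepted only if its sender IP and MAC match the entry learned on that port. The ARP packet fields and the sample entry are constructed assumptions.

```python
import re

# Constructed sample in the format of "display dhcp-snooping" (one dynamic entry).
SAMPLE_BINDINGS = """\
Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D    10.1.0.3        0000-0101-010b 85999        10   N/A   GigabitEthernet3/0/2
"""

# Type, IP, MAC (Comware xxxx-xxxx-xxxx form), lease, VLAN, SVLAN, interface.
ENTRY = re.compile(
    r"^([DSR])\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_bindings(text):
    """Return {(vlan, interface, ip): mac} built from the binding table output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            _type, ip, mac, _lease, vlan, _svlan, iface = m.groups()
            table[(int(vlan), iface, ip)] = mac
    return table

def arp_detection(table, vlan, iface, sender_ip, sender_mac, trusted=False):
    """Return (True, reason) to forward an ARP packet or (False, reason) to drop it.

    ARP trusted interfaces (the uplink to Switch A here) are not checked; on
    every other port the sender IP/MAC pair must be a DHCP snooping entry
    learned on that same port and VLAN, which blocks spoofed ARP replies."""
    if trusted:
        return (True, "ARP trusted interface")
    bound_mac = table.get((vlan, iface, sender_ip))
    if bound_mac is None:
        return (False, "no DHCP snooping entry for sender IP on this port/VLAN")
    if bound_mac != sender_mac.lower():
        return (False, "sender MAC does not match DHCP snooping entry")
    return (True, "matches DHCP snooping entry")
```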
Please add comments so I may update the material to accommodate platform modifications to various commands. Also, if you have some real-world caveats, please do share.