DHCP snooping technical analysis and configuration details

Source: Internet
Author: User
Tags: cisco, switch

Network security and stability are top priorities, and DHCP is no exception. DHCP snooping is one of the security features built around DHCP; this article introduces the technology and its configuration in detail.

I. Introduction to DHCP Snooping Technology

DHCP snooping is a DHCP security feature. Cisco switches support enabling DHCP snooping on a per-VLAN basis. With this feature enabled, the switch can intercept all DHCP packets within the Layer 2 VLAN.

With DHCP snooping enabled, the switch restricts user ports (untrusted ports) to sending only DHCP requests and discards any other DHCP packet arriving from a user port, such as a DHCP Offer. Not every DHCP request from a user port is allowed through either: the switch compares the source MAC address in the frame header with the client hardware address carried in the DHCP request (the CHADDR field), and forwards the request only if the two match; otherwise the request is discarded. This prevents DHCP starvation (address-pool depletion) attacks.

Trusted ports may receive all DHCP packets. By configuring only the port that connects the switch to the legitimate DHCP server as trusted, and all other ports as untrusted, you prevent a user from setting up a rogue DHCP server to attack the network.

DHCP snooping can also rate-limit DHCP packets on a port. By limiting the rate on each untrusted port, a flood of otherwise valid DHCP request packets can be blocked.

DHCP snooping also plays an important role in building the DHCP snooping binding table. Once a client connected to an untrusted port obtains a valid DHCP Offer, the switch automatically adds an entry to the binding table containing the client's IP address, MAC address, the untrusted port number, the VLAN number and the lease period.
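The checks described above, as an added example that is not part of the original article and is not Cisco's code: a small Python model of per-VLAN DHCP snooping. It parses constructed BOOTP/DHCP payloads, drops server replies and CHADDR/source-MAC mismatches that arrive on untrusted ports, err-disables a port that exceeds a per-second packet limit, and learns a binding (IP, MAC, port, VLAN, lease) when the trusted uplink answers a request previously seen on an untrusted port. Port names, MAC addresses, the transaction ID and the 15 packets-per-second limit are assumed sample values; the model records the binding on either the Offer or the Ack, so it matches both the article's wording and the usual server exchange.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa

BOOTREQUEST, BOOTREPLY = 1, 2                               # BOOTP op field
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5  # option 53 values
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"                    # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                                 # DHCP magic cookie at offset 236


def build_dhcp(op, chaddr, msg_type, yiaddr="0.0.0.0", lease=None):
    """Constructed sample payload: BOOTP header, magic cookie, option 53 (and 51)."""
    hdr = struct.pack(BOOTP_HDR, op, 1, len(chaddr), 0, 0x1234, 0, 0,
                      inet_aton("0.0.0.0"), inet_aton(yiaddr),
                      inet_aton("0.0.0.0"), inet_aton("0.0.0.0"),
                      chaddr, b"", b"")               # struct null-pads chaddr/sname/file
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Return (op, chaddr, yiaddr, options) from a raw DHCP payload."""
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    f = struct.unpack(BOOTP_HDR, payload[:236])
    op, hlen, yiaddr = f[0], f[2], inet_ntoa(f[8])
    chaddr = f[11][:hlen]                             # CHADDR: the field the switch compares
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:                           # pad option has no length byte
            i += 1
            continue
        code, ln = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, chaddr, yiaddr, opts


@dataclass
class Binding:
    ip: str
    mac: bytes
    port: str
    vlan: int
    lease: int


class DhcpSnoopingVlan:
    """Per-VLAN model of the snooping checks; trusted ports pass everything."""

    def __init__(self, vlan, trusted_ports=(), rate_limit=15):
        self.vlan, self.trusted, self.rate_limit = vlan, set(trusted_ports), rate_limit
        self.bindings = {}                 # chaddr -> Binding (the snooping binding table)
        self.errdisabled = set()           # ports shut down for exceeding the rate limit
        self._pending = {}                 # chaddr -> untrusted port that sent the request
        self._pps = defaultdict(int)       # (port, second) -> DHCP packets seen

    def handle(self, port, src_mac, payload, second=0):
        """Return 'forward' or 'drop: <reason>' for one DHCP packet seen on a port."""
        if port in self.errdisabled:
            return "drop: port err-disabled"
        op, chaddr, yiaddr, opts = parse_dhcp(payload)
        mtype = opts.get(53, b"\0")[0]
        if port in self.trusted:
            # server answered a request we saw on an untrusted port: learn the binding
            if op == BOOTREPLY and mtype in (DHCPOFFER, DHCPACK) and chaddr in self._pending:
                lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
                self.bindings[chaddr] = Binding(yiaddr, chaddr, self._pending[chaddr],
                                                self.vlan, lease)
            return "forward"
        self._pps[(port, second)] += 1    # untrusted port: rate limit is checked first
        if self._pps[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if op == BOOTREPLY:
            return "drop: server reply on untrusted port"     # rogue DHCP server
        if chaddr != src_mac:
            return "drop: CHADDR does not match source MAC"   # starvation attempt
        self._pending[chaddr] = port
        return "forward"


def demo():
    """Run constructed traffic through the model; returns (snooper, list of verdicts)."""
    sn = DhcpSnoopingVlan(vlan=10, trusted_ports={"Gi0/1"})
    client = bytes.fromhex("000f1fc51008")            # sample client MAC
    r = [sn.handle("Fa0/2", client, build_dhcp(BOOTREQUEST, client, DHCPDISCOVER))]
    # legitimate server answers on the trusted uplink -> binding learned
    r.append(sn.handle("Gi0/1", b"\xaa" * 6,
                       build_dhcp(BOOTREPLY, client, DHCPACK, "192.168.10.131", 692000)))
    # a server reply on an access port is what a rogue server would send -> dropped
    r.append(sn.handle("Fa0/3", b"\xbb" * 6, build_dhcp(BOOTREPLY, client, DHCPOFFER, "10.0.0.9")))
    # frame source MAC and CHADDR disagree -> dropped
    r.append(sn.handle("Fa0/4", b"\xcc" * 6, build_dhcp(BOOTREQUEST, b"\xdd" * 6, DHCPDISCOVER)))
    # 16 requests in one second from one port exceeds the limit of 15 -> err-disable
    for _ in range(16):
        last = sn.handle("Fa0/5", b"\xee" * 6, build_dhcp(BOOTREQUEST, b"\xee" * 6, DHCPDISCOVER), second=7)
    r.append(last)
    r.append(sn.handle("Fa0/5", b"\xee" * 6, build_dhcp(BOOTREQUEST, b"\xee" * 6, DHCPDISCOVER), second=8))
    return sn, r


if __name__ == "__main__":
    snooper, verdicts = demo()
    for v in verdicts:
        print(v)
    for b in snooper.bindings.values():
        print(b)
```

demo() returns the snooper and the verdict for each constructed packet. The last two verdicts show that once a port is err-disabled it stays down for every later packet, which is why the err-disable recovery commands in the configuration section matter: without them a single burst takes the port out of service until an administrator intervenes.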

II. DHCP Snooping Configuration

Switch(config)# ip dhcp snooping
// Enable DHCP snooping globally.

Switch(config)# ip dhcp snooping vlan 10
// Select the VLAN on which DHCP snooping operates.

Switch(config)# ip dhcp snooping verify mac-address
// Check that the source MAC address and the CHADDR field of DHCP requests received on untrusted ports match, to prevent DHCP starvation attacks. Enabled by default.

Switch(config-if)# ip dhcp snooping trust
// Configure the interface as a trusted interface for DHCP snooping. All interfaces are untrusted by default.

Switch(config-if)# ip dhcp snooping limit rate 15
// Limit the DHCP packet rate on an untrusted port to 15 packets per second (the default is 15 packets per second). If this command is not configured on a port, the output of "show ip dhcp snooping" does not list that port. The configurable range is 1-2048.

Suggestion: after configuring a DHCP packet rate limit on a port, it is best to also configure the following two commands:

Switch(config)# errdisable recovery cause dhcp-rate-limit
// Allow a port that was err-disabled for exceeding the DHCP rate limit to recover from the err-disable state automatically.

Switch(config)# errdisable recovery interval 30
// Set the recovery time: a port placed in the err-disable state is restored after 30 seconds.

Switch(config)# ip dhcp snooping information option
// Control whether the switch inserts Option 82 into DHCP packets received on untrusted ports. Enabled by default.

Switch(config)# ip dhcp snooping information option allow-untrusted
// Allow an aggregation switch to accept, on its untrusted ports, DHCP packets that already carry Option 82 inserted by an access switch.

Switch# ip dhcp snooping binding 000f.1fc5.1008 vlan 10 192.168.10.131 interface fa0/2 expiry 692000
// Privileged-mode command: manually add a DHCP snooping binding entry. "expiry" is the time value, that is, the lease period recorded in the binding table.

Switch(config)# ip dhcp snooping database flash:dhcp_snooping.db
// Save the DHCP snooping binding table to flash, in a file named dhcp_snooping.db.

Switch(config)# ip dhcp snooping database tftp://192.168.2.5/Switch/dhcp_snooping.db
// Save the DHCP snooping binding table to a TFTP server. 192.168.2.5 is the TFTP server's address and must be set up beforehand; "Switch" in the URL is a folder on the TFTP server; the saved file name is dhcp_snooping.db. When the storage location is changed, a write is performed immediately.

Switch(config)# ip dhcp snooping database write-delay 30
// After the binding table changes, wait 30 seconds before writing the file. The default is 300 seconds; valid values start at 15 seconds.

Switch(config)# ip dhcp snooping database timeout 60
// After a write of the binding table fails, keep retrying the write until 60 seconds have passed, then stop. The default is 300 seconds; valid values start at 0 seconds.

Note: in practice, when the binding table changes, the switch first waits for the write-delay period and then performs the write. If the write fails (for example because the TFTP server is unreachable), it retries during the timeout period and stops retrying once the timeout expires. However, because the binding table has changed again, the switch waits for the write-delay period and attempts the write again, and so on, until the write succeeds.

Switch# renew ip dhcp snooping database flash:dhcp_snooping.db
// Privileged-mode command: reload the DHCP snooping binding table from the saved database file immediately.
