DHCP snooping allows the switch to maintain it's own (binding) table that links a MAC address to an IP, switchport, vlan and lease time a long with restricting specific ports that send DHCP server messages.
This is performed to attempt to mitigate any rouge DHCP servers on the network - however a lot of other services such as DAI also depend on DHCP snooping.
We should firstly enable DHCP snooping with:
ip dhcp snooping
DHCP snooping is configured on a per-VLAN basis - however we must firstly define which VLAN we want to enable it on:
ip dhcp snooping vlan 100
We can then review the VLAN's and trusted ports with:
do show ip dhcp snooping
and assign the port connected to the DHCP server as a 'trusted' port:
int gi0/15
desc DHCP_Server
ip dhcp snooping trusted
We can now plug the DHCP server into gi0/15 (vlan 100) and a client machine gi0/2 (vlan 100) - on the client tail the syslog / messages log:
tail -f /var/log/messages &
remove any existing leases with:
sudo dhclient -r
and attempt to lease an address with:
sudo dhclient
Once the client machine has obtained an IP address we can then review the binding database with:
show ip dhcp snooping binding
Let's now move the DHCP server patch cable into gi0/16 (which is not currently trusted.)
We'll also enable dhcp snooping packet debugging so we can identify if the switch is dropping the DHCP packets:
debug ip dhcp snooping packet
Again - release and renew the ip on the client machine and tail /var/log/messages:
and you should see a series of DHCPDISCOVER messages - however nothing being offered from the DHCP server - these packets should have been blocked by DHCP snooping - we should see the packets being dropped in the console e.g.:
*Mar 1 01:11:11.722: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.
Note: If you are using a DHCP relay agent (ip helper-address) - you should be aware that 'Option 82' / the 'giaddr' (gateway) address is modified when relaying DHCP requests and as such will be seen as inconsistent by the DHCP snooping service - so in order to work-around this we can disable Option 82 for the DHCP relay agent with:
no ip dhcp snooping information option
0 comments:
Post a Comment