Wednesday, 15 March 2017

Setting up DHCP snooping a long side a DHCP relay agent (Option 82 / giaddr)

DHCP snooping allows the switch to maintain it's own (binding) table that links a MAC address to an IP, switchport, vlan and lease time a long with restricting specific ports that send DHCP server messages.

This is performed to attempt to mitigate any rouge DHCP servers on the network - however a lot of other services such as DAI also depend on DHCP snooping.

We should firstly enable DHCP snooping with:

ip dhcp snooping

DHCP snooping is configured on a per-VLAN basis - however we must firstly define which VLAN we want to enable it on:

ip dhcp snooping vlan 100

We can then review the VLAN's and trusted ports with:

do show ip dhcp snooping

and assign the port connected to the DHCP server as a 'trusted' port:

int gi0/15
desc DHCP_Server
ip dhcp snooping trusted

We can now plug the DHCP server into gi0/15 (vlan 100) and a client machine gi0/2 (vlan 100) - on the client tail the syslog / messages log:

tail -f /var/log/messages &

remove any existing leases with:

sudo dhclient -r

and attempt to lease an address with:

sudo dhclient

Once the client machine has obtained an IP address we can then review the binding database with:

show ip dhcp snooping binding

Let's now move the DHCP server patch cable into gi0/16 (which is not currently trusted.)

We'll also enable dhcp snooping packet debugging so we can identify if the switch is dropping the DHCP packets:

debug ip dhcp snooping packet

Again - release and renew the ip on the client machine and tail /var/log/messages:

and you should see a series of DHCPDISCOVER messages - however nothing being offered from the DHCP server - these packets should have been blocked by DHCP snooping - we should see the packets being dropped in the console e.g.:

*Mar  1 01:11:11.722: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.

Note: If you are using a DHCP relay agent (ip helper-address) - you should be aware that 'Option 82' / the 'giaddr' (gateway) address is modified when relaying DHCP requests and as such will be seen as inconsistent by the DHCP snooping service - so in order to work-around this we can disable Option 82 for the DHCP relay agent with:

no ip dhcp snooping information option


Post a Comment