Solved

IP DHCP Snooping

Posted on 2013-10-28
21
647 Views
Last Modified: 2013-10-30
Hello,

I enabled ip dhcp snooping to prevent dhcp broadcast on my switch and allowed one interface for my dhcp server.

But when I plug in a dhcp enabled router (Netgear) clients will get IP from the router, not from my dhcp server.

My configuration is :

ip dhcp snooping
ip dhcp snooping vlan 1

interface fa0/25
ip dhcp snooping trust

Am I doing something wrong?

Thanks.
Question by:Infamus
21 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39606747
Are all hosts only on vlan 1?
 
LVL 26

Expert Comment

by:Soulja
ID: 39606748
Can you post sh ip dhcp snooping?
 
LVL 12

Author Comment

by:Infamus
ID: 39606767
Yes, all hosts are on vlan 1.

Switch#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Fa0/48
                                                Gi0/1, Gi0/2, Gi0/3, Gi0/4
109  VLAN0109                         active
209  VLAN0209                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup



Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 04c5.a4ac.ae80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/25           yes        yes             unlimited
  Custom circuit-ids:
 
LVL 26

Expert Comment

by:Soulja
ID: 39606795
Hmmm... interesting. I can't see how the clients are getting the requests from the router. Config looks ok.

What are your logs showing?
 
LVL 26

Accepted Solution

by:Soulja
Soulja earned 300 total points
ID: 39606804
Post :

show ip dhcp snooping statistics detail
 
LVL 12

Author Comment

by:Infamus
ID: 39606832
Yeah, I even configured ip helper-address on interface vlan 1 but still not good.

Client is getting IP from the legit dhcp server and the rogue dhcp server back and forth, but it looks like it is getting the IP from the rogue dhcp server more often.

Here is my entire config:

Switch#sh run
Building configuration...

Current configuration : 5224 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 password 7 080D1C4D02540C035F1E1C55
no aaa new-model
system mtu routing 1500
vtp domain test
vtp mode transparent
ip subnet-zero
!
!
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name test.com
!
!
crypto pki trustpoint TP-self-signed-2762780288
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2762780288
revocation-check none
rsakeypair TP-self-signed-2762780288

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 109,209
!
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
!
interface FastEthernet0/4
switchport mode access
!
interface FastEthernet0/5
switchport mode access
!
interface FastEthernet0/6
switchport mode access
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport mode access
!
interface FastEthernet0/10
switchport mode access
!
interface FastEthernet0/11
switchport mode access
!
interface FastEthernet0/12
switchport mode access
!
interface FastEthernet0/13
switchport mode access
!
interface FastEthernet0/14
switchport mode access
!
interface FastEthernet0/15
switchport mode access
!
interface FastEthernet0/16
switchport mode access
!
interface FastEthernet0/17
switchport mode access
!
interface FastEthernet0/18
switchport mode access
!
interface FastEthernet0/19
switchport mode access
!
interface FastEthernet0/20
switchport mode access
!
interface FastEthernet0/21
switchport mode access
!
interface FastEthernet0/22
switchport mode access
!

interface FastEthernet0/24
switchport mode access
!
interface FastEthernet0/25
switchport mode access
ip dhcp snooping trust
!
interface FastEthernet0/26
switchport mode access
!
interface FastEthernet0/27
switchport mode access
!
interface FastEthernet0/28
switchport mode access
!
interface FastEthernet0/29
switchport mode access
!
interface FastEthernet0/30
switchport mode access
!
interface FastEthernet0/31
switchport mode access
!
interface FastEthernet0/32
switchport mode access
!
interface FastEthernet0/33
switchport mode access
!
interface FastEthernet0/34
switchport mode access
!
interface FastEthernet0/35
switchport mode access
!
interface FastEthernet0/36
switchport mode access
!
interface FastEthernet0/37
switchport mode access
!
interface FastEthernet0/38
switchport mode access
!
interface FastEthernet0/39
switchport mode access
!
interface FastEthernet0/40
switchport mode access
!
interface FastEthernet0/41
switchport mode access
!
interface FastEthernet0/42
switchport mode access
!
interface FastEthernet0/43
switchport mode access
!
interface FastEthernet0/44
switchport mode access
!
interface FastEthernet0/45
switchport mode access
!
interface FastEthernet0/46
switchport mode access
!
interface FastEthernet0/47
switchport mode access
!
interface FastEthernet0/48
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
ip address 192.168.102.1 255.255.255.0
ip helper-address 192.168.102.254
no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
End
 
LVL 12

Author Comment

by:Infamus
ID: 39606838
Switch#sh ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping                    = 0
Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 0
   No binding entry                                    = 0
   Insertion of opt82 fail                             = 0
   Unknown packet                                      = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Misdirected Packets                                 = 0
  Packets with Invalid Size                           = 0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39606952
DHCP snooping does not block broadcast.

After turning on DHCP snooping, you need to go under the switches and make the switch ports dhcp untrusted ports. You will only trust the trunk port where the traffic from your dhcp server connects to.

By default PCs will default to the closest DHCP server for obvious reasons - they received the arp response from that server 1st. IP helper only helps if there is no DHCP server on the same vlan as your network.
 
LVL 12

Author Comment

by:Infamus
ID: 39607083
I thought globally enabling ip dhcp snooping will make all the ports untrusted ports and to allow a port to be trusted, you have to configure ip dhcp snooping trust.

I don't see a command which you can untrust an interface.

Thanks.
 
LVL 26

Expert Comment

by:Soulja
ID: 39607213
Yes. Ports are untrusted by default.
 
LVL 12

Author Comment

by:Infamus
ID: 39607227
Soulja,

Any ideas by looking at the config?

Thanks.
 
LVL 26

Expert Comment

by:Soulja
ID: 39607657
You don't need the ip helper if the dhcp server is on the same vlan. Other than that the config looks good to me.

Can you apply spanning tree portfast to your ports? That helps with dhcp.
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 200 total points
ID: 39607762
"I don't see a command which you can untrust an interface."

Yes ports are untrusted by default but the only reason a DHCP response will be received by your devices is if the port was trusted.

To untrust the port, here is the command
no ip dhcp snooping trust

Only the port where your DHCP traffic passes through should be trusted.

Ensure that DHCP Snooping MAC Address Verification is enabled (enabled by default) to ensure that arp responses will only be allowed from your server

show running-config dhcp

If disabled for any weird reason, enable it with the following command
ip dhcp snooping verify mac-address

http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/
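As an added example (not code from the thread or from either expert), here is a small Python audit that applies the checks Soulja and Akinsd describe to a running-config: snooping enabled globally and on the client VLAN, MAC-address verification left on, and only the DHCP-server port trusted. The config it scans is constructed here, modelled on the thread's configuration plus a hypothetical extra trusted port (FastEthernet0/30) so that a misplaced trust shows up in the report.

```python
import re
# Constructed sample (not the thread's full config): Fa0/25 trusted as in the thread, plus a hypothetical trusted Fa0/30.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
ip dhcp snooping
!
interface FastEthernet0/25
 ip dhcp snooping trust
!
interface FastEthernet0/30
 ip dhcp snooping trust
!
"""

def parse_snooping(config):
    """Return (global_enabled, snooped_vlans, trusted_ports, verify_mac)."""
    enabled, verify_mac = False, True   # hwaddr verification is on by default
    vlans, trusted, iface = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "!":
            iface = None                 # end of the interface block
        elif iface is not None:
            if line == "ip dhcp snooping trust":
                trusted.append(iface)
        elif line == "ip dhcp snooping":
            enabled = True
        elif line == "no ip dhcp snooping verify mac-address":
            verify_mac = False
        else:
            m = re.match(r"ip dhcp snooping vlan ([\d,]+)$", line)
            if m:                        # comma lists only; ranges not handled
                vlans.update(int(v) for v in m.group(1).split(","))
    return enabled, vlans, trusted, verify_mac

def audit(config, server_port, client_vlan):
    """Findings a defender should act on; an empty list means the posture is clean."""
    enabled, vlans, trusted, verify_mac = parse_snooping(config)
    findings = []
    if not enabled:
        findings.append("DHCP snooping is not enabled globally")
    if client_vlan not in vlans:
        findings.append(f"VLAN {client_vlan} is not covered by DHCP snooping")
    if server_port not in trusted:
        findings.append(f"DHCP server port {server_port} is not trusted")
    findings += [f"{p} is trusted but does not face the DHCP server"
                 for p in trusted if p != server_port]
    if not verify_mac:
        findings.append("MAC-address verification is disabled")
    return findings
```

A clean report only says the configuration is right, not that the feature is running: as this thread's resolution shows, a "Packets Processed by DHCP Snooping = 0" line in show ip dhcp snooping statistics detail while clients are pulling leases is the sign that the switch is not actually snooping.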
 
LVL 12

Author Comment

by:Infamus
ID: 39608601
I enabled spanning tree and port-security as well but still no luck.

I will try manually entering no ip dhcp snooping trust on the rest of the port and see what happens.
 
LVL 26

Expert Comment

by:Soulja
ID: 39608671
@Akinsd

The ports are untrusted by default. The only time you would apply:

no ip dhcp snooping trust

is if you applied ip dhcp snooping trust to the interface. In this case Fa0/25.

I see what your methodology is regarding this though. If that does fix the problem, I stand corrected.
 
LVL 26

Expert Comment

by:Soulja
ID: 39608674
"I enabled spanning tree and port-security as well but still no luck."

When you say you enabled spanning tree do you mean the port-fast feature I was asking you to enable?

Also, why port security in this case?
 
LVL 18

Expert Comment

by:Akinsd
ID: 39608685
Yes, ports are untrusted by default, but the only reason a DHCP response will be received by your devices is if the port was trusted.

Either that OR the port where the rogue dhcp connects to is trusted OR something weird is happening


Also run this command
show dhcp server


Review this 4-minute video and compare your setup
http://www.youtube.com/watch?v=2eNsoS9Ri6w
 
LVL 12

Author Comment

by:Infamus
ID: 39608980
Yup, looks like that is what I exactly did.

As you can see from my config, only fa0/25 is trusted and it is the port which valid DHCP server is connected.

I will open up a TAC case tomorrow and see what they can find.

I will update this thread once I get a resolution to keep you guys updated.

The points will be distributed to both of you since you did your best to help me out before closure of this thread.

Thanks.
 
LVL 12

Author Comment

by:Infamus
ID: 39608989
Soulja,

Yes, I configured spanning-tree portfast on all the ports.

I added port security just in case, I'm just trying everything that I can think of.

Thanks.
 
LVL 18

Expert Comment

by:Akinsd
ID: 39610707
What is the output of show dhcp server

Try this also
Disconnect the rogue switch, then reload (reboot) the switch while the correct dhcp server is connected.
Show dhcp server

Do pcs get IP if only the trusted dhcp is connected?
 
LVL 12

Author Comment

by:Infamus
ID: 39612616
Ok, guys.

I got this resolved.

The firmware version which was 12.2(50r)SE1 does not support ip dhcp snooping.

After upgrading to 12.2(58r)SE2, it is working now.

Normally if the feature is not available, you won't see the command and the weird thing was that it took the command and applied globally.

Thanks guys for all your help.