DHCP Gleaning - Are logs still generated for violations?

Matthias.G
Beginner

I am aware that DHCP Snooping will usually drop the packet and generate a log when something like a DHCP Offer is being transferred through an untrusted interface. Through scripting, this log can be detected by the switch and forwarded to an admin's email address. My requirements are to have the switches do all of this, except for dropping any packets, meaning this solution should:

- Detect DHCP messages going through untrusted ports

- Notify administrators but allow the packet to pass

I learned about DHCP gleaning, which seems to fit this description perfectly, though I was not able to learn from the article whether logs will still be generated, so that I can arrange for them to be forwarded to an admin?

9 Replies

MHM Cisco World
Advisor

Config an ACL permit for UDP 17 with Log.
This makes the SW detect the DHCP UDP message but not drop it.

Peter Paluch
Hall of Fame Cisco Employee

Hello MHM,

What you suggest is a good starting point but the problem is that ACLs cannot distinguish between different DHCP message types. Matthias is looking for a way to identify messages originated by DHCP servers (Offer, Ack, Nak) arriving on untrusted ports. ACLs can't be used for that as they would match all DHCP messages, not just server-based. The only approximation would be their source and destination UDP port - for a message sent out from a server to a client, the source UDP port would be 67 and the destination port would be 68. That's as granular as it gets, though.

Best regards,
Peter
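Peter's distinction above (an ACL can only approximate server messages by UDP port, while the message type itself lives in the DHCP payload) can be made concrete with a small parser. The following is an added Python example, not code from this thread or from Cisco, that classifies constructed DHCP packets by both the 67->68 port heuristic and option 53; the interface names, trust flags and sample packets are assumptions.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSG_TYPES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

def parse_dhcp(payload):
    """Return (op, message-type name) from a raw DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, msg_type, i = payload[0], None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                               # truncated option
        tag, length = payload[i], payload[i + 1]
        if tag == 53 and length == 1:                 # option 53: DHCP Message Type
            msg_type = MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return op, msg_type

def check_dhcp_on_port(iface, trusted, sport, dport, payload):
    """Alert string if a server-originated DHCP message arrives on an untrusted
    port, else None. Classification uses the payload (op / option 53); the alert
    also notes whether the 67->68 UDP-port heuristic an ACL could match agreed."""
    parsed = parse_dhcp(payload)
    if parsed is None or trusted:
        return None
    op, msg_type = parsed
    if op != BOOTREPLY and msg_type not in SERVER_MSG_TYPES:
        return None
    by_ports = sport == 67 and dport == 68
    return (f"{iface}: DHCP {msg_type} from a server on untrusted port "
            f"(UDP {sport}->{dport}, port heuristic matched: {by_ports})")

def build_dhcp(op, msg_type_code):
    """Constructed sample packet: 236-byte fixed header, magic cookie, option 53, end."""
    fixed = bytes([op, 1, 6, 0]) + struct.pack("!IHH", 0x3903F326, 0, 0x8000)
    fixed += bytes(16) + b"\xaa" * 6 + bytes(10) + bytes(64) + bytes(128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type_code, 255])
```

Feeding it an Offer sent from a non-standard source port shows why the payload check catches what the port-only ACL approximation would miss.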

Yes, but the direction can be used to detect the DHCP message from the server:
Discover & Request are outbound
Offer, ACK, NAK are inbound

Peter Paluch
Hall of Fame Cisco Employee

Hi MHM,

I don't think I follow you. So let's assume a sample scenario: You have a switchport, say, Gi1/0/1, that is only supposed to be connecting to a DHCP client, but you need to find out if there may be a rogue DHCP server connected to this port, too. How would you then create your ACLs and apply them to this switchport to distinguish server messages from client messages? A working example of those configurations would be the easiest to discuss further.

Thank you!

Best regards,
Peter

Peter Paluch
Hall of Fame Cisco Employee

Matthias,

What switch and IOS version would you be using? I have been doing some internal research, and it seems that on IOS-XE platforms, DHCP Gleaning is not supported even if the CLI commands are available.

Best regards,
Peter