DHCP Gleaning - Are logs still generated for violations?

Matthias.G
Beginner

I am aware that DHCP Snooping will usually drop the packet and generate a log when something like a DHCP Offer is being transferred through an untrusted interface. Through scripting, this log can be detected by the switch and forwarded to an admin's email address. My requirements are to have the switches do all of this, except for dropping any packets, meaning this solution should:

- Detect DHCP messages going through untrusted ports

- Notify administrators but allow the packet to pass

I learned about DHCP gleaning, which seems to fit this description perfectly, though I was not able to learn from the article whether logs will still be generated, so that I can arrange for them to be forwarded to an admin.

9 Replies

MHM Cisco World
Advisor

Configure an ACL permit for UDP (protocol 17) with log.
This makes the SW detect the DHCP UDP message but not drop it.

Peter Paluch
Hall of Fame Cisco Employee

Hello MHM,

What you suggest is a good starting point but the problem is that ACLs cannot distinguish between different DHCP message types. Matthias is looking for a way to identify messages originated by DHCP servers (Offer, Ack, Nak) arriving on untrusted ports. ACLs can't be used for that as they would match all DHCP messages, not just server-based. The only approximation would be their source and destination UDP port - for a message sent out from a server to a client, the source UDP port would be 67 and the destination port would be 68. That's as granular as it gets, though.

Best regards,
Peter

Yes, but the direction can be used to detect the DHCP messages from the server:
Discover & Request are outbound.
Offer, ACK, NAK are inbound.

Peter Paluch
Hall of Fame Cisco Employee

Hi MHM,

I don't think I follow you. So let's assume a sample scenario: You have a switchport, say, Gi1/0/1, that is only supposed to be connecting to a DHCP client, but you need to find out if there may be a rogue DHCP server connected to this port, too. How would you then create your ACLs and apply them to this switchport to distinguish server messages from client messages? A working example of those configurations would be the easiest to discuss further.

Thank you!

Best regards,
Peter
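As an added worked example (not configuration from any of the posts in this thread), here is one way to express on an IOS switch the port-based approximation Peter describes (server-sourced DHCP is UDP source port 67) together with the syslog-to-email forwarding Matthias mentions in the question. The ACL name, the EEM applet name, the mail host and the addresses are assumptions; interface Gi1/0/1 is the port from Peter's scenario. Every line in the ACL is a permit, so nothing is dropped; only the server-sourced lines carry the log keyword.

```cisco
! Added example, not from the original thread. Assumed placeholders:
! ACL DHCP-SERVER-DETECT, applet DHCP-SERVER-ALERT, mail.example.net
! and the two e-mail addresses.
!
! Port-based approximation: a packet arriving inbound on a client access
! port with UDP source port 67 (bootps) can only have been sent by
! something acting as a DHCP server (to a client, dst 68) or talking to a
! relay (dst 67). Nothing is denied; only those two cases are logged.
ip access-list extended DHCP-SERVER-DETECT
 permit udp any eq bootps any eq bootpc log
 permit udp any eq bootps any eq bootps log
 permit ip any any
!
! Apply as a port ACL on the client-facing port (port ACLs are inbound only).
interface GigabitEthernet1/0/1
 description client access port - no DHCP server expected here
 ip access-group DHCP-SERVER-DETECT in
!
! Forward the resulting syslog line by e-mail. The switch needs a resolvable
! or numeric mail server address. $_syslog_msg is the EEM built-in variable
! that holds the matched syslog message.
event manager applet DHCP-SERVER-ALERT
 event syslog pattern "IPACCESSLOGP: list DHCP-SERVER-DETECT permitted udp"
 action 1.0 mail server "mail.example.net" to "netops@example.net" from "switch@example.net" subject "Possible rogue DHCP server on access port" body "$_syslog_msg"
```

A match produces a message of the form %SEC-6-IPACCESSLOGP: list DHCP-SERVER-DETECT permitted udp 192.0.2.50(67) -> 255.255.255.255(68), 1 packet (constructed illustration, not a captured log), which gives the offending source address. If the platform accepts log-input in place of log, the message additionally carries the ingress interface and source MAC, which is what is needed to physically locate the source. Two caveats a practitioner should check before relying on this: ACL log entries are rate-limited and punt matching packets to the CPU, so keep the logged lines as narrow as they are here; and support for the log keyword differs between port ACLs, router ACLs and VLAN maps across the 2960-X, 3560 and 9200 families, so confirm the ACL restrictions in the platform's security configuration guide. As Peter notes, this still matches any packet sourced from UDP 67, not DHCPOFFER, DHCPACK or DHCPNAK specifically.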

Peter Paluch
Hall of Fame Cisco Employee

Matthias,

What switch and IOS version would you be using? I am doing some internal research, but it seems that on IOS-XE platforms, DHCP Gleaning is not supported even if the CLI commands are available.

Best regards,
Peter

Hello Peter,

First of all, thanks. Various 2960X models are in use, some examples being WS-C2960X-48FPD-L, 2960CX-8PC-L and 2960X-24PSQ-L, and they run anything between 15.2(7)E4 and 15.2(7)E7, though most of them use E6. The customer has a couple of 9200 stacks and about twenty 3560/3560CX mini-switches as well, but we may focus on the 2960X first. Still, it'd be nice to know if there is a workaround for IOS-XE devices.

To be more clear about the requirements, the customer would like to have the option to determine the source of a DHCP Offer that was sent over an untrusted port using log messages, and then check up on the source and whether it is a threat on his own.

Best regards,

Matthias

MHM Cisco World
Advisor

ip dhcp snooping detect spurious vlan <<- check this feature to detect a spurious DHCP server

Thanks MHM. The customer's N5K core seems to block usage of most commands in global config mode, but I looked it up in this document and it seems the command is not available on N5Ks:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/command/reference/security/7x/n5600-sec-cr/n5600-sec_cmds_i.html

I checked on 2960X and 9200 models as well:

WS-C2960X-48FPD-L(config)#ip dhcp snooping ?
database "DHCP snooping database agent"
glean "DHCP read only snooping"
information "DHCP Snooping information"
verify "DHCP snooping verify"
vlan "DHCP Snooping vlan"
wireless "DHCP snooping wireless"
<cr>

C9200L-24P-4X(config)#ip dhcp snooping ?
acl "DHCP Snooping mac acl"
database "DHCP snooping database agent"
glean "DHCP read only snooping"
information "DHCP Snooping information"
verify "DHCP snooping verify"
vlan "DHCP Snooping vlan"
wireless "DHCP snooping wireless"
<cr>

I will then check for another solution.
