
DHCP Snooping Configuration to Restrict DHCP Rogue Server

qaiser31639389
Level 1

Hi All,

 

I am new to Cisco community.

 

I would like to implement DHCP snooping in our company's network to restrict rogue DHCP servers. Before implementation, I would like to have your valuable thoughts and suggestions on the infrastructure details provided below.

I've also attached an example network/topology diagram for a better understanding of the provided details.

My question is: what will be the impact on the network, remote access VPN tele-workers and site-to-site VPN connectivity? Also, could someone please suggest a configuration as well (thanks in advance to all participants).

 

Current Network Infrastructure Highlights

1. Cisco ASA 5525 (pair/set) configured at the network perimeter, acting as gateway (active/standby).

2. Cisco 3850 switches X 2, stacked and working as distribution layer switches, also holding the role of root bridge for the other switches.

3. Cisco 2960 switches X 8 at the access layer, where workstations and firewalls for other departments are connected (e.g. ABC & XYZ department firewalls; we have at least 12 other firewalls connected with 12 different subnets).

4. Public IPs NAT for ABC & XYZ networks for site-to-site VPNs and remote access VPNs (pool of IPs defined on both firewalls for tele-workers).

5. All switchports are part of the same VLAN.

6. The outside interfaces of both firewalls are connected in the same subnet of the LAN that has a static IP range for firewalls and other routing devices (subnet IP address range 10.40.5.0 /16).

7. The DNS, DHCP and other servers are also connected to the same LAN and serve DHCP leases to workstations and wi-fi users (10.40.1.1 - 10.40.4.252).

8. Behind the ABC & XYZ firewalls, DHCP pools are defined for local devices.

9. Need to enable DHCP snooping to restrict the presence of rogue DHCP.

10. Where to configure what on the switches, and what will be the impact of the DHCP configuration on the rest of the network users, especially those who are tele-workers for the ABC & XYZ networks.

 

Thanks in advance to all participants.

7 Replies 7

marce1000
VIP

 

 - The following links contain some basic info and concepts which require understanding before implementing DHCP snooping:

       https://www.pearsonitcertification.com/articles/article.aspx?p=2474170

       https://community.cisco.com/t5/switching/dhcp-snooping/td-p/3041302

       https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.pdf

 M.

 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Marce1000,

 

The provided links really helped me to clear concepts.

 

Thanks.

Hello,

 

It used to be that enabling Dynamic ARP Inspection and turning off DHCP snooping caused all hosts to shut down...

 

--> When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all
ARP entries in the ARP table will be checked against a nonexistent DHCP database. 

 

So make sure that DAI doesn't work without DHCP snooping.

 

Hello
Enabling dhcp snooping won't have any effect on your current network, and you don't need dynamic arp inspection (DAI) to use dhcp snooping, it can be used on its own.

As it is an L2 security feature it should only be applied to the access layer switches anyway (no routers or L3 core), and when it is used on its own it is a good way to negate any rogue DHCP servers being introduced on your network.

Just make sure you trust any port where you expect valid dhcp messages to traverse ( ie: switch trunk uplinks, access-ports connecting valid dhcp servers/fw etc...)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Thanks for your reply.

 

Our DHCP servers are connected in our core switches that are L3 (also acting as root bridge in the network), spanning tree configured on all switches.

 

I will share some configuration shortly that I am writing up for the implementation. Currently I have been through some configuration examples, as I would like to implement DHCP snooping for our network (network/topology diagram already shared) without any disruption to connected hosts.

 

Thanks.

Hi Paul,

 

I hope you had a nice festive period break.

 

Please find below the configuration that I have planned to implement on our L2 & L3 switches to restrict a rogue DHCP server in the network if someone in future plugs one in accidentally. I hope this configuration won’t affect devices (firewalls, switches, printers & Wi-Fi access points) that are configured with static IPs, and also site-to-site VPNs and remote access VPNs.

 

L2 Switch Configuration

On all switch ports apart from trunk ports I’ll execute the following commands (client devices can reach the legitimate DHCP server in the network).

L2-Switch(config)# ip dhcp snooping
L2-Switch(config)# ip dhcp snooping vlan 1
L2-Switch(config)# no ip dhcp snooping information option   (if option 82 isn’t needed)

L2-Switch(config)# int range gi0/1 - 46    (on untrusted switchports)
L2-Switch(config-if-range)# ip dhcp snooping limit rate 20

Configuration for Trunk Port / uplink to Core switch where DHCP server connected

L2-Switch(config)# int range g0/47 - 48
L2-Switch(config-if-range)# ip dhcp snooping trust

L2-Switch(config)# ip dhcp snooping database tftp://10.X.X.X/tftp/SW1

 

L3 Switch Configuration

L3-Switch(config)# int gi 1/0/5
L3-Switch(config-if)# ip dhcp snooping trust          (legitimate DHCP server connected to this port)

 

Note: Please let me know if I am missing anything in this configuration. Do I actually need to configure DHCP snooping on the L3 core switch, apart from interface gi1/0/5 where the DHCP server is connected?

 

Thanks.

Hello

Looks okay, but no need for any snooping on the L3 switch not even on the dhcp server port.

Just apply snooping to all host switches with the recommended rate limit for untrusted port to 15pps, and for trusted ports obviously this needs to be much higher (100+)



Kind Regards
Paul
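
A pre-deployment check for the rollout discussed in this thread, as an added example that is not part of any participant's post: it parses an access-switch running-config and flags ports that are trusted without being approved uplinks, uplinks left untrusted (which would drop legitimate server replies), and untrusted ports with no rate limit. The sample config, the function names and the approved-uplink set are constructed for illustration.

```python
import re

# Constructed running-config excerpt for one access switch (not from the thread).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1
interface GigabitEthernet0/1
 ip dhcp snooping limit rate 20
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 ip dhcp snooping trust
interface GigabitEthernet0/47
 switchport mode trunk
"""

def snooped_vlans(lines):
    """Expand 'ip dhcp snooping vlan 1,10-12' statements into a set of VLAN ids."""
    vlans = set()
    for m in filter(None, (re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", l) for l in lines)):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, vlan, uplinks):
    """Return findings; uplinks is the set of ports that are allowed to be trusted."""
    lines, findings, ports, current = config.splitlines(), [], {}, None
    if "ip dhcp snooping" not in lines:
        findings.append("global: 'ip dhcp snooping' is missing, so nothing is enforced")
    if vlan not in snooped_vlans(lines):
        findings.append(f"global: VLAN {vlan} is not in 'ip dhcp snooping vlan'")
    for line in lines:
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # sub-command of the current interface
        else:
            current = None  # any other top-level line ends the interface block
    for name, body in ports.items():
        trusted = "ip dhcp snooping trust" in body
        limited = any(c.startswith("ip dhcp snooping limit rate ") for c in body)
        if trusted and name not in uplinks:
            findings.append(f"{name}: trusted but not an approved uplink")
        elif name in uplinks and not trusted:
            findings.append(f"{name}: uplink is untrusted, server replies will be dropped")
        elif not trusted and not limited:
            findings.append(f"{name}: untrusted port has no rate limit")
    return findings
```

Calling `audit(SAMPLE_CONFIG, 1, {"GigabitEthernet0/47"})` reports Gi0/2, Gi0/3 and Gi0/47; an empty list means the excerpt matches the trust and rate-limit plan.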