
DHCP Snooping - DHCP Rate Limit

Anup Sasikumar
Level 1

Hi all,

Could you please help me with these DHCP Rate Limit queries?

1. Does DHCP Rate Limit Err-Disabled detection get enabled automatically when IP DHCP Snooping is enabled globally?

2. What is the default rate after which the port goes to Err-Disabled if no custom DHCP rate limit is set on the interface?

Is there a recommended limit?

3. There have been continuous DHCP Rate Limit Err-Disabled alerts from ports on the switches in the infrastructure, from most of the access switches in the infrastructure. The rate is set at 10 on every switch interface. What can be the sudden reason for receiving DHCP packets from every access port?

Can it be due to connectivity issues to the DHCP Server, with the clients constantly trying to find the DHCP Server using Discover?

Please help !

Regards,
Anup
8 Replies

Peter Paluch
Cisco Employee

Hi Anup,

1. Does DHCP Rate Limit Err-Disabled detection get enabled automatically when IP DHCP Snooping is enabled globally?

No. The DHCP Snooping rate limiting is disabled by default, and has to be enabled explicitly. Read more here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/15.0_2_se/command/reference/cli1.html#wp11898499

2. What is the default rate after which the port goes to Err-Disabled if no custom DHCP rate limit is set on the interface?

Is there a recommended limit ?

This is very difficult to say. A single DHCP station has no need to generate more than roughly 10 DHCP messages within a second. So on a port towards a single station, I do not see a need to allow for more than 10 DHCP messages. Ports that aggregate more flows can be substantially harder to estimate.

3. There have been continuous DHCP Rate Limit Err-Disabled alerts from ports on the switches in the infrastructure, from most of the access switches in the infrastructure. The rate is set at 10 on every switch interface. What can be the sudden reason for receiving DHCP packets from every access port?

Normally, this should not occur. I have sometimes seen that a typo somewhere in the configuration of the DHCP server has caused the DHCP client to acquire settings, then find out these settings are invalid, and immediately restart the entire sequence - generating quite a significant amount of DHCP traffic. A common error was:

ip dhcp pool SomePool
 ...
 default-router 10.0.0.1 255.255.255.0
 ...

Notice the "255.255.255.0" argument in the default-router command - it is superfluous (gateways are never specified using their netmask) but it often escapes your attention. Multiple arguments in the default-router command are treated as multiple IP gateway addresses, and obviously, 255.255.255.0 is not a valid IP gateway address. Similar problems can ensue with, say, the dns-server command or a similar setting.

Can it be due to connectivity issues to the DHCP Server, with the clients constantly trying to find the DHCP Server using Discover?

I honestly do not think so. Clients retransmit their DHCP requests infrequently - on the order of seconds or tens of seconds. There is no way a well-behaved DHCP client would send 10 or more DHCP messages in a single second.

Best regards,

Peter
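An added example (not part of Peter's reply, and not a Cisco tool): a small Python lint that reads a running-config excerpt and flags both problems discussed above, a default-router or dns-server argument that is really a netmask (or otherwise not a usable host address in the pool's subnet), and access ports with no `ip dhcp snooping limit rate` configured, since rate limiting stays off until it is set per interface. It assumes standard IOS indentation of the config text; the config it parses is constructed for the example, and the pool and interface names are made up.

```python
"""Lint a Cisco IOS config excerpt for the two DHCP problems in this thread: a pool
option carrying a netmask where a host address belongs (`default-router 10.0.0.1
255.255.255.0`) and access ports with DHCP snooping rate limiting never turned on.
Example for this thread, not Cisco's tooling; the config below is constructed."""
import ipaddress
import re

# Constructed running-config excerpt: pool USERS-BAD carries the typo, USERS-GOOD is correct.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp pool USERS-BAD
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1 255.255.255.0
 dns-server 10.0.0.53
ip dhcp pool USERS-GOOD
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 10.0.1.53 10.0.1.54
interface GigabitEthernet1/0/1
 switchport mode access
 ip dhcp snooping limit rate 10
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
"""

def parse_sections(config):
    """Split IOS config into (header, [indented child lines]) blocks; '!' ends a block."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def host_problem(text, network=None):
    """Explain why `text` is not a usable unicast host address (None if it is fine).
    With `network` given, the address must also be a host inside that subnet."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return "not an IPv4 address"
    bits = int(addr)
    if bits and (bits | (bits - 1)) == 0xFFFFFFFF:  # a run of ones then zeros: a netmask
        return "looks like a netmask, not a host address"
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        return "not a unicast host address"
    if network is not None and (
        addr not in network or addr in (network.network_address, network.broadcast_address)
    ):
        return f"not a host inside the pool network {network}"
    return None

def lint_pools(sections):
    """Check every default-router / dns-server argument of each ip dhcp pool."""
    findings = []
    for header, body in sections:
        m = re.match(r"ip dhcp pool (\S+)$", header)
        if not m:
            continue
        network = None
        for parts in (line.split() for line in body):
            if parts[0] == "network" and len(parts) >= 3:
                network = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
        for parts in (line.split() for line in body):
            if parts[0] not in ("default-router", "dns-server"):
                continue
            # Gateways must live in the pool's subnet; DNS servers may be anywhere.
            scope = network if parts[0] == "default-router" else None
            for arg in parts[1:]:
                why = host_problem(arg, scope)
                if why:
                    findings.append((m.group(1), f"{parts[0]} {arg}: {why}"))
    return findings

def lint_snooping(sections):
    """Rate limiting is off until configured per interface: report access ports without it."""
    findings = []
    if not any(header == "ip dhcp snooping" for header, _ in sections):
        findings.append(("global", "ip dhcp snooping is not enabled"))
    for header, body in sections:
        if header.startswith("interface ") and "switchport mode access" in body:
            if not any(line.startswith("ip dhcp snooping limit rate ") for line in body):
                findings.append((header.split(None, 1)[1], "access port without ip dhcp snooping limit rate"))
    return findings

if __name__ == "__main__":
    sections = parse_sections(SAMPLE_CONFIG)
    for where, what in lint_pools(sections) + lint_snooping(sections):
        print(f"{where}: {what}")
```

Run against the constructed config it reports the stray 255.255.255.0 in pool USERS-BAD and the missing rate limit on GigabitEthernet1/0/2; the trunk port is trusted and is left alone. Feed it a `show running-config` capture instead of SAMPLE_CONFIG to check a real switch.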

Hi Peter ,

Thank you so much for the informative post !

DHCP Snooping and Rate Limiting have always been so confusing for me, now it's all clear :-)

I very much appreciate you taking the time to explain it in detail!

Regards,
Anup

Anup,

You are heartily welcome.

Best regards,

Peter

Hi Peter,

Just a quick query

Would I be able to enable the DHCP rate limit on specific interfaces without enabling IP DHCP Snooping globally?

Regards,
Anup

Hello Anup,

I am not sure if you can do DHCP rate limiting without actually running DHCP Snooping - to be honest, I have never tried it, and I have a feeling it won't work.

What you can do, though: you can configure the rate limiting even on DHCP Snooping trusted ports - so a solution could be to configure all ports as trusted. Trusted ports are effectively exempted from DHCP Snooping: they do not create any mappings in the DHCP Snooping database so the additional incurred load on the switch should be relatively minimal, and yet it should allow you to configure the rate limiting.

Do you have an option of testing this?

Best regards,

Peter

Hi Peter,

Sorry for the late reply .

Since I am in the L1 role I don't have the privileges to make configuration changes on devices, but I will surely recommend to the L2 guys what can be done.

Would it be wise to configure trusted ports for the DHCP rate limit, as these can be connected to DHCP Servers where a lot of DHCP traffic comes through? Maybe the DHCP rate limit can be set to a higher value and everything would work perfectly, right?

Regards,
Anup

Hello Anup,

I am sorry for responding so late. Please accept my sincere apologies.

Would it be wise to configure trusted ports for the DHCP rate limit, as these can be connected to DHCP Servers where a lot of DHCP traffic comes through?

Configuring trusted DHCP ports with DHCP rate limiting is a hard task in my opinion, because these ports aggregate multiple DHCP conversations and thus the number of observed messages can be very high, depending on the circumstances. Consider a port towards a DHCP server in a network with 200 clients. If all 200 clients boot up at the same time, you can expect several hundred DHCP messages to be validly carried by this port without this being an attack. So you would configure the rate limit to, say, 400. However, after the network boots up and stabilizes, an attacker might come in and, using a rate of 50-100 DHCP messages per second, exhaust your DHCP pool within seconds or minutes without the DHCP rate limiting ever kicking in.

So you see, setting a high rate limit on a trusted port may protect you against false positives, but at the same time it makes you less sensitive to abnormal behavior.

DHCP rate limits are best configured on ports towards DHCP clients, as you can be far more specific about the DHCP message rates there.

Best regards,

Peter
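An added example to make the trade-off above concrete (example code for this thread, not Cisco's implementation): the rate limit is modelled as "more than N DHCP packets received on a port within any one-second window err-disables the port", which is an approximation of the switch behaviour, and replayed over constructed traffic: a normal client backing off between DISCOVERs, the restart loop caused by a mistyped pool, 200 clients booting behind a trusted uplink, and a starvation attacker sending 80 messages per second. Port names, packet counts and timings are made up for the example.

```python
"""Model the per-port DHCP snooping rate limit (at most N DHCP packets per second
on a port, err-disable when exceeded) and replay constructed traffic through it:
a normal client, the restart loop from a mistyped pool, a boot storm on the uplink
and a pool-starvation attacker. Example for this thread, not Cisco's implementation;
the traffic traces are constructed."""
from collections import defaultdict, deque

def errdisabled_ports(events, limits):
    """events: (time_s, port) pairs. limits: {port: packets allowed per 1-s window};
    ports absent from `limits` have rate limiting off, as on a fresh switch.
    Returns {port: time at which the port was err-disabled}."""
    recent, tripped = defaultdict(deque), {}
    for t, port in sorted(events):
        if port in tripped or port not in limits:
            continue
        window = recent[port]
        window.append(t)
        while window[0] <= t - 1.0:          # keep only the trailing second
            window.popleft()
        if len(window) > limits[port]:
            tripped[port] = t
    return tripped

def normal_client(port, start=0.0):
    """DISCOVER retransmitted with RFC 2131 style backoff (4, 8, 16, 32, 64 s), then one REQUEST."""
    events, t = [], start
    for backoff in (4, 8, 16, 32, 64):
        events.append((t, port))
        t += backoff
    return events + [(t, port)]

def restart_loop_client(port, start=0.0, cycles=30, period=0.1):
    """Client that gets a lease, finds the settings unusable and restarts at once:
    DISCOVER + REQUEST every `period` seconds, i.e. 20 messages per second."""
    return [(start + k * period + d, port) for k in range(cycles) for d in (0.0, 0.03)]

def server_replies(port, clients, start=0.0, spread=1.0):
    """OFFER + ACK seen on the server-facing port for `clients` hosts booting within `spread` s."""
    step = spread / clients
    return [(start + k * step + d, port) for k in range(clients) for d in (0.0, step / 2)]

def attacker(port, pps=80, seconds=10):
    """Starvation attacker: DISCOVERs with ever-changing client identifiers at a steady `pps`."""
    return [(i / pps, port) for i in range(pps * seconds)]

def run_scenarios():
    uplink, access, evil = "Gi1/0/24", "Gi1/0/1", "Gi1/0/7"   # constructed port names
    results = {}
    # Access port, limit 10: a normal client never trips it, the restart loop does.
    results["normal"] = errdisabled_ports(normal_client(access), {access: 10})
    results["loop"] = errdisabled_ports(restart_loop_client(access), {access: 10})
    # Trusted uplink: 200 clients booting inside one second -> 400 server messages,
    # so the limit has to sit around 400 to avoid false positives.
    results["boot_storm"] = errdisabled_ports(server_replies(uplink, 200), {uplink: 400})
    # Attacker at 80 DISCOVER/s: the uplink sees 80 OFFER/s, far under 400, and the
    # attacker's own port has no limit configured, so nothing is err-disabled ...
    traffic = attacker(evil) + attacker(uplink)
    results["attack_unlimited_access"] = errdisabled_ports(traffic, {uplink: 400})
    # ... whereas a limit of 10 on the access port stops it within the first second.
    results["attack_limited_access"] = errdisabled_ports(traffic, {uplink: 400, evil: 10})
    return results

if __name__ == "__main__":
    for name, tripped in run_scenarios().items():
        print(f"{name:24s} err-disabled: {tripped or 'none'}")
```

The uplink limit that survives the boot storm (400) never sees the attacker, who stays at a fifth of it; the only place the attack is caught is the access port, and only if a limit is configured there at all.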

How can I test for this kind of settings error without having access to the settings themselves? We have had the error that this solution fits for about a year and have reported it many times and gotten nowhere with our network support. How can I test for this incorrect setting or other similar settings errors, so we can bring some evidence to our requests for help?
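An added example addressing the question above and Peter's default-router explanation earlier in the thread (example code for this thread, not Cisco's): without access to the server configuration, the evidence is in the DHCPACK the client receives. This Python snippet decodes the BOOTP header and DHCP options of an ACK and reports any router (option 3) that is the subnet mask or otherwise not a host in the offered subnet. The two packets are constructed to mirror a mistyped and a correct pool; on a real host you would feed it the raw UDP payload of an ACK taken from a packet capture.

```python
"""Decode a DHCPACK and judge the routers (option 3) it carries, so a client with
no access to the server config can show from the wire that the pool hands out a
netmask as a gateway. Example for this thread, not Cisco's; packets are constructed."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_ack(yiaddr, options):
    """Assemble a minimal DHCPACK: 236-byte BOOTP header, cookie, TLV options, end marker."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                            # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0,                      # xid (constructed), secs, flags
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr: the address being handed out
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + tlvs + b"\xff"

def parse_options(packet):
    """Return {option code: raw value}; skips pad (0), stops at end (255)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        length = packet[i + 1]
        opts[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_routers(packet):
    """List what is wrong with the routers a DHCPACK offers; an empty list means plausible."""
    opts = parse_options(packet)
    if opts.get(53) != b"\x05":
        raise ValueError("not a DHCPACK")
    yiaddr = ipaddress.IPv4Address(packet[16:20])
    mask = ipaddress.IPv4Address(opts.get(1, b"\xff\xff\xff\xff"))
    subnet = ipaddress.IPv4Network((str(yiaddr), str(mask)), strict=False)
    raw = opts.get(3, b"")
    if len(raw) % 4:
        return [f"option 3 length {len(raw)} is not a multiple of 4"]
    problems = []
    for i in range(0, len(raw), 4):
        router = ipaddress.IPv4Address(raw[i:i + 4])
        if router == mask:
            problems.append(f"router {router} is the subnet mask, not a gateway")
        elif router not in subnet or router in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"router {router} is not a host in the offered subnet {subnet}")
    return problems

# Constructed captures: the first mirrors the mistyped pool, the second a correct one.
BAD_ACK = build_dhcp_ack("10.0.0.50", [
    (53, b"\x05"),                              # DHCPACK
    (1, b"\xff\xff\xff\x00"),                   # subnet mask 255.255.255.0
    (3, b"\x0a\x00\x00\x01\xff\xff\xff\x00"),   # routers 10.0.0.1 and 255.255.255.0
    (6, b"\x0a\x00\x00\x35"),                   # DNS 10.0.0.53
    (51, struct.pack("!I", 86400)),             # lease time
])
GOOD_ACK = build_dhcp_ack("10.0.0.50", [
    (53, b"\x05"), (1, b"\xff\xff\xff\x00"), (3, b"\x0a\x00\x00\x01"), (51, struct.pack("!I", 86400)),
])

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_ACK), ("good", GOOD_ACK)):
        print(name, check_routers(pkt) or "routers look sane")
```

A second router entry equal to the subnet mask is exactly what a `default-router 10.0.0.1 255.255.255.0` line produces on the wire, so the decoded ACK is evidence you can attach to a ticket without any access to the switch or server.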
