Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
625
Views
1
Helpful
10
Replies

DHCP snooping problem / untrusted port permit DHCP packet

kalmanfranko
Level 1
Level 1

‎02-21-2024 06:06 AM

Dear Community!

There is a strange thing I just can not understand related to the following scenario:

I have two VLANs (200, 201)

One rogue DHCP-server per VLAN200 and VLAN201

DHCP-clients are in VLAN200.

We have a 1941 router with two subinterfaces configured, the one dedicated to VLAN200 has an ip-helper address pointing to rogue DHCP-server of VLAN201.

We have a switch, configured fully with VLANs, trunks plus dhcp snooping, dhcp snooping vlan 200,201.

 

So the problem is that VLAN200 rogue DHCP server is unable to share DHCP for the clients in the same VLAN

But clients get DHCP from VLAN201 rogue DHCP server.

I checked show ip dhcp and all affected ports are untrusted! And yet, clients still get IP from the rogue DHCP-server from different VLAN.

Any advice or help would be appreciated.

Thank You

 

Labels:
0 Helpful
10 Replies 10

MHM Cisco World
VIP
VIP

‎02-21-2024 07:33 AM

Can you share config 

MHM

0 Helpful

kalmanfranko
Level 1
Level 1
In response to MHM Cisco World

‎02-22-2024 12:24 AM

Dear MHM!

 

Here it is:

SWITCH:

ip dhcp snooping vlan 200-201
ip dhcp snooping

CLIENTS INTERFACES:
interface FastEthernet0/1
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
!
TRUSTED DHCP INTERFACE
interface FastEthernet0/3
switchport access vlan 201
ip dhcp snooping trust
switchport mode access

NOTE: TRUSTED DHCP-server is shut down for testing purposes

ROGUE DHCP INTERFACES:
!
interface FastEthernet0/4
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 201
!
UPLINK TO ROUTER:
interface GigabitEthernet0/1
ip dhcp snooping trust
switchport mode trunk
!

Switch#show ip dhcp sn
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
200-201
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
----------------------- ------- ----------------
FastEthernet0/4 no unlimited
FastEthernet0/1 no unlimited
FastEthernet0/2 no unlimited
FastEthernet0/3 yes unlimited
FastEthernet0/6 no unlimited
FastEthernet0/5 no unlimited
GigabitEthernet0/1 yes unlimited

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to kalmanfranko

‎02-22-2024 06:20 AM

check the topology 
am I correct?
if Yes check the note I add to topology 

Screenshot (137).png

0 Helpful

kalmanfranko
Level 1
Level 1
In response to MHM Cisco World

‎02-22-2024 11:41 PM

Dear MHM!

Thank You for the quick response. The only difference between your scenario and mine is that I use router instead of L3 switch for intervlan routing purposes. Here I attach my topology:

2024-02-23 07_32_56-Cisco Packet Tracer - I__TANÍTÁS_DHCP-snooping-vlan.pkt.png

The problem in a nutshell: snooping protects the VLAN200 from internal attacks, but not from external attacks.

0 Helpful

MHM Cisco World
VIP
VIP
In response to kalmanfranko

‎02-23-2024 12:24 AM

friend 
1-the DHCP and clinet in same VLAN , here the ip dhcp snooping stop rogue by config trust port toward trust DHCP and any other port are not trust here the rogue can not answer DHCP request 
2- the DHCP and client in different VLAN, here the ip helper is protect the client from rogue, how the rogue receive the DHCP request if the relay not forward it? 

so ip dhcp snooping indeed protect internal attacks 
and relay protect external attacks 

MHM

kalmanfranko
Level 1
Level 1
In response to MHM Cisco World

‎02-23-2024 06:25 AM

Dear MHM!

Thank You for the response. Indeed, it seems quite unusual, that the attacker has the same IP as the trusted DHCP, but we are testing a scenario where the trusted device becomes unreacheable (following a DDOS attack or something similar) and the attacker sets the same IP as the trusted one. So, the question is: why does untrusted VLAN201 ports let DHCP-offers from the rogue-DHCP device to VLAN200 devices? (Extra: it is not shown in my topology but later we added DHCP-client devices to VLAN201, and as expected, they did not get DHCP-offers from VLAN201 rogue-DHCP - they were safed by snooping.)

0 Helpful

MHM Cisco World
VIP
VIP
In response to kalmanfranko

‎02-23-2024 11:52 PM

now assume that the Attacker use same IP of DHCP and DHCP is under DDoS still if the port connect to hacker DHCP is not trust the DHCP not work. 

Screenshot (138).png

0 Helpful

David Ruess
VIP
VIP

‎02-21-2024 04:26 PM - edited ‎02-21-2024 04:27 PM

Hello,

Its seems you may not quite understand how DHCP snooping works (or I didn't understand your problem fully). DHCP snooping is meant to prevent a DHCP server from sending its messages (Offer/ACK) on untrusted ports. The way you describe your configuration it seems both VLAN 200 and 201 devices are using their respective sub interfaces as their DG to get an IP address. As you mentioned you have the "Rogue" DHCP server configured as a helper address under the respective interfaces. If this is correct then that wont work. Think about how DHCP snooping works. Only trusted ports are allowed to send DHCP server message types. So if your Rogue DHCP server is coming form the same interface (trunk to router using subinterfaces) then its definitely allowed. DHCP snooping prevents DHCP Server messages on UNTRUSED ports only. So if your Rogue DHCP server is sending its messages to the same port the legitimate DHCP server is sending them to and its a trusted port then it will be allowed. The DHCP snooping has no way of determining what's rogue and what isn't if both devices are sending on a trusted port. Untrusted ports are allowed to forward Server and client messages but only allowed to receive client message type (Discover/Request).

 

Hope that helps and if I am mistaken in your config can you please clarify.

 

-David

0 Helpful

kalmanfranko
Level 1
Level 1
In response to David Ruess

‎02-22-2024 12:50 AM

Dear David!

 

Thank You for responding. Indeed, my description was not 100% clear. In short, the problem is that the attacking DHCP server is able to provide DHCP services to another VLAN and is unable to do so to its own VLAN via the untrusted port. Above I have attached the switch configuration, which shows that only the router-facing trunk port and the trusted DHCP server-facing port are trusted, the rest are untrusted. My question is, is there any way to prevent the attacking DHCP server from providing DHCP services not only to its own VLAN, but also to another VLAN? (Ip-helper address points to the good DHCP server, but assume that the attacker IP is the same, and the trusted DHCP server becomes unreachable)

 

0 Helpful

David Ruess
VIP
VIP
In response to kalmanfranko

‎02-22-2024 08:07 AM - edited ‎02-22-2024 08:08 AM

If you have the interface connected to the server as not trusted then the DHCP Server messages should not eb going through. Try to run a debug ip dhcp snooping packet on your switch to see how its being processed. Here is what my output looked like:

DavidRuess_0-1708617725061.png

Once I enabled DHCP snooping trust on the interface the output looked like this:

DavidRuess_1-1708617797509.png

Processed as normal.

Also as @MHM Cisco World mentioned you should disable option 82 with the command:

no ip dhcp snooping information option

-David

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card