How to stop a Cisco IOS based network from accepting DHCP replies from a client (DHCP server running on it)

joepena2012
Level 1

Hi all,

In one of our local networks, we have a DHCP server running on several switchports.

Now I would like to deny any DHCP server replies on all client interfaces.

DHCP snooping would not work because of a few static IP addresses in this network.

Is there any IOS security feature available to protect my local network from unwanted DHCP services?


7 Replies

Peter Paluch
Cisco Employee

Hello Dieter,

Can you please explain in more detail why DHCP Snooping would not be an option for you? Having some addresses assigned statically should not be a problem with DHCP Snooping.

Best regards,
Peter

Hello Peter,

I'm not completely sure.

To my knowledge, for DHCP snooping you need a "DHCP snooping" database.

Only if the HW and IP address are in this database does the switch forward packets via its backplane.

Due to a lot of static entries, I'll have a lot of clients that do not get their IP via DHCP, and so these clients will never be included in the DHCP snooping database.

But to be honest, I don't know the exact functionality of DHCP snooping. Maybe I'll find a whitepaper regarding this.

Dieter

Dieter,

You can configure your non-DHCP ports as trusted ports, which would solve this problem -

https://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html#wp1073354

Jon

Hello Jon,

Thanks for your feedback.

I'm currently discussing with the local admin of this network ways to find out all of the statically configured devices.

The relevant network is in Taiwan, and I'm in Germany.

To be honest, I do not exactly know what kind of clients (DHCP or non-DHCP) they are using in the relevant VLAN, and so it's difficult to figure out which ports need to be configured as trusted.

Peter Paluch
Cisco Employee
(Accepted Solution)

Hello Dieter,

I'd like to add a word or two to Jon's reply.

DHCP Snooping works by limiting the DHCP messages that are either accepted on or transmitted out of a switch interface. DHCP Snooping also performs some sanity checks on the contents of the DHCP message. DHCP Snooping does indeed build its DHCP snooping database, but until further mechanisms like IP Source Guard or Dynamic ARP Inspection are used, this database does not restrict traffic flows, so you do not have to worry about some stations having static IPs while others have their addresses assigned by DHCP.

As you probably know, DHCP Snooping divides the ports on a switch into two categories - trusted and untrusted. The trusted ports are those through which the DHCP server(s) can be reached. The untrusted ports are all remaining ports, as they usually lead to end stations.

The DHCP Snooping feature drops DHCP packets according to the following rules:

  • Server messages (OFFER, ACK, NAK, LEASEQUERY) received on an untrusted port
  • Client messages in which the chaddr field inside the message does not match the source MAC address of the frame in which the message is encapsulated
  • Client messages RELEASE and DECLINE sent by a particular client whose MAC address is, according to the DHCP snooping database, currently associated with a different port than the port through which the message arrived
  • Messages received on an untrusted port in which the giaddr field is different from 0.0.0.0 or which contain Option 82

If a message is not dropped according to these rules, it will be forwarded as follows:

  • A client message will be forwarded out through trusted ports only
  • A server message received on a trusted port will be forwarded back only to the appropriate client (the Option 82 added by the access switch helps identify on which port the appropriate client is connected)

As you can see, there are no problems with some stations having static IP addresses - the rules that govern the operation of DHCP Snooping do not care about static IP assignments. I still believe that DHCP Snooping is most probably the feature you are looking for.

Best regards,

Peter
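A minimal Cisco IOS configuration for the trusted/untrusted split Peter describes, added here as an example; it is not taken from the thread or from the Cisco guide Jon linked. VLAN 10 as the client VLAN, Gi1/0/24 as the uplink toward the legitimate DHCP server and Gi1/0/1-23 as client access ports are assumptions; adapt them to the switch in question.

```cisco
! Added example, not from the thread. Assumed topology:
!   VLAN 10            = client VLAN (mix of DHCP and static-IP hosts)
!   Gi1/0/24           = uplink toward the legitimate DHCP server (or the relay)
!   Gi1/0/1 - 23       = client access ports
!
! Enable the feature globally and on the client VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Caveat: option 82 insertion is on by default. The switch inserts it with
! giaddr 0.0.0.0, and some relays/servers discard such packets. Either disable
! insertion here, as shown, or configure the upstream device to accept it.
no ip dhcp snooping information option
!
! Let a port that was err-disabled by the rate limit below recover on its own
errdisable recovery cause dhcp-rate-limit
!
! Only the path to the real server is trusted. If the server sits behind
! another switch, the trunk toward it is the trusted port.
interface GigabitEthernet1/0/24
 description uplink toward DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default, spelled out here). OFFER/ACK/NAK
! from a DHCP server that someone runs on one of these ports is dropped on
! ingress; a static-IP host on the same port is unaffected, because only DHCP
! packets are inspected.
interface range GigabitEthernet1/0/1 - 23
 description client access ports (static or DHCP hosts)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ! cap DHCP packets per second to blunt lease-starvation from a rogue host
 ip dhcp snooping limit rate 15
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

The check worth doing after rollout is `show ip dhcp snooping statistics` while a rogue server on an access port is active: its OFFER/ACK packets should show up as dropped, and `show ip dhcp snooping binding` should list only leases obtained through the trusted uplink. Hosts with static addresses never appear in the binding table, which is expected and harmless as long as neither IP Source Guard nor Dynamic ARP Inspection is enabled on their ports.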

Hi Peter,

Thanks for your help, you got it.

The problems I knew of with DHCP snooping and static IPs were combined with "ip verify source".

Now I've configured DHCP snooping on one switch in Taiwan, and based on the experience we get with this, we will roll it out in the complete LAN on 12th of January.

Thanks again, this was very helpful.

Dieter
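Dieter's remark points at IP Source Guard (`ip verify source`), the feature that does consult the snooping database and therefore does drop traffic from a static-IP host that has no binding. An added example, not from the thread, of how such a host is kept working under it by giving it a static binding; the MAC, IP, VLAN and port are constructed values and DHCP snooping is assumed to be enabled already on VLAN 10.

```cisco
! Added example, not from the thread. Assumes DHCP snooping is already enabled
! on VLAN 10 and that a static-IP host (constructed values: MAC 0011.2233.4455,
! IP 192.0.2.50) is attached to Gi1/0/5.
!
! A static binding stands in for the lease the host never requests. Without it,
! the first packet the host sends after "ip verify source" is applied is dropped.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ! filter on source IP only; "ip verify source port-security" would also check MAC
 ip verify source
!
! Verification: the static entry must appear alongside the DHCP-learned ones,
! and the port must show up as active for IP source guard
show ip source binding
show ip verify source
```

One static binding per static host is required, so the inventory of statically configured devices that Dieter was collecting is exactly what this needs. The same applies to Dynamic ARP Inspection (`ip arp inspection vlan 10`): it validates ARP against the snooping bindings, so static hosts need either these static bindings or an ARP ACL before it is turned on.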

Hi Jon,

Thanks for your help.

Now I've configured DHCP snooping.

Let's see what'll happen.