Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1756
Views
25
Helpful
9
Replies

DHCP Gleaning - Are logs still generated for violations?

Matthias.G
Level 1
Level 1

‎08-05-2022 03:04 AM

I am aware that DHCP Snooping will usually drop the packet and generate a log when something like a DHCP Offer is being transferred through an untrusted interface. Through scripting, this log can be detected by the switch and forwarded to an admins email address. My requirements are to have the switches do all of this, except for dropping any packets, meaning this solution should:

- Detect DHCP messages going through untrusted ports

- Notify administrators but allow the packet to pass

I learned about DHCP gleaning, which seems to fit this desciption perfectly, though I was not able to learn from the article wether logs will still be generated, so that I can arrange for it to be forwarded to an admin?

Labels:
9 Replies 9

MHM Cisco World
VIP
VIP

‎08-05-2022 04:04 AM

config ACL permit for UDP 17 with Log 
this make SW detect DHCP UDP message but not drop it. 

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to MHM Cisco World

‎08-05-2022 04:22 PM

Hello MHM,

What you suggest is a good starting point but the problem is that ACLs cannot distinguish between different DHCP message types. Matthias is looking for a way to identify messages originated by DHCP servers (Offer, Ack, Nak) arriving on untrusted ports. ACLs can't be used for that as they would match all DHCP messages, not just server-based. The only approximation would be their source and destination UDP port - for a message sent out from a server to a client, the source UDP port would be 67 and the destination port would be 68. That's as granular as it gets, though.

Best regards,
Peter

0 Helpful

MHM Cisco World
VIP
VIP
In response to Peter Paluch

‎08-05-2022 04:27 PM

Yes but the direction can use for detect the DHCP message from Server, 
Discover & request is Outbound 
Offer ACK NAK is Inbound 

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to MHM Cisco World

‎08-06-2022 12:41 AM

Hi MHM,

I don't think I follow you. So let's assume a sample scenario: You have a switchport, say, Gi1/0/1, that is only supposed to be connecting to a DHCP client, but you need to find out if there may be a rogue DHCP server connected to this port, too. How would you then create your ACLs and apply them to this switchport to distinguish server messages from client messages? A working example of those configurations would be the easiest to discuss further.

Thank you!

Best regards,
Peter

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee

‎08-05-2022 04:18 PM

Matthias,

What switch and IOS version would you be using? Doing some internal research, but it seems that on IOS-XE platforms, DHCP Gleaning is not supported even if the CLI commands are available.

Best regards,
Peter

Matthias.G
Level 1
Level 1
In response to Peter Paluch

‎08-08-2022 12:39 AM

Hello Peter,

first of all, thanks. Various 2960X models are in use, some examples being WS-C2960X-48FPD-L, 2960CX-8PC-L, 2960X-24PSQ-L and they run anything between 15.2(7)E4 - 15.2(7)E7, though most of them use E6. The customer has a couple 9200 stacks and about twenty 3560/3560CX mini-switches as well but we may focus on the 2960X first. Still, it'd be nice to know if there is a workaround for IOS-XE devices.

To be more clear about the requirements, the customer would like to have the option to determine the source of a DHCP Offer that was sent over an untrusted port using log-messages and then check up on the source and wether it is a threat on his own.

Best regards,

Matthias

MHM Cisco World
VIP
VIP

‎08-08-2022 02:10 AM

ip dhcp snooping detect spurious vlan <<- check this feature to detect spurious DHCP Server

Matthias.G
Level 1
Level 1
In response to MHM Cisco World

‎08-08-2022 04:49 AM

Thanks MHM. The customers N5K Core seems to block usage of most commands in global config mode but I looked it up in this document and it seems the command is not available on N5Ks:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/command/reference/security/7x/n5600-sec-cr/n5600-sec_cmds_i.html

I checked on 2960X and 9200 models as well:

WS-C2960X-48FPD-L(config)#ip dhcp snooping ?
database "DHCP snooping database agent"
glean "DHCP read only snooping"
information "DHCP Snooping information"
verify "DHCP snooping verify"
vlan "DHCP Snooping vlan"
wireless "DHCP snooping wireless"
<cr>

C9200L-24P-4X(config)#ip dhcp snooping ?
acl "DHCP Snooping mac acl"
database "DHCP snooping database agent"
glean "DHCP read only snooping"
information "DHCP Snooping information"
verify "DHCP snooping verify"
vlan "DHCP Snooping vlan"
wireless "DHCP snooping wireless"
<cr>

MHM Cisco World
VIP
VIP
In response to Matthias.G

‎08-08-2022 05:20 AM

I will then check for other solution 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card