DHCP Snooping

This topic is to discuss the following lesson:

Hi Rene,
question, I’m working with cisco 3550 switch, version 12.1 (13) , (C3550-I5Q3L2-M), and it doesn’t have the option # ip dhcp snooping, under # ip dhcp just have this options (conflict, database, excluded-address, limited-broadcast-address, ping, pool, relay, smart-relay). what should i do, it seems to be a version issue, what version should i upgrade the switch or any other advice.

thanks
Ramon

Hi Ramon,

It’s probably the version since the 3550 does support DHCP snooping. It’s best to get one of the “IP services” images. This is what you should do:

Go to Cisco.com -> Support.
Select the 3550.
Select Download Software.
Select one of the EMI versions.
Select Downloads.
Select IOS Software.

The latest “IP services” version is “c3550-ipservices-mz.122-44.SE6.bin” but an older version would also work.

Here’s the direct link if you want:
https://software.cisco.com/download/release.html?mdfid=275935148&softwareid=280805680&os=&release=12.2.44-SE6&relind=AVAILABLE&rellifecycle=&reltype=latest&i=!pp

Hi Rene, could you describe using your simply language, for what we need option 82?

Hi Yevgeniy,

DHCP Option 82 stands for “DHCP Relay Agent Information Option”. If you haven’t seen how DHCP relay works before, take a look at this lesson:

Option 82 was originally created for really large (WAN) networks where we have a lot of DHCP relays and central DHCP servers. The idea behind it is that the DHCP relay can add extra information which the DHCP server can use to decide which pool to use for assigning an IP address. Option 82 has a “Circuit ID” and a “Remote ID”.

The Circuit ID has information that identifies the port where the request came from. It could carry something like:

Router interface number
VLAN information
Switching Hub port number
Remote Access Server port number
Frame Relay DLCI
ATM virtual circuit number
Cable Data virtual circuit number

The remote ID adds information about the DHCP relay, it could contain something like:

Caller ID (telephone number) for dial-up connections.
username
modem ID
remote IP of point-to-point link

Option 82 is decribed in RFC 3046 in 2001 so it’s quite old. It’s not used often on (small) LAN networks.

Does this help a bit? Maybe I should do a proper lesson for option 82 with some debugs etc.

Rene

2 Likes

Hi Rene,

If we consider configuring DHCP SNOOPING on your first diagram with 4 switches and those switches are trunking, would you configure all those trunks or port-channels as dhcp snooping trusted? or will you configure the SVI’s on the Core switches as trusted? Which is the best way to configure them.
Please advise

Hi Alfredo,

Sorry for the late reply, just got back from holiday :slight_smile: It’s best to configure the uplink trunks / port-channels as trusted.

Rene

In the output of “show ip dhcp snooping” above it shows the insertion of option 82 as enabled. I thought it would not show this as you issued
the no ip dhcp snooping information option earlier?

Hi Ken,

You are right, that’s what it should show. It could be a cosmetic bug in the IOS version that I used for this example or I might have run the show command before disabling the insertion of option 82.

Here’s what it should show, just checked it on an IOS 15.x switch:

SW1#show ip dhcp snooping | include option 82
Insertion of option 82 is disabled

Rene

Hi Rene,

I have question why not apply command IP DHCP snooping trust on interface than connected to client (f0/1) .

Hi Bishoy,

We only configure interfaces as trusted if the interface is connected to an DHCP server or if it’s an uplink towards the DHCP server.

If you would configure the fa0/1 interface as trusted, the client could run a fake DHCP server which is exactly what we are trying to prevent here :slight_smile:

Rene

Hlw Rene,

It is very basic question still curious to understand. My router shows the output

Router-1#show version 
Cisco IOS XE Software, Version 03.12.00a.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S0a, RELEASE SOFTWARE (fc1)

I want to know ---------------

What is the meaning of Version 03.12.00a.S and Version 15.4(2)S0a ?

I am very much confused on it . Please help me to understand dear :slight_smile:

br//
zaman

Zaman,
IOS XE is a different from the “traditional” IOS operating system in terms of its architecture. IOS XE still runs the traditional IOS, but it runs as a single process (daemon) within a larger linux operating system. Notice in your output, there is an indication of this (linux):

(X86_64_LINUX_IOSD-UNIVERSALK9-M)

So, “Version 03.12.00a.S” refers to the large linux operating system, while “Version 15.4(2)S0a” refers to the IOS version being run by the IOS daemon within IOS XE. Make sense?

Here’s some more info on IOS XE if you want to read about the new architectural changes:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-3sg/QA_C67-622903.html

Hello Rene,

Can you give me please example if DHCP Snooping combine with DHCP Relay agent if use additional Switch or router.

Thanks

Hello Rudy.

A DHCP relay agent is just a router that receives a DHCP OFFER packet and forwards it to a preconfigured DHCP server that is on a different subnet than the interface on which the OFFER was received. This is a layer 3 feature since we are taking a packet that would normally be limited to a subnet and routing it to the DHCP server on another subnet.

The DHCP snooping occurs only within a subnet and cannot surpass the boundary of the subnet (the router) unless the router itself is configured with the IP address of the “DHCP snooper” as the relay agent. Although this theoretically can occur, it is not likely and it is of little value to an attacker.

So weather you have a relay agent or not, snooping will still occur and can be mitigated in the same manner.

I hope this has been helpful.

Laz

apologies to jump in on an old thread, would the cross link between the 2 distribution switches need to be enabled for IP DHCP snooping trust on both ends?

Hi Mark,
Yes, all ports in that form part of the “downstream” path FROM the trusted DHCP server also need to be marked as trusted. This would include inter-switch links. The reverse is not necessary (upstream ports to the DHCP server). The reason for this is because DHCP snooping blocks the Offer message from crossing untrusted ports. The client side of the conversation–the Discovery and Request (remember DORA for DHCP ipv4), is not affected by DHCP snooping.

Hello Rene,

Can you please provide strong details why do you have to disable option 82 on an interface? i have a little idea of what it is but i need a really good example when it need to be activated and disable.

Hello Manuel

Rene describes what option 82 does in this post very well.

As to why you should disable option 82, when DHCP snooping is enabled on a switch, option 82 is enabled by default. That is, any DHCP request packets that are sent from a host will enter the switch and will have option 82 information ADDED to the request before it is sent on to the DHCP server. Specifically, enabling DHCP snooping on the switch adds the giaddr value of 0.0.0.0 in the DHCP packet. However, the DHCP server is expecting this field to be set to that of the relay agent (a non zero value), since option 82 is used for DHCP relay. (If you’re not sure what I mean, review the post I linked to above).

The problem is that there are some DHCP servers (including Cisco IOS DHCP servers) that will reject any DHCP packet that retains the giaddr value of 0.0.0.0 in the DHCP packet.

So this is why you should use the no ip dhcp-snooping information option described by Rene. This command tells the switch NOT to add option 82 and thus, any DHCP server receiving the DHCP request will process it normally. Another solution would be to use the commandip dhcp relay information trusted on the interface of the DHCP server which will tell it to trust any relay information, that is option 82 information, provided by the packet.

I hope this has been helpful!

Laz

1 Like

What will happen if a DHCP server becomes a shortage of IP Address? Suppose in a Scenario an attacker sends unlimited DHCP requests to the DHCP Server and DHCP server goes out of IP Address after assigning all of its valid IP Addresses. (Somehow attacker manages to configure its device each time such as does not have an IP Address assigned. It would be great if you can explain the attack as well. )