Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1030
Views
0
Helpful
7
Replies

How to avoid a Cisco IOS based network accepting DHCP replies from a client (dhcp server running on it)

Go to solution
joepena2012
Level 1
Level 1

‎12-28-2009 03:09 AM - edited ‎03-06-2019 09:05 AM

Hi all,

In one of our local networks, we have a dhcp server running on several switchports.

Now i would like to deny any DHCP server replies on all client interfaces.

DHCP snooping would not work, because of a few static IP addresses in this network.

Is there any IOS security feature available, to protect my local network, from unwanted DHCP services?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to joepena2012

‎12-28-2009 03:56 PM

Hello Dieter,

I'd like to add a word or two to the Jon's reply.

The DHCP Snooping works by limiting the DHCP messages that are either accepted or transmitted out a switch interface. Also, the DHCP Snooping makes some sanity checks on the contents of the DHCP message. The DHCP Snooping indeed builds its DHCP snooping database but until further mechanisms like IP Source Guard or Dynamic ARP Inspection are used, this database does not further prevent traffic flows so you do not have to worry about some stations having static IPs while others having their addresses assigned by DHCP.

As you probably know, the DHCP Snooping divides ports on a switch into two categories - trusted and untrusted. The trusted ports are those through which DHCP server(s) can be reached. The untrusted ports are all remaining ports, as they usually lead to end stations.

The DHCP Snooping feature drops the DHCP packets according to the following rules:

  • Server messages (OFFER, ACK, NAK, LEASEQUERY) received on an untrusted port
  • Client messages in which the chaddr field inside the message does not match the source MAC address of the frame in which the message is encapsulated
  • Client messages RELEASE and DECLINE sent by a particular client whose MAC address is, according to the DHCP snooping database, currently associated with a different port than the port through which the message arrived
  • Messages received on an untrusted port in which the giaddr field is different from 0.0.0.0 or which contain the Option 82

If a message is not dropped according to these rules, it will be forwarded as follows:

  • A client message will be forwarded out through trusted port only
  • A server message received on a trusted port will be forwarded back only to the appropriate client (the Option-82 added by the access switch helps in identifying on which port is the appropriate client connected)

As you can see, there are no problems with some stations having static IP addresses - the rules that govern the operation of the DHCP Snooping do not care about static IP assignments. I still believe that the DHCP Snooping is most probably the feature you are looking for.

Best regards,

Peter

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎12-28-2009 03:48 AM

Hello Dieter,

Can you please explain in more detail why the DHCP Snooping would not be an option for you? Having some addresses assigned statically should not be a problem with DHCP Snooping.

Best regards,
Peter

0 Helpful

Go to solution
joepena2012
Level 1
Level 1
In response to Peter Paluch

‎12-28-2009 08:04 AM

Hello Peter,

i'm not completely sure.

to my knowledge for DHCP snooping you need a "dhcp snooping" database.

Only if hw- and ip-address is in this database the switch forwards packets via its backplane.

Due to a lot of static entries, i'll have a lot of clients whithout getting their IP via dhcp and so these clients will never included to the dhcp snooping database.

But to be honest, i dont know the exact functionality of dhcp snooping. Maybe i'll find a whitepaper regarding this.

Dieter

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to joepena2012

‎12-28-2009 09:32 AM 

Dieter.Bez wrote:
Hello Peter,
i'm not completely sure.
to my knowledge for DHCP snooping you need a "dhcp snooping" database.
Only if hw- and ip-address is in this database the switch forwards packets via its backplane.
Due to a lot of static entries, i'll have a lot of clients whithout getting their IP via dhcp and so these clients will never included to the dhcp snooping database.
But to be honest, i dont know the exact functionality of dhcp snooping. Maybe i'll find a whitepaper regarding this.
Dieter

Dieter

You can configure your non-DHCP ports as trusted ports which would solve this problem -

https://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html#wp1073354

Jon

0 Helpful

Go to solution
joepena2012
Level 1
Level 1
In response to Jon Marshall

‎12-28-2009 12:07 PM

Hello Jon,

thanks for your feedback.

I'm currently discussing with the local admin of this network the ways to find out all of the static configured devices.

The relevant network is in Taiwan, and i'm in Germany.

To be honest, i do not exactly know what kind of clients (DHCP or non DHCP) they are using in the relevant VLAN, and so it's difficult to figure out

which ports needs to be configured as trusted.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to joepena2012

‎12-28-2009 03:56 PM

Hello Dieter,

I'd like to add a word or two to the Jon's reply.

The DHCP Snooping works by limiting the DHCP messages that are either accepted or transmitted out a switch interface. Also, the DHCP Snooping makes some sanity checks on the contents of the DHCP message. The DHCP Snooping indeed builds its DHCP snooping database but until further mechanisms like IP Source Guard or Dynamic ARP Inspection are used, this database does not further prevent traffic flows so you do not have to worry about some stations having static IPs while others having their addresses assigned by DHCP.

As you probably know, the DHCP Snooping divides ports on a switch into two categories - trusted and untrusted. The trusted ports are those through which DHCP server(s) can be reached. The untrusted ports are all remaining ports, as they usually lead to end stations.

The DHCP Snooping feature drops the DHCP packets according to the following rules:

  • Server messages (OFFER, ACK, NAK, LEASEQUERY) received on an untrusted port
  • Client messages in which the chaddr field inside the message does not match the source MAC address of the frame in which the message is encapsulated
  • Client messages RELEASE and DECLINE sent by a particular client whose MAC address is, according to the DHCP snooping database, currently associated with a different port than the port through which the message arrived
  • Messages received on an untrusted port in which the giaddr field is different from 0.0.0.0 or which contain the Option 82

If a message is not dropped according to these rules, it will be forwarded as follows:

  • A client message will be forwarded out through trusted port only
  • A server message received on a trusted port will be forwarded back only to the appropriate client (the Option-82 added by the access switch helps in identifying on which port is the appropriate client connected)

As you can see, there are no problems with some stations having static IP addresses - the rules that govern the operation of the DHCP Snooping do not care about static IP assignments. I still believe that the DHCP Snooping is most probably the feature you are looking for.

Best regards,

Peter

0 Helpful

Go to solution
joepena2012
Level 1
Level 1
In response to Peter Paluch

‎12-29-2009 12:47 AM

Hi Peter,

thanks for your help, you got it.

the problems i knew with dhcp snooping and static ip's were combined with "ip verify source".

Now i've configured dhcp snooping at one switch in Taiwan. and based on the experiences we'll get with this, we will roll out in the complete LAN on 12th of January.

Thanks again, this was very helpful

Dieter

0 Helpful

Go to solution
joepena2012
Level 1
Level 1
In response to Jon Marshall

‎12-29-2009 01:05 AM

Hi Jon,

thanks for your help.

now i've configured dhcp snooping.

Let's see what'll happen.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card