DHCP Snooping - Cisco Switch Setting

 

안녕하세요 빛향기고운데입니다~*

 전산관리자라면 사내에 엉뚱한 DHCP서버들 때문에 Client들이 엉뚱한 IP를 부여받고 장애를 경험하신분들이

있으실 겁니다.

Cisco Switch 장비를 사용하고 계신다면 DHCP Snooping 설정을 적용하시면 원치않은 DHCP서버에서

BroadCast의 Request값을 차단하실 수 있습니다.

 

 

---

A DHCP server normally provides all the basic information a client PC needs to operate on a

network. For example, the client might receive an IP address, a subnet mask, a default gateway

address, DNS addresses, and so on.

Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as

that same client PC. Now when the client broadcasts its DHCP request, the rogue server could

send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.

When the client receives the reply, it begins using the spoofed gateway address. Packets destined

for addresses outside the local subnet then go to the attacker’s machine first. The attacker can

forward the packets to the correct destination, but in the meantime, it can examine every packet

that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged

into the path and the client doesn’t realize it.

Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack.

When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate

DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.html

 

Configuring DHCP Snooping on the Switch

When you configure DHCP snooping on your switch, you are enabling the switch to differentiate untrusted interfaces from trusted interfaces. You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN. You can enable DHCP snooping independently from other DHCP features.

Once you have enabled DHCP snooping, all the DHCP relay information option configuration commands are disabled; this includes the following commands:

•ip dhcp relay information check

•ip dhcp relay information policy

•ip dhcp relay information option

•ip dhcp relay information trusted

•ip dhcp relay information trust-all

These sections describe how to configure DHCP snooping:

•Default Configuration for DHCP Snooping

•Enabling DHCP Snooping

•Configuring DHCP Snooping on Private VLAN

Default Configuration for DHCP Snooping

DHCP snooping is disabled by default. Table 19-1 shows all the default configuration values for each DHCP snooping option.

Table 19-1 Default Configuration Values for DHCP Snooping

Option

Default Value/State

DHCP snooping

Disabled

DHCP snooping information option

Enabled

DHCP snooping limit rate

Infinite (functions as if rate limiting were disabled)

DHCP snooping trust

Untrusted

DHCP snooping vlan

Disabled

If you want to change the default configuration values, see the "Enabling DHCP Snooping" section.

Enabling DHCP Snooping

To enable DHCP snooping, perform this task:

Command

Purpose

Step 1 

Switch(config)# ip dhcp snooping 

Enables DHCP snooping globally.

You can use the no keyword to disable DHCP snooping.

Step 2 

Switch(config)# ip dhcp snooping vlan number 
[number]

Enables DHCP snooping on your VLANs.

Step 3 

Switch(config)# ip dhcp snooping information 
option 

Enables DHCP Option 82 data insertion.

Step 4 

Switch(config-if)# ip dhcp snooping trust

Configures the interface as trusted or untrusted.

You can use the no keyword of to configure an interface to receive only messages from within the network.

Step 5 

Switch(config-if)# ip dhcp snooping limit rate 
rate

Configures the number of DHCP packets per second (pps) that an interface can receive.

Note You may not want to configure untrusted rate limiting to more than 100 pps.
Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value.

Step 6 

Switch(config)# end 

Exits configuration mode.

Step 7 

Switch# show ip dhcp snooping 

Verifies the configuration.

You can configure DHCP snooping for a single VLAN or a range of VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number.

This example shows how to enable DHCP snooping on VLANs 10 through 100:

Switch# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 10 100

Switch(config)# ip dhcp snooping information option

Switch(config-if)# ip dhcp snooping trust

Switch(config-if)# ip dhcp snooping limit rate 100

Switch(config)# end

Switch# show ip dhcp snooping

DHCP Snooping is configured on the following VLANs:

    10 30-40 100 200-220

Insertion of option 82 information is enabled.

Interface           Trusted        Rate limit (pps)

---------           -------        ----------------

FastEthernet2/1     yes            10

FastEthernet2/2     yes            none

FastEthernet3/1     no             20

Switch# 

Configuring DHCP Snooping on Private VLAN

DHCP snooping can be enabled on private VLANs, which provide isolation between Layer 2 ports within the same VLAN. If DHCP snooping is enabled (or disabled), the configuration is propagated to both the primary VLAN and its associated secondary VLANs; you cannot enable (or disable) DHCP snooping on a primary VLAN without reflecting this configuration change on the secondary VLANs.

Configuring DHCP snooping on a secondary VLAN is still allowed, but it will not take effect if the associated primary VLAN is already configured. If this is the case, the effective DHCP snooping mode on the secondary VLAN is derived from the corresponding primary VLAN. Manually configuring DHCP snooping on a secondary VLAN will cause the switch to issue the error message:

DHCP Snooping configuration may not take effect on secondary vlan XXX 

The command show ip dhcp snooping will display all VLANs with DHCP snooping enabled, including both primary VLANs and their corresponding secondary VLANs.

Displaying DHCP Snooping Information

You can display a DHCP snooping binding table and configuration information for all interfaces on a switch.

Displaying a Binding Table

The DHCP snooping binding table for each switch contains binding entries that correspond to untrusted ports. It does not contain information about hosts interconnected with a trusted port, because each interconnected switch will have its own DHCP snooping binding table.

This example shows how to display the DHCP snooping binding information for a switch.

Switch# show ip dhcp snooping binding

MacAddress      IP Address  Lease (seconds)  Type  VLAN  Interface

-----------     -----------  ----------------  -----  -----  ------------

0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1

Switch#

Table 19-2 describes the fields in the show ip dhcp snooping binding command output.

Table 19-2 show ip dhcp snooping binding Command Output

Field

Description

Mac Address

Client hardware MAC address

IP Address

Client IP address assigned from the DHCP server

Lease (seconds)

IP address lease time

Type

Binding type; statically configured from CLI or dynamically learned

VLAN

VLAN number of the client interface

Interface

Interface that connects to the DHCP client host

Displaying the DHCP Snooping Configuration

This example shows how to display the DHCP snooping configuration for a switch.

Switch# show ip dhcp snooping

Switch DHCP snooping is enabled.

DHCP Snooping is configured on the following VLANs:

    10 30-40 100 200-220

Insertion of option 82 information is enabled.

Interface           Trusted        Rate limit (pps)

---------           -------        ----------------    

FastEthernet2/1     yes            10

FastEthernet3/1     yes            none

GigabitEthernet1/1  no             20

Switch#