
L2 security – DHCP Snooping.

One of the security features that protect DHCP is DHCP Snooping. The main reasons to implement it are:
  • Protect the network against rogue DHCP servers
  • Limit the rate of DHCP requests sent by clients
Let’s test the DHCP process in the topology below without DHCP Snooping.

                     DHCP SERVER 
                        /----\
                       |  R1  |
                        \----/
                           | / fa1/0/9                    
                        -------         
                        | SW1 |   
                        |_____|
              fa1/0/4- /      \ -fa1/0/8
                      /        \       
                     /          \
                    /            \
              /----\               /----\
             | ASA1 |             | ASA2 |
              \----/               \----/
            DHCP CLIENT1         DHCP CLIENT2 

R1 (DHCP server):

!
interface GigabitEthernet0/0
 description link to MP-SW Fas 1/0/9
 ip address 192.168.1.10 255.255.255.0
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool DHCP-POOL
   network 192.168.1.0 255.255.255.0
!

Client 1 (ASA1):

!
hostname asa1
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address dhcp 
!

Client 2 (ASA2):

!
hostname asa2
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address dhcp 
!

Let’s enable the interface on ASA1 and check R1 (the server):

r1#
Apr 21 21:02:37.354: DHCPD: Sending notification of DISCOVER:
Apr 21 21:02:37.354:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:02:37.354:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:02:37.354:   DHCPD: circuit id 00000000
Apr 21 21:02:37.354: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:02:37.354:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:02:37.354:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:02:37.354:   DHCPD: circuit id 00000000
Apr 21 21:02:37.354: DHCPD: Adding binding to radix tree (192.168.1.40)
Apr 21 21:02:37.354: DHCPD: Adding binding to hash tree
Apr 21 21:02:37.354: DHCPD: assigned IP address 192.168.1.40 to client 0063.6973.636f.2d36.3430.302e.6631.3832.2e34.3465.322d.696e.7369.6465.2d61.7361.3100.
Apr 21 21:02:39.354: DHCPD: Sending notification of DISCOVER:
Apr 21 21:02:39.354:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:02:39.354:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:02:39.354:   DHCPD: circuit id 00000000
Apr 21 21:02:39.354: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:02:39.354:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:02:39.354:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:02:39.354:   DHCPD: circuit id 00000000
Apr 21 21:02:39.354: DHCPD: Found previous server binding
Apr 21 21:02:39.354: DHCPD: Sending notification of ASSIGNMENT:
Apr 21 21:02:39.354:  DHCPD: address 192.168.1.40 mask 255.255.255.0
Apr 21 21:02:39.354:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:02:39.354:   DHCPD: lease time remaining (secs) = 86400
r1#

Let’s check the interface on ASA1:

asa1# sh int ip b | i DHCP
Ethernet0/0                192.168.1.40    YES DHCP   up                    up  
asa1#

Repeat the same for ASA2:

r1#
Apr 21 21:06:50.058: DHCPD: Sending notification of DISCOVER:
Apr 21 21:06:50.058:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:06:50.058:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:06:50.058:   DHCPD: circuit id 00000000
Apr 21 21:06:50.058: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:06:50.058:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:06:50.058:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:06:50.058:   DHCPD: circuit id 00000000
Apr 21 21:06:50.058: DHCPD: Adding binding to radix tree (192.168.1.41)
Apr 21 21:06:50.058: DHCPD: Adding binding to hash tree
Apr 21 21:06:50.058: DHCPD: assigned IP address 192.168.1.41 to client 0063.6973.636f.2d36.3430.302e.6631.3832.2e34.3465.632d.696e.7369.6465.2d61.7361.3200.
Apr 21 21:06:52.058: DHCPD: Sending notification of DISCOVER:
Apr 21 21:06:52.058:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:06:52.058:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:06:52.058:   DHCPD: circuit id 00000000
Apr 21 21:06:52.058: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:06:52.058:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:06:52.058:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:06:52.058:   DHCPD: circuit id 00000000
Apr 21 21:06:52.058: DHCPD: Found previous server binding
Apr 21 21:06:52.058: DHCPD: Sending notification of ASSIGNMENT:
Apr 21 21:06:52.058:  DHCPD: address 192.168.1.41 mask 255.255.255.0
Apr 21 21:06:52.058:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:06:52.058:   DHCPD: lease time remaining (secs) = 86400
r1#

asa2# sh int ip b | i DHCP
Ethernet0/0                192.168.1.41    YES DHCP   up                    up  
asa2#

r1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.40        0063.6973.636f.2d36.    Apr 22 2014 09:02 PM    Automatic
                    3430.302e.6631.3832.
                    2e34.3465.322d.696e.
                    7369.6465.2d61.7361.
                    3100
192.168.1.41        0063.6973.636f.2d36.    Apr 22 2014 09:06 PM    Automatic
                    3430.302e.6631.3832.
                    2e34.3465.632d.696e.
                    7369.6465.2d61.7361.
                    3200
r1#

So, we see the DHCP server works fine. It’s time to enable the DHCP Snooping feature with the following requirements:
  • Switch port Fa1/0/9 should be trusted for the DHCP server (R1)
  • Switch ports Fa1/0/4 and Fa1/0/8 should limit the number of DHCP packets to 50 pps
  • All remaining ports should be untrusted
  • Save the DHCP bindings to a file on the switch flash
I add one rogue DHCP server (R2) to test the security features:

          DHCP SERVER               DHCP SERVER (rogue)
            /----\                     /----\
           |  R1  |                   |  R2  |
            \----/ \                 /  \----/
                    \ fa1/0/9       / fa1/0/11
       trusted int---\_____________/---untrusted int
                      |    SW1     |
                      |            |
      untrusted int---/ ---------- \---untrusted int
                     / fa1/0/4      \ fa1/0/8
                    /                \
              /----\                  /----\
             | ASA1 |                | ASA2 |
              \----/                  \----/
            DHCP CLIENT1            DHCP CLIENT2


SW1:

ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:DHCP.txt
ip dhcp snooping database write-delay 30
ip dhcp snooping

errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30

!
interface FastEthernet1/0/4
 description to ASA1 eth0/0
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 50
!
interface FastEthernet1/0/8
 description to ASA2 eth0/0
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 50
!
interface FastEthernet1/0/9
 description to R1-2911 gi0/0
 ip dhcp snooping trust
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
 no shutdown
!

*Mar  1 00:37:57.758: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to flash can fill up your device causing the writes of bindings to device, to fail.
*Mar  1 00:37:58.765: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
*Mar  1 00:37:58.773: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.
*Mar  1 00:38:01.382: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Mar  1 00:38:01.390: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
MP-SW#dir | i DHCP
  371  -rwx          47   Mar 1 1993 00:38:28 +00:00  DHCP.txt
MP-SW#

MP-SW#more flash:DHCP.txt
2b915b04
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
END
MP-SW#

Let’s check the status of DHCP Snooping feature:

MP-SW#sh ip dhcp snooping 
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: e8ba.7091.9d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
FastEthernet1/0/4          no         no              50        
  Custom circuit-ids:
FastEthernet1/0/8          no         no              50        
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
  Custom circuit-ids:
FastEthernet1/0/9          yes        yes             unlimited
  Custom circuit-ids:
MP-SW#

Now, clear existing bindings on R1:

r1#clear ip dhcp binding *
r1#
Apr 21 21:20:27.842: DHCPD: Sending notification of TERMINATION:
Apr 21 21:20:27.842:  DHCPD: address 192.168.1.40 mask 255.255.255.0
Apr 21 21:20:27.842:  DHCPD: reason flags: destroyed 
Apr 21 21:20:27.842:   DHCPD: htype 1 chaddr 6400.f182.44e2
Apr 21 21:20:27.842:   DHCPD: lease time remaining (secs) = 85332
Apr 21 21:20:27.842: DHCPD: returned 192.168.1.40 to address pool DHCP-POOL.
Apr 21 21:20:27.842: DHCPD: Sending notification of TERMINATION:
Apr 21 21:20:27.842:  DHCPD: address 192.168.1.41 mask 255.255.255.0
Apr 21 21:20:27.842:  DHCPD: reason flags: destroyed 
Apr 21 21:20:27.842:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:20:27.842:   DHCPD: lease time remaining (secs) = 85585
Apr 21 21:20:27.842: DHCPD: returned 192.168.1.41 to address pool DHCP-POOL.
r1#

and reset the IP addresses on ASA1 and ASA2.
Let’s see what happens with the new settings when we re-enable the ASA2 interface.

SW1:

MP-SW#
*Mar  1 00:55:26.754: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/8, changed state to down
*Mar  1 00:55:27.752: %LINK-3-UPDOWN: Interface FastEthernet1/0/8, changed state to down
*Mar  1 00:55:29.924: %LINK-3-UPDOWN: Interface FastEthernet1/0/8, changed state to up
*Mar  1 00:55:30.386: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 00:55:30.386: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/8
*Mar  1 00:55:30.386: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 00:55:30.386: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/8)
*Mar  1 00:55:30.386: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/8, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44ec, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec
*Mar  1 00:55:30.386: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
*Mar  1 00:55:30.386: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
*Mar  1 00:55:30.931: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/8, changed state to up
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/9
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/9)
*Mar  1 00:55:32.391: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa1/0/9, MAC da: 6400.f182.44ec, MAC sa: e8b7.4842.4c58, IP da: 192.168.1.42, IP sa: 192.168.1.10, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.42, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec
*Mar  1 00:55:32.391: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet1/0/8.
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/8
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/8)
*Mar  1 00:55:32.391: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/8, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44ec, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec
*Mar  1 00:55:32.391: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
*Mar  1 00:55:32.391: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/9
*Mar  1 00:55:32.391: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 00:55:32.391: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/9)
*Mar  1 00:55:32.391: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa1/0/9, MAC da: 6400.f182.44ec, MAC sa: e8b7.4842.4c58, IP da: 192.168.1.42, IP sa: 192.168.1.10, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.42, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec
*Mar  1 00:55:32.399: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet1/0/8.
*Mar  1 00:55:32.399: DHCP_SNOOPING: add binding on port FastEthernet1/0/8.
*Mar  1 00:55:32.399: DHCP_SNOOPING: added entry to table (index 230)

*Mar  1 00:55:32.399: DHCP_SNOOPING: dump binding entry: Mac=64:00:F1:82:44:EC Ip=192.168.1.42 Lease=86400      Type=dhcp-snooping Vlan=1 If=FastEthernet1/0/8
*Mar  1 00:55:32.399: DHCP_SNOOPING_SW no entry found for 6400.f182.44ec 0.0.0.1 FastEthernet1/0/8
*Mar  1 00:55:32.399: DHCP_SNOOPING_SW host tracking not found for update add dynamic (192.168.1.42, 0.0.0.0, 6400.f182.44ec) vlan 1
*Mar  1 00:55:45.762: DHCP_SNOOPING: checking expired snoop binding entries
*Mar  1 00:56:02.405: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
MP-SW#

R1:

r1#
Apr 21 21:38:59.554: DHCPD: checking for expired leases.
Apr 21 21:39:10.398: DHCPD: Sending notification of DISCOVER:
Apr 21 21:39:10.398:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:39:10.398:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:39:10.398:   DHCPD: circuit id 00000000
Apr 21 21:39:10.398: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:39:10.398:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:39:10.398:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:39:10.398:   DHCPD: circuit id 00000000
Apr 21 21:39:10.398: DHCPD: Adding binding to radix tree (192.168.1.42)
Apr 21 21:39:10.398: DHCPD: Adding binding to hash tree
Apr 21 21:39:10.398: DHCPD: assigned IP address 192.168.1.42 to client 0063.6973.636f.2d36.3430.302e.6631.3832.2e34.3465.632d.696e.7369.6465.2d61.7361.3200.
Apr 21 21:39:12.398: DHCPD: Sending notification of DISCOVER:
Apr 21 21:39:12.398:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:39:12.398:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:39:12.398:   DHCPD: circuit id 00000000
Apr 21 21:39:12.398: DHCPD: Seeing if there is an internally specified pool class:
Apr 21 21:39:12.398:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:39:12.398:   DHCPD: remote id 020a0000c0a8010a00000000
Apr 21 21:39:12.398:   DHCPD: circuit id 00000000
Apr 21 21:39:12.398: DHCPD: Found previous server binding
Apr 21 21:39:12.402: DHCPD: Sending notification of ASSIGNMENT:
Apr 21 21:39:12.402:  DHCPD: address 192.168.1.42 mask 255.255.255.0
Apr 21 21:39:12.402:   DHCPD: htype 1 chaddr 6400.f182.44ec
Apr 21 21:39:12.402:   DHCPD: lease time remaining (secs) = 86400
Apr 21 21:40:59.554: DHCPD: checking for expired leases.
r1#

Let’s check the binding table on SW1:

MP-SW#sh ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
64:00:F1:82:44:EC   192.168.1.42     86203       dhcp-snooping   1     FastEthernet1/0/8
Total number of bindings: 1

MP-SW#more flash:DHCP.txt         
2b915f22
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.1.42 1 6400.f182.44ec 2B92B083 Fa1/0/8                           7e0e6b4a
END
MP-SW#

Now I do the same with ASA1 (re-enable and reset the IP address):

MP-SW#
*Mar  1 01:01:29.083: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/4 for pak.  Was Vl1
*Mar  1 01:01:29.083: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/4
*Mar  1 01:01:29.083: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/4 for pak.  Was Vl1
*Mar  1 01:01:29.083: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/4)
*Mar  1 01:01:29.083: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/4, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44e2, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44e2
*Mar  1 01:01:29.083: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
*Mar  1 01:01:29.083: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/9
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 01:01:31.088: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/9)
*Mar  1 01:01:31.088: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa1/0/9, MAC da: 6400.f182.44e2, MAC sa: e8b7.4842.4c58, IP da: 192.168.1.43, IP sa: 192.168.1.10, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.43, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44e2
*Mar  1 01:01:31.088: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet1/0/4.
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/4 for pak.  Was Vl1
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/4
*Mar  1 01:01:31.088: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/4 for pak.  Was Vl1
*Mar  1 01:01:31.088: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/4)
*Mar  1 01:01:31.088: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/4, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44e2, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44e2
*Mar  1 01:01:31.096: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
*Mar  1 01:01:31.096: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
*Mar  1 01:01:31.096: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 01:01:31.096: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/9
*Mar  1 01:01:31.096: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/9 for pak.  Was Vl1
*Mar  1 01:01:31.096: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/9)
*Mar  1 01:01:31.096: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa1/0/9, MAC da: 6400.f182.44e2, MAC sa: e8b7.4842.4c58, IP da: 192.168.1.43, IP sa: 192.168.1.10, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.43, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44e2
*Mar  1 01:01:31.096: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet1/0/4.
*Mar  1 01:01:31.096: DHCP_SNOOPING: add binding on port FastEthernet1/0/4.
*Mar  1 01:01:31.096: DHCP_SNOOPING: added entry to table (index 178)

*Mar  1 01:01:31.096: DHCP_SNOOPING: dump binding entry: Mac=64:00:F1:82:44:E2 Ip=192.168.1.43 Lease=86400      Type=dhcp-snooping Vlan=1 If=FastEthernet1/0/4
*Mar  1 01:01:31.096: DHCP_SNOOPING_SW no entry found for 6400.f182.44e2 0.0.0.1 FastEthernet1/0/4
*Mar  1 01:01:31.096: DHCP_SNOOPING_SW host tracking not found for update add dynamic (192.168.1.43, 0.0.0.0, 6400.f182.44e2) vlan 1
*Mar  1 01:01:45.759: DHCP_SNOOPING: checking expired snoop binding entries
MP-SW#

MP-SW#sh ip dhcp snooping binding 
*Mar  1 01:05:40.724: %SYS-5-CONFIG_I: Configsh ip dhcp snooping binding 
*Mar  1 01:05:45.757: DHCP_SNOOPING: checking expired snoop binding entries
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
64:00:F1:82:44:E2   192.168.1.43     86143       dhcp-snooping   1     FastEthernet1/0/4
64:00:F1:82:44:EC   192.168.1.42     85785       dhcp-snooping   1     FastEthernet1/0/8
Total number of bindings: 2

MP-SW#more flash:DHCP.txt
2b916089
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.1.43 1 6400.f182.44e2 2B92B1EA Fa1/0/4                           945fb01f
192.168.1.42 1 6400.f182.44ec 2B92B084 Fa1/0/8                           124bc5fa
END
MP-SW#

r1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.42        0063.6973.636f.2d36.    Apr 22 2014 09:39 PM    Automatic
                    3430.302e.6631.3832.
                    2e34.3465.632d.696e.
                    7369.6465.2d61.7361.
                    3200
192.168.1.43        0063.6973.636f.2d36.    Apr 22 2014 09:45 PM    Automatic
                    3430.302e.6631.3832.
                    2e34.3465.322d.696e.
                    7369.6465.2d61.7361.
                    3100
r1#

As we can see, both DHCP clients obtained IP addresses, and everything is saved in the DHCP snooping table and file.
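As an added example (not from the original post), here is a Python cross-check of the flash:DHCP.txt binding database against the show ip dhcp snooping binding output above, the kind of consistency check worth running before trusting a reloaded database. The file and table contents are the page's own except for one constructed third table row; reading the file's first line and fourth column as timestamps in seconds, so that their difference is the lease left when the file was written, is an inference from the values on the page, not documented behaviour.

```python
import re
from collections import namedtuple

# flash:DHCP.txt exactly as shown on the page after both ASAs obtained leases.
SNOOPING_DB = """2b916089
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.1.43 1 6400.f182.44e2 2B92B1EA Fa1/0/4                           945fb01f
192.168.1.42 1 6400.f182.44ec 2B92B084 Fa1/0/8                           124bc5fa
END
"""

# 'show ip dhcp snooping binding' from the page plus one CONSTRUCTED row
# (02:00:00:00:00:44 on Fa1/0/5) that has not been written to the file yet.
SHOW_BINDING = """MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
64:00:F1:82:44:E2   192.168.1.43     86143       dhcp-snooping   1     FastEthernet1/0/4
64:00:F1:82:44:EC   192.168.1.42     85785       dhcp-snooping   1     FastEthernet1/0/8
02:00:00:00:00:44   192.168.1.44     86400       dhcp-snooping   1     FastEthernet1/0/5
Total number of bindings: 3
"""

IF_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "Vlan": "Vl"}
# file entry: ip vlan mac expiry(hex) interface checksum
DB_ENTRY = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+)\s+([0-9a-f.]+)\s+([0-9A-Fa-f]+)\s+(\S+)\s+[0-9a-f]+\s*$")
# table row: mac ip lease type vlan interface
TABLE_ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+\S+\s+(\d+)\s+(\S+)\s*$")
Binding = namedtuple("Binding", "ip vlan mac interface expiry")  # mac: 12 hex digits; interface: short form

def normalize_mac(mac: str) -> str:
    """'6400.f182.44e2' and '64:00:F1:82:44:E2' both become '6400f18244e2'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def short_ifname(name: str) -> str:
    """'FastEthernet1/0/8' -> 'Fa1/0/8'; names that are already short pass through."""
    return re.sub(r"^[A-Za-z]+", lambda m: IF_ABBREV.get(m.group(0), m.group(0)), name)

def parse_snooping_db(text: str):
    """Parse the TYPE/VERSION/BEGIN..END file. Returns (header_timestamp, bindings).
    Assumption (inferred from the page's values): header and expiry column are
    timestamps in seconds on one scale, so expiry - header is the lease left at write."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    if len(lines) < 5 or lines[1] != "TYPE DHCP-SNOOPING" or lines[2] != "VERSION 1":
        raise ValueError("not a version-1 DHCP snooping database")
    begin, end = lines.index("BEGIN"), lines.index("END")
    bindings = []
    for line in lines[begin + 1:end]:
        m = DB_ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsable entry: {line!r}")
        ip, vlan, mac, expiry, ifname = m.groups()
        bindings.append(Binding(ip, int(vlan), normalize_mac(mac), short_ifname(ifname), int(expiry, 16)))
    return int(lines[0], 16), bindings

def parse_show_binding(text: str):
    """Parse 'show ip dhcp snooping binding' rows; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TABLE_ROW.match(line)
        if m:
            mac, ip, lease, vlan, ifname = m.groups()
            rows.append(Binding(ip, int(vlan), normalize_mac(mac), short_ifname(ifname), int(lease)))
    return rows

def compare(file_bindings, table_bindings):
    """Keyed by IP: in the table but not the file (normal for up to 'database write-delay'
    seconds), in the file but not the table, and entries whose MAC/VLAN/port differ."""
    in_file = {b.ip: b for b in file_bindings}
    in_table = {b.ip: b for b in table_bindings}
    report = {"missing_from_file": [], "missing_from_table": [], "mismatched": []}
    for ip, t in in_table.items():
        f = in_file.get(ip)
        if f is None:
            report["missing_from_file"].append(ip)
        elif (f.mac, f.vlan, f.interface) != (t.mac, t.vlan, t.interface):
            report["mismatched"].append(ip)
    report["missing_from_table"] = [ip for ip in in_file if ip not in in_table]
    return report

def lease_left_at_write(header_ts: int, b: Binding) -> int:
    """Under the timestamp assumption: 86369 s for .43, an 86400 s lease saved ~30 s later."""
    return b.expiry - header_ts
```

A stale or hand-edited file shows up as a mismatch; a binding still missing from the file long after the write delay means the database agent is not writing (the page's NTP and flash warnings are the usual reasons).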

Now it’s time to check what happens if we enable the rogue DHCP server, which is connected to an untrusted port (R2 – SW1 Fa1/0/11). I’m going to clear all bindings, reset all IPs on the ASAs and disable the switch port for R1 to be sure the DHCP clients will speak with R2.

SW1:

*Mar  1 01:32:06.213: %LINK-3-UPDOWN: Interface FastEthernet1/0/8, changed state to up
*Mar  1 01:32:07.220: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/8, changed state to up
*Mar  1 01:32:08.562: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 01:32:08.562: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Fa1/0/8
*Mar  1 01:32:08.562: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/8 for pak.  Was Vl1
*Mar  1 01:32:08.562: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/8)
*Mar  1 01:32:08.562: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/8, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44ec, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec
*Mar  1 01:32:08.562: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
*Mar  1 01:32:08.562: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.

On R2 I can’t see any DHCP packets, which means the switch discards all of them due to the untrusted state of the switch port. The rogue server is not able to send a DHCP offer.
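To make the checks concrete, here is an added Python model (not the switch's code) of the per-packet decisions DHCP snooping makes, run over DHCP_SNOOPING debug lines in the format shown above: forwarding on trusted ports, dropping server messages on untrusted ports, the hwaddr and giaddr verification listed by show ip dhcp snooping, and the 50 pps rate limit. The first two sample lines are copied from the page; the others are constructed, including the OFFER on Fa1/0/11 and the 51-packet burst.

```python
import re
from collections import Counter

TRUSTED = {"Fa1/0/9"}          # ip dhcp snooping trust, as configured on the page
RATE_LIMIT_PPS = 50            # ip dhcp snooping limit rate 50 on the client ports
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # only a server should send these

# One 'DHCP_SNOOPING: process new DHCP packet' debug line; the sub-second part of
# the timestamp is dropped so packets can be counted per interface per second.
PKT = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: DHCP_SNOOPING: process new DHCP packet, "
    r"message type: (?P<type>\w+), input interface: (?P<iface>[^,]+), MAC da: (?P<da>[^,]+), "
    r"MAC sa: (?P<sa>[^,]+), IP da: [^,]+, IP sa: [^,]+, DHCP ciaddr: [^,]+, DHCP yiaddr: [^,]+, "
    r"DHCP siaddr: [^,]+, DHCP giaddr: (?P<giaddr>[^,]+), DHCP chaddr: (?P<chaddr>\S+)\s*$")

# Two lines copied verbatim from the SW1 debug output on the page.
PAGE_DISCOVER = "*Mar  1 00:55:30.386: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/8, MAC da: ffff.ffff.ffff, MAC sa: 6400.f182.44ec, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec"
PAGE_OFFER = "*Mar  1 00:55:32.391: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa1/0/9, MAC da: 6400.f182.44ec, MAC sa: e8b7.4842.4c58, IP da: 192.168.1.42, IP sa: 192.168.1.10, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.42, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 6400.f182.44ec"

def debug_line(ts, mtype, iface, sa, chaddr, giaddr="0.0.0.0", da="ffff.ffff.ffff"):
    """Build a CONSTRUCTED line in the same format as the page's debug output."""
    return (f"*{ts}: DHCP_SNOOPING: process new DHCP packet, message type: {mtype}, "
            f"input interface: {iface}, MAC da: {da}, MAC sa: {sa}, IP da: 255.255.255.255, "
            f"IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, "
            f"DHCP giaddr: {giaddr}, DHCP chaddr: {chaddr}")

SAMPLE = [
    PAGE_DISCOVER,                                                   # client on untrusted Fa1/0/8
    PAGE_OFFER,                                                      # server reply on trusted Fa1/0/9
    debug_line("Mar  1 01:32:10.100", "DHCPOFFER", "Fa1/0/11",       # constructed: rogue R2 port
               "0200.0000.0b0b", "6400.f182.44ec", da="6400.f182.44ec"),
    debug_line("Mar  1 01:33:00.200", "DHCPDISCOVER", "Fa1/0/4",     # constructed: chaddr != source MAC
               "0200.0000.0a0a", "6400.f182.44e2"),
    debug_line("Mar  1 01:33:01.300", "DHCPDISCOVER", "Fa1/0/4",     # constructed: relay field set by a host
               "6400.f182.44e2", "6400.f182.44e2", giaddr="192.168.1.200"),
] + [debug_line(f"Mar  1 01:45:00.{i:03d}", "DHCPDISCOVER", "Fa1/0/8",  # constructed: 51 packets in 1 s
                "6400.f182.44ec", "6400.f182.44ec") for i in range(51)]

def classify(line):
    """Return the parsed fields of a 'process new DHCP packet' line, or None."""
    m = PKT.match(line)
    return m.groupdict() if m else None

def decide(pkt, seen):
    """Model the snooping verdict for one packet. 'seen' counts packets per (port, second)."""
    iface, mtype = pkt["iface"], pkt["type"]
    if iface in TRUSTED:
        return "forward", "trusted port"
    seen[(iface, pkt["ts"])] += 1
    if seen[(iface, pkt["ts"])] > RATE_LIMIT_PPS:
        return "errdisable", f"more than {RATE_LIMIT_PPS} DHCP packets in one second"
    if mtype in SERVER_MSGS:
        return "drop", "server message on untrusted port (rogue DHCP server)"
    if pkt["sa"].lower() != pkt["chaddr"].lower():
        return "drop", "chaddr does not match source MAC (hwaddr verification)"
    if pkt["giaddr"] != "0.0.0.0":
        return "drop", "non-zero giaddr from untrusted port (giaddr verification)"
    return "forward", "client message, checks passed"

def audit(lines):
    """Run every parsable line through decide(); returns (port, type, verdict, reason) tuples."""
    seen = Counter()
    results = []
    for line in lines:
        pkt = classify(line)
        if pkt:
            results.append((pkt["iface"], pkt["type"], *decide(pkt, seen)))
    return results
```

The real switch also drops option-82 packets on untrusted ports and only errdisables once its own rate counter trips, so treat the verdicts as the reasoning to look for in the debug output, not as a bit-exact replay.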
