Config Lab: DHCP Snooping 1
The Dynamic Host Configuration Protocol (DHCP) allows DHCP clients to lease an IP address from a DHCP server. Simple enough. However, the protocol itself is open to various cybersecurity attacks. The LAN switch DHCP Snooping feature monitors DHCP traffic to thwart several DHCP-based attacks. In this lab, you concentrate on one subnet with a local DHCP server and enable several DHCP Snooping features.
The Lab Exercise
Many cybersecurity attacks use established protocols, tools, and features in creative ways to achieve some goal. For instance, most end-user devices in an IP network use DHCP to lease an IP address and learn other information, like the mask, default router, and DNS server addresses. Some DHCP-based attacks send messages to mimic a DHCP server, assigning incorrect leases and giving incorrect information to legitimate DHCP clients. Sometimes the attacks act as Denial-of-Service (DoS) attacks. For instance, the attacker acts as many DHCP clients to consume all the leasable IP addresses in a subnet.
DHCP Snooping in a LAN switch monitors DHCP messages flowing in a VLAN. Depending on the configuration, the feature performs logic like this:
- Designate ports as either trusted or untrusted.
- Trusted ports connect to DHCP servers or to any other device that creates a path so that a DHCP server can send messages that arrive in that switch port.
- DHCP Snooping allows all DHCP messages to enter trusted ports.
- For untrusted ports – the default setting – DHCP Snooping allows messages usually sent by DHCP clients but discards messages normally sent by DHCP servers.
- Additionally, monitor the DHCP message rates to prevent DoS attacks of too many DHCP requests over some time.
This lab focuses on one VLAN (VLAN 10) and the associated subnet (172.16.10.0/24). The subnet contains two DHCP Clients, PC11 and PC12, with a local DHCP server that leases IP addresses for only subnet 172.16.10.0/24. That is, no remote subnets need to use the DHCP Server shown in the figure. The router, as commonly done, uses a static IP address.
Figure 1: Topology for this Lab
For this lab, configure DHCP Snooping on switch SW1 to protect against DHCP-based attacks. Specifically:
- Enable DHCP Snooping in VLAN 10.
- Switch SW1 operates as a layer 2 switch, not a layer 3 switch, so disable the insertion of DHCP Option 82 headers.
- Set DHCP Snooping trust settings based on the roles of the two DHCP client PCs, the router, and the DHCP server.
- Configure rate limits to protect against DHCP-based DoS attacks as follows:
- Ask DHCP Snooping to error disable ports when DHCP messages exceed a given number over some time.
- For the PC11 port, set the limit to 5 messages/second.
- For the PC12 port, set the limit to 2 messages/second.
- Configure DHCP Snooping to recover from the error-disabled state after 40 seconds automatically.
Initial Configurations
The initial configuration on switch SW1 places all four of its ports into the same VLAN (VLAN 10). In addition, the router has an IP address configured on its LAN interface (G0/0) so that it can ping the DHCP server’s address on the LAN. The router should also be able to ping the client PCs once they lease an IP address.
hostname SW1
!
vlan 10
!
interface range FastEthernet0/1-3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
Example 1: SW1 Config
hostname R1
!
interface GigabitEthernet0/0
ip address 172.16.10.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/2/0
ip address 172.16.12.1 255.255.255.0
no shutdown
!
router ospf 1
network 172.16.0.0 0.0.255.255 area 0
Example 2: R1 Config
The PCs function as DHCP clients, expecting to lease an IP address and learn their mask and default gateway settings from the DHCP server. You can assume the DHCP Server shown in the figure works. However, to be complete, Example 3 shows the IOS DHCP server configuration that you could use to support this lab. (The CPT and CML files supplied with this lab use this same configuration.)
hostname DHCP_Server
!
ip dhcp excluded-address 172.16.10.1 172.16.10.100
!
ip dhcp pool subnet1
network 172.16.10.0 255.255.255.0
dns-server 172.16.10.9
default-router 172.16.10.1
domain-name example.com
!
interface GigabitEthernet0/0
ip address 172.16.10.9 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 3: DHCP Server (IOS Router)
Answer Options
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table maps the interfaces named in the lab exercise to those used in the sample CML file.
Device | Lab Port | CML Port |
SW1 | G0/1 | G0/0 |
SW1 | F0/1 | G0/1 |
SW1 | F0/2 | G0/2 |
SW1 | F0/3 | G0/3 |
R1 | G0/2/0 | G0/2 |
R2 | G0/2/0 | G0/2 |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
interface fastethernet0/1
ip dhcp snooping trust
!
interface GigabitEthernet0/1
! You do NOT need to trust here
Example 1: SW1 Config (First Three Requirements)
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 40
!
interface fastethernet0/2
ip dhcp snooping limit rate 5
!
interface fastethernet0/3
ip dhcp snooping limit rate 2
Example 2: SW1 Config (Final Requirement)
Commentary, Issues, and Verification Tips
Answer Example 1 shows the configuration to meet the first three requirements. First, to enable DHCP Snooping in VLAN 10, the switch needs two global commands: ip dhcp snooping and ip dhcp snooping vlan 10. The first command enables DHCP Snooping functions, but the switch would not use DHCP Snooping in any VLANs with that command alone. The second command applies DHCP Snooping to VLAN 10.
The switch also needs a command that surprises many when first learning about DHCP Snooping: the no ip dhcp snooping information option global command. This command reverses the switch default setting of ip dhcp snooping information option. The logic works like this:
- LAN switches may be configured as layer 3 switches.
- When acting as a layer 3 switch, the switch may also act as a DHCP Relay Agent.
- DHCP Relay Agents make use of the DHCP Information option in DHCP messages, that is, DHCP option 82.
- The default setting of ip dhcp snooping information option tells the switch, once DHCP Snooping is enabled, to modify DHCP messages as if it were a DHCP Relay Agent, inserting option 82.
- In this lab, the switch is neither a layer 3 switch nor a DHCP Relay Agent, so you should disable the information option feature using the no ip dhcp snooping information option global command.
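To make the option 82 point concrete, here is an added Python example (not part of the lab's own files and not Cisco code) that builds a constructed DHCPDISCOVER, parses its option TLVs, and shows the difference between the message a layer 2 switch forwards unchanged and the same message after a relay agent, or a switch with the information option left enabled, appends option 82. The circuit-id and remote-id values, the client MAC and the transaction ID are made-up samples, and add_relay_agent_info is a hypothetical helper that models only the insertion, not any vendor's exact sub-option format.

```python
"""Minimal DHCP message builder/parser showing what DHCP option 82 (Relay
Agent Information, RFC 3046) looks like on the wire, i.e. what the lab's
'no ip dhcp snooping information option' command stops the switch adding.
Added illustration, not Cisco IOS code; all packet contents are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options (RFC 2131)
FIXED_HEADER_LEN = 236                   # BOOTP fixed fields before the cookie
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-options


def build_dhcp_packet(op, chaddr, options):
    """Build a BOOTP/DHCP message: 236-byte fixed header, cookie, option TLVs, END.
    op=1 is BOOTREQUEST (client to server), op=2 is BOOTREPLY (server to client)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0,              # htype=Ethernet, hlen=6, hops=0
                         0x3903F326, 0, 0x8000,    # constructed xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                         chaddr, b"\0" * 64, b"\0" * 128)              # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(packet):
    """Walk the option TLVs after the cookie and return {code: value}."""
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                    # PAD option carries no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def parse_relay_agent_info(value):
    """Decode option 82's sub-option TLVs (circuit-id, remote-id)."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[SUBOPTION_NAMES.get(code, code)] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def classify(packet):
    """Summarise the fields DHCP Snooping cares about: direction, type, option 82."""
    options = parse_options(packet)
    mtype = options.get(OPT_MESSAGE_TYPE)
    rai = options.get(OPT_RELAY_AGENT_INFO)
    return {
        "op": "BOOTREQUEST" if packet[0] == 1 else "BOOTREPLY",
        "message_type": MESSAGE_TYPES.get(mtype[0]) if mtype else None,
        "relay_agent_info": parse_relay_agent_info(rai) if rai is not None else None,
    }


def add_relay_agent_info(packet, circuit_id, remote_id):
    """Hypothetical helper: what a relay agent (or a switch with the information
    option enabled) does to a client message, appending option 82 before END."""
    if OPT_RELAY_AGENT_INFO in parse_options(packet):
        raise ValueError("option 82 already present")
    if packet[-1] != OPT_END:
        raise ValueError("expected END option last")
    value = (bytes([1, len(circuit_id)]) + circuit_id +
             bytes([2, len(remote_id)]) + remote_id)
    return packet[:-1] + bytes([OPT_RELAY_AGENT_INFO, len(value)]) + value + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed DISCOVER from "PC11" with a made-up MAC address.
    discover = build_dhcp_packet(1, b"\x00\x11\x22\x33\x44\x55",
                                 [(OPT_MESSAGE_TYPE, b"\x01"), (12, b"PC11")])
    print("as sent by PC11:      ", classify(discover))
    relayed = add_relay_agent_info(discover, b"Fa0/2", b"\xaa\xbb\xcc\xdd\xee\xff")
    print("after option 82 added:", classify(relayed))
```

Running the script prints the parsed summary before and after the insertion. The same parser is handy on a capture taken from a client port to confirm that a layer 2 switch is leaving client messages unmodified.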
As for the DHCP trust settings, the two switch ports connected to the DHCP clients can use the default setting of untrusted. However, the switch port connected to the DHCP server must be trusted (ip dhcp snooping trust) because SW1 will receive messages normally sent by DHCP servers on that port. Also, note that the switch need not trust its port G0/1 (connected to router R1) because the only DHCP server is on the same subnet. Therefore, no legitimate DHCP server messages should arrive at the switch from the router.
Moving on to the remaining requirements, Answer Example 2 shows the configuration to error disable the ports connected to the two PCs. The first line enables automatic recovery for ports disabled by the DHCP rate limit, while the second sets the time to wait before automatically recovering the ports (40 seconds). Then, the two interface subcommands define the message rate threshold for incoming DHCP messages – 5/second on one port and 2/second on the other.
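The following added Python model (an illustration only, not IOS code and not part of the lab's files) puts the trust, filtering, rate-limit and recovery behaviour described in the logic list near the top of the lab and in this commentary into one runnable simulation, using the lab's port roles and the limits of 5 and 2 messages per second with 40 second recovery. The one-second sliding window and the constructed sequence of messages are assumptions of the model, not a description of how IOS measures the rate.

```python
"""Toy model of the DHCP Snooping decisions: trusted vs untrusted ports,
server-message filtering, per-port rate limiting with err-disable and
automatic recovery. Added illustration, not Cisco IOS code; port names,
limits and the 40 s recovery interval follow the lab's requirements."""
from collections import deque

# RFC 2131 message types, split by which side normally sends them.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPDECLINE",
                   "DHCPRELEASE", "DHCPINFORM"}


class SnoopingPort:
    def __init__(self, name, trusted=False, rate_limit=None):
        self.name = name
        self.trusted = trusted           # 'ip dhcp snooping trust'
        self.rate_limit = rate_limit     # 'ip dhcp snooping limit rate N'; None = no limit
        self.errdisabled_until = None    # time at which auto-recovery re-enables the port
        self.recent = deque()            # arrival times of DHCP messages in the last second


class SnoopingSwitch:
    def __init__(self, recovery_interval=40):
        self.recovery_interval = recovery_interval   # 'errdisable recovery interval 40'
        self.ports = {}
        self.log = []

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, msg_type, now):
        """Return 'forward' or 'drop' for one DHCP message arriving at time `now` (seconds)."""
        port = self.ports[port_name]
        # An err-disabled port passes nothing until the recovery timer expires.
        if port.errdisabled_until is not None:
            if now < port.errdisabled_until:
                return "drop"
            port.errdisabled_until = None
            port.recent.clear()
            self.log.append(f"{now}: {port.name} recovered from err-disable")
        # Rate limit (model assumption: messages counted in a sliding one-second window).
        if port.rate_limit is not None:
            while port.recent and now - port.recent[0] >= 1.0:
                port.recent.popleft()
            port.recent.append(now)
            if len(port.recent) > port.rate_limit:
                port.errdisabled_until = now + self.recovery_interval
                self.log.append(f"{now}: {port.name} err-disabled (dhcp-rate-limit)")
                return "drop"
        # Trust decision: untrusted ports may carry client messages only.
        if not port.trusted and msg_type not in CLIENT_MESSAGES:
            self.log.append(f"{now}: {port.name} dropped {msg_type} (untrusted port)")
            return "drop"
        return "forward"


def run_lab_scenario():
    """Constructed message sequence against the lab's SW1 port roles."""
    sw = SnoopingSwitch(recovery_interval=40)
    sw.add_port(SnoopingPort("Fa0/1", trusted=True))       # DHCP server
    sw.add_port(SnoopingPort("Fa0/2", rate_limit=5))       # PC11
    sw.add_port(SnoopingPort("Fa0/3", rate_limit=2))       # PC12
    sw.add_port(SnoopingPort("Gi0/1"))                     # R1, untrusted by default
    results = {}
    # Normal lease: PC11 discovers, the server answers on the trusted port.
    results["pc11_discover"] = sw.receive("Fa0/2", "DHCPDISCOVER", 0.0)
    results["server_offer"] = sw.receive("Fa0/1", "DHCPOFFER", 0.1)
    # An OFFER arriving from the PC12 port or the router port is discarded.
    results["rogue_offer_pc12"] = sw.receive("Fa0/3", "DHCPOFFER", 0.2)
    results["rogue_offer_router"] = sw.receive("Gi0/1", "DHCPOFFER", 0.3)
    # PC12: the third DISCOVER within one second exceeds the limit of 2.
    results["pc12_flood"] = [sw.receive("Fa0/3", "DHCPDISCOVER", 2.0 + i * 0.1)
                             for i in range(3)]
    # PC11: the sixth REQUEST within one second exceeds the limit of 5.
    results["pc11_flood"] = [sw.receive("Fa0/2", "DHCPREQUEST", 10.0 + i * 0.1)
                             for i in range(6)]
    # PC12 is still err-disabled at 31 s and recovers once 40 s have passed.
    results["pc12_at_31s"] = sw.receive("Fa0/3", "DHCPDISCOVER", 31.0)
    results["pc12_at_45s"] = sw.receive("Fa0/3", "DHCPDISCOVER", 45.0)
    return results, sw.log


if __name__ == "__main__":
    results, log = run_lab_scenario()
    for name, outcome in results.items():
        print(f"{name:20s} {outcome}")
    print("\n".join(log))
```

Run it to see the log of drops, err-disable events and the recovery. The two rogue OFFER cases show why only Fa0/1 is trusted: an OFFER arriving from the PC12 port or from the router port is discarded without any rate limit being involved.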
Known Issues in this Lab
This section of each Config Lab Answers post lists any known issues with Packet Tracer related to the lab. In this case, the issues are:
Number | Summary | Detail |
1 | Core feature config only | CPT supports the configuration of core DHCP Snooping features, but not all features. For example, CPT does not support the errdisable and ip dhcp snooping limit commands. |
2 | Incorrect show ip dhcp snooping binding output | On real gear, this command lists only non-default settings. In CPT, the output varies and often includes default settings. |
3 | Sparse show ip dhcp snooping output | Real gear displays more detailed output as compared to CPT. |
4 | CPT feature platform differences | In CPT, the 2960 and 3650 switch models provide some DHCP Snooping support. However, the support levels differ, with some differences in show commands. In our testing, the feature could be configured on both models but only worked when using 2960s. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. Note that CPT supports IP DHCP Snooping configuration better than it supports the show commands, at least at CPT Version 8.0 used when developing this lab. To that end, if testing with CPT, you can focus your testing on whether the function works. With real gear and CML, you can focus more on show commands.
- First, before enabling DHCP Snooping, confirm DHCP works.
- After opening the .pkt file, the PCs should lease an IP address. Confirm that works first.
- From the PCs, use ipconfig /all, ipconfig /release, and ipconfig /renew to confirm the PCs leased an IP address, released it back to the server, and then renewed the lease.
- Enable DHCP Snooping as planned and confirm DHCP still works.
- Configure the lab as per your plan.
- Repeat the ipconfig /release and ipconfig /renew commands to force DHCP to lease the address again. If you configured DHCP Snooping correctly, DHCP should still work.
- Attempt the following show commands. Compare the output to the CCNA 200-301 Cert Guide Chapter 8 examples (or the equivalent chapter in a later edition).
- show ip dhcp snooping to display interface DHCP Snooping settings.
- show ip dhcp snooping binding to display the DHCP Snooping Binding table.
in SW1 config you write:
interface GigabitEthernet0/1
! You do NOT need to trust here
Why don’t we need to trust this interface?
I guess it is because the DHCP server is in the same subnet as the clients. Therefore, there is no reason to allow DHCP server traffic coming from the router interface.
Exactly! 🙂
Hi,
In the lab configuration answer, under the Example 1: SW1 Config (First Three Requirements) section, I think the global command to disable DHCP Option 82 is misconfigured. I think the correct command should be:
no ip dhcp snooping information option
Regards,
Mauricio.
Mauricio,
Yep, I agree. The commands were missing a word. I think I caught them all – should be fixed now. Thanks much.
Wendell
When I try to enter the errdisable commands, the CLI says Unrecognized command. I am entering it from (config) mode and it is not there; it does not show up with the ? mark either. I tried entering it in int g0/1 (config-if) mode and it is not there either.
Hi Taylor,
Yep, PT doesn’t support them. Please refer to the “Known Packet Tracer Issues” tab whenever you try a command you think should work but doesn’t – we’ve tried to collect known issues there. FYI.
Wendell
The latest version of Packet Tracer seems to require a slightly different command to disable the insertion of DHCP Option 82 headers. (no ip dhcp snooping information option) Either that, or there’s a typo.
Hi Emma,
Packet Tracer is good, lab text was bad. It was missing “snooping” in the middle of the command. I seem to have a mental block with that command in particular. Anyway… fixed now. Thanks again.