DHCP Snooping and DAI
DHCP Snooping
DHCP snooping prevents unauthorized DHCP servers from replying to DHCP requests. The switch treats each interface as either trusted or untrusted. A trusted interface is one that leads to a legitimate DHCP server (or to the relay in front of it); DHCP server messages (OFFER, ACK, NAK) are accepted on such interfaces. On all other, untrusted ports, DHCP server messages are dropped. While the feature runs, the switch also builds a DHCP snooping binding database that records, for each client on an untrusted port, its MAC address, the IP address it was leased, the lease time, the VLAN and the interface. DHCP snooping is enabled globally and then per VLAN; to enable it, use:
Option 82
DHCP Option 82 (the relay agent information option) lets a DHCP server identify a host by the switch and the port it connects to, in addition to the host's MAC address. To have the switch add Option 82 to the DHCP requests it forwards, use:
You can also rate-limit the DHCP packets received on an interface (in packets per second); a port that exceeds its limit is err-disabled. To set the limit, use:
To change the default information that is inserted (the remote-id and circuit-id sub-options), use:
By default, when DHCP snooping is on, a switch drops DHCP requests that arrive on an untrusted port already carrying Option 82: it assumes only it may add that information and treats such requests as illegitimate. This is a good idea on access switches, but on an aggregation switch it can drop DHCP requests whose Option 82 was inserted by legitimate access switches downstream. To permit such requests on untrusted ports, use:
DHCP snooping inserts Option 82 but leaves the giaddr field at 0.0.0.0, since the switch is not a relay agent. Many DHCP servers, including the Cisco IOS DHCP server, discard packets that carry Option 82 with an empty giaddr. There are two solutions:
1. make the server trust DHCP messages with an empty giaddr field
2. disable Option 82 insertion on the switches
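The whole procedure above, as an added example that is not part of the original page: DHCP snooping with Option 82 on a Cisco IOS access switch, the matching allow-untrusted setting on the aggregation switch, and the giaddr fix on a Cisco IOS DHCP server. VLAN numbers, interface names and the choice of remote-id format are assumptions for illustration.

```cisco
! Added example (not from the original page). VLANs, ports and names are assumed.
!
! --- Access switch ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Insert Option 82 (on by default once snooping is enabled; shown explicitly).
ip dhcp snooping information option
! Use the hostname instead of the switch MAC as the remote-id sub-option.
ip dhcp snooping information option format remote-id hostname
!
! Uplink towards the DHCP server: trusted, so OFFER/ACK/NAK are accepted here.
interface GigabitEthernet1/0/48
 description UPLINK to aggregation
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default); cap them at 10 DHCP packets/s.
! Exceeding the limit err-disables the port.
interface range GigabitEthernet1/0/1 - 47
 ip dhcp snooping limit rate 10
!
! --- Aggregation switch ---
! Access switches below insert Option 82 themselves, so requests arriving on
! the (untrusted) downlinks already carry it. Without this line they are dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping information option allow-untrusted
!
! --- Cisco IOS DHCP server (only if the DHCP server itself runs on IOS) ---
! Snooping leaves giaddr as 0.0.0.0; accept Option 82 packets with an empty
! giaddr on all interfaces instead of discarding them.
ip dhcp relay information trust-all
!
! --- Verify on each switch ---
show ip dhcp snooping
```

Keep the number of trusted ports to the minimum (uplinks and ports facing the real server): every trusted port is a place where a rogue DHCP server would be accepted.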
DHCP Snooping Binding Database
Information about the legitimate hosts on the network is stored in the DHCP snooping binding database. Each entry holds the MAC address and the IP address offered during the DHCP exchange, together with the lease time, VLAN and interface. The database is lost on reload. To prevent this, configure the DHCP snooping binding database agent with a URL (local flash or a remote TFTP, FTP, SCP, RCP or HTTP location) where the switch saves the database:
You can also add static information to the database, using:
To verify, use:
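Persisting the database, adding a static entry and verifying, as an added example that is not part of the original page. The TFTP server address, file name, MAC, IP, VLAN and port are assumptions.

```cisco
! Added example (not from the original page). Server, file, MAC/IP/VLAN/port are assumed.
!
! Global configuration: write the database to a TFTP server (flash:/file also works).
ip dhcp snooping database tftp://192.0.2.10/sw1-dhcp-snoop.db
! Wait 30 s after a binding change before writing (default 300), and allow
! 60 s for the transfer to finish (default 300).
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 60
!
! Privileged EXEC (not config mode): static entry for a host that never uses DHCP.
! MAC, VLAN, IP, port and lease time in seconds.
ip dhcp snooping binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5 expiry 86400
!
! Verify: bindings currently in the table, and agent status/last write.
show ip dhcp snooping binding
show ip dhcp snooping database
```

A short write-delay means fewer bindings are lost on an unexpected reload; the cost is more frequent transfers to the server.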
IP Source Guard
IP Source Guard limits traffic on an untrusted port to the source IP address (or source IP and MAC address pair) found in the DHCP snooping binding database for that port. A port ACL is applied to the interface to block all other IP traffic; this ACL takes precedence over any router ACL or VLAN map that might also affect the port. Until a binding exists for the port, all IP traffic except DHCP is denied. To enable IP Source Guard, use one of the following:
If using the port-security option, port security must also be enabled on the interface, and the MAC address in the DHCP packet is not learned as a secure address; it is learned only once the host has obtained its address and starts sending non-DHCP traffic. To verify, use:
If DHCP is not an option, or there are static hosts, you can enable IP Source Guard for them too, using:
The switch then tracks the first non-DHCP MAC address it sees on the port and lets only that host's traffic through.
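IP Source Guard in both filtering modes plus a static binding, as an added example that is not part of the original page. It assumes DHCP snooping is already enabled on VLAN 10; interface numbers, MAC and IP addresses are assumptions.

```cisco
! Added example (not from the original page). Ports, VLAN, MAC and IP are assumed.
! DHCP snooping must already be enabled on the VLAN these ports belong to.
!
! Port 1: filter on source IP only, from the snooping binding for this port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Port 2: filter on source IP and MAC. Port security is required; the secure
! MAC is learned from the host's first non-DHCP frame, not from the DHCP exchange.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
!
! Port 3: static host with no DHCP. Add a source binding so IPSG permits it;
! without one the port stays in deny-all for IP traffic.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verify: filter type, permitted IP (and MAC) per port, "deny-all" where no binding exists.
show ip verify source
show ip source binding
```

A port that shows deny-all after the host has already obtained an address usually means its binding was learned before IPSG was enabled or was lost on reload; fixing the database agent (previous section) avoids that after the next reboot.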
Dynamic ARP Inspection (DAI)
DAI intercepts ARP packets (requests and replies) on untrusted ports and drops those whose sender IP-to-MAC binding is not found in the DHCP snooping binding database. This means that DHCP snooping must be enabled in order to run Dynamic ARP Inspection, unless you supply the bindings with ARP ACLs (see below). DAI is enabled per VLAN; to enable it, use:
DAI inspects ARP packets only on untrusted interfaces; ARP on trusted interfaces is forwarded without checks, so trust only uplinks and ports towards other DAI-enabled switches. To set an interface as trusted, use:
To verify, use:
You can set a limit on the number of incoming ARP packets per second on an untrusted port (the default is 15 pps; trusted ports are unlimited by default):
If the rate goes over the limit, the port is err-disabled. To have it recover automatically, use:
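The DAI configuration described above, as an added example that is not part of the original page. It assumes DHCP snooping is already running for VLAN 10; the VLAN, interface numbers and the recovery interval are assumptions.

```cisco
! Added example (not from the original page). VLAN, ports and interval are assumed.
! DHCP snooping must already be enabled for VLAN 10 so bindings exist.
!
ip arp inspection vlan 10
!
! Uplink: trusted, so ARP coming from the rest of the network is not inspected.
interface GigabitEthernet1/0/48
 ip arp inspection trust
!
! Client ports: untrusted (default). Limit to 15 ARP packets/s (the default,
! shown explicitly); a burst above this err-disables the port.
interface range GigabitEthernet1/0/1 - 47
 ip arp inspection limit rate 15
!
! Bring ports err-disabled by DAI back automatically after 300 s.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify: per-VLAN state and options, per-port trust/rate, and drop counters.
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
```

Before enabling DAI on a VLAN, check that the hosts' current leases are already in the binding database; otherwise their ARP traffic is dropped until they renew.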
ARP ACLs
When DHCP is not available, you can still run ARP inspection using ARP ACLs, which list the permitted IP-to-MAC pairs explicitly. ARP ACLs are checked before the DHCP snooping binding database. To set up an ARP ACL, first define it:
Then apply the ACL to a VLAN:
Extra Validations
Apart from discarding ARP packets with invalid IP-to-MAC bindings, DAI can perform additional validation checks on ARP packets:
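An ARP ACL for statically addressed hosts together with the extra validation checks, covering both the ARP ACLs section and this one, as an added example that is not part of the original page. The IP and MAC addresses, VLAN and ACL name are assumptions.

```cisco
! Added example (not from the original page). Addresses, MACs, VLAN and name are assumed.
!
! Permit only these IP/MAC pairs for hosts that never use DHCP.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
 permit ip host 192.0.2.51 mac host 0011.2233.4456
!
! Apply to the VLAN. Without "static", a packet matching no ACL entry is still
! checked against the DHCP snooping binding database; with "static", a
! non-match is dropped, so the ACL is the only source of truth for this VLAN.
ip arp inspection filter STATIC-HOSTS vlan 10 static
!
! Extra validations on top of the IP-to-MAC binding check (one command sets
! the whole set; re-entering it replaces the previous choice):
!   src-mac  Ethernet source MAC must equal the ARP sender hardware address
!   dst-mac  Ethernet destination MAC must equal the ARP target hardware
!            address (checked on replies)
!   ip       drop ARP with invalid sender/target IPs such as 0.0.0.0,
!            255.255.255.255 and multicast addresses
ip arp inspection validate src-mac dst-mac ip
!
! Verify the ACL and the per-VLAN settings.
show arp access-list STATIC-HOSTS
show ip arp inspection vlan 10
```

Use the static keyword only when every host in the VLAN is listed in the ACL; otherwise DHCP clients on that VLAN lose ARP as soon as the filter is applied.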