ccie.nyquist.eu
Search…
Table of Contents
Layer 2 Technologies
Ethernet Switching
Layer 2 WAN Protocols
IPv4
IPv4 Addressing
IPv4 Routing
IPv6
IPv6-101
IPv6 Routing
Interconnecting IPv6 and IPv4
MPLS
MPLS 101
MPLS L3 VPN
Multicast
Multicast 101
PIM 101
IGMP 101
Inter Domain Multicast
IPv6 Multicast
Multicast features on switches
Security
NAT 101
NAT for Overlapping Networks
ACLs 101
ACLs 102
Cisco IOS Firewall
Zone Based Firewall
AAA 101
Controlling CLI Access
Control Plane
Switch Security
Switchport Traffic Control
Switchport Port Security
DHCP Snooping and DAI
802.1x
Switch ACLs
IPSec VPN 101
DMVPN 101
Network Services
NTP 101
HTTP 101
File Transfer 101 – TFTP & FTP
WCCP 101
QoS
QoS 101
Classification and Marking
Congestion Management
Congestion Avoidance – WRED
Policing and Shaping
Compression and LFI
Frame Relay QoS
RSVP 101
Switching QoS
Network Optimization
NetFlow 101 – TNF – Traditional NetFlow
NetFlow 102 – FNF – Flexible NetFlow
IP SLA 101
IP Accounting 101
Logging 101
SNMP and RMON 101
Cisco CLI Tips and Tricks
AutoInstall
Enhanced Object Tracking
Powered By GitBook
DHCP Snooping and DAI

DHCP Snooping

DHCP snooping can prevent unauthorized DHCP servers to reply to DHCP requests. A switch can define interfaces as trusted or untrusted. A trusted interface is where a DHCP server should be connected. On such interfaces, DHCP server messages are allowed. On all other untrusted ports, DHCP server messages are droped. Also, while this feature runs, the switch builds a DHCP binding database, where it maps all MAC addresses to the IP addresses they received via DHCP. To enable DHCP snooping, use:
1
! 1. Enable DHCP Snooping globally
2
Sw(config)# ip dhcp snooping
3
! 2. Then enable DHCP snooping on the VLAN
4
Sw(config)# ip dhcp snooping vlan VLAN-RANGE
5
! 3. Set up the interfaces as trusted. By default they are untrusted
6
Sw(config)# interface INTERFACE
7
Sw(config-if)# ip dhcp snooping trust
Copied!

Option 82

DHCP Option 82 allows a DHCP server to identify a host by the port on the switch it connects to, in addition to the host MAC Address. To enable the switch to add the Option 82 field to the DHCP request message, use:
1
Sw(config)# ip dhcp snooping information option
Copied!
You can also limit the number of DHCP packets that are received on an interface, using:
1
Sw(config)# ip dhcp snooping limit raate PPS
Copied!
To modify the default information that is added, use:
1
Sw(config)# ip dhcp snooping information option format remote-id [string STR|HOSTNAME]
Copied!
By default, when DHCP snooping is on, a switch will drop DHCP requests with Option 82. The switch considers that only it can add this information and it considers those requests as illegitimate. This is a good idea on access switches, but on an aggregation switch, it might end up in dropping DHCP requests that had their option 82 inserted by legitimate access switches. To permit such requests, use:
1
Sw(config)# ip dhcp snooping information option allow-untrusted
Copied!
DHCP Snooping is known to add empty giaddr field in the DHCP messages, which will make most DHCP servers ignore them. There are 2 solutions: 1. make the server trust DHCP messages with empty giaddr field
1
R(config)# ip dhcp relay information trust-all
Copied!
2. disable option 82 insertion on the switches
1
Sw(config)# no ip dhcp snooping information option
Copied!

DHCP Snooping Binding Database

Information regarding the legitimate hosts on the network are stored in the DHCP Snooping Biding Database. This database contains the MAC address and the IP address that was offered in the DHCP process. This database is lost upon restart. To prevent this, you can specify a DHCP Snooping Binding Database Agent, after which you can set a location where to save this database:
1
Sw(config)# ip dhcp snooping database PROTOCOL://FISER
Copied!
You can also add static information to the database, using:
1
Sw(config)# ip dhcp snooping binding MAC vlan VLAN-ID inteface INTERFACE expiry SEC
Copied!
To verify, use:
1
Sw# show ip dhcp snooping database [detail]
Copied!

IP Source Guard

You can limit traffic on an untrusted port to a single source IP or MAC address, the ones that are found in the Snooping Binding Database for the specified port. A port ACL is applied to the interface in order to block all other traffic. This ACL will take precedence over any other router ACL or VLAN map that might affect the port. To enable IP Source Guard, use one of the following:
1
Sw(config-if)# ip verify source
2
!Enables IP address filtering
3
Sw(config-if)# ip verify source port-security
4
!Enables both IP and MAC address filtering
Copied!
If using the port-security option, the MAC address in the DHCP packet is not learned as a secure address. It will be learned only when it starts to send non-DHCP traffic. To verify, use:
1
Sw# show ip source binding [IP-ADDR] [MAC] [dhcp-snooping|static] [interface] INTERFACE [vlan VLAN-ID]
Copied!
If DHCP is not an option, or there are static hosts, you can enable IP Source Guard even for them, using:
1
Sw(config-if)# ip verify source tracking port-security
Copied!
This will track the first non-DHCP MAC it receives and will only let it send and receive packets.

Dynamic ARP Inspection (DAI)

DAI intercept ARP Replies and will drop those for which the MAC-IP binding is not found in the DHCP Snooping Binding Database. This means that you need to enable DHCP Snooping in order to run Dynamic ARP Inspection. To enable DAI, use:
1
Sw(config)# ip arp inspection vlan VLAN-RANGE
Copied!
DAI intercepects ARP replies only on untrusted interfaces. To set an interfaces as trusted, use:
1
Sw(config-if)# ip arp inspection trust
2
! Usually only host interfaces are set as trusted
Copied!
To verify, use:
1
Sw# show ip arp inspection {interfaces | [statistics] vlan VLAN-RANGE}
Copied!
You can set a limit for the number of ARP requests that you receive on a port:
1
Sw(config)# ip arp inspection limit {rate PPS [burst interval SEC]|none}
2
!Default: 15 PPS for untrusted interfaces
Copied!
If the rate goes over the limit, the port is errdisabled. To auto enable it, use:
1
Sw(config)# errdisable recovery cause arp-inspection interval INTERVAL
Copied!

ARP ACLs

When DHCP is not available, you can still enable ARP inspection using ARP ACLs. To set up an ARP ACL, first define it:
1
Sw(config)#arp access-lists ACL-NAME
2
Sw(config-arpacl)# permit ip host SRC-IP mac host SRC-MAC [log]
Copied!
Then apply the ACL on a VLAN:
1
Sw(config)# ip arp inspection filter ACL-NAME vlan VLAN-RANGE[static]
2
! static - adds an explicit deny to the end of the ARP ACL-NAME
Copied!

Extra Validations

Apart from discarding ARP packets with invalid IP-to-MAC bindings, DAI can perform additional validation checks on ARP packets:
1
Sw(config)# ip arp inspection validate {[src-mac]|[dst-mac][ip]}
2
! src-mac: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body
3
! dst-mac: check the destination MAC address in the Ethernet header against the target MAC address in ARP body
4
! ip: checks the ARP body for invalid IP addresses, like 0.0.0.0 or 255.255.255.255
Copied!
Previous
Switchport Port Security
Next
802.1x
Last modified 6mo ago
Copy link
Contents
DHCP Snooping
Option 82
DHCP Snooping Binding Database
IP Source Guard
Dynamic ARP Inspection (DAI)
ARP ACLs
Extra Validations