DHCP Snooping

From cwhite's wiki

DHCP Snooping Security

Rate limit

ip dhcp snooping limit rate <PPS>

Below is an example of what you will see in the logs when the switch receives more than 8 DHCP packets per second (PPS) on the port. The interface is put into an err-disabled state.

*Mar  7 07:08:06.332: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 8 DHCP packets on interface Fa0/1
*Mar  7 07:08:06.332: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  7 07:08:06.341: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Fa0/1 is receiving more than the threshold set
fl-sw2#
*Mar  7 07:08:07.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
fl-sw2#
*Mar  7 07:08:08.345: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Troubleshooting

Below are a few issues I have run into while working with DHCP Snooping, IPSG and DAI.

Case 1

While doing some testing, I switched a host from obtaining its IP address via DHCP to a static binding and then back to DHCP (only on the switch side). I did not touch any settings on the host, so the whole time it was using DHCP.

When switching the host back to DHCP, I had an issue where the host was not able to ping out. This is because when you set up a static binding, the switch removes the entry from the DHCP snooping database. When I then removed the static source binding on the switch, the host was not able to ping out: its entry had been removed from the DHCP snooping DB, and the host did not request a new IP address because its lease time is 86400 seconds (1 day) and had not expired. To fix this issue, on the host, you just need to release and renew the IP address so that DHCP snooping can add the entry to the DB again.

1. The switch port is configured for DHCP snooping and has no static bindings. The host requests an IP address and the entry is added to the DB.

fl-sw2#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:53:49:2D   172.16.30.12     86384       dhcp-snooping   9     FastEthernet0/1

2. The host and switchport are set up with a static binding. This causes the entry in the DHCP snooping DB to be removed. At this point, the host is still able to ping out since its lease has not expired and there is a static entry configured on the switch.

fl-sw2(config)#ip source binding 5254.0053.492D vlan 9 172.16.30.12 interface Fa0/1

fl-sw2#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

fl-sw2#show ip source binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:53:49:2D   172.16.30.12     infinite    static          9     FastEthernet0/1
Total number of bindings: 1

3. As soon as I remove the static binding, the host is unable to ping anything.

fl-sw2(config)#no ip source binding 5254.0053.492D vlan 9 172.16.30.12 interface Fa0/1 

fl-sw2(config)#do show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name


*Mar  2 04:08:05.174: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 9.([5254.0053.492d/172.16.30.12/0000.0000.0000/172.16.30.1/04:08:05 UTC Tue Mar 2 1993])
*Mar  2 04:08:06.180: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 9.([5254.0053.492d/172.16.30.12/0000.0000.0000/172.16.30.1/04:08:06 UTC Tue Mar 2 1993])
*Mar  2 04:08:07.187: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 9.([5254.0053.492d/172.16.30.12/0000.0000.0000/172.16.30.1/04:08:07 UTC Tue Mar 2 1993])

4. To fix this issue, release and renew the DHCP lease on the host; the entry will then be added to the DHCP snooping DB again.

fl-sw2#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:53:49:2D   172.16.30.12     86374       dhcp-snooping   9     FastEthernet0/1
Total number of bindings: 1
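The two log patterns on this page (the dhcp-rate-limit err-disable in the Rate limit section and the %SW_DAI-4-DHCP_SNOOPING_DENY messages in Case 1) are easy to correlate with the snooping binding table automatically. The Python below is an added example and not part of the original wiki page: it parses IOS syslog lines and the output of show ip dhcp snooping binding, reports ports err-disabled by the rate limit, and separates DAI-denied hosts that have no binding at all (the Case 1 situation, where a release/renew on the host restores the entry) from hosts that are denied even though a binding exists (where the binding's VLAN and interface are the things to check). The sample syslog and tables are constructed from the switch output shown above; the regexes and function names are this example's own.

```python
# Added example, not from the original wiki page. Parses IOS syslog lines and
# "show ip dhcp snooping binding" output and reports (1) ports err-disabled by
# the DHCP snooping rate limit and (2) hosts whose ARPs DAI denied while they
# have no snooping binding (the Case 1 condition). Sample input is constructed
# from the output shown on this page.
import re

# "*Mar  7 07:08:06.332: %FACILITY-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$"
)
# %PM-4-ERR_DISABLE text: "dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state"
ERRDISABLE_RE = re.compile(r"(?P<cause>[\w-]+) error detected on (?P<intf>\S+), putting")
# %SW_DAI-4-DHCP_SNOOPING_DENY text: "N Invalid ARPs (Req) on Fa0/1, vlan 9.([sender-mac/sender-ip/target-mac/target-ip/time])"
DAI_DENY_RE = re.compile(
    r"(?P<n>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on (?P<intf>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
)
# One data row of "show ip dhcp snooping binding" / "show ip source binding"
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>[\d.]+)\s+(?P<lease>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)"
)


def norm_mac(mac):
    """'52:54:00:53:49:2D' and '5254.0053.492d' both become '52540053492d'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_bindings(output):
    """Map (mac, ip) -> row details for every binding row in the show output."""
    rows = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            rows[(norm_mac(m["mac"]), m["ip"])] = {
                "lease": m["lease"], "type": m["type"], "vlan": m["vlan"], "intf": m["intf"]}
    return rows


def analyse(syslog, binding_output):
    """Correlate syslog lines with the snooping binding table."""
    bindings = parse_bindings(binding_output)
    errdisabled, denies = set(), {}
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:  # skips prompt lines such as "fl-sw2#" and blank lines
            continue
        if (m["facility"], m["mnemonic"]) == ("PM", "ERR_DISABLE"):
            e = ERRDISABLE_RE.search(m["text"])
            if e and e["cause"] == "dhcp-rate-limit":
                errdisabled.add(e["intf"])
        elif (m["facility"], m["mnemonic"]) == ("SW_DAI", "DHCP_SNOOPING_DENY"):
            d = DAI_DENY_RE.search(m["text"])
            if d:
                key = (norm_mac(d["smac"]), d["sip"])
                denies[key] = denies.get(key, 0) + int(d["n"])
    return {
        # ports shut by the rate limit: look for a misbehaving DHCP client or a rogue server
        "errdisabled": sorted(errdisabled),
        # denied ARPs with no binding at all: the host needs to release/renew (Case 1)
        "unbound_denies": {k: n for k, n in denies.items() if k not in bindings},
        # denied ARPs although a binding exists: compare the binding's VLAN/interface
        "bound_denies": {k: n for k, n in denies.items() if k in bindings},
    }


# Constructed sample input, built from the switch output shown on this page.
SAMPLE_SYSLOG = """\
*Mar  7 07:08:06.332: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 8 DHCP packets on interface Fa0/1
*Mar  7 07:08:06.332: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
fl-sw2#
*Mar  7 07:08:07.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  2 04:08:05.174: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 9.([5254.0053.492d/172.16.30.12/0000.0000.0000/172.16.30.1/04:08:05 UTC Tue Mar 2 1993])
*Mar  2 04:08:06.180: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 9.([5254.0053.492d/172.16.30.12/0000.0000.0000/172.16.30.1/04:08:06 UTC Tue Mar 2 1993])
"""
BINDINGS_EMPTY = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
"""
BINDINGS_AFTER_RENEW = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:53:49:2D   172.16.30.12     86374       dhcp-snooping   9     FastEthernet0/1
Total number of bindings: 1
"""

if __name__ == "__main__":
    for name, table in (("before renew", BINDINGS_EMPTY), ("after renew", BINDINGS_AFTER_RENEW)):
        print(name, analyse(SAMPLE_SYSLOG, table))
```

Run against the empty table (step 3 above) the host shows up under unbound_denies; run against the table from step 4 the same denies move to bound_denies, which is the signal that the binding itself, not its absence, needs checking. MAC addresses are normalised because IOS prints them colon-separated in the binding table and dotted in the DAI log.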