Cisco: DHCP Snooping

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [iii] DHCP snooping
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.2 Network security
          • 4.2.a [iii] DHCP snooping

DHCP Snooping Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/2
 switchport mode access
 switchport access vlan 130
exit
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.130.1
!
end
  • R3
configure terminal
!
service dhcp
!
ip dhcp excluded-address 10.0.128.1 10.0.128.9
ip dhcp excluded-address 10.0.128.192 10.0.128.254
!
ip dhcp pool SALES
 network 10.0.128.0 255.255.255.0
 default-router 10.0.128.1
!
interface FastEthernet 0/0
 ip address 10.0.128.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

DHCP Relay Agent

sudo apt install isc-dhcp-server
/etc/dhcp/dhcpd.conf
option domain-name "pg1x.net";
option domain-name-servers 8.8.8.8, 8.8.4.4, 1.1.1.1;
 
authoritative;
 
# No-op: declares the server's own segment so dhcpd knows the topology; no addresses are leased here
subnet 10.0.4.0 netmask 255.255.255.0 {
}
 
subnet 10.0.128.0 netmask 255.255.255.0 {
  range 10.0.128.10 10.0.128.191;
  option routers 10.0.128.1;
  option subnet-mask 255.255.255.0;
}
 
subnet 10.0.130.0 netmask 255.255.255.0 {
  range 10.0.130.10 10.0.130.191;
  option routers 10.0.130.1;
  option subnet-mask 255.255.255.0;
}

Netplan VLAN Configuration

Netplan

/etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0f0:
      dhcp4: no
      dhcp6: no
      routes:
        - to: 10.0.128.0/17
          via: 10.0.128.1
          metric: 0
  vlans:
    vlan128:
      id: 128
      link: enp1s0f0
      addresses: [ 10.0.128.254/24 ]
    vlan130:
      id: 130
      link: enp1s0f0
      addresses: [ 10.0.130.254/24 ]
sudo netplan apply
ip address show
root@kozue:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:31:13:9b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe31:139b/64 scope link 
       valid_lft forever preferred_lft forever
3: enp1s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:31:13:9a brd ff:ff:ff:ff:ff:ff
(snip)
5: vlan128@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:31:13:9b brd ff:ff:ff:ff:ff:ff
    inet 10.0.128.254/24 brd 10.0.128.255 scope global vlan128
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe31:139b/64 scope link 
       valid_lft forever preferred_lft forever
6: vlan130@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:31:13:9b brd ff:ff:ff:ff:ff:ff
    inet 10.0.130.254/24 brd 10.0.130.255 scope global vlan130
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe31:139b/64 scope link 
       valid_lft forever preferred_lft forever
sudo systemctl restart isc-dhcp-server
sudo systemctl status isc-dhcp-server
root@kozue:~# systemctl restart isc-dhcp-server
root@kozue:~# systemctl status isc-dhcp-server
● isc-dhcp-server.service - ISC DHCP IPv4 server
   Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-09-09 22:21:08 JST; 4s ago
     Docs: man:dhcpd(8)
 Main PID: 2312 (dhcpd)
    Tasks: 1 (limit: 4285)
   CGroup: /system.slice/isc-dhcp-server.service
           └─2312 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf

Sep 09 22:21:08 kozue dhcpd[2312]: Sending on   LPF/eno2/4c:52:62:27:6a:99/10.0.4.0/24
Sep 09 22:21:08 kozue dhcpd[2312]: 
Sep 09 22:21:08 kozue dhcpd[2312]: No subnet declaration for enp1s0f0 (no IPv4 addresses).
Sep 09 22:21:08 kozue dhcpd[2312]: ** Ignoring requests on enp1s0f0.  If this is not what
Sep 09 22:21:08 kozue dhcpd[2312]:    you want, please write a subnet declaration
Sep 09 22:21:08 kozue dhcpd[2312]:    in your dhcpd.conf file for the network segment
Sep 09 22:21:08 kozue dhcpd[2312]:    to which interface enp1s0f0 is attached. **
Sep 09 22:21:08 kozue dhcpd[2312]: 
Sep 09 22:21:08 kozue dhcpd[2312]: Sending on   Socket/fallback/fallback-net
Sep 09 22:21:08 kozue dhcpd[2312]: Server starting service.

Configure DHCP Snooping

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128,130
!
ip dhcp snooping information option
!
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
 ip dhcp snooping limit rate 5
exit
!
interface FastEthernet 1/0/2
 switchport mode access
 switchport access vlan 130
 ip dhcp snooping limit rate 5
exit
!
interface FastEthernet 1/0/5
 switchport trunk encapsulation dot1q 
 switchport mode trunk
 switchport trunk allowed vlan 128,130
 ip dhcp snooping trust
exit
!
interface FastEthernet 1/0/23
 switchport trunk encapsulation dot1q 
 switchport mode trunk
 switchport trunk allowed vlan 128,130
 ip dhcp snooping trust
exit
!
end
  • SW2
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128,130
!
ip dhcp snooping information option
!
ip dhcp snooping information option allow-untrusted
!
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q 
 switchport mode trunk
 switchport trunk allowed vlan 128,130
 ip dhcp snooping trust
exit
!
end
  1. If DHCP snooping is not configured on SW2, all DHCP packets are forwarded.
  2. If SW1 Fa1/0/23 is not configured with ip dhcp snooping trust, DHCP traffic is not sent from SW1 to SW2.
  3. If SW2 is not configured with ip dhcp snooping information option allow-untrusted, DHCP frames carrying option 82 are dropped.
  4. If SW2 Fa1/0/24 is not configured with ip dhcp snooping trust, DHCP client packets are not forwarded to the DHCP server, because they arrive on an untrusted port.
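The observations above are the visible side of the per-port checks a snooping switch applies to every DHCP message. The following Python script is an added example, not part of this page and not Cisco's code: it builds a constructed DHCPDISCOVER, parses the BOOTP header and option list, splits option 82 into its circuit-id and remote-id sub-options, and models the untrusted-port drop conditions Cisco documents for DHCP snooping (server replies, non-zero giaddr, chaddr differing from the frame's source MAC under the default ip dhcp snooping verify mac-address, and option 82 without allow-untrusted). The sub-option byte layout, the MAC addresses and the function names are my assumptions, chosen only to resemble what an edge switch inserts; the model is deliberately simplified and does not cover the binding-table checks on DHCPRELEASE/DHCPDECLINE.

```python
"""Added example: parse a DHCP message and model the untrusted-port checks
that DHCP snooping applies (simplified; not Cisco's implementation)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53        # option 53: DHCP message type
OPT_RELAY_AGENT = 82     # option 82: relay agent information
OPT_END = 255
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2

# Constructed sample values (not captured from the lab).
CLIENT_MAC = bytes.fromhex("001b21311000")
# Assumed switch-inserted option 82: a circuit-id carrying VLAN 128, module 1,
# port 1, and a remote-id carrying the inserting switch's base MAC.
CIRCUIT_ID = b"\x00\x04" + struct.pack("!HBB", 128, 1, 1)
REMOTE_ID = b"\x00\x06" + bytes.fromhex("0011223344ff")
SAMPLE_OPTION82 = (bytes([SUB_CIRCUIT_ID, len(CIRCUIT_ID)]) + CIRCUIT_ID
                   + bytes([SUB_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)


def build_discover(client_mac, xid=0x1234, option82=None):
    """Build a minimal DHCPDISCOVER; option 82 is appended when given."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, broadcast flag
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
    hdr += client_mac + b"\x00" * 10       # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                   # sname (64) + file (128)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])  # message type 1 = DISCOVER
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the TLV option list of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    msg = {"op": op, "giaddr": payload[24:28],
           "chaddr": payload[28:28 + hlen], "options": {}}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                # pad option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def parse_option82(data):
    """Split option 82 into its sub-options, keyed by sub-option code."""
    subs, i = {}, 0
    while i + 2 <= len(data):
        sub, length = data[i], data[i + 1]
        subs[sub] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snooping_decision(msg, src_mac, port_trusted, allow_untrusted=False):
    """Simplified DHCP snooping verdict for one ingress port: (verdict, reason).

    Trusted ports forward everything. On an untrusted port the message is
    dropped when it is a server reply, carries a non-zero giaddr, has a
    chaddr that differs from the frame's source MAC, or carries option 82
    while 'allow-untrusted' is off.
    """
    if port_trusted:
        return "forward", "trusted port"
    if msg["op"] == 2:
        return "drop", "server reply (BOOTREPLY) on untrusted port"
    if msg["giaddr"] != b"\x00\x00\x00\x00":
        return "drop", "non-zero giaddr on untrusted port"
    if msg["chaddr"] != src_mac:
        return "drop", "chaddr does not match source MAC"
    if OPT_RELAY_AGENT in msg["options"] and not allow_untrusted:
        return "drop", "option 82 on untrusted port without allow-untrusted"
    return "forward", "client message passed untrusted-port checks"


def lab_scenarios():
    """Run the inter-switch uplink cases behind observations 2 to 4 and
    return {scenario: verdict} for a DISCOVER the upstream switch tagged."""
    tagged = parse_dhcp(build_discover(CLIENT_MAC, option82=SAMPLE_OPTION82))
    # Flip op to 2 (BOOTREPLY) so the same frame stands in for a server OFFER.
    reply = parse_dhcp(b"\x02" + build_discover(CLIENT_MAC)[1:])
    return {
        "untrusted ingress, option 82, no allow-untrusted": snooping_decision(tagged, CLIENT_MAC, False)[0],
        "untrusted ingress, option 82, allow-untrusted": snooping_decision(tagged, CLIENT_MAC, False, True)[0],
        "trusted ingress, option 82": snooping_decision(tagged, CLIENT_MAC, True)[0],
        "untrusted ingress, server reply": snooping_decision(reply, CLIENT_MAC, False)[0],
    }


if __name__ == "__main__":
    for name, verdict in lab_scenarios().items():
        print(f"{name}: {verdict}")
```

Feeding the SPAN capture from Fa1/0/23 into parse_dhcp and parse_option82 shows whether the upstream switch actually inserted option 82 and what VLAN/port it encodes; snooping_decision then explains which of the four rules would drop the frame on a given port configuration.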

For packet capture

monitor session 1 source interface Fa1/0/23
monitor session 1 destination interface Fa1/0/12

Console Log SW1

Console Log SW2

tech/network/cisco/dhcp-snooping/dhcp-snooping.txt · Last modified: 2019/09/15 15:45 by wnoguchi