You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.
Conditions for dropping a packet

| Condition for dropping a packet | Packet types |
|---|---|
| A packet from a DHCP server received on an untrusted port | DHCPOFFER, DHCPACK, DHCPNACK |
| If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses | DHCPOFFER, DHCPACK, DHCPNACK |
| Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet | N/A |
| Unless configured to not perform this check, a DHCP packet containing DHCP relay information (Option 82) received on an untrusted port | N/A |
| A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is received | DHCPRELEASE, DHCPDECLINE |
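The drop rules in the table above, worked through as an added Python model (this is an added example, not HP's switch code): packets are dicts of already-parsed DHCP fields; the port numbers, trust settings, authorized-server list and binding database are constructed sample values; the returned reasons use the wording of the show dhcp-snooping stats output.

```python
from dataclasses import dataclass, field
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}   # message types sent by a server
RELEASE_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}         # checked against the binding database

@dataclass
class SnoopConfig:
    trusted_ports: set = field(default_factory=set)
    authorized_servers: set = field(default_factory=set)  # empty = every server is valid
    verify_mac: bool = True                               # chaddr must equal the source MAC
    option82_untrusted_policy: str = "drop"               # drop | keep | replace
    bindings: dict = field(default_factory=dict)          # client MAC -> port holding the lease

def snoop(cfg, p):
    """Classify one parsed DHCP packet; returns (action, reason) in the wording of 'show dhcp-snooping stats'."""
    trusted = p["in_port"] in cfg.trusted_ports
    if p["msg_type"] in SERVER_MSGS:
        if not trusted:
            return "drop", "received on untrusted port"
        if cfg.authorized_servers and p["src_ip"] not in cfg.authorized_servers:
            return "drop", "unauthorized server"
        return "forward", "from trusted port"
    if trusted:                                 # trusted-to-trusted traffic is not inspected
        return "forward", "to trusted port"
    if cfg.verify_mac and p["chaddr"] != p["src_mac"]:
        return "drop", "failed verify MAC check"
    if p.get("has_option82") and cfg.option82_untrusted_policy == "drop":
        return "drop", "untrusted option 82 field"  # keep/replace policies forward instead
    if p["msg_type"] in RELEASE_MSGS and p.get("broadcast"):
        bound_port = cfg.bindings.get(p["chaddr"])
        if bound_port is not None and bound_port != p["in_port"]:
            return "drop", "bad DHCP release request"
    return "forward", "to trusted port"

def pkt(in_port, msg_type, src_mac, chaddr=None, src_ip="0.0.0.0", **extra):
    return dict(in_port=in_port, msg_type=msg_type, src_mac=src_mac, chaddr=chaddr or src_mac, src_ip=src_ip, **extra)

# Constructed sample: ports 5-6 trusted, one authorized server, one lease held by a client on port 7.
CFG = SnoopConfig(trusted_ports={5, 6}, authorized_servers={"10.0.0.254"}, bindings={"00:11:22:33:44:55": 7})
SAMPLES = [
    pkt(7, "DHCPOFFER", "00:aa:00:00:00:01", src_ip="10.0.0.9"),              # server on an untrusted port
    pkt(5, "DHCPACK", "00:aa:00:00:00:02", src_ip="10.0.0.9"),                # trusted port, unauthorized address
    pkt(5, "DHCPACK", "00:aa:00:00:00:02", src_ip="10.0.0.254"),              # authorized server
    pkt(7, "DHCPDISCOVER", "00:11:22:33:44:55", chaddr="00:11:22:33:44:99"),  # chaddr/source MAC mismatch
    pkt(7, "DHCPDISCOVER", "00:11:22:33:44:55", has_option82=True),           # Option 82 arriving from a client port
    pkt(8, "DHCPRELEASE", "00:11:22:33:44:55", broadcast=True),               # release from a port other than the lease's
    pkt(7, "DHCPDISCOVER", "00:11:22:33:44:55"),                              # ordinary client request
]

def run_samples(cfg=CFG, samples=SAMPLES):
    return [snoop(cfg, p) for p in samples]
```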
DHCP snooping is enabled globally by entering this command:
Use the no form of the command to disable DHCP snooping.
Syntax:
To display the DHCP snooping configuration, enter this command:
Output for the show dhcp-snooping command

```
HP Switch(config)# show dhcp-snooping

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled Vlans              :
  Verify MAC                 : Yes
  Option 82 untrusted policy : drop
  Option 82 Insertion        : Yes
  Option 82 remote-id        : mac
  Store lease database       : Not configured

  Port  Trust
  ----- -----
  5     No
  6     No
```
To display statistics about the DHCP snooping process, enter this command:
An example of the output is shown below.
Output for the show dhcp-snooping stats command

```
HP Switch(config)# show dhcp-snooping stats

 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  -----
 server       forward  from trusted port              8
 client       forward  to trusted port                8
 server       drop     received on untrusted port     2
 server       drop     unauthorized server            0
 client       drop     destination on untrusted port  0
 client       drop     untrusted option 82 field      0
 client       drop     bad DHCP release request       0
 client       drop     failed verify MAC check        0
```
DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command:
You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4.
HP Networking switches support DHCPv4 and DHCPv6 snooping. Configuring both versions helps protect your entire network by blocking unintended or rogue DHCPv4 and DHCPv6 servers. By default, all ports are untrusted. Once configured, DHCP server packets are forwarded only if received on a trusted port. DHCP server packets received on an untrusted port are dropped.
To configure a port or range of ports as trusted, enter this command:
HP Switch(config)# dhcp-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter a list of ports.
Setting trusted ports

```
HP Switch(config)# dhcp-snooping trust 5-6
HP Switch(config)# show dhcp-snooping

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled Vlans              : 4
  Verify MAC                 : Yes
  Option 82 untrusted policy : drop
  Option 82 Insertion        : Yes
  Option 82 remote-id        : mac
  Store lease database       : Not configured

  Port  Trust
  ----- -----
  5     Yes
  6     Yes
  7     No
```
Use the no form of the command to remove the trusted configuration from a port.
To configure a port or range of ports as trusted for DHCPv6 snooping, enter this command:
HP Switch(config)# dhcpv6-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter a list of ports.
Use the no form of the command to remove the trusted configuration from a port.
If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
To configure a DHCP authorized server address, enter this command in the global configuration context:
DHCP snooping adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See "Configuring DHCP Relay" in the Management and Configuration Guide for more information on Option 82.)
When DHCP snooping is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored while snooping controls Option 82 insertion. Option 82 inserted in this manner allows the client's lease to be associated with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.
NOTE: DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled.
If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
Syntax: [no] dhcp-snooping option 82 [remote-id <mac|subnet-ip|mgmt-ip>] [untrusted-policy <drop|keep|replace>]

option 82: Enables DHCP Option 82 insertion in the packet.

untrusted-policy: Configures DHCP snooping behavior when forwarding a DHCP packet from an untrusted port that already contains DHCP relay information (Option 82). The default is drop.

- drop: The packet is dropped.
- keep: The packet is forwarded without replacing the option information.
- replace: The existing option is replaced with a new Option 82 generated by the switch.

NOTE: The default drop policy should remain in effect if there are any untrusted nodes, such as clients, directly connected to this switch.
By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this command with the associated parameter:
DHCP snooping Option 82 using the VLAN IP address

```
HP Switch(config)# dhcp-snooping option 82 remote-id subnet-ip
HP Switch(config)# show dhcp-snooping

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled Vlans              : 4
  Verify MAC                 : Yes
  Option 82 untrusted policy : drop
  Option 82 Insertion        : Yes
  Option 82 remote-id        : subnet-ip
```
DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:

- Client MAC address
- Port number
- VLAN identifier
- Leased IP address
- Lease time
The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location. To configure this location use this command.
Syntax: [no] dhcp-snooping database [file <tftp://<ip-address>/<ascii-string>>] [delay <15-86400>] [timeout <0-86400>]

file: Must be in Uniform Resource Locator (URL) format, "tftp://ip-address/ascii-string". The maximum filename length is 63 characters.

delay: Number of seconds to wait before writing to the database. Default = 300 seconds.

timeout: Number of seconds to wait for the database file transfer to finish before returning an error. A value of zero (0) means retry indefinitely. Default = 300 seconds.
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command.
Syntax:
DHCP snooping binding database contents

```
HP Switch(config)# show dhcp-snooping binding

 MacAddress         IP               VLAN  Interface  Time left
 -----------------  ---------------  ----  ---------  ---------
 22.22.22.22.22.22  10.0.0.1         4     6          1600
```
NOTE: If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the switch reboots and is completed quickly. If the switch is unable to read the lease database from the TFTP server, it waits until that operation times out and then begins forwarding DHCP packets.
DHCP snooping max-binding prevents the binding table from being exhausted. It is configured per port, restricts the maximum number of bindings allowed on a port/interface, and applies to untrusted interfaces only. The maximum bindings for a port include both statically configured and dynamically learned bindings. The number of bindings is maintained per port: it is incremented upon a lease offer and decremented upon a lease expiry or release.
DHCP snooping max-binding can be configured in the configuration context or in the interface context of an untrusted interface. In the configuration context, a port or list of ports is selected and the max-binding value is given in the range <1-8192>. In the interface context, after selecting the interface, the max-binding value is given in the range <1-8192>. The max-binding configuration for a port is removed with the no form of the command. max-binding cannot be set on trusted ports or on ports whose associated VLAN is not DHCP-snooping enabled. Once the max-binding limit on an interface is reached, packets for DHCP clients that do not have a binding entry are dropped.
Syntax:
Configure the maximum number of bindings on specified ports. The maximum number of bindings default value is 8192. The allowed range on a port is 1 to 8192.
Syntax:
Configures the maximum binding value on a port. Only this number of clients are allowed on a port. By specifying [no] the max-binding is removed from the configuration and set to the default value of 8192.
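A worked model of the max-binding accounting described above (an added example, not HP's code): it keeps the per-port count of static plus dynamic bindings, increments on a lease offer, decrements on release or expiry, rejects the setting on trusted ports and non-snooping VLANs, and refuses a new client once the limit is reached. The class and method names, and the injectable clock, are assumptions for illustration.

```python
import time
DEFAULT_MAX_BINDINGS = 8192     # table size of the switch; also the per-port default limit

class BindingTable:
    """Model of the per-port max-binding check (added example, not HP code)."""
    def __init__(self, trusted_ports, snooping_vlans, now=time.time):
        self.trusted, self.vlans, self.now = set(trusted_ports), set(snooping_vlans), now
        self.max_binding = {}     # port -> configured limit (1-8192); absent = default
        self.static = {}          # port -> number of statically configured bindings
        self.dynamic = {}         # client MAC -> (port, vlan, ip, expires_at)

    def set_max_binding(self, port, vlan, limit):
        """Mirror of the max-binding command: rejected on trusted ports and non-snooping VLANs."""
        if port in self.trusted or vlan not in self.vlans:
            raise ValueError(f"port {port}: max-binding only allowed on untrusted ports in snooping VLANs")
        if not 1 <= limit <= DEFAULT_MAX_BINDINGS:
            raise ValueError("max-binding must be in the range 1-8192")
        self.max_binding[port] = limit

    def add_static(self, port):
        """A statically configured binding counts toward the port limit too."""
        self.static[port] = self.static.get(port, 0) + 1

    def expire(self):
        """Decrement the count for leases whose time has run out."""
        t = self.now()
        self.dynamic = {m: b for m, b in self.dynamic.items() if b[3] > t}

    def count(self, port):
        """Static plus dynamic bindings currently held on a port."""
        self.expire()
        return self.static.get(port, 0) + sum(1 for b in self.dynamic.values() if b[0] == port)

    def offer(self, mac, vlan, client_port, ip, lease_secs):
        """Called when a lease offer for a client on client_port is seen.
        Returns False when the packet would be dropped for 'failed on max-binding limit'."""
        if client_port in self.trusted:
            return True            # bindings are only tracked on untrusted ports
        limit = self.max_binding.get(client_port, DEFAULT_MAX_BINDINGS)
        if mac not in self.dynamic and self.count(client_port) >= limit:
            return False
        self.dynamic[mac] = (client_port, vlan, ip, self.now() + lease_secs)  # new or renewed lease
        return True

    def release(self, mac):
        """DHCPRELEASE (or DHCPDECLINE) from the client frees the binding and its count."""
        return self.dynamic.pop(mac, None) is not None
```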
Syntax:
Show all available dhcp-snooping information.
Example:

```
 DHCP Snooping Information

  DHCP Snooping : Yes

                      Max       Current Bindings
  Port  Trust     Bindings   Static    Dynamic
  ----- ------    --------   -------   ---------
  1     Yes       -          -         -
  2     No        200        10        3
  3     No        3*         3         6
  4     No        5*         23        0
  5     No        -          -         -
  6     No        -          -         -
  7     No        -          -         -
  8     No        -          -         -
  9     No        -          -         -
  10    No        -          -         -
  11    Yes       -          -         -
  12    Yes       -          -         -
  13    No        -          -         -
  14    No        -          -         -
  15    No        -          -         -
  16    No        -          2         8
  17    No        21         12        24
  18    Yes       -          -         -
  19    No        -          -         -
  20    No        -          -         -
  21    No        -          -         -
  22    No        -          -         -
  23    No        -          -         -
  24    Yes       -          -         -
```
Syntax:
Shows the dhcp-snooping statistics.

```
 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  ---------
 server       forward  from trusted port              0
 client       forward  to trusted port                0
 server       drop     received on untrusted port     0
 server       drop     unauthorized server            0
 client       drop     destination on untrusted port  0
 client       drop     untrusted option 82 field      0
 client       drop     bad DHCP release request       0
 client       drop     failed verify MAC check        0
 client       drop     failed on max-binding limit    0
```
- DHCP snooping is not configurable from the WebAgent or menu interface.
- If packets are received at too high a rate, some may be dropped and need to be re-transmitted.
- HP recommends running a time synchronization protocol such as SNTP in order to track lease times accurately.
- A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
| Log message | Meaning |
|---|---|
| Server <ip-address> packet received on untrusted port <port-number> dropped. | Indicates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted. |
| | More than one packet was received from a DHCP server on an untrusted port. To avoid filling the log file with repeated attempts, untrusted server drop packet events will not be logged for the specified <duration>. |
| Client packet destined to untrusted port <port-number> dropped. | Indicates that the destination of a DHCP client unicast packet is on an untrusted port. This event is recognized when a client unicast packet is dropped because the destination address is out of a port configured as untrusted. |
| | More than one client unicast packet with an untrusted port destination was dropped. To avoid filling the log file with repeated attempts, untrusted port destination attempts will not be logged for the specified <duration>. |
| Unauthorized server <ip-address> detected on port <port-number>. | Indicates that an unauthorized DHCP server is attempting to send packets. This event is recognized when a server packet is dropped because authorized servers are configured and the packet was received from a server that is not configured as an authorized server. |
| | More than one unauthorized server packet was dropped. To avoid filling the log file with repeated attempts, unauthorized server transmit attempts will not be logged for the specified <duration>. |
| Received untrusted relay information from client <mac-address> on port <port-number>. | Indicates the reception on an untrusted port of a client packet containing a relay information option field. This event is recognized when a client packet containing a relay information option field is dropped because it was received on a port configured as untrusted. |
| | More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>. |
| Client address <mac-address> not equal to source MAC <mac-address> detected on port <port-number>. | Indicates that a client packet's source MAC address does not match the "chaddr" field. This event is recognized when the dhcp-snooping agent is enabled to filter DHCP client packets whose "chaddr" field and source MAC address do not match. |
| | More than one DHCP client packet with a mismatched source MAC and chaddr field was dropped. To avoid filling the log file with repeated attempts, client address mismatch events will not be logged for the specified <duration>. |
| Attempt to release address <ip-address> leased to port <port-number> detected on port <port-number> dropped. | Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to. |
| | More than one bad DHCP client release packet was dropped. To avoid filling the log file with repeated bad release dropped packets, bad releases will not be logged for <duration>. |
| | The lease table is full and this lease will not be added to it. |
| | An error occurred while writing the temporary file and sending it using TFTP to the remote server. |
| | Too many DHCP packets are flowing through the switch and some are being dropped. |
| | The DHCP binding table is full and subsequent bindings are being dropped. |