2.1.a DHCP snooping
In this segment we will cover DHCP, as well as DHCP Snooping. It seems the blueprint is remiss in mentioning DHCP in its own line item so we will briefly cover it here as you cannot have DHCP Snooping without DHCP.
DHCP is easy enough; there are only 2 requirements for it so long as you are using a single subnet, as we will do here for the sake of simplicity. The minimum requirements call for a default-router and a DHCP network for address assignment. You could establish a lease period, DNS, and many other delimiters, but they are not minimum requirements. It is a good idea to include a domain-name but usually that has already been configured.
DHCP is the Dynamic Host Configuration Protocol. It eases administration by allowing clients to broadcast for Ip addresses and a default gateway, among other parameters. A lot easier than statically configuring a bunch of windows or linux boxes in any size environment. The usual method is for a dedicated server to handle the chore, but Cisco was kind enough to include it in its routers and switches, and on it’s exams.
So the first step will be to set up a DHCP server. Keep in mind the acronym DORA, dis, off, req, ack and you can easily memorize the dhcp process. Discover, Offer, Request, Acknowledge.
Option 82 or the information option is a player in the VIRL canvas. Option 82 is turned on by default and does further fact checking for validity on untrusted ports especially in the case of relays. We can avoid this by turning off option 82 at the switch, or by enabling option 82 on the access ports, the untrusted ports, however, here we will turn it off on the switch. You can find out more detail about option 82 on the internet, in fact Petr Lapukhov has a great article about it on his INE blog. Just do a search for “option 82 Petr” and that should be your first hit.
Let’s get down to configuration.
Now that we have DHCP in place and operational, we can talk about DHCP Snooping. DHCP Snooping is designed to disallow rogue DHCP servers from inhabiting your network and dishing out false Ip addresses and gateways to your clients. This is performed by establishing a trust between authorized devices and thereby building a reference database for cross checking. Remember, only untrusted connections will be leased ip addresses and assigned to the snooping database, along with their associated mac’s and vlan’s. It is vital to understand that trusted connections are established between server and switch or router and switch or switch and switch, not switch and access ports.
There are three essential items to get DHCP Snooping operational. Of course there are other options but we will discuss the minimum. They
Turn on dhcp snooping
turn on dhcp snooping for the Vlan or Vlan’s
and establish trust between the server and switch.
here we go: