Tag Archives: SWITCH 300-115 2.1a

CCNP SWITCH 300-115 2.1 Configure and verify switch security features

2.1.a DHCP snooping

In this segment we will cover DHCP as well as DHCP snooping. The blueprint does not list DHCP as its own line item, so we will cover it briefly here, since you cannot have DHCP snooping without DHCP.

DHCP is easy enough; as long as you are using a single subnet, as we will here for the sake of simplicity, there are only two requirements: a default-router and a DHCP network for address assignment. You can also set a lease period, DNS servers and many other parameters, but they are not minimum requirements. It is a good idea to include a domain-name, but usually that has already been configured.

DHCP is the Dynamic Host Configuration Protocol. It eases administration by letting clients broadcast for an IP address, a default gateway and other parameters, which is a lot easier than statically configuring a pile of Windows or Linux boxes in an environment of any size. The usual method is for a dedicated server to handle the chore, but Cisco was kind enough to include it in its routers and switches, and on its exams.

So the first step will be to set up a DHCP server. Keep the acronym DORA in mind (dis, off, req, ack) and you can easily memorize the DHCP process: Discover, Offer, Request, Acknowledge.

Option 82, the DHCP relay information option, comes into play on the VIRL canvas. Option 82 is turned on by default with DHCP snooping and adds further validity checking on untrusted ports, especially where relays are involved. We can avoid this by turning option 82 off at the switch, or by allowing option 82 on the access (untrusted) ports; here we will turn it off on the switch. You can find more detail about option 82 on the internet; in fact Petr Lapukhov has a great article about it on his INE blog. Just search for “option 82 Petr” and it should be your first hit.

Let’s get down to configuration.
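The minimum DHCP server configuration described above, written out as an added example (it is not the post's own configuration or VIRL lab). The subnet 10.30.0.0/24, VLAN 300, the pool name and the DNS address are constructed values; the `ip dhcp relay information trust-all` line is the server-side way of accepting option 82 packets, included for contrast with the post's choice of turning option 82 off on the switch.

```ios
! Added example, not the post's own config: Cisco IOS DHCP server for one subnet.
! Addresses, VLAN number and pool name are constructed for the lab.
!
! Keep the gateway, the DNS server and a few infrastructure addresses out of the pool.
ip dhcp excluded-address 10.30.0.1 10.30.0.10
!
! Minimum pool: a network for assignment plus a default-router.
! dns-server, domain-name and lease are optional extras.
ip dhcp pool VLAN300-POOL
 network 10.30.0.0 255.255.255.0
 default-router 10.30.0.1
 dns-server 10.30.0.2
 domain-name lab.example
 lease 0 8
!
! The interface the server answers on. Its address must fall inside the pool's
! network so the server selects this pool for broadcasts received on VLAN 300.
interface Vlan300
 ip address 10.30.0.1 255.255.255.0
 no shutdown
!
! Option 82 on the server side: a snooping switch inserts option 82 on untrusted
! ports while leaving giaddr at 0.0.0.0, and an IOS DHCP server drops such
! packets unless told to trust them. The post disables option 82 on the switch
! instead; this line is the server-side alternative.
ip dhcp relay information trust-all
!
! Verification (exec mode):
!   show ip dhcp pool              - pool size, leased and excluded counts
!   show ip dhcp binding           - leases handed out
!   show ip dhcp server statistics - DISCOVER/OFFER/REQUEST/ACK counters
!   debug ip dhcp server events    - watch the DORA exchange live
```

The excluded-address range matters: without it the server can hand the gateway's own address to a client, and the `show ip dhcp server statistics` counters are the quickest way to confirm the DORA exchange is completing rather than stalling at Discover.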

Now that we have DHCP in place and operational, we can talk about DHCP snooping. DHCP snooping is designed to keep rogue DHCP servers from inhabiting your network and dishing out false IP addresses and gateways to your clients. It does this by establishing trust toward authorized devices and building a binding database that is used for cross checking. Remember, only clients on untrusted ports will be leased IP addresses and recorded in the snooping database, along with their associated MAC addresses and VLANs. It is vital to understand that trust is established between server and switch, router and switch, or switch and switch, not between switch and access ports.

There are three essential items to get DHCP snooping operational. Of course there are other options, but we will discuss the minimum. They are:

Turn on DHCP snooping.

Turn on DHCP snooping for the VLAN or VLANs.

Establish trust on the port between the server and the switch.
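The three items above, plus the option 82 and rate-limit points made on this page, as an added end-to-end switch configuration (not the post's own running-config). Interface F0/21 facing the DHCP server follows the post; the VLAN 300 access range, the 10 pps limit, the database filename and the descriptions are assumed values.

```ios
! Added example, not the post's own config: DHCP snooping on an access switch.
! F0/21 faces the DHCP server (as in the post); other values are constructed.
!
! 1. Turn on DHCP snooping globally.
ip dhcp snooping
!
! 2. Turn it on for the VLAN(s) you want protected.
ip dhcp snooping vlan 300
!
! Option 82 is inserted by default; the post turns it off so the DHCP server
! accepts client packets relayed through the untrusted ports.
no ip dhcp snooping information option
!
! Optional: keep the binding table across a reload, and let ports that were
! err-disabled for exceeding the rate limit recover on their own.
ip dhcp snooping database flash:dhcp-snoop.db
errdisable recovery cause dhcp-rate-limit
!
! 3. Trust only the port toward the DHCP server (or uplinks to other switches).
!    Never trust an access port: that is the rogue-server hole.
interface FastEthernet0/21
 description To DHCP server
 switchport mode access
 switchport access vlan 300
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default). Server messages (OFFER/ACK) arriving
! here are dropped, and each lease is recorded with its MAC, VLAN and ingress port.
! The 10 pps limit is an assumed value; it stops one client from flooding the server.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 300
 ip dhcp snooping limit rate 10
!
! Verification (exec mode):
!   show ip dhcp snooping            - enabled VLANs, option 82 state, trust/rate per port
!   show ip dhcp snooping binding    - MAC, IP, lease, VLAN, ingress interface
!   show ip dhcp snooping statistics - drop counters and reasons
!   show errdisable recovery         - confirm dhcp-rate-limit recovery is enabled
```

When testing, plug a second DHCP server into an untrusted port and watch `show ip dhcp snooping statistics`: its OFFERs are counted as drops and never reach clients, while leases from F0/21 populate the binding table.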

Here we go:

Video:

https://www.youtube.com/watch?v=_pRDz-B_O8U


SWITCH 300-115 2.1 Configure and verify switch security features

2.1.a DHCP snooping

First, a word from Ethan Banks about the wonders of DHCP snooping, and the perils of the information option:

http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

Global configuration (from the running-config):

ip dhcp snooping vlan 300
ip dhcp snooping

Note: I added the command:

ip dhcp snooping information option

but it didn’t show up in the running config (it is the default). See the link above.

Set the trusted port (interface configuration):

ip dhcp snooping trust

There is little configuration to set on the untrusted ports; however, as Ethan suggests, you might want to rate limit the requests so the DHCP server doesn’t get bombarded:

[Figure: switch DHCP snooping interface configuration with rate limit]

The value in the figure is in packets per second (pps), which works out to 600 a minute.

Note below: I have configured int f0/21 as the trusted port, which is connected to the DHCP server. Also note the criteria that snooping imposes, i.e. ingress port, VLAN, MAC address.

[Figure: switch show DHCP snooping output]