
A Guide to Configuring and Troubleshooting DHCP Snooping

by Darin Knobbe, on Jul 9, 2020 1:45:00 PM

During the course of network operations, DHCP snooping issues have often come up from our clients and their engineering teams. When they explain their situation, it boils down to being familiar with DHCP and having the confidence to handle the conditions. Today, we outline a resource focused on DHCP Snooping troubleshooting and configuration.


DHCP Snooping issues mostly occur due to adding a new device to the environment without erasing its previous configuration, man-in-the-middle attacks, and BYOD (bring your own device). Overall, DHCP Snooping acts like a firewall between trusted and untrusted DHCP servers and devices. We'll outline how you can configure trusted and untrusted zones manually as well as a full approach to DHCP Snooping.

As a layer 2 security technology incorporated into the switch operating system, DHCP Snooping prevents unauthorized DHCP servers from offering IP addresses to DHCP clients.

How DHCP Snooping Works

Dynamic Host Configuration Protocol (DHCP) is at the heart of assigning IP addresses. The keyword in DHCP is protocol: the guiding rules and process for Internet connections for everyone, everywhere. DHCP is consistent, accurate and works the same for every computer. DHCP Snooping performs the activities below to handle DHCP issues in production networks. By default, DHCP Snooping is disabled. The first step is to enable DHCP Snooping per VLAN, after which the snooping feature:

  • Checks DHCP messages received from untrusted sources and filters all invalid messages
  • Maintains the DHCP Snooping binding database, which contains the untrusted hosts with their leased IP address information
  • Uses the DHCP Snooping binding database to validate subsequent requests from untrusted hosts

Licensing Requirements for DHCP Snooping

Product: NX-OS
License Requirement: DHCP Snooping requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge.


DHCP Snooping Configurations

You can configure DHCP Snooping in 5 simple steps. If there is any uncertainty about adding DHCP Snooping to your system operations, try it out in a virtual environment with no harm! In the virtual space, we have built four labs targeted specifically at various tests, networks, and skills. You have the opportunity to dive into DHCP along with routing protocols such as EIGRP, OSPF, BGP, RIP, and more. Learn more about each lab here: CCIE MPLS Lab, CCNA Routing Lab, CCNP DMVPN Lab, CCNP/CCIE Route and Switch Lab.

Now, back to the configuration. First, enable DHCP snooping globally with the following command:

[Image: configuration command, step 1: enabling ip dhcp snooping globally]

Next, specify a VLAN you want to secure with DHCP Snooping:

[Image: ip dhcp snooping configuration command for VLAN 190]

Add multiple VLANs at once with the following command:

[Image: ip dhcp snooping configuration command for VLANs 190, 191 and 201]

Now, configure the port facing the DHCP server as "TRUST" with the command shown below:

[Image: configuration command setting the DHCP server port to TRUST]

The final basic step is to verify the configuration with a show command, which is also helpful during troubleshooting.

[Image: show command verifying the DHCP Snooping configuration]
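The five steps above, collected into one complete Cisco IOS configuration. This is an added example, not a screenshot from the original post: the VLAN numbers come from the post, while the interface names, the per-port rate limit and the optional option-82 line are assumptions for illustration.

```cisco
! Added example (not from the original post). Interface names, the rate
! limit value and the option-82 line are assumptions for illustration.
!
! Step 1: enable DHCP Snooping globally. No VLAN is protected until step 2.
ip dhcp snooping
!
! Step 2: protect a single VLAN, or several at once (both forms are valid).
ip dhcp snooping vlan 190
ip dhcp snooping vlan 190,191,201
!
! Step 3: every port is untrusted by default, so the port toward the DHCP
! server (or the uplink toward a relay) must be trusted. Otherwise clients in
! these VLANs stop receiving leases the moment snooping is enabled.
! GigabitEthernet1/0/48 is an assumed uplink.
interface GigabitEthernet1/0/48
 description Uplink to DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted. A per-port rate limit (15 packets per second
! is an assumed value) throttles a host that floods DHCP messages.
! GigabitEthernet1/0/1 - 24 is an assumed range of user ports.
interface range GigabitEthernet1/0/1 - 24
 description User access ports
 ip dhcp snooping limit rate 15
!
! Optional: the switch inserts option 82 by default. Disable it only if the
! upstream DHCP server or relay rejects packets that carry it (Error 1 below).
! no ip dhcp snooping information option
!
! Step 4: verify. The first command lists the enabled VLANs, trusted ports
! and option-82 state; the second lists the bindings learned from clients.
show ip dhcp snooping
show ip dhcp snooping binding
```

The order matters: trust the server-facing port before, or in the same change window as, enabling snooping on the VLANs, because an untrusted server port silently drops every DHCPOFFER and clients simply fail to get addresses.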

To walk through a full Cisco IOS DHCP Server Configuration, check out this configuration guide!

DHCP Snooping Troubleshooting

As mentioned above, the basic configurations help prepare for troubleshooting and make the process simple and straightforward. Here we'll take you through examples of common switch IOS errors.

Error 1

DHCP Error Debug Log:

[Image: DHCP error 1 debug log]

If you ever observe Error 1 in a production network, use the command "ip dhcp relay information trusted" to tell the switch to ignore the unset giaddr field in the DHCP packet. You can also disable option 82 insertion using the "no ip dhcp snooping information option" command in global configuration mode.

Error 2

DHCP Error Debug Log:

[Image: DHCP error 2 debug log: MAC verification failed, chaddr doesn't match]

Your console messages may show Error 2. In this case, DHCP Snooping has detected a device connected to your host port trying to carry out a denial of service attack on another host in the network or on the same switch. Thus, the packet is dropped.

Recommended Action: This is an informational message only appearing on the console logs. In this case, no action is required.

Error 3

DHCP Error Debug Log:

[Image: DHCP error 3 debug log: DHCP server message dropped on untrusted port]

Error 3 messages are very serious for your production network. These messages indicate that a client is being spoofed and a rogue DHCP server is in operation. In this case, you should trace the rogue DHCP server as soon as possible and disable the port. You can trace a fake DHCP server with the help of its MAC address or IP address (i.e. "show mac-address-table" with the DHCP server MAC and "show ip arp" with the DHCP server IP). If you have a valid contract with PivIT Global's OneCall maintenance team, contact us to avoid any disturbance in your production network.
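The response to each of the three errors, written out as the IOS commands an operator would actually type. This is an added example and not part of the original post; the interface names, MAC address and IP address are constructed placeholders, and the port "found" for Error 3 is an assumed lookup result.

```cisco
! Added example (not from the original post). Interface names, the MAC
! address and the IP address below are constructed placeholders.
!
! Error 1: a packet with option 82 and an unset giaddr was dropped on an
! untrusted port. Either accept such packets on the interface that faces the
! upstream relay (GigabitEthernet1/0/47 is assumed) ...
interface GigabitEthernet1/0/47
 ip dhcp relay information trusted
! ... or stop this switch from inserting option 82 altogether.
no ip dhcp snooping information option
!
! Error 2: the DHCP chaddr did not match the frame's source MAC, so the
! packet was dropped. Informational only; just confirm the check is still
! enabled (it is on by default).
ip dhcp snooping verify mac-address
show ip dhcp snooping
!
! Error 3: a DHCP server reply arrived on an untrusted port, i.e. a rogue
! server. Locate the port behind the MAC (or IP) reported in the log ...
show mac-address-table address 0011.2233.4455
show ip arp 10.190.0.250
! ... then disable it. GigabitEthernet1/0/17 is the assumed lookup result.
interface GigabitEthernet1/0/17
 description DISABLED - rogue DHCP server, see incident ticket
 shutdown
!
! Confirm legitimate clients are still being learned into the binding table.
show ip dhcp snooping binding
```

For Error 3, the MAC address printed in the log is the source MAC of the rogue server's offer, so the MAC address table lookup is the fastest route to the physical port; the ARP lookup only helps when the offending IP is in a VLAN this switch routes. Leave a description on the shut port so the reason survives until the incident is closed.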

About PivIT Global

PivIT Global provides the support you need through infrastructure, maintenance, and professional services. Contact us today to chat more about DHCP Snooping or how we can support you through our virtual labs, third-party maintenance and professional services offerings.
