Topic: dhcp snooping on trunk and its implications
sarahr202
Newbie
Member # 32469
posted June 15, 2012 09:30 PM
Hi everybody
I am just wondering what the possible implications of configuring DHCP snooping on a trunk port would be. Let me start with an example:
h1----hub---f1/1 SW1---trunk---f1/2 SW2---dhcp server h2----
The DHCP server and hosts h1 and h2 are in VLAN 2.
We configure DHCP snooping only on SW2 for VLAN 2; trunk port f1/2 is untrusted.
H1 powers up while h2 is turned off. H1 has the MAC address mac1. The following will occur:
1) h1 sends a DHCP broadcast frame with client address mac1.
2) SW2 receives the broadcast over its trunk port f1/2 and forwards it to the DHCP server.
3) The DHCP server sends a DHCP offer containing 199.199.199.1 as the offered address to h1.
4) h1 accepts the offer and sends a DHCP request to the DHCP server.
5) The DHCP server sends a DHCP ack.
After these DHCP messages have been exchanged, SW2 builds the DHCP binding:
199.199.199.1 mac1 f1/2 vlan 2
This tells the switch to check every DHCP message received on its trunk port f1/2 against the above binding.
Now h2 powers up and sends a DHCP discover message containing client hardware address mac2.
SW2 receives the DHCP discover message. What will SW2 do? Will it drop the DHCP discover message because it does not match the binding?
If the answer is yes, that means no more than one host can connect to a trunk port which is configured as untrusted for DHCP snooping.
That also means that, to allow more than one host to receive IP addresses from the DHCP server, the trunk port cannot be configured as untrusted for DHCP snooping. The trunk port must be configured as trusted so hosts can receive IP addresses from the DHCP server.
I will appreciate any input. Thanks and have a great weekend.
Posts: 2 | From: Colorado,usa | Registered: Jun 2012
sarahr202
Newbie
Member # 32469
posted June 16, 2012 06:19 AM
Thanks Oxana. "discovery message from Host 2 will not be dropped."
h1--hub--f/1 Sw1-trunk--f1/2 SW2--dhcp server h2--hub
If SW2 does not drop the DHCP discover message, it will pose a security issue: DHCP pool exhaustion.
Let's revisit the problem.
SW2 is configured with DHCP snooping; its trunk port f1/2 is untrusted. SW1 is at the default setting, i.e. no DHCP snooping. H1 powers up and exchanges DHCP messages. SW2 builds a DHCP binding: mac1 199.199.199.1 f1/2 vlan 2
Now H2 powers up. H2 is a rogue host ready to cause DHCP pool exhaustion using some hacking tools.
Since SW2 is not dropping the DHCP discover message from h2, this indicates SW2 is not checking any DHCP messages against the binding:
mac1 199.199.199.1 f1/2 vlan 2
H2 powers up and, as you said, SW2 will not drop its DHCP discover message. SW2 builds a DHCP binding: mac2 199.199.199.2 f1/2 vlan 2
Being a rogue host, h2 crafts another DHCP discover message, this time with a different client hardware address, say mac3. SW2 builds another DHCP binding: mac3 199.199.199.3 f1/2 vlan 2
If h2 continues crafting DHCP discover messages, soon all IP addresses will be assigned by the DHCP server, and eventually it will cause DHCP pool exhaustion.
==============================================
My question is: if SW2 does allow DHCP messages from h2 on its untrusted trunk port, it will cause DHCP pool exhaustion. On the other hand, if SW2 drops h2's DHCP message, it will mean only one host (in our case h1) will be able to acquire an IP address from the DHCP server.
In a nutshell: how does a switch with DHCP snooping enabled react when it receives DHCP messages from different hosts in the same VLAN on its untrusted trunk port? Thanks and have a great weekend.
Posts: 2 | From: Colorado,usa | Registered: Jun 2012
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted June 17, 2012 12:08 AM
You can't limit the number of DHCP clients with DHCP snooping. DHCP snooping validates DHCP packets by checks like matching chaddr to hwaddr, the option 82 check, giaddr, etc. By doing these, it prevents DHCP starvation.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
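The behaviour discussed in both questions above and in Kingsley's answer, as an added example that is my own code and not from any poster or from a switch vendor: a small Python model of a DHCP-snooping switch that applies the per-packet checks on an untrusted port (server messages, giaddr/option 82, chaddr versus frame source MAC, RELEASE/DECLINE from the wrong port) and builds one binding per client MAC. The trunk f1/2, VLAN 2 and the 199.199.199.x addresses come from the thread; the server-facing port f1/3, the `DhcpPacket` field layout, the class and function names and the 10.0.0.5 rogue-offer address are constructed assumptions.

```python
from dataclasses import dataclass

# Option 53 message-type codes from RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpPacket:
    """Only the fields DHCP snooping looks at (constructed model, not a real parser)."""
    port: str            # switch port the frame arrived on
    vlan: int
    src_mac: str         # Ethernet source address of the frame
    chaddr: str          # client hardware address in the DHCP header
    msg_type: int
    yiaddr: str = ""     # address the server hands out (OFFER/ACK)
    giaddr: str = "0.0.0.0"
    has_option82: bool = False


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


class SnoopingSwitch:
    """Hypothetical switch applying the untrusted-port checks named in the thread."""

    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac       # like 'ip dhcp snooping verify mac-address'
        self.bindings = {}                 # (mac, vlan) -> Binding
        self.pending = {}                  # (chaddr, vlan) -> client port, until the ACK
        self.dropped = []                  # (packet, reason) for inspection

    def _drop(self, pkt, reason):
        self.dropped.append((pkt, reason))
        return False

    def process(self, pkt):
        """Return True if the packet is forwarded, False if snooping drops it."""
        if pkt.port in self.trusted:
            return self._from_trusted(pkt)
        return self._from_untrusted(pkt)

    def _from_trusted(self, pkt):
        # Server replies on trusted ports are forwarded; an ACK creates the binding
        # on the port where the matching client request was seen.
        if pkt.msg_type == ACK:
            client_port = self.pending.pop((pkt.chaddr, pkt.vlan), None)
            if client_port is not None:
                self.bindings[(pkt.chaddr, pkt.vlan)] = Binding(
                    pkt.chaddr, pkt.yiaddr, client_port, pkt.vlan)
        return True

    def _from_untrusted(self, pkt):
        # Rule 1: server-originated messages never arrive on an untrusted port
        if pkt.msg_type in SERVER_MESSAGES:
            return self._drop(pkt, "server message on untrusted port")
        # Rule 2: relay-agent fields imply a relay, which an untrusted port is not
        if pkt.giaddr != "0.0.0.0" or pkt.has_option82:
            return self._drop(pkt, "giaddr/option 82 from untrusted port")
        # Rule 3: chaddr must match the frame's source MAC
        if self.verify_mac and pkt.chaddr != pkt.src_mac:
            return self._drop(pkt, "chaddr does not match source MAC")
        # Rule 4: RELEASE/DECLINE must come from the port that holds the binding
        if pkt.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get((pkt.chaddr, pkt.vlan))
            if b is not None and b.port != pkt.port:
                return self._drop(pkt, "release/decline from wrong port")
        # A client request is remembered so the server's ACK can be tied to this port
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[(pkt.chaddr, pkt.vlan)] = pkt.port
        return True


def run_thread_scenario():
    """Replay the thread's topology: f1/2 is the untrusted trunk, f1/3 (assumed) faces the server."""
    sw2 = SnoopingSwitch(trusted_ports={"f1/3"})
    # h1 obtains 199.199.199.1 (address from the thread)
    sw2.process(DhcpPacket("f1/2", 2, "mac1", "mac1", DISCOVER))
    sw2.process(DhcpPacket("f1/3", 2, "srv", "mac1", OFFER, yiaddr="199.199.199.1"))
    sw2.process(DhcpPacket("f1/2", 2, "mac1", "mac1", REQUEST))
    sw2.process(DhcpPacket("f1/3", 2, "srv", "mac1", ACK, yiaddr="199.199.199.1"))
    # h2, a second host on the same untrusted trunk, is NOT dropped: bindings are per MAC
    h2_forwarded = sw2.process(DhcpPacket("f1/2", 2, "mac2", "mac2", DISCOVER))
    sw2.process(DhcpPacket("f1/3", 2, "srv", "mac2", ACK, yiaddr="199.199.199.2"))
    # A forged chaddr (mac3) in a frame still sourced from mac2 fails MAC verification
    forged_forwarded = sw2.process(DhcpPacket("f1/2", 2, "mac2", "mac3", DISCOVER))
    # An OFFER arriving on the untrusted trunk (constructed rogue server) is dropped
    rogue_offer = sw2.process(DhcpPacket("f1/2", 2, "mac9", "mac1", OFFER, yiaddr="10.0.0.5"))
    return {
        "h2_forwarded": h2_forwarded,
        "forged_chaddr_forwarded": forged_forwarded,
        "rogue_offer_forwarded": rogue_offer,
        "bindings": {k[0]: (b.ip, b.port) for k, b in sw2.bindings.items()},
        "drop_reasons": [r for _, r in sw2.dropped],
    }


if __name__ == "__main__":
    for key, value in run_thread_scenario().items():
        print(key, value)
```

Running it, both h1 and h2 end up with bindings on the same untrusted trunk, which is the answer to the question in the thread: the binding table is keyed by client MAC and VLAN, not by port, so a second host's DISCOVER is not dropped. What the untrusted port does drop is a frame whose chaddr differs from its source MAC and any OFFER/ACK/NAK arriving from the untrusted side. The checks are per packet, not per client count, so snooping cannot cap how many bindings one port accumulates, which is Kingsley's point; that is why untrusted ports are normally also given `ip dhcp snooping limit rate` rather than relying on snooping alone against starvation.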