Wednesday, January 6, 2010

DHCP Snooping on Cisco Switches

DHCP protocol is widely used and have security issues as it was build long time ago before there was need for network security. Cisco have implemented several enhancements in IOS to (partially) protect and stop most of the DHCP attacks. Port Security, DHCP Snooping, IP Source Guard and Dynamic ARP Inspections are mostly used these days.

DHCP Snooping is a security feature which protect the network clients to receive IP settings from rogue DHCP servers. Ports can be classified into 2 types: trusted and untrusted. Ports which are connected to a authorized DHCP servers have to be configured as trusted. All the rest should be configured as untrusted (the default value). Trusted ports are bypassed from DHCP Snooping validation. DHCP Snooping feature can be enabled per Vlan.

Enabling this feature will create DHCP Snooping binding database  with support up to 8192 entries. In that database there are records for: IP address of the client, MAC Address of the client, DHCP lease time, Interface on which the client is connected and VLAN number (there are also checksums for each entry and one checksum for the file)

The switch is comparing Source MAC Address with DHCP CHADDR (Client Hardware Address). If those 2 addresses match, packet is forwarded. In other case, the packet is dropped.

The switch will drop the packet if:

  1. Packet originated from DHCP server is received on untrusted port
  2. The Source MAC Address is different then the CHADDR
  3. The switch receive a DHCPRELEASE on interface for a MAC address which doesn't match the interface in the DHCP Snooping binding database
  4. DHCP relay agent forwards a packet that includes option-82 information to an untrusted port. (this situation will be covered in another post, as I've experienced this in practice recently)

Example of DHCP Snooping configuration:

Switch(config)# ip dhcp snooping
Switch(config)ip dhcp snooping vlan 101-102,104,301,1000

Show commands:

show ip dhcp snooping

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
101-102,104,301,1000
DHCP snooping is operational on following VLANs:
101-102,104,301,1000
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

show ip dhcp snooping binding

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:21:70:15:EA:8D   10.216.20.55     244958      dhcp-snooping   101   FastEthernet3/0/22
00:1C:23:4F:F3:DD   10.216.20.43     244166      dhcp-snooping   101   FastEthernet1/0/10
00:1C:23:4F:F3:10   10.216.20.37     246563      dhcp-snooping   101   FastEthernet4/0/16
00:1C:25:97:57:63   10.216.20.42     258392      dhcp-snooping   101   FastEthernet4/0/23
00:1C:23:4F:E6:E1   10.216.20.30     240567      dhcp-snooping   101   FastEthernet3/0/18
00:21:70:15:E9:14   10.216.20.26     152945      dhcp-snooping   101   FastEthernet3/0/2
00:1C:23:5A:F7:93   10.216.20.34     160704      dhcp-snooping   101   FastEthernet2/0/9
00:1C:23:4F:F6:4B   10.216.20.45     245043      dhcp-snooping   101   FastEthernet1/0/14
00:1C:23:4F:F4:24   10.216.20.48     97990       dhcp-snooping   101   FastEthernet3/0/12
00:1C:23:4F:F6:BF   10.216.20.36     244629      dhcp-snooping   101   FastEthernet1/0/21
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:24:E8:BC:FF:6E   10.216.20.54     252080      dhcp-snooping   101   FastEthernet2/0/12
00:22:68:13:55:A8   10.216.20.47     253335      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:F2   10.216.20.31     252408      dhcp-snooping   101   FastEthernet2/0/19
00:1E:C9:70:D4:F2   10.216.20.82     201709      dhcp-snooping   101   FastEthernet3/0/16
00:0F:1F:EA:23:04   10.216.20.69     226910      dhcp-snooping   101   FastEthernet4/0/14
00:21:70:15:F8:06   10.216.20.32     243896      dhcp-snooping   101   FastEthernet3/0/1
00:21:70:15:EA:0E   10.216.20.57     158323      dhcp-snooping   101   FastEthernet3/0/10
00:21:70:15:EB:78   10.216.20.41     248641      dhcp-snooping   101   FastEthernet2/0/21
00:21:70:16:00:9D   10.216.20.38     159319      dhcp-snooping   101   FastEthernet2/0/11
00:21:70:15:EB:15   10.216.20.59     247514      dhcp-snooping   101   FastEthernet2/0/18
00:1A:6B:D4:53:C5   10.216.20.52     248756      dhcp-snooping   101   FastEthernet4/0/23
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:25:97:81:55   10.216.20.51     255468      dhcp-snooping   101   FastEthernet4/0/20
00:22:68:13:28:40   10.216.20.40     255690      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:C9   10.216.20.33     242025      dhcp-snooping   101   FastEthernet4/0/17
00:21:70:15:FF:E1   10.216.20.46     250732      dhcp-snooping   101   FastEthernet1/0/18
00:1C:23:5A:F7:EE   10.216.20.27     241494      dhcp-snooping   101   FastEthernet2/0/10
00:24:E8:D5:CF:9E   10.216.20.60     244181      dhcp-snooping   101   FastEthernet3/0/15
00:21:70:AF:C0:BF   10.216.20.53     243784      dhcp-snooping   101   FastEthernet4/0/19
00:21:70:B0:48:68   10.216.20.49     246445      dhcp-snooping   101   FastEthernet5/0/20
00:1C:23:4F:86:F4   10.216.20.44     242733      dhcp-snooping   101   FastEthernet1/0/15
00:1C:23:4F:F4:DB   10.216.20.35     239051      dhcp-snooping   101   FastEthernet2/0/2
00:21:70:15:FB:FF   10.216.20.87     243821      dhcp-snooping   101   FastEthernet3/0/6

show ip dhcp snooping statistics detail

Switch#show ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping                    = 1823
Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 680
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

And log messages when some PC are trying to use different MAC address then their hardware address:

Jan  6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan  6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763

17 comments:

Anonymous said...

Hello,

Having DHCP snooping on users vlan since a while, and no change done on Cisco switch configuration, what could explain an issue for users to obtain a new DHCP lease?

DHCP server is working fine and is able to deliver leases on others vlans.

For the moment, I've disabled the DHCP snooping to restore connectivity to users.

Thanks in advance for any answer.

Best regards.

DarkSide said...

Hello
Can you provide me the logs from your switch. Also would it be possible to configure new vlan and to assign new DHCP scope for that vlan and enable snooping just for that vlan, and test with a machine? Before that you can enable "debug ip dhcp snooping events" and "debug ip dhcp packets". That should provide me with more details to look into this. Do you use dhcp option 82 for your vlans?

Anonymous said...

Hello,

Thanks for answering my post.

Syslogs are not showing anything relevant.
They're full of such messages which are there since a while too...

Aug 30 18:00:34 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:01:58 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:02:40 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c

DHCP option 82 is disabled.

Else, for the troubleshoot, it will take some time to have all of these completed as asked, but it's feasible.

I'll keep you posted tomorrow with the debug outputs.

Cheers.

DarkSide said...

Hello
Those drops are there because the client HARDWARE MAC address (CHADDR) is not the same as the source MAC address of the machines which are requesting IP addresses. You can see the CHADDR in the MAC address table. If this was working before and suddenly all the users had the same problem, I would suspect installation of a new application which deals with network interfaces, or an update of an operating system. Would be great to have the debugs. Also, is the DHCP server connected on the same switch, or it is few hops away from the clients connected on this switch?
Thanks!

Anonymous said...

PS: per floor
150/175 users + printers and meeting rooms

Anonymous said...

Hello,

I did the troubleshoot with my laptop as test machine.
It was connected to the same switch, on another vlan with DHCP snooping only on this vlan.

Nothing relevant with the debug session:

#debug ip dhcp snooping event
DHCP Snooping Event debugging is on
#debug ip dhcp snooping packet
DHCP Snooping Packet debugging is on
#
Aug 31 16:53:52 CEST: DHCP_SNOOPING: checking expired snoop binding entries

(the last syslog message is repeated each 2 minutes)



Else, the DHCP servers are not connected to this access switch but in our datacenters.

Uplinks to the distrib switches are DHCP snooping trusted (users ports are all untrusted of course).



Any other idea? :(

Thanks again.

Anonymous said...

Some additional notes:

using Wireshark to capture DHCP packets, only the DHCP Discover is sent, without any DHCP Offer reply from server.
(packet DHCP Discover sent 5 times)

Changing the switchport vlan to a non-snooped vlan, and Wireshark is showing the complete DHCP session:
DHCP Discover
DHCP Offer
DHCP Request
DHCP ACK

DarkSide said...

Hmm.. this is interesting.. What is the message in the log of the switch? Do you have "ip helper address" configured on the SVI (interface vlan)?

Anonymous said...

Which message in the log are you referring to?
This is the only debug output in the syslog:

DHCP_SNOOPING: checking expired snoop binding entries



"interface vlan" is on distrib switches, and yes, there's the ip helper-address command.

Between access and distrib, trunks are allowing the same list of vlans.



Could it be a bug of IOS?
(I'll try removing the trusted, and putting back again)

Else, I'll open a TAC and don't bother you anylonger.

Your help has been really appreciated!

Kind regards.

DarkSide said...

I've meant for the new vlan that you've created for test. In my understanding the interface vlan which is on distribution switch should have "ip helper" set to be able to unicast the DHCP discovers messages. To me it seems like the DHCP messages didn't reached the DHCP server due to ip helper settings on the new vlan. If they were stopped on the access switch due to dhcp snooping, you would saw a log message on the access switch.
Would be great if you comment back once you have the solution.

Anonymous said...

Hello,

In fact, it's not a new vlan.
It's a separate vlan used for meeting rooms only.

L3 config on distrib is ok and having the "ip helper-address" set.
It's configured the same than for users vlan.

Unfortunately, no syslog messages on the access switch showing the reason of the blocking packets due to DHCP snooping.

I'll keep you posted for sure...

BR.

Anonymous said...

Hello,

Just to give you an update regarding the issue I got earlier...

The DHCP snooping configuration had to be completely removed and put-back, in order to restore the good behavior.
Users are now getting their DHCP leases without any problem.

Configs before and after the fixup are the same.

Meanwhile, no bug has been identified with Cisco.
Investigations are still on-going.

I'll keep you posted if any news related to a bug...

Thanks for your assistance.

Best regards.

Anonymous said...

HI, what IOS version were you running when you experienced this problem. I am going to enable snooping and would like to know the version that is most stable.

Anonymous said...

I rolled out snooping a while ago and started seeing this issue. It looks like the MAC is being spoofed because it's not in the table, however I found that the chaddr address is the wireless Nic MAC and the SA address is the wired NIC MAC for the affected hosts. Turning off wireless whilst connected to the wired network worked for me. Hope this helps.

Anonymous said...

I have enable DHCP snooping on my 900 equipments. I can see also this erro:%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: MACOFTHEWIRELESSCARD, MAC sa: MACOFTHEWIREDCARD

I have this issue only on 2960 equipments. With this IOS: 12.2(44)SE6 and with a 12.2(44)SE6 also. I confirm that when I disable the wireless card, the problem disappears. But why is the wireless card talking with the wired ?

Matt said...

I'm also having this issue, are there any recommendations on applications that can be installed on the workstations to allow only one connection to the network? Either wired or wireless?

Also, I think the previous person had a great question. Why would the MAC address of the wireless NIC be seen on the switchport?

shani kashti said...

this command will stop all the comparation the switch doing withween the CHADDR AND THE MACHINE MAC ADDRESS :

"no ip dhco snooping verify mac-address"

this will stop all the loggs you have.

this is what i did in my company.