DHCP is widely used and has security issues because it was designed long before network security was a concern: a client accepts an offer from whichever server answers first, and nothing in the protocol authenticates either side. Cisco has implemented several enhancements in IOS to (partially) protect against and stop most DHCP attacks. Port Security, DHCP Snooping, IP Source Guard and Dynamic ARP Inspection are the ones mostly used these days.
DHCP Snooping is a security feature which protects network clients from receiving IP settings from rogue DHCP servers. Ports are classified into two types: trusted and untrusted. Ports connected to authorized DHCP servers, or the uplinks leading toward them, have to be configured as trusted; all the rest should stay untrusted, which is the default. Trusted ports bypass DHCP Snooping validation entirely, so a rogue server plugged into a trusted port is not stopped. DHCP Snooping is enabled per VLAN.
Enabling the feature creates the DHCP Snooping binding database, with support for up to 8192 entries. Each record holds the IP address of the client, the MAC address of the client, the DHCP lease time, the interface the client is connected on and the VLAN number (there is also a checksum for each entry and one checksum for the database file). IP Source Guard and Dynamic ARP Inspection rely on this database to validate client traffic.
On untrusted ports the switch compares the frame's source MAC address with the DHCP CHADDR (Client Hardware Address) field. If the two addresses match, the packet is forwarded; otherwise it is dropped. This check is enabled by default (ip dhcp snooping verify mac-address) and shows up as "Verification of hwaddr field is enabled" in the show output below.
The switch will drop a DHCP packet if:
- A packet originating from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) is received on an untrusted port
- The source MAC address of the frame is different from the CHADDR (on untrusted ports, with mac-address verification enabled)
- A packet with a nonzero giaddr (relay agent address) arrives on an untrusted port (the "Verification of giaddr field" and "Nonzero giaddr" lines in the show output below)
- The switch receives a DHCPRELEASE (or DHCPDECLINE) on an interface for a MAC address whose entry in the DHCP Snooping binding database points to a different interface
- A DHCP relay agent forwards a packet that includes option-82 information to an untrusted port (this situation will be covered in another post, as I've experienced it in practice recently)
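The decision logic above, as an added example that is neither Cisco's code nor part of the original post: a small Python model that parses raw Ethernet/IPv4/UDP/BOOTP frames and applies the untrusted-port rules, including the DHCPDECLINE case that Cisco documents alongside DHCPRELEASE. The frames, the binding entry, the server MAC and the port names are constructed for the example; the two client MACs are copied from the log lines later in the post.

```python
"""Model of the DHCP Snooping forwarding decision for one frame on one port.

Added example, not Cisco's code: it re-implements the drop rules listed above
over raw Ethernet/IPv4/UDP/BOOTP frames built inline (no checksums, no real
network). Binding entry, server MAC and port names are made up.
"""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_DISCOVER, MSG_OFFER, MSG_DECLINE, MSG_RELEASE = 1, 2, 4, 7
BOOTREQUEST, BOOTREPLY = 1, 2

@dataclass
class Binding:                      # one row of "show ip dhcp snooping binding"
    mac: bytes
    vlan: int
    interface: str

def parse_options(opts: bytes) -> dict:
    """Parse the DHCP options area (after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:            # pad byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out

def snoop(frame: bytes, trusted: bool, interface: str, bindings: list) -> tuple:
    """Return ('forward' | 'drop', reason) for a frame arriving on `interface`."""
    eth_src = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        return ("forward", "not IPv4, not inspected")
    ip = frame[14:]
    if ip[9] != 17:                                 # IP protocol field
        return ("forward", "not UDP, not inspected")
    udp = ip[(ip[0] & 0x0F) * 4:]                   # skip IHL*4 header bytes
    if struct.unpack("!HH", udp[:4]) not in ((68, 67), (67, 68)):
        return ("forward", "not DHCP, not inspected")
    if trusted:                                     # trusted ports skip every check
        return ("forward", "trusted port, validation bypassed")
    bootp = udp[8:]
    op, hlen = bootp[0], bootp[2]
    giaddr, chaddr = bootp[24:28], bootp[28:28 + hlen]
    options = parse_options(bootp[240:]) if bootp[236:240] == DHCP_MAGIC else {}
    if op == BOOTREPLY:                             # a server answering from a client port
        return ("drop", "received on untrusted ports")
    if giaddr != b"\x00" * 4:                       # only a relay agent may set giaddr
        return ("drop", "nonzero giaddr")
    if chaddr != eth_src:                           # the "verify mac-address" check
        return ("drop", "source mac not equal to chaddr")
    if OPT_RELAY_AGENT in options:                  # option 82 must not come from a client
        return ("drop", "option 82 on untrusted port")
    if options.get(OPT_MSG_TYPE, b"\x00")[0] in (MSG_RELEASE, MSG_DECLINE):
        known = [b for b in bindings if b.mac == chaddr]   # a lease may only be
        if not known or known[0].interface != interface:   # released from its own port
            return ("drop", "binding mismatch")
    return ("forward", "ok")

def build_dhcp(eth_src: bytes, chaddr: bytes, msg_type: int, op: int = BOOTREQUEST,
               giaddr: bytes = b"\x00" * 4, extra_opts: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/BOOTP frame (constructed test input)."""
    opts = bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_opts + bytes([OPT_END])
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)
    bootp += b"\x00" * 12 + giaddr              # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")          # chaddr is a 16-byte field
    bootp += b"\x00" * 192 + DHCP_MAGIC + opts  # sname(64) + file(128), then options
    sport, dport = (68, 67) if op == BOOTREQUEST else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip

def demo() -> dict:
    """Run the rules over constructed frames; returns {case name: reason}."""
    client = bytes.fromhex("001c25975763")      # 001c.2597.5763 from the post's logs
    other = bytes.fromhex("002268e1e669")       # 0022.68e1.e669, another client
    server = bytes.fromhex("00005e000101")      # made-up DHCP server MAC
    port, uplink = "FastEthernet4/0/23", "GigabitEthernet1/0/1"
    table = [Binding(client, 101, port)]        # lease for `client` learned on `port`
    opt82 = bytes([OPT_RELAY_AGENT, 4, 1, 2, 0, 1])   # circuit-id sub-option
    relay_ip = bytes([10, 216, 20, 1])
    offer = build_dhcp(server, client, MSG_OFFER, op=BOOTREPLY)
    cases = {  # name: (frame, port is trusted, ingress interface)
        "discover_ok": (build_dhcp(client, client, MSG_DISCOVER), False, port),
        "spoofed_chaddr": (build_dhcp(client, other, MSG_DISCOVER), False, port),
        "offer_on_client_port": (offer, False, port),
        "offer_on_uplink": (offer, True, uplink),
        "relayed_from_client": (build_dhcp(client, client, MSG_DISCOVER, giaddr=relay_ip), False, port),
        "option82_from_client": (build_dhcp(client, client, MSG_DISCOVER, extra_opts=opt82), False, port),
        "release_wrong_port": (build_dhcp(client, client, MSG_RELEASE), False, "FastEthernet1/0/10"),
        "release_own_port": (build_dhcp(client, client, MSG_RELEASE), False, port),
    }
    return {name: snoop(f, t, i, table)[1] for name, (f, t, i) in cases.items()}
```

Calling demo() returns the reason string for each constructed case; the strings deliberately mirror the drop counters printed by "show ip dhcp snooping statistics detail" further down, so the model can be read side by side with the real output.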
Example of DHCP Snooping configuration (global enable plus the VLANs to inspect; the port facing the DHCP server, or the uplink toward it, must additionally be marked trusted with ip dhcp snooping trust under its interface, otherwise the server's replies are dropped as "received on untrusted ports"):
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 101-102,104,301,1000
Show commands:
show ip dhcp snooping
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
101-102,104,301,1000
DHCP snooping is operational on following VLANs:
101-102,104,301,1000
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
show ip dhcp snooping binding
Switch#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:21:70:15:EA:8D 10.216.20.55 244958 dhcp-snooping 101 FastEthernet3/0/22
00:1C:23:4F:F3:DD 10.216.20.43 244166 dhcp-snooping 101 FastEthernet1/0/10
00:1C:23:4F:F3:10 10.216.20.37 246563 dhcp-snooping 101 FastEthernet4/0/16
00:1C:25:97:57:63 10.216.20.42 258392 dhcp-snooping 101 FastEthernet4/0/23
00:1C:23:4F:E6:E1 10.216.20.30 240567 dhcp-snooping 101 FastEthernet3/0/18
00:21:70:15:E9:14 10.216.20.26 152945 dhcp-snooping 101 FastEthernet3/0/2
00:1C:23:5A:F7:93 10.216.20.34 160704 dhcp-snooping 101 FastEthernet2/0/9
00:1C:23:4F:F6:4B 10.216.20.45 245043 dhcp-snooping 101 FastEthernet1/0/14
00:1C:23:4F:F4:24 10.216.20.48 97990 dhcp-snooping 101 FastEthernet3/0/12
00:1C:23:4F:F6:BF 10.216.20.36 244629 dhcp-snooping 101 FastEthernet1/0/21
00:24:E8:BC:FF:6E 10.216.20.54 252080 dhcp-snooping 101 FastEthernet2/0/12
00:22:68:13:55:A8 10.216.20.47 253335 dhcp-snooping 101 FastEthernet4/0/23
00:21:70:15:FC:F2 10.216.20.31 252408 dhcp-snooping 101 FastEthernet2/0/19
00:1E:C9:70:D4:F2 10.216.20.82 201709 dhcp-snooping 101 FastEthernet3/0/16
00:0F:1F:EA:23:04 10.216.20.69 226910 dhcp-snooping 101 FastEthernet4/0/14
00:21:70:15:F8:06 10.216.20.32 243896 dhcp-snooping 101 FastEthernet3/0/1
00:21:70:15:EA:0E 10.216.20.57 158323 dhcp-snooping 101 FastEthernet3/0/10
00:21:70:15:EB:78 10.216.20.41 248641 dhcp-snooping 101 FastEthernet2/0/21
00:21:70:16:00:9D 10.216.20.38 159319 dhcp-snooping 101 FastEthernet2/0/11
00:21:70:15:EB:15 10.216.20.59 247514 dhcp-snooping 101 FastEthernet2/0/18
00:1A:6B:D4:53:C5 10.216.20.52 248756 dhcp-snooping 101 FastEthernet4/0/23
00:1C:25:97:81:55 10.216.20.51 255468 dhcp-snooping 101 FastEthernet4/0/20
00:22:68:13:28:40 10.216.20.40 255690 dhcp-snooping 101 FastEthernet4/0/23
00:21:70:15:FC:C9 10.216.20.33 242025 dhcp-snooping 101 FastEthernet4/0/17
00:21:70:15:FF:E1 10.216.20.46 250732 dhcp-snooping 101 FastEthernet1/0/18
00:1C:23:5A:F7:EE 10.216.20.27 241494 dhcp-snooping 101 FastEthernet2/0/10
00:24:E8:D5:CF:9E 10.216.20.60 244181 dhcp-snooping 101 FastEthernet3/0/15
00:21:70:AF:C0:BF 10.216.20.53 243784 dhcp-snooping 101 FastEthernet4/0/19
00:21:70:B0:48:68 10.216.20.49 246445 dhcp-snooping 101 FastEthernet5/0/20
00:1C:23:4F:86:F4 10.216.20.44 242733 dhcp-snooping 101 FastEthernet1/0/15
00:1C:23:4F:F4:DB 10.216.20.35 239051 dhcp-snooping 101 FastEthernet2/0/2
00:21:70:15:FB:FF 10.216.20.87 243821 dhcp-snooping 101 FastEthernet3/0/6
show ip dhcp snooping statistics detail
Switch#show ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping = 1823
Packets Dropped Because
  IDB not known = 0
  Queue full = 0
  Interface is in errdisabled = 0
  Rate limit exceeded = 0
  Received on untrusted ports = 0
  Nonzero giaddr = 0
  Source mac not equal to chaddr = 680
  Binding mismatch = 0
  Insertion of opt82 fail = 0
  Interface Down = 0
  Unknown output interface = 0
  Reply output port equal to input port = 0
  Packet denied by platform = 0
Of the 1823 packets processed above, 680 were dropped because the source MAC did not equal the CHADDR. These are the matching log messages, produced when a host sends a DHCP message whose CHADDR differs from its frame's source MAC address. They are severity 5 (notification) messages, and each one is a DHCPDISCOVER or DHCPREQUEST that was dropped, so a host that keeps appearing here will not obtain a lease. Turning the check off with no ip dhcp snooping verify mac-address silences the messages but also removes the protection against clients requesting leases under borrowed hardware addresses, so it is better to find the host on the port and fix it:
Jan 6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan 6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
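A way to triage these messages in bulk, as an added example that is not part of the original post: it parses the message format shown above, converts the dotted Cisco MAC notation into the colon form used by "show ip dhcp snooping binding", and groups the drops by source MAC so that one host re-sending the same mismatched pair can be told apart from one port that presents many different CHADDR values, which is what a DHCP starvation or spoofing attempt looks like through this counter. SAMPLE_LOG is constructed: the first three lines copy the shape of the messages above, the rest are invented, and the threshold of three distinct CHADDR values is an arbitrary illustration value.

```python
"""Triage of DHCP_SNOOPING_MATCH_MAC_FAIL syslog lines.

Added example, not part of the original post. SAMPLE_LOG is constructed in
the shape of the messages shown above; the spoof threshold is arbitrary.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:.*?message type: (?P<msg>\w+), "
    r"chaddr: (?P<chaddr>[0-9a-fA-F.]{14}), MAC sa: (?P<sa>[0-9a-fA-F.]{14})"
)

# Constructed sample: three lines in the shape of the post's messages, three
# invented lines from one source MAC cycling through CHADDR values, one unrelated line.
SAMPLE_LOG = """\
Jan 6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan 6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 10:02:10.001 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0001, MAC sa: 00aa.bbcc.dd01
Jan 6 10:02:10.002 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0002, MAC sa: 00aa.bbcc.dd01
Jan 6 10:02:10.003 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0003, MAC sa: 00aa.bbcc.dd01
Jan 6 10:03:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

def to_colon(mac: str) -> str:
    """0021.6a31.a2ec -> 00:21:6A:31:A2:EC, the notation of the binding table."""
    digits = mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse(lines):
    """Yield (message type, chaddr, source MAC) for every matching line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["msg"], to_colon(m["chaddr"]), to_colon(m["sa"])

def triage(lines, spoof_threshold: int = 3) -> dict:
    """Group drops by source MAC (the MAC actually on the port) and label each one."""
    per_sa = defaultdict(Counter)
    for _msg, chaddr, sa in parse(lines):
        per_sa[sa][chaddr] += 1
    report = {}
    for sa, chaddrs in per_sa.items():
        if len(chaddrs) >= spoof_threshold:
            verdict = "many chaddr values from one source: possible starvation/spoofing"
        else:
            verdict = "stable mismatched pair: one misbehaving host, check that port"
        report[sa] = {"drops": sum(chaddrs.values()), "distinct_chaddr": len(chaddrs),
                      "chaddrs": sorted(chaddrs), "verdict": verdict}
    return report

def run_sample() -> dict:
    """Triage the constructed SAMPLE_LOG."""
    return triage(SAMPLE_LOG.splitlines())
```

The source MAC is the key to group on because it is the address the switch really saw on the wire; it can be located with "show mac address-table address" and matched against the binding table, while the CHADDR is whatever the client's DHCP software chose to put in the packet.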
18 comments:
Hello,
Having had DHCP snooping on the users' VLAN for a while, with no change made to the Cisco switch configuration, what could explain users having an issue obtaining a new DHCP lease?
The DHCP server is working fine and is able to deliver leases on other VLANs.
For the moment, I've disabled DHCP snooping to restore connectivity for users.
Thanks in advance for any answer.
Best regards.
Hello
Can you provide me with the logs from your switch? Also, would it be possible to configure a new VLAN, assign a new DHCP scope to that VLAN, enable snooping just for that VLAN, and test with a machine? Before that you can enable "debug ip dhcp snooping events" and "debug ip dhcp packets". That should provide me with more details to look into this. Do you use DHCP option 82 for your VLANs?
Hello,
Thanks for answering my post.
Syslogs are not showing anything relevant.
They're full of messages like these, which have been there for a while too...
Aug 30 18:00:34 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:01:58 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:02:40 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
DHCP option 82 is disabled.
Otherwise, for the troubleshooting, it will take some time to have all of these completed as asked, but it's feasible.
I'll keep you posted tomorrow with the debug outputs.
Cheers.
Hello
Those drops are there because the client hardware MAC address (CHADDR) is not the same as the source MAC address of the machines which are requesting IP addresses. You can see the CHADDR in the MAC address table. If this was working before and suddenly all the users had the same problem, I would suspect the installation of a new application which deals with network interfaces, or an update of an operating system. It would be great to have the debugs. Also, is the DHCP server connected to the same switch, or is it a few hops away from the clients connected to this switch?
Thanks!
PS: per floor
150/175 users + printers and meeting rooms
Hello,
I did the troubleshooting with my laptop as the test machine.
It was connected to the same switch, on another VLAN, with DHCP snooping only on this VLAN.
Nothing relevant in the debug session:
#debug ip dhcp snooping event
DHCP Snooping Event debugging is on
#debug ip dhcp snooping packet
DHCP Snooping Packet debugging is on
#
Aug 31 16:53:52 CEST: DHCP_SNOOPING: checking expired snoop binding entries
(the last syslog message is repeated each 2 minutes)
Otherwise, the DHCP servers are not connected to this access switch but are in our datacenters.
Uplinks to the distribution switches are DHCP snooping trusted (user ports are all untrusted, of course).
Any other idea? :(
Thanks again.
Some additional notes:
Using Wireshark to capture DHCP packets, only the DHCP Discover is sent, without any DHCP Offer reply from the server.
(The DHCP Discover packet is sent 5 times.)
After changing the switchport VLAN to a non-snooped VLAN, Wireshark shows the complete DHCP session:
DHCP Discover
DHCP Offer
DHCP Request
DHCP ACK
Hmm... this is interesting. What is the message in the log of the switch? Do you have "ip helper-address" configured on the SVI (interface vlan)?
Which message in the log are you referring to?
This is the only debug output in the syslog:
DHCP_SNOOPING: checking expired snoop binding entries
"interface vlan" is on the distribution switches, and yes, the ip helper-address command is there.
Between access and distribution, the trunks allow the same list of VLANs.
Could it be an IOS bug?
(I'll try removing the trust and putting it back again.)
Otherwise, I'll open a TAC case and not bother you any longer.
Your help has been really appreciated!
Kind regards.
I meant the new VLAN that you've created for the test. In my understanding the interface vlan which is on the distribution switch should have "ip helper" set to be able to unicast the DHCP discover messages. To me it seems like the DHCP messages didn't reach the DHCP server due to the ip helper settings on the new VLAN. If they were stopped on the access switch due to DHCP snooping, you would have seen a log message on the access switch.
It would be great if you comment back once you have the solution.
Hello,
In fact, it's not a new VLAN.
It's a separate VLAN used for meeting rooms only.
The L3 config on the distribution switch is OK and has the "ip helper-address" set.
It's configured the same as for the users' VLAN.
Unfortunately, there are no syslog messages on the access switch showing the reason for the packets blocked by DHCP snooping.
I'll keep you posted for sure...
BR.
Hello,
Just to give you an update regarding the issue I got earlier...
The DHCP snooping configuration had to be completely removed and put back in order to restore the correct behavior.
Users are now getting their DHCP leases without any problem.
The configs before and after the fix are the same.
Meanwhile, no bug has been identified with Cisco.
Investigations are still on-going.
I'll keep you posted if any news related to a bug...
Thanks for your assistance.
Best regards.
Hi, what IOS version were you running when you experienced this problem? I am going to enable snooping and would like to know which version is most stable.
I rolled out snooping a while ago and started seeing this issue. It looks like the MAC is being spoofed because it's not in the table; however, I found that the chaddr address is the wireless NIC MAC and the SA address is the wired NIC MAC for the affected hosts. Turning off wireless whilst connected to the wired network worked for me. Hope this helps.
I have enabled DHCP snooping on my 900 devices. I can also see this error: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: MACOFTHEWIRELESSCARD, MAC sa: MACOFTHEWIREDCARD
I have this issue only on 2960 devices, with this IOS: 12.2(44)SE6, and with 12.2(44)SE6 also. I confirm that when I disable the wireless card, the problem disappears. But why is the wireless card talking with the wired one?
I'm also having this issue. Are there any recommendations on applications that can be installed on the workstations to allow only one connection to the network, either wired or wireless?
Also, I think the previous person had a great question. Why would the MAC address of the wireless NIC be seen on the switchport?
This command will stop all the comparison the switch does between the CHADDR and the machine MAC address:
"no ip dhcp snooping verify mac-address"
This will stop all the logs you have.
This is what I did in my company.