DHCP Snooping lab example.

Objective: Build a lab with access and distribution switches and implement the DHCP Snooping feature.

Topology:

Specific objective: configure DHCP snooping on the access switch and on the distribution switch.

Scenario:
Sw2960 IOS: Version 12.2(25)SEE3
Sw3750 IOS: Version 12.2(35)SE5
DHCP Router: A 1941 router configured to work at layer 3 with the 3750. It also holds the DHCP server configuration for VLAN 2, which exists on the access switch and on the distribution switch.

DHCP Server config:
!
hostname DHCP
!
ip dhcp excluded-address 10.1.2.1
ip dhcp excluded-address 10.1.2.2
!
/DHCP pool for VLAN 2. Requests will arrive through interface gig0/0 as unicast packets.
ip dhcp pool vlan2
network 10.1.2.0 255.255.255.0
default-router 10.1.2.200
domain-name cisco.com
dns-server 10.1.2.254
lease 7
!
interface GigabitEthernet0/0
ip address 10.1.3.1 255.255.255.252
duplex auto
speed auto
!
/So the router knows how to reach VLAN 2, which does not extend up to the router but terminates on the 3750
ip route 10.1.2.0 255.255.255.0 10.1.3.2
!

Distribution Switch config:
!
hostname Distri_SW
!
/Enable IP Routing
ip routing
!
/Enable DHCP snooping on VLANs 1-2 (VLAN 2 is the client VLAN)
ip dhcp snooping vlan 1-2
/Accept option-82 packets arriving on untrusted ports (see the note below); the 3750 itself does not insert option 82
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option
/Enable DHCP snooping globally.
ip dhcp snooping
!
/L2 downlink to the access switch. I did not put the ip dhcp snooping trust command in interface configuration mode here because of the ip dhcp snooping information option allow-untrusted command.
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
!
/L3 uplink to the DHCP server.
interface GigabitEthernet1/0/24
no switchport
ip address 10.1.3.2 255.255.255.252
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.1.2.200 255.255.255.0
ip helper-address 10.1.3.1
!

Note:  When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

If the switch is an aggregation switch (3750) supporting DHCP snooping and is connected to an edge switch (2960) that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database. (This is very true, I verified it in this scenario. With any other variant, the bindings were only recorded on the 2960 and not on the 3750.)

When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface. Important!!!

Access Switch Config:
!
hostname Access_SW
!
/Enable DHCP snooping globally and for VLAN 2. The option-82 settings are left at their defaults (the Access_SW verification output below shows insertion enabled and allow-untrusted disabled).
ip dhcp snooping vlan 2
ip dhcp snooping
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
!
/L2 trunk uplink to the 3750. Must be a snooping trusted interface.
interface GigabitEthernet0/1
switchport mode trunk
ip dhcp snooping trust
!

DHCP Snooping verification.

Access_SW#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
2
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet0/1           yes         unlimited

Distri_SW#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-2
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is disabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------

Distri_SW#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:17:42:BA:60:32   10.1.2.4         604728      dhcp-snooping   2     GigabitEthernet1/0/23
Total number of bindings: 1

Access_SW#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:17:42:BA:60:32   10.1.2.4         604678      dhcp-snooping  2     FastEthernet0/1
Total number of bindings: 1
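The note after the distribution config says the whole point of allow-untrusted here is that the 3750 learns the same bindings the 2960 does. As an added example (not from the original post), here is a small Python script that parses two "show ip dhcp snooping binding" tables and reports bindings the access switch has but the distribution switch lacks; the two tables are the lab's values re-typed as constructed input, and the function names are my own.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the two "show ip dhcp snooping binding" tables from the
# lab, re-typed so the script runs offline.
ACCESS_SW = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:17:42:BA:60:32   10.1.2.4         604678      dhcp-snooping  2     FastEthernet0/1
Total number of bindings: 1
"""
DISTRI_SW = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:17:42:BA:60:32   10.1.2.4         604728      dhcp-snooping   2     GigabitEthernet1/0/23
Total number of bindings: 1
"""

# One binding row: MAC, IP, lease seconds, type, VLAN, interface.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$"
)

def parse_bindings(text: str) -> Dict[Tuple[str, str, int], dict]:
    """Map (mac, ip, vlan) -> {lease, type, interface}; the header and the
    'Total number of bindings' line do not match the row pattern."""
    table = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            key = (m["mac"].upper(), m["ip"], int(m["vlan"]))
            table[key] = {"lease": int(m["lease"]), "type": m["type"],
                          "interface": m["intf"]}
    return table

def missing_upstream(access: str, distribution: str):
    """Bindings the access switch learned that the distribution switch did not.
    The interface is ignored on purpose: the 2960 records the client port, the
    3750 records the downlink trunk. A non-empty result is the failure the note
    describes (option-82 packets dropped on an untrusted port, or nothing
    learned on a trusted one), which leaves DAI / IP Source Guard upstream blind."""
    a, d = parse_bindings(access), parse_bindings(distribution)
    return sorted(k for k in a if k not in d)
```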

!!!

DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on

21:37:40: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:37:40: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:37:40: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:37:40: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:37:40: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Gi1/0/23, MAC da: 001c.b085.f242, MAC sa: 0017.42ba.6032, IP da: 10.1.3.1, IP sa: 10.1.2.3, DHCP ciaddr: 10.1.2.3, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:37:40: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 001C.B085.F242, packet is flooded to ingress VLAN: (2)
21:37:40: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:21: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:21: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:38:21: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:21: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:38:21: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/23, MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:38:21: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
21:38:21: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:23: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:23: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:23: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan2)
21:38:23: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl2, MAC da: 0017.42ba.6032, MAC sa: 001c.b085.f242, IP da: 10.1.2.4, IP sa: 10.1.2.200, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.2.4, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032
21:38:23: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet1/0/23.
21:38:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:38:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:24: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:38:24: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/23, MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:38:24: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
21:38:24: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:24: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan2)
21:38:24: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl2, MAC da: 0017.42ba.6032, MAC sa: 001c.b085.f242, IP da: 10.1.2.4, IP sa: 10.1.2.200, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.2.4, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032
21:38:24: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet1/0/23.
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:32: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:38:32: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/23, MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:38:32: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
21:38:32: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:32: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan2)
21:38:32: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl2, MAC da: ffff.ffff.ffff, MAC sa: 001c.b085.f242, IP da: 255.255.255.255, IP sa: 10.1.2.200, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.2.4, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032
DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet1/0/23.
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:32: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:38:32: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi1/0/23, MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:38:32: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
21:38:32: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:32: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:32: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan2)
21:38:32: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl2, MAC da: ffff.ffff.ffff, MAC sa: 001c.b085.f242, IP da: 255.255.255.255, IP sa: 10.1.2.200, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.2.4, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032
21:38:32: DHCP_SNOOPING: add binding on port GigabitEthernet1/0/23.
21:38:32: DHCP_SNOOPING: added entry to table (index 44)
21:38:32: DHCP_SNOOPING: dump binding entry: Mac=00:17:42:BA:60:32 Ip=10.1.2.4 Lease=604800     Type=dhcp-snooping Vlan=2 If=GigabitEthernet1/0/23
21:38:32: DHCP_SNOOPING_SW no entry found for 0017.42ba.6032 0.0.0.2 GigabitEthernet1/0/23
21:38:32: DHCP_SNOOPING_SW host tracking not found for update add dynamic (10.1.2.4, 0.0.0.0, 0017.42ba.6032) vlan 2
21:38:32: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet1/0/23.
21:38:37: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:37: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl2 for pak.  Was Gi1/0/23
21:38:37: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/23 for pak.  Was Vl2
21:38:37: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/23)
21:38:37: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Gi1/0/23, MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 10.1.2.4, DHCP ciaddr: 10.1.2.4, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032
21:38:37: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
21:38:37: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan2.
21:38:37: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:37: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi1/0/24 for pak.  Was Gi1/0/24
21:38:37: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan2)
21:38:37: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl2, MAC da: 0017.42ba.6032, MAC sa: 001c.b085.f242, IP da: 10.1.2.4, IP sa: 10.1.2.200, DHCP ciaddr: 10.1.2.4, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032
21:38:37: DHCP_SNOOPING: intercepted DHCPACK with no DHCPOPT_LEASE_TIME option field, packet is still forwarded but no snooping binding update is performed.
21:38:37: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet1/0/23.
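The debug lines above show where each message enters the 3750: client messages on the untrusted downlink Gi1/0/23, server replies through the Vl2 SVI after the helper address relays them. As an added example (not from the original post), here is a small Python audit that applies the two checks a snooping switch makes, the source-MAC versus chaddr comparison from the note above and the requirement that OFFER/ACK/NAK only arrive on the reply side, to the lab's own lines plus two constructed ones; `TRUSTED_FOR_REPLIES` and the function names are my assumptions for this lab.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the "process new DHCP packet" debug lines
# above: the lab's own DISCOVER and OFFER, then two constructed lines, an OFFER
# entering on the untrusted downlink (what a rogue server behind the access
# switch would look like) and a DISCOVER whose source MAC differs from chaddr.
DEBUG_LINES = [
    "21:38:21: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/23, "
    "MAC da: ffff.ffff.ffff, MAC sa: 0017.42ba.6032, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, "
    "DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032",
    "21:38:23: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl2, "
    "MAC da: 0017.42ba.6032, MAC sa: 001c.b085.f242, IP da: 10.1.2.4, IP sa: 10.1.2.200, DHCP ciaddr: 0.0.0.0, "
    "DHCP yiaddr: 10.1.2.4, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.1.2.200, DHCP chaddr: 0017.42ba.6032",
    "21:40:01: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi1/0/23, "
    "MAC da: 0017.42ba.6032, MAC sa: 0000.5e00.5301, IP da: 10.1.2.99, IP sa: 10.1.2.50, DHCP ciaddr: 0.0.0.0, "
    "DHCP yiaddr: 10.1.2.99, DHCP siaddr: 10.1.2.50, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032",
    "21:40:05: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/23, "
    "MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5302, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, "
    "DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0017.42ba.6032",
]

PKT_RE = re.compile(
    r"message type: (?P<type>DHCP\w+), input interface: (?P<intf>[^,]+), "
    r"MAC da: [^,]+, MAC sa: (?P<sa>[0-9a-f.]+).*DHCP chaddr: (?P<chaddr>[0-9a-f.]+)"
)
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
# Assumption for this lab: server replies reach the 3750 only through the Vl2
# SVI (relayed by ip helper-address); the downlink Gi1/0/23 is untrusted.
TRUSTED_FOR_REPLIES = {"Vl2"}

def parse_packets(lines: List[str]) -> List[Dict[str, str]]:
    """Extract type, input interface, source MAC and chaddr from debug lines."""
    return [m.groupdict() for m in (PKT_RE.search(line) for line in lines) if m]

def audit(lines: List[str]) -> List[str]:
    """One finding per packet a snooping switch would drop: a server message
    that did not enter on a reply-trusted interface, or a client message whose
    source MAC differs from its chaddr (the hwaddr check from the note)."""
    findings = []
    for p in parse_packets(lines):
        if p["type"] in SERVER_MSGS:
            if p["intf"] not in TRUSTED_FOR_REPLIES:
                findings.append(f"{p['type']} from untrusted {p['intf']} (sa {p['sa']})")
        elif p["sa"].lower() != p["chaddr"].lower():
            findings.append(f"{p['type']} on {p['intf']}: MAC sa {p['sa']} != chaddr {p['chaddr']}")
    return findings
```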
