Configuring DHCP Snooping
This chapter describes DHCP snooping configuration methods.
- Configure Basic Functions of DHCP Snooping
DHCP snooping enables DHCP clients to obtain IP addresses from authorized servers and records mappings between IP addresses and MAC addresses of DHCP clients to generate the binding table.
- Configuring DHCP Snooping Attack Defense
After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing bogus DHCP server attacks on the network. However, many other DHCP attacks exist on the network. The administrator can configure DHCP snooping attack defense on the device as required.
- Inserting the Option 82 Field to a DHCP Message
You can configure a device to insert the Option 82 field to a DHCP message to notify the DHCP server of the DHCP client location.
Configure Basic Functions of DHCP Snooping
DHCP snooping enables DHCP clients to obtain IP addresses from authorized servers and records mappings between IP addresses and MAC addresses of DHCP clients to generate the binding table.
Enabling DHCP Snooping
Context
Before configuring DHCP snooping security functions, you need to enable DHCP snooping.
You must enable DHCP snooping in the system view, and then on an interface or in a VLAN (Virtual Local Area Network).
Enable DHCP globally using the dhcp enable command before enabling DHCP snooping.
Configuring an Interface as the Trusted Interface
Context
- DHCP Reply messages are forwarded on the trusted interface.
- The device discards DHCP ACK, NAK, and Offer messages received on untrusted interfaces.
After enabling DHCP snooping on the interface or in the VLAN connected to the user, configure the interface connected to the DHCP server as the trusted interface so that the device can generate the dynamic DHCP snooping binding table.
(Optional) Disabling Location Fixation for DHCP Snooping Users
(Optional) Configuring Association Between ARP and DHCP Snooping
Context
When a DHCP snooping-enabled device receives a DHCP Release message sent from a DHCP client, the device deletes the binding entry of the DHCP client. However, if a client is disconnected and cannot send a DHCP Release message, the device cannot immediately delete the binding entry of the DHCP client.
After association between ARP and DHCP snooping is enabled, when the ARP entry mapping an IP address ages, the DHCP snooping-enabled device detects the IP address by performing ARP probe. If the DHCP client is not detected after a specified number of probes, the device deletes the ARP entry. The device then detects the IP address again by performing ARP probe. If the DHCP client still cannot be detected after a specified number of probes, the device deletes the binding entry of the DHCP client.
The device supports association between ARP and DHCP snooping only when the device functions as a DHCP relay agent.
(Optional) Configuring the Device to Clear the MAC Address Entry Immediately When the User Is Disconnected
Context
If a DHCP client is disconnected but its MAC address entry has not aged out, the device continues to forward messages destined for the IP address of the DHCP client based on the dynamic MAC address entry. This degrades device performance.
A DHCP client sends a DHCP Release message when it goes offline. Upon receiving the message, the device immediately deletes the DHCP snooping binding entry of the DHCP client. You can enable the device to also delete the corresponding MAC address entry when a dynamic DHCP snooping binding entry is deleted.
Procedure
- Run:
system-view
The system view is displayed.
- Run:
dhcp snooping user-offline remove mac-address
The device is enabled to delete the MAC address entry of a DHCP client when the dynamic binding entry is deleted.
By default, the device does not delete the MAC address entry of a DHCP client when the dynamic binding entry is deleted.
- Run:
commit
The configuration is committed.
Checking the Configuration
Procedure
- Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
- Run the display user-bind dhcp snooping { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the binding table.
Configuring DHCP Snooping Attack Defense
After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing bogus DHCP server attacks on the network. However, many other DHCP attacks exist on the network. The administrator can configure DHCP snooping attack defense on the device as required.
Prerequisites
Basic DHCP snooping functions have been completely configured.
Configuring Defense Against Bogus DHCP Server Attacks
Context
After DHCP snooping is enabled and an interface is configured as the trusted interface, the device enables DHCP clients to obtain IP addresses from the authorized DHCP server, preventing bogus DHCP server attacks. However, the location of the bogus DHCP server cannot be detected, which brings security risks on the network.
After detection of DHCP servers is enabled, the DHCP snooping-enabled device checks DHCP Reply messages and records information about the DHCP server, such as its IP address and port number, in logs. The network administrator uses these logs to identify whether bogus DHCP servers exist on the network.
Configuring Defense Against Attacks from Non-DHCP Users
Context
On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. This brings security risks for authorized DHCP users.
Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry includes the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.
After the sticky MAC function is enabled on the user-side interface of the device, the device generates static MAC address entries based on dynamic DHCP snooping binding entries for all DHCP users connected to the interface, clears all the dynamic MAC address entries on the interface, disables the interface from learning dynamic MAC address entries, and enables the interface to match source MAC addresses against the MAC address entries. Only messages whose source MAC addresses match the static MAC address entries can pass through the interface; other messages are discarded. Therefore, the administrator needs to manually configure static MAC address entries for non-DHCP users on the interface so that messages sent from non-DHCP users can pass through; otherwise, their messages are discarded. This prevents attacks from non-DHCP users.
Procedure
- Run:
system-view
The system view is displayed.
- Run:
interface interface-type interface-number
The interface view is displayed.
- Run:
dhcp snooping sticky-mac
The device is enabled to generate static MAC address entries based on the dynamic DHCP snooping binding table.
By default, the device is disabled from generating static MAC address entries based on the DHCP snooping binding table.
NOTE:
The dhcp snooping sticky-mac command cannot be used simultaneously with commands of some other features. For details, see Precautions in dhcp snooping sticky-mac.
- Run:
commit
The configuration is committed.
Configuring Defense Against DHCP Flood Attacks
Context
On a DHCP network, if an attacker sends a large number of DHCP messages to the device within a short time, device performance may be affected and the device may not work normally. To prevent DHCP flood attacks, you can enable the device to check the rate at which DHCP messages are sent to the processing unit.
Configuring Defense Against Bogus DHCP Message Attacks
Context
If an attacker sends a bogus DHCP Request message to the DHCP server to extend the lease, the IP address cannot be released after the lease expires and authorized users cannot use the IP address. If the attacker forges a DHCP Release message of an authorized user and sends it to the DHCP server, the authorized user may be disconnected.
After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. Only DHCP messages that match entries are forwarded. This prevents unauthorized users from sending bogus DHCP Request messages or Release messages to extend the lease or to release IP addresses.
Procedure
- Run:
system-view
The system view is displayed.
- You can enable the device to check the DHCP messages against the binding table in the system view, VLAN view, or interface view.
- In the system view:
- In the VLAN view or interface view:
- Enable the trap function for DHCP snooping in the interface view.
- (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.
- In the system view:
- In the interface view:
- Run:
commit
The configuration is committed.
Configuring Defense Against DHCP Server DoS Attacks
Context
Malicious IP address requests exhaust the IP address pool, leaving no IP address for authorized users. The DHCP server generally identifies the MAC address of a DHCP client based on the CHADDR (client hardware address) field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.
To prevent malicious IP address application, you can set the maximum number of DHCP snooping binding entries to be learned on an interface. When the number of DHCP snooping binding entries reaches the maximum value, no DHCP client can obtain an IP address through the interface. To prevent attackers from continuously changing the CHADDR field in the DHCP Request message, you can enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. If the two values match, the message is forwarded; if the two values do not match, the message is discarded.
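As an added illustration of the checks described in this section and in Configuring Defense Against Bogus DHCP Message Attacks (example code, not Huawei's implementation), the following Python model applies the untrusted-interface filter, the CHADDR-versus-source-MAC check, the binding-table check for Request and Release messages, and a per-interface binding limit to constructed messages. The interface names, the per-interface limit, and the simplification that only Request/Release messages carrying a non-zero ciaddr are matched against the binding table are assumptions.

```python
"""Model of the DHCP snooping checks this page describes (added example, not
Huawei code): trusted-interface filtering, CHADDR/source-MAC consistency,
binding-table validation of Request/Release, and a per-interface binding cap."""
from dataclasses import dataclass

# DHCP message types (option 53 values); Offer/ACK/NAK are server-originated
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_SENT = {OFFER, ACK, NAK}

@dataclass(frozen=True)
class Msg:
    interface: str     # ingress interface
    vlan: int
    eth_src: str       # source MAC in the Ethernet header
    chaddr: str        # client hardware address in the DHCP payload
    mtype: int
    ciaddr: str = "0.0.0.0"   # non-zero only when renewing/releasing a lease

class Snooper:
    def __init__(self, trusted, max_bindings=8):
        self.trusted = set(trusted)
        self.max_bindings = max_bindings     # assumed per-interface limit
        self.bindings = {}                   # (ip, mac) -> (vlan, interface)

    def learn(self, ip, mac, vlan, interface):
        """Add a binding from a forwarded ACK; refuse once the cap is reached."""
        on_port = sum(1 for _, i in self.bindings.values() if i == interface)
        if on_port >= self.max_bindings:
            return False
        self.bindings[(ip, mac.lower())] = (vlan, interface)
        return True

    def check(self, m):
        """Return 'forward' or a 'discard: <reason>' verdict for one message."""
        if m.interface in self.trusted:
            return "forward"            # server-side traffic is not filtered
        if m.mtype in SERVER_SENT:
            return "discard: server message on untrusted interface"
        if m.eth_src.lower() != m.chaddr.lower():
            return "discard: CHADDR does not match source MAC"
        if m.mtype in (REQUEST, RELEASE) and m.ciaddr != "0.0.0.0":
            if self.bindings.get((m.ciaddr, m.chaddr.lower())) != (m.vlan, m.interface):
                return "discard: no matching binding entry"
            if m.mtype == RELEASE:       # client went offline: drop its binding
                del self.bindings[(m.ciaddr, m.chaddr.lower())]
        return "forward"
```

A forged Release from another port or with a mismatched CHADDR is refused, while a genuine Release is forwarded and immediately removes the client's binding, as the Context for the ARP association describes.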
Procedure
- Run:
system-view
The system view is displayed.
- Set the maximum number of DHCP snooping binding entries to be learned by an interface in the system view, VLAN view, or interface view.
- Enable the device to check the CHADDR field in the message in the system view, VLAN view, or interface view.
- In the system view:
- In the VLAN view or interface view:
- (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.
- In the system view:
- In the interface view:
- Run:
commit
The configuration is committed.
Checking the Configuration
Context
After DHCP snooping attack defense is completely configured, you can check configured parameters.
Procedure
- Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
- Run the display mac-address snooping [ interface-type interface-number | vlan vlan-id ] * command to view static MAC address entries generated from the DHCP snooping binding table.
Inserting the Option 82 Field to a DHCP Message
You can configure a device to insert the Option 82 field to a DHCP message to notify the DHCP server of the DHCP client location.
Context
The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.
DHCP Option 82 must be configured on the user-side interface of a device; otherwise, the DHCP message sent to the DHCP server will not carry Option 82.
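The following Python example (added here, not Huawei code) builds an Option 82 field with circuit-id and remote-id sub-options and applies the insert and rebuild behaviours this section names to a constructed DHCP Request option list. The sub-option layouts (VLAN and port in the circuit-id, the inserting device's MAC in the remote-id) and the meaning of insert (add only if absent) versus rebuild (replace an existing Option 82) are assumptions.

```python
"""Added example (not Huawei code): building the DHCP Option 82 (Relay Agent
Information, RFC 3046) field and applying the insert-versus-rebuild behaviour
named on this page. The circuit-id/remote-id layouts used here are assumed."""
import struct

OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def build_option82(vlan, port, device_mac):
    """Assumed layout: circuit-id = VLAN (2 bytes) + port (1 byte),
    remote-id = the inserting device's MAC address (6 bytes)."""
    circuit = struct.pack("!HB", vlan, port)
    remote = bytes.fromhex(device_mac.replace(":", ""))
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body

def parse_options(opts):
    """Return (code, value) pairs of a DHCP option (or sub-option) TLV list;
    PAD bytes are skipped and END terminates the list."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = opts[i + 1]
        out.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def apply_option82(opts, opt82, mode):
    """mode 'insert': add Option 82 only if the message lacks it;
    mode 'rebuild': replace any Option 82 the message already carries.
    Option 82 is placed last, immediately before END, as relay agents do."""
    fields = parse_options(opts)
    if mode == "insert" and any(c == OPT_RELAY_AGENT for c, _ in fields):
        return opts
    kept = b"".join(bytes([c, len(v)]) + v
                    for c, v in fields if c != OPT_RELAY_AGENT)
    return kept + opt82 + bytes([OPT_END])
```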
Procedure
- Run:
system-view
The system view is displayed.
- You can configure the device to insert the Option 82 field to a DHCP message in the interface view or VLAN view. If the configuration is performed in the VLAN view, it takes effect for all DHCP messages from this VLAN received by the interface. If the configuration is performed in the interface view, it takes effect only for the specified interface.
View: VLAN view
- Run the vlan vlan-id command to enter the VLAN view.
- Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field to a DHCP message.
By default, the device is disabled from inserting the Option 82 field to a DHCP message.
- Run the quit command to return to the system view.
View: Interface view
- Run the interface interface-type interface-number command to enter the interface view.
- Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field to a DHCP message.
By default, the device is disabled from inserting the Option 82 field to a DHCP message.
- Run the quit command to return to the system view.
- (Optional) You can configure the format of the Option 82 field in the system view or interface view. If the configuration is performed in the system view, the configuration takes effect for all interfaces on the device. If the configuration is performed in the interface view, the configuration takes effect only for the specified interface.
View: System view
- Run the dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.
By default, the format of the Option 82 field in a DHCP message is default.
View: Interface view
- Run the interface interface-type interface-number command to enter the interface view.
- Run the dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.
By default, the format of the Option 82 field in a DHCP message is default.
NOTE:
Layer 3 Ethernet interfaces do not support the vlan parameter.
- Run the dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.
- Run:
commit
The configuration is committed.