Config Lab: DHCP Snooping 2


Dynamic Host Configuration Protocol (DHCP), like many network protocols, can be used as part of a cybersecurity attack. DHCP Snooping, a LAN switch feature, monitors DHCP messages flowing through the switch, filtering messages based on a set of rules. In this lab, you configure DHCP snooping on two different switches and examine the minor differences in configuration.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

Attackers can carry out DHCP-based cybersecurity attacks by sending messages as if the attacker were a legitimate DHCP server or a legitimate DHCP client. In the familiar “DORA” message flow, with Discover, Offer, Request, and Ack messages, the DHCP client sends the Discover and Request messages, while the DHCP server sends the Offer and Ack messages. For instance, an attacker might reply to a Discover message with an Offer message, pretending to be a DHCP server.

DHCP Snooping examines incoming DHCP messages while also asking whether DHCP Snooping trusts the port. DHCP Snooping should trust the port if messages from the legitimate DHCP server(s) will arrive on that port – in fact, on trusted ports, DHCP Snooping allows all DHCP message types entering the port. For all other ports, especially the access ports connected to DHCP clients, the switch should not trust the port. DHCP Snooping discards messages normally sent by DHCP servers that arrive on untrusted ports, like the DHCP Offer and Ack messages. (DHCP Snooping allows incoming DHCP client messages on untrusted ports.)

This lab uses two VLANs located on opposite sides of a WAN link. On the left, switch SW1 implements VLAN 10 and the associated subnet of 172.16.10.0/24. The subnet contains two DHCP Clients, PC11 and PC12. The subnet uses the DHCP server, which supplies IP addresses to all LAN subnets in the figure.

On the right, switch SW2 creates VLAN 20, with the attached devices using subnet 172.16.20.0/24. PC21 and PC22 in that subnet act as DHCP clients, leasing their IP addresses from the DHCP server on the left.

Both routers use static IP addresses and learn routes using OSPF in a single-area design. R2 also acts as a DHCP Relay Agent so that hosts in subnet 172.16.20.0/24 can lease IP addresses.

 

Figure 1: Topology for this Lab

 

For this lab, take these specific steps.

  1. Enable DHCP Snooping in VLAN 10 on switch SW1 and VLAN 20 in switch SW2.
  2. Both switches operate as layer 2 switches, not layer 3 switches, so disable the insertion of DHCP Option 82 headers.
  3. Consider DHCP Snooping trust settings for the ports connected to the PCs (DHCP clients) and set if needed.
  4. Also, consider DHCP Snooping trust settings for the switch ports connected to each router and any servers, and set if needed.

 

Initial Configurations

Both switches assign all their ports to one VLAN: VLAN 10 for switch SW1 and VLAN 20 for switch SW2. Additionally, each router’s G0/0 interface uses an IP address on the respective local LAN to act as the default router in that subnet. Finally, the routers both use OSPF to exchange routes so that once the PCs have all learned their IP addresses, they should be able to ping each other.

hostname SW1
!
vlan 10
!
interface range FastEthernet0/1-3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

Example 1: SW1 Config

 

hostname SW2
!
vlan 20
!
interface range FastEthernet0/2-3
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast

Example 2: SW2 Config

 

hostname R1
!
interface GigabitEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2/0
 ip address 172.16.12.1 255.255.255.0
 no shutdown
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0

Example 3: R1 Config

 

hostname R2
!
interface GigabitEthernet0/0
 ip address 172.16.20.2 255.255.255.0
 ip helper-address 172.16.10.9
 no shutdown
!
interface GigabitEthernet0/2/0
 ip address 172.16.12.2 255.255.255.0
 no shutdown
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0

Example 4: R2 Config

 

The PCs each act as a DHCP client, expecting to lease an IP address and learn the mask and default gateway settings from the DHCP server. You can assume the DHCP Server shown in the figure works. However, to be complete, Example 5 shows the IOS DHCP server configuration that you could use to support this lab. (The CPT and CML files supplied with this lab use this same configuration.)

hostname DHCP_Server
!
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.20.1 172.16.20.100
!
ip dhcp pool subnet1
 network 172.16.10.0 255.255.255.0
 dns-server 172.16.10.9
 default-router 172.16.10.1
 domain-name example.com
!
ip dhcp pool subnet2
 network 172.16.20.0 255.255.255.0
 dns-server 172.16.10.9
 default-router 172.16.20.2
 domain-name example.com
!
interface GigabitEthernet0/0
 ip address 172.16.10.9 255.255.255.0
 no shutdown
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Example 5: DHCP Server (IOS Router)

Answer Options

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.


Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!

 

Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device   Lab Port   CML Port
SW1      G0/1       G0/0
SW1      F0/1       G0/1
SW1      F0/2       G0/2
SW2      F0/3       G0/3
SW2      F0/2       G0/2
SW2      F0/3       G0/3
R1       G0/2/0     G0/2
R2       G0/2/0     G0/2

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration

ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
interface fastethernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
! You do NOT need to trust here

Example 1: SW1 Config

 

ip dhcp snooping
ip dhcp snooping vlan 20
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 ip dhcp snooping trust

Example 2: SW2 Config

Commentary, Issues, and Verification Tips

The first three lines in both Answer Examples follow the same pattern for the same reasons. Focusing on switch SW1 for now, to enable DHCP Snooping in VLAN 10, the switch needs two global commands: ip dhcp snooping and ip dhcp snooping vlan 10. The first command enables DHCP Snooping functions, but the switch would not use DHCP Snooping in any VLANs with that command alone. The second command applies DHCP Snooping to VLAN 10.

Switch SW2 needs two similar commands, ip dhcp snooping and ip dhcp snooping vlan 20, to enable DHCP Snooping in VLAN 20 on SW2.

Both switches also need the no ip dhcp snooping information option global command. This command reverses the switch default setting of ip dhcp snooping information option. The logic works like this:

  1. LAN switches may be configured as layer 3 switches.
  2. When acting as a layer 3 switch, the switch may also act as a DHCP Relay Agent.
  3. DHCP Relay Agents use the DHCP Information option in DHCP messages, that is, DHCP option 82.
  4. The default configuration setting of ip dhcp snooping information option tells the switch that, once DHCP Snooping is enabled, to change DHCP messages as if it were a DHCP Relay agent.
  5. In this lab, the switch is neither a layer 3 switch nor a DHCP Relay Agent, so you should disable the information option feature using the no ip dhcp snooping information option global command.

As for the DHCP trust settings, first focus on switch SW1. Ports F0/2 and F0/3, connected to the DHCP clients, use the default setting of untrusted. However, the switch port connected to the DHCP server (F0/1) must be trusted (ip dhcp snooping trust) because SW1 will receive messages normally sent by DHCP servers on that port. Also, note that the switch need not trust its port G0/1 (connected to router R1) because the only DHCP server is on the same subnet. Therefore, no other useful DHCP server messages should arrive at switch port G0/1.

Applying that same general logic to switch SW2, you might think that all ports should be untrusted. Certainly, ports F0/2 and F0/3, connected to the two PCs, should remain in their default state as untrusted. However, because messages from the legitimate DHCP server will flow from the server, through router R1, through router R2, and into SW2, SW2 needs to be ready to trust those messages. Switch SW2, therefore, requires the configuration to trust its G0/1 port (connected to router R2) for DHCP Snooping to work while allowing DHCP to function normally.
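The trust rules above (server-originated messages accepted only on trusted ports, client messages accepted anywhere, the Option 82 / giaddr check on untrusted ports, and the binding table built from a completed exchange) can be modelled in a few dozen lines. The following Python is an added illustration written for this post, not code from the page, from Cisco IOS, or from any project; port names and trust settings mirror the lab answer, message-type numbers are the RFC 2131 option 53 values, and the MACs and addresses are constructed sample data.

```python
"""Constructed model of the DHCP Snooping decisions this lab describes.

Added illustration, not IOS code.  Assumptions: SW1 trusts F0/1 (toward the
DHCP server), SW2 trusts G0/1 (toward relay agent R2); relay R2 leaves the
giaddr field set on the replies it forwards to clients.
"""
from dataclasses import dataclass, field

# DHCP message types (RFC 2131, option 53 values 1..8)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST",
         DECLINE: "DECLINE", ACK: "ACK", NAK: "NAK", RELEASE: "RELEASE",
         INFORM: "INFORM"}
SERVER_MSGS = {OFFER, ACK, NAK}     # only a legitimate server should send these


@dataclass
class DhcpMsg:
    mtype: int
    client_mac: str
    yiaddr: str = "0.0.0.0"     # address handed out (OFFER / ACK)
    giaddr: str = "0.0.0.0"     # non-zero once a relay agent has forwarded it
    option82: bool = False      # relay agent information option present


@dataclass
class SnoopingSwitch:
    name: str
    snooping_vlans: set
    trusted: set = field(default_factory=set)        # "ip dhcp snooping trust" ports
    client_ports: dict = field(default_factory=dict) # client MAC -> ingress port
    bindings: dict = field(default_factory=dict)     # client MAC -> (ip, port)

    def inspect(self, port, vlan, msg):
        """Return ('forward'|'drop', reason) for a DHCP message entering `port`."""
        if vlan not in self.snooping_vlans:
            return "forward", "VLAN not snooped"
        if port in self.trusted:
            # Trusted ports accept every DHCP message type; a server ACK
            # completes a binding-table entry for the client it answers.
            if msg.mtype == ACK and msg.client_mac in self.client_ports:
                self.bindings[msg.client_mac] = (
                    msg.yiaddr, self.client_ports[msg.client_mac])
            return "forward", "trusted port"
        if msg.mtype in SERVER_MSGS:
            return "drop", f"{NAMES[msg.mtype]} arrived on untrusted port"
        if msg.giaddr != "0.0.0.0" or msg.option82:
            # Same condition IOS logs as DHCP_SNOOPING_NONZERO_GIADDR.
            return "drop", "non-zero giaddr or option 82 on untrusted port"
        self.client_ports[msg.client_mac] = port
        return "forward", "client message on untrusted port"


def build_lab():
    """Both switches as configured in the lab answer."""
    sw1 = SnoopingSwitch("SW1", {10}, trusted={"F0/1"})   # F0/1 -> DHCP server
    sw2 = SnoopingSwitch("SW2", {20}, trusted={"G0/1"})   # G0/1 -> router R2 (relay)
    return sw1, sw2


def run_dora(sw, vlan, client_port, server_port, mac, ip, relayed):
    """Walk one DORA exchange through a switch; return the four verdicts."""
    gi = "172.16.20.2" if relayed else "0.0.0.0"   # R2's G0/0 when relayed
    steps = [
        (client_port, DhcpMsg(DISCOVER, mac)),
        (server_port, DhcpMsg(OFFER, mac, yiaddr=ip, giaddr=gi)),
        (client_port, DhcpMsg(REQUEST, mac)),
        (server_port, DhcpMsg(ACK, mac, yiaddr=ip, giaddr=gi)),
    ]
    return [sw.inspect(port, vlan, m)[0] for port, m in steps]


if __name__ == "__main__":
    sw1, sw2 = build_lab()
    print("SW1 PC11:", run_dora(sw1, 10, "F0/2", "F0/1", "0011.2233.4455", "172.16.10.101", False))
    print("SW2 PC21:", run_dora(sw2, 20, "F0/2", "G0/1", "0011.2233.4466", "172.16.20.101", True))
    print("bindings:", sw1.bindings, sw2.bindings)
    # A rogue Offer injected on a PC port never reaches the VLAN.
    print(sw1.inspect("F0/3", 10, DhcpMsg(OFFER, "0011.2233.4455", yiaddr="172.16.10.200")))
    # Leaving SW2's G0/1 untrusted breaks legitimate DHCP for the PCs.
    print("SW2 untrusted:", run_dora(SnoopingSwitch("SW2", {20}), 20, "F0/2", "G0/1",
                                     "0011.2233.4466", "172.16.20.101", True))
```

Running the module shows both lab switches passing a full exchange, a rogue Offer on an untrusted PC port being dropped, and the SW2 case from the commentary: with G0/1 left untrusted, the relayed Offer and Ack are discarded and the PCs never lease an address.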

Known Issues in this Lab

This section of each Config Lab Answers post lists any known issues with Packet Tracer related to this lab. In this case, the issues are:

  1. Core feature config only – CPT supports the configuration of core DHCP Snooping features, but not all features. For example, CPT does not support the errdisable and ip dhcp snooping limit commands.
  2. Incorrect show ip dhcp snooping binding output – On real gear, this command lists only non-default settings. In CPT, the output varies and often includes default settings.
  3. Sparse show ip dhcp snooping output – Real gear displays more detailed output as compared to CPT.
  4. CPT feature platform differences – In CPT, the 2960 and 3650 switch models provide some DHCP Snooping support. However, the support levels differ, with some differences in show commands. In our testing, the feature could be configured on both models but only worked when using 2960s.

 

Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. Note that CPT supports IP DHCP Snooping configuration better than it supports the show commands, at least at CPT Version 8.0 used when developing this lab. To that end, if testing with CPT, you can focus your testing on whether the function works. With real gear and CML, you can focus more on show commands.

  1. First, before enabling DHCP Snooping, confirm DHCP works.
    1. After opening the .pkt file, the PCs should lease an IP address. Confirm that works first.
    2. From the PCs, use ipconfig /all, ipconfig /release, and ipconfig /renew to confirm the PCs leased an IP address, released it back to the server, and then renewed the lease.
  2. Enable DHCP Snooping as planned and confirm DHCP still works.
    1. Configure the lab as per your plan.
    2. Repeat the ipconfig /release and ipconfig /renew commands to force DHCP to lease the address again. If you configured DHCP Snooping correctly, DHCP should still work.
  3. Attempt the following show commands. Compare the output to the CCNA 200-301 Cert Guide Chapter 8 examples (or the equivalent chapter of a later edition).
    1. show ip dhcp snooping to display the per-interface DHCP Snooping settings.
    2. show ip dhcp snooping binding to display the DHCP Snooping binding table.

More Labs with Related Content!

Config Lab: DHCP Snooping 1
Config Lab: DAI 1
10 Comments
Johannes K.

Hello,

It looks like the lab’s step n°3 goes against the DHCP Snooping purpose.

“Set DHCP Snooping trust settings for the ports connected to the PCs (DHCP clients.)”

We’re supposed to avoid this kind of situation, aren’t we?

Since the step n°3 is not found in the answer, let’s forget about it.

Vicente Torres

Hi Wendell,

While doing the lab on CPT, I did trust the port SW1’s G0/1 (I just thought, well, this port is connected to our router, so it should be trusted).

While reading the Lab Answers, the comment for that interface states “You do NOT need to trust here”.

So, it is not entirely clear to me the reason. Is it just because there is no DHCP server on R2’s side so we are not expected to receive “offer” and “ack” messages entering this port?

Thanks.

Faris Ossandon

Hi Wendell,

I’ve tried this lab on GNS3 using a router as a DHCP server. I did everything exactly, but would keep getting this message from SW1 from its g0/1 port (g1/0 in my lab):

SW1#
*May 10 02:18:34.370: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: ca02.76ba.0008
SW1#show mac address-table 
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
 10   0241.5c65.6393   DYNAMIC    Gi0/2
 10   ca01.6b0f.0008   DYNAMIC    Gi0/1
 10   ca02.76ba.0008   DYNAMIC    Gi1/0
 10   cec8.267a.7ac7   DYNAMIC    Gi0/3
Total Mac Addresses for this criterion: 4
SW1#

I read somewhere that you have to “push the DHCP trust boundary downstream” and the trust g0/1 (g1/0 on my lab). Is this right?

Faris Ossandon

Thank you for the reply Wendell.

Not sure if this is supposed to work this way, but in my setup enabling the option “ip dhcp snooping information option” on SW2 makes the message in SW1 disappear. Disabling the option with “no ip dhcp snooping information option” on SW2 makes the error message in SW1 reappear. Really strange.

Vojtěch Blažek

I think I found a missing zero in Example 5 line 14. The command on this line should be the same as for subnet1, right? “dns-server 172.16.10.9”
Thank you
