Hello, I am trying to set up DHCP snooping in a network of Cisco and HP ProCurve switches. All switches are connected via 802.1q trunk interfaces, lots of VLANs are defined, and the default VLAN has been changed to 199. Static-IP clients work, but DHCP clients cannot obtain an IP address. Is there any special con.

How to prevent rogue DHCP servers with DHCP snooping in an HP ProCurve switch

This is cool. I'm using an HP ProCurve 2530 switch, running firmware YA.15.16. These switches, by the way, come with a lifetime next-business-day warranty.

The DHCP Snooping feature on ProCurve ProVision switches allows you to configure switches to accept DHCP responses only from authorized servers that are connected to trusted ports.
You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.
Condition for dropping a packet
Condition for Dropping a Packet | Packet Types |
---|---|
A packet from a DHCP server received on an untrusted port | DHCPOFFER, DHCPACK, DHCPNACK |
If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses. | DHCPOFFER, DHCPACK, DHCPNACK |
Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet | N/A |
Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received from an untrusted port | N/A |
A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is received | DHCPRELEASE, DHCPDECLINE |
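To make the table concrete, here is an added example (not HP's code) that models the drop rules above as a small packet filter and runs it over constructed sample traffic. It also keeps the per-port binding table that the later sections describe, so the DHCPRELEASE/DHCPDECLINE port check and the max-bindings limit can be exercised. The port names, MAC and IP addresses and the packet representation are assumptions for illustration; the reason strings mirror the wording of the switch's event-log messages.

```python
# Added example (not HP's code): a model of the DHCP snooping drop rules in
# the table above, run over constructed sample packets. Port names, addresses
# and the packet representation are assumptions for illustration only.
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # the table's DHCPNACK is DHCPNAK in RFC 2131
RELEASE_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class DhcpPacket:
    msg_type: str
    port: str                 # switch port the packet arrived on
    src_mac: str              # Ethernet source address
    chaddr: str               # DHCP client hardware address field
    src_ip: str = "0.0.0.0"   # IP source (meaningful for server messages)
    has_option82: bool = False
    yiaddr: str = ""          # address offered/acknowledged by the server


@dataclass
class SnoopingConfig:
    trusted_ports: set = field(default_factory=set)
    authorized_servers: set = field(default_factory=set)  # empty = every server valid
    verify_mac: bool = True         # dhcp-snooping verify (chaddr must equal source MAC)
    untrusted_policy: str = "drop"  # dhcp-snooping option 82 untrusted-policy
    max_bindings: int = 8192        # dhcp-snooping max-bindings, per untrusted port


class DhcpSnooper:
    def __init__(self, cfg):
        self.cfg = cfg
        self.pending = {}    # chaddr -> untrusted port of the client's last request
        self.bindings = {}   # chaddr -> (port, leased IP address)

    def port_binding_count(self, port):
        return sum(1 for p, _ in self.bindings.values() if p == port)

    def inspect(self, pkt):
        """Return (forward, reason) for one packet, updating the binding table."""
        trusted = pkt.port in self.cfg.trusted_ports
        if pkt.msg_type in SERVER_MSGS:
            if not trusted:
                return False, f"Server {pkt.src_ip} packet received on untrusted port {pkt.port} dropped."
            if self.cfg.authorized_servers and pkt.src_ip not in self.cfg.authorized_servers:
                return False, f"Unauthorized server {pkt.src_ip} detected on port {pkt.port}."
            if pkt.msg_type == "DHCPACK" and pkt.chaddr in self.pending:
                # lease confirmed: bind the client to the port its request came from
                self.bindings[pkt.chaddr] = (self.pending.pop(pkt.chaddr), pkt.yiaddr)
            return True, "server packet forwarded"
        if trusted:
            return True, "trusted port, forwarded without inspection"
        # client packet on an untrusted port: apply the checks from the table
        if self.cfg.verify_mac and pkt.chaddr != pkt.src_mac:
            return False, f"Client address {pkt.chaddr} not equal to source MAC {pkt.src_mac} detected on port {pkt.port}."
        if pkt.has_option82 and self.cfg.untrusted_policy == "drop":
            return False, f"Received untrusted relay information from client {pkt.chaddr} on port {pkt.port}."
        if pkt.msg_type in RELEASE_MSGS and pkt.chaddr in self.bindings:
            bound_port, ip = self.bindings[pkt.chaddr]
            if bound_port != pkt.port:
                return False, f"Attempt to release address {ip} leased to port {bound_port} detected on port {pkt.port} dropped."
            if pkt.msg_type == "DHCPRELEASE":
                del self.bindings[pkt.chaddr]   # binding count is decremented on release
            return True, "release forwarded"
        if pkt.chaddr not in self.bindings and self.port_binding_count(pkt.port) >= self.cfg.max_bindings:
            return False, f"max-bindings reached on port {pkt.port}; client {pkt.chaddr} has no binding, dropped"
        self.pending[pkt.chaddr] = pkt.port
        return True, "client packet forwarded"


def run_demo():
    """Constructed traffic: port 1 is the uplink to the authorized server 10.0.0.5."""
    cfg = SnoopingConfig(trusted_ports={"1"}, authorized_servers={"10.0.0.5"}, max_bindings=1)
    sn = DhcpSnooper(cfg)
    c1, c2, c3 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    traffic = [
        DhcpPacket("DHCPOFFER", "2", "00:11:22:33:44:55", c1, "10.0.0.99"),  # rogue server on an access port
        DhcpPacket("DHCPOFFER", "1", "00:11:22:33:44:55", c1, "10.0.0.99"),  # trusted port, unauthorized address
        DhcpPacket("DHCPDISCOVER", "2", c1, c2),                             # chaddr does not match source MAC
        DhcpPacket("DHCPDISCOVER", "2", c1, c1),                             # legitimate request
        DhcpPacket("DHCPACK", "1", "00:11:22:33:44:66", c1, "10.0.0.5", yiaddr="10.0.0.50"),
        DhcpPacket("DHCPRELEASE", "3", c1, c1),                              # release from the wrong port
        DhcpPacket("DHCPDISCOVER", "2", c3, c3, has_option82=True),          # Option 82 from an untrusted port
        DhcpPacket("DHCPDISCOVER", "2", c3, c3),                             # port 2 already at max-bindings
    ]
    return [sn.inspect(p) for p in traffic]


if __name__ == "__main__":
    for forward, reason in run_demo():
        print("FORWARD" if forward else "DROP   ", reason)
```

The check order (server-type, chaddr/MAC, Option 82, release port, max-bindings) is a design choice of this model; the switch documents the conditions but not the order in which it evaluates them.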
DHCP snooping is enabled globally by entering this command: dhcp-snooping
Use the no form of the command to disable DHCP snooping.
Syntax:
[no] dhcp-snooping [authorized-server|database|option|trust|verify|vlan]
Parameter | Description |
---|---|
authorized-server | Enter the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers. |
database | To configure a location for the lease database, enter a URL in the format tftp://ip-address/ascii-string. |
option | Add the relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is enabled. |
trust | Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: all ports untrusted. |
verify | Enables DHCP packet validation. The DHCP client hardware address field and the source MAC address must be the same for packets received on untrusted ports or the packet is dropped. Default: enabled. |
vlan | Enable DHCP snooping on a VLAN. DHCP snooping must be enabled already. Default: disabled. |
To display the DHCP snooping configuration, enter this command: show dhcp-snooping
Output for the show dhcp-snooping command
To display statistics about the DHCP snooping process, enter this command: show dhcp-snooping stats
An example of the output is shown below.
Output for the show dhcp-snooping stats command
DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs, enter this command: dhcp-snooping vlan <vlan-id-range>
You can also use this command in the vlan context, in which case you cannot enter a range of VLANs. Below is an example of DHCP snooping enabled on VLAN 4.
HP Networking switches support DHCPv4 and DHCPv6 snooping. Configuring both versions helps protect your entire network by blocking unintended or rogue DHCPv4 and DHCPv6 servers. By default, all ports are untrusted. Once configured, DHCP server packets are forwarded only if received on a trusted port. DHCP server packets received on an untrusted port are dropped.
To configure a port or range of ports as trusted, enter this command: dhcp-snooping trust <port-list>
You can also use this command in the interface context, in which case you cannot enter a list of ports.
Setting trusted ports
Use the no form of the command to remove the trusted configuration from a port.
If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
To configure a DHCP authorized server address, enter this command in the global configuration context: dhcp-snooping authorized-server <ip-address>
DHCP snooping adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See "Configuring DHCP Relay" in the Management and Configuration Guide for more information on Option 82.)
When DHCP snooping is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion. Option 82 inserted in this manner allows the association of the client's lease with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.
NOTE: DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled.
If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
Syntax:
[no] dhcp-snooping option 82 [remote-id <mac|subnet-ip|mgmt-ip>] [untrusted-policy <drop|keep|replace>]
Parameter | Description |
---|---|
option 82 | Enables DHCP Option 82 insertion in the packet. |
remote-id | Set the value used for the remote-id field of Option 82: mac, subnet-ip or mgmt-ip. |
untrusted-policy | Configures DHCP snooping behavior when forwarding a DHCP packet from an untrusted port that already contains DHCP relay information (Option 82). The default is drop. |
NOTE: The default
Changing the remote-id from a MAC to an IP address
By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this command with the associated parameter: dhcp-snooping option 82 remote-id <subnet-ip|mgmt-ip>
DHCP snooping option 82 using the VLAN IP address
DHCP snooping drops DHCP packets received on untrusted ports when the client hardware address (chaddr) field in the DHCP header does not match the source MAC address of the packet (default behavior). To disable this checking, use the no form of the dhcp-snooping verify command.
DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:
- Client MAC address
- Port number
- VLAN identifier
- Leased IP address
- Lease time
The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location. To configure this location, use this command.
Syntax:
[no] dhcp-snooping database [file <tftp://<ip-address>/<ascii-string>>] [delay <15-86400>] [timeout <0-86400>]
Parameter | Description |
---|---|
file | Must be in Uniform Resource Locator (URL) format: "tftp://ip-address/ascii-string". The maximum filename length is 63 characters. |
delay | Number of seconds to wait before writing to the database. Default = 300 seconds. |
timeout | Number of seconds to wait for the database file transfer to finish before returning an error. A value of zero (0) means retry indefinitely. Default = 300 seconds. |
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command.
Syntax: show dhcp-snooping binding
DHCP snooping binding database contents
NOTE: If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the switch reboots and is completed quickly. If the switch is unable to read the lease database from the tftp server, it waits until that operation times out and then begins forwarding DHCP packets.
DHCP snooping max-binding prevents binding entries from being exhausted. The feature is configured per port: it restricts the maximum number of bindings allowed on a port/interface and applies to untrusted interfaces only. The maximum bindings for a particular port includes both statically configured and dynamically learned bindings. The number of bindings on each port is maintained continuously, i.e. incremented upon a lease offer and decremented upon a lease expiry or release.
DHCP snooping max-binding can be configured in the configuration context or in the interface context of an untrusted interface. In the configuration context, a port or a list of ports is selected for which max-binding is to be configured, and then the max-binding value is provided within the range <1-8192>. In the interface context, after selecting the interface on which max-binding is to be configured, the max-binding value is provided within the range <1-8192>. The max-binding configuration for a port can be removed using the no form of the command. max-binding cannot be set on trusted ports or on ports whose associated VLAN is not DHCP-snooping enabled. Once the max-bindings limit on an interface is reached, packets from DHCP clients that do not have a binding entry are dropped.
Syntax:
(config)# dhcp-snooping max-bindings [PORT-LIST] [MAX-BINDING-NUM]
Configure the maximum number of bindings on specified ports. The maximum number of bindings default value is 8192. The allowed range on a port is 1 to 8192.
Syntax:
(interface)# dhcp-snooping <trust|max-bindings> [1-8192]
Configures the maximum binding value on a port. Only this number of clients are allowed on a port. By specifying [no] the max-binding is removed from the configuration and set to the default value of 8192.
Syntax: show dhcp-snooping
Show all available dhcp-snooping information.
Syntax: show dhcp-snooping stats
Shows the dhcp-snooping statistics.
To enable debug logging for DHCP snooping, use this command.
Syntax:
[no] debug security dhcp-snooping [agent|event|packet]
Parameter | Description |
---|---|
agent | Displays DHCP snooping agent messages. |
event | Displays DHCP snooping event messages. |
packet | Displays DHCP snooping packet messages. |
- DHCP snooping is not configurable from the WebAgent or menu interface.
- If packets are received at too high a rate, some may be dropped and need to be re-transmitted.
- HP recommends running a time synchronization protocol such as SNTP in order to track lease times accurately.
- A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
Event log message | Meaning |
---|---|
Server <ip-address> packet received on untrusted port <port-number> dropped. | Indicates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted. |
Ceasing untrusted server logs for %s. | More than one packet was received from a DHCP server on an untrusted port. To avoid filling the log file with repeated attempts, untrusted server drop packet events will not be logged for the specified <duration>. |
Client packet destined to untrusted port <port-number> dropped. | Indicates that the destination of a DHCP client unicast packet is on an untrusted port. This event is recognized when a client unicast packet is dropped because the destination address is out a port configured as untrusted. |
Ceasing untrusted port destination logs for %s. | More than one client unicast packet with an untrusted port destination was dropped. To avoid filling the log file with repeated attempts, untrusted port destination attempts will not be logged for the specified <duration>. |
Unauthorized server <ip-address> detected on port <port-number>. | Indicates that an unauthorized DHCP server is attempting to send packets. This event is recognized when a server packet is dropped because authorized servers are configured and a server packet is received from a server that is not configured as an authorized server. |
Ceasing unauthorized server logs for <duration>. | More than one unauthorized server packet was dropped. To avoid filling the log file with repeated attempts, unauthorized server transmit attempts will not be logged for the specified <duration>. |
Received untrusted relay information from client <mac-address> on port <port-number>. | Indicates the reception on an untrusted port of a client packet containing a relay information option field. This event is recognized when a client packet containing a relay information option field is dropped because it was received on a port configured as untrusted. |
Ceasing untrusted relay information logs for <duration>. | More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>. |
Client address <mac-address> not equal to source MAC <mac-address> detected on port <port-number>. | Indicates that a client packet source MAC address does not match the "chaddr" field. This event is recognized when the dhcp-snooping agent is enabled to filter DHCP client packets that do not have a matching "chaddr" field and source MAC address. |
Ceasing MAC mismatch logs for <duration>. | More than one DHCP client packet with a mismatched source MAC and chaddr field was dropped. To avoid filling the log file with repeated attempts, client address mismatch events will not be logged for the specified <duration>. |
Attempt to release address <ip-address> leased to port <port-number> detected on port <port-number> dropped. | Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to. |
Ceasing bad release logs for %s. | More than one bad DHCP client release packet was dropped. To avoid filling the log file with repeated bad release dropped packets, bad releases will not be logged for <duration>. |
Lease table is full, DHCP lease was not added. | The lease table is full and this lease will not be added to it. |
Write database to remote file failed errno (error-num). | An error occurred while writing the temporary file and sending it using tftp to the remote server. |
DHCP packets being rate-limited. | Too many DHCP packets are flowing through the switch and some are being dropped. |
Snooping table is full. | The DHCP binding table is full and subsequent bindings are being dropped. |
The agent remote-id and circuit-id fields are left as vendor-specific and, of course, differ between switch platforms. Detecting the different formats is a little hit-and-miss, but seems to be possible between HP and Cisco, at least. When I get time later, I may look at Extreme XOS stuff as we use that too (although only in our data centres, where we don't have DHCP in use, except to set up servers initially).
HP DHCP Snooping and Option 82
HP has three modes for the remote-id, set with the dhcp-snooping option 82 remote-id global command: mac (the default) - just 6 bytes of the base MAC address of the switch, subnet-ip - the switch's IP address on the VLAN with the client (I have no idea what happens if there isn't one set), and mgmt-ip - the management IP address (the IP address set on the management VLAN). The latter looks the most useful. There is no leading byte to indicate which of these options has been selected.
There seems to be no way to control the format the circuit-id takes: on the switches I've tested it on (a 2610-24-PWR and a 5412), it's two bytes. The first is zero and I assume would increase with slot numbers on a chassis-based switch (the AP I have on the 5412 is in slot A and it's still 0); the second is the port number.
Cisco and HP Option 82 information compared
The remote-id is as follows:
Vendor | Format | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7- |
---|---|---|---|---|---|---|---|---|---|
Cisco | (default) | 0 | Switch base MAC address | | | | | | |
Cisco | hostname | 1 | Len | Hostname or explicit string | | | | | |
HP | mac | Switch base MAC address | | | | | | | |
HP | subnet-ip | Client VLAN IP address? | | | | | | | |
HP | mgmt-ip | Management VLAN IP address | | | | | | | |
The logic to parse this field seems best as:
- If byte 0 is 1, it's probably a Cisco hostname (it's unlikely to be an IP address '1.q.r.s' or a multicast MAC address), so print the string starting at byte 2
- If it's 4 bytes long, assume it's an HP IP address, so print it as an IPv4 address
- Else assume it's an HP MAC address so print as colon-separate hex string (which, if it's not a MAC address, we can still translate)
The circuit-id is as follows:
Vendor | Format | 0 | 1 | 2 | 3 | 4 | 5 | 6- |
---|---|---|---|---|---|---|---|---|
Cisco | vlan-mod-port | 0 | 4 (= Length) | VLAN ID (big endian, 2 bytes) | | Module (slot) | Port | |
Cisco | string | 1 | Length | Port and VLAN string | | | | |
HP | - | Slot | Port | | | | | |
- Cisco - parse the 2-byte VLAN ID and print the port as 'module/port' in decimal
- HP - print the data as hyphen-separated decimals (it could be separated by slashes, but this is just to differentiate)
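As an added example (not code from this post), the following Python implements the remote-id and circuit-id rules just listed as a standalone decoder, so the heuristics can be tried on byte strings without a running dhcpd. It also splits the raw Option 82 value into its RFC 3046 sub-options (code 1 = circuit-id, code 2 = remote-id), which the dhcpd expressions get for free via agent.circuit-id and agent.remote-id. The sample byte strings are constructed; the hostname "sw-01", the VLAN and port numbers and the address 172.30.64.114 are illustrative values.

```python
# Added example (not code from the blog post): decodes Option 82 (RFC 3046)
# relay-agent sub-options with the vendor heuristics described above.
# The sample byte strings are constructed, not captured traffic.
import ipaddress

CIRCUIT_ID, REMOTE_ID = 1, 2   # RFC 3046 sub-option codes


def parse_option82(raw):
    """Split an Option 82 value into {sub-option code: value bytes}."""
    subs = {}
    i = 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated Option 82 sub-option")
        subs[code] = value
        i += 2 + length
    if i != len(raw):
        raise ValueError("trailing bytes after last sub-option")
    return subs


def decode_remote_id(data):
    """Remote-id rules: Cisco hostname, then HP 4-byte IP, else MAC-like hex."""
    if not data:
        return "absent"
    if data[0] == 1:                       # Cisco 'hostname' format: 1, length, string
        return "hostname:" + data[2:2 + data[1]].decode("ascii", "replace")
    if len(data) == 4:                     # HP subnet-ip / mgmt-ip: a bare IPv4 address
        return "ip:" + str(ipaddress.IPv4Address(data))
    return "mac:" + ":".join(f"{b:02x}" for b in data)   # HP mac, or anything else


def decode_circuit_id(data):
    """Cisco vlan-mod-port and string formats; otherwise HP slot/port as decimals."""
    if not data:
        return "absent"
    if len(data) == 6 and data[0] == 0 and data[1] == 4:   # Cisco vlan-mod-port
        vlan = int.from_bytes(data[2:4], "big")
        return f"cisco vlan {vlan} port {data[4]}/{data[5]}"
    if data[0] == 1:                                        # Cisco 'string' format
        return "cisco string:" + data[2:2 + data[1]].decode("ascii", "replace")
    return "hp port " + "-".join(str(b) for b in data)      # HP: slot-port


def describe_agent(raw):
    """Return (circuit-id description, remote-id description) for a raw Option 82 value."""
    subs = parse_option82(raw)
    return decode_circuit_id(subs.get(CIRCUIT_ID, b"")), decode_remote_id(subs.get(REMOTE_ID, b""))


# Constructed samples (illustrative values, not captured packets)
HP_MGMT_IP = bytes([CIRCUIT_ID, 2, 0, 23,                    # HP circuit-id: slot 0, port 23
                    REMOTE_ID, 4, 172, 30, 64, 114])         # HP remote-id mgmt-ip
CISCO_HOSTNAME = bytes([CIRCUIT_ID, 6, 0, 4, 0, 10, 1, 5,    # vlan-mod-port: VLAN 10, module 1, port 5
                        REMOTE_ID, 7, 1, 5]) + b"sw-01"      # hostname format, length 5
CISCO_DEFAULT = bytes([REMOTE_ID, 7, 0]) + bytes.fromhex("001a2b3c4d5e")   # 0 then base MAC, per the table

if __name__ == "__main__":
    for name, raw in [("HP", HP_MGMT_IP), ("Cisco hostname", CISCO_HOSTNAME), ("Cisco default", CISCO_DEFAULT)]:
        print(name, describe_agent(raw))
```

The HP sample decodes to port "0-23" and the management address, which is the same shape as the log line at the end of this post; a Cisco default remote-id falls through to the hex rule, as the post anticipates.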
Cisco configuration
The following is what I've used on the Cisco switches; the lines with a leading '!' are defaults:
```
ip dhcp snooping vlan ...
!ip dhcp snooping information option
ip dhcp snooping information option format remote-id hostname
!no ip dhcp snooping information option allow-untrusted
ip dhcp snooping database ...
ip dhcp snooping database write-delay 900
ip dhcp snooping
!
interface <uplink>
 ip dhcp snooping trust
```
On the Cisco routers, I've issued the following, to allow Option 82 to be set by a downstream switch:
```
ip dhcp relay information trust-all
```
HP configuration
The following is what I've used on HP switches; the lines with a leading '!' are defaults:
```
dhcp-snooping vlan ...
dhcp-snooping option 82 remote-id mgmt-ip
!dhcp-snooping option 82 untrusted-policy drop
!dhcp-snooping option 82
dhcp-snooping database file ...
dhcp-snooping
!
interface <uplink>
 dhcp-snooping trust
```
Printing the agent details in ISC DHCP
Adapting the code posted before to cope with these variations:
```
# if the agent (Option 82) details are present, attempt to read information
# from them; this is tricky because different vendors and configurations can
# return information in conflicting formats and it's difficult to work out
# what format the information is in, so we make some assumptions
if exists agent.remote-id {
    if substring(option agent.remote-id, 0, 1) = 1 {
        # the first byte of the remote ID is 1 - that's unlikely to be an IP
        # address and, if it were a MAC address it would be multicast, so it is
        # probably a hostname from a Cisco switch
        log(
            info,
            concat(
                'agent information ',
                binary-to-ascii(10, 8, '.', leased-address),
                ' to ',
                binary-to-ascii(16, 8, ':', substring(hardware, 1, 6)),
                ' on ',
                # byte 1 holds the hostname length; the string starts at byte 2
                substring(option agent.remote-id, 2, extract-int(substring(option agent.remote-id, 1, 1), 8)),
                ' port ',
                # Cisco vlan-mod-port circuit-id: byte 4 is the module, byte 5 the port
                binary-to-ascii(10, 8, '', substring(option agent.circuit-id, 4, 1)),
                '/',
                binary-to-ascii(10, 8, '', substring(option agent.circuit-id, 5, 1)),
                ' VLAN ',
                # bytes 2-3 hold the VLAN ID as a big-endian 16-bit value
                binary-to-ascii(10, 16, '', substring(option agent.circuit-id, 2, 2))));
    }
}
```
This gives log output for an HP:
```
Sep 16 22:56:52 janganmun dhcpd: agent information 172.30.162.130 to 6c:f3:7f:c0:54:cf on 172.30.64.114 port 0-23
```