network cisco ccna gns3 certification arteq

a network runs through it


Sunday, January 20, 2013

dhcp snooping...


below is a brief article i wrote some time ago about trust...


http://insearchofthecert.blogspot.com/2012/05/snoop-dog.html

here is a link to a series of great articles by petr lapukhov of INE about option 82...

http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/

As you know, DHCP relay is supposed to insert the “giaddr” field in the relayed DHCP packets, so that DHCP server may identify the pool to be used for the request. The choice of the pool is made based on the “giaddr” field or the incoming interface, if the “giaddr” is missing or zero. Option 82 serves as refinement to the request, allowing the DHCP server to select a “sub-range” in the pool.

option 82 sometimes gets in the way... the question is, can it be safely removed?

in this scenario, we have just this dilemma...

DLS1#debug ip dhcp serv pack
DHCP server packet debugging is on.
DLS1#
Jul 26 18:04:54.059: DHCPD: Reload workspace interface Vlan10 tableid 0.
Jul 26 18:04:54.059: DHCPD: tableid for 10.1.10.252 on Vlan10 is 0
Jul 26 18:04:54.059: DHCPD: client's VPN is .
Jul 26 18:04:54.059: DHCPD: inconsistent relay information.
Jul 26 18:04:54.059: DHCPD: relay information option exists, but giaddr is zero.

the topology is from the net acad tshoot manual:


we see dhcp snooping is not enabled for the vlan in question, vlan 10, but option 82 is enabled...

DLS1#sh ip dhcp snoop
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0016.c706.9680 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------  

giaddr is the gateway ip address field, filled in by the relay agent that forwarded the request...

from the doccd: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/12-4t/config-dhcp-server.html#GUID-AB964011-EADA-4888-BCD1-E52E91F3AA49

Automatic DHCP address allocation is typically based on an IP address, whether it be the gateway address (giaddr field of the DHCP packet) or the incoming interface IP address. In some networks, it is necessary to use additional information to further determine which IP addresses to allocate. By using option 82, the Cisco IOS relay agent has long been able to include additional information about itself when forwarding client-originated DHCP packets to a DHCP server. The Cisco IOS DHCP server can also use option 82 as a means to provide additional information to properly allocate IP addresses to DHCP clients. 

when ip dhcp snooping is enabled, and also enabled for vlan 10:

DLS1#sh run | b ip dhcp snoop
ip dhcp snooping vlan 10
ip dhcp snooping


option 82 is not automatic for the requesting device:

DLS1#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0016.c706.9680 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

when we try to renew from the client on als1:


DLS1#
Jul 26 18:32:32.136: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82


so it wants option 82...

but this is funny...

if you try to follow the rules by using the hostname argument:

DLS1(config)#ip dhcp snoop info option format remote-id hostn
DLS1(config)#
Jul 26 18:52:15.845: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giadd


shit out of luck...

but if you allow all untrusted, bingo:

DLS1(config)#ip dhcp snoop inform option all
DLS1(config)#
Jul 26 18:54:46.258: DHCPD: Reload workspace interface Vlan10 tableid 0.
Jul 26 18:54:46.258: DHCPD: tableid for 10.1.10.252 on Vlan10 is 0
Jul 26 18:54:46.258: DHCPD: client's VPN is .
Jul 26 18:54:46.258: DHCPD: DHCPREQUEST received from client 01e8.9a8f.98a7.03.
Jul 26 18:54:46.258: DHCPD: Sending DHCPACK to client 01e8.9a8f.98a7.03 (10.1.10.1).
Jul 26 18:54:46.258: DHCPD: no option 125
Jul 26 18:54:46.258: DHCPD: unicasting BOOTREPLY to client e89a.8f98.a703 (10.1.10.1).
Jul 26 18:54:46.258: D
DLS1(config)#HCPD: no option 125

you figure it out... just trust everything and it works... some feature that...
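to make the two checks behind those log lines concrete, here is an added example (not from this post, not from Cisco) in python: it builds a constructed DHCPREQUEST, decodes giaddr and option 82 in the vlan-mod-port / MAC remote-id format that "sh ip dhcp snoop" lists, and then applies both the snooping untrusted-port rule (with and without allow-untrusted) and the server's "relay information option exists, but giaddr is zero" consistency check. the client and switch MACs are the ones in the output above; the module and port numbers are assumed.

```python
import struct
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
RELAY_AGENT_INFO = 82         # option 82, DHCP relay agent information

def cisco_option82(vlan, module, port, switch_mac):
    """Option 82 body in the 'vlan-mod-port' circuit-id / MAC remote-id format listed by 'sh ip dhcp snoop'."""
    circuit_id = b"\x00\x04" + struct.pack("!HBB", vlan, module, port)   # sub-option 1
    remote_id = b"\x00\x06" + switch_mac                                  # sub-option 2
    return b"\x01" + bytes([len(circuit_id)]) + circuit_id + b"\x02" + bytes([len(remote_id)]) + remote_id

def build_dhcp_request(client_mac, giaddr="0.0.0.0", option82=None):
    """Constructed minimal DHCPREQUEST (BOOTP header + options); not a captured packet."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, bytes(4), bytes(4),
                      bytes(4), bytes(int(x) for x in giaddr.split(".")), client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = b"\x35\x01\x03"  # option 53, message type 3 = DHCPREQUEST
    if option82 is not None:
        opts += bytes([RELAY_AGENT_INFO, len(option82)]) + option82
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Return (giaddr as dotted string, option 82 sub-options as {number: bytes} or None if absent)."""
    giaddr = ".".join(str(b) for b in pkt[24:28])    # giaddr is at offset 24 of the BOOTP header
    i, opt82 = 240, None                              # options start right after the magic cookie
    while i < len(pkt) and pkt[i] != 0xFF:            # 0xFF ends the option list
        if pkt[i] == 0:                               # pad option: one byte, no length field
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        body = pkt[i + 2:i + 2 + length]
        if code == RELAY_AGENT_INFO:
            opt82, j = {}, 0
            while j + 2 <= len(body):                 # walk the sub-option TLVs
                opt82[body[j]] = body[j + 2:j + 2 + body[j + 1]]
                j += 2 + body[j + 1]
        i += 2 + length
    return giaddr, opt82

def snooping_verdict(pkt, port_trusted, allow_untrusted=False):
    """Snooping ingress rule: an untrusted port may not carry giaddr or option 82 unless allow-untrusted is set."""
    giaddr, opt82 = parse_dhcp(pkt)
    if not port_trusted and not allow_untrusted and (giaddr != "0.0.0.0" or opt82 is not None):
        return "DROP: non-zero giaddr or option82 on untrusted port"
    return "FORWARD"

def server_relay_check(pkt):
    """The server-side check behind the 'inconsistent relay information' debug line."""
    giaddr, opt82 = parse_dhcp(pkt)
    if opt82 is not None and giaddr == "0.0.0.0":
        return "inconsistent relay information: option 82 present but giaddr is zero"
    return "ok"
```

the port_trusted argument is the per-interface alternative to allow-untrusted: trusting only the uplink that carries relayed traffic keeps the global check in force on every access port.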
