DHCP Snooping

DHCP is used for dynamic address assignment and makes attaching endpoints to a network far simpler, but the protocol itself has no security mechanism at all, which makes it an easy target. As soon as a rogue DHCP server appears in a broadcast domain, endpoints are very likely to accept the address (together with the default gateway and DNS server) that the rogue server pushes, so a large part of the broadcast domain either loses connectivity or has its traffic steered through the attacker.

DHCP Snooping feature overview
  • Filters DHCP messages received on untrusted interfaces
  • Rate-limits DHCP traffic per interface
  • Maintains the DHCP snooping binding database (client MAC, IP address, lease, VLAN, interface)
  • Dynamic ARP Inspection (DAI) depends on the information in the DHCP snooping binding database
DHCP Snooping packet filtering

Once DHCP snooping is enabled for a VLAN, the switch drops the following packets when they arrive on an untrusted interface:

  • DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK, DHCPLEASEQUERY); replies from a server are only accepted on trusted interfaces
  • Packets whose Ethernet source MAC address does not match the client hardware address (chaddr) in the DHCP header (checked when ip dhcp snooping verify mac-address is enabled)
  • DHCPRELEASE or DHCPDECLINE messages whose MAC address is in the DHCP snooping binding database but whose interface does not match the binding entry (this stops a host on another port from releasing someone else's lease)
  • DHCP packets that already contain option 82 (unless ip dhcp snooping information option allow-untrusted is configured on that interface)
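To make the four drop rules concrete, here is an added Python model of the decision an untrusted port makes. It is example code written for this page, not code from the page or from Cisco IOS; the DHCP packets, MAC addresses, interface names and the binding table are constructed for illustration. The verify_mac and allow_untrusted_82 flags stand for the ip dhcp snooping verify mac-address and ip dhcp snooping information option allow-untrusted settings configured later on the page.

```python
"""Model of the DHCP snooping drop rules applied on an untrusted port.

Added example: the packets, MAC addresses and binding table below are
constructed for illustration and are not from the page or from Cisco IOS.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the 236-byte BOOTP header
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}    # only a DHCP server legitimately sends these


def mac(dotted):
    """'aabb.cc00.0100' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


def build_dhcp(msg_type, chaddr, extra_options=b""):
    """Minimal DHCP payload: fixed header, cookie, option 53, extra options, END."""
    op = BOOTREPLY if msg_type in SERVER_MSGS else BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0,                      # op, htype=Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,            # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_dhcp(payload):
    """Return (message type, chaddr, {option code: value})."""
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    chaddr = payload[28:28 + payload[2]]          # hlen bytes of the 16-byte chaddr field
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = END
        if payload[i] == 0:                        # 0 = PAD, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts[53][0], chaddr, opts


def snoop_untrusted(eth_src, in_port, payload, bindings,
                    verify_mac=True, allow_untrusted_82=False):
    """Apply the untrusted-port rules; returns (action, reason).

    bindings maps client MAC -> interface, as recorded in the snooping
    binding database. verify_mac models 'ip dhcp snooping verify mac-address',
    allow_untrusted_82 models 'ip dhcp snooping information option allow-untrusted'.
    """
    msg_type, chaddr, opts = parse_dhcp(payload)
    if msg_type in SERVER_MSGS:
        return "drop", "server message (OFFER/ACK/NAK/LEASEQUERY) on untrusted port"
    if verify_mac and eth_src != chaddr:
        return "drop", "Ethernet source MAC does not match chaddr"
    if msg_type in (RELEASE, DECLINE) and chaddr in bindings and bindings[chaddr] != in_port:
        return "drop", "RELEASE/DECLINE for a binding learned on another interface"
    if 82 in opts and not allow_untrusted_82:
        return "drop", "option 82 already present on untrusted port"
    return "permit", "ok"


def demo():
    """Run the rules over constructed packets; returns {case: (action, reason)}."""
    client, attacker = mac("aabb.cc00.0100"), mac("aabb.cc00.0200")   # constructed MACs
    bindings = {client: "Et0/0"}                 # the client got its lease on Et0/0
    with_82 = bytes([82, 2, 0, 0])               # constructed option 82, content irrelevant here
    return {
        "rogue_offer": snoop_untrusted(attacker, "Et0/1", build_dhcp(OFFER, client), bindings),
        "discover": snoop_untrusted(client, "Et0/0", build_dhcp(DISCOVER, client), bindings),
        "spoofed_chaddr": snoop_untrusted(attacker, "Et0/1", build_dhcp(DISCOVER, client), bindings),
        "release_other_port": snoop_untrusted(client, "Et0/1", build_dhcp(RELEASE, client), bindings),
        "release_own_port": snoop_untrusted(client, "Et0/0", build_dhcp(RELEASE, client), bindings),
        "opt82_from_host": snoop_untrusted(client, "Et0/0", build_dhcp(DISCOVER, client, with_82), bindings),
        "opt82_from_edge_switch": snoop_untrusted(client, "Et0/0", build_dhcp(DISCOVER, client, with_82),
                                                  bindings, allow_untrusted_82=True),
    }


if __name__ == "__main__":
    for case, (action, reason) in demo().items():
        print(f"{case:24} {action:6} {reason}")
```

The "release_other_port" case is the one worth remembering: the attacker copies the victim's MAC into both the Ethernet header and chaddr, so the MAC check passes, and only the binding database (which remembers the port the lease was learned on) lets the switch reject the forged release.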
DHCP Snooping option 82 insertion

A switch with DHCP snooping enabled inserts option 82 (the relay agent information option) into the DHCP packets it receives from clients on untrusted ports, and strips it from the server replies before forwarding them to the client:

  • option 82 carries the switch MAC address (remote-id) and the port identity in vlan-mod-port format (circuit-id), as shown in the figure
  • [Figure 1: option 82 suboption format]
  • if 802.1X is enabled, option 82 can carry the RADIUS authentication information
  • the switch inserts the option like a relay agent would, but as a Layer 2 device it leaves the giaddr field at 0.0.0.0, which matters for the check an IOS DHCP server performs (see the Server configuration below)
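The following added Python example encodes and decodes option 82 in the Cisco default layout (circuit-id suboption 1 carrying vlan-mod-port, remote-id suboption 2 carrying the switch MAC) and models the relay-information check that an IOS DHCP server applies to it, which is why the Server configuration later on the page needs ip dhcp relay information trust-all. This is example code, not Cisco's implementation. VLAN 10 and the remote-id aabb.cc00.5000 come from the show output on this page; module 0 / port 1 for the client port and the relay address 192.168.3.1 are assumed for illustration.

```python
"""Cisco default option 82 layout: circuit-id = vlan-mod-port, remote-id = switch MAC.

Added example. The suboption layout is the Cisco-documented default; module/port
are assumed for illustration, VLAN 10 and remote-id aabb.cc00.5000 are the values
from the show output on this page.
"""
import struct

OPTION_82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
CIRCUIT_TYPE_VLAN_MOD_PORT, REMOTE_TYPE_MAC = 0, 0


def build_option82(vlan, module, port, switch_mac):
    """Option 82 TLV as an edge switch inserts it by default (2 + 8 + 10 = 20 bytes)."""
    circuit_id = bytes([SUB_CIRCUIT_ID, 6, CIRCUIT_TYPE_VLAN_MOD_PORT, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([SUB_REMOTE_ID, 8, REMOTE_TYPE_MAC, 6]) + switch_mac
    body = circuit_id + remote_id
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(tlv):
    """Decode the TLV back into {'vlan', 'module', 'port', 'remote_mac'}."""
    if tlv[0] != OPTION_82:
        raise ValueError("not option 82")
    body, i, out = tlv[2:2 + tlv[1]], 0, {}
    while i < len(body):
        sub, length = body[i], body[i + 1]
        val = body[i + 2:i + 2 + length]
        if sub == SUB_CIRCUIT_ID and val[:2] == bytes([CIRCUIT_TYPE_VLAN_MOD_PORT, 4]):
            out["vlan"], out["module"], out["port"] = struct.unpack("!HBB", val[2:])
        elif sub == SUB_REMOTE_ID and val[:2] == bytes([REMOTE_TYPE_MAC, 6]):
            out["remote_mac"] = val[2:].hex(".", 2)      # Cisco dotted notation, e.g. aabb.cc00.5000
        else:
            out.setdefault("unknown", []).append((sub, val))  # other vendors' or custom formats
        i += 2 + length
    return out


def insert_option82(options, tlv):
    """Append option 82 in front of the END (255) byte of a DHCP options field."""
    if not options.endswith(b"\xff"):
        raise ValueError("options field must end with END")
    return options[:-1] + tlv + b"\xff"


def ios_server_accepts(giaddr, has_option82, relay_information_trust=False):
    """Relay-information check of an IOS DHCP server.

    A request that carries option 82 but has giaddr 0.0.0.0 (what a Layer 2
    snooping switch produces) is dropped unless 'ip dhcp relay information
    trust-all' (or 'ip dhcp relay information trusted' on the interface) is set.
    """
    if has_option82 and giaddr == "0.0.0.0" and not relay_information_trust:
        return False
    return True


def demo():
    """Insert option 82 into a DHCPDISCOVER and run the server-side check."""
    switch_mac = bytes.fromhex("aabbcc005000")               # remote-id shown on the page
    tlv = build_option82(vlan=10, module=0, port=1, switch_mac=switch_mac)  # module/port assumed
    options = insert_option82(bytes([53, 1, 1, 255]), tlv)   # option 53 = DISCOVER, then END
    return {
        "tlv_hex": tlv.hex(),
        "decoded": parse_option82(tlv),
        "options_len": len(options),
        "dropped_by_default": not ios_server_accepts("0.0.0.0", True),
        "accepted_with_trust_all": ios_server_accepts("0.0.0.0", True, relay_information_trust=True),
        "accepted_via_real_relay": ios_server_accepts("192.168.3.1", True),  # constructed relay address
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Because the Layer 2 switch never fills in giaddr, the server has no routable relay address to distinguish a snooping switch from a client that simply appended its own option 82; trust-all therefore only makes sense once every untrusted port on the path is already dropping host-supplied option 82.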
DHCP Snooping database

All binding information (client MAC address, IP address, lease time, binding type, VLAN and interface) is stored in the binding database, shown in the figure below

[Figure 2: DHCP snooping binding database]

Default DHCP Snooping settings
Option                                      Default value/state
DHCP snooping                               Disabled
DHCP snooping host tracking feature         Disabled
DHCP snooping information option            Enabled
DHCP option-82 on untrusted port feature    Disabled
DHCP snooping limit rate                    None
DHCP snooping trust                         Untrusted
DHCP snooping vlan                          Disabled
DHCP snooping spurious server detection     Disabled
DHCP snooping detect spurious interval      30 minutes
DHCP Snooping configuration
Topology
[Figure 3: lab topology]

Configuration
Client
Client#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Client(config)#inter e0/0
Client(config-if)#ip add dhcp #obtain the interface address via DHCP
SW1:
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#inter e0/0
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#inter e0/1
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config)#ip dhcp snooping #enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch #check that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option #enable option 82 insertion (enabled by default)
SW1(config)#do show ip dhcp snooping | include 82 #check that option 82 insertion is enabled
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address #drop packets whose source MAC does not match the chaddr field
SW1(config)#do show ip dhcp snooping | include hwaddr #check that the verification is enabled
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db #store the binding database so the bindings survive a reload
SW1(config)#ip dhcp snooping vlan 10 #turn DHCP snooping on for the VLAN
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW1(config-if)#ip dhcp snooping trust #under the interface facing the upstream switch: mark it trusted so that server replies are accepted only there
SW1(config-if)#ip dhcp snooping limit rate 60 #limit DHCP packets per second on the interface as required
SW2:
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 10
SW2(config-vlan)#exit
SW2(config)#inter e0/0
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config-if)#inter e0/1
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config)#ip dhcp snooping #enable DHCP snooping globally
SW2(config)#do show ip dhcp snooping | include Switch #check that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW2(config)#ip dhcp snooping information option #enable option 82 insertion (enabled by default)
SW2(config)#do show ip dhcp snooping | include 82 #check that option 82 insertion is enabled
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW2(config)#ip dhcp snooping verify mac-address #drop packets whose source MAC does not match the chaddr field
SW2(config)#do show ip dhcp snooping | include hwaddr #check that the verification is enabled
Verification of hwaddr field is enabled
SW2(config)#ip dhcp snooping database disk0:/dhcp.db #store the binding database so the bindings survive a reload
SW2(config)#ip dhcp snooping vlan 10 #turn DHCP snooping on for the VLAN
SW2(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW2(config-if)#ip dhcp snooping trust #under the interface facing the upstream DHCP server side: mark it trusted
SW2(config-if)#ip dhcp snooping limit rate 60 #limit DHCP packets per second on the interface as required
SW2(config-if)#inter e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted #on the port facing the downstream (edge) switch, accept packets that already carry option 82 (an untrusted port drops them by default). Use this only on ports that connect to a trusted edge switch: any host on such a port could otherwise inject its own option 82
Server:
DHCP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DHCP(config)#inter e0/0
DHCP(config-if)#ip address 192.168.2.1 255.255.255.0
DHCP(config-if)#no shut
DHCP(config)#ip dhcp pool test #configure the DHCP server pool
DHCP(dhcp-config)#network 192.168.2.0 255.255.255.0
DHCP(dhcp-config)#default-router 192.168.2.1
DHCP(dhcp-config)#dns-server 114.114.114.114
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all #an IOS DHCP server checks the relay information in requests that carry option 82: when giaddr is 0.0.0.0 (which is what a Layer 2 snooping switch leaves in place) the request is dropped unless the server is told to trust it. The alternative is to turn off option 82 insertion on the switches; a contributor in the linked thread says that doing so affects performance, see: https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877
DHCP Snooping wrap-up

Besides the functions above, DHCP snooping also offers the following features:

  • DHCP Snooping host tracking #supported from Release 12.2(33)SXJ2: a cache of vlan-mac-port bindings used when forwarding DHCP packets
  • DHCP Snooping remote database #the binding database can be written to and read from a remote TFTP server instead of local storage
    Full documentation is on the Cisco site (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1140196)
