How to configure DHCP Snooping on EXOS

Objective
DHCP snooping enhances network security by only allowing network hosts to lease IP addresses from trusted DHCP servers. Therefore, the presence of an unauthorized DHCP server on the network will be logged as a violation.
Environment
  • EXOS
  • Summit
  • Black Diamond
Procedure
Configure a trusted port or a trusted server:
configure trusted-port <PORT#> trust-for dhcp-server
configure trusted-servers vlan <VLAN NAME> add server <DHCP SERVER IP> trust-for dhcp-server
Enable DHCP snooping on the ports:
enable ip-security dhcp-snooping vlan <VLAN NAME> ports [ALL | <PORT-LIST>] violation-action drop-packet [block-mac | block-port | snmp-trap] [duration <duration_in_seconds> | permanently]
NOTE: Ensure that ip-security dhcp-snooping is enabled on the ports within the SAME VLAN where DHCP traffic is expected to ingress and egress the switch, and that the violation-action on those ports is set to none.

Configurations can be verified using the following command:
# show ip-security dhcp-snooping vlan <vlan-name>
DHCP Snooping enabled on ports: 39, 40, 41, 42
Trusted Ports: 30
Trusted DHCP Servers: 70.0.0.2
Bindings Restoration     : Enabled
Bindings Filename        : bindings-db.xsf
Bindings File Location   : 10
         Primary Server  : 192.168.0.12, VR-Mgmt, TFTP
         Secondary Server: None
Bindings Write Interval  : 5 minutes

------------------------------------
Port            Violation-action
------------------------------------
39              drop-packet, snmp-trap
40              drop-packet, block-mac permanently
41              drop-packet, snmp-trap
42              drop-packet

When a violation occurs, a log entry is created. Further actions can also be added: block the MAC or the port, or send an SNMP trap. A violation will only occur on a port enabled for dhcp-snooping when incoming DHCP server traffic is detected. DHCP snooping determines that the server is rogue either by checking it against the VLAN's trusted-server configuration or by determining that the port is not a trusted port according to the trusted-port configuration.

[date time]  <Warn:ipSecur.dhcpViol> A Rogue DHCP server on VLAN <vlan-name> with IP <ip-address> was detected on port <client-port>
[date time]  <Warn:ipSecur.drpPkt> DHCP violation occurred on port <client-port> Packet was dropped.
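As an added example (not part of the article or of EXOS itself), the detection logic a defender might run over switch syslog exported from the switch: it parses the two ipSecur message formats shown above into rogue-server hit counts per (VLAN, IP, port) and dropped-packet counts per port, and separately flags a "rogue" whose IP is actually the known DHCP server, since that usually means the server's port or VLAN trust is misconfigured rather than that an attacker is present. The timestamps, VLAN name, IPs and ports in the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the two ipSecur formats shown above.
SAMPLE_LOG = """\
02/11/2024 10:15:02.11 <Warn:ipSecur.dhcpViol> A Rogue DHCP server on VLAN U70 with IP 70.0.0.250 was detected on port 39
02/11/2024 10:15:02.12 <Warn:ipSecur.drpPkt> DHCP violation occurred on port 39 Packet was dropped.
02/11/2024 10:15:07.40 <Warn:ipSecur.dhcpViol> A Rogue DHCP server on VLAN U70 with IP 70.0.0.250 was detected on port 39
02/11/2024 10:15:07.41 <Warn:ipSecur.drpPkt> DHCP violation occurred on port 39 Packet was dropped.
02/11/2024 10:16:30.05 <Warn:ipSecur.dhcpViol> A Rogue DHCP server on VLAN U70 with IP 70.0.0.2 was detected on port 41
02/11/2024 10:17:00.00 <Info:vlan.msgs.portLinkStateUp> Port 12 link UP
"""

ROGUE_RE = re.compile(
    r"<Warn:ipSecur\.dhcpViol> A Rogue DHCP server on VLAN (?P<vlan>\S+) "
    r"with IP (?P<ip>\d+\.\d+\.\d+\.\d+) was detected on port (?P<port>\S+)"
)
DROP_RE = re.compile(
    r"<Warn:ipSecur\.drpPkt> DHCP violation occurred on port (?P<port>\S+)"
)


def summarize(log_text, known_servers=frozenset()):
    """Return (rogue_hits, drops_per_port, misconfigured).

    rogue_hits:    Counter of (vlan, ip, port) for servers not in known_servers.
    drops_per_port: Counter of drpPkt lines per port.
    misconfigured: list of (vlan, ip, port) where the flagged IP is a known
                   server, i.e. its port/VLAN is not configured as trusted.
    """
    rogue_hits, drops, misconfigured = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = ROGUE_RE.search(line)
        if m:
            key = (m["vlan"], m["ip"], m["port"])
            if m["ip"] in known_servers:
                misconfigured.append(key)
            else:
                rogue_hits[key] += 1
            continue
        m = DROP_RE.search(line)
        if m:
            drops[m["port"]] += 1
    return rogue_hits, drops, misconfigured


if __name__ == "__main__":
    # 70.0.0.2 is the trusted server from the show output above.
    for part in summarize(SAMPLE_LOG, {"70.0.0.2"}):
        print(part)
```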
Further details of the violation can also be viewed:
# show ip-security dhcp-snooping violations vlan <vlan-name>
------------------------------------
Port              Violating MAC
------------------------------------
39              00:50:56:2b:98:e0
Active entries in the DHCP Bindings database can be viewed using the following command:
# show ip-security dhcp-snooping entries vlan <vlan-name>
------------------------------------------------------------------
Vlan: U70
------------------------------------------------------------------
                                    Lease Time    Server    Client
IP Addr         MAC Addr            (hh:mm:ss)    Port      Port
-------         --------            ----------    ------    ------
70.0.0.199      00:04:96:99:90:0a   01:00:00      30        39
Additional notes
  • The server VLAN is the one on which DHCP Server traffic returns
  • DHCP Snooping does not work when the Client and Server are in different VRs, even if inter-VR routes have been defined
  • The DHCP Bindings database in EXOS pertains to the collection of IP/MAC/VLAN/Port bindings that have been snooped via DHCP-Snooping
  • DHCP Bindings are only populated from untrusted ports.  All ports on a switch/stack are untrusted unless explicitly defined as trusted ports
  • The DHCP-Bindings Database populates when a DHCP-ACK is returned to a client from the DHCP Server
  • For statically assigned IP addresses, entries MUST be manually added to the bindings database
A conversation thread on some configurations and concepts outlined above can also be followed on the Hub: Can you, please, give me explanation about DHCP-bindings