DHCP Snooping and Dynamic ARP Inspection

By stretch | Wednesday, August 18, 2010 at 3:01 a.m. UTC

DHCP snooping is a feature which allows a Cisco Catalyst switch to inspect DHCP traffic traversing a layer two segment and track which IP addresses have been assigned to hosts on which switch ports. This information can be handy for general troubleshooting, but it was designed specifically to aid two other features: IP source guard and dynamic ARP inspection. These features help to mitigate IP address spoofing at the layer two access edge. I've already covered IP source guard (with and without DHCP), so today we'll look at how to implement dynamic ARP inspection.

First, we need to enable DHCP snooping, both globally and per access VLAN:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------

In this scenario, our multilayer switch is relaying DHCP requests toward a central DHCP server elsewhere on the network, a behavior enabled by adding one or more ip helper-address commands under the access VLAN interface. However, if the access switch was functioning only at layer two, we would have to designate our uplink interfaces as trusted interfaces by applying the command ip dhcp snooping trust to the layer two interfaces. This informs the switch that DHCP responses are allowed to arrive on those interfaces.

Legitimate DHCP clients and their assigned IP addresses will appear in the DHCP snooping binding table:

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:19:AA:7D:E6:88   192.168.10.2     86250       dhcp-snooping   10    FastEthernet0/3
Total number of bindings: 1

Next, we'll enable dynamic ARP inspection for the VLAN. (When enabling the feature for multiple VLANs, a range of VLAN numbers can be specified.)

Switch(config)# ip arp inspection vlan 10
Switch(config)# ^Z
Switch# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0

Notice in the above output that source MAC, destination MAC, and IP address validation are indicated as being disabled. We can optionally enable one or more of these additional validation checks to achieve even more thorough security with the command ip arp inspection validate followed by the address type.

Now suppose an intruder connects to VLAN 10 on interface FastEthernet0/5 and begins sending gratuitous ARP replies, purporting to be the default router for the subnet in an attempt to initiate a man-in-the-middle attack. The switch inspects these ARP packets and does not find an entry in the DHCP snooping table for the source IP address 192.168.10.1 on port FastEthernet0/5. The packets are consequently discarded by the switch, as evidenced by this log message:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10.
([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Mar 1 1993])

We can see the drop counter begin to increase in the output of show ip arp inspection:

Switch# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10             22              2              2              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10             22              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0

A word of caution

If the DHCP server is an IOS router directly connected to the layer two segment, you may see it throw the following error if DHCP server debugging is enabled (debug ip dhcp server packet):

DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.

The router is complaining about the presence of DHCP option 82 with a null value being added by the switch performing DHCP snooping. This is easily remedied by issuing the command no ip dhcp snooping information option in global configuration on the switch to disable the addition of option 82 to DHCP requests. Check out this article by Internetwork Expert for more information.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Switching

Comments


robgil
August 18, 2010 at 7:01 a.m. UTC

Great post on the two, although another word of caution... If you are enabling this in a production environment be sure to let DHCP snooping run for at least half the time of the DHCP leases if not more. With ARP Inspection depending on the DHCP snooping table, it is going to need to have some entries or you will be seeing a lot of those log messages. :)


Karsten
August 18, 2010 at 11:55 a.m. UTC

My typical problem when implementing DAI was, that there were always PCs with hardcoded IP-addresses, regardless what the Client-Staff told me ... To help myself, I wrote a little (very basic) Python-script, that compares the entries of the DHCP-snooping-bindings with the the arp-entries of the connected L3-switch. You can download the script on my blog. The page is in german, but the script is pretty easy to use.


Josey (guest)
September 1, 2010 at 10:29 p.m. UTC

Hi there,
I really liked your article here. I set up dhcp snooping on a site using your guide this evening and it worked great. However I am a little confused about the "ip dhcp snooping information option" command. On the site I implemented tonight I configured "no ip dhcp snooping information option" on every switch, works fine but on a previous site I have "ip dhcp snooping information option" on all switches and DHCP snooping still works.

In both cases the DHCP Server is a cisco switch.

Should I do a "no ip dhcp snooping information option" on my previous config, is there an impact on issuing it or if I leave it as is is there a danger of problems down the road?

Many thanks,

Josey


ben_j
October 24, 2010 at 12:41 a.m. UTC

@robgil: Serious question, because I've held off implementing DAI in our environment (University) as a result: What happens when (not if) the switch is reloaded because of a power disruption? Actually, may have answered my own question - I seem to remember that you can have the binding table written to a non-volatile location (TFTP or the like) so that it's immediately repopulated when the switch reloads.

Has anyone tried this and found that it does/doesn't work well?

Retro-fitting the network with DAI also raises a fear about just who you'll end up cutting off because they've been given a static IP that isn't recorded anywhere (by someone else, of course!)?

@stretch: Great site. Just discovered it. Keep up the good work.

Cheers,
Ben.


john (guest)
April 12, 2011 at 4:14 p.m. UTC

Hi Jeremy

I have 2 3560 distribution switches both connected via L2 etherchannel. Underneath it is 10 access switches mix of 3550s and 2950Gs. I want to implement arp inspection and dhcp snooping. my dhcp server is on the 3550 switch. ip helper address is also implemented on my 3560s. my question is, where do I place the dhcp snooping and ip arp inspection? do i need to place it also on the trunk ports? including the etherchannel?

thanks in advance.


passer_by (guest)
May 29, 2011 at 7:58 p.m. UTC

Hi John, i think you need to put the ip dhcp snooping and ip arp inspection configuration in the global configuration ( you also need to specify which vlan you would want to implement these features.) You need to put the ip dhcp snooping trust and ip arp inspection trust in the uplinks. (e.g. trunk ports to other switches)


n9 (guest)
June 21, 2011 at 8:35 a.m. UTC

Hi,

Do we need to create the DHCP snooping table? or it will get generated automatically?

Thanks,
N9.


9Stratagem
October 18, 2012 at 8:44 p.m. UTC

Good article. :)

Also remember to "ip arp inspection trust" any uplink ports to other switches in the environment. Non-issue in a single switch environment like this how-to.


sclinton13 (guest)
March 21, 2013 at 1:28 a.m. UTC

An alternative to the "no ip dhcp snooping information option" would also be to have the router that is acting as the IOS DHCP server configured with the "ip dhcp relay information trust-all" command.

The command makes IOS DHCP server accept empty giaddr in the DHCP messages.


A guest
May 11, 2015 at 5:08 p.m. UTC

thanks


Ben Piper (guest)
March 7, 2016 at 5:00 p.m. UTC

Just don't configure DHCP snooping with 15.0(2)SE5 on a 3560 :)


bob (guest)
August 12, 2016 at 10:52 p.m. UTC

HI what happen if enabled ip arp inspection with dhcp snooping in wifi guest network ? DIA block dhcp messages or not if no entry on dhcp binding table if new guest connected to netork what happen ?

Comments have closed for this article due to its age.