Hp Procurve Dhcp Snooping



You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.

Page 29 ProCurve (config)# dhcp-snooping option 82 remote-id subnet-ip ProCurve (config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping Enabled Vlans Verify MAC Option 82 untrusted policy: drop Option 82 Insertion Option 82 remote-id Disabling the MAC Address Check DHCP snooping drops DHCP packets received on untrusted ports when the check address (chaddr) field in the DHCP. Dhcp-snooping dhcp-snooping authorized-server 192.168.0.254 dhcp-snooping vlan 1 interface Trk1 dhcp-snooping trust exit The switches are set to trust BOTH the port the authorized dhcp server is attached to and its IP address. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, HP recommends that you have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, use the following command in the global configuration context. To enable DHCP snooping on a VLAN or range of VLANs enter this command: HP Switch (config)# dhcp-snooping vlan You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4.

Condition for dropping a packet

Condition for Dropping a PacketPacket Types
A packet from a DHCP server received on an untrusted portDHCPOFFER, DHCPACK, DHCPNACK
If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses.DHCPOFFER, DHCPACK, DHCPNACK
Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packetN/A
Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received from an untrusted portN/A
A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is receivedDHCPRELEASE, DHCPDECLINE

DHCP snooping is enabled globally by entering this command:

Use the no form of the command to disable DHCP snooping.

Syntax:

[no]dhcp-snooping [authorized-server|database|option|trust|verify|vlan]

authorized server

Enter the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers.

database

To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.

option

Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information.

trust

Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted.

verify

Enables DHCP packet validation. The DHCP client hardware address field and the source MAC address must be the same for packets received on untrusted ports or the packet is dropped. Default: Yes.

vlan

Enable DHCP snooping on a vlan. DHCP snooping must be enabled already. Default: No.

To display the DHCP snooping configuration, enter this command:

Output for the show dhcp-snooping command

To display statistics about the DHCP snooping process, enter this command:

An example of the output is shown below.

Output for the show DHCP snooping statistics command

DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command:

You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4.

HP Networking switches support DHCPv4 and DHCPv6 snooping. Configuring both versions helps protect your entire network by blocking unintended or rogue DHCPv4 and DHCPv6 servers. By default, all ports are untrusted. Once configured, DHCP server packets are forwarded only if received on a trusted port. DHCP server packets received on an untrusted port are dropped.

To configure a port or range of ports as trusted, enter this command:

You can also use this command in the interface context, in which case you are not able to enter a list of ports.

Setting trusted ports

Use the no form of the command to remove the trusted configuration from a port.

To configure a port or range of ports as trusted, enter this command:

You can also use this command in the interface context, in which case you are not able to enter a list of ports.

Use the no form of the command to remove the trusted configuration from a port.

If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.

To configure a DHCP authorized server address, enter this command in the global configuration context:

DHCP adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See “Configuring DHCP Relay” in the Management and Configuration Guide for more information on Option 82.)

When DHCP is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion. Option 82 inserted in this manner allows the association of the client’s lease with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.

Igmp

NOTE: DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANS without snooping enabled.

If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.

Syntax:

[no]dhcp-snooping option 82 [remote-id <mac|subnet-ip|mgmt-ip>][untrusted-policy <drop|keep|replace>]

Enables DHCP Option 82 insertion in the packet

Hp Procurve Firmware

remote-id

Set the value used for the remote-id field of the relay information option.

mac

The switch mac address is used for the remote-id. This is the default.

subnet-ip

The IP address of the VLAN the packet was received on is used for the remote-id. If subnet-ip is specified but the value is not set, the MAC address is used.

mgmt-ip

The management VLAN IP address is used as the remote-id. If mgmt-ip is specified but the value is not set, the MAC address is used.

untrusted-policy

Configures DHCP snooping behavior when forwarding a DHCP packet from an untrusted port that already contains DHCP relay information (Option 82). The default is drop.

drop

The packet is dropped.

keep

The packet is forwarded without replacing the option information.

replace

The existing option is replaced with a new Option 82 generated by the switch.

NOTE: The default drop policy should remain in effect if there are any untrusted nodes, such as clients, directly connected to this switch.

Changing the remote-id from a MAC to an IP address

By default, DHCP snooping uses the MAC address of the switch as the remoteid in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this command with the associated parameter:

DHCP snooping option 82 using the VLAN IP address

DHCP snooping drops DHCP packets received on untrusted ports when the check address (chaddr) field in the DHCP header does not match the source MAC address of the packet (default behavior). To disable this checking, use the no form of this command.

DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:

  • Client MAC address

  • Port number

  • VLAN identifier

  • Leased IP address

  • Lease time

The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location. To configure this location use this command.

Syntax:

[no]dhcp-snooping database [file <tftp://<ip-address>/<ascii-string>>][delay <15-86400>][timeout <0-86400>]

file

Must be in Uniform Resource Locator (URL) format – “tftp://ip-address/ascii-string”. The maximum filename length is 63 characters.

delay

Number of seconds to wait before writing to the database. Default = 300 seconds.

timeout

Number of seconds to wait for the database file transfer to finish before returning an error. A value of zero (0) means retry indefinitely. Default = 300 seconds.

Hp procurve disable dhcp snooping

A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command.

Syntax:

DHCP snooping binding database contents

Procurve

NOTE: If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the switch reboots and is completed quickly. If the switch is unable to read the lease database from the tftp server, it waits until that operation times out and then begins forwarding DHCP packets.

DHCP snooping max-binding prevents binding entries from getting exhausted. This feature is on a per-port basis. It restricts the maximum number of bindings allowed on a port/interface. It applies to untrusted interfaces only. The maximum bindings for a particular port includes both statically configured and dynamically learned. The number of bindings on a per port basis is maintained i.e., incremented upon a lease offer and decremented upon a lease expiry or release.

DHCP snooping max-binding can be configured in configuration context or in an interface context for an untrusted interface. In case of configuration context, a port or a list of ports is selected for which max-binding is to be configured. Then the corresponding max-binding value is provided within a range of <1-8192>. For the interface context, after selecting the interface on which max-binding is to be configured, the max-binding value is provided within a range of <1-8192>. The max-binding configuration for a port can be removed using the no option of the command. max-binding cannot be set on trusted ports and ports for which the associated VLAN is not DHCP-snooping enabled. Once the max-bindings limit on an interface is reached, packets for DHCP clients which do not have a binding entry are dropped.

Syntax:

(config)# dhcp-snooping max-bindings [PORT-LIST][MAX-BINDING-NUM]

Configure the maximum number of bindings on specified ports. The maximum number of bindings default value is 8192. The allowed range on a port is 1 to 8192.

Syntax:

(interface)# dhcp-snooping <trust|max-bindings>[1-8192]

Configures the maximum binding value on a port. Only this number of clients are allowed on a port. By specifying [no] the max-binding is removed from the configuration and set to the default value of 8192.

Syntax:

Show all available dhcp-snooping information.

Example:

Syntax:

Shows the dhcp-snooping statistics.

Hp Switch Igmp Snooping

To enable debug logging for DHCP snooping, use this command.

Syntax:

[no]debug security dhcp-snooping [agent|event|packet]

Hp Procurve 2910al 48g

agent

Displays DHCP snooping agent messages.

event

Displays DHCP snooping event messages.

packet

Displays DHCP snooping packet messages.

  • DHCP is not configurable from the WebAgent or menu interface.

  • If packets are received at too high a rate, some may be dropped and need to be re-transmitted.

  • HP recommends running a time synchronization protocol such as SNTP in order to track lease times accurately.

  • A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.

Hp Procurve Dhcp Snooping Configuration

Server <ip-address> packet received on untrusted port <port-number> dropped.

Indicates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted.

Ceasing untrusted server logs for %s.

More than one packet was received from a DHCP server on an untrusted port. To avoid filling the log file with repeated attempts, untrusted server drop packet events will not be logged for the specified <duration>.

Client packet destined to untrusted port <port-number> dropped.

Indicates that the destination of a DHCP client unicast packet is on an untrusted port. This event is recognized when a client unicast packet is dropped because the destination address is out a port configured as untrusted.

Ceasing untrusted port destination logs for %s.

More that one client unicast packet with an untrusted port destination was dropped. To avoid filling the log file with repeated attempts, untrusted port destination attempts will not be logged for the specified <duration>.

Unauthorized server <ip-address> detected on port <port-number>.

Indicates that an unauthorized DHCP server is attempting to send packets. This event is recognized when a server packet is dropped because there are configured authorized servers and a server packet is received from a server that is not configured as an authorized server.

Ceasing unauthorized server logs for <duration>.

More than one unauthorized server packet was dropped. To avoid filling the log file with repeated attempts, unauthorized server transmit attempts will not be logged for the specified <duration>.

Received untrusted relay information from client <mac-address> on port <port-number>.

Indicates the reception on an untrusted port of a client packet containing a relay information option field. This event is recognized when a client packet containing a relay information option field is dropped because it was received on a port configured as untrusted.

Ceasing untrusted relay information logs for <duration>.

More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>.

Client address <mac-address> not equal to source MAC <mac-address> detected on port <port-number>.

Indicates that a client packet source MAC address does not match the “chaddr” field. This event is recognized when the dhcp-snooping agent is enabled to filter DHCP client packets that do not have a matching “chaddr” field and source MAC address.

Ceasing MAC mismatch logs for <duration>.

More than one DHCP client packet with a mismatched source MAC and chaddr field was dropped. To avoid filling the log file with repeated attempts, client address mismatch events will not be logged for the specified <duration>.

Attempt to release address <ip-address> leased to port <port-number> detected on port <port-number> dropped.

Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to.

Ceasing bad release logs for %s.

More than one bad DHCP client release packet was dropped. To avoid filling the log file with repeated bad release dropped packets, bad releases will not be logged for <duration>.

Lease table is full, DHCP lease was not added.

The lease table is full and this lease will not be added to it.

Write database to remote file failed errno (error-num).

An error occurred while writing the temporary file and sending it using tftp to the remote server.

DHCP packets being rate-limited.

Too many DHCP packets are flowing through the switch and some are being dropped.

Snooping table is full.

The DHCP binding table is full and subsequent bindings are being dropped.