1
00:00:12,850 --> 00:00:18,130
OK, so let's configure DHCP snooping. Before I do that, once again,

2
00:00:20,280 --> 00:00:26,970
on the clients or PCs, when I use the command ipconfig /renew,

3
00:00:28,100 --> 00:00:37,340
we can see that the PCs are getting IP addresses from the rogue DHCP server. In some cases they get

4
00:00:37,340 --> 00:00:42,980
an IP address from the enterprise server, but in other cases they get an IP address from the rogue

5
00:00:43,520 --> 00:00:44,180
DHCP server.

6
00:00:45,970 --> 00:00:46,960
Here's PC 1:

7
00:00:48,900 --> 00:00:56,850
a rogue DHCP server IP address has been allocated. Typically it's the server that replies first, and here

8
00:00:56,850 --> 00:01:01,560
you can see the PC got an IP address from the enterprise DHCP server.

9
00:01:05,770 --> 00:01:13,450
So in simulation mode, when I use the command ipconfig /renew, we can see that the DHCP message is

10
00:01:13,450 --> 00:01:17,110
sent to the switch and is flooded to both servers.

11
00:01:19,720 --> 00:01:28,720
A DHCP message is sent from the rogue server to the client, and the client receives this DHCP message

12
00:01:28,720 --> 00:01:35,500
from the rogue server. We can see it's a broadcast from the rogue DHCP server.

13
00:01:37,420 --> 00:01:43,810
IP address is 10.1.100.201 on the rogue DHCP server.

14
00:01:45,410 --> 00:01:48,890
We can see that that's the IP address of the rogue server.

15
00:01:51,690 --> 00:01:58,710
My Packet Tracer simulation broke there, so let's do that again on PC 2: ipconfig /renew.

16
00:02:00,170 --> 00:02:02,030
The message is sent to the switch.

17
00:02:02,070 --> 00:02:03,110
It's flooded out.

18
00:02:06,060 --> 00:02:15,000
In this example, a DHCP message from the enterprise server is sent to the PC. We can see that the source

19
00:02:15,000 --> 00:02:17,850
IP address is 10.1.1.200.

20
00:02:19,600 --> 00:02:22,920
In the inbound PDU, we can see that as well.
21
00:02:25,970 --> 00:02:29,780
The client sends a reply, but notice the

22
00:02:31,090 --> 00:02:32,250
rogue server

23
00:02:33,290 --> 00:02:34,520
is also sending

24
00:02:35,930 --> 00:02:38,180
DHCP messages into the network.

25
00:02:39,670 --> 00:02:47,980
So what we want to do is block DHCP offers and other DHCP server messages from the rogue DHCP server.

26
00:02:49,280 --> 00:02:52,520
So let's configure the switch. Here's the console.

27
00:02:53,670 --> 00:03:01,800
Now, this is a bug in Packet Tracer: even though I change the font size of the CLI,

28
00:03:03,760 --> 00:03:10,800
on 2960 switches the font remains small, so I'll have to zoom in on this video to make it clearer.

29
00:03:11,440 --> 00:03:14,600
My apologies for that, but there's not much I can do about it.

30
00:03:15,250 --> 00:03:16,630
It's a bug in Packet

31
00:03:16,630 --> 00:03:19,150
Tracer. show ip interface brief:

32
00:03:20,610 --> 00:03:26,820
we can see that interfaces FastEthernet0/1 to 0/4 are currently up.

33
00:03:28,730 --> 00:03:35,040
show ip dhcp snooping: at the moment DHCP snooping is disabled.

34
00:03:35,690 --> 00:03:42,200
It's not configured on any VLANs at the moment, and no interfaces are trusted.

35
00:03:43,040 --> 00:03:50,960
So in global configuration mode, I'm simply going to type ip dhcp snooping and press enter.

36
00:03:53,220 --> 00:03:57,750
So now show ip dhcp snooping. Notice it's enabled.

37
00:03:58,730 --> 00:04:03,710
We're told that it's not enabled for any VLANs; we'll need to configure that.

38
00:04:04,670 --> 00:04:09,170
But let's see what happens at the moment on the PCs.

39
00:04:11,300 --> 00:04:17,180
ipconfig /renew on PC 2. Does the PC get an IP address?

40
00:04:17,220 --> 00:04:18,140
No, it doesn't.

41
00:04:19,839 --> 00:04:24,070
Do that again: no IP address is received.
42
00:04:24,970 --> 00:04:29,680
In simulation mode in Packet Tracer, ipconfig /renew.

43
00:04:30,720 --> 00:04:35,370
The DHCP message is sent to the switch, and notice it's simply dropped.

44
00:04:38,420 --> 00:04:45,980
When I click on the message, the switch receives the frame. We've got an inbound PDU, but there's no

45
00:04:45,980 --> 00:04:47,680
outbound PDU at all.

46
00:04:50,120 --> 00:04:53,220
The PC is trying to get an IP address, but it's simply dropped.

47
00:04:53,990 --> 00:04:56,090
We see other messages such as spanning tree,

48
00:04:57,530 --> 00:05:02,630
but notice when I run the simulation again, ipconfig /renew:

49
00:05:04,220 --> 00:05:10,010
the DHCP message gets sent to the switch and is simply dropped by the switch.

50
00:05:11,280 --> 00:05:18,210
So we've stopped PCs getting IP addresses from the rogue DHCP server, but we've effectively broken

51
00:05:18,210 --> 00:05:19,470
the network at the moment.

52
00:05:20,940 --> 00:05:24,080
debug ip dhcp snooping,

53
00:05:26,670 --> 00:05:28,890
and let's have a look at packets.

54
00:05:32,400 --> 00:05:46,380
ip dhcp snooping vlan 1. In this case, the PCs are configured in VLAN 1. All ports are currently

55
00:05:46,380 --> 00:05:54,020
in VLAN 1, so I'm gonna enable DHCP snooping on VLAN 1, and then on FastEthernet0/2

56
00:05:54,510 --> 00:05:59,310
I'm going to trust that port.

57
00:06:00,470 --> 00:06:04,970
So we're going to trust messages from the enterprise server.

58
00:06:06,350 --> 00:06:09,810
Again, I'm running the debug, and notice at this point

59
00:06:09,830 --> 00:06:16,850
we see the output of the debug: we received a packet on FastEthernet0/4.

60
00:06:18,200 --> 00:06:22,520
We can see that it was a broadcast; it's a DHCP request message.

61
00:06:23,670 --> 00:06:27,570
We can see that a message was received on FastEthernet0/2,

62
00:06:28,670 --> 00:06:30,560
and the switch is forwarding those messages.

63
00:06:32,420 --> 00:06:34,070
So let's do that again.
64
00:06:35,740 --> 00:06:37,330
ipconfig /renew.

65
00:06:38,400 --> 00:06:41,250
We've received a message on FastEthernet0/4,

66
00:06:42,320 --> 00:06:50,690
which once again is where PC 2 is. We can see it's a DHCP request; the DHCP reply has been sent back

67
00:06:50,900 --> 00:06:58,670
out of FastEthernet0/4 after it was received on FastEthernet0/2. So on FastEthernet0/2

68
00:06:59,180 --> 00:07:07,250
we received a message from source IP address 10.1.1.200 to a destination address of a broadcast.

69
00:07:08,060 --> 00:07:08,660
The IP address

70
00:07:08,660 --> 00:07:11,090
to allocate to the client is 10.1.1.1.

71
00:07:12,330 --> 00:07:19,380
DHCP server IP address and default gateway information is shown here, and on the client we can see

72
00:07:19,590 --> 00:07:22,650
that that's what was allocated to the client.

73
00:07:23,890 --> 00:07:24,950
So that looks better.

74
00:07:24,970 --> 00:07:28,300
Let's run the renew multiple times

75
00:07:31,380 --> 00:07:40,440
and see if we receive any offers from the rogue DHCP server. At the moment, we're not. In this lab the

76
00:07:40,440 --> 00:07:45,510
enterprise DHCP server has this IP address, 10.1.1.200.

77
00:07:47,150 --> 00:07:50,430
The DHCP pool is 10.1.1.0.

78
00:07:51,140 --> 00:07:57,110
So if our network is configured correctly, PCs should only get IP addresses in that range.

79
00:07:59,800 --> 00:08:04,840
The rogue DHCP server has an IP address of 10.1.100.201.

80
00:08:05,860 --> 00:08:09,940
It's offering IP addresses in the range 10.1.100.0.

81
00:08:11,990 --> 00:08:14,090
What about PC 1?

82
00:08:17,510 --> 00:08:25,190
It's also only receiving IP addresses in the 10.1.1.0 range; it's not receiving IP addresses

83
00:08:25,190 --> 00:08:30,050
from the rogue DHCP server.