WEBVTT

0:00:02.760000 --> 0:00:07.540000
Hello and welcome to this video titled, Configuring DHCP Snooping in Cisco

0:00:07.540000 --> 0:00:11.920000
IOS. In this video, I'm going to show you the commands to actually get

0:00:11.920000 --> 0:00:16.540000
DHCP snooping working, and a command to verify that it's actually turned

0:00:16.540000 --> 0:00:19.100000
on and doing what you expected it to do.

0:00:19.100000 --> 0:00:23.160000
So let's start with our configuration commands for DHCP snooping.

0:00:23.160000 --> 0:00:28.620000
Step number one, we have to enable it globally with the IP DHCP snooping

0:00:28.620000 --> 0:00:33.640000
command. Now, this command is a little funny because when you turn this

0:00:33.640000 --> 0:00:37.200000
on, it doesn't appear to be doing anything.

0:00:37.200000 --> 0:00:39.620000
There are no tables that are built.

0:00:39.620000 --> 0:00:42.420000
DHCP snooping doesn't appear to be doing much.

0:00:42.420000 --> 0:00:45.940000
So here's an analogy I want to draw with this command.

0:00:45.940000 --> 0:00:50.600000
If you have ever configured a routing protocol in a Cisco router before,

0:00:50.600000 --> 0:00:53.680000
now if you haven't, this analogy is not going to make much sense to you.

0:00:53.680000 --> 0:00:57.940000
But in a router, if you configure a routing protocol, what do you normally

0:00:57.940000 --> 0:01:04.860000
do? You say at the global configuration level, you say router, and then

0:01:04.860000 --> 0:01:06.100000
you configure your protocol.

0:01:06.100000 --> 0:01:09.200000
For example, router rip.

0:01:09.200000 --> 0:01:13.340000
Now, once you do that and you hit enter, it'll drop you down into a

0:01:13.340000 --> 0:01:16.900000
sub-mode called config-router.

0:01:16.900000 --> 0:01:24.640000
Now, if you configure router rip or router OSPF or router EIGRP, that

0:01:24.640000 --> 0:01:27.960000
alone is not really doing anything.

0:01:27.960000 --> 0:01:30.000000
It won't start the routing protocol.
0:01:30.000000 --> 0:01:31.180000
It won't learn routes.

0:01:31.180000 --> 0:01:33.080000
It won't advertise routes.

0:01:33.080000 --> 0:01:36.720000
But that command is doing something in the background.

0:01:36.720000 --> 0:01:38.740000
It's actually doing several things.

0:01:38.740000 --> 0:01:42.640000
It's telling the central processing unit, the brain of the router, hey,

0:01:42.640000 --> 0:01:45.520000
start up this routing protocol process.

0:01:45.520000 --> 0:01:47.740000
In other words, get ready to run the logic.

0:01:47.740000 --> 0:01:50.980000
It's also saying, hey, this routing protocol is going to need some memory

0:01:50.980000 --> 0:01:55.060000
for things. Like it's going to need to carve out some memory to store

0:01:55.060000 --> 0:01:58.940000
routes and to store the information about routes it's about to learn.

0:01:58.940000 --> 0:02:02.380000
So this command here says, hey, let's take some of our memory and carve

0:02:02.380000 --> 0:02:06.360000
out a section of it that this routing protocol is going to use.

0:02:06.360000 --> 0:02:10.240000
So now when we do our next command to actually start the routing protocol

0:02:10.240000 --> 0:02:14.420000
and get it operational, everything's already pre-built in the background

0:02:14.420000 --> 0:02:17.840000
and ready and working and ready to go.

0:02:17.840000 --> 0:02:22.240000
Same thing is true here with the IP DHCP snooping command.

0:02:22.240000 --> 0:02:27.360000
You see, DHCP snooping is going to require a DHCP snooping binding database

0:02:27.360000 --> 0:02:32.220000
to be built. So this command here tells the CPU, hey, get ready, carve

0:02:32.220000 --> 0:02:36.180000
out some memory, structure it the way we're going to need to create the

0:02:36.180000 --> 0:02:39.800000
DHCP snooping binding table and get it ready to go.
0:02:39.800000 --> 0:02:43.660000
The next command after that is actually going to be the command that's

0:02:43.660000 --> 0:02:48.800000
going to enable DHCP snooping on the VLAN of your choice, like IP DHCP snooping

0:02:48.800000 --> 0:02:54.840000
VLAN 2 or VLAN 2-7 to run it across a range of VLANs.

0:02:54.840000 --> 0:02:59.800000
And because we already did the IP DHCP snooping command, it's ready to go.

0:02:59.800000 --> 0:03:04.400000
It's carved out the memory, it's ready to start building the binding database.

0:03:04.400000 --> 0:03:10.700000
Now, with just those two commands, we're not done yet because every interface

0:03:10.700000 --> 0:03:14.900000
in the VLAN that we selected here will be configured as an untrusted port

0:03:14.900000 --> 0:03:19.820000
for DHCP snooping, which means whatever interface is connected to our

0:03:19.820000 --> 0:03:24.600000
real legitimate DHCP server is not going to have any packets transmitted

0:03:24.600000 --> 0:03:26.340000
out of that interface.

0:03:26.340000 --> 0:03:31.380000
So we need to go to that interface and configure it right here as IP DHCP

0:03:31.380000 --> 0:03:35.640000
snooping trust. We need to make at least one interface a trusted port

0:03:35.640000 --> 0:03:39.940000
that leads to our legitimate DHCP server.

0:03:39.940000 --> 0:03:44.720000
I skipped over a command there, the IP DHCP snooping limit rate command.

0:03:44.720000 --> 0:03:50.480000
So one form of a DHCP attack is called a DHCP denial of service attack,

0:03:50.480000 --> 0:03:53.680000
where someone could say, hey, what I'm going to do is I'm just going to

0:03:53.680000 --> 0:03:58.900000
start some packet generator on my laptop, which is going to create maybe

0:03:58.900000 --> 0:04:03.900000
1,000 DHCP discover packets every single second.
0:04:03.900000 --> 0:04:08.400000
Now, I'm just going to pound the DHCP server over and over and over again

0:04:08.400000 --> 0:04:12.580000
with DHCP discover packets to where maybe it just kills the server.

0:04:12.580000 --> 0:04:17.540000
I just hit the server so often with DHCP discovers that it fries it and

0:04:17.540000 --> 0:04:19.520000
just causes it to crash.

0:04:19.520000 --> 0:04:24.620000
Well, this command here could prevent that by rate limiting incoming packets.

0:04:24.620000 --> 0:04:29.260000
Now, just be aware, this command here only works on untrusted

0:04:29.260000 --> 0:04:33.560000
interfaces, which is where a DHCP attack would normally initiate from

0:04:33.560000 --> 0:04:40.280000
anyway. And this last command is very important.

0:04:40.280000 --> 0:04:43.920000
So if you've done any studying of DHCP snooping or watched any of my other

0:04:43.920000 --> 0:04:47.140000
videos, you will have learned that when you enable DHCP snooping on a

0:04:47.140000 --> 0:04:53.060000
switch, by default, it will insert a special DHCP option called option

0:04:53.060000 --> 0:04:57.080000
82 into the DHCP client messages.

0:04:57.080000 --> 0:05:02.220000
This is a bad thing because most DHCP servers don't recognize option 82.

0:05:02.220000 --> 0:05:07.760000
And if you have a router or another switch configured as a DHCP server,

0:05:07.760000 --> 0:05:12.280000
it will drop those DHCP client messages when it sees option 82.

0:05:12.280000 --> 0:05:13.420000
It doesn't like that.

0:05:13.420000 --> 0:05:16.240000
So we need to tell DHCP snooping, don't do that.

0:05:16.240000 --> 0:05:21.280000
So here we're going to want to configure no IP DHCP snooping information

0:05:21.280000 --> 0:05:25.120000
option, which means don't put in option 82.

0:05:25.120000 --> 0:05:29.440000
So when you configure this, this is how you monitor it, with the show

0:05:29.440000 --> 0:05:32.100000
IP DHCP snooping command.
0:05:32.100000 --> 0:05:35.280000
And you can see here it verifies that DHCP snooping has been configured

0:05:35.280000 --> 0:05:40.860000
and is running on the VLAN of your choice, like VLAN 18.

0:05:40.860000 --> 0:05:44.500000
It'll show you here whatever interfaces you've configured as trusted

0:05:44.500000 --> 0:05:50.500000
interfaces. And just as importantly, we can see here it verifies that

0:05:50.500000 --> 0:05:53.420000
option 82 is disabled.

0:05:53.420000 --> 0:05:56.140000
We do not want option 82 turned on.

0:05:56.140000 --> 0:05:56.860000
So this is good.

0:05:56.860000 --> 0:05:59.620000
This confirms it has been disabled.

0:05:59.620000 --> 0:06:05.220000
Now, how do I know that DHCP snooping is actually seeing anything and

0:06:05.220000 --> 0:06:06.280000
building any tables?

0:06:06.280000 --> 0:06:09.100000
Well, we can look at the binding database.

0:06:09.100000 --> 0:06:14.140000
Show IP DHCP snooping binding shows us the various clients that have passed

0:06:14.140000 --> 0:06:18.460000
through here. So we can see, for example, that on FastEthernet 0/

0:06:18.460000 --> 0:06:23.640000
4, which is an untrusted interface, we have seen the client with this

0:06:23.640000 --> 0:06:30.160000
particular MAC address, that client was offered and accepted that IP address.

0:06:30.160000 --> 0:06:36.100000
We can see in seconds how long the lease is good for, and all that information

0:06:36.100000 --> 0:06:41.340000
was gleaned via the DHCP snooping information or the DHCP snooping feature

0:06:41.340000 --> 0:06:50.860000
on VLAN 18. So the show IP DHCP snooping binding command gives us all

0:06:50.860000 --> 0:06:52.860000
of that good output.

0:06:52.860000 --> 0:06:59.840000
So that concludes this video on DHCP snooping configuration and verification.
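The complete command sequence the video walks through (global enable, per-VLAN enable, trusted uplink, rate limit on untrusted ports, option 82 off, then the two show commands), collected into one Catalyst IOS configuration as an added example. This is not configuration taken from the video; VLAN 18 matches the video's example, but the interface names, the trunk uplink toward the server and the 15 pps limit are assumptions chosen for illustration.

```cisco
! Added example, not from the video. Interface names, the uplink
! toward the DHCP server and the 15 pps rate are assumptions.

! 1. Enable the feature globally. Nothing is filtered yet; this only
!    starts the snooping process and allocates the binding database.
ip dhcp snooping

! 2. Turn it on for the client VLAN(s). A range such as "2-7" also works.
ip dhcp snooping vlan 18

! 3. Do not insert option 82 (the relay-agent information option).
!    An IOS router or switch acting as the DHCP server drops client
!    messages that carry option 82 with giaddr 0.0.0.0 by default.
no ip dhcp snooping information option

! 4. Trust the port that leads to the real DHCP server. Every port is
!    untrusted by default, and untrusted ports drop server-originated
!    messages (OFFER, ACK, NAK) that arrive on them, so without this
!    the legitimate server's replies never reach the clients.
interface GigabitEthernet0/1
 description Uplink toward the DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust

! 5. Rate-limit DHCP on the untrusted access ports. A normal client
!    sends a handful of DHCP packets per lease, so 15 pps is generous;
!    a flood of DISCOVERs exceeding it err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 18
 ip dhcp snooping limit rate 15

! Optional: recover rate-limited ports automatically instead of by hand.
errdisable recovery cause dhcp-rate-limit

! Verification (privileged EXEC):
!   show ip dhcp snooping          - VLAN 18 configured and operational,
!                                    option 82 insertion disabled,
!                                    Gi0/1 listed as trusted
!   show ip dhcp snooping binding  - one MAC / IP / lease (seconds) /
!                                    VLAN / interface row per client
!                                    learned on an untrusted port
```

Two practical caveats. Leave the rate limit off trusted uplinks and trunks toward other switches, since those carry the aggregate DHCP traffic of many clients and will trip a per-port limit sized for one host; and keep in mind that the binding table is populated only from exchanges seen on untrusted ports, so a client hanging off a trusted port never appears in `show ip dhcp snooping binding`. If you do want option 82 retained (some servers use it for per-port address policy), the alternative on an IOS DHCP server is `ip dhcp relay information trust-all`, which accepts relay-agent information arriving with a zero giaddr, rather than stripping the option at the switch.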