WEBVTT

0:00:03.200000 --> 0:00:07.160000
Hello and welcome to this video in which I'd like to do a review of configuring

0:00:07.160000 --> 0:00:12.360000
DHCP snooping in Cisco IOS and how you monitor and verify it.

0:00:12.360000 --> 0:00:15.180000
So that's what we're going to look at.

0:00:15.180000 --> 0:00:17.360000
Let's jump right into it.

0:00:17.360000 --> 0:00:21.800000
So DHCP snooping, your very first command is just to enable it globally

0:00:21.800000 --> 0:00:24.880000
with IP DHCP snooping.

0:00:24.880000 --> 0:00:29.960000
Now this command on the outside doesn't really look like it's doing a

0:00:29.960000 --> 0:00:33.260000
lot because the second thing you have to do is basically replicate it

0:00:33.260000 --> 0:00:35.920000
but this time specify the VLAN.

0:00:35.920000 --> 0:00:37.660000
So what does the first command do?

0:00:37.660000 --> 0:00:43.620000
Well, here's an analogy I can paint that will hopefully help clarify this.

0:00:43.620000 --> 0:00:47.660000
If you're familiar with routing protocols, all right, you know on Cisco

0:00:47.660000 --> 0:00:52.020000
routers or even Cisco switches that support routing, what's the first

0:00:52.020000 --> 0:00:54.500000
command you do to start your routing protocol?

0:00:54.500000 --> 0:00:58.160000
Don't you go to the global configuration level and then type router and

0:00:58.160000 --> 0:01:03.940000
then the name like router rip, router EIGRP, router OSPF, and yet if that

0:01:03.940000 --> 0:01:07.880000
was the only thing you typed, it kind of looks like it's not doing anything.

0:01:07.880000 --> 0:01:09.760000
So what's the purpose of that command?

0:01:09.760000 --> 0:01:13.160000
Well, in the world of routing protocols, think about it this way.

0:01:13.160000 --> 0:01:17.680000
All routing protocols need to have a certain section of memory that they

0:01:17.680000 --> 0:01:19.920000
use for their databases and their tables.

0:01:19.920000 --> 0:01:24.880000
So for example, when you enable RIP as a routing protocol, RIP reserves

0:01:24.880000 --> 0:01:28.880000
some of your memory and stores its RIP database in there of all the RIP

0:01:28.880000 --> 0:01:30.640000
routes it's learned about.

0:01:30.640000 --> 0:01:35.420000
EIGRP takes some of the memory and converts it into an EIGRP topology

0:01:35.420000 --> 0:01:38.020000
table for storing of EIGRP routes.

0:01:38.020000 --> 0:01:43.420000
So when you say router rip, router EIGRP, router OSPF or even router BGP,

0:01:43.420000 --> 0:01:46.480000
before you do anything else after that, it's like you're telling your

0:01:46.480000 --> 0:01:48.540000
CPU, hey, get ready.

0:01:48.540000 --> 0:01:50.500000
I'm going to run this protocol.

0:01:50.500000 --> 0:01:54.340000
So can you start formatting the memory and creating these data structures

0:01:54.340000 --> 0:01:59.540000
in advance? So when I actually enable the protocol on an interface, we're

0:01:59.540000 --> 0:02:02.800000
ready to go. We've got the tables all set up in memory and ready to start

0:02:02.800000 --> 0:02:04.820000
populating them with information.

0:02:04.820000 --> 0:02:06.160000
Same thing is true here.

0:02:06.160000 --> 0:02:10.180000
Remember, DHCP snooping in the background in memory is going to populate

0:02:10.180000 --> 0:02:14.480000
something called an IP DHCP snooping binding database.

0:02:14.480000 --> 0:02:17.540000
Well, that's what this command is doing.

0:02:17.540000 --> 0:02:21.600000
It's structuring and formatting and building that database in advance.

0:02:21.600000 --> 0:02:26.620000
So it's ready to go once we actually enable DHCP snooping on a particular

0:02:26.620000 --> 0:02:30.420000
VLAN. That's what's happening, even though you don't really see that with,

0:02:30.420000 --> 0:02:32.940000
you know, syslog messages or anything.

0:02:32.940000 --> 0:02:37.440000
So next, we have to enable DHCP snooping on whatever VLAN we wish.

0:02:37.440000 --> 0:02:42.620000
Now we're not quite done yet because if this was all we did, DHCP wouldn't

0:02:42.620000 --> 0:02:46.920000
work for anybody on that VLAN because as soon as you hit enter for that

0:02:46.920000 --> 0:02:52.180000
command, now all the ports in that VLAN become DHCP snooping untrusted

0:02:52.180000 --> 0:02:56.800000
interfaces, even the interface or interfaces that are leading to your

0:02:56.800000 --> 0:02:59.540000
real legitimate DHCP servers.

0:02:59.540000 --> 0:03:01.720000
And we need those interfaces to be trusted.

0:03:01.720000 --> 0:03:06.080000
So then we want to go to the interface where that server lives and type

0:03:06.080000 --> 0:03:10.480000
IP DHCP snooping trust, make it a trusted interface.

0:03:10.480000 --> 0:03:11.740000
Now, notice here there was one other command.

0:03:11.740000 --> 0:03:12.700000
This is optional.

0:03:12.700000 --> 0:03:16.500000
You don't have to do it, where you can do DHCP snooping rate limiting.

0:03:16.500000 --> 0:03:20.180000
If you're concerned that somebody might be trying to attack your server

0:03:20.180000 --> 0:03:27.900000
by sending to it, you know, 1000 DHCP packets every second to try to overwhelm

0:03:27.900000 --> 0:03:31.640000
the server, you could use this command here to try to prevent that from

0:03:31.640000 --> 0:03:38.180000
happening. Now, this is also a very important command, especially if you're

0:03:38.180000 --> 0:03:41.960000
doing this in a lab environment, hint hint, so pay special attention

0:03:41.960000 --> 0:03:48.760000
to this. So DHCP is built around this idea of options.

0:03:48.760000 --> 0:03:55.060000
Everything the DHCP server sends to you, your default gateway, your DNS server,

0:03:55.060000 --> 0:04:00.240000
your whatever, you know, a bootable file, all that stuff has a

0:04:00.240000 --> 0:04:02.040000
specific option code.

0:04:02.040000 --> 0:04:05.740000
Like off the top of my head, I believe option three is the option number

0:04:05.740000 --> 0:04:06.700000
for the default gateway.

0:04:06.700000 --> 0:04:10.420000
So the default gateway is contained in option three, and then the value

0:04:10.420000 --> 0:04:13.260000
is the default gateway's IP address.

0:04:13.260000 --> 0:04:15.960000
So your DHCP packet contains all sorts of options.

0:04:15.960000 --> 0:04:19.100000
Now, a lot of these options are optional.

0:04:19.100000 --> 0:04:22.240000
You won't see them in a DHCP packet, or, you know, you could choose to

0:04:22.240000 --> 0:04:25.060000
turn them on in your DHCP server.

0:04:25.060000 --> 0:04:27.660000
Well, what does that have to do with this last command?

0:04:27.660000 --> 0:04:29.680000
There's one option.

0:04:29.680000 --> 0:04:37.100000
I'll put it down here; the number of it is option 82.

0:04:37.100000 --> 0:04:38.960000
What does option 82 do?

0:04:38.960000 --> 0:04:43.420000
Well, the idea is, you know, here's your client connected to most likely

0:04:43.420000 --> 0:04:49.800000
a switch. And then the DHCP server is out here somewhere.

0:04:49.800000 --> 0:04:56.120000
If your objective is, hey, when the client's information reaches the server,

0:04:56.120000 --> 0:05:00.640000
in addition to like the client ID, his MAC address, you know, and all

0:05:00.640000 --> 0:05:03.260000
that other stuff, I also want that message.

0:05:03.260000 --> 0:05:06.460000
Let's say this is the DHCP discover that's coming through.

0:05:06.460000 --> 0:05:11.160000
I also want that message to include information about the port on the

0:05:11.160000 --> 0:05:13.460000
switch that received this.

0:05:13.460000 --> 0:05:18.180000
What VLAN that port was in, maybe even the MAC address of the switch itself

0:05:18.180000 --> 0:05:19.620000
that it went through.

0:05:19.620000 --> 0:05:24.120000
You know, if you can find some use for that, that's what option 82 does.

0:05:24.120000 --> 0:05:29.920000
Option 82 inserts into the DHCP packet, as it's flying through the switch,

0:05:29.920000 --> 0:05:33.780000
that information about the port, the VLAN, and the MAC address of the

0:05:33.780000 --> 0:05:39.020000
switch itself. Kind of interesting, but here's the problem.

0:05:39.020000 --> 0:05:45.220000
A lot of DHCP server implementations, if they receive a DHCP message from

0:05:45.220000 --> 0:05:50.060000
the client and it has an unrecognized option inside of it, they'll just

0:05:50.060000 --> 0:05:51.340000
discard the whole message.

0:05:51.340000 --> 0:05:54.080000
It's not like they'll say, oh, I'll process the rest of this message,

0:05:54.080000 --> 0:05:56.420000
but that one field right there that I don't really understand, I'll just

0:05:56.420000 --> 0:05:57.540000
ignore that field.

0:05:57.540000 --> 0:05:59.460000
No, they ignore the whole thing.

0:05:59.460000 --> 0:06:03.960000
And unfortunately, a lot of DHCP server implementations don't understand

0:06:03.960000 --> 0:06:09.340000
option 82. And so you'll never get your DHCP address because you're sending

0:06:09.340000 --> 0:06:10.900000
them an option that they don't understand.

0:06:10.900000 --> 0:06:12.600000
You say, wait a second, I didn't put that in there.

0:06:12.600000 --> 0:06:17.760000
No, you didn't. But the moment you enabled DHCP snooping on the switch,

0:06:17.760000 --> 0:06:21.180000
guess what? He puts it in there by default.

0:06:21.180000 --> 0:06:24.860000
Now, don't ask me why Cisco decided to make this the default behavior

0:06:24.860000 --> 0:06:26.600000
of DHCP snooping.

0:06:26.600000 --> 0:06:30.800000
I have no idea. But essentially, when you enable DHCP snooping on a VLAN,

0:06:30.800000 --> 0:06:35.320000
without you doing anything, it adds option 82 into the packets from the

0:06:35.320000 --> 0:06:37.740000
clients as they're going to the servers.

0:06:37.740000 --> 0:06:42.440000
And this is a bad thing because most servers don't recognize option 82.

0:06:42.440000 --> 0:06:44.440000
Here's another reason why it's a bad thing.

0:06:44.440000 --> 0:06:48.740000
In a lab environment, like the lab tasks we've developed for this particular

0:06:48.740000 --> 0:06:54.580000
set of videos right here, our DHCP server is actually going to be a router.

0:06:54.580000 --> 0:06:56.440000
We're going to have a Cisco router.

0:06:56.440000 --> 0:07:01.280000
Cisco routers, Cisco switches, when you configure them as a DHCP server,

0:07:01.280000 --> 0:07:04.780000
they also don't recognize option 82.

0:07:04.780000 --> 0:07:07.800000
So you can be sitting and scratching your head saying, what's going on?

0:07:07.800000 --> 0:07:12.980000
I've configured my client to obtain an address via DHCP.

0:07:12.980000 --> 0:07:17.480000
I've configured my DHCP pool over here on router three or whatever router

0:07:17.480000 --> 0:07:19.700000
that is, it's all well and good.

0:07:19.700000 --> 0:07:23.660000
But the client is just not getting, and I've configured DHCP snooping

0:07:23.660000 --> 0:07:25.800000
correctly on my switch.

0:07:25.800000 --> 0:07:27.240000
But my client's not getting anything.

0:07:27.240000 --> 0:07:28.000000
What's going on?

0:07:28.000000 --> 0:07:31.480000
Well, the problem is that switch is inserting option 82.

0:07:31.480000 --> 0:07:36.420000
And the moment it gets to your router, which is acting as a DHCP server,

0:07:36.420000 --> 0:07:39.540000
he's discarding it because he doesn't know what option 82 is.

0:07:39.540000 --> 0:07:43.880000
So the moral of the story is, you should just remember that when enabling

0:07:43.880000 --> 0:07:47.060000
DHCP snooping, you want to turn off that option.

0:07:47.060000 --> 0:07:48.380000
You don't want to do that.

0:07:48.380000 --> 0:07:53.800000
So that's where you would say no IP DHCP snooping information option.

0:07:53.800000 --> 0:07:56.800000
That disables it from doing that, which quite frankly, I think should

0:07:56.800000 --> 0:07:59.660000
be the default behavior anyway, but it's not.

0:07:59.660000 --> 0:08:01.820000
So you have to turn that on.

0:08:01.820000 --> 0:08:04.820000
So be warned of that.

0:08:04.820000 --> 0:08:08.080000
Okay. So that was just the basics of configuring it.

0:08:08.080000 --> 0:08:09.940000
Pretty simple. How do we verify it?

0:08:09.940000 --> 0:08:13.960000
Well, we can do show IP DHCP snooping, and it'll show us which VLANs you

0:08:13.960000 --> 0:08:16.260000
have configured and enabled it for.

0:08:16.260000 --> 0:08:19.840000
It'll show us what interfaces you configured as your trusted interfaces.

0:08:19.840000 --> 0:08:23.760000
You've got to have at least one in there leading to a legitimate DHCP server.

0:08:23.760000 --> 0:08:28.620000
Now let me backspace on that for a moment.

0:08:28.620000 --> 0:08:29.840000
So I just said, you've got to have one.

0:08:29.840000 --> 0:08:31.720000
That's not necessarily true.

0:08:31.720000 --> 0:08:34.780000
There is a circumstance when you don't need that.

0:08:34.780000 --> 0:08:38.720000
And let me just do this.

0:08:38.720000 --> 0:08:47.440000
So let's say we have your client or clients right here connected to the

0:08:47.440000 --> 0:08:53.700000
switch. And they are connected to access ports that are in VLAN 2.

0:08:53.700000 --> 0:08:59.940000
All right. And let's say here's your DHCP server over here.

0:08:59.940000 --> 0:09:02.660000
And he's maybe 77777.

0:09:02.660000 --> 0:09:07.620000
And you have to go through your corporate network to reach him, which

0:09:07.620000 --> 0:09:09.760000
is connected to this port on the switch.

0:09:09.760000 --> 0:09:17.760000
Now let's say that this port on the switch, so we've got port 01, 02,

0:09:17.760000 --> 0:09:21.720000
and 03. Now let's say 03 is not in VLAN 2.

0:09:21.720000 --> 0:09:24.440000
You decide you want to put that in a completely different VLAN.

0:09:24.440000 --> 0:09:29.000000
So that maybe is in VLAN 3.

0:09:29.000000 --> 0:09:32.920000
Maybe here's a router right here who's 331.

0:09:32.920000 --> 0:09:36.660000
And that router is routing to you via RIP or EIGRP.

0:09:36.660000 --> 0:09:38.700000
And he's telling you about the 7 network.

0:09:38.700000 --> 0:09:40.680000
So your switch is doing routing.

0:09:40.680000 --> 0:09:43.140000
And so you've got here, you say, all right, well, here's what I want.

0:09:43.140000 --> 0:09:48.920000
On my switch, I want to have an interface VLAN 2.

0:09:48.920000 --> 0:09:52.500000
And that'll be the default gateway for all these laptops here.

0:09:52.500000 --> 0:09:56.200000
So I'll put some IP address on there.

0:09:56.200000 --> 0:10:02.660000
And I'm going to have an interface VLAN 3 with an IP address on it.

0:10:02.660000 --> 0:10:12.340000
And maybe I'll do OSPF or EIGRP or maybe even RIP with router 2 right

0:10:12.340000 --> 0:10:16.140000
here. And that's how router 2 is going to learn about the 2 network.

0:10:16.140000 --> 0:10:20.400000
And that's how router 2 is going to tell me about all the other networks.

0:10:20.400000 --> 0:10:23.940000
All right, so in this environment then, how do we get our network,

0:10:23.940000 --> 0:10:26.220000
our DHCP client message, to that server?

0:10:26.220000 --> 0:10:28.340000
Well, this has nothing to do with DHCP snooping.

0:10:28.340000 --> 0:10:30.320000
This is just a basic DHCP question.

0:10:30.320000 --> 0:10:34.440000
We would need our switch to be a DHCP relay agent.

0:10:34.440000 --> 0:10:37.520000
All right, so we'd have to go to interface VLAN 2 and put in our command

0:10:37.520000 --> 0:10:46.540000
ip helper-address and then point it at the DHCP server like that.

0:10:46.540000 --> 0:10:51.180000
All right, what does this have to do with DHCP snooping?

0:10:51.180000 --> 0:10:59.100000
When your DHCP packets terminate on a layer 3 SVI, he's trusted by default.

0:10:59.100000 --> 0:11:01.280000
As a matter of fact, you can't make him trusted.

0:11:01.280000 --> 0:11:02.880000
There's no command for that.

0:11:02.880000 --> 0:11:04.820000
So this would be a scenario.

0:11:04.820000 --> 0:11:09.580000
And notice I would only have DHCP snooping on VLAN 2 here because that's

0:11:09.580000 --> 0:11:11.400000
where my clients are.

0:11:11.400000 --> 0:11:14.440000
So I'd say IP DHCP snooping.

0:11:14.440000 --> 0:11:23.000000
And then I'd repeat that command for VLAN 2.

0:11:23.000000 --> 0:11:30.820000
Okay, so now by doing that, this port is untrusted.

0:11:30.820000 --> 0:11:34.520000
This port is untrusted.

0:11:34.520000 --> 0:11:42.540000
And we don't need a trusted interface because my layer 3 interface VLAN

0:11:42.540000 --> 0:11:46.860000
2, my switch virtual interface, is trusted by default.

0:11:46.860000 --> 0:11:49.500000
So this would be a situation where you don't have to manually configure

0:11:49.500000 --> 0:11:54.200000
a trusted interface if all your DHCP packets have to go through an SVI

0:11:54.200000 --> 0:11:57.420000
to ultimately reach their destination.

0:11:57.420000 --> 0:12:03.460000
Only if the DHCP server, only if you had a port actually in VLAN 2 that

0:12:03.460000 --> 0:12:08.000000
led to your DHCP server, all right, now we would need that to be a trusted

0:12:08.000000 --> 0:12:18.740000
interface. That would be the situation for that.

0:12:18.740000 --> 0:12:21.160000
All right, so how do we monitor all this?

0:12:21.160000 --> 0:12:22.140000
We already looked at this.

0:12:22.140000 --> 0:12:29.600000
We looked at this command and notice that right here it shows us option

0:12:29.600000 --> 0:12:34.760000
82 is disabled because we turned it off with that no command, right?

0:12:34.760000 --> 0:12:36.620000
Otherwise option 82 will be enabled by default.

0:12:36.620000 --> 0:12:38.900000
So you definitely want to see it being disabled.

0:12:38.900000 --> 0:12:43.960000
You definitely want to turn that off yourself.

0:12:43.960000 --> 0:12:47.800000
And then we can look at the DHCP binding table with show IP DHCP snooping

0:12:47.800000 --> 0:12:52.560000
binding and confirm that our switch has actually been monitoring these

0:12:52.560000 --> 0:12:57.300000
DHCP transactions and has built the binding database.

0:12:57.300000 --> 0:13:04.180000
And that concludes this video on configuration and monitoring of DHCP

0:13:04.180000 --> 0:13:06.260000
snooping. Thank you.
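The following Cisco IOS configuration is an added worked example that pulls the commands discussed in the video into one switch config; it is not part of the original video or its lab materials. It covers the SVI/relay scenario (clients in VLAN 2, server reached through a routed VLAN 3 uplink, no manually trusted port) and notes the variant where a VLAN 2 port leads straight to the server and must be trusted. The interface names (GigabitEthernet1/0/1 to 1/0/3), the subnets 10.2.0.0/24 and 10.3.0.0/24, the server address 10.7.0.10, and the 15 pps rate limit are assumptions chosen for illustration; the routing protocol toward the VLAN 3 router is assumed to be configured separately.

```cisco
! Added example, not from the video. DHCP snooping on a Cisco IOS L3 switch.
! Assumed names/addresses: Gi1/0/1-3, 10.2.0.0/24, 10.3.0.0/24, server 10.7.0.10.
!
! 1. Enable snooping globally (this builds the binding database in memory)
!    and then on the VLAN where the clients live.
ip dhcp snooping
ip dhcp snooping vlan 2
!
! 2. Stop the switch from inserting option 82 into client packets. IOS
!    routers/switches acting as DHCP servers, and many other servers, drop
!    messages carrying an option they do not understand, so clients would
!    silently get no address. Without this line option 82 is on by default.
no ip dhcp snooping information option
!
! 3. Client access ports in VLAN 2. They become untrusted automatically once
!    snooping is enabled for the VLAN. The rate limit is optional and caps
!    DHCP packets per second accepted on each port (15 pps assumed here).
interface range GigabitEthernet1/0/1 - 2
 switchport mode access
 switchport access vlan 2
 ip dhcp snooping limit rate 15
!
! 4. The uplink toward the server is in VLAN 3, where snooping is not
!    enabled, so no trust statement is needed on it.
!    Variant: if this port were instead an access port in VLAN 2 leading
!    directly to the DHCP server, it would need "ip dhcp snooping trust"
!    under the interface, or every DHCP offer from the server would be dropped.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 3
!
! 5. SVIs. Interface Vlan2 is the clients' default gateway and the DHCP
!    relay agent (ip helper-address). An SVI is trusted by default and has
!    no trust command, which is why no trusted port is required here.
ip routing
interface Vlan2
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.7.0.10
interface Vlan3
 ip address 10.3.0.1 255.255.255.0
!
! Verification from privileged EXEC:
!   show ip dhcp snooping          - snooping VLANs, option 82 state, trusted ports
!   show ip dhcp snooping binding  - MAC/IP/lease/VLAN/port entries learned
```

When checking `show ip dhcp snooping`, confirm that VLAN 2 is listed as enabled and that option 82 insertion reads as disabled; if a VLAN 2 port is the path to the server, it must also appear in the trusted-interface list. Entries in `show ip dhcp snooping binding` appear only after a client completes a DHCP exchange through the switch, so an empty table right after configuration is expected until a client renews or requests a lease.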