Configuring Dhcp Snooping and Arp Inspection on Cisco Switches

by: George El., January 2019, Reading time: 4 minutes

DHCP Snooping

DHCP snooping is a feature that protects against rogue DHCP agents (unauthorised DHCP servers). It works by classifying ports as trusted or untrusted: untrusted ports may only forward DHCP client requests, while trusted ports may forward all DHCP messages, including server replies such as offers and acknowledgements.

Steps to configure DHCP snooping

1. Mark the uplink interfaces as trusted.

I assume your DHCP server is on the distribution or core layer. Otherwise you also have to identify the link towards the server and mark it as trusted. In the following example we assume that int gi1/0/48 is the uplink interface. If you have multiple uplinks, you have to mark them all as trusted; if the uplinks form a port channel, put the commands on the port-channel interface.

int gi1/0/48
 ip dhcp snooping trust
 ip arp inspection trust

2. Enable DHCP snooping on the relevant VLANs.

If you don't use the information option (DHCP option 82), you have to disable it; otherwise upstream switches will drop the packets.

ip dhcp snooping vlan X,Y,Z
no ip dhcp snooping information option
ip dhcp snooping

3. Enable ARP inspection

Dynamic ARP inspection uses the DHCP snooping binding database to protect against MAC spoofing (man-in-the-middle) attacks. Before you enable ARP inspection, let DHCP snooping run for at least one lease period, so that the binding table is populated for every host that has renewed its lease.

ip arp inspection vlan X,Y,Z
ip arp inspection log-buffer entries 512
ip arp inspection log-buffer logs 64 interval 3600

3.1 If you have hosts with static IPs, you have to declare them in an ARP access-list and apply it to the inspected VLANs.

arp access-list static-hosts
 permit ip host X.X.X.X mac host xxxx.xxxx.xxxx
ip arp inspection filter static-hosts vlan X,Y,Z
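A helper for step 3.1, added here as an example and not part of the original post: it normalises MAC addresses from an inventory into the dotted-hex form IOS expects, validates the IPv4 addresses, rejects duplicates, and emits the ARP access-list plus the filter command. The inventory, ACL name and VLAN list are constructed sample values.

```python
"""Build the Dynamic ARP Inspection static-host ACL from an inventory.

Added example, not from the original post. Hosts with static IPs have no
DHCP snooping binding, so DAI drops their ARP packets unless they are in
an ARP access-list. STATIC_HOSTS is constructed sample data.
"""
import ipaddress
import re

# Constructed inventory: (ip, mac) with MACs in whatever notation the
# source system used (colons, hyphens or Cisco dotted-hex).
STATIC_HOSTS = [
    ("10.0.13.10", "00:11:22:AA:BB:CC"),
    ("10.0.13.11", "00-11-22-aa-bb-cd"),
    ("10.0.24.5", "0011.22aa.bbce"),
]


def cisco_mac(mac: str) -> str:
    """Normalise a MAC to IOS dotted-hex (xxxx.xxxx.xxxx); ValueError if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_dai_static_acl(hosts, acl_name: str, vlans: str) -> str:
    """Return the IOS lines that declare static hosts for DAI (step 3.1).

    Duplicate IPs or MACs are rejected: a second entry for the same IP
    would let a second MAC legitimately claim that address.
    """
    seen_ip, seen_mac = set(), set()
    lines = [f"arp access-list {acl_name}"]
    for ip, mac in hosts:
        ip_obj = ipaddress.IPv4Address(ip)  # raises AddressValueError on junk
        mac_norm = cisco_mac(mac)
        if ip_obj in seen_ip or mac_norm in seen_mac:
            raise ValueError(f"duplicate entry: {ip} / {mac_norm}")
        seen_ip.add(ip_obj)
        seen_mac.add(mac_norm)
        lines.append(f" permit ip host {ip_obj} mac host {mac_norm}")
    # Without the 'static' keyword, hosts the ACL does not match are still
    # checked against the DHCP snooping binding table.
    lines.append(f"ip arp inspection filter {acl_name} vlan {vlans}")
    return "\n".join(lines)
```

Paste the returned lines into global configuration mode; `print(build_dai_static_acl(STATIC_HOSTS, "static-hosts", "13,24"))` shows the result for the sample inventory.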

4. Confirm DHCP snooping is enabled

sh ip dhcp snooping    
Load for five secs: 3%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 09:13:55.261 EET Fri Jan 11 2019

Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
X,Y,X
DHCP snooping is operational on following VLANs:
X,Y,X
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 6c6c.d382.3580 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
TenGigabitEthernet1/1/1          yes        yes             unlimited
  Custom circuit-ids:
TenGigabitEthernet3/1/1          yes        yes             unlimited
  Custom circuit-ids:
Port-channel1                    yes        yes             unlimited
  Custom circuit-ids:

5. Display the DHCP bindings

sh ip dhcp snooping binding 
Load for five secs: 2%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 09:19:59.328 EET Fri Jan 11 2019

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
9C:93:4E:31:xx:xx   10.x.x.x      114478      dhcp-snooping   14    GigabitEthernet1/0/42
D8:9E:F3:17:xx:xx   10.x.x.x       168988      dhcp-snooping   10    GigabitEthernet1/0/33

6. Show information about ARP inspection

#sh ip arp inspection 

Load for five secs: 6%/0%; one minute: 4%; five minutes: 3%
Time source is NTP, 15:14:32.868 EET Wed Jan 16 2019


Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active                         
   13     Enabled          Active      static-hosts       No 
   24     Enabled          Active      static-hosts       No 
   49     Enabled          Active                         

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    3     Deny             Deny              Off          
   13     Deny             Deny              Off          
   24     Deny             Deny              Off          
   49     Deny             Deny              Off          
          
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3              8              0              0              0
   13         872578          17550          17550              0
   24         167116           7151           7151              0
   49             93              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    3              5              0              3                     0
   13         871878            700              0                     0
   24          58978         108138              0                     0
   49             84              0              9                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
   13                   0                        0                       0
   24                   0                        0                       0
   49                   0                        0                       0
#sh ip arp inspection statistics 
Load for five secs: 3%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 15:15:55.497 EET Wed Jan 16 2019


 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3              8              0              0              0
   13         873128          17550          17550              0
   24         167208           7151           7151              0
   49             93              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    3              5              0              3                     0
   13         872428            700              0                     0
   24          59009         108199              0                     0
   49             84              0              9                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
   13                   0                        0                       0
   24                   0                        0                       0
   49                   0                        0                       0
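To turn the statistics above into something you can watch over time, here is an added example (not from the original post) that parses the per-VLAN drop table of `sh ip arp inspection statistics` and flags VLANs whose drop ratio is above a threshold. SAMPLE is constructed from the statistics output shown above, with a repeated table header of the kind terminal paging inserts; the threshold value is an assumption.

```python
"""Flag VLANs where Dynamic ARP Inspection is dropping traffic.

Added example, not from the original post. SAMPLE is built from the
statistics output shown above, including a paging-style repeated header.
"""
import re

SAMPLE = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3              8              0              0              0
   13         873128          17550          17550              0
   24         167208           7151           7151              0
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   49             93              0              0              0
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_drop_table(text: str) -> dict:
    """Return {vlan: {forwarded, dropped, dhcp_drops, acl_drops}}.

    Header and separator lines never match ROW, so paginated output with
    repeated headers parses the same as unpaged output. The in_table flag
    keeps rows of the other five-column tables out of the result.
    """
    stats, in_table = {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("Vlan"):
            in_table = "Forwarded" in line  # only the drop table has this column
            continue
        m = ROW.match(line)
        if in_table and m:
            vlan, fwd, drop, dhcp, acl = map(int, m.groups())
            stats[vlan] = {"forwarded": fwd, "dropped": drop,
                           "dhcp_drops": dhcp, "acl_drops": acl}
    return stats


def noisy_vlans(stats: dict, max_ratio: float = 0.01) -> list:
    """(vlan, ratio) for VLANs whose dropped/(forwarded+dropped) > max_ratio.
    DHCP Drops usually mean hosts with no binding (static IPs, or a table that
    has not filled yet) rather than an attack, but they need a look."""
    out = []
    for vlan, s in sorted(stats.items()):
        total = s["forwarded"] + s["dropped"]
        if total and s["dropped"] / total > max_ratio:
            out.append((vlan, round(s["dropped"] / total, 3)))
    return out
```

On the sample above, VLANs 13 and 24 are reported, which matches the static-hosts ACL being applied to exactly those VLANs in the configuration table.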
