Port security with DHCP snooping on N2000 does not work as expected
We have configured port-security on the access switches and now I have been trying to add the DHCP snooping feature to this. It seems that DHCP snooping allows the host connected to the port-security protected port to obtain an IP address; however, further communication is blocked.
Below I have reproduced steps and pasted CLI output to demonstrate how I executed my configuration and testing.
Step 1. Port security configured with 1 static MAC address learned in sticky mode, DHCP snooping enabled and port is not trusted.

DEV-SWITCH#show running-config interface gi4/0/12
ip dhcp snooping log-invalid
ip dhcp snooping limit rate 300
ip verify source port-security
switchport port-security
switchport port-security dynamic 0
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001A.4D56.5B58 vlan 1
Port-security is enabled globally:

DEV-SWITCH#show port-security
Port Security Administration Mode: Enabled
...and on the port:
DEV-SWITCH#show port-security gigabitethernet 4/0/12
Interface  Status    Max-dynamic  Max-static  Protect    Frequency  Shutdown   Sticky Mode
---------  --------  -----------  ----------  ---------  ---------  ---------  -----------
Gi4/0/12   Enabled   0            1           Enabled    30         Disabled   Enabled
This mac address is loaded into MAC address table:
DEV-SWITCH#show mac address-table interface Gi4/0/12
Aging time is 300 Sec
Vlan      Mac Address            Type         Port
--------  ---------------------  -----------  ---------------------
1         001A.4D56.5B58         Static       Gi4/0/12
Also, DHCP snooping is enabled:
DEV-SWITCH#show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs: 1
Interface    Trusted     Log Invalid Pkts
-----------  ----------  ----------------
[...]
Gi4/0/12     No          Yes
[...]
Step 2. Host is hooked up to the port and DHCP snooping shows a lease assigned to this MAC address:
DEV-SWITCH#show ip dhcp snooping binding
Total number of bindings: 1
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN  Interface    Type     Lease (Secs)
-----------------  ---------------  ----  -----------  -------  ------------
001A.4D56.5B58     192.168.16.40    1     Gi4/0/12     DYNAMIC  1437
Step 3. When I go to the host and spoof its MAC address (001A.4DAB.CDEF), I get another DHCP binding even though my port-security is allowing only one MAC address:

DEV-SWITCH#show ip dhcp snooping binding
Total number of bindings: 2
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN  Interface    Type     Lease (Secs)
-----------------  ---------------  ----  -----------  -------  ------------
001A.4D56.5B58     192.168.16.40    1     Gi4/0/12     DYNAMIC  1250
001A.4DAB.CDEF     192.168.16.31    1     Gi4/0/12     DYNAMIC  599
Going further, the MAC address table still shows only the legitimate address:
DEV-SWITCH#show mac address-table interface Gi4/0/12
Aging time is 300 Sec
Vlan      Mac Address            Type         Port
--------  ---------------------  -----------  ---------------------
1         001A.4D56.5B58         Static       Gi4/0/12
... and there is a port-security violation on that port:

DEV-SWITCH#show port-security violation gigabitethernet 4/0/12
Last Violation MAC Address     VLAN ID
-----------------------------  -------
001A.4DAB.CDEF                 1
I was expecting port-security to block ALL traffic coming from unwanted MAC addresses. In the above it looks like enabling the DHCP snooping feature bypasses port-security, potentially allowing a malicious client to exhaust the DHCP pool.
Has anyone had similar experience with port-security and DHCP snooping on N2000 series switches?
Thanks in advance!
Sebastian
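As an added example (not from the original post or from Dell), the following Python script shows how an operator could detect the condition described above from the switch's own `show` output: it parses the sticky MAC entries and `maximum` from the interface configuration, parses the rows of `show ip dhcp snooping binding`, and flags any binding on the port whose MAC is not a sticky-secured address, or any case where the number of bindings exceeds the port-security maximum. The sample output embedded below is constructed to mirror the thread's tables; the interface name is passed in by the caller because the running-config excerpt does not carry it.

```python
import re

# Constructed sample, modelled on the thread's `show running-config interface` output.
PORT_SECURITY_CONFIG = """\
ip dhcp snooping log-invalid
ip dhcp snooping limit rate 300
ip verify source port-security
switchport port-security
switchport port-security dynamic 0
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001A.4D56.5B58 vlan 1
"""

# Constructed sample, modelled on the thread's `show ip dhcp snooping binding` output.
SNOOPING_BINDINGS = """\
Total number of bindings: 2
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN  Interface    Type     Lease (Secs)
-----------------  ---------------  ----  -----------  -------  ------------
001A.4D56.5B58     192.168.16.40    1     Gi4/0/12     DYNAMIC  1250
001A.4DAB.CDEF     192.168.16.31    1     Gi4/0/12     DYNAMIC  599
"""

# Dotted-quad MAC format used by the switch CLI (xxxx.xxxx.xxxx).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def parse_sticky_macs(config):
    """Return (allowed MACs, configured maximum) from an interface config excerpt."""
    allowed = set()
    maximum = None
    for line in config.splitlines():
        parts = line.split()
        # Only lines that carry an actual address are sticky entries; the bare
        # "mac-address sticky" line just enables sticky learning.
        if parts[:4] == ["switchport", "port-security", "mac-address", "sticky"] and len(parts) > 4:
            allowed.add(parts[4].upper())
        elif parts[:3] == ["switchport", "port-security", "maximum"]:
            maximum = int(parts[3])
    return allowed, maximum


def parse_bindings(output):
    """Parse the table rows of `show ip dhcp snooping binding` into dicts."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with a MAC; header, dashes and summary lines do not.
        if len(parts) >= 6 and MAC_RE.match(parts[0]):
            rows.append({
                "mac": parts[0].upper(),
                "ip": parts[1],
                "vlan": parts[2],
                "interface": parts[3],
                "type": parts[4],
                "lease": int(parts[5]),
            })
    return rows


def find_unauthorised_bindings(config, bindings_output, interface):
    """Return (bindings whose MAC port-security does not permit, whether the port maximum is exceeded)."""
    allowed, maximum = parse_sticky_macs(config)
    on_port = [b for b in parse_bindings(bindings_output) if b["interface"] == interface]
    findings = [b for b in on_port if b["mac"] not in allowed]
    over_max = maximum is not None and len(on_port) > maximum
    return findings, over_max


if __name__ == "__main__":
    findings, over_max = find_unauthorised_bindings(PORT_SECURITY_CONFIG, SNOOPING_BINDINGS, "Gi4/0/12")
    for b in findings:
        print(f"ALERT: binding {b['ip']} for non-secured MAC {b['mac']} on {b['interface']} (lease {b['lease']}s)")
    if over_max:
        print("ALERT: more DHCP bindings on the port than port-security maximum allows")
```

Run periodically against captured `show` output (for example collected over SSH), this gives an alert for exactly the situation in Step 3: a second binding for 001A.4DAB.CDEF appears while the sticky list holds only 001A.4D56.5B58 and the maximum is 1, so pool consumption by a spoofed MAC is visible even while the switch itself still hands out the lease.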
DELL-Josh Cr (Moderator), May 23rd, 2019 07:00
You should be able to downgrade, but I would check the release notes for the latest update to see if there are any downgrade restrictions.
DELL-Josh Cr (Moderator), May 21st, 2019 15:00
Hi,
Is the switch firmware up to date? There have been a bunch of updates to DHCP snooping. There was a new firmware that came out three weeks ago.
sebusel, May 21st, 2019 23:00
Hi Josh,
Thanks for the reply. Actually, we updated the switch firmware a few months ago; I have just checked it and we are already 4 updates behind.
If it comes to updating software, we have more of those switches working in a stack. I pulled out one switch to test DHCP snooping before deploying it to the production network. If I upgrade the test switch, I assume I have to do the upgrade on the whole stack? Otherwise, can I downgrade my test switch if I decide not to go ahead with upgrading the stack in the production network?
Regards,
Sebastian