sebusel
1 Nickel

Port security with DHCP snooping on N2000 does not work as expected

Jump to solution

We have configured port-security on the access switches and now I have been trying to add DHCP snooping feature to this. It seems that DHCP snooping allows the host connected to the port-security protected port to obtain IP address, however further communication is blocked.

Below I have reproduced steps and pasted CLI output to demonstrate how I executed my configuration and testing.

Step 1. Port security configured with 1 static MAC address learned in sticky mode, DHCP snooping enabled and port is not trusted.

DEV-SWITCH#show running-config interface gi4/0/12

ip dhcp snooping log-invalid
ip dhcp snooping limit rate 300
ip verify source port-security
switchport port-security
switchport port-security dynamic 0
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001A.4D56.5B58 vlan 1

Port-security is enabled: globally

DEV-SWITCH#show port-security                       

Port Security Administration Mode: Enabled

...and on the port:

DEV-SWITCH#show port-security gigabitethernet 4/0/12

Interface Status   Max-dynamic Max-static Protect   Frequency  Shutdown   Sticky Mode
--------- -------- ----------- ---------- --------- ---------- ---------- -----------
Gi4/0/12  Enabled  0           1          Enabled   30         Disabled   Enabled

This mac address is loaded into MAC address table:

DEV-SWITCH#show mac address-table interface Gi4/0/12

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ---------------------
1        001A.4D56.5B58        Static      Gi4/0/12

Also, DHCP snooping is enabled:

DEV-SWITCH#show ip dhcp snooping 

DHCP snooping is Enabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:
1

 Interface    Trusted     Log Invalid Pkts
-----------  ----------   ----------------
[...]
Gi4/0/12     No           Yes
[...]

Step 2. Host is hooked up to the port and DHCP snooping shows a lease assigned to this MAC address:

DEV-SWITCH#show ip dhcp snooping binding 

Total number of bindings:  1
Total number of Tentative bindings:  0

   MAC Address       IP Address     VLAN   Interface    Type    Lease (Secs)
-----------------  ---------------  ----  -----------  -------  ------------
   001A.4D56.5B58    192.168.16.40     1     Gi4/0/12  DYNAMIC         1437

Step 3. When I go to the host and spoof its MAC address (001A.4DAB.CDEF), I will get another DHCP binding even though my port-security is allowing only one MAC address

EV-SWITCH#show ip dhcp snooping binding 

Total number of bindings:  2
Total number of Tentative bindings:  0

   MAC Address       IP Address     VLAN   Interface    Type    Lease (Secs)
-----------------  ---------------  ----  -----------  -------  ------------
   001A.4D56.5B58    192.168.16.40     1     Gi4/0/12  DYNAMIC         1250
   001A.4DAB.CDEF    192.168.16.31     1     Gi4/0/12  DYNAMIC          599

Going further, the MAC address table still shows only the legitimate address:

DEV-SWITCH#show mac address-table interface Gi4/0/12

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ---------------------
1        001A.4D56.5B58        Static      Gi4/0/12

... and there is port-security violation on that port:

DEV-SWITCH#show port-security violation gigabitethernet 4/0/12

Last Violation MAC Address    VLAN ID
----------------------------- -------
001A.4DAB.CDEF                1

I was expecting port-security would block ALL traffic if it comes from unwanted MAC addresses, in the above it looks like enabling DHCP snooping feature it bypasses port-security, potentially allows malicious client to exhaust DHCP pool.

Has anyone similar experience with port-security and DHCP snooping on N2000 series switches?

Thanks in advance!

Sebastian

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Moderator
Moderator

Re: Port security with DHCP snooping on N2000 does not work as expected

Jump to solution

You should be able to downgrade, but I would check the release notes for the latest update to see if there are any downgrade restrictions.

Thanks,
Josh Craig
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
0 Kudos
3 Replies
Moderator
Moderator

Re: Port security with DHCP snooping on N2000 does not work as expected

Jump to solution

Hi,

Is the switch firmware up to date? There have been a bunch of updates to DHCP snooping. There was a new firmware that came out three weeks ago.

Thanks,
Josh Craig
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
0 Kudos
sebusel
1 Nickel

Re: Port security with DHCP snooping on N2000 does not work as expected

Jump to solution

Hi Josh,

 

Thanks for the reply. Actually, we updated switch firmware a few months ago, I have just checked it and we are already 4 updates behind.

If it comes to updating software, we have more of those switches working in a stack. I pulled out one switch to test DHCP snooping before deploying it to the production network. If I upgrade the test switch, I assume I have to do upgrade on the whole stack? Otherwise, can I downgrade my test switch if I decide not to go ahead with upgrading stack in the production network?

Regards,

Sebastian

 

0 Kudos
Highlighted
Moderator
Moderator

Re: Port security with DHCP snooping on N2000 does not work as expected

Jump to solution

You should be able to downgrade, but I would check the release notes for the latest update to see if there are any downgrade restrictions.

Thanks,
Josh Craig
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
0 Kudos