DHCP-Secured IP Address Assignment

Problem

You wish to synchronize the ARP entries to the DHCP bindings to prevent IP address spoofing.

Solution

To enable secured IP address assignment, use the update arp command:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#


Discussion

Beginning with IOS Version 12.2(15)T, Cisco introduced the concept of DHCP secured IP address assignment. This feature synchronizes the ARP entry to the DHCP binding to ensure that IP addresses assigned via DHCP can't be spoofed. By default, ARP tables dynamically map MAC addresses to IP addresses to facilitate communication. Unfortunately, it's rather easy for someone to spoof a DHCP-assigned IP address and overwrite the router's ARP cache with his own MAC address.

Once the DHCP-secured IP address assignment is enabled, the router adds a secured ARP entry for each DHCP binding. This ensures that the ARP entry cannot be dynamically, or even manually, erased or overwritten. In fact, the only way to clear a secured ARP entry is by releasing the DHCP lease.

The following is an example configuration of DHCP-secured IP address assignment:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#network 172.25.1.0 255.255.255.0
Router1(dhcp-config)#default-router 172.25.1.1
Router1(dhcp-config)#dns-server 172.25.1.1 172.25.1.3
Router1(dhcp-config)#domain-name oreilly.com
Router1(dhcp-config)#lease 3
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#

Once configured, the router will provide DHCP leases as normal; however, for each new binding, the router will also add a secured ARP entry. All of this is completely transparent to the end users. The next example shows three newly assigned DHCP leases:

Router1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.25.1.51         0100.0d60.b21a.4c       Aug 24 2006 04:20 PM    Automatic
172.25.1.52         0100.104b.33da.73       Aug 24 2006 04:22 PM    Automatic
172.25.1.53         0100.0475.839d.3f       Aug 24 2006 04:48 PM    Automatic
Router1#

To confirm that the router has indeed created secured ARP entries, use the following command:

Router1#show ip dhcp server statistics
Memory usage         108579
Address pools        1
Database agents      0
Automatic bindings   3
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   3

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         135
DHCPREQUEST          18
DHCPDECLINE          0
DHCPRELEASE          13
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            24
DHCPACK              13
DHCPNAK              1
Router1#

Notice that the router has three new secured ARP entries, as shown by the Secure arp entries counter in the previous example.

You can add the update arp command to existing DHCP pools; however, the router will only create secured ARP entries once existing leases are renewed. Once leases are renewed, the router will automatically create secured ARP entries for the renewed DHCP bindings.

As we mentioned earlier, secured ARP entries cannot be erased manually. For instance, clearing the router's ARP cache does not erase the secured ARP entries:

Router1#clear arp-cache
Router1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   000e.8424.4e71  ARPA   FastEthernet0/1
Internet  10.1.1.17               0   000d.bcef.f638  ARPA   FastEthernet0/1
Internet  172.25.1.52            31   0010.4b33.da73  ARPA   FastEthernet0/0
Internet  172.25.1.53            25   0004.7583.9d3f  ARPA   FastEthernet0/0
Internet  172.25.1.51            33   000d.60b2.1a4c  ARPA   FastEthernet0/0
Internet  172.25.1.5              0   0001.9670.b780  ARPA   FastEthernet0/0
Internet  172.25.1.1              0   0010.4b09.5700  ARPA   FastEthernet0/0
Internet  172.25.1.3              0   000a.5e40.0126  ARPA   FastEthernet0/0
Internet  172.25.1.101            -   000e.8424.4e70  ARPA   FastEthernet0/0
Router1#

Notice that the age of the secured ARP entries remained the same even after we cleared the ARP cache. The secured ARP entries will remain in the ARP cache until the associated DHCP lease is terminated by either the client or DHCP server.
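As an added example (not part of the recipe or of IOS), the following Python script performs offline the consistency check that a secured ARP entry enforces on the router: it parses the Client-ID column of show ip dhcp binding (hardware type 01 followed by the client MAC) and the Hardware Addr column of show arp, normalises both to plain hex, and reports any leased address whose ARP entry carries a different MAC. The sample output is constructed from the recipe's tables, with the 172.25.1.53 ARP row altered to show the mismatch case.

```python
import re

# Constructed sample modelled on the recipe's tables; Client-ID = hardware type 01 + MAC.
DHCP_BINDING = """\
IP address          Client-ID/              Lease expiration        Type
172.25.1.51         0100.0d60.b21a.4c       Aug 24 2006 04:20 PM    Automatic
172.25.1.52         0100.104b.33da.73       Aug 24 2006 04:22 PM    Automatic
172.25.1.53         0100.0475.839d.3f       Aug 24 2006 04:48 PM    Automatic
"""
# Constructed: 172.25.1.53 altered to carry a MAC that does not belong to its lease.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.1.51            33   000d.60b2.1a4c  ARPA   FastEthernet0/0
Internet  172.25.1.52            31   0010.4b33.da73  ARPA   FastEthernet0/0
Internet  172.25.1.53            25   0000.5e00.5301  ARPA   FastEthernet0/0
"""

NON_HEX = re.compile(r"[^0-9a-f]")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def normalize_mac(token):
    """Dotted IOS MAC ('000d.60b2.1a4c') -> 12 lowercase hex digits."""
    digits = NON_HEX.sub("", token.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {token}")
    return digits

def client_id_to_mac(client_id):
    """IOS Client-ID ('0100.0d60.b21a.4c') -> MAC; the leading 01 is the hardware type."""
    digits = NON_HEX.sub("", client_id.lower())
    if len(digits) != 14 or not digits.startswith("01"):
        raise ValueError(f"unexpected Client-ID: {client_id}")
    return digits[2:]

def parse_dhcp_bindings(text):
    """IP -> MAC from 'show ip dhcp binding'; header lines do not start with an IP."""
    rows = re.findall(rf"^\s*{IPV4}\s+(\S+)\s", text, re.M)
    return {ip: client_id_to_mac(cid) for ip, cid in rows}

def parse_arp(text):
    """IP -> MAC from 'show arp' (ARPA entries only)."""
    rows = re.findall(rf"^\s*Internet\s+{IPV4}\s+\S+\s+(\S+)\s+ARPA", text, re.M)
    return {ip: normalize_mac(mac) for ip, mac in rows}

def find_mismatches(binding_text, arp_text):
    """Leased addresses whose ARP MAC differs from the DHCP client MAC."""
    bindings, arp = parse_dhcp_bindings(binding_text), parse_arp(arp_text)
    return {ip: (mac, arp[ip]) for ip, mac in bindings.items()
            if ip in arp and arp[ip] != mac}
```

Run against live output of the two show commands, a non-empty result from find_mismatches indicates an ARP entry that has drifted from its DHCP binding, which is exactly what update arp prevents on the router itself.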

The router can only secure directly connected clients on LAN interfaces.
