DHCP-Secured IP Address Assignment

Problem

You wish to synchronize the ARP entries to the DHCP bindings to prevent IP address spoofing.

Solution

To enable secured IP address assignment, use the update arp command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#

Discussion

Beginning with IOS Version 12.2(15)T, Cisco introduced the concept of DHCP secured IP address assignment. This feature synchronizes the ARP entry to the DHCP binding to ensure that IP addresses assigned via DHCP can't be spoofed. By default, ARP tables dynamically map MAC addresses to IP addresses to facilitate communication. Unfortunately, it's rather easy for someone to spoof a DHCP-assigned IP address and overwrite the router's ARP cache with his own MAC address.

Once the DHCP-secured IP address assignment is enabled, the router adds a secured ARP entry for each DHCP binding. This ensures that the ARP entry cannot be dynamically, or even manually, erased or overwritten. In fact, the only way to clear a secured ARP entry is by releasing the DHCP lease.

The following is an example configuration of DHCP-secured IP address assignment:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#network 172.25.1.0 255.255.255.0
Router1(dhcp-config)#default-router 172.25.1.1
Router1(dhcp-config)#dns-server 172.25.1.1 172.25.1.3
Router1(dhcp-config)#domain-name oreilly.com
Router1(dhcp-config)#lease 3
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#

Once configured, the router will provide DHCP leases as normal; however, for each new binding, the router will also add a secured ARP entry. All of this is completely transparent to the end users. The next example shows three newly assigned DHCP leases:

Router1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.25.1.51         0100.0d60.b21a.4c       Aug 24 2006 04:20 PM    Automatic
172.25.1.52         0100.104b.33da.73       Aug 24 2006 04:22 PM    Automatic
172.25.1.53         0100.0475.839d.3f       Aug 24 2006 04:48 PM    Automatic
Router1#

To confirm that the router has indeed created secured ARP entries, use the following command:

Router1#show ip dhcp server statistics
Memory usage 108579
Address pools 1
Database agents 0
Automatic bindings 3
Manual bindings 0
Expired bindings 0
Malformed messages 0
Secure arp entries 3

Message Received
BOOTREQUEST 0
DHCPDISCOVER 135
DHCPREQUEST 18
DHCPDECLINE 0
DHCPRELEASE 13
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 24
DHCPACK 13
DHCPNAK 1
Router1#

Notice that the router reports three new secured ARP entries (Secure arp entries 3) in the previous example, one for each automatic binding.

You can add the update arp command to existing DHCP pools; however, the router will only create secured ARP entries once existing leases are renewed. Once leases are renewed, the router will automatically create secured ARP entries for the renewed DHCP bindings.

As we mentioned earlier, secured ARP entries cannot be erased manually. For instance, clearing the router's ARP cache does not erase the secured ARP entries:

Router1#clear arp-cache

Router1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   000e.8424.4e71  ARPA   FastEthernet0/1
Internet  10.1.1.17               0   000d.bcef.f638  ARPA   FastEthernet0/1
Internet  172.25.1.52            31   0010.4b33.da73  ARPA   FastEthernet0/0
Internet  172.25.1.53            25   0004.7583.9d3f  ARPA   FastEthernet0/0
Internet  172.25.1.51            33   000d.60b2.1a4c  ARPA   FastEthernet0/0
Internet  172.25.1.5              0   0001.9670.b780  ARPA   FastEthernet0/0
Internet  172.25.1.1              0   0010.4b09.5700  ARPA   FastEthernet0/0
Internet  172.25.1.3              0   000a.5e40.0126  ARPA   FastEthernet0/0
Internet  172.25.1.101            -   000e.8424.4e70  ARPA   FastEthernet0/0
Router1#

Notice that the age of the secured ARP entries remained the same even after we cleared the ARP cache. The secured ARP entries will remain in the ARP cache until the associated DHCP lease is terminated by either the client or DHCP server.
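The two displays above are related by the client-ID: the Client-ID column of show ip dhcp binding is the hardware-type byte 01 followed by the client's MAC address, so 0100.0d60.b21a.4c corresponds to the ARP entry 000d.60b2.1a4c. The following script is an added example, not part of the recipe or of IOS, that reconciles the two outputs offline: it derives each binding's MAC from its client-ID and reports leases whose ARP entry is absent (expected for a pool where update arp was added but the lease has not yet renewed) or carries a different hardware address (what an ARP overwrite would look like on a pool without secured entries). The sample outputs are constructed after the recipe's displays; the ARP table is deliberately altered so that 172.25.1.52 is missing and 172.25.1.53 has a made-up MAC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, modelled on the recipe's show commands (not captured
# from a real router). 172.25.1.52 is absent from the ARP table and 172.25.1.53
# carries a made-up MAC so that the audit has something to report.
DHCP_BINDING_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.25.1.51         0100.0d60.b21a.4c       Aug 24 2006 04:20 PM    Automatic
172.25.1.52         0100.104b.33da.73       Aug 24 2006 04:22 PM    Automatic
172.25.1.53         0100.0475.839d.3f       Aug 24 2006 04:48 PM    Automatic
"""

ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.1.53            25   0000.1111.2222  ARPA   FastEthernet0/0
Internet  172.25.1.51            33   000d.60b2.1a4c  ARPA   FastEthernet0/0
Internet  172.25.1.1              0   0010.4b09.5700  ARPA   FastEthernet0/0
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def client_id_to_mac(client_id: str) -> Optional[str]:
    """Convert an IOS DHCP client-ID (hardware type 01 + 6-byte MAC) to dotted
    MAC form: 0100.0d60.b21a.4c -> 000d.60b2.1a4c. Returns None when the
    client-ID is not an Ethernet hardware address (e.g. a user name)."""
    digits = client_id.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    if not re.fullmatch(r"[0-9a-f]+", digits):
        return None
    mac = digits[2:]
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def parse_dhcp_bindings(output: str) -> Dict[str, str]:
    """Map each leased IP address to the MAC derived from its client-ID."""
    bindings: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows start with an IP; header and banner lines do not.
        if len(fields) < 4 or not IPV4.fullmatch(fields[0]):
            continue
        mac = client_id_to_mac(fields[1])
        if mac is not None:
            bindings[fields[0]] = mac
    return bindings


def parse_arp(output: str) -> Dict[str, str]:
    """Map each IP address in 'show arp' output to its hardware address."""
    arp: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split()
        # Columns: Protocol, Address, Age, Hardware Addr, Type, Interface.
        if len(fields) >= 4 and fields[0] == "Internet" and IPV4.fullmatch(fields[1]):
            arp[fields[1]] = fields[3].lower()
    return arp


def audit(binding_output: str, arp_output: str) -> Dict[str, list]:
    """Reconcile DHCP bindings against the ARP table.

    ok:       ARP entry present with the MAC the lease was issued to
    missing:  leased IP with no ARP entry (lease not yet renewed after
              'update arp', or client silent)
    mismatch: ARP entry carries a different MAC than the DHCP binding
    """
    bindings = parse_dhcp_bindings(binding_output)
    arp = parse_arp(arp_output)
    report: Dict[str, list] = {"ok": [], "missing": [], "mismatch": []}
    for ip, expected_mac in sorted(bindings.items()):
        seen = arp.get(ip)
        if seen is None:
            report["missing"].append(ip)
        elif seen != expected_mac:
            report["mismatch"].append((ip, expected_mac, seen))
        else:
            report["ok"].append(ip)
    return report


if __name__ == "__main__":
    result = audit(DHCP_BINDING_OUTPUT, ARP_OUTPUT)
    for ip in result["ok"]:
        print(f"OK       {ip}")
    for ip in result["missing"]:
        print(f"MISSING  {ip}: leased but no ARP entry")
    for ip, expected, seen in result["mismatch"]:
        print(f"MISMATCH {ip}: DHCP binding {expected}, ARP table {seen}")
```

In practice the two outputs would be pasted from the router (or pulled over SSH) into the two strings; a mismatch on a pool that already has update arp configured should not occur, since the secured entry cannot be overwritten, so any mismatch points at a pool or lease that the feature does not yet cover.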

The router can only secure directly connected clients on LAN interfaces.