IP DHCP snooping, IP source Guard, and DAI

Hi All,
I have configured DHCP snooping, IP source guard and Dynamic ARP Inspection on my 3560 and 3750 network switches,
and on both of them I'm facing that issue (the printers and access points are configured to get IP addresses via DHCP), but when the lease time expires, they don't get IP addresses and become unreachable,
while all other clients get their IP addresses normally.
Below you can find the configuration:
ip dhcp snooping vlan 98,105,111
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnooping
ip dhcp snooping database write-delay 15
ip dhcp snooping
ip arp inspection vlan 98,105,111
ip verify trust on all access ports including printers and access point ports
all access ports are DHCP snooping untrusted
Also, when I create a static DHCP snooping binding record for these devices on the switch it resolves the issue, but when I reload the switch it's removed automatically.
Any resolution will be much appreciated.
regards,
Maher

check the following link for configuration of DHCP snooping
http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Similar Messages

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A DHCP server assigns an IP address based on the MAC address carried by the client hardware field in DHCP packets.
    One potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
    For example, a host h1 with mac1 has been assigned an IP address by the DHCP server as:
    199.199.199.1 mac1
    The DHCP server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler one can create DHCP discover messages, each time creating a different MAC for the client hardware field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server these are legitimate DHCP discover messages, each carrying a different MAC in the client hardware address.
    You might say use DHCP snooping and it will prevent that (DHCP scope exhaustion), and configure the switch to check if the src MAC matches the client hardware address in the DHCP message. But we can still create spoofed discover messages where the src MAC in the Ethernet header will match the client hardware address in the DHCP discover message. We still did not overcome the problem.
    You might say use IP source guard feature but will it really prevent that problem from happening?
    Let me illustrate it :
    h1---------f1/1SW---------DHCP server
    Let's say we have configured DHCP snooping on sw1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure IP source guard to validate both src MAC and src IP against the DHCP bindings. When we configure IP source guard, it will first allow DHCP communication only, so a host can request an IP address and a DHCP binding can be built. After that, IP source guard will validate src IP or src MAC or both against the DHCP binding, depending upon how we configure IP source guard.
    In our case we have configured ip source guard to validate both src mac and src ip against the dhcp binding.
    A dhcp binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where src MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. Since the switch is configured with the IP source guard feature, it allows the DHCP discover message to pass through. The DHCP server, upon receiving the DHCP message, assigns another IP address from the pool. Now the DHCP server has the following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2.
    We can continue to craft spoofed dhcp discover messages as mentioned above and have dhcp server keep assigning ip addresses until the whole pool is exhausted.
    So my question is how does IP source guard in conjunction with DHCP snooping prevent this particular attack from happening? (i.e. DHCP scope exhaustion)
    I really appreciate your input.
    thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the  locations of legitimate dhcp servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to dhcp snooping .
    it means if any of user connected in that switch/vlan runs a dhcp  services like vmware for eg. Snooping will prevent the dhcp/bootp  servers connected to that port will not be able to process.
    Yes, that is correct. Because the DHCP snooping feature will check these ports for the messages usually sent by a DHCP server, such as DHCP offer, etc. If the end user is running a DHCP server using a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate DHCP server using VMware.
    When we have the dhcp snooping it prevents the 1st level of hacking  itself. I don't think so it will have any impact on dhcp address  releasing.
    I am sorry. You lost me here. What is 1 level of hacking?
    DHCP snooping checks DHCP messages such as DHCP release and DHCP decline on untrusted ports against the DHCP bindings.
    Here is why:
    h1---------SW1-------dhcp server
                   |
                 h2
    Let's say we don't have DHCP snooping in the above attack and h2, a legitimate user, has already been assigned IP address 199.199.199.2 by the DHCP server. Thus the DHCP server has an entry:
    199.199.199.2 mac2
    Next we connect a rogue user and it gets IP address 199.199.199.1; now the DHCP server has entries:
    199.199.199.1   mac1
    199.199.199.2   mac2
    Now using hacking tools, h1 creates a fake DHCP release message with 199.199.199.2   mac2
    The DHCP server, upon receiving this message, will release the IP address and return it to the pool.
    By using DHCP snooping, the switch will peer inside the DHCP release message and check it against the binding. If there is a conflict, it will drop the message.
    For example:
    If we have DHCP snooping configured, then the switch will have DHCP bindings as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2    mac2    vlan 2   f1/2  lease time
    If h1 tries to send a fake DHCP release with IP address 199.199.199.2    mac2
    the switch will check IP address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drop the DHCP release packet.
    Thanks
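
The checks described in the reply above, as an added example that is not part of the original thread: a toy Python model (class and field names are illustrative, not Cisco code) of what DHCP traffic on an untrusted port is tested against. It also shows the point raised in the question: Discovers whose Ethernet source MAC equals chaddr pass the snooping checks, so a per-port MAC cap (modelled on `switchport port-security maximum`, simplified here to a drop) is what bounds how many leases one port can request.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only acceptable from trusted ports
BOUND_MSGS = {"RELEASE", "DECLINE"}     # must match an existing binding


@dataclass(frozen=True)
class DhcpFrame:
    port: str      # ingress switch port
    vlan: int
    src_mac: str   # Ethernet source MAC
    chaddr: str    # client hardware address inside the DHCP payload
    msg: str       # DISCOVER, REQUEST, RELEASE, ...
    ip: str = ""   # address being released or declined


class SnoopingSwitch:
    def __init__(self, trusted_ports, verify_mac=True, max_macs_per_port=None):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.max_macs = max_macs_per_port   # assumption: stands in for port security
        self.bindings = {}                  # (vlan, mac) -> (ip, port)
        self.seen_macs = {}                 # port -> source MACs learned so far

    def add_binding(self, ip, mac, vlan, port):
        self.bindings[(vlan, mac)] = (ip, port)

    def inspect(self, f):
        """Return (forwarded, reason) for one DHCP frame."""
        if f.port in self.trusted:
            return True, "trusted port"
        if self.max_macs is not None:
            macs = self.seen_macs.setdefault(f.port, set())
            if f.src_mac not in macs and len(macs) >= self.max_macs:
                return False, "port-security MAC limit"
            macs.add(f.src_mac)
        if f.msg in SERVER_MSGS:
            return False, "server message on untrusted port"
        if self.verify_mac and f.src_mac != f.chaddr:
            return False, "source MAC / chaddr mismatch"
        if f.msg in BOUND_MSGS:
            if self.bindings.get((f.vlan, f.chaddr)) != (f.ip, f.port):
                return False, "no matching binding for this port"
        return True, "passed snooping checks"


def release_checks():
    """Forged release from f1/1, genuine release from f1/2, rogue offer."""
    sw = SnoopingSwitch(trusted_ports={"g0/1"})   # g0/1 is a constructed uplink name
    sw.add_binding("199.199.199.1", "mac1", 1, "f1/1")
    sw.add_binding("199.199.199.2", "mac2", 2, "f1/2")
    forged = DhcpFrame("f1/1", 1, "mac2", "mac2", "RELEASE", "199.199.199.2")
    genuine = DhcpFrame("f1/2", 2, "mac2", "mac2", "RELEASE", "199.199.199.2")
    rogue_offer = DhcpFrame("f1/1", 1, "mac1", "mac1", "OFFER")
    return [sw.inspect(x) for x in (forged, genuine, rogue_offer)]


def discovers_forwarded(max_macs_per_port):
    """Count Discovers from f1/1 that reach the server when each one
    carries a new MAC in both the Ethernet header and chaddr."""
    sw = SnoopingSwitch(trusted_ports={"g0/1"},
                        max_macs_per_port=max_macs_per_port)
    forwarded = 0
    for i in range(2, 12):            # constructed MACs mac2 .. mac11
        mac = f"mac{i}"
        ok, _ = sw.inspect(DhcpFrame("f1/1", 1, mac, mac, "DISCOVER"))
        forwarded += ok
    return forwarded


if __name__ == "__main__":
    for result in release_checks():
        print(result)
    print("no MAC cap:", discovers_forwarded(None))
    print("cap of 2  :", discovers_forwarded(2))
```
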

  • IP Source Guard dropping DHCP Offers

    Hello,
    I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
    I've configured port-security, DHCP Snooping and DAI and they all work as expected.
    However when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated but the offer gets dropped because there is no Snooping binding!
    One thing to note is that the DHCP server is on the switch itself and not on a port.
    Does anyone know if this is the correct behaviour???
    Thanks.

    Hi Istvan,
    Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)
    I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
    Here is the relevant config:
    ip dhcp excluded-address 172.21.1.254
    ip dhcp pool Users
    network 172.21.1.0 255.255.255.0
    default-router 172.21.1.254
    lease 0 0 5
    ip dhcp snooping vlan 2
    ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
    ip dhcp snooping
    ip arp inspection vlan 2
    interface GigabitEthernet1/0/4
    description Laptop
    switchport access vlan 2
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security aging type inactivity
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source port-security
    ip dhcp snooping limit rate 10
    interface Vlan2
    ip address 172.21.1.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.
    Thanks, Steve

  • Questions about IP source guard

    1.ISG & port-channel
    Where I should input the command "ip verify source dhcp-snooping-vlan", under the physical interface or port-channel interface?
    2.ISG & PVLAN
    Because I will not use IP DHCP snooping, I have to input the static ISG entry as below:
    "ip source binding 1.1.1.1 1111.1111.1111 vlan xx interface g2/1"
    I'm confused about the VLAN ID, it should be Primary VLAN ID or the Secondary VLAN ID???

    Hello sarah,
    This is my test results from ip source guard and mac- address filtering lab:
    Ip source guard
    --verifies source ip or ip source & mac address relating to the snooping database--
            switch MUST run EMI image
    ip source: -Layer 3 checking!
    Switch
    int fa0/3
    description Link to Host 1
    switchport mode access
    ip verify source
    Host1
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.1 255.255.255.0 or via DHCP
    If the mac-address is changed on this port, it will still be able to work,
    as ip verify source is only set to look at the ip address of the interface and not the
    mac address in the binding table.
    change ip address:
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.2 255.255.255.0 
    Now the connection is lost, and even if you change the ip address back, it will still be down.
    I have found that either manually adding a binding to the snoop D/B or shutting down and re-enabling the port
    re-enables the connection:
    ip dhcp snooping binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
    This will work as long as the ip address is back in the snooping database; the mac is irrelevant.
    ip source & mac address
    Switch
    int fa0/3
    description Link to Host 1
    switchport mode access
    ip verify source port-security
    switchport port-security
    Host1
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.1 255.255.255.0 or via DHCP
    If the ip or mac-address is changed on this port, it WON'T be able to work,
    as ip verify source port-security is set to look at both the ip address and mac address of
    the interface and in the binding table.
    Now if you change either the ip or mac-address the connection is lost;
    again, either manually adding a binding to the snoop D/B or shutting down and re-enabling the port
    re-enables the connection.
    All static entries are checked BEFORE the snooping database.
    When an interface is shut down or changed, the dynamic bindings are removed from the snooping D/B;
    this is related to either configuration.
    res
    Paul
    Please don't forget to rate any posts that have been helpful.
    Thanks.

  • Does 3550/3560 support static dhcp snooping binding?

    Hi All,
    I'm currently studying DHCP snooping.
    I just found there is no 'ip dhcp snooping binding' syntax on 3550/3560. Is there any way to add a static DHCP snooping entry?
    If there is no way, and the switch has ip arp inspection and ip source guard introduced, and an untrusted port is connected to an end host with a static IP address assigned, in such a situation is it right that I have to add a static 'ip arp inspection filter' and 'ip source binding' so that the end host can send packets out?
    Thanks for any comments.
    Regards,
    Yi

    check the following link for configuration of DHCP snooping
    http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  • DHCP snooping on SUP2 / MSFC2

    The question is: is there such thing?  The bits and pieces of info I've found kind of contradict each other (some say it's been there since IOS SXE, some say it's not supported at all) - the fact is, we have a 6509 in our network running s222-adventerprisek9_wan-mz.122-18.SXF17a.bin on which "ip dhcp snooping" doesn't seem to be available, either in global or interface config mode...
    Thank you.

    Hi,
    Looking at the configuration for your IOS version.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.html
    You need a PFC3 to support ip dhcp snooping.
    Configuring DHCP Snooping
    This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 6500 series switches.
    Note:
    • The DHCP snooping feature requires PFC3 and Release 12.2(18)SXE and later releases. The PFC2 does not support DHCP snooping.
    • For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
    http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
    Regards,
    Alex.
    Please rate useful posts.

  • LAN was down ie Users are not getting ip from DHCP server after enabling DHCP snooping

    Hi All ,
    Enclosed file has network connectivity diagram.
    1. L3 VLANs, i.e. 2, 3, 4, 5 and 6, are configured on ACC-CR1 and ACC-CR2.
    2. A trunk is configured between the core switches (CR1 and CR2) and the access switches. VTP mode is transparent on all switches. L2 VLANs are configured on all access switches.
    3. The DHCP server is located at a different location and is reachable over MPLS.
    Without enabling DHCP snooping, users connected to the access switches (Sw1, Sw2, Sw3 and Sw4) are getting IP addresses from the DHCP server without any problem and everything is working fine.
    But users connected to Sw3 and Sw4 are getting IP addresses from a rogue DHCP server which is not pingable from any one of the switches.
    So we have configured DHCP snooping for all vlan's on CR1 , CR2 , SW3 and SW4 and "trusted uplink ports" which are connected to WAN routers from CR1 and CR2  and also "trusted uplink ports " of Sw3 and Sw4 which are connected to CR1 and CR2.
    As soon we have enabled DHCP snooping and trusted respective uplink ports , users are not getting ip address from remote DHCP server and even users connected to Sw1 and SW2 are facing same issue.
    Note : DHCP snooping is not configured on SW1 and SW2.
    Why users are not getting ip address from remote DHCP server as soon as we enabled dhcp snooping on Core switches and two access switches ie sw3 and sw4 ? what could have caused DHCP packets to be dropped ? Any idea would be appreciated .

    Hi,
    as you say: " HSRP is configured between CR1 and CR2 and Vlans are active on CR1" does it mean there are L3 interfaces configured in each VLAN on your CR switches and ip helper-address pointing to the remote DHCP server is configured on each of them?
    I know it's difficult in a productive environment but IMHO you need to find out where are the DHCP offers dropped.
    Either by enabling DHCP debugging or by capturing packets via Wireshark, e.g.
    Best regards,
    Milan

  • Can I use DHCP snooping and IOS DHCP server on the same switch stack

    Hello,
    I am shortly going to be deploying a Cisco CallManager solution for a customer whose network comprises stacks of Catalyst 3850 switches.
    There is no separate core/server farm switch so the CallManager servers, voice gateways and IP phones will all plug into the same stack and be in the same VLAN (not my choice!).
    For security we want to enable DHCP snooping and were planning on using the IOS DHCP server on the Catalyst switch stack.
    Will this work? - when I enable DHCP snooping in networks with separate access layer switches I set the uplinks to the core as trusted links.
    I am not sure whether DHCP snooping will work in this case. Do I need to set the VLAN interface on the switch as trusted, is this even possible?
    Unfortunately I do not have access to a layer 3 switch to test this at the moment.
    Thanks

    Nope.  That's the issue.
    They'll sync on a third device acting as a hotspot, but the device sending a signal is not "on" the network it creates so the airport is all by itself on that network.  At least that is what it looks like to me.  Anyone have another take on it?  Seems pretty silly that an iPad can put out a wifi signal, an Airport Express can receive a wifi signal, and yet there is no simple way to get them to communicate under this particular condition.

  • ISE and dhcp snooping

    Hi all,
    The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).
    Can anyone explain? Thanks.

    Thanks for the reply, Vattulu.
    Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.
    Googling around I found this article/section:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679
    which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.
    Still digging, I would like to understand this. Thanks for your help.

  • How to synchronize between DHCP binding table and DHCP snooping table ?

    I clear DHCP snooping table with command "clear ip dhcp snooping binding " , and PC can't communicate with other any more. So how to synchronize between DHCP binding table and DHCP snooping table ?
    dhcp-test#sh ip dhcp bind
    IP address       Client-ID/              Lease expiration        Type
                     Hardware address
    99.1.65.32       0100.1125.353c.25       Mar 02 1993 01:05 AM    Automatic
    99.1.65.33       0100.1438.059f.85       Mar 02 1993 12:01 AM    Automatic
    dhcp-test#sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    Total number of bindings: 0
    thanks!

    ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
    Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
    Enter the above command for each entry that you add
    To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.

  • Catalyst 3750E's and DHCP Snooping

    I am using on our perimeter Catalyst 3750E's and 4500 series switches and I have DHCP Snooping enabled.  Each switch has redundant Layer 3 10Gb uplinks back to our Core/Distribution switches.  We have a central DHCP server and each switch writes its snooping database back to a central TFTP server.
    This was working fine until we upgraded our Active Directory domain to a 2008 domain, with our DHCP server now residing on a Windows 2008R2 server.
    Since the upgrade all 12 stacks of 3750E's will no longer write of the dhcp snooping database.
    show ip dhcp snooping database
    Agent URL : tftp://<path>
    Write delay Timer : 3600 seconds
    Abort Timer : 300 seconds
    Agent Running : No
    Delay Timer Expiry : 17 (00:00:17)
    Abort Timer Expiry : Not Running
    Last Succeded Time : None
    Last Failed Time : None
    Last Failed Reason : No failure recorded.
    Total Attempts       :        0   Startup Failures :        0
    Successful Transfers :        0   Failed Transfers :        0
    Successful Reads     :        0   Failed Reads     :        0
    Successful Writes    :        0   Failed Writes    :        0
    Media Failures       :        0
    All of the 4500's (5 of them) however still work as they did prior to the upgrade.
    show ip dhcp snooping database
    Agent URL : tftp://<path>
    Write delay Timer : 3600 seconds
    Abort Timer : 60 seconds
    Agent Running : No
    Delay Timer Expiry : 2737 (00:45:37)
    Abort Timer Expiry : Not Running
    Last Succeded Time : 07:18:07 EDT Wed Jun 15 2011
    Last Failed Time : None
    Last Failed Reason : No failure recorded.
    Total Attempts       :       13   Startup Failures :        0
    Successful Transfers :       13   Failed Transfers :        0
    Successful Reads     :        0   Failed Reads     :        0
    Successful Writes    :       13   Failed Writes    :        0
    Media Failures       :        0
    Is this a software bug and has anybody else seen this after upgrading to a Windows 2008 AD domain?
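
A monitoring check for the situation in the post above, added here as an example and not taken from the thread: it parses `show ip dhcp snooping database` output and flags a switch whose agent has never written its bindings. The two sample outputs are copied from the post; the function names and the finding texts are illustrative.

```python
import re

# Counter lines hold one or two "Name : <int>" pairs; other lines are "Key : text".
PAIR = re.compile(
    r"^\s*([A-Za-z ]+?)\s*:\s+(\d+)(?:\s{2,}([A-Za-z ]+?)\s*:\s+(\d+))?\s*$"
)

# Output quoted in the post for a 3750E stack (agent never ran).
SW_3750E = """
Agent URL : tftp://<path>
Write delay Timer : 3600 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : 17 (00:00:17)
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0
"""

# Output quoted in the post for a 4500 (agent working).
SW_4500 = """
Agent URL : tftp://<path>
Write delay Timer : 3600 seconds
Abort Timer : 60 seconds
Agent Running : No
Delay Timer Expiry : 2737 (00:45:37)
Abort Timer Expiry : Not Running
Last Succeded Time : 07:18:07 EDT Wed Jun 15 2011
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts       :       13   Startup Failures :        0
Successful Transfers :       13   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :       13   Failed Writes    :        0
Media Failures       :        0
"""


def parse_status(text):
    """Turn the show output into a dict; counters become ints."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        m = PAIR.match(line)
        if m:
            status[m.group(1)] = int(m.group(2))
            if m.group(3):
                status[m.group(3)] = int(m.group(4))
        else:
            # Split on the first colon only: timestamps and URLs contain more.
            key, _, value = line.partition(":")
            status[key.strip()] = value.strip()
    return status


def assess(status):
    """List reasons to believe the bindings exist only in switch memory,
    in which case a reload empties the snooping table."""
    findings = []
    if status.get("Total Attempts", 0) == 0:
        findings.append("agent has never attempted a transfer")
    # "Succeded" is the spelling the switch prints.
    if status.get("Last Succeded Time", "None") == "None":
        findings.append("no successful write recorded")
    if status.get("Failed Writes", 0) or status.get("Failed Transfers", 0):
        findings.append("write or transfer failures recorded")
    return findings


if __name__ == "__main__":
    for name, text in (("3750E", SW_3750E), ("4500", SW_4500)):
        print(name, assess(parse_status(text)) or "database agent healthy")
```
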

    well i found this 
    When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all 
    ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP 
    snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets
    We don't do ARP ACLs.
    Here is a little info on the setup on the 6500:
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y
    Insertion of option 82 is enabled
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    Interface                    Trusted     Rate limit (pps)
    GigabitEthernetX/X          yes         unlimited
    Port-channel                     yes         unlimited
    port config port-channel 
    ip arp inspection trust
     ip dhcp snooping trust
    2960 config 
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:Q
    Insertion of option 82 is disabled
       circuit-id default format: vlan-mod-port
       remote-id: 1111:1111:1111 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface                  Trusted    Allow option    Rate limit (pps)
    Port-channel              yes        yes             unlimited
    port config 
    interface Port-channel
    ip arp inspection trust
    ip dhcp snooping trust

  • C2950 IOS for DHCP Snooping and DAI

    hi all,
    anyone knows what image i would need for my 2950 to enable DHCP snooping and DAI features (just for lab purpose)?
    or are these features just available on the bigger modular switches (4500 and 6500)?
    >sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2006 by cisco Systems, Inc.
    Compiled Fri 28-Jul-06 15:16 by weiliu
    Image text-base: 0x80010000, data-base: 0x8056A000
    Switch(config)#ip dhcp snooping ?
      information  DHCP Snooping information
      vlan         DHCP Snooping vlan
      <cr>
    Switch(config)#ip arp ?
    % Unrecognized command

    Hi Alain,
    Thanks for this info! I've read you're CCNA Security.
    Just curious, are you gonna write your CCNP Security soon?
    Could you recommend a good lab switch for SECURE?
    Sent from Cisco Technical Support iPad App

  • Help understanding DHCP Snooping and Dynamic ARP Inspection

    Please help me to understand DHCP Snooping and Dynamic ARP Inspection.

    HI Ezra,
    In simple words:
    DHCP Snooping is a feature which is available on switches. This feature is used to prevent rogue dhcp server attacks.
    In the diagram, a valid DHCP server is connected to the network. The computers are supposed to receive dynamic IP addresses from the valid server. An attacker implants a rogue DHCP server on the network as shown in the diagram. The following steps are followed for a client to receive an IP address from a DHCP server.
    When a client (computer) is connected to the switch and is configured to receive a dynamic IP address from a DHCP server, the DHCP service on the client sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network would respond to the DHCP Discover packet sent from the client. In the example, both the DHCP servers would respond to the DHCP Discover packet. The client would process the first packet it receives. If the response sent by the rogue DHCP server reaches the client first, then the computer would have an IP address provided by the rogue DHCP server.
    To prevent this, DHCP snooping is configured on the port to which the valid DHCP server is connected. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even though the attacker has set up a rogue DHCP server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP Discover packets. Thus DHCP snooping thwarts the attacker's attempt to set up a rogue DHCP server.
    DAI:
    Please read the explained version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html
    More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.
    Hope it helps.
    Regards
    Please use the rating system and mark the question answered; it may help others.

  • [solved] DHCP snooping in environment with core and access switches

    Hello,
    I'd like to know what steps are needed to configure DHCP snooping in my environment:
    1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
    2) access switches Catalyst 3750: clients connected here
    Access switches are connected to core ones via trunk ports (fiber optics).
    How many snooping databases are required?  One for core and next for each stack?

    Hi Marian,
    If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then the DHCP Snooping should be run only on access switches. Running DHCP Snooping on core switches is not going to increase the security because the DHCP communication has already been sanitized on the access layer.
    If you intend to save the DHCP Snooping database then each switch performing the DHCP Snooping needs to have its own database if you intend to use a persistent storage for it. However, you can always have the switch to save the database to its own FLASH, alleviating the need for a centralized networked storage.
    I am not sure if this answers your question so please feel welcome to ask further.
    Best regards,
    Peter

  • Sg200-50 support dhcp snooping and dynamic arp inspection?

    do the sg200-50 switches support:
    dhcp snooping
    dynamic arp inspection
    ?? thanks

    HI d.pennington,
    The SG200 is an L2 switch only, so this means the switch does not support DHCP snooping. The switch supports IGMP snooping, and the switch supports a dynamic ARP table. You can manage the switch with the web page GUI only; CLI is not supported.
    Thanks,
    Moh
