IP Source Guard dropping DHCP Offers

Hello,
I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
I've configured port-security, DHCP Snooping and DAI and they all work as expected.
However, when it comes to IP Source Guard, things don't work as I expected: when a DHCP lease expires because a user has switched their machine off for a number of days, the snooping binding is removed and IP Source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request, and a reply gets generated, but the offer gets dropped because there is no snooping binding!
One thing to note is that the DHCP server is on the switch itself and not on a port.
Does anyone know if this is the correct behaviour?
Thanks.

Hi Istvan,
Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)
I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
Here is the relevant config:
ip dhcp excluded-address 172.21.1.254
!
ip dhcp pool Users
 network 172.21.1.0 255.255.255.0
 default-router 172.21.1.254
 lease 0 0 5
!
ip dhcp snooping vlan 2
ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
ip dhcp snooping
ip arp inspection vlan 2
!
interface GigabitEthernet1/0/4
 description Laptop
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 10
!
interface Vlan2
 ip address 172.21.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.
Thanks, Steve

Similar Messages

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A DHCP server assigns an IP address based on the MAC address carried in the client hardware address field of DHCP packets.
    One potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
    For example, a host h1 with mac1 has been assigned an IP address by the DHCP server as:
    199.199.199.1 mac1
    The DHCP server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler one can create DHCP discover messages, each time creating a different MAC for the client hardware address field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server these are legitimate DHCP discover messages, each carrying a different MAC in the client hardware address.
    You might say use DHCP snooping and it will prevent that (DHCP scope exhaustion), and configure the switch to check if the source MAC matches the client hardware address in the DHCP message. But we can still create spoofed discover messages where the source MAC in the Ethernet header matches the client hardware address in the DHCP discover message. We still have not overcome the problem.
    You might say use the IP source guard feature, but will it really prevent that problem from happening?
    Let me illustrate it:
    h1---------f1/1SW---------DHCP server
    Let's say we have configured DHCP snooping on sw1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure IP source guard to validate both source MAC and source IP against the DHCP bindings. When we configure IP source guard first, it will allow DHCP communication only, so a host can request an IP address and a DHCP binding can be built. After that IP source guard will validate the source IP, or the source MAC, or both against the DHCP binding, depending upon how we configure IP source guard.
    In our case we have configured IP source guard to validate both source MAC and source IP against the DHCP binding.
    A DHCP binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where src mac=mac2 in the Ethernet header and client hardware address=mac2 in the DHCP discover message. Since the switch is configured with the IP source guard feature, it allows the DHCP discover message to pass through. The DHCP server, upon receiving the DHCP message, assigns another IP address from the pool. Now the DHCP server has the following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2
    We can continue to craft spoofed DHCP discover messages as mentioned above and have the DHCP server keep assigning IP addresses until the whole pool is exhausted.
    So my question is: how does IP source guard in conjunction with DHCP snooping prevent this particular attack from happening (i.e. DHCP scope exhaustion)?
    I really appreciate your input.
    Thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the locations of legitimate DHCP servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to DHCP snooping.
    It means if any user connected to that switch/VLAN runs a DHCP service, like VMware for example, snooping will prevent the DHCP/BOOTP servers connected to that port from being able to process.
    Yes, that is correct. Because the DHCP snooping feature will check these ports for the messages usually sent by a DHCP server, such as DHCP offer, etc. If the end user is running a DHCP server using a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate DHCP server using VMware.
    When we have DHCP snooping it prevents the 1st level of hacking itself. I don't think it will have any impact on DHCP address releasing.
    I am sorry. You lost me here. What is the 1st level of hacking?
    DHCP snooping checks DHCP messages such as DHCP release and DHCP decline on untrusted ports against the DHCP bindings.
    Here is why:
    h1---------SW1-------dhcp server
                   |
                 h2
    Let's say we don't have DHCP snooping in the above attack, and h2 is a legitimate user that has already been assigned IP address 199.199.199.2 by the DHCP server. Thus the DHCP server has an entry:
    199.199.199.2 mac2
    Next we connect a rogue user and it gets IP address 199.199.199.1. Now the DHCP server has entries:
    199.199.199.1  mac1
    199.199.199.2  mac2
    Now using hacking tools, h1 creates a fake DHCP release message with 199.199.199.2 mac2.
    The DHCP server, upon receiving this message, will release the IP address and return it to the pool.
    By using DHCP snooping, the switch will peer inside the DHCP release message and check it against the binding. If there is a conflict, it will drop the message.
    For example:
    If we have DHCP snooping configured, then the switch will have a DHCP binding as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2    mac2    vlan 2   f1/2  lease time
    If h1 tries to send a fake DHCP release with IP address 199.199.199.2 mac2,
    the switch will check IP address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drops the DHCP release packet.
    Thanks

  • IP DHCP snooping, IP source Guard, and DAI

    Hi All,
    I have configured DHCP snooping, IP source guard and Dynamic ARP inspection on my 3560 and 3750 network switches,
    and on both of them I'm facing this issue: the printers and access points are configured to get IP addresses via DHCP, but when the lease time expires they don't get IP addresses and become unreachable,
    while all other clients get their IP addresses normally.
    Below you can find the configuration:
    ip dhcp snooping vlan 98,105,111
    no ip dhcp snooping information option
    ip dhcp snooping database flash:dhcpsnooping
    ip dhcp snooping database write-delay 15
    ip dhcp snooping
    ip arp inspection vlan 98,105,111
    ip verify trust on all access ports including printers and access point ports
    all access ports are DHCP snooping untrusted
    Also, when I create a static DHCP snooping binding record for these devices on the switch it resolves the issue, but when I reload the switch it's removed automatically.
    Any resolution will be much appreciated.
    Regards,
    Maher

    Check the following links for the configuration of DHCP snooping:
    http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  • IP Source Guard

    I have configured DHCP snooping with option 82. That is working OK. I then went to enable IP Source Guard to help against MAC spoofing. I enabled port security and ip verify source. I connected a client to the port and the address went into the snooping database as it should. I then spoofed my MAC address on the same port with the same client, and it adds another entry and IP address into the DHCP snooping binding database and gives my client an IP address. So, it looks like my ip verify source is not working? Any suggestions?

    And the DHCP server is linked to the core switch, but it is a Windows server that does not support option 82. And I cannot configure: ip verify source.

  • Questions about IP source guard

    1.ISG & port-channel
    Where I should input the command "ip verify source dhcp-snooping-vlan", under the physical interface or port-channel interface?
    2.ISG & PVLAN
    Because I will not use IP DHCP snooping, I have to input the static ISG entry as below:
    "ip source binding 1.1.1.1 1111.1111.1111 vlan xx interface g2/1"
    I'm confused about the VLAN ID: should it be the Primary VLAN ID or the Secondary VLAN ID?

    Hello sarah,
    These are my test results from an IP source guard and MAC-address filtering lab:
    IP source guard
    -- verifies the source IP, or source IP & MAC address, against the snooping database --
            switch MUST run EMI image
    ip source: - Layer 3 checking!
    Switch
    int fa0/3
     description Link to Host 1
     switchport mode access
     ip verify source
    Host1
    int fa0/0
     Mac 0000.1111.1111
     ip address 192.168.1.1 255.255.255.0 (or via DHCP)
    If the MAC address is changed on this port, it will still be able to work,
    as ip verify source is only set to look at the IP address of the interface and not the
    MAC address in the binding table.
    Change IP address:
    int fa0/0
     Mac 0000.1111.1111
     ip address 192.168.1.2 255.255.255.0
    Now the connection is lost, and even if you change the IP address back it will still be down.
    I have found that either manually adding a binding to the snooping DB or shutting down and re-enabling the port
    re-enables the connection:
    ip dhcp snooping binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
    This will work as long as the IP address is back in the snooping database; the MAC is irrelevant.
    ip source & mac address
    Switch
    int fa0/3
     description Link to Host 1
     switchport mode access
     ip verify source port-security
     switchport port-security
    Host1
    int fa0/0
     Mac 0000.1111.1111
     ip address 192.168.1.1 255.255.255.0 (or via DHCP)
    If the IP or MAC address is changed on this port, it WON'T be able to work,
    as ip verify source port-security is set to look at both the IP address and MAC address of
    the interface and those in the binding table.
    Now if you change either the IP or MAC address the connection is lost;
    again, either manually adding a binding to the snooping DB or shutting down and re-enabling the port
    re-enables the connection.
    All static entries are checked BEFORE the snooping database.
    When an interface is shut down or changed, the dynamic bindings are removed from the snooping DB;
    this applies to either configuration.
    Regards,
    Paul
    Please don't forget to rate any posts that have been helpful.
    Thanks.

  • IP Source guard feature enabling

    Dear All,
    My organisation has a requirement that if any user changes the IP of his system, he should not be able to access anything from his machine.
    I have read that the IP source guard feature on Cisco can be used to achieve this.
    Can somebody explain the process? Also, if I have an unmanaged switch (24 port) connected to the Cisco L2 switch, can I enable IP source guard for multiple source IPs on a single port?
    Kindly revert urgently.
    Rgds,
    Tushar

    Hello Tushar,
    IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
    Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
    Below is the CCO document for your reference:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
    Regards,
    Mohit
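    The filtering that Mohit's reply, Paul's lab results and the scope-exhaustion thread describe (DHCP passing before a binding exists, IP-only versus IP-and-MAC checking, DHCP release messages checked against the binding table, and a lease expiry leaving only DHCP open) can be modelled in a few lines. This is an added example, not code from any post or from Cisco; the Switch, Frame and Binding classes and the scenario functions are our own, and the addresses and port names are constructed sample values.

```python
# Added example, not code from any post above or from Cisco: a small model of
# the DHCP-snooping binding table and the IP Source Guard (ISG) ingress filter
# as the threads describe them. Addresses, MACs and port names are constructed.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

BOOTPS = 67  # UDP port of client-to-server DHCP, the one thing ISG lets through
Binding = namedtuple("Binding", "ip mac vlan port")  # one snooping-table row


@dataclass
class Frame:
    port: str                          # ingress port
    vlan: int
    src_mac: str
    src_ip: str
    udp_dst: Optional[int] = None      # BOOTPS for a DHCP client message
    dhcp_type: Optional[str] = None    # "DISCOVER", "REQUEST", "RELEASE", ...
    dhcp_chaddr: Optional[str] = None  # client hardware address field
    dhcp_ciaddr: Optional[str] = None  # address a RELEASE gives up


class Switch:
    def __init__(self, filter_mode: str = "ip") -> None:
        assert filter_mode in ("ip", "ip-mac")  # ip verify source [port-security]
        self.filter_mode = filter_mode
        self.static = []   # "ip source binding ..." entries, consulted first
        self.dynamic = []  # learned by snooping from the server's DHCP ACKs

    def learn(self, b: Binding) -> None:
        self.dynamic.append(b)

    def expire(self, ip: str, port: str) -> None:
        # lease ran out or the port went down: the dynamic binding is gone
        self.dynamic = [b for b in self.dynamic if (b.ip, b.port) != (ip, port)]

    def bindings_for(self, port: str) -> list:
        return [b for b in self.static + self.dynamic if b.port == port]

    def snooping_accepts(self, f: Frame) -> bool:
        """Snooping checks on a client DHCP message from an untrusted port."""
        if f.dhcp_chaddr != f.src_mac:  # "ip dhcp snooping verify mac-address"
            return False
        if f.dhcp_type in ("RELEASE", "DECLINE"):
            # the address given up must be bound to this MAC on this very port
            return any(b.ip == f.dhcp_ciaddr and b.mac == f.src_mac
                       for b in self.bindings_for(f.port))
        return True

    def isg_permits(self, f: Frame) -> bool:
        """The implicit ISG PACL: DHCP passes, everything else needs a binding."""
        if f.udp_dst == BOOTPS:
            return self.snooping_accepts(f)
        for b in self.bindings_for(f.port):
            if b.vlan == f.vlan and b.ip == f.src_ip:
                if self.filter_mode == "ip" or b.mac == f.src_mac:
                    return True
        return False


def scenario_paul_lab(mode: str) -> dict:
    """Paul's lab: host bound as 192.168.1.1 / 0000.1111.1111 on fa0/3, vlan 20."""
    sw = Switch(mode)
    sw.learn(Binding("192.168.1.1", "0000.1111.1111", 20, "fa0/3"))
    probe = lambda mac, ip: sw.isg_permits(Frame("fa0/3", 20, mac, ip))
    return {"unchanged": probe("0000.1111.1111", "192.168.1.1"),
            "mac_changed": probe("0000.2222.2222", "192.168.1.1"),
            "ip_changed": probe("0000.1111.1111", "192.168.1.2")}


def scenario_fake_release() -> dict:
    """Scope-exhaustion thread: h1 on f1/1 tries to release h2's lease on f1/2."""
    sw = Switch("ip-mac")
    sw.learn(Binding("199.199.199.1", "mac1", 1, "f1/1"))
    sw.learn(Binding("199.199.199.2", "mac2", 1, "f1/2"))
    release = lambda port: Frame(port, 1, "mac2", "199.199.199.2", udp_dst=BOOTPS,
        dhcp_type="RELEASE", dhcp_chaddr="mac2", dhcp_ciaddr="199.199.199.2")
    return {"from_h1": sw.isg_permits(release("f1/1")),
            "from_h2": sw.isg_permits(release("f1/2"))}


def scenario_lease_expiry() -> dict:
    """Main thread: after expiry only the client's new DHCP exchange gets through."""
    sw = Switch("ip-mac")
    sw.learn(Binding("172.21.1.10", "0000.aaaa.0001", 2, "Gi1/0/4"))
    sw.expire("172.21.1.10", "Gi1/0/4")
    data = Frame("Gi1/0/4", 2, "0000.aaaa.0001", "172.21.1.10")
    discover = Frame("Gi1/0/4", 2, "0000.aaaa.0001", "0.0.0.0", udp_dst=BOOTPS,
                     dhcp_type="DISCOVER", dhcp_chaddr="0000.aaaa.0001")
    return {"data": sw.isg_permits(data), "discover": sw.isg_permits(discover)}
```

    The model only covers the ingress filter on a client port, which is why the expiry scenario still passes the DISCOVER: the dropped offer in the opening post is the switch's own reply, not something the documented filter should touch.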

  • DAI & IP Source Guard

    Dear All,
    Can I configure Dynamic ARP Inspection and IP Source Guard for the same VLANs?
    Are they compatible with each other, or what's the difference between the two?
    Thanks in Advance,
    Best Regards,
    Taufeeq?
    Sent from Cisco Technical Support iPhone App

    Yes, they can all be configured for the same VLAN, and as Amit stated, you'll need to configure DHCP snooping as well. Make sure that you have a plan to deal with static IP addresses though. I've been implementing this for the past week, and I can tell you that there can be some administrative burden. It's not a set-it-and-forget-it method.
    HTH,
    John
    *** Please rate all useful posts ***

  • Does IP source guard have any syslog or message? (on 2960 switch)

    Hi everyone, I have a problem: I need to configure a security feature, "IP SOURCE GUARD", on a 2960 switch.
    Everything is OK,
    but when the IP-MAC mismatches
    I can't receive any syslog from "show log",
    only from "show ip verify source" to know which interface is being denied:
    L2#show ip verify source
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
    Fa0/2      ip-mac       inactive-no-snooping-vlan
    Fa0/3      ip-mac       active       deny-all         permit-all         10
    Fa0/4      ip-mac       inactive-no-snooping-vlan
    Fa0/5      ip-mac       inactive-no-snooping-vlan
    Fa0/6      ip-mac       inactive-no-snooping-vlan
    Fa0/7      ip-mac       inactive-no-snooping-vlan
    Fa0/8      ip-mac       inactive-no-snooping-vlan
    Fa0/9      ip-mac       active       192.168.10.1     permit-all         10 
    Fa0/10     ip-mac       inactive-no-snooping-vlan
    Does IP source guard have no feature to create a log?
    Or can anyone tell me what I can do so that I receive some message when the "deny-all" situation is triggered?
    Regards,
    Lin
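    Since the switch logs nothing, a poller that scrapes "show ip verify source" and reports only state changes is one way to get the alert asked for above. This is an added example, not code from the post or from Cisco; parse_verify_source, denied_interfaces, transitions and poll_once are our own names, the sample text is constructed from the rows shown, and the message wording is ours rather than an IOS syslog format.

```python
# Added example, not code from the post above or from Cisco: parse the output
# of "show ip verify source" and turn it into the events Lin asked for. The
# sample below is constructed from the rows Lin posted; the message texts are
# our own format, not IOS syslog mnemonics.
import re
from typing import Dict, List, Set

SAMPLE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
Fa0/2      ip-mac       inactive-no-snooping-vlan
Fa0/3      ip-mac       active       deny-all         permit-all         10
Fa0/4      ip-mac       inactive-no-snooping-vlan
Fa0/9      ip-mac       active       192.168.10.1     permit-all         10
Fa0/10     ip-mac       inactive-no-snooping-vlan
"""

# An active filter shows IP-address, Mac-address and Vlan; an inactive one
# shows only the reason, so the last three columns are optional.
ROW = re.compile(r"^(?P<intf>\S+)\s+(?P<ftype>\S+)\s+(?P<mode>\S+)"
                 r"(?:\s+(?P<ip>\S+)\s+(?P<mac>\S+)\s+(?P<vlan>\d+))?\s*$")


def parse_verify_source(text: str) -> List[Dict[str, str]]:
    """One dict per interface row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = ROW.match(line)
        if m:  # rows with an unexpected column count are ignored, not guessed at
            rows.append(m.groupdict())
    return rows


def denied_interfaces(rows: List[Dict[str, str]]) -> Set[str]:
    """Ports where ISG is active but has no binding: only DHCP gets through."""
    return {r["intf"] for r in rows if r["mode"] == "active" and r["ip"] == "deny-all"}


def transitions(previous: Set[str], current: Set[str]) -> List[str]:
    """Messages a poller would log: one per change, nothing while the state is steady."""
    msgs = [f"ISG deny-all on {i}: no IP source binding, non-DHCP traffic dropped"
            for i in sorted(current - previous)]
    msgs += [f"ISG recovered on {i}: binding present again"
             for i in sorted(previous - current)]
    return msgs


def poll_once(previous: Set[str], text: str = SAMPLE):
    """One polling round: returns the new deny-all set and the messages to emit."""
    current = denied_interfaces(parse_verify_source(text))
    return current, transitions(previous, current)
```

    Feed poll_once the real command output from your collector each interval and hand the returned messages to your syslog sender; the returned set is the state to pass in next time.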

    I have exactly the same question: is it possible to have a syslog message when an IP source guard event occurs on a 2960 switch?
    Can anyone help us?

  • Push a custom DHCP option in DHCP Offer

    Hi,
    I have Windows 2008 R2 acting as a DHCP server. I'd like to push a custom option (created under Scope/Predefined Options and Values/DHCP Standard options) during the DHCP Offer.
    Currently the options in the DHCP Offer are: 53, 1, 58, 59, 51, 54, 6, 255.
    The reply (DHCP Request) contains: 53, 61, 50, 54, 12, 81, 60, 55, 255.
    How can I configure the DHCP server so the Offer contains my custom option?
    Thanks.

    Hi,
    You can add or remove options to and from the predefined list of standard options as needed. Although options are made available in this way, they are not assigned values until administratively configured at either the server, scope, or reservation.
    Once you have manually defined an option, expand Scope – Scope Options (or Server Options), right click and select Configure Options, then select the checkbox of the manually added option in the Available Options list. Then click Apply – OK to save the change.
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • PXE-E51: No DHCP or Proxy DHCP offers were received

    OK, so I'm new to this and decided hey, let's have a go.
    I got it all working great and then all of a sudden after a server reboot I got this:
    PXE-E51: No DHCP or Proxy DHCP offers were received
    My DHCP, DNS, AD and WDS are all on the same box. I spent hours trawling the net and didn't find the answer to my problem but have stumbled across it, although about 10 hours wasted for a really simple solution.
    The cause: it seems my WDS side is loading before my DHCP has a chance to establish, hence WDS cannot talk to DHCP to get the PXE connection going.
    What did I find:
    If I close the GUI for WDS and open the GUI for DHCP, find my server in the tree, right click and then select restart. Wait for this to complete (that's the important part).
    Once the above is done, open my GUI for WDS and again find the relevant point in the tree, right click and restart.
    Lo and behold, my connected laptop is now able to connect to the WDS.
    I posted this in the hope that it will save someone else a heck of a lot of time (can't promise your issue is the same as mine as there are so many different possibilities).

    Because PXE and DHCP use the same protocol and listen on the same ports, having them on the same box is unwise. There is a work-around, but the better option is to put the two services on different systems. The work-around involves configuring the WDS server to use alternate ports, as briefly discussed here:
    http://technet.microsoft.com/en-us/library/cc771734(v=WS.10).aspx
    Jason | http://blog.configmgrftw.com

  • Cisco Aironet 1600 - DHCP Offer Problem

    Hi,
    I have a DHCP problem with our new AP:
    I added an AP to our LAN.
    I made a simple configuration with WPA authentication.
    I can connect some equipment to this AP and our DHCP server gives an address correctly.
    We use an adapter to give wireless connectivity to old stations with old operating systems (adapter example: Netgear WNCE3001).
    This adapter connects to the AP and receives an address from DHCP.
    My problem is that the equipment behind this adapter sends a DHCP request, our server sends a DHCP offer, but it never arrives at this equipment.....
    Same problem with another adapter (TRENDnet and ZyXEL).
    I think the Cisco 1600 doesn't return the DHCP offer correctly; perhaps I am missing some configuration.
    Can anyone help me?
    Thx
    AP configuration in attachment.
    AP system information:
    Product/Model Number: AIR-SAP1602I-E-K9
    Top Assembly Serial Number: [removed]
    System Software Filename: ap1g2-k9w7-tar.152-2.JB2
    System Software Version: 15.2(2)JB2
    Bootloader Version: BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)

    Now that I have googled your client (Netgear WNCE3001) I really understand what you are trying to accomplish. What you want is this client acting like something called a workgroup bridge (at least, that is what it is called when you have a Cisco AP fulfilling this role).
    With the Cisco deployment you configure the AP as a workgroup bridge with multiple client MAC (and IP) addresses behind it. If the infrastructure the AP should associate with is non-Cisco, you can use the "universal mode", where you can use just one (wired) client connected behind the AP.
    Now back to your Netgear client. I have not seen this client in real life, but if I read the manual I get the feeling that this client does a little more than only bridging. At least there is no option to really configure the workgroup bridge stuff, and the WLAN interface is called "Internet adapter". There is also an option for a LAN DHCP server, which is kind of confusing as well if you ask me.
    However, the thing that we can try is using a static IP address on the wired client side and testing whether communication is possible. Could you please give the output of the "show bridge 1" and "show dot11 ass" commands in that situation? Last but not least, you can test whether your configuration works after configuring "config network ip-mac-binding disable" on the WLC.

  • No dhcp offers when booting from network

    I have 2 managed switches, an SLM2048 and an SRW2048.
    Neither of these switches works with thin clients booting from the network.
    My configuration:
    An Ubuntu LTSP server:
    More information about this here -> https://help.ubuntu.com/community/ThinClientHowto
    The thin client:
    Intel mini-ITX motherboards (D945GCLF2D) with 2 GB of RAM, set up in the BIOS to boot from the network.
    Some background info:
    When the thin client boots on an unmanaged switch it finds the Ubuntu DHCP server and boots right away.
    But when put on the SLM2048 or SRW2048 on the same network, the thin client is unable to get any DHCP offers.
    Windows and Macs pick up DHCP addresses fine and all devices show up on the switch fine; it's just no luck booting thin clients.
    Any help with this would be appreciated.
    Thank you

    Hello,
    Have you tried removing broadcast storm Control on the switches in question or alternatively setting Broadcast Storm Control to 300 kbps? In case number 610813169 this technique was used to resolve such an issue. If not, you will likely need to open a case with the SBSC.
    Regards,
    Christopher

  • Linux guest does not get DHCP offer through a bridged internal switch, but Windows guests do (laptop).

    I am also having trouble getting networking to work on my laptop. It has one Gigabit LAN and one wireless network interface.
    I cannot get my Linux guests (I tried CentOS 6.4, Ubuntu 13.10 and Debian 6) to get a DHCP offer from my DHCP server on my physical LAN. Manual configuration using static IP addresses works, but I need DHCP for my laptop.
    I tried a Windows 8.1 Pro 64-bit guest and the Windows Phone SDK 8.0, and both connected fine to the internet.
    Here is what I tried:
    With the Ethernet cable disconnected I was connected to my wireless network or LAN with WPA2 Personal authentication. On this physical LAN there was a DHCP server.
    I created an internal Hyper-V switch and then I created a bridge between this switch and my wireless interface. I always used this switch as the single network connection for my VMs.
    I am using Windows 8.1 Professional 64-bit.
    Why are only Linux guests affected, and is there a solution? Thank you.

    Hi faustbusserl,
    "I cannot get my Linux guests, I tried CentOS 6.4, Ubuntu 13.10 and Debian 6, to get a DHCP offer from my DHCP server on my physical LAN. Manual configuration using static IP addresses works, but I need DHCP for my laptop."
    Does it mean that you have created an external virtual switch for the Linux guests and they cannot get an IP from DHCP?
    Did you try using a legacy network card for the Linux VM to get an IP from DHCP?
    Best Regards
    Elton Ji
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • WRT54G dropping DHCP

    Okay, can someone please give me some help. I have been running a WRT54G ver: 7.0 for about six weeks; so far the wireless network drops in and out when it feels like it. Now the DHCP side of things locks up after my wife's Vista laptop turns on and logs in. Also, when scanning the wireless network, the channel the router is broadcasting on, which has been set to channel 6, goes from 1 to 11 at random...
    Can anyone tell me if there is a firmware upgrade for my version 7? The site skips this version in the drop-down box. Or can anyone offer some help please? Failing that, I am going to take a hammer to it!!
    Many thanks, Rob
    UPDATE: Okay, I have found the latest firmware, which I have installed. I still have the problem of my DHCP not allocating IPs to hosts logging on! I have to power down the router and start again...
    Any help out there?
    Message Edited by helix1250 on 03-08-2009 02:20 PM

    You must reset and re-configure the router after any firmware upgrade... If you have not reset the router after the last firmware upgrade you must do it now...
    Press and hold the reset button for 30 seconds... Release the reset button... Unplug the power cable from your router, wait for 30 seconds and re-connect the power cable... Now re-configure your router... See if it resolves your concern...

  • PPro CS6:  Source Monitor Dropping Frames

    Greetings,
    Currently I'm working off an iMac, OS X 10.8.4, 12 GB RAM, with an i7 and an ATI Radeon 1 GB video card. I hadn't noticed it until today for some reason, but my source monitor keeps dropping frames like crazy after about 5 seconds of playback.
    I've read other threads that recommend lowering the preview frame resolution, as well as the playback resolution to 1/4. I've tried that, allocated more memory to PPro (only 2 GB left to other applications, yet PPro seems to only use 1.9 GB during dropped-frame playback), shut down other processes that might be consuming memory, switched PPro to enable better "Performance" in preferences, and rebooted several times.
    I realized that it could be the source footage from the start:  1080p 23.976fps TIFF sequence. 
    How can I get PPro to actually use more than 1.9GB of memory during playback in order to get over this TIF hump?  Or does the real answer lie not in memory, but more processing power?
    Not a job-threatening situation, but just curious as to what it takes.
    Thanks!
    -Hunter

    Okay, thanks for the additional info. I've taken note of this issue and will investigate when we return from the company shutdown on July 8.
