Ip source guard feature and dhcp DHCP scope exhaustion (client spoofs other clients)

Similar Messages

• IP Source guard feature enabling

  Dear All ,
          My organisation has a requirement that if any user change the IP of his system , he should not able to access anything from his machine .
  I have read that IP source guard feature on cisco can be used to achieve the same .
   Can some body explain the process .  Also if i have a unmanaged switch( 24 port )  connected to the Cisco L2 switch . so can i enable IP source guard for multiple source IP's on single port .
   Kindly revert urgently .
  Rgds,
  Tushar

  Hello Tushar,
  IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
  Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
  Below is the CCO document for your reference..
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
  Regards,
  Mohit

• IP DHCP snooping, IP source Guard, and DIA

  Hi All,
  I have Configured DHCP snooping and IP source guard and Dynamic arp inspection on my 3560 and 3750 Network Switches,
  on both of them I'm facing that issue. (the printers and access points are configured to get ip addresses via DHCP), but when the lease time expires, they don't get ip addresses, and become unreacheable.
  while all other clients get thier ip addresses normally
  below you can find the Configuration configuration
  ip dhcp snooping vlan 98,105,111
  no ip dhcp snooping information option
  ip dhcp snooping database flash:dhcpsnooping
  ip dhcp snooping database write-delay 15
  ip dhcp snooping
  ip arp inspection vlan 98,105,111
  ip verify trust on all access ports including printers and access point ports
  all access ports are DHCP snooping untrusted
  also when I create a static dhcp snooping binding record for these devices on the switch it resolves the Issue, but when I reload the switch it's removed automatically.
  any resolution will be much appreciated.
  regards,
  Maher

  check the following link for configuration of DHCP snooping
  http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

• IP Source Guard dropping DHCP Offers

  Hello,
  I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
  I've configured port-security, DHCP Snooping and DAI and they all work as expected.
  However when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated but the offer gets dropped because there is no Snooping binding!
  One thing to note is that the DHCP server is on the switch itself and not on a port.
  Does anyone know if this is the correct behaviour???
  Thanks.

  Hi Istvan,
  Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)
  I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
  Here is the relevant config:
  ip dhcp excluded-address 172.21.1.254
  ip dhcp pool Users
  network 172.21.1.0 255.255.255.0
  default-router 172.21.1.254
  lease 0 0 5
  ip dhcp snooping vlan 2
  ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
  ip dhcp snooping
  ip arp inspection vlan 2
  interface GigabitEthernet1/0/4
  description Laptop
  switchport access vlan 2
  switchport mode access
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security aging type inactivity
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source port-security
  ip dhcp snooping limit rate 10
  interface Vlan2
  ip address 172.21.1.254 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.
  Thanks, Steve

• 3000 series and Multiple DHCP scopes (DHCP-relay)

  I need to send different DHCP options to users; however, I need to put certain groups in different subnets. Is it possible to setup the concentrator to relay for addresses from different scopes?

  - Configuration
  - System
  - IP Routing
  - DHCP Relay
  a. Enable 'Enabled' checkbox
  b. Select Forward to
  c. Address == 192.168.10.8 255.255.255.0
  - Address Management
  - Assignment
  a. Enable 'Use DHCP'
  - User Management
  - Groups
  - Select 'groupA'
  - Modify Group
  - Click General tab
  - Enter 'DHCP Network Scope' x.x.x.x
  - Select 'groupA'
  - Remove Address Pool
  Now I get the following error:
  118 02/08/2005 13:29:00.720 SEV=3 DHCPDBG/39 RPT=34
  DHCP discover timeout: no response from polled servers (xid 3821297335)
  I can ping the server, and it is serving up this scope to other devices (just not from the concentrator)

• Clients unable to connect and get DHCP - LAP1142N AP and 5508 WLC

  Hi,
  I have 19 locations, each with 1 or more LAP1142N AP's in FlexConnect mode, AP's are primed using CAPWAP to my 5508 WLC at the datacenter. The AP's join the WLC without issue every time. I have two WLAN's, one guest and one staff, the guest network is open and obtains DHCP from a WatchGuard XTM33 firewall at each of the remote locations. The staff side is WPA2/RADIUS and DHCP is assigned from the WLC. Each AP is assigned a static IP that is not in the DHCP scope. For example: DHCP scope on the branch firewall is 192.168.1.10-250 the AP will be assigned static IP of 192.168.1.1.. The AP's are connected to a HP procurve switch that has a untagged VLAN, the firewall is using the native vlan 1 and so is the AP.
  I have been running this network for over a year and it has not had a single issue until the last two weeks. Nothing on the network has changed or has been upgraded.
  Now for the issue: The issue I am seeing is that clients are no longer able to connect to the AP and do not get DHCP assigned to them. I am able to get it working, if I remove the static IP from the AP, the AP will reboot, join the controller, then begin working, users can connect and DHCP is assigned from the firewall as it should. However, If the AP then reboots, the AP will join back to the controller but no clients can connect nor do they get a DHCP address. So, I then reassign a static IP to the AP again and it reboots, connects to the controller and clients then can connect and get DHCP.
  Attached is a running config from one of the APs
  I've found several posts on this topic, in fact the patch of unassigning or reassigning static IP is one that I found. However, I wanted to post this to see if there is any further assistance I can get on this. I am also waiting on my SmartNet to start up and will be contacting Cisco support as well.
  Thanks for any help.

  Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
  What is Mobility Anchor?
  A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

• DHCP Split Scope Monitoring

  Hello :
  I have an interesting scenario where I need to setup some kind of monitoring around DHCP Scope exhaustion. Now each site has two DHCP servers with the Scopes split. So If I setup event log monitor and one server reports that a scope is running out of IP
  addresses, it does not mean that the second server is also running out of free IP. Is there a way to use SCOM to monitor both DHCP servers and alert if the scope is out of free IP on both servers? There is a nice article on this for Solarwinds - https://thwack.solarwinds.com/docs/DOC-174909
  but I would like to achieve this using SCOM.
  PS: I know IPAM can be a good solution, but I am really interested in ways to do this using SCOM and I am open to any scripted solution or custom MPs.
  Any pointers will be highly appreciated.
  -A

  Hi,
  How about using an aggregate rollup monitor to group multiple monitors into one monitor and then use that monitor to set the health state and generate an alert.
  Or Dependency Monitors with Percentage policy set:
  http://technet.microsoft.com/en-us/library/hh457606.aspx
  In addition, would suggest you look at DHCP failover in WS2012, which opens up some new options for HA design.
  DHCP failover: This feature provides the ability to have two DHCP servers serve IP addresses and option configuration to the same subnet or scope, providing for continuous availability of DHCP service to clients. The two DHCP servers replicate lease information
  between them, allowing one server to assume responsibility for servicing of clients for the entire subnet when the other server is unavailable. It is also possible to configure failover in a load-balancing configuration with client requests distributed between
  the two servers in a failover relationship. For more information about DHCP failover, see Step-by-Step:
  http://technet.microsoft.com/en-us/library/hh831385.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• WLC Internal and External DHCP

  I am currently using the Internal DHCP component within my 5508 Controller with software version 7.0.166.0.  This seems to be working fine as the Vlan Routed interface connected to it via the Dynamic Trunk Port is functioning as l have the ip-helper command setup on this specific vlan interface..
  My issue now is that we have a isolated ADSL Network which is configured off our Core 6513 but just as a Layer 2 Vlan so no traffic can be routed to other vlans.
  With our new WIFI environment which consists of the 5508 Controller and numerous 3502 AP's we wont to utilize this ADSL vlan with our new WIFI environment..  This ADSL Vlan has a dedicated Linksys Router which is currently running DHCP and assigning addresses to clients at the moment..
  What l want to do is configure the 5508 controller to use this ADSL vlan aswell but to also keep using the Linksys Router aswell for DHCP..
  I have setup a new dynamic interface and added the ADSL Vlan ID to the Trunk port of the 5508 and also setup its own SSID.  But for some reason l cannot get both the internal and External DHCP servers to work at the same time ?  If l enable DHCP Proxy option on the 5508 the internal DHCP server works and when l disable DHCP Proxy the ADSL Vlan DHCP works through the 5508 but not the internal DHCP Server ??
  Can l get both the internal and external DHCP servers to work in harmony or should l be focusing on using one method over the other ?

  Hey Scott l have just tried configuring another scope for the L2 Vlan but it doesn't seem to be working when l add the ip address of the management interface which is the internal DHCP Server to the dynamic interface of this adsl network l have setup l dont seem to get a ip address within this scope ?
  I am just wandering seeing it is just a L2 vlan without a routed interface would this be the problem and would need to set this up with the "ip helper-address" of the management interface ?
  Cheers SG

• WLCs 5508, HA enabled and Internal DHCP

  Hi:
  Designing a new project for a customer in which a pair of WLC-5508 and a bunch of AP-3602I will be deployed.
  Controllers running 7.4 image, and I'd also like to use them as internal DHCP servers for clients in different WLANs
  As for the redundancy mechanism I'd go for activating HA (AP-SSO) but I know HA and internal DHCP server can't coexist.
  So, my question is: does anyone know if Cisco is thinking of implementing both features in any new version to come? The goal would be the Active controller handing over all leases database in case of active to standby switchover.
  Thx!
  Juan.

  As you already know that HA and DHCP both cannot coexist on WLC. Till now there is no plan of cisco to implement this.

• Unable to boot Windows Server 2012 after adding features (AD, DNS, DHCP)

  Hi,
  I'm installing a VM server 2012 and it installs without any problems. Able to boot it and login, I change the name of the server and restart it. Still no problem.
  Now when I want to add some features, Active Directory, DHCP and DNS, promoting to Domain Controller. Create a new forest and so on. When this is configured and installed the server wants to restart. It restarts but boots into a loop and ends up in System
  Recovery/Troublshoot. I have tried repairing the boot with bcdedit in cmd-prompt but not able to fix it. Same Issue in VMware and hyper-v manager on different hosts. Im thinking that the image is at fault, but its strange that everything works at the beginning. 
  Am I missing something? The image I'm using is from MSDN, Server 2012 debug checked with updates.  I'll try another image today, but why shouldnt that one work? 

  Hi Presaro,
  I’m glad to hear that everything is OK. Thank you for posting here.
  Best Regards,
  Tina

• Swapping DHCP Split-Scope

  Hi all,
  I have a site with 2 DHCP servers, one in production environment and another in DR. For whatever reason, the DR server was setup to server the majority of the DHCP leases (10.50 -> 10.209) and the production server only 30 addresses (10.210 -> 10.240).
  We want to change this around and I have a couple of questions:
  1. Our documented process is to remove the exclusion ranges and then setup new exclusion ranges as a complete opposite of the current setup to give the production server the majority of the leases.
  2. What happens to active client leases e.g. Client connected on the DR scope, lets say 10.100. When the ranges are switched over, presumably 10.100 will then become available on the production scope and will be dished out to a new client but the old client
  will receive an IP conflict error OR is DHCP smart enough to know this?
  Any help would be appreciated.
  David Robertson

  Hi,
  I suppose the main purpose is to extend IP address pool of your product. If so, I think we can shrink the IP pool in DR, then we should wait until the lease is expired. As
  you referred, we can reduce the lease time first. Once the lease is expired, we can enlarge another DHCP pool.
  Since you have two DHCP for one network, how do you determine which computer to get an IP from production network? Do you have DHCP reservation for them? Personally, I think
  configure two subnet and router between them could be a better choice.
  Hope this helps.

• DHCP Split-Scope Configuration Wizard showing error "Not enough storage is available to process this command".

  Hi,
  I'm trying to split the DHCP scope between two Servers using the DHCP Split-Scope Configuration Wizard.
  Server one is a VM hosted on Hyper-V and is running Windows Small Business Server 2008 (I think this was previously SBS2003 and was upgraded at some point in time). The whole DHCP scope is currently configured on here.
  Server two is a VMware VM running Windows Server 2012 R2.
  I've installed the DHCP Server role on Server two (2012R2) and authorized the Server. When I launch DHCP Manager, add the SBS2008 Server in the MMC, right click the scope and choose "Advanced > Split-Scope", and then run through the wizard,
  I get as far as the "Percentage of Split" screen, and when I click next I get the error "Not enough storage is available to process this command".
  I've searched online for this particular error message and I've come across articles suggesting AV exclusions are not in place for the DHCP database and files, however in this case the exclusions are definitely in place and I've also tried completely disabling
  AV on both Servers and this made no difference to the outcome.
  I also came across articles suggesting the "IRPStackSize" registry DWORD needed to be added and set to a decimal value of 15 or larger. Again, I've tried adding this and rebooted both Servers but I get the same result.
  Anyway have any ideas?
  Thanks,
  Craig

  Hi Eve,
  No, there were no related events in the event logs. I've since tried splitting the DHCP scope manually but this did not work - the DHCP Server on the SBS would just stop and event: 1053 was displayed when trying to start the service again. I noticed
  that as soon as I de-activated DHCP Server on the 2012 Server then the DHCP Server on the SBS would start again.
  I then found the following in a TechNet article that would suggest I cannot have another DHCP Server on the network if using Small Business Server.
  Notes      
  A DHCP server running Microsoft Small Business Server will not operate if another DHCP server is active on its network.
  Detection of unauthorized DHCP servers requires the deployment of Active Directory Domain Services and the DHCP service. Other DHCP servers do not attempt to determine whether they are authorized by Active Directory Domain Services before offering IP address
  leases.

• Can you use the Airport Express A1264 as an AP and a DHCP server at the same time?

  Can you use the Airport Express A1264 as an Access Point and a DHCP server at the same time?
  I would like to use it as a DHCP server and AP at the same time in my LAN (no internet, just local machines through a few switches). I was lead to belive this could be the case from a few networking friends that haven't been friendly enough to help me out setting it up.

  I need it to act as a dLink/Cisco/Linksys/etc basic wifi router, in the fact that you can access it via wifi, and it will spit out DHCP addresses (192.168.1.xxx) to everything wired downstream of it.
  I want to simultaniously provide a Wifi connection and a LAN connection at the same time
  Thanks,
  BRad

• Why do some devices show up as wireless clients and not DHCP clients

  When looking at the 'Logs and Statistics' section it shows me the MAC addresses of 3 wireless devices I have on my W/LAN (Macbook and 2 wireless PVR's) in the 'wireless clients' section but no info on the 2 wireless PVR's in the DHCP clients section. Only the Macbook appears there with its ip address shown. Can anyone tell me how to find out the ip addresses of these 2 other devices. I tried connecting one of the PVR's via a cat 5 but that one still doesn't show up in the DHCP clients section.

  Esterhazyinoz wrote:
  Can anyone tell me how to find out the ip addresses of these 2 other devices. I tried connecting one of the PVR's via a cat 5 but that one still doesn't show up in the DHCP clients section.
  Try scanning with WakeOnLan to get a list of all devices and their IP addresses. If the devices got fixed IP addresses at the factory, they won't show up under DHCP.

• NetBoot and Multiple DHCP Servers

  Hey everyone,
  We have a NetBoot machine running here at my school (where I work). It was working like a champ until a couple of weeks ago when our network got upgraded and there are now 2 DHCP servers on our network. That, for some reason, is totally screwing up our NetBooting process.
  Here's what I think is happening, and maybe someone can tell me if I right or wrong. NetBoot (or BSDP protocol) is a "broadcast" protocol. (That means it's always just floating around out there on the network. ) NetBoot (BSDP) protocol gets injected into the DHCP stream, and any machine that gets DHCP can get BSDP, and essentially NetBoot.
  The problem is with BSDP. BSDP protocol wants to have all of it's "broadcasts" come from the same server. So when we had 1 DHCP server, everything was fine, because client machines would get their whole NetBoot process from one machine... all of the BSDP broadcasts were coming from our 1 DHCP server.
  Now, we have 2 DHCP servers. What happens is, a client will get some of it's BSDP broadcasts from one DHCP server, and some from another... which it does not like at all.
  I recently read somewhere that it is possible to somehow make one of our DHCP servers the "authoritative" server, to which all of the clients will go to get their NetBooting info.
  Does this sound in any way right? Are we on the right track ? Has anyone seen this before? Any help would be greatly appreciated. Thanks a million.
  Mike

  Now, we have 2 DHCP servers. What happens is, a
  a client will get some of it's BSDP broadcasts from
  one DHCP server, and some from another... which it
  does not like at all.
  Not unless your new DHCP server is also a NetBoot server and is set to provide NetBoot services. BSDP and DHCP are not the same thing. If what you were saying were true, it wouldn't be possible to have DHCP and NetBoot offered by different servers.
  It IS possible, however, that the two DHCP servers are causing problems by both servicing DHCP requests for the same clients. If you've got multiple DHCP servers on the same subnet (or your router's configured to pass DHCP requests between subnets), you should make sure that only one of the DHCP servers answers requests from any given client. In our world, our Novell server is the default DHCP server on our subnet, but I keep a list of excluded MAC addresses on that server so that my Macintosh clients don't get addresses from it. On the Mac OS X server, I'm careful to limit my address ranges only to those machines which have static address maps in NetInfo. That way, our servers coexist, but they don't overlap.
  It's not clear from your message whether your previously solitary DHCP server was your Mac OS X server, or whether one of the two DHCP servers is that box. But whatever the servers are, it might be helpful to turn off one of them to see if the same problem occurs (assuming you can, without major network disruptions). If that's not possible, can you talk to your network admins to see if there's some way to isolate your clients and one of the servers--in other words, see if there's some way to keep DHCP servers from responding to the same requests.
  There may be any number of other reasons why this problem has cropped up. You may need to dust off a hub and a copy of Ethereal or EtherPeek to sniff what's happening on the network. You might also try NetBooting in verbose mode, to see where the process craps out. IIRC, there'a decent guide for this kind of troubleshooting over at Bombich's site (www.bombich.com).
  Good luck.
  David Walton