IP Source guard feature enabling

Dear All,
My organisation has a requirement that if any user changes the IP of his system, he should not be able to access anything from his machine.
I have read that the IP source guard feature on Cisco can be used to achieve the same.
Can somebody explain the process? Also, I have an unmanaged switch (24 port) connected to the Cisco L2 switch, so can I enable IP source guard for multiple source IPs on a single port?
Kindly revert urgently.
Rgds,
Tushar

Hello Tushar,
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
Below is the CCO document for your reference.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
Regards,
Mohit

Similar Messages

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A DHCP server assigns IP addresses based on the MAC address carried by the client hardware field in DHCP packets.
    One potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
    For example, a host h1 with mac1 has been assigned an IP address by the DHCP server as:
    199.199.199.1 mac1
    The DHCP server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler, one can create DHCP discover messages, each time creating a different MAC for the client hardware field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server these are legitimate DHCP discover messages, each carrying a different MAC in the client hardware address.
    You might say use DHCP snooping and it will prevent that (DHCP scope exhaustion), and configure the switch to check if the src MAC matches the client hardware address in the DHCP message. But we can still create spoofed discover messages where the src MAC in the Ethernet header matches the client hardware address in the DHCP discover message. We still did not overcome the problem.
    You might say use the IP source guard feature, but will it really prevent that problem from happening?
    Let me illustrate it:
    h1---------f1/1SW---------DHCP server
    Let's say we have configured DHCP snooping on sw1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure IP source guard to validate both src MAC and src IP against the DHCP bindings. When we first configure IP source guard, it will allow DHCP communication only, so a host can request an IP address and a DHCP binding can be built. After that, IP source guard will validate src IP or src MAC or both against the DHCP binding, depending upon how we configure IP source guard.
    In our case we have configured IP source guard to validate both src MAC and src IP against the DHCP binding.
    A DHCP binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where src MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. Since the switch is configured with the IP source guard feature, it allows the DHCP discover message to pass through. The DHCP server, upon receiving the DHCP message, assigns another IP address from the pool. Now the DHCP server has the following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2
    We can continue to craft spoofed DHCP discover messages as mentioned above and have the DHCP server keep assigning IP addresses until the whole pool is exhausted.
    So my question is: how does IP source guard in conjunction with DHCP snooping prevent this particular attack from happening (i.e. DHCP scope exhaustion)?
    I really appreciate your input.
    Thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the locations of legitimate DHCP servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to DHCP snooping.
    It means if any user connected in that switch/vlan runs a DHCP service, like VMware for example, snooping will prevent the dhcp/bootp servers connected to that port from being able to process.
    Yes, that is correct. Because the DHCP snooping feature will check these ports for the messages usually sent by a DHCP server, such as DHCP offer, etc. If the end user is running a DHCP server using a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate DHCP server using VMware.
    When we have DHCP snooping, it prevents the 1st level of hacking itself. I don't think it will have any impact on DHCP address releasing.
    I am sorry. You lost me here. What is 1st level of hacking?
    DHCP snooping checks DHCP messages such as DHCP release and DHCP decline on untrusted ports against the DHCP bindings.
    Here is why:
    h1---------SW1-------dhcp server
                   |
                 h2
    Let's say we don't have DHCP snooping in the above attack and h2, a legitimate user, has already been assigned IP address 199.199.199.2 by the DHCP server. Thus the DHCP server has an entry:
    199.199.199.2 mac2
    Next we connect a rogue user and it gets IP address 199.199.199.1. Now the DHCP server has the entries:
    199.199.199.1   mac1
    199.199.199.2   mac2
    Now, using hacking tools, h1 creates a fake DHCP release message with 199.199.199.2   mac2
    The DHCP server, upon receiving this message, will release the IP address and return it to the pool.
    By using DHCP snooping, the switch will peer inside the DHCP release message and check it against the binding. If there is a conflict, it will drop the message.
    For example:
    If we have DHCP snooping configured, then the switch will have DHCP bindings as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2     mac2    vlan 2    f1/2 lease time.
    If h1 tries to send a fake DHCP release with IP address 199.199.199.2    mac2
    the switch will check IP address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drop the DHCP release packet.
    Thanks
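
The checks discussed in this thread can be modelled in a few lines. This is an added example, not code from any poster or from Cisco: it is a simplified Python model of an untrusted port, in which the class and function names are hypothetical, the addresses are the thread's own, and a port-security MAC cap is modelled as a plain drop rather than an err-disable.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:              # one row of the DHCP snooping binding table
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class DhcpMsg:
    kind: str               # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    src_mac: str            # source MAC in the Ethernet header
    chaddr: str             # client hardware address inside the DHCP payload
    ciaddr: str = "0.0.0.0" # address being released or declined


@dataclass
class UntrustedPort:
    name: str
    max_macs: Optional[int] = None   # models "switchport port-security maximum N"
    verify_chaddr: bool = True       # models the src MAC vs chaddr check
    seen_macs: Set[str] = field(default_factory=set)


SERVER_KINDS = {"OFFER", "ACK", "NAK"}

# Binding table from the thread (mac1/mac2 are the thread's placeholders).
TABLE: List[Binding] = [
    Binding("199.199.199.1", "mac1", 1, "f1/1"),
    Binding("199.199.199.2", "mac2", 2, "f1/2"),
]


def check_dhcp(port: UntrustedPort, msg: DhcpMsg,
               bindings: List[Binding]) -> Tuple[bool, str]:
    """Return (forwarded?, reason) for a DHCP message arriving on an untrusted port."""
    # Port security sees the frame first: cap the number of source MACs per port.
    if port.max_macs is not None and msg.src_mac not in port.seen_macs:
        if len(port.seen_macs) >= port.max_macs:
            return False, "port-security MAC limit"
        port.seen_macs.add(msg.src_mac)
    # Server-originated messages are never accepted from an untrusted port.
    if msg.kind in SERVER_KINDS:
        return False, "server message on untrusted port"
    if port.verify_chaddr and msg.src_mac != msg.chaddr:
        return False, "chaddr does not match source MAC"
    # RELEASE/DECLINE must come from the port that owns the binding.
    if msg.kind in ("RELEASE", "DECLINE"):
        for b in bindings:
            if (b.mac == msg.chaddr or b.ip == msg.ciaddr) and b.port != port.name:
                return False, "binding belongs to another port"
    return True, "forwarded"


def discovers_forwarded(port: UntrustedPort, count: int,
                        bindings: List[Binding]) -> int:
    """Count how many DISCOVERs with distinct, self-consistent MACs reach the server."""
    forwarded = 0
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)  # constructed test MACs
        ok, _ = check_dhcp(port, DhcpMsg("DISCOVER", mac, mac), bindings)
        forwarded += ok
    return forwarded


if __name__ == "__main__":
    fake = DhcpMsg("RELEASE", "mac2", "mac2", "199.199.199.2")
    print(check_dhcp(UntrustedPort("f1/1"), fake, TABLE))
    print(discovers_forwarded(UntrustedPort("f1/1"), 50, TABLE))
    print(discovers_forwarded(UntrustedPort("f1/1", max_macs=2), 50, TABLE))
```

In this model the message checks alone forward every DISCOVER whose Ethernet source and chaddr agree, which is the gap the question describes; what bounds the number of leases a single port can consume is the MAC cap (the `switchport port-security maximum` line that appears in a configuration further down this page).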

  • Does IP source guard have any syslog or message?? (on 2960 switch)

    Hi everyone, I have a problem: I need to configure the security feature "IP SOURCE GUARD" on a 2960 switch.
    Everything is OK.
    But when the IP-MAC mismatches,
    I can't see any SYSLOG in "show log".
    Only from "show ip verify source" can I know which interface is denied:
    L2#show ip verify source
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
    Fa0/2      ip-mac       inactive-no-snooping-vlan
    Fa0/3      ip-mac       active       deny-all         permit-all         10
    Fa0/4      ip-mac       inactive-no-snooping-vlan
    Fa0/5      ip-mac       inactive-no-snooping-vlan
    Fa0/6      ip-mac       inactive-no-snooping-vlan
    Fa0/7      ip-mac       inactive-no-snooping-vlan
    Fa0/8      ip-mac       inactive-no-snooping-vlan
    Fa0/9      ip-mac       active       192.168.10.1     permit-all         10 
    Fa0/10     ip-mac       inactive-no-snooping-vlan
    Does IP source guard have no feature to create a LOG??
    Or can anyone tell me what I can do so that I receive some message when the "deny-all" situation is triggered?
    Regards,
    Lin

    I have exactly the same question: is it possible to have a syslog message when an IP source guard event occurs on a 2960 switch?
    Can anyone help us?

  • IP Source Guard dropping DHCP Offers

    Hello,
    I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
    I've configured port-security, DHCP Snooping and DAI and they all work as expected.
    However when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated but the offer gets dropped because there is no Snooping binding!
    One thing to note is that the DHCP server is on the switch itself and not on a port.
    Does anyone know if this is the correct behaviour???
    Thanks.

    Hi Istvan,
    Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)
    I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
    Here is the relevant config:
    ip dhcp excluded-address 172.21.1.254
    ip dhcp pool Users
     network 172.21.1.0 255.255.255.0
     default-router 172.21.1.254
     lease 0 0 5
    ip dhcp snooping vlan 2
    ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
    ip dhcp snooping
    ip arp inspection vlan 2
    interface GigabitEthernet1/0/4
     description Laptop
     switchport access vlan 2
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     spanning-tree portfast
     spanning-tree bpduguard enable
     ip verify source port-security
     ip dhcp snooping limit rate 10
    interface Vlan2
     ip address 172.21.1.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.
    Thanks, Steve

  • IP Source Guard

    I have configured DHCP snooping with option 82. That is working OK. I then went to enable IP Source Guard to help against MAC spoofing. I enabled port security and ip verify source. I connected a client to the port and the address went into the snooping database as it should. I then spoofed my MAC address on the same port with the same client, and it adds another entry and IP address into the DHCP snooping binding database and gives my client an IP address. So, it looks like my ip verify source is not working? Any suggestions?

    And the DHCP server links to the core switch, but it is a Windows server that does not support option 82. And I cannot configure: ip verify source.

  • Questions about IP source guard

    1.ISG & port-channel
    Where I should input the command "ip verify source dhcp-snooping-vlan", under the physical interface or port-channel interface?
    2.ISG & PVLAN
    Because I will not use IP DHCP snooping, I have to input the static ISG entry as below:
    "ip source binding 1.1.1.1 1111.1111.1111 vlan xx interface g2/1"
    I'm confused about the VLAN ID, it should be Primary VLAN ID or the Secondary VLAN ID???

    Hello sarah,
    These are my test results from the IP source guard and MAC address filtering lab:
    IP source guard
    --verifies source IP, or source IP & MAC address, against the snooping database--
            switch MUST run EMI image
    ip source: -Layer 3 checking!
    Switch
    int fa0/3
    description Link to Host 1
    switchport mode access
    ip verify source
    Host1
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.1 255.255.255.0 or via DHCP
    If the MAC address is changed on this port, it will still be able to work,
    as ip verify source is only set to look at the IP address of the interface and not the
    MAC address in the binding table.
    Change IP address:
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.2 255.255.255.0 
    Now the connection is lost, and even if you change the IP address back, it will still be down.
    I have found that either manually adding a binding to the snooping D/B or shutting down and re-enabling the port
    re-enables the connection:
    ip dhcp snooping binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
    This will work as long as the IP address is back in the snooping database; the MAC is irrelevant.
    IP source & MAC address
    Switch
    int fa0/3
    description Link to Host 1
    switchport mode access
    ip verify source port-security
    switchport port-security
    Host1
    int fa0/0
    Mac 0000.1111.1111
    ip address 192.168.1.1 255.255.255.0 or via DHCP
    If the IP or MAC address is changed on this port, it WON'T be able to work,
    as ip verify source port-security is set to look at both the IP address and MAC address of
    the interface and in the binding table.
    Now if you change either the IP or MAC address, the connection is lost.
    Again, either manually adding a binding to the snooping D/B or shutting down and re-enabling the port
    re-enables the connection.
    All static entries are checked BEFORE the snooping database.
    When the interface is shut down or changed, the dynamic bindings are removed from the snooping D/B;
    this is related to either configuration.
    res
    Paul
    Please don't forget to rate any posts that have been helpful.
    Thanks.
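
The behaviour described in the first reply on this page (everything but DHCP blocked until a binding exists) and in the lab results above can be reproduced with a small model. This is an added example, not code from any poster or from Cisco: the class and function names are hypothetical, the fa0/3 values are taken from the lab post, and the fa0/5 addresses for several hosts behind one port are constructed, on the assumption that a port can hold several bindings at once.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    ip: str
    mac: str
    vlan: int
    static: bool = False    # True: "ip source binding ..."; False: learned by DHCP snooping


class GuardedPort:
    """One untrusted access port with IP Source Guard enabled (simplified model)."""

    def __init__(self, name: str, check_mac: bool = False):
        self.name = name
        # False models "ip verify source"; True models "ip verify source port-security".
        self.check_mac = check_mac
        self.entries: List[Entry] = []

    def learn(self, ip: str, mac: str, vlan: int, static: bool = False) -> None:
        self.entries.append(Entry(ip, mac, vlan, static))

    def link_down(self) -> None:
        """Port shut or link loss: dynamic bindings are removed, static ones stay."""
        self.entries = [e for e in self.entries if e.static]

    def matched_by(self, src_ip: str, src_mac: str) -> Optional[str]:
        # Static entries are consulted before the snooping database.
        for e in sorted(self.entries, key=lambda e: not e.static):
            if e.ip == src_ip and (not self.check_mac or e.mac == src_mac):
                return "static" if e.static else "dhcp-snooping"
        return None

    def permits(self, src_ip: str, src_mac: str, is_dhcp: bool = False) -> bool:
        if is_dhcp:
            return True     # DHCP always passes so that a binding can be built
        return self.matched_by(src_ip, src_mac) is not None


HOST_MAC, OTHER_MAC = "0000.1111.1111", "0000.3333.3333"   # values from the lab post


def lab(check_mac: bool) -> Dict[str, bool]:
    """Replay the lab steps on fa0/3 in IP-only or IP+MAC mode."""
    port = GuardedPort("fa0/3", check_mac)
    out = {"before_lease": port.permits("192.168.1.1", HOST_MAC),
           "dhcp_before_lease": port.permits("0.0.0.0", HOST_MAC, is_dhcp=True)}
    port.learn("192.168.1.1", HOST_MAC, 20)
    out["bound"] = port.permits("192.168.1.1", HOST_MAC)
    out["changed_mac"] = port.permits("192.168.1.1", OTHER_MAC)
    out["changed_ip"] = port.permits("192.168.1.2", HOST_MAC)
    port.link_down()
    out["after_link_down"] = port.permits("192.168.1.1", HOST_MAC)
    return out


def shared_port() -> Dict[str, object]:
    """Several hosts behind an unmanaged switch on one port (constructed addresses)."""
    port = GuardedPort("fa0/5", check_mac=True)
    port.learn("192.168.1.10", "0000.aaaa.0001", 20, static=True)
    port.learn("192.168.1.11", "0000.aaaa.0002", 20, static=True)
    port.learn("192.168.1.12", "0000.aaaa.0003", 20)        # a DHCP client
    out: Dict[str, object] = {
        "host1": port.matched_by("192.168.1.10", "0000.aaaa.0001"),
        "host3": port.matched_by("192.168.1.12", "0000.aaaa.0003"),
        "host2_takes_host1_ip": port.permits("192.168.1.10", "0000.aaaa.0002"),
        "host1_unbound_ip": port.permits("192.168.1.50", "0000.aaaa.0001"),
    }
    port.link_down()
    out["host1_after_link_down"] = port.permits("192.168.1.10", "0000.aaaa.0001")
    out["host3_after_link_down"] = port.permits("192.168.1.12", "0000.aaaa.0003")
    return out


if __name__ == "__main__":
    print(lab(False)); print(lab(True)); print(shared_port())
```

Behind an unmanaged switch the guarded port only knows the set of permitted address pairs, so it cannot tell which downstream host sent a frame that matches one of them.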

  • How do I disable Web Guard feature?

    Sometimes I get an error message that says, "Content Restricted : The Web Guard feature has been enabled on your line. Web Guard has restricted your access to this content. The person on your Wireless account who is designated as the Primary Account Holder can disable this restriction through the account management website"

    Hi there,
    Hmmm, that does sound annoying.
    This sounds like a feature that's being provided by your Internet Service Provider (ISP for short - they're the people you pay for your internet connection).
    If you contact their customer services department, I'm sure they'll be able to turn Web Guard off for you. Their contact details will probably be on any recent bills or letters you've received from them.
    Hope this helps!

  • I updated to Firefox 4.0.1 this morning. Norton 5.5 is now disabled and the message states that it is incompatible with 4.0.1. I need the Norton features enabled. Can I go back to 4.0 until this is resolved?

    I updated to Firefox 4.0.1 this morning. Norton 5.5 is now disabled and the message states that it is incompatible with 4.0.1. I need the Norton features enabled. Can I go back to 4.0 until this is resolved?

    Please do a Live Update to the Norton product.
    They have provided an important update to Firefox 4.0.1.

  • Dynamically Fill PDF form (extended features enabled forms)

    Hi Tarek
    Firstly let me say thank you for the great help you are doing through the forum.
    With Google, I did a very long search to find out how to fill a PDF form from a database. I achieved this using the iTextSharp dll. But this dll does not support Adobe extended features. That's why once I fill forms using this class, the resulting form will be a flat form and we can't fill it manually again. This will even disable Adobe extended features when I open it in Adobe Reader.
    I am working on a project to simplify the immigration process (CANADA). I already have all immigration forms created using LiveCycle. That means when I open these forms in the free Adobe Reader I can fill the form manually and can save locally (offline).
    My Workflow as follows
    1. I am working with .Net Frame Work 2, Visual Studio 2005, Windows Applications (not Web/ASP)
    2. I have fillable forms designed using Adobe LiveCycle (I can fill the form manually and can save locally (offline) using Adobe Reader).
    3. I have to dynamically fill these forms with data from a database (data is already available and its almost achieved using iTextSharp Dll)
    4. Once its dynamically filled, I will send these forms to client through email, because some of the data should be filled by client.
    5. client can open these forms in free Adobe Reader and they can fill and save these forms(because Adobe extended feature enabled in this form, so they can fill and save in Adobe Reader)
    6. Once they fill and save the form, they will send the final form back to us through email (no online submit required).
    7. We will check it and finalize, take a printout and attach it to our document management system.
    8. I can't use any great technologies because I don't need any online submission/rejection thing and our budget is low.
    9. I am looking for some technology like iTextSharp that simply fills data into the form and saves it as a new PDF, but it should support Adobe Extended Features (which is currently not available in iTextSharp), so that the customer can fill and save it again using the simple and free ADOBE READER.
    That's it !!
    Could you please verify whether my workflow is correct or not, because I am new to PDF things, and can you please suggest a solution to achieve this.
    Thanks in advance
    Ajo Joseph

    iTextSharp doesn't enable usage rights in PDF forms, so any changes will invalidate the form.
    To bypass the validity of the Usage Rights, serve the XDP data from the buffer of a web server, and point the File to the PDF on the same web server.
    Usage rights will still be enabled, and the form can be saved or downloaded.
    Also, please be sure to check out FDFToolkit.net, and PDFEmail.net.
    Useful Links:
    http://www.fdftoolkit.net
    http://www.pdfemail.net
    Hope this information can help!
    Best Regards,
    Nick K.
    http://www.nk-inc.com

  • IP DHCP snooping, IP source Guard, and DAI

    Hi All,
    I have configured DHCP snooping, IP source guard and Dynamic ARP Inspection on my 3560 and 3750 network switches,
    and on both of them I'm facing this issue (the printers and access points are configured to get IP addresses via DHCP): when the lease time expires, they don't get IP addresses and become unreachable,
    while all other clients get their IP addresses normally.
    Below you can find the configuration:
    ip dhcp snooping vlan 98,105,111
    no ip dhcp snooping information option
    ip dhcp snooping database flash:dhcpsnooping
    ip dhcp snooping database write-delay 15
    ip dhcp snooping
    ip arp inspection vlan 98,105,111
    ip verify trust on all access ports including printers and access point ports
    all access ports are DHCP snooping untrusted
    also when I create a static dhcp snooping binding record for these devices on the switch it resolves the Issue, but when I reload the switch it's removed automatically.
    any resolution will be much appreciated.
    regards,
    Maher

    check the following link for configuration of DHCP snooping
    http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  • Cross Site collections navigation with publishing feature enabled into sharepoint 2010??

    Hi,
    Is it possible to cross site collection navigation in share point 2010 with publishing feature enabled? Right now we have a site collection with all the departmental sites within it. We are trying to create separate site collection with separate content database for each department for better management. But problem with Global navigation as OOB does not provide cross site collection navigation functionality, So looking for multiple site collections or navigation for more than one site collection under single umbrella. i was able to get the cross site collection navigation in my development env without publishing feature enabled using below link. But problem with production environment, as all the site collections and sites are publishing feature enabled. how i am gonna do cross site navigation with publishing feature enabled?
    http://www.itsolutionbraindumps.com/2011/10/sharepoint-2010-cross-site-collection.html
    Any link or suggest will be greatly appreciated !

    Hi,
    According to your description, my understanding is that you want to create cross site collections navigation with publishing feature enabled in SharePoint 2010.
    Publishing sites (sites with publishing infrastructure) have their own navigation API, and it is much more complicated task to preserve cross-publishing sites navigation.
    We need to implement our own custom navigation provider.
    Please refer to the link below about the cross site collections navigation with publishing feature enabled:
    http://sadomovalex.blogspot.com/2010/12/cross-site-and-cross-site-collection.html
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Dis-advantages of not using Teststand source control feature.

    I'm in the process of creating a Workspace file for our project, primarily because we want to use the Teststand Deployment Utility.
    Included in this process is the choice to use Teststand's source control features.
    So far we have been using Microsoft's Source Safe application directly to provide source control with no problems.
    But now, having tried to incorporate Teststand's source control feature, which utilises Source Safe, I find myself getting bogged down in a tedious and time consuming process which I feel will eventually cause more confusion and errors than it prevents.
    If we choose not to put the files in Source Control when the Workspace file is created, do we run the risk of problems at a later stage ? 
    Thanks.

    Hi Gary,
      there's no "risk" as such, however by not using some sort of source code control or configuration management, you are making a definite commitment that you will not roll back to a previous version, and you'll be doing your own backups, and making sure that if several people require access to a particular file at the same time, that only one person is going to be allowed (by agreeing to it) to modify the file.
    There's nothing that says you have to go through the TestStand sequence editor and the other workspace and projects to do the source code control.
    If you prefer, then use Visual Source Safe as a stand alone interface, and check out the files by hand to your local drive, and then work on them, and then check them back in once you're finished.
    Of course, you have to make sure that your relative and absolute paths are correct when you do check out the files.
    By going through the TestStand sequence editor to check in and check out files, it's more convenient for most people, since they don't have to dive around two environments (TestStand and VSS) to get to the point of being able to modify a file, or even find out if someone else is modifying it.
    Hope that helps.
    Thanks
    Sacha Emery
    National Instruments (UK)
    // it takes almost no time to rate an answer

  • DAI & IP Source Guard

    Dear All,
    Can I configure Dynamic ARP Inspection and IP Source guard for the same VLANs???
    Are they compatible with each other or what's the difference between two???
    Thanks in Advance,
    Best Regards,
    Taufeeq

    Yes, they can all be configured for the same vlan, and as Amit stated, you'll need to configure dhcp snooping as well. Make sure that you have a plan to deal with static ip addresses though. I've been implementing this for the past week, and I can tell you that there can be some administrative burden. It's not a set-it-and-forget it method.
    HTH,
    John
    *** Please rate all useful posts ***

  • Source code / feature request

    Hi
    This tool is fantastic and saves me a huge amount of time, helping us find some interesting bugs (like why "delete myarr.pop()" was having such an odd side-effect when the array contained strings..).
    I'm trying to get hold of the source code for this but my SVN clients can't connect. I've tried lots of different network configurations (from work, home and mobile connections) and both the SVN and HTTP connections, so I think the issue is on the Adobe/SourceForge end. Can anyone check/fix this?
    The reason for wanting the source is to add a minor change to the Tag Viewer / Tag Information output. Currently I'm trying to work out what function is defined at offset 0x348B2 of my SWF file. I can see it in the hex editor but it's tricky to work out what this function name is: the class is defined in DoInitActions offset 200492 and length 24355 i.e. a big class.
    What I'm hoping for is to add the offsets into each line in the DoInitActions 'Tag Information' panel, so e.g. instead of:
            if L63
            push $1
            push 'isMouseDown'
            getMember
            pushDuplicate
    I'd see:
    1522:        if L63
    1527:        push $1
    1527:        push 'isMouseDown'
    1534:        getMember
    1535:        pushDuplicate
    etc where the number at the start is the offset of this instruction within the DoInitActions tag.
    If anyone with the source can do this and update the binaries then great but I suspect it's something I would have to do myself... but currently I can't get at the source without having to individually browse to and download every file :-(
    thanks
       Andrew

    A new version of SWF Investigator was released on Friday (version 0.6.2) and I will be updating the open-source repository in the next day or two.  When the update is complete, I will respond to this thread so that you know to pull down the latest version of the source code.
    For SVN access, I have used TortoiseSVN on Windows which is supported by SourceForge: http://sourceforge.net/apps/trac/sourceforge/wiki/TortoiseSVN%20instructions
    The logic for your feature request already exists in SWF Investigator but it is currently commented out. For the next release, I can work on enabling it. If you want to play with the functionality in the meantime, then the code is in SWFInvestigator/src/decompiler/tools/Disassembler.as. Within that file there is a function called "start". Within that function, there is an if-block which checks for "showOffset". You will need to uncomment the out.print() statement within the showOffset if-block. You will also want to set showOffset to true just before the if statement. Recompile the application and it will begin to show the information you want.

  • Thank you for optimizing the touch input for scrolling on my HP Slate 500, why won't the others enable the horizontal scrolling feature?

    After testing all other available browsers the past month I have arrived at the conclusion that the Firefox browser is the only one that enables touch input for scrolling. Trying to navigate pages without this function using IE, Opera, Safari & Chrome is just tedious. I'm using the Slate as it was intended, business functions especially day to day charting for my patients in an online system.
    The larger tabs for opening new searches & sites. If Microsoft plans on making W8 truly touch enabled they need to take note of what FF has done here. The touch input is limited on W7 but you've succeeded where others have failed.
    3 cheers for FF! I couldn't do my job and document patient progress w/o your intuitive design. Brendan S. - Latham, NY
    I guess the question is why are the others not developing these key features for Windows based slates...are they ignorant or is FF that much further ahead.

