DHCP Snooping, IP Source Guard, and DHCP Option 82
When a client initially connects to a port protected by IP source guard only DHCP discover and request messages are allowed, everything else is dropped. An important point to keep in mind is that at this point no traffic, including DHCP, will cause the switch to add an entry for the client in the CAM table and therefor when the DHCP server responds with an offer the switch will not know where to send the packet and when DHCP snooping is enabled replies from the DHCP server are not flooded out all ports if there is no entry in the CAM, so the DHCP offer will be dropped. To get around this DHCP option 82, or Relay Agent Information, is necessary. Option 82 is a frequently misunderstood value, likely because unlike other options it is not set by the DHCP server, rather it is set by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two TLVs (type, length, value) fields, the circuit ID and remote ID. The values of these fields are up to the vendor, the default for Cisco switches is to use circuit ID to record vlan, module, and port of the interface the request is received through and remote ID for switch’s ID (MAC address). When DHCP snooping is enabled you can view the Option 82 configuration with ‘show ip dhcp snooping’ as seen below.
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 000d.2818.cd00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
FastEthernet1/0/11 yes yes unlimited
Custom circuit-ids:
When a DHCP packet is received on an untrusted port the switch adds the option 82 information and sends it on it’s way, if the option 82 field already exists the packet will be dropped (this behavior can be changed by using the ‘ip dhcp snooping information option allow-untrusted’ command under interface configuration). When the DHCP server receives the discover it is expected to return the values in option 82 with it’s offer, unfortunately not all DHCP servers support this, most glaringly is Microsoft’s server which just ignores option 82. Assuming that the server does support option 82 and returns an offer with the information intact the switch will determine whether it is the originator of the option 82 information by checking whether the MAC address in the remote ID field matches it’s own, it then looks at the VLAN, module, and port carried in the circuit ID field to find out which port the packet should be sent out, the switch then strips option 82 out of the packet and forwards it to the specified port. The same process will occur with the request and ack portion of DHCP. If the offer is sent back from the DHCP server without the option 82 information the switch is unable to determine where the packet should be sent and drops it.
Once the DHCP negotiation is completed the switch will add the IP and MAC mapping to the DHCP snooping table and the MAC address will be eligible to be added to port security and the CAM table. Note that the MAC address is not added by the DHCP snooping process, additional traffic must occur before the MAC address is added.
Now that we know how IP source guard works lets get to the configuration.
- Configure the port connected to the DHCP server as trusted.
Switch(config)#int fa1/0/11 Switch(config-if)#ip dhcp snooping trust Switch(config-if)#exit - Enable DHCP snooping globally.
Switch(config)#ip dhcp snooping Switch(config)#ip dhcp snooping vlan 1 - Configure interface as access port.
Switch(config)#int fa1/0/12 Switch(config-if)#switchport mode access - Enable port security on the interface. (For more details on port security see my CAM Table Overflow Attack article.)
Switch(config-if)#switchport port-security - Enable IP source guard with MAC verification.
Switch(config-if)#ip verify source port-security
We can verify the configuration with the following commands:
- As seen above
show ip dhcp snoopingshows us which VLANs snooping is enabled for, option 82 parameters, and which interfaces are configured as trusted. show ip dhcp snooping bindingwill display the current bindings for each interface.Switch#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface —————— ————— ———- ————- —- ——————– 00:24:81:68:7F:A3 10.0.0.10 598 dhcp-snooping 1 FastEthernet1/0/12 Total number of bindings: 1- Use
show port security interface [interface]to see the port security configuration for a particular interface.Switch#show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) ————————————————————————— Fa1/0/12 1 1 0 Shutdown ————————————————————————— Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 12288 show ip verify sourcedisplays the status of each port with IP source guard enabled.Switch#show ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan ——— ———– ———– ————— —————– —- Fa1/0/12 ip-mac active 10.0.0.10 00:24:81:68:7F:A3 1
We’re all done with the configuration, but what exactly are we protected against? Well, pretty much any attack that relies on the ability to spoof the source IP or MAC address, this includes CAM overflow, CAM table poisoning, ARP table poisoning (correction: ARP is not IP-based so it is not affected), and DHCP exhaustion to name a few. The DHCP snooping also protects against rogue DHCP servers.
Copyright: http://vcabbage.com/networking/2010/08/07/ip-source-guard.html
Комментариев нет:
Отправить комментарий