DHCP snooping is a Layer 2 security feature that prevents unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.
It works by filtering DHCP messages from untrusted ports (server-to-client messages such as DHCPOFFER and DHCPACK are only accepted on trusted ports) and by building and maintaining a DHCP snooping binding database, also referred to as the DHCP snooping binding table, which records the MAC address, IP address, lease time, VLAN and interface of every client that obtained a lease through the switch.
Dynamic ARP Inspection (DAI) builds on DHCP snooping. It protects ARP (Address Resolution Protocol), which has no authentication of its own and is therefore vulnerable to attacks such as ARP poisoning.
DAI intercepts all ARP packets on untrusted interfaces and compares the sender MAC and IP address in the ARP packet with the DHCP snooping binding database and/or an ARP access-list. If the information in the ARP packet does not match an entry in the binding table or the access-list, the packet is dropped.
We first need to enable DHCP snooping, both globally and for the VLAN:
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 20
Trust the interface pointing towards the DHCP server, so that DHCP server messages (OFFER/ACK) are accepted from it. All other ports stay untrusted by default, which is what blocks a rogue server on an access port:
Switch(config)#interface fastethernet0/1
Switch(config-if)#ip dhcp snooping trust
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface             Trusted    Allow option      Rate limit (pps)
--------------------  ---------- ----------------- ---------------------
Fastethernet0/1       yes        yes               unlimited
Custom circuit-ids:
Option 82
By default, the switch inserts DHCP option 82 (relay agent information: a circuit-id identifying the VLAN, module and port, and a remote-id carrying the switch MAC, as the "vlan-mod-port" and "MAC" formats in the output above show) into DHCP requests received on untrusted ports before forwarding them towards the server. Per RFC 3046 this option is normally added by a DHCP relay agent, which at the same time sets the giaddr field to its own non-zero interface address; the server can then use the option 82 values in its address assignment and sends its reply to the address in giaddr. A snooping switch operating at Layer 2 is not a relay, so when it forwards the packet with option 82 it leaves giaddr at 0.0.0.0.
Many DHCP servers, including the Cisco IOS DHCP server and any IOS relay in the path, expect a packet carrying relay agent information to have a non-zero giaddr; when they see option 82 together with giaddr 0.0.0.0 they treat the packet as malformed and drop it, and the clients never get a lease.
There are two ways around this. Either disable the insertion on the switch with "no ip dhcp snooping information option" (fine if nothing downstream needs option 82), or keep it and tell the IOS DHCP server or relay to accept such packets with "ip dhcp relay information trust-all" globally, or "ip dhcp relay information trusted" on the receiving interface. If you chose the first option, "show ip dhcp snooping" should now report "Insertion of option 82 is disabled".
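To make the giaddr problem visible on the wire, here is an added example (written for this page, not Cisco code or any DHCP server's implementation) that builds a DHCPDISCOVER, inserts option 82 the way a snooping switch does (circuit-id in the vlan-mod-port layout, remote-id as the switch MAC) while leaving giaddr at 0.0.0.0, and then runs a model of the server-side check that rejects relay agent information without a relay address. The client and switch MAC addresses, the transaction ID and the relay address are constructed; the check function is a simplified model of the server behaviour, not an actual server's code.

```python
import socket
import struct

# DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file -> 236 bytes,
# followed by the magic cookie and the options.
DHCP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_HDR_LEN = struct.calcsize(DHCP_HDR)          # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR_OFFSET = 24                                # 12 bytes op..flags + ciaddr/yiaddr/siaddr
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPDISCOVER = 1


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr 0.0.0.0, no option 82."""
    fixed = struct.pack(DHCP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_options(pkt: bytes):
    """Return ({code: value}, offset_of_END) for the options after the cookie."""
    if pkt[DHCP_HDR_LEN:DHCP_HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, DHCP_HDR_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                           # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts, i


def giaddr_of(pkt: bytes) -> str:
    return socket.inet_ntoa(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def insert_option82(pkt: bytes, vlan: int, module: int, port: int,
                    switch_mac: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """What the access switch does on an untrusted port: insert RFC 3046
    option 82 before END, circuit-id in the vlan-mod-port layout and
    remote-id = switch MAC (the default formats listed by `show ip dhcp
    snooping`). A snooping switch leaves giaddr at 0.0.0.0; pass a giaddr to
    model a real relay agent, which sets it to its own interface address."""
    circuit_id = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote_id = struct.pack("!BB", 0, 6) + switch_mac
    opt82 = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    _, end = parse_options(pkt)
    out = bytearray(pkt[:end] + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82 + pkt[end:])
    out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = socket.inet_aton(giaddr)
    return bytes(out)


def server_accepts(pkt: bytes, trust_all: bool = False):
    """Simplified model of the server-side check: relay agent information is
    only expected from a relay, so option 82 together with giaddr 0.0.0.0 is
    dropped unless the server is told to trust it (the effect of
    `ip dhcp relay information trust-all` on an IOS server or relay)."""
    opts, _ = parse_options(pkt)
    if OPT_RELAY_AGENT in opts and giaddr_of(pkt) == "0.0.0.0" and not trust_all:
        return False, "option 82 present but giaddr is 0.0.0.0"
    return True, "ok"


if __name__ == "__main__":
    client = build_discover(bytes.fromhex("001122334455"))    # constructed client MAC
    snooped = insert_option82(client, 20, 0, 3, bytes.fromhex("aabbccddeeff"))
    for name, p in (("client", client), ("snooped", snooped)):
        print(name, giaddr_of(p), parse_options(p)[0].get(82, b"").hex(), server_accepts(p))
```

Running it shows the plain DISCOVER accepted, the snooped copy (option 82 present, giaddr still 0.0.0.0) rejected, and the same packet accepted again once the server is modelled as trusting giaddr-0 relay information or once a real relay address is written into giaddr.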
Let's check our binding table:
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping  20    FastEthernet0/3
Total number of bindings: 1
As you can see above, we have one DHCP client in the binding database: MAC 00:11:22:33:44:55 holds 192.168.0.1 on FastEthernet0/3 in VLAN 20. Only hosts with such an entry (or an ARP ACL match) will pass Dynamic ARP Inspection on untrusted ports.
Now let's configure Dynamic ARP Inspection for the same VLAN and trust the port towards the DHCP server. ARP inspection trust is independent of DHCP snooping trust; a port trusted for one is not automatically trusted for the other:
Switch(config)#ip arp inspection vlan 20
Switch(config)#interface fastethernet0/1
Switch(config-if)#ip arp inspection trust
Switch#show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
20    Enabled        Active
Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
20    Deny         Deny          Off
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
20    0          0        0           0
Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
20    0             0            0              0
Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
20    0                  0                       0
Source MAC, destination MAC, and IP address validation show as Disabled. These are optional extra checks on top of the binding lookup: the binding lookup only sees the sender MAC/IP inside the ARP body, so a packet whose Ethernet header disagrees with its ARP body still passes it. Enable them for stricter inspection with the "ip arp inspection validate {src-mac | dst-mac | ip}" command (the keywords can be combined on one line; the counters in the output above then show how many packets each check dropped).
Below are the details of each option:
dst-mac (optional): Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
ip (optional): Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses. Note that this also drops RFC 5227 address-conflict probes, which legitimately use a sender IP of 0.0.0.0; newer IOS releases accept them with the "allow-zeros" keyword ("ip arp inspection validate ip allow-zeros").
src-mac (optional): Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The device classifies packets with different MAC addresses as invalid and drops them.
Let's look at how ARP inspection handles static clients.
Take a device with a statically configured IP address on an untrusted port; this could be a legitimate server or printer, or an attacker's rogue device, DAI cannot tell the difference. If it tries to ping the DHCP server, the ping fails: its ARP request has no entry in the DHCP snooping binding table, because it never obtained a lease, and no ACL permits it, so DAI drops the ARP packet and the host cannot even resolve its gateway.
To let a static host on an untrusted port through, either trust the port with "ip arp inspection trust" (which disables inspection on that port entirely, so it should be reserved for uplinks and the server-facing port) or configure an ARP access-list that permits its IP/MAC pair.
The ACL approach keeps the port untrusted and only whitelists the specific IP-to-MAC binding; in our case it is the static client that wants to join the network, so we configure an access-list for it.
Below are the commands to configure the access-list:
Switch(config)#arp access-list acl-name
Switch(config-arp-nacl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS
Applying the access-list to the VLAN:
Switch(config)#ip arp inspection filter acl-name vlan 20
Without the optional "static" keyword at the end of that command, packets that do not match the ACL are still compared against the DHCP snooping bindings; with "static", the ACL's implicit deny is final and the binding table is not consulted for that VLAN, which would cut off the DHCP clients. An alternative to the ARP ACL is a static snooping binding ("ip source binding MAC_ADDRESS vlan 20 IP_ADDRESS interface INTERFACE"), which adds the host to the binding table itself and is also honoured by IP Source Guard.
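To make the decision logic concrete, here is an added example (written for this page, not Cisco code) that models what DAI does with one ARP packet, covering both the validate options described above and the static-client/ACL case: trusted ports bypass inspection, then the optional src-mac/dst-mac/ip validation, then the ARP ACL (with and without the "static" behaviour), then the binding-table lookup. The binding table, trusted port, ACL entry and ARP packets are constructed to match this page's topology; the relative order of the validation and ACL checks, and the requirement that the binding's recorded interface match the ingress port, are assumptions of this model rather than documented IOS behaviour.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


# Constructed data mirroring the page: one DHCP binding on Fa0/3, the server-facing
# port Fa0/1 trusted, and an ARP ACL entry for a static host on Fa0/4.
BINDINGS = {(20, "00:11:22:33:44:55"): ("192.168.0.1", "FastEthernet0/3")}
TRUSTED_PORTS = {"FastEthernet0/1"}
STATIC_ACL = {("192.168.0.50", "00:aa:bb:cc:dd:ee")}   # permit ip host .. mac host ..
BAD_IPS = {"0.0.0.0", "255.255.255.255"}


def _bad_ip(ip: str) -> bool:
    """The addresses the `ip` validation option rejects."""
    return ip in BAD_IPS or ip_address(ip).is_multicast


def inspect(pkt: ArpPacket, validate=(), acl=None, acl_static=False):
    """Return (forwarded, reason) for one ARP packet under this DAI model.
    validate: any of "src-mac", "dst-mac", "ip"; acl: set of (ip, mac) permits;
    acl_static: treat the ACL's implicit deny as final (the `static` keyword)."""
    if pkt.in_port in TRUSTED_PORTS:
        return True, "trusted port"
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return False, "src-mac validation failure"
    if "dst-mac" in validate and pkt.op == 2 and pkt.eth_dst != pkt.target_mac:
        return False, "dst-mac validation failure"
    if "ip" in validate and (_bad_ip(pkt.sender_ip) or (pkt.op == 2 and _bad_ip(pkt.target_ip))):
        return False, "ip validation failure"
    if acl is not None:
        if (pkt.sender_ip, pkt.sender_mac) in acl:
            return True, "acl permit"
        if acl_static:
            return False, "acl deny"
    # Binding lookup: VLAN + sender MAC must map to this sender IP on this port
    # (port match is this model's conservative assumption).
    if BINDINGS.get((pkt.vlan, pkt.sender_mac)) == (pkt.sender_ip, pkt.in_port):
        return True, "dhcp snooping binding"
    return False, "no binding"


# Constructed packets for the scenarios discussed on the page.
CLIENT_REQ = ArpPacket("FastEthernet0/3", 20, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", 1,
                       "00:11:22:33:44:55", "192.168.0.1", "00:00:00:00:00:00", "192.168.0.254")
# Attacker on Fa0/5 answers for the gateway address with its own MAC.
SPOOF_REPLY = ArpPacket("FastEthernet0/5", 20, "00:de:ad:be:ef:00", "00:11:22:33:44:55", 2,
                        "00:de:ad:be:ef:00", "192.168.0.254", "00:11:22:33:44:55", "192.168.0.1")
# Static-IP host on an untrusted port that never went through DHCP.
STATIC_REQ = ArpPacket("FastEthernet0/4", 20, "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff", 1,
                       "00:aa:bb:cc:dd:ee", "192.168.0.50", "00:00:00:00:00:00", "192.168.0.254")
# Valid binding in the ARP body, but the Ethernet source MAC is somebody else's.
MISMATCH_REQ = replace(CLIENT_REQ, eth_src="00:de:ad:be:ef:00")
# RFC 5227 address probe from the legitimate client (sender IP 0.0.0.0).
PROBE = replace(CLIENT_REQ, sender_ip="0.0.0.0", target_ip="192.168.0.1")


if __name__ == "__main__":
    cases = [("client", CLIENT_REQ, {}), ("spoof", SPOOF_REPLY, {}),
             ("static no acl", STATIC_REQ, {}), ("static acl", STATIC_REQ, {"acl": STATIC_ACL}),
             ("mismatch", MISMATCH_REQ, {}), ("mismatch+src-mac", MISMATCH_REQ, {"validate": ("src-mac",)}),
             ("probe+ip", PROBE, {"validate": ("ip",)})]
    for name, pkt, kw in cases:
        print(f"{name:18} {inspect(pkt, **kw)}")
```

The two cases worth noticing are MISMATCH_REQ, which passes the plain binding lookup and is only caught once src-mac validation is on, and STATIC_REQ, which is dropped until the ARP ACL is applied; with acl_static=True the DHCP client on Fa0/3 would be dropped as well, which is why the "static" keyword needs care.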
That's it for DHCP Snooping and IP ARP Inspection !