Tuesday 23 October 2018

DHCP Snooping and IP ARP Inspection

DHCP snooping is a DHCP security feature that prevents unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.

It provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as the DHCP snooping binding table.

DHCP snooping works together with IP ARP inspection, also known as Dynamic ARP Inspection (DAI). DAI is a security feature that protects ARP (Address Resolution Protocol), which is otherwise vulnerable to attacks such as ARP poisoning.

DAI checks every ARP packet received on an untrusted interface and compares the information in the ARP packet with the DHCP snooping binding database and/or an ARP access-list. If the information in the ARP packet matches neither the binding table nor the access-list, the packet is dropped.

We first need to enable DHCP snooping, both globally and for the VLAN:
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 20

Trust the interface facing the DHCP server so that DHCP server messages (offers and acknowledgements) are accepted on it; all other ports stay untrusted by default:
Switch(config)#interface fastethernet0/1
Switch(config-if)#ip dhcp snooping trust

Verify the configuration:
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface               Trusted Allow option  Rate limit (pps)
--------------------   ---------- -----------------  ---------------------
Fastethernet0/1     yes            yes               unlimited
 Custom circuit-ids:

Option 82
By default, the switch adds option 82 (the DHCP relay agent information option) to DHCP request packets before forwarding them to the DHCP server. Normally this option is inserted by a DHCP relay device, which also sets the giaddr field to a non-zero value. The DHCP server assigns IP addresses based on the option 82 parameters and sends its replies to the IP address in the giaddr field. When the switch forwards a DHCP packet with option 82 information, however, it does not change the giaddr field, which remains 0.0.0.0.
The DHCP server expects a packet carrying option 82 to have a non-zero giaddr field; when it observes that giaddr is zero, it rejects the packet.
To avoid this, configure "no ip dhcp snooping information option" on the switch so that it does not add option 82 to DHCP packets. If option 82 is needed elsewhere in the network, the alternative is to configure the DHCP server or relay to accept option 82 with a zero giaddr (on a Cisco relay, "ip dhcp relay information trust-all") instead of disabling it on the switch.

Let's check the binding table:
Switch#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping   20   FastEthernet0/3
Total number of bindings: 1
As you can see above, there is one DHCP client in the DHCP snooping binding database.

Now let's configure IP ARP inspection for the VLAN and trust the interface facing the DHCP server, so ARP packets arriving from that side are not inspected:
Switch(config)#ip arp inspection vlan 20
Switch(config)#interface fastethernet0/1
Switch(config-if)#ip arp inspection trust

Verify the configuration:
Switch#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   20     Enabled          Active
Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   20     Deny             Deny              Off
Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   20              0              0              0              0
Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   20              0              0              0                     0
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   20                   0                        0                       0
Source MAC, destination MAC, and IP address validation are shown as disabled.
You can optionally enable them for more thorough checking with the "ip arp inspection validate" command.

Below are the details of the options:
dst-mac (optional): Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
ip (optional): Enables validation of the ARP body for invalid and unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP address in all ARP requests and responses and checks the target IP address only in ARP responses.
src-mac (optional): Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The device classifies packets with different MAC addresses as invalid and drops them.

Let's look at how ARP inspection handles static clients that need to reach a destination.
As an example, if an attacker or rogue device configured with a static IP address tries to ping the DHCP server, the ping will fail. The reason is that there is no entry for this device in the DHCP snooping binding table, and no ACL is configured to accept ARP packets from it.
To allow ARP from an untrusted port towards a trusted one, either the "ip arp inspection trust" command is required on the port (which disables inspection on that port entirely) or an ARP ACL must be configured.
An ACL can be configured to accept the packet when the port is untrusted and the device has a static IP address. In our case it is the static client that wants to connect to the network, and for this we can configure an ARP access-list.

Below are the commands to configure the ARP access-list (replace acl-name, IP_ADDRESS and MAC_ADDRESS with the static client's values; the MAC address is entered in Cisco dotted format, e.g. 0011.2233.4455):
Switch(config)#arp access-list acl-name
Switch(config-arp-acl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS

Apply the access-list to the VLAN:
Switch(config)#ip arp inspection filter acl-name vlan 20
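To make the DAI decision logic described above concrete, here is an added Python model of how one ARP packet on an untrusted port is handled: the optional validate checks first, then the ARP ACL, then the DHCP snooping binding table. It is not code from the original post or from Cisco IOS; the static client's MAC and IP, the port names and the packets are constructed values.

```python
from ipaddress import ip_address

# Constructed binding table, as "show ip dhcp snooping binding" lists it (VLAN 20).
BINDINGS = {("00:11:22:33:44:55", "192.168.0.1")}
# Constructed ARP ACL entry for the static client (assumed MAC and IP).
ARP_ACL = {("00:aa:bb:cc:dd:ee", "192.168.0.50")}
# Port facing the DHCP server, configured with "ip arp inspection trust".
TRUSTED_PORTS = {"FastEthernet0/1"}


def invalid_ip(ip):
    """The 'ip' validate option: 0.0.0.0, broadcast and multicast are invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def inspect(pkt, validate=()):
    """Return (verdict, reason) for one ARP packet.

    pkt keys: port, op ('request' or 'reply'), eth_src, eth_dst,
    sender_mac, sender_ip, target_mac, target_ip.
    validate: any of 'src-mac', 'dst-mac', 'ip', mirroring the
    "ip arp inspection validate" options.
    """
    if pkt["port"] in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    # Optional header/body consistency checks run before the table lookups.
    if "src-mac" in validate and pkt["eth_src"] != pkt["sender_mac"]:
        return "drop", "source MAC failure"
    if ("dst-mac" in validate and pkt["op"] == "reply"
            and pkt["eth_dst"] != pkt["target_mac"]):
        return "drop", "dest MAC failure"
    if "ip" in validate and (invalid_ip(pkt["sender_ip"]) or
                             (pkt["op"] == "reply" and invalid_ip(pkt["target_ip"]))):
        return "drop", "IP validation failure"
    # The ARP ACL is consulted first, then the DHCP snooping binding table.
    key = (pkt["sender_mac"], pkt["sender_ip"])
    if key in ARP_ACL:
        return "forward", "ACL permit"
    if key in BINDINGS:
        return "forward", "DHCP permit"
    return "drop", "DHCP drop: no binding for sender"


def make_pkt(port, mac, ip, op="request", eth_src=None, eth_dst="ff:ff:ff:ff:ff:ff",
             target_mac="00:00:00:00:00:00", target_ip="192.168.0.254"):
    """Build a constructed ARP packet; eth_src defaults to the ARP sender MAC."""
    return dict(port=port, op=op, eth_src=eth_src or mac, eth_dst=eth_dst,
                sender_mac=mac, sender_ip=ip, target_mac=target_mac, target_ip=target_ip)
```

The verdict strings line up with the counters in "show ip arp inspection" (DHCP Permits, ACL Permits, DHCP Drops, Source MAC Failures, and so on), so the model can be used to reason about which counter a given packet would increment.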

That's it for DHCP Snooping and IP ARP Inspection !
