There are three closely connected features in Catalyst switch software that work together to address many LAN security problems: Layer 2 attacks, ARP poisoning, Layer 3 spoofing, DHCP attacks and so on.
IP DHCP Snooping enforces correct use of DHCP messages and shuts down rogue DHCP servers in your network, such as the embedded DHCP servers in small access points and broadband routers. It also protects the network from DHCP starvation and flood attacks by checking the client hardware address in the DHCP message body against the source MAC address of the requesting frame, so that only one IP address is assigned per real MAC or switchport.
IP Source Guard can be used with DHCP Snooping or on its own to protect the network from Layer 2 and Layer 3 address spoofing: no more MAC spoofing (in conjunction with Port Security) and no more IP spoofing (using the DHCP snooping binding database or static entries). You can also restrict clients to DHCP only, so they cannot assign an IP address manually.
IP ARP Inspection (Dynamic ARP Inspection) checks that the MAC and IP addresses carried inside the ARP message body match a valid binding. Because ARP and DHCP carry MAC/IP addresses in their message bodies that can differ from the addresses in the L2 frame, this check stops ARP poisoning.
Validation is limited to the switch boundary and its ports, so wherever we cannot verify, we have to trust (or leave the port untrusted so the traffic is dropped).
Another useful feature is the ability to rate-limit DHCP and ARP messages, because both are potential DoS vectors in the LAN.
These features are enabled per VLAN; here is the configuration:
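To make the interaction of the three features concrete, here is an added toy model (not Cisco code) of one access switch that learns bindings from DHCP replies on a trusted port, drops server messages on untrusted ports, filters IP traffic against the binding table (IP Source Guard) and checks ARP sender fields against it with a per-port rate limit (Dynamic ARP Inspection). Port names, MAC addresses, IP addresses and the rate-limit value are constructed for the example.

```python
"""Toy model of DHCP snooping, IP Source Guard and Dynamic ARP Inspection
working together on one access switch.  Added illustration, not Cisco code;
ports, MACs and addresses below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Canonical form so 0013.a9fc.1186 and 00:13:A9:FC:11:86 compare equal."""
    return mac.lower().replace(":", "").replace(".", "")


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str        # Ethernet source address of the frame
    kind: str           # "dhcp-request", "dhcp-offer", "dhcp-ack", "arp", "ip"
    body_mac: str = ""  # chaddr (DHCP) or sender hardware address (ARP)
    body_ip: str = ""   # yiaddr (DHCP ack), sender IP (ARP) or IP header source


@dataclass
class Switch:
    trusted: set = field(default_factory=set)      # uplink / DHCP server ports
    arp_rate_limit: int = 15                        # ARP frames per port per interval
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)     # (vlan, chaddr) -> client port
    arp_count: dict = field(default_factory=lambda: defaultdict(int))
    errdisabled: set = field(default_factory=set)

    def add_static_binding(self, mac, vlan, ip, port):
        """Equivalent of 'ip source binding <mac> vlan <n> <ip> interface <port>'."""
        self.bindings[(vlan, norm_mac(mac))] = (ip, port)

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one frame."""
        if f.port in self.errdisabled:
            return "drop: port err-disabled"
        if f.port in self.trusted:
            # Server replies on a trusted port populate the binding table.
            if f.kind == "dhcp-ack":
                client_port = self.pending.pop((f.vlan, norm_mac(f.body_mac)), None)
                if client_port:
                    self.bindings[(f.vlan, norm_mac(f.body_mac))] = (f.body_ip, client_port)
            return "forward"            # trusted ports bypass all checks
        if f.kind in ("dhcp-offer", "dhcp-ack"):
            return "drop: DHCP server message on untrusted port"
        if f.kind == "dhcp-request":
            if norm_mac(f.body_mac) != norm_mac(f.src_mac):
                return "drop: chaddr does not match frame source MAC"
            self.pending[(f.vlan, norm_mac(f.body_mac))] = f.port
            return "forward"
        if f.kind == "arp":
            self.arp_count[f.port] += 1
            if self.arp_count[f.port] > self.arp_rate_limit:
                self.errdisabled.add(f.port)
                return "drop: ARP rate limit exceeded, port err-disabled"
            if self.bindings.get((f.vlan, norm_mac(f.body_mac))) != (f.body_ip, f.port):
                return "drop: DAI sender MAC/IP not in binding table"
            return "forward"
        if f.kind == "ip":
            if self.bindings.get((f.vlan, norm_mac(f.src_mac))) != (f.body_ip, f.port):
                return "drop: IP Source Guard mismatch"
            return "forward"
        return "forward"


def demo() -> dict:
    """Constructed scenario; returns the decision taken for each labelled frame."""
    sw = Switch(trusted={"Fa0/1"}, arp_rate_limit=5)
    sw.add_static_binding("0020.ED1A.95BC", 1, "192.168.218.1", "Fa0/1")   # the gateway
    client = "0013.a9fc.1186"
    out = {}
    out["request"] = sw.handle(Frame("Fa0/7", 1, client, "dhcp-request", client))
    out["ack"] = sw.handle(Frame("Fa0/1", 1, "0020.ED1A.95BC", "dhcp-ack", client, "192.168.218.12"))
    out["arp_ok"] = sw.handle(Frame("Fa0/7", 1, client, "arp", client, "192.168.218.12"))
    # ARP poisoning attempt: the client claims the gateway's IP address
    out["arp_poison"] = sw.handle(Frame("Fa0/7", 1, client, "arp", client, "192.168.218.1"))
    # Rogue DHCP server (e.g. a broadband router) answering from an access port
    out["rogue_offer"] = sw.handle(Frame("Fa0/8", 1, "0011.2233.4455", "dhcp-offer", client, "10.0.0.5"))
    out["ip_ok"] = sw.handle(Frame("Fa0/7", 1, client, "ip", body_ip="192.168.218.12"))
    out["ip_spoof"] = sw.handle(Frame("Fa0/7", 1, client, "ip", body_ip="192.168.218.1"))
    # ARP flood from an unbound host on Fa0/9 trips the rate limit
    for _ in range(6):
        last = sw.handle(Frame("Fa0/9", 1, "00aa.bbcc.ddee", "arp", "00aa.bbcc.ddee", "192.168.218.50"))
    out["arp_flood"] = last
    out["bindings"] = len(sw.bindings)   # one static + one learned lease
    return out


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:12} {decision}")
```

The model mirrors the trust boundary described above: everything arriving on a trusted port is forwarded unchecked, so a trusted port should only ever face a DHCP server or another switch that performs the same checks.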
!
ip dhcp excluded-address 192.168.218.1 192.168.218.10
!
ip dhcp pool Pool1
network 192.168.218.0 255.255.255.0
!
ip dhcp pool Phones
network 192.168.219.0 255.255.255.0
option 150 ip 192.168.219.254
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip arp inspection vlan 1
!
interface FastEthernet0/7
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0013.a9fc.1186
spanning-tree portfast
ip verify source port-security
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
ip source binding 0020.ED1A.95BC vlan 1 192.168.218.1 interface Fa0/1
!
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:13:A9:FC:11:86   192.168.218.12   86018       dhcp-snooping  1     FastEthernet0/7
Total number of bindings: 1
Switch#sh ip dhcp snooping statistics
Packets Forwarded = 18
Packets Dropped = 0
Packets Dropped From untrusted ports = 0
Switch#sh ip source binding dhcp-snooping
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:13:A9:FC:11:86   192.168.218.12   85983       dhcp-snooping  1     FastEthernet0/7
Total number of bindings: 1
Switch#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:20:ED:1A:95:BC   192.168.218.1    infinite    static         1     FastEthernet0/1
00:13:A9:FC:11:86   192.168.218.12   85992       dhcp-snooping  1     FastEthernet0/7
Total number of bindings: 2
Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Switch#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/7      ip-mac       active       192.168.218.12   00:13:A9:FC:11:86  1
Switch#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
1     Enabled        Active

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
1     Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
1     218        17       17          0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
1     212           0            5              0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
1     0                  0                       0
Switch#sh ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
1     Enabled        Active

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
1     Deny         Deny          Off
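The show output above is what an operator would poll to audit the binding table and to notice DAI drops, which are the visible symptom of an ARP poisoning attempt or a misconfigured trust boundary. The following added script (not a Cisco tool) parses the 'show ip source binding' table and the Forwarded/Dropped table of 'show ip arp inspection' and raises findings for duplicate IP addresses, static bindings not on an expected list, and a drop ratio above a threshold. The sample text is modelled on the switch output shown on this page, with one extra constructed binding row added so that a duplicate is found; the 5% threshold and the expected static list are arbitrary.

```python
"""Audit DHCP snooping bindings and DAI drop counters from 'show' output.
Added example, not a Cisco tool.  Sample output is modelled on the tables
printed by 'show ip source binding' and 'show ip arp inspection'; the third
binding row and the thresholds are constructed for the example."""
import re

BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:20:ED:1A:95:BC   192.168.218.1    infinite    static         1     FastEthernet0/1
00:13:A9:FC:11:86   192.168.218.12   85992       dhcp-snooping  1     FastEthernet0/7
00:AA:BB:CC:DD:EE   192.168.218.12   3600        dhcp-snooping  1     FastEthernet0/9
Total number of bindings: 3
"""
# Only the Forwarded/Dropped counter table of 'show ip arp inspection';
# parse_dai_counters assumes exactly this five-column layout.
DAI_OUTPUT = """\
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
1     218        17       17          0
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<lease>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<iface>\S+)\s*$")


def parse_bindings(text: str) -> list:
    """One dict per binding row; header, dash and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["vlan"] = int(d["vlan"])
            d["lease"] = None if d["lease"] == "infinite" else int(d["lease"])
            rows.append(d)
    return rows


def parse_dai_counters(text: str) -> dict:
    """Return {vlan: {forwarded, dropped, dhcp_drops, acl_drops}}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(p.isdigit() for p in parts):
            vlan, fwd, drop, dhcp, acl = map(int, parts)
            out[vlan] = {"forwarded": fwd, "dropped": drop,
                         "dhcp_drops": dhcp, "acl_drops": acl}
    return out


def audit(bindings: list, counters: dict, expected_static=frozenset(),
          max_drop_ratio: float = 0.05) -> list:
    """Findings worth a ticket: the same IP bound to two MACs (DHCP server
    misconfiguration or a stale binding), a static entry nobody documented,
    and a VLAN whose DAI drop ratio exceeds the threshold."""
    findings = []
    seen_ip = {}
    for b in bindings:
        if b["ip"] in seen_ip and seen_ip[b["ip"]] != b["mac"]:
            findings.append(f"duplicate IP {b['ip']}: {seen_ip[b['ip']]} and {b['mac']}")
        seen_ip.setdefault(b["ip"], b["mac"])
        if b["type"] == "static" and (b["mac"], b["ip"], b["iface"]) not in expected_static:
            findings.append(f"unexpected static binding {b['mac']} {b['ip']} on {b['iface']}")
    for vlan, c in counters.items():
        total = c["forwarded"] + c["dropped"]
        if total and c["dropped"] / total > max_drop_ratio:
            findings.append(f"vlan {vlan}: DAI dropped {c['dropped']} of {total} ARP packets")
    return findings


def run_audit() -> list:
    """Run the audit over the sample output with the gateway's static entry expected."""
    expected = {("00:20:ED:1A:95:BC", "192.168.218.1", "FastEthernet0/1")}
    return audit(parse_bindings(BINDING_OUTPUT), parse_dai_counters(DAI_OUTPUT), expected)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In practice the two text blocks would come from the switch over SSH or from a scheduled 'show' collection; the parsers are deliberately line-based so that a changed column width does not break them, but a differently ordered counter table would need its own parser.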