Cisco switch DHCP snooping, DAI and IPSG solution

Source: Internet
Author: User
Tags: cisco switch

I. DHCP spoofing attacks

1. An attacker can run a rogue DHCP server inside the VLAN.

2. The rogue server answers the DHCP clients' requests.

3. It hands the DHCP clients IP addresses, default gateways and other options of the attacker's choosing.

Note: Multiple DHCP servers in a VLAN may cause address allocation conflicts.

II. Defending against DHCP spoofing (DHCP Snooping)

1. DHCP snooping lets you mark switch ports as trusted or untrusted.

2. Untrusted ports do not accept DHCP server response messages; such messages are dropped.

3. DHCP snooping is configured on the (access-layer) switch that sits on the uplink path toward the DHCP server.

III. Configuration steps

Switch(config)# ip dhcp snooping // enable DHCP snooping globally

Switch(config)# ip dhcp snooping information option // enable option 82

// Option 82 function: before forwarding a DHCP request to the DHCP server, the switch (Supervisor Engine) inserts the ingress module, port, VLAN and the switch's own MAC address into the packet.

Switch(config-if)# ip dhcp snooping trust // mark the port facing the DHCP server as trusted

Switch(config)# ip dhcp snooping vlan <vlan-list> // VLANs on which DHCP snooping listens (<vlan-list> is a placeholder for the VLAN IDs in use)

Switch# show ip dhcp snooping // verify the snooping state
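As an added worked example (not code from the page or from Cisco), the following Python encodes and decodes the option 82 fields described above, using the sub-option layout Cisco switches insert by default: circuit-id carrying VLAN, module and port, and remote-id carrying the switch MAC. The VLAN, port and MAC values used in the usage are constructed.

```python
"""Encode/decode DHCP option 82 (Relay Agent Information) in the layout Cisco
switches insert by default: sub-option 1 (circuit-id) = VLAN/module/port,
sub-option 2 (remote-id) = switch MAC. Constructed example, not page code."""
import struct

OPTION_82 = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aabb.ccdd.eeff' (Cisco), 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return bytes.fromhex(digits)


def build_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Return the complete option 82 TLV as the switch would insert it."""
    # circuit-id: Cisco type 0, length 4, then VLAN(2) module(1) port(1)
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    # remote-id: Cisco type 0, length 6, then the switch's own MAC
    remote = bytes([0, 6]) + mac_to_bytes(switch_mac)
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(tlv: bytes) -> dict:
    """Decode an option 82 TLV; raise ValueError on malformed input."""
    if len(tlv) < 2 or tlv[0] != OPTION_82 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed option 82 TLV")
    out, i = {}, 2
    while i < len(tlv):
        if i + 1 >= len(tlv):
            raise ValueError("truncated sub-option header")
        code, length = tlv[i], tlv[i + 1]
        val = tlv[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated sub-option value")
        if code == SUB_CIRCUIT_ID and val[:2] == b"\x00\x04":
            out["vlan"], out["module"], out["port"] = struct.unpack("!HBB", val[2:6])
        elif code == SUB_REMOTE_ID and val[:2] == b"\x00\x06":
            out["switch_mac"] = val[2:8].hex(".", 2)  # Cisco 'aabb.ccdd.eeff' form
        i += 2 + length
    return out


if __name__ == "__main__":
    # constructed values: VLAN 10, module 1, port 21, switch MAC 0012.3456.789a
    print(parse_option82(build_option82(10, 1, 21, "0012.3456.789a")))
```

A DHCP server that sees the decoded circuit-id can log or restrict which switch port a lease was requested from, which is what makes option 82 useful for tracing rogue clients.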

IV. IPSG (IP Source Guard)

IP Source Guard builds an IP source binding table from the DHCP snooping binding database and works only on Layer 2 ports.

IPSG checks every packet received on an interface against the binding entry for that interface. If the check succeeds, the packet is permitted; otherwise the packet violates the policy and is dropped. IPSG thus not only prevents end devices in the Layer 2 network from using conflicting or hijacked IP addresses, it also prevents unauthorized devices from reaching the network, or disrupting it, by assigning themselves IP addresses.


DAI (Dynamic ARP Inspection)

ARP binding

Static ARP binding on PC:

C:\> arp -s 192.168.1.1 00-50-8b-f0-0c-3e // add a static ARP entry

C:\> arp -d // clear the current ARP cache

C:\> arp -a // show the current ARP cache

Static ARP binding of the Router:

Router(config)# arp 192.168.2.69 0001.1111.1111 arpa e0/0 // static ARP entry for this IP/MAC pair on e0/0

Router# show arp // show the ARP table

Router# clear arp-cache // clear the ARP cache

Dynamic ARP Inspection (DAI) is a technology that validates ARP packets on the network.

DAI also relies on the DHCP snooping binding database, and likewise distinguishes trusted and untrusted ports. DAI inspects only ARP packets arriving on untrusted ports; it intercepts, logs and discards ARP packets whose IP-to-MAC mapping does not match an entry in the snooping binding table. If DHCP snooping is not in use, the IP-to-MAC mappings must be configured manually in an ARP ACL.

Although DHCP snooping is primarily used to block rogue DHCP servers, it also plays an important role once a client has obtained a valid DHCP offer: with snooping enabled, the IP address and MAC address the client obtained are recorded against the corresponding interface. This record is the basis for a second technology, ARP inspection, which checks ARP requests and blocks invalid ones. The table built by DHCP snooping is the reference for legitimacy: it is populated when the DHCP server responds normally, so it holds the correct IP/MAC information. If ARP attack traffic appears, ARP inspection can then intercept the illegitimate ARP packets. In practice this method also stops users from changing their IP address at will, which would otherwise cause address conflicts and similar problems.
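The binding-table lookups that IPSG (section IV) and DAI (above) perform can be illustrated with the following Python, an added example that is not code from the page: it parses a constructed binding table in the shape of `show ip dhcp snooping binding` output and applies the DAI and IPSG checks to sample packets. The trusted uplink port FastEthernet0/24 and the sample MAC/IP values are assumptions.

```python
"""Simulate the checks DAI and IPSG perform against the DHCP snooping binding
table. Constructed example (not code from the page); the table mimics
`show ip dhcp snooping binding` output for the SW1 topology."""
from dataclasses import dataclass

# Constructed binding table: MAC, IP, lease, type, VLAN, interface.
BINDING_TABLE = """
00:11:22:33:44:01  172.16.1.10  86400  dhcp-snooping  10  FastEthernet0/21
00:11:22:33:44:02  172.16.2.10  86400  dhcp-snooping  20  FastEthernet0/23
"""
TRUSTED_PORTS = {"FastEthernet0/24"}  # assumed uplink toward the DHCP server
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Parse the constructed binding table into Binding rows."""
    rows = []
    for line in text.strip().splitlines():
        mac, ip, _lease, _type, vlan, iface = line.split()
        rows.append(Binding(mac.lower(), ip, int(vlan), iface))
    return rows


def dai_check(bindings: list, iface: str, vlan: int, arp: dict) -> str:
    """arp keys: op, eth_src, eth_dst, sender_mac, sender_ip, target_mac.
    Returns 'permit' or 'drop: <reason>'."""
    if iface in TRUSTED_PORTS:
        return "permit"  # DAI does not inspect trusted ports
    # 'validate src-mac dst-mac ip': Ethernet header vs ARP body consistency
    if arp["eth_src"].lower() != arp["sender_mac"].lower():
        return "drop: src-mac mismatch"
    if arp["op"] == "reply" and arp["eth_dst"].lower() != arp["target_mac"].lower():
        return "drop: dst-mac mismatch"
    first_octet = int(arp["sender_ip"].split(".")[0])
    if arp["sender_ip"] in ("0.0.0.0", "255.255.255.255") or first_octet >= 224:
        return "drop: invalid sender ip"
    # binding check: the sender IP/MAC pair must be bound in this VLAN
    if any(b.vlan == vlan and b.mac == arp["sender_mac"].lower() and b.ip == arp["sender_ip"] for b in bindings):
        return "permit"
    return "drop: no binding"


def ipsg_check(bindings: list, iface: str, vlan: int, src_mac: str, src_ip: str) -> str:
    """IPSG with 'ip verify source port-security': IP and MAC must be bound to this port."""
    if any(b.interface == iface and b.vlan == vlan and b.mac == src_mac.lower() and b.ip == src_ip for b in bindings):
        return "permit"
    return "drop"
```

A host on f0/21 that claims the gateway address 172.16.1.254 in its ARP sender field has no matching binding and is dropped, while the same frame on the trusted uplink passes untouched.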


1. Configure the protection features on SW1

SW1(config)# ip dhcp snooping // enable DHCP snooping

SW1(config)# ip dhcp snooping information option // enable option 82

SW1(config)# ip dhcp snooping vlan 10,20 // VLANs on which DHCP snooping listens

SW1(config)# ip dhcp snooping database flash:dhcp.db // save the DHCP snooping binding table to dhcp.db so it survives a reload

SW1(config)# ip dhcp snooping verify mac-address // drop DHCP packets on untrusted ports whose frame source MAC differs from the client hardware address in the DHCP payload

SW1(config)# interface f0/21

SW1(config-if)# switchport mode access

SW1(config-if)# switchport port-security

SW1(config-if)# ip verify source port-security // IPSG filtering on source IP and source MAC (requires port security)

SW1(config)# interface f0/23

SW1(config-if)# switchport mode access

SW1(config-if)# switchport port-security

SW1(config-if)# ip verify source port-security

Optional: SW1(config)# ip source binding 255..0000.0001 vlan 10 172.16.1.1 interface f0/2 // static IP source binding for a host that does not use DHCP

Optional: SW1(config)# ip source binding 255..0000.0002 vlan 20 172.16.2.1 interface f0/1

SW1(config)# ip arp inspection vlan 10,20 // enable DAI on VLAN 10 and VLAN 20

SW1(config)# ip arp inspection validate src-mac dst-mac ip // additionally check the source MAC, destination MAC and IP addresses in ARP packets against the Ethernet header

// Configure the DHCP server

The DHCP server is provided by a router.

Router(config)# ip dhcp pool vlan10 // define the address pool

Router(dhcp-config)# network 172.16.1.0 255.255.255.0 // network segment and address range served by the pool

Router(dhcp-config)# default-router 172.16.1.254 // default gateway handed to clients

Router(dhcp-config)# dns-server 218.108.248.200 // DNS server handed to clients

Router(dhcp-config)# exit

Router(config)# ip dhcp pool vlan20

Router(dhcp-config)# network 172.16.2.0 255.255.255.0

Router(dhcp-config)# default-router 172.16.2.254

Router(dhcp-config)# dns-server 218.108.248.200

Router(dhcp-config)# exit

Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.254 // reserve this address range so it is never leased

Router(config)# ip dhcp excluded-address 172.16.2.100 172.16.2.254

Router(config)# interface e0/0

Router(config-if)# ip address 172.16.3.1 255.255.255.0

Router(config-if)# no shutdown

Configuration on the switch (SW1)

SW1(config)# interface vlan 10

SW1(config-if)# ip address 172.16.1.254 255.255.255.0

SW1(config-if)# ip helper-address 172.16.3.1 // relay client DHCP broadcasts to the DHCP server as unicast

SW1(config-if)# interface vlan 20

SW1(config-if)# ip address 172.16.2.254 255.255.255.0

SW1(config-if)# ip helper-address 172.16.3.1
