Security Features

DHCP Snooping

DHCP snooping is similar to a firewall between untrusted hosts (clients) and trusted DHCP servers. We don't want to allow any rogue DHCP servers on the network: only trusted DHCP servers get to hand out DHCP replies.

What is DHCP Snooping:
- Validates DHCP messages received from untrusted sources and filters out invalid messages
- Builds and maintains the DHCP snooping binding DB, which contains information about untrusted hosts with leased IP addresses
- Uses the DHCP snooping binding DB to validate subsequent requests from untrusted hosts

DHCP Snooping in a vPC environment

DHCP requests could come in on a vPC member port on vPC peer A while the response arrives on vPC peer B. This would result in the following:
- Mismatched or incomplete DHCP snooping table
- Breaks IP Source Guard and Dynamic ARP Inspection

How do we fix this situation?
- CFSoE is used to sync the binding table between the peers and resolve this problem
- CFSoE also forces only one switch to forward the DHCP requests and responses

DHCP Snooping Configuration

"feature dhcp"
"ip dhcp snooping" - globally enables DHCP snooping
"ip dhcp snooping vlan 10" - enables DHCP snooping per VLAN
"ip dhcp snooping verify mac-address" - when a packet is received on an untrusted interface and the source MAC address and the DHCP client hardware address don't match, address verification causes the device to drop the packet
"ip dhcp snooping trust" (similar to IP Source Guard in some respects) - apply this to the interface or port-channel that connects to the trusted DHCP server; all other ports will be untrusted
"ip dhcp snooping information option" - Option 82
"ip dhcp relay information option vpn"
"ip dhcp relay sub-option type cisco" - used when the DHCP server and client are in different VRFs

IP ARP Inspection

Uses the DHCP snooping binding DB for MAC-to-IP checks. This helps prevent man-in-the-middle attacks.

"ip arp inspection vlan 10"
conf t
int e1/11
"ip arp inspection trust"

By default this only validates the Ethernet header SRC MAC and SRC IP against the binding DB. You can enable additional validation checks with "ip arp inspection validate":
- src-mac: checks the SRC MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses
- dst-mac: checks the DEST MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses
- ip: checks the ARP body for invalid and unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all multicast addresses

ARP ACL for hosts that are not in the binding DB:
arp access-list UNKNOWN-SW
  permit ip host 10.0.0.1 mac host 0000.0000.0001
ip arp inspection filter UNKNOWN-SW vlan 10 - assigns the ACL to a particular VLAN

IP Source Guard

Similar to Dynamic ARP Inspection, but applied to every packet, not only ARP.
"ip source binding 10.0.0.1 0000.0000.0001 vlan 10"
Can be applied to an interface:
int e1/1
  ip verify source dhcp-snooping-vlan

Putting the three features together on one interface:
int e1/1
  switchport
  ip dhcp snooping trust
  ip arp inspection trust
  ip verify source dhcp-snooping-vlan

Hardware Protection

Storm Control
int e1/1
  storm-control broadcast level 35 (after 35% of the link is broadcasts it will drop packets)
  storm-control multicast level 30
  storm-control unicast level 25
These are not individually set values: the last entered value changes all values. In the example above all storm-control levels are changed to 25. One suppression level is shared by all three modes.

Hardware Rate Limiter - for packets forwarded to the supervisor
CoPP
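To make the Dynamic ARP Inspection logic above concrete, here is an added Python model (not from these notes or from NX-OS itself) of the default binding-DB check followed by the optional src-mac, dst-mac and ip checks; the binding DB entry and the ARP frames are constructed test data.

```python
# Added example: a simplified model of how DAI consults the DHCP snooping
# binding DB and applies the optional "ip arp inspection validate" checks.
# The binding and every frame below are constructed, not captured data.
import ipaddress
from dataclasses import dataclass

# DHCP snooping binding DB: (vlan, ip) -> mac, as learned from DHCP leases
BINDING_DB = {(10, "10.0.0.1"): "0000.0000.0001"}


@dataclass
class ArpFrame:
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip):
    """The addresses the 'ip' check rejects: 0.0.0.0, broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def inspect_arp(frame, trusted=False, validate=()):
    """Return (allowed, reason). Frames on trusted ports skip inspection."""
    if trusted:
        return True, "trusted port"
    # Default DAI check: the sender IP/MAC pair must match a binding
    if BINDING_DB.get((frame.vlan, frame.sender_ip)) != frame.sender_mac:
        return False, "sender ip/mac not in binding db"
    # src-mac: Ethernet source vs ARP sender MAC, requests and replies
    if "src-mac" in validate and frame.eth_src != frame.sender_mac:
        return False, "src-mac mismatch"
    # dst-mac: Ethernet destination vs ARP target MAC, replies only
    if "dst-mac" in validate and frame.op == "reply" and frame.eth_dst != frame.target_mac:
        return False, "dst-mac mismatch"
    # ip: sender IP always, target IP only in replies
    if "ip" in validate:
        ips = [frame.sender_ip] + ([frame.target_ip] if frame.op == "reply" else [])
        if any(_bad_ip(ip) for ip in ips):
            return False, "invalid ip in arp body"
    return True, "ok"
```

The default check alone drops a spoofed sender, while an Ethernet/ARP header mismatch only gets caught once src-mac validation is switched on.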