
NX-OS DHCP Snooping/Dynamic ARP inspection/IP Source Guard/Hardware Protection

posted Apr 24, 2014, 7:04 PM by Rick McGee   [ updated Apr 24, 2014, 8:02 PM ]
Security Features 

DHCP Snooping 
    Acts like a firewall between untrusted hosts (clients) and trusted DHCP servers
        We don't want to allow any rogue DHCP servers on the network
        Only responses from trusted DHCP servers are allowed to hand out DHCP replies
     What DHCP Snooping does:
        Validates DHCP messages received from untrusted sources and filters out invalid messages
        Builds and maintains the DHCP snooping binding DB, which contains information about
        untrusted hosts with leased IP addresses (MAC, IP, VLAN, interface)

        Uses the DHCP snooping binding DB to validate subsequent requests from untrusted hosts

DHCP Snooping in a vPC environment 
    A DHCP request could come in on a vPC member port on vPC peer A while the response arrives on
    vPC peer B.
    Without synchronization this would result in the following:
            Mismatched or incomplete DHCP snooping table
            Broken IP Source Guard and Dynamic ARP Inspection (both depend on that table)
    How do we fix this situation?
        CFSoE is used to sync the binding table between the peers and resolve this problem
        CFSoE also forces only one switch to forward the DHCP requests and responses

DHCP Snooping Configuration 
    "feature dhcp"  enables the DHCP feature set
    "ip dhcp snooping"  globally enables DHCP snooping
    "ip dhcp snooping vlan 10"  enables DHCP snooping per VLAN
    "ip dhcp snooping verify mac-address"
            When a packet is received on an untrusted interface and the source MAC address in the
            Ethernet header does not match the DHCP client hardware address (chaddr) in the DHCP
            body, address verification causes the device to drop the packet
    "ip dhcp snooping trust"  (similar to IP Source Guard in some respects)
             Apply this to the interface or port-channel that connects to the trusted DHCP server;
             all other ports remain untrusted by default

    "ip dhcp snooping information option"  inserts Option 82 (relay agent information)
    "ip dhcp relay information option vpn"
    "ip dhcp relay sub-option type cisco"
        Used when the DHCP server and client are in different VRFs

Dynamic ARP Inspection (DAI)
    Uses the DHCP snooping binding DB for MAC-to-IP checks on ARP packets
        This helps prevent man-in-the-middle attacks based on ARP spoofing
    "ip arp inspection vlan 10"  enables DAI on the VLAN
        conf t
        int e1/11
        "ip arp inspection trust"  skips inspection on this interface (e.g. the uplink)
            By default DAI only validates the sender MAC / sender IP pair against the DB

    You can enable additional validation checks
        "ip arp inspection validate src-mac dst-mac ip"
                    src-mac: checks the SRC MAC address in the Ethernet header against the sender
                    MAC address in the ARP body for ARP requests and responses
                    dst-mac: checks the DEST MAC address in the Ethernet header against the target
                    MAC address in the ARP body for ARP responses

                    ip: checks the ARP body for invalid and unexpected IP addresses, which include
                    all multicast addresses
            arp access-list UNKNOWN-SW
                    permit ip host mac host 0000.0000.0001
            ip arp inspection filter UNKNOWN-SW vlan 10
                    assigns the ARP ACL to a particular VLAN (for hosts with static IPs that have
                    no DHCP snooping binding)

IP Source Guard 
     Similar to Dynamic ARP Inspection, but applied to every IP packet, not only ARP
        "ip source binding 0000.0000.0001 vlan 10"  adds a static binding for a host without a DHCP lease
        Can be applied to an interface
        int e1/1
            ip verify source dhcp-snooping-vlan
        A typical untrusted access port ends up with:
        int e1/1
            ip dhcp snooping trust
            ip arp inspection trust
            ip verify source dhcp-snooping-vlan
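To show how the three features fit together, here is a small model of the DHCP snooping binding DB and the checks that Dynamic ARP Inspection and IP Source Guard run against it. This is an added example written for this post, not NX-OS code; the port names, MAC and IP addresses are constructed sample values, and the list of "invalid" IP addresses checked by the ip validation (0.0.0.0, 255.255.255.255 and multicast) is an assumption.

```python
"""Constructed model of the NX-OS DHCP snooping binding DB plus the DAI and
IP Source Guard checks. Ports, MACs and IPs are made-up sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

class SnoopingDB:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only valid from trusted ports

    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)    # "ip dhcp snooping trust"
        self.verify_mac = verify_mac         # "ip dhcp snooping verify mac-address"
        self.bindings = {}                   # (vlan, ip) -> Binding
        self.pending = {}                    # chaddr -> (vlan, client port)

    def dhcp(self, vlan, port, src_mac, chaddr, msg_type, yiaddr=None):
        """Filter one DHCP message; returns 'forward' or 'drop'."""
        untrusted = port not in self.trusted
        if untrusted and msg_type in self.SERVER_MSGS:
            return "drop"                    # rogue DHCP server on an untrusted port
        if untrusted and self.verify_mac and src_mac != chaddr:
            return "drop"                    # Ethernet source MAC != client hardware address
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (vlan, port)
        elif msg_type == "ACK" and chaddr in self.pending:
            cvlan, cport = self.pending.pop(chaddr)
            self.bindings[(cvlan, yiaddr)] = Binding(chaddr, yiaddr, cvlan, cport)
        return "forward"

    def static_binding(self, mac, ip, vlan, interface):
        """Equivalent of 'ip source binding ...' for a host without a lease."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, interface)

@dataclass(frozen=True)
class ArpFrame:
    eth_src: str
    eth_dst: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def _invalid_ip(ip):
    # Assumed invalid set: all-zeros, limited broadcast and any multicast address
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

def arp_inspect(db, vlan, port, f, validate=("src-mac", "dst-mac", "ip")):
    """DAI: header/body consistency checks, then the binding-table lookup."""
    if port in db.trusted:
        return "forward"                     # "ip arp inspection trust"
    if "src-mac" in validate and f.eth_src != f.sender_mac:
        return "drop"
    if "dst-mac" in validate and f.op == "reply" and f.eth_dst != f.target_mac:
        return "drop"
    if "ip" in validate:
        ips = [f.sender_ip] + ([f.target_ip] if f.op == "reply" else [])
        if any(_invalid_ip(ip) for ip in ips):
            return "drop"
    b = db.bindings.get((vlan, f.sender_ip))
    return "forward" if b and b.mac == f.sender_mac else "drop"

def ip_source_guard(db, vlan, port, src_mac, src_ip):
    """'ip verify source dhcp-snooping-vlan': every IP packet must match a binding on this port."""
    b = db.bindings.get((vlan, src_ip))
    return "forward" if b and b.mac == src_mac and b.interface == port else "drop"

def demo():
    """Walk a client through DHCP, then test ARP and IP traffic; returns each verdict."""
    db = SnoopingDB(trusted_ports={"Eth1/11"})   # Eth1/11 faces the real DHCP server
    client, server, rogue = "0000.0000.0001", "0000.0000.00aa", "0000.0000.0bad"
    bcast, zero = "ffff.ffff.ffff", "0000.0000.0000"
    r = {}
    r["discover"] = db.dhcp(10, "Eth1/1", client, client, "DISCOVER")
    r["spoofed_discover"] = db.dhcp(10, "Eth1/2", "0000.0000.0002", client, "DISCOVER")
    r["rogue_offer"] = db.dhcp(10, "Eth1/2", rogue, client, "OFFER", "10.0.0.99")
    r["ack"] = db.dhcp(10, "Eth1/11", server, client, "ACK", "10.0.0.5")
    r["arp_ok"] = arp_inspect(db, 10, "Eth1/1",
        ArpFrame(client, bcast, "request", client, "10.0.0.5", zero, "10.0.0.1"))
    r["arp_claims_gateway_ip"] = arp_inspect(db, 10, "Eth1/1",
        ArpFrame(client, bcast, "request", client, "10.0.0.1", zero, "10.0.0.5"))
    r["arp_header_mismatch"] = arp_inspect(db, 10, "Eth1/1",
        ArpFrame("0000.0000.0002", bcast, "request", client, "10.0.0.5", zero, "10.0.0.1"))
    r["arp_multicast_target"] = arp_inspect(db, 10, "Eth1/1",
        ArpFrame(client, server, "reply", client, "10.0.0.5", server, "224.0.0.1"))
    r["ipsg_ok"] = ip_source_guard(db, 10, "Eth1/1", client, "10.0.0.5")
    r["ipsg_wrong_port"] = ip_source_guard(db, 10, "Eth1/2", client, "10.0.0.5")
    return r

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The order of the checks mirrors the post: a server message on an untrusted port is dropped before anything else, the verify mac-address check runs only on untrusted ports, and DAI/IPSG consult the binding that the ACK created. Note that the IPSG check also ties the binding to the interface it was learned on, which is why the same MAC/IP pair is dropped when it shows up on Eth1/2.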

Hardware Protection 
    Storm Control
        int e1/1
        storm-control broadcast level 35  (once broadcasts exceed 35% of the link bandwidth, packets are dropped)
        storm-control multicast level 30
        storm-control unicast level 25

    These are not individually set values:
    the last entered value changes all of them
            In the example above all storm-control levels end up at 25
    One suppression level is shared by all three modes

Hardware Rate Limiter
        Applies to packets forwarded to the supervisor