Skills Tested
Identifying and configuring protection against Layer 2 and Layer 3 attacks on a Cisco Catalyst switch, specifically those related to DHCP and IP address spoofing
Solution and Verification
This exercise requires the implementation of an attack mitigation strategy on the Cisco Catalyst switch. The administrator must be familiar with attacks at both Layer 2 and Layer 3 and with the switch features available to protect against them. The question has two requirements. The first is protection against DHCP-based attacks using DHCP snooping: man-in-the-middle attacks via rogue DHCP servers (server replies are accepted only on the trusted trunk toward R2) and DHCP address starvation (snooping verifies that the chaddr field of each client message matches the frame's source MAC, so a starvation tool cannot request leases for MAC addresses it is not actually sending from). The second is the use of IP source guard (with port security) to help prevent IP and MAC spoofing attacks.
IP source guard with the port-security keyword provides an additional level of security because it prevents a device from sending any traffic on the switchport other than DHCP until the device has obtained an IP address from DHCP and a binding exists; after that, only frames whose source IP and source MAC both match the binding are forwarded. The following caveats apply to IP source guard with port security:
The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.
The DHCP server must support option 82 or the client is not assigned an IP address. Without DHCP option 82 data returned from the DHCP server, the switch cannot locate the client host port to forward the DHCP server reply.
IP source guard with IP+MAC disables dynamic MAC learning on the port for DHCP and ARP packets.
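As an added example (not code from the exercise or from Cisco IOS), the following Python model shows what the ip-mac filter installed by ip verify source port-security does with frames arriving on Gi1/0/19, seeded with the AP1 binding from this exercise's DHCP snooping database (1C:DF:0F:94:80:63 / 10.50.100.53 / VLAN 100). It runs the same frames through an ip-only filter as well, to show why the port-security keyword matters. The attacker MAC and addresses, the DHCP-before-lease frame, and all class and function names are constructed for illustration.

```python
"""Model of the IP source guard (IPSG) filter on a Catalyst access port.

Added illustration, not code from the exercise or from Cisco IOS. It models
the per-port filter that `ip verify source [port-security]` installs, using
the binding shown in `show ip dhcp snooping binding`. Attacker addresses and
all names here are constructed.
"""
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67  # client -> server DHCP is exempt from the filter


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Frame:
    interface: str
    vlan: int
    src_mac: str
    src_ip: str
    udp_dport: Optional[int] = None


def norm_mac(mac: str) -> str:
    """Normalise 1C:DF:0F:94:80:63, 1cdf.0f94.8063 and 1c-df-... to one form."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


class IpSourceGuard:
    """filter_type 'ip' checks source IP only; 'ip-mac' (the port-security
    keyword) checks source IP and source MAC against the binding."""

    def __init__(self, bindings, filter_type="ip-mac"):
        if filter_type not in ("ip", "ip-mac"):
            raise ValueError("filter_type must be 'ip' or 'ip-mac'")
        self.filter_type = filter_type
        self.bindings = list(bindings)

    def verdict(self, frame: Frame) -> str:
        # DHCP is exempt; otherwise a host could never obtain the lease
        # that creates its binding.
        if frame.udp_dport == DHCP_SERVER_PORT:
            return "permit-dhcp"
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.src_ip):
                continue
            if self.filter_type == "ip-mac" and norm_mac(b.mac) != norm_mac(frame.src_mac):
                continue  # right IP, wrong MAC: spoofed under ip-mac filtering
            return "permit"
        return "deny"


# Binding from the exercise's snooping database (interface abbreviated).
AP1 = Binding("1C:DF:0F:94:80:63", "10.50.100.53", 100, "Gi1/0/19")


def run_scenarios(filter_type="ip-mac"):
    """Return the verdict for each constructed frame arriving on Gi1/0/19."""
    ipsg = IpSourceGuard([AP1], filter_type)
    cases = {
        # AP1 sending from its own DHCP-assigned address
        "ap1_legit": Frame("Gi1/0/19", 100, "1cdf.0f94.8063", "10.50.100.53"),
        # attacker behind the same port spoofing AP1's IP from another MAC
        "spoof_ip_only": Frame("Gi1/0/19", 100, "0011.2233.4455", "10.50.100.53"),
        # attacker using a static, never-leased address
        "static_ip": Frame("Gi1/0/19", 100, "0011.2233.4455", "10.50.100.200"),
        # AP1's address arriving with a VLAN tag the binding does not cover
        "wrong_vlan": Frame("Gi1/0/19", 110, "1cdf.0f94.8063", "10.50.100.53"),
        # DHCPDISCOVER from a host that has no binding yet
        "dhcp_before_lease": Frame("Gi1/0/19", 100, "0011.2233.4455", "0.0.0.0", 67),
    }
    return {name: ipsg.verdict(f) for name, f in cases.items()}


if __name__ == "__main__":
    for ft in ("ip", "ip-mac"):
        print(ft, run_scenarios(ft))
```

The spoof_ip_only case is the one that separates the two filter types: with the plain ip filter the attacker's frame is forwarded because only the source IP is checked, whereas the ip-mac filter produced by the port-security keyword drops it.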
For all verification syntax that follows:
Required output appears in red.
Required tasks appear in indigo.
Variable syntax appears in green.
To verify your solution, you will first need to trigger the DHCP request from AP1.
Bounce the interface on SW1 facing AP1 to generate a DHCP request and populate the DHCP snooping database:
SW1# conf t
SW1(config)# int GigabitEthernet1/0/19
SW1(config-if)# shut
SW1(config-if)# no shut
When the address is assigned by R2, check that there is a binding in the DHCP snooping database:
SW1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------------
1C:DF:0F:94:80:63   10.50.100.53     infinite    dhcp-snooping  100   GigabitEthernet1/0/19
Total number of bindings: 1
The configuration of DHCP snooping itself is verified using the following (snooping has also been enabled for all the wireless VLANs serviced by the DHCP server on R2):
SW1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,110,120
DHCP snooping is operational on following VLANs:
100,110,120
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: c464.13fb.7780 (MAC)
Option 82 on untrusted port is not allowed
   Verification of hwaddr field is enabled
   Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
GigabitEthernet1/0/2       yes        unlimited
For the IP source guard feature verification, the show ip verify source command shows the DHCP-issued address that has been bound to the switchport (as stored in the DHCP snooping database). The ip-mac filter type indicates that IP source guard has been correctly combined with port security, enforcing the additional restriction that no non-DHCP traffic from AP1 is forwarded until DHCP has assigned it an address, and that both the source IP and the source MAC must then match the binding.
SW1# show ip verify source
Interface  Filter-type  Filter-mode  IP-address    Mac-address        Vlan  Log
---------  -----------  -----------  ------------  -----------------  ----  --------
Gi1/0/19   ip-mac       active       10.50.100.53  1C:DF:0F:94:80:63  100   disabled
Configuration
SW1
ip dhcp snooping vlan 100,110,120
ip dhcp snooping
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,110,120
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/19
 switchport access vlan 100
 switchport mode access
 ip verify source port-security
 switchport port-security
!
Tech Notes
Table 1a-5 summarizes the Cisco Catalyst security features used in this exercise.
Table 1a-5 Cisco Catalyst Switch Security Features
DHCP Implementation Notes
DHCP Option 82
DHCP option 82 insertion is on by default with DHCP snooping and ensures that the VLAN ID (carried in the circuit-id suboption) is passed to the DHCP server on R2 so that it can select the address pool. It also allows an address pool to be shared across VLANs. In normal DHCP address allocation, the DHCP server looks only at the giaddr (gateway IP address) field and cannot differentiate between multiple address ranges in the same address pool.
To solve this problem, a relay agent in the switch inserts the relay agent information option (option 82), which carries attributes specific to the port, and the DHCP server inspects both the giaddr field and the inserted option 82 during the address selection process. This is especially important if the giaddr value is 0 or missing. If a deployment requirement is to share the address pool across multiple VLANs, DHCP classes are used to define ranges within the large pool.
Example:
ip dhcp class CLASS1
 relay agent information
  relay-information hex 01030a0b0c02050000000123
ip dhcp pool ABC
 network 10.0.20.0 255.255.255.0
 class CLASS1
  address range 10.0.20.1 10.0.20.100
 class CLASS2
  address range 10.0.20.101 10.0.20.200
The hex value defines the class in terms of the option 82 (relay agent information) attributes that the relay agent generates for the requesting client's port. To determine the class value that a specific port produces, use the following trick:
Configure a DHCP pool matching the remote giaddr IP address value. Create a DHCP class with a relay-information value that will never match a real client, for example 00000000* (the trailing asterisk makes the hex a prefix match). Associate this class with the pool and configure a subrange as usual.
Enable debug ip dhcp server class on the server, which tracks class-based allocation. When an incoming packet contains a DHCP option 82 that does not match any class, output similar to the following appears, and the quoted hex string is exactly the value to configure in the real class:
Aug 19 21:42:52.030: DHCPD: Searching for a match to 'information 010600040064011302080006c46413fb7780' in class CLASS1
DHCP Snooping and the DHCP Server on Cisco IOS Routers
By default, a Cisco IOS DHCP server drops a DHCP packet that carries option 82 but has a giaddr of zero, because it expects option 82 to come from an IP relay agent that also sets giaddr. A Cisco Catalyst switch running DHCP snooping is a Layer 2 relay: it inserts option 82 but leaves giaddr at zero when forwarding the DHCPDISCOVER to R2. The following debug output illustrates how DHCP snooping builds option 82, and also explains how the highlighted portion of the show ip dhcp snooping command is used:
show ip dhcp snooping...
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port remote-id: c464.13fb.7780 (MAC)
DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/19)
DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/19,
  MAC da: ffff.ffff.ffff, MAC sa: 1cdf.0f94.8063, IP da: 255.255.255.255, IP sa: 0.0.0.0,
  DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0,
  DHCP chaddr: 1cdf.0f94.8063
DHCP_SNOOPING: add relay information option.
DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x1 0x13 0x2 0x8 0x0 0x6 0xC4 0x64 0x13 0xFB 0x77 0x80
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
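The dump above and the debug ip dhcp server class line in the Tech Notes are the same 18-byte option body seen from the two ends. As an added example (not code from the exercise or from Cisco IOS), the following Python decodes that option 82 TLV the way the server would have to: it recovers VLAN 100, module 1, port 19 from the vlan-mod-port circuit-id and the switch MAC c464.13fb.7780 from the remote-id, then emulates ip dhcp class matching against the CLASS1 pattern and the 00000000* sentinel from the trick above. The prefix-match wildcard follows the IOS relay-information hex syntax; the bitmask form is not modelled, and the 010600040064* pattern and all function names are constructed for illustration.

```python
"""Decode DHCP option 82 as inserted by Catalyst DHCP snooping and match it
against `ip dhcp class` relay-information hex patterns.

Added illustration, not code from the exercise or from Cisco IOS. The input
bytes are transcribed from the DHCP_SNOOPING binary dump; the patterns are
the CLASS1 value and sentinel from the Tech Notes plus one constructed
prefix pattern. A trailing '*' means prefix match, as in IOS.
"""
from dataclasses import dataclass

OPTION_82 = 0x52
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# "binary dump of relay info option, length: 20" from the debug above.
DEBUG_DUMP = bytes.fromhex("5212010600040064011302080006c46413fb7780")


@dataclass(frozen=True)
class RelayInfo:
    body: bytes        # option payload: the concatenated suboptions
    circuit_id: bytes
    remote_id: bytes

    def vlan_mod_port(self):
        """Cisco default circuit-id: type=0, len=4, vlan(2) module(1) port(1)."""
        c = self.circuit_id
        if len(c) != 6 or c[0] != 0 or c[1] != 4:
            raise ValueError("circuit-id is not in vlan-mod-port format")
        return int.from_bytes(c[2:4], "big"), c[4], c[5]

    def remote_mac(self):
        """Cisco default remote-id: type=0, len=6, switch base MAC."""
        r = self.remote_id
        if len(r) != 8 or r[0] != 0 or r[1] != 6:
            raise ValueError("remote-id is not in MAC format")
        h = r[2:].hex()
        return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_option82(buf: bytes) -> RelayInfo:
    """Parse a TLV-encoded option 82, rejecting truncated or malformed data."""
    if len(buf) < 2 or buf[0] != OPTION_82:
        raise ValueError("not an option 82 TLV")
    length = buf[1]
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("option 82 length exceeds buffer")
    subs = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError(f"suboption {code} truncated")
        if code in subs:  # robustness choice of this model, not an IOS rule
            raise ValueError(f"duplicate suboption {code}")
        subs[code] = val
        i += 2 + ln
    return RelayInfo(body, subs.get(SUBOPT_CIRCUIT_ID, b""), subs.get(SUBOPT_REMOTE_ID, b""))


def is_valid_option82(buf: bytes) -> bool:
    """True if parse_option82 accepts the buffer."""
    try:
        parse_option82(buf)
        return True
    except ValueError:
        return False


def class_matches(pattern: str, info: RelayInfo) -> bool:
    """Emulate `relay-information hex <pattern>[*]` against the option body."""
    prefix_only = pattern.endswith("*")
    want = bytes.fromhex(pattern.rstrip("*"))
    return info.body.startswith(want) if prefix_only else info.body == want


if __name__ == "__main__":
    ri = parse_option82(DEBUG_DUMP)
    print("circuit-id vlan/module/port:", ri.vlan_mod_port())
    print("remote-id MAC:", ri.remote_mac())
    for pat in ("01030a0b0c02050000000123", "00000000*", "010600040064*"):
        print(pat, class_matches(pat, ri))
```

Because the circuit-id is just bytes chosen by whoever inserted option 82, any class-based pool selection is only as trustworthy as the relay that inserted it, which is why the untrusted-port drop discussed next matters.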
In this exercise, R2 must be able to process the relay with giaddr 0 when using option 82, so the following command is needed on R2:
ip dhcp relay information trust-all
If SW1, configured for DHCP snooping, received a DHCP request that already carried option 82 (or had a non-zero giaddr) from another relay or a downstream switch through an untrusted port, it would drop the packet and log:
%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port
The following command makes the switch accept option 82 on untrusted ports:
ip dhcp snooping information option allow-untrusted
Alternatively, the no ip dhcp snooping information option command can be used if there are no other dependencies on option 82. Note that allow-untrusted only relaxes the option 82 check; the giaddr verification shown in the show ip dhcp snooping output above remains in effect. It also means the switch now trusts relay information supplied by whatever is connected to the untrusted port, so a host could forge a circuit-id to be placed in a different class-based address range. Where the upstream device is a switch under your administration, marking the port facing it with ip dhcp snooping trust is the cleaner fix.