Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1105
Views
10
Helpful
7
Replies

DAI Question

Go to solution
Patrick McHenry
Level 3
Level 3

‎11-29-2011 08:12 AM - edited ‎03-07-2019 03:39 AM

I've been trying to think of way to keep only certain users from using our conference room data jacks. Port-security won't help as there are multiple ports in the conference rooms going to the same switch and it is not scalable. We don't use dot1x at the moment so, that is out but, I tried DAI in a lab. I configured dhcp-snooping and turn it on for the VLAN and then added verify source to each port. Now, when the device gets a address from DHCP, it allows that device on the network. On the DHCP side, I created reservations and only the macs that have reservations will get ip addresses. When I give a device a address other than the one it learned by DHCP, the port denies it access.

Questions:

Do I need to put the ip verify source on each interface to make this work or would dhcp snooping be enough?

Is this working because it checks the dhcp database - then, if the MAC to IP entry is in there it allows access?

thanks, Pat.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎11-30-2011 03:04 AM

Hi Pat,

is it IP source guard with the ip verify source config checking the DHCP snooping database?

Yes it is

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎11-29-2011 11:18 AM

Hi Pat,

ip verify-source is IP Source Guard not DAI and it won't do anything against someone spoofing its MAC address to get a valid DHCP IP address( you should then also consider implementing port security), all it does is prevent IP spoofing.

Yes it uses the DHCP snooping database but it could also be configured for static IPs just as DAI is also relying on DHCP snooping but can be configured for static IPs.

Yes you'll have to use it on every access port.

Regards.

Alain

Don't forget to rate helpful posts.

Go to solution
Patrick McHenry
Level 3
Level 3
In response to cadet alain

‎11-29-2011 11:39 AM

Thanks, Alain

I don't want to go the static route as I am trying not to create any added administration. I just want to set up DHCP-snooping on the switches that are going to have the conference room VLAN. Then, the only administration will be making reservations on the DHCP scope. What was the last comment you made refering to, "Yes you'll have to use it on every access port." ? You me untrust every port that I want the DHCP database checked?

Thanks, Pat.

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎11-29-2011 12:30 PM

Hi Pat,

all DHCP snooping prevents is Rogue DHCP server  by only permitting server responses on trusted ports and putting by default all ports in the vlan as untrusted.It can also prevent DHCP starvation attacks by rate limiting requests on untrusted ports.If you're using IP Source guard then you'll have to enter the ip verify source command on every access port.

Regards

Alain

Don't forget to rate helpful posts.

Go to solution
Patrick McHenry
Level 3
Level 3
In response to cadet alain

‎11-30-2011 02:38 AM

Alain,

In my lab, I only configured a DHCP server with a range from 192.168.1.1 - 255 and a Router of 192.168.1.1. I gave the switch a VLAN 1 interface IP of 192.168.1.1. Then configured DHCP snooping for VLAN 1(really only so I had a database of addresses) then, IP verify source on the ports. The result is that my laptop could only connect if I got an address from the DHCP server. If, after getting an IP from the DHCP server I statically gave myself that same IP I got from the DHCP server, the device would still ping the gateway but, if I gave it my device one that my device did not get from the DHCP server it would not ping the gateway.

I'm trying to understand why it is working. From what I understand about DHCP snooping is that it stops an untrusted port from handing out addresses and limits requests like you said.

Is it the DHCP snooping that is stopping the connections or is it IP source guard with the ip verify source config checking the DHCP snooping database? Or, is there something else happening?

Sorry about the confusion with the DAI. I dont't know what I was thinking.

Thanks, Pat.

Ultimately, what I am trying to accomplish is to keep unauthorized users from accessing our network in conference rooms. Port security won't work in this situation as there are many ports in these conference rooms that connect to the same switch. You can only configure a group of MACs to one port on a switch, and also this method isn't very scalable.  Every time I need to add a device that needs to connect, I would have to go to every switch that has a conference room and add that new MAC.

So, in addition to the switch config that I used in the lab, I would only allow the "allowed devices"(MACs) to get DHCP addresses from the DHCP server.

Thanks. again.

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎11-30-2011 03:04 AM

Hi Pat,

is it IP source guard with the ip verify source config checking the DHCP snooping database?

Yes it is

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Patrick McHenry
Level 3
Level 3
In response to cadet alain

‎11-30-2011 03:07 AM

Thanks, Alain.

Do you sleep?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎11-30-2011 03:26 AM

Hi Pat,

Yes of course like everybody, why ? 

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card