01-22-2016 08:53 PM - edited 03-08-2019 03:30 AM
Hello everyone. I am a bit confused as to how to use and implement DHCP snooping with IP source guard and port security.
I have a scenario where I have around 50 L2 Cisco 2960 switches, all connected through their trunks, and all terminating on an L3 3750X switch where we have a DHCP server allocating IPs to users whose MAC is bound in the DHCP allowed entries. After that we have a Zyxel firewall that does the remaining job of moving the traffic out. We also used the Zyxel for MAC binding, but it supports only 300 users, so under load it used to crash a lot, so we have been using the DHCP server now.
Now the problem is that sometimes users are putting in a wrong IP, or simply using the services here, which I want to stop. So please suggest a method to use IP source guard and have it use the MAC bindings from the DHCP server and then allow access to the users.
Thanks in advance. Please help.
01-23-2016 10:45 AM
Hello,
I have two questions: can I use the Cisco 3750 as a database for snooping bindings, and then would it only allow access to users whose MAC entry is there?
Each switch has its own databases. Each switch has a database for DHCP snooping and a database for Source Guard. Source Guard inspects IP and MAC and allows only legitimate users to send traffic. DHCP snooping inspects the DHCP packets to make sure only legitimate users and servers send and receive DHCP information.
And overall, how does it work in a scenario where the IP is given by the DHCP server, which has its own table for MAC binding, and the switch just needs to verify that the IP/MAC bindings were given out by the trusted DHCP server, and no static entries are allowed until their MAC is there on the devices, either the DHCP server or the firewall?
DHCP Snooping
When DHCP gives an IP to a host, the switch inspects the DHCP packets and registers the IP with the MAC address and interface information in the DHCP snooping database. It also does some controlling. For example, it blocks sending DHCP discovery on untrusted ports, untrusted ports are not allowed to send DHCP offers, and it does some more.
The DHCP snooping database is a good source, so other applications can use it. You can manually add an entry into its database. In this way, you do not have to create a static entry for each application (IP source guard, DAI, IP device tracking) separately.
ip dhcp snooping binding [mac] vlan [number] [IP] interface [number] (adds an entry to the snooping database; run in privileged mode)
The database can also be located in flash (recommended).
IP source guard has its own database. You can add a static entry in the IP source guard database; however, the database is automatically populated by DHCP snooping, so it is better to add the entry to DHCP snooping instead.
When you activate IP source guard on an interface, it inspects the traffic coming from the source. Source IP and MAC address must match. It also checks the MAC address to see if it is legitimate if you have activated port security.
I need a solution to this scenario, and also how many MAC bindings a Cisco 3750 could have in its database, or the maximum it can have.
I do not think there is any limitation in the number of MACs, because each switch has its own table and you activate them locally, so there would not be too many entries.
Try with one switch, then add other switches as well. Do not forget this command if you have used IP helper:
On 3750 (with IP helper)
ip dhcp snooping information option allowed-untrusted
Masoud
01-24-2016 02:46 AM
Hello
To use IPSG and DHCP snooping the switch(es) need to be running the EMI image.
IPSG can be used to check just the IP address, or the IP address and MAC address of a host, and thus allow or deny that host.
The IPSG binding table is populated in two ways:
- Learned from the DHCP snooping D/B
- Manual entry in the IPSG binding table
Note: Only when IPSG is enabled is the IPSG binding table consulted.
Below is the result of a small lab example I managed to do for testing IPSG.
ip source only (Layer 3 checking):
Switch
ip dhcp snooping
ip dhcp snooping vlan 20
int fa0/3
description Link to Host 1
switchport mode access
switchport access vlan 20
ip verify source    ! IPSG enabled to check just the IP address
Host1 (applied a static entry just for example, but can be DHCP)
int fa0/0
mac-address 0000.1111.1111
ip address 192.168.1.1 255.255.255.0
Now if the MAC address is changed on this port, it will still be able to work, as ip verify source is only set to look at the IP address of the interface and not the MAC address in the binding table. However, if you change the IP address:
Host1
int fa0/0
mac-address 0000.1111.1111
ip address 192.168.1.2 255.255.255.0    ! IP address is changed
Now the connection will be lost, and even if you change the IP address back, it will still be down.
I have found that a shutdown and re-enable of the port re-enables the host, or manually adding a static source guard entry or static snoop binding entry will also work.
Here is the latter:
ip dhcp snooping binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
ip source binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 1000
This will work as long as the IP address is back in the snooping database, as the MAC is irrelevant (notice the different MAC address).
======================================
ip source & MAC address:
Switch
ip dhcp snooping
ip dhcp snooping vlan 20
int fa0/3
description Link to Host 1
switchport mode access
switchport access vlan 20
ip verify source port-security    ! IPSG enabled to check both IP & MAC address(es)
Host1 (applied a static entry just for example, but can be DHCP)
int fa0/0
mac-address 0000.1111.1111
ip address 192.168.1.1 255.255.255.0
Now if either the IP address or MAC address is changed on this port, the host WON'T be able to work, because ip verify source port-security is set to look at both the IP address and MAC address of the interface, as stated above.
These entries can be checked in the source guard binding and the snooping database tables:
sh ip source binding
sh ip dhcp snooping binding
Now if you change either the IP or MAC address on the interface, the connection will be lost.
However, you can negate this by manually adding two static entries to the source guard OR snoop D/B tables so the connection can be restored
or
You can shut down and re-enable the port, which re-enables the connection via DHCP.
Example of the two statics (the same as above, but now they need to have both the IP and MAC address(es) correct):
- static to source guard binding D/B
conf t
ip source binding 0000.0000.1111 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
or
- static to snooping D/B
ip dhcp snooping binding 0000.0000.1111 vlan 20 192.168.1.1 interface fa0/3 expiry 10000
The switch will consult the IPSG table first, and if a match ISN'T found then it will consult the snooping D/B table (dynamic or static entries).
Lastly, the source guard binding is saved to the running config, and all static source guard entries are checked BEFORE the snooping database.
Hope this was of help
Res
Paul
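Both Masoud's accepted answer and Paul's lab above describe the same filtering decision: IPSG on an access port only forwards frames whose source IP (and, with the port-security keyword, source MAC) matches a binding for that port and VLAN, the static source-guard table being consulted before the DHCP snooping database. The Python model below is an added illustration written for this page; it is not Cisco code and not from either poster. Class, method and field names are this example's own, and the MACs, IPs and interface names are the constructed values from Paul's lab. It replays Paul's two scenarios so the ip-only versus ip-plus-mac difference can be checked directly.

```python
"""Illustrative model of the IP Source Guard (IPSG) filter on a Cisco access port.

Added as an example for this thread; not Cisco code and not from either poster.
It encodes the behaviour the answers describe: with 'ip verify source' only the
source IP is checked against a binding for the port and VLAN; with
'ip verify source port-security' the source MAC must match as well; static
'ip source binding' entries are consulted before the DHCP snooping database.
All names are this example's own; the addresses are Paul's constructed lab values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass
class Switch:
    # static 'ip source binding ...' entries (IPSG table, consulted first)
    source_bindings: List[Binding] = field(default_factory=list)
    # DHCP snooping database: leases learned on untrusted ports plus
    # static 'ip dhcp snooping binding ...' entries
    snooping_bindings: List[Binding] = field(default_factory=list)
    # per-interface IPSG mode: absent = off, "ip" = 'ip verify source',
    # "ip-mac" = 'ip verify source port-security'
    verify_mode: Dict[str, str] = field(default_factory=dict)

    def learn_from_dhcp(self, mac: str, vlan: int, ip: str, interface: str) -> None:
        """DHCP snooping records a lease it saw the trusted server hand out."""
        self.snooping_bindings.append(Binding(mac.lower(), vlan, ip, interface))

    def add_source_binding(self, mac: str, vlan: int, ip: str, interface: str) -> None:
        """'ip source binding <mac> vlan <id> <ip> interface <if>' (global config)."""
        self.source_bindings.append(Binding(mac.lower(), vlan, ip, interface))

    def add_snooping_binding(self, mac: str, vlan: int, ip: str, interface: str) -> None:
        """'ip dhcp snooping binding <mac> vlan <id> <ip> interface <if> expiry <s>' (privileged exec)."""
        self.snooping_bindings.append(Binding(mac.lower(), vlan, ip, interface))

    def _lookup(self, interface: str, vlan: int, ip: str,
                mac: Optional[str] = None) -> Optional[Binding]:
        # IPSG static table first, then the snooping database
        for table in (self.source_bindings, self.snooping_bindings):
            for b in table:
                if (b.interface, b.vlan, b.ip) != (interface, vlan, ip):
                    continue
                if mac is not None and b.mac != mac:
                    continue
                return b
        return None

    def permits(self, interface: str, vlan: int, src_ip: str, src_mac: str) -> bool:
        """Would a frame with this source IP/MAC be forwarded from this port?"""
        mode = self.verify_mode.get(interface)
        if mode is None:
            return True  # IPSG not enabled: the binding tables are not consulted
        if mode == "ip":
            return self._lookup(interface, vlan, src_ip) is not None
        return self._lookup(interface, vlan, src_ip, src_mac.lower()) is not None


def lab_ip_only() -> Dict[str, bool]:
    """Paul's first lab: 'ip verify source' on fa0/3, host 0000.1111.1111 / 192.168.1.1."""
    sw = Switch()
    sw.verify_mode["fa0/3"] = "ip"
    sw.learn_from_dhcp("0000.1111.1111", 20, "192.168.1.1", "fa0/3")
    out = {
        "original":    sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111"),
        "mac_changed": sw.permits("fa0/3", 20, "192.168.1.1", "0000.2222.2222"),
        "ip_changed":  sw.permits("fa0/3", 20, "192.168.1.2", "0000.1111.1111"),
    }
    # the lab saw the host stay down after changing its IP back: modelled here
    # as the binding having been lost, so the IP alone no longer matches anything
    sw.snooping_bindings.clear()
    out["ip_back_no_binding"] = sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111")
    # Paul's static entry with a different MAC restores access in this mode,
    # because only the IP is compared
    sw.add_snooping_binding("0000.3333.3333", 20, "192.168.1.1", "fa0/3")
    out["static_other_mac"] = sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111")
    return out


def lab_ip_and_mac() -> Dict[str, bool]:
    """Paul's second lab: 'ip verify source port-security' on fa0/3."""
    sw = Switch()
    sw.verify_mode["fa0/3"] = "ip-mac"
    sw.learn_from_dhcp("0000.1111.1111", 20, "192.168.1.1", "fa0/3")
    out = {
        "original":    sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111"),
        "mac_changed": sw.permits("fa0/3", 20, "192.168.1.1", "0000.2222.2222"),
        "ip_changed":  sw.permits("fa0/3", 20, "192.168.1.2", "0000.1111.1111"),
    }
    sw.snooping_bindings.clear()
    # a static with the wrong MAC does not help in this mode ...
    sw.add_source_binding("0000.3333.3333", 20, "192.168.1.1", "fa0/3")
    out["static_wrong_mac"] = sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111")
    # ... only one with both the IP and the MAC correct does
    sw.add_source_binding("0000.1111.1111", 20, "192.168.1.1", "fa0/3")
    out["static_right_mac"] = sw.permits("fa0/3", 20, "192.168.1.1", "0000.1111.1111")
    return out


if __name__ == "__main__":
    for name, result in (("ip only", lab_ip_only()), ("ip + mac", lab_ip_and_mac())):
        print(name, result)
```

The model deliberately keeps the decision per switch and per port, which is the point Masoud makes twice in the thread: each 2960 consults only its own tables, so a 3750 upstream holding bindings does nothing for an access port on another switch unless snooping and IPSG are enabled there too.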
01-23-2016 06:53 AM
Here's a good example of how to implement IPSG with DHCP snooping and switchport security on an L2 network, if I'm right in thinking that's what you're trying to do:
http://packetpushers.net/ccnp-studies-configuring-ip-source-guard/
01-23-2016 07:23 AM
Hello,
If you configure DHCP snooping, it populates the IP source guard database. You can also add static entries.
DHCP snooping configuration on 2960 and 3750.
***
Global configuration.
ip dhcp snooping database flash:mydatabase
ip dhcp snooping
ip dhcp snooping vlan [vlan numbers]
interface x.x (trunk interfaces and DHCP server interface)
ip dhcp snooping trust
**********************************
IP source guard on 2960 + port security
First configure port security
interface X.X (access interfaces)
switchport port-security
switchport port-security ... [continue with other port security commands]
ip verify source port-security
*************************************************
Two ways to add static entries
1- ip source binding [mac] vlan [number] [ip] interface [number]
2- ip dhcp snooping binding [mac] vlan [number] [IP] interface [number] (configured in privileged mode)
The second way adds entries to the DHCP snooping database. Then the DHCP snooping database populates the IP source guard database. The second way is suggested.
******************************************************************
On 3750
ip dhcp snooping information option allowed-untrusted
*************************************************************************
Show commands
show ip verify source
show ip dhcp snooping binding
******************
Hope it helps,
Let me know if you have more questions.
Masoud
01-23-2016 10:06 AM
Thanks for the reply.
I have two questions: can I use the Cisco 3750 as a database for snooping bindings, and then would it only allow access to users whose MAC entry is there?
And overall, how does it work in a scenario where the IP is given by the DHCP server, which has its own table for MAC binding, and the switch just needs to verify that the IP/MAC bindings were given out by the trusted DHCP server, and no static entries are allowed until their MAC is there on the devices, either the DHCP server or the firewall?
I need a solution to this scenario, and also how many MAC bindings a Cisco 3750 could have in its database, or the maximum it can have.
Or, I don't know if I have understood it correctly, but if we trust the DHCP server port on the switch as trusted, and the trunks the same way, then is there any way for the DHCP snooping database to be filled from that port, with DHCP snooping adding the entries to its database directly? Or how do we populate the DHCP snooping database through an external DHCP server?
I have a network of around 1500 users and need something through which I could restrict the IP set by the user on his own, on the current setup, which is 4 Cisco 3750 switches and a firewall that has a limit of around 300 users, so I can't put the IP/MAC filtering load on it.
Thanks in advance
01-25-2016 10:24 AM
Thanks for your help.
One more thing to ask: in the scenario I have a stack of around 3 Cisco 3750 switches, and as you say, I create the DHCP snooping database on the L3 3750 itself, and all the other switches are connected via trunks to the core 3750.
So I have to enable IPSG to verify that the IP/MAC bindings are correct and that no end user puts a static IP on his/her device, as that would fail since it won't have a registered MAC on the DHCP server, and thus in the DHCP snooping bindings, and then it won't be allowed on the network.
So if the user-end switches which I am using are 2960G, then would the end switch compare the validity of the user against the snooping database on the L3 Cisco 3750?????
Also, could you suggest me a method as to how to restrict users from putting a static IP without being added onto the DHCP server and getting access to the network?
Thanks for the reply...
01-25-2016 01:26 PM
As I remember, I did not say that. You need to activate DHCP snooping on all switches. DHCP snooping databases are independent. Each switch inspects the DHCP traffic with its own database. Since inspection is local, you can start configuring one switch at a time.
IP verify source will limit the user from statically configuring an IP address. Activate DHCP snooping and IP source guard on one of the 2960 switches and check the databases with the show commands.
Masoud