ip source guard ( ip +mac) and option 82 requirement

sarahr202 · ‎06-09-2012

Hi everybody

IP source guard can be used to verify src ip and mac using dhcp binding.

According to my book, it requires that option 82 be enabled. Below is the excerpt:

Source IP and MAC address ﬁlter. IP trafﬁc is ﬁltered based on its source IP address

and MAC address. Only IP trafﬁc whose source IP and MAC addresses match an IP

source binding entry is permitted. When IP Source Guard is enabled in IP+MAC

ﬁltering mode, DHCP snooping Option 82 must be enabled. Without DHCP Option

82 data returned from the DHCP server, the switch cannot locate the client host port

to forward the DHCP server reply. If Option 82 is not used, the DHCP server reply is

dropped, and the DHCP client cannot obtain an IP address. Also, IP Source Guard

with IP+MAC actually disables dynamic MAC learning on the port for DHCP and

ARP packets; otherwise, MAC spooﬁng could not be prevented. This is why you need

to enable Option 82 so that the switch can populate its bridging table with accurate

information for the device connected to the switch.

The reason we must enable option 82 is so switch can forward dhcp messages from dhcp server out of appropriate port . The reason being that dynamic mac learning is disabled when we use ip source guard feature to detect spoofed ip src and mac address on a port. Since switch does not have a mac entry associated with the port , it must somehow figure out which port to send out received dhcp message from dhcp server. Switch uses option 82 to find the port and sends the message out.

Aright I got it as to why we need to enable option 82 when ip source guard feature is used to detect both spoofed ip and mac address.

My question is why configuring ip source guard for spoofed ip and mac disables dynamic mac learning on the port ? The book says

Also, IP Source Guard with IP+MAC actually disables dynamic MAC learning on the port for DHCP and

ARP packets; otherwise, MAC spooﬁng could not be prevented.

Conversely speaking, if we enable ip source guard with ip+mac, and suppose it does not disable dynamic mac leaning, then mac spoofing could not be prevented.

Lets put this to test.

Lets assume configuring ip source guard IP+mac does not disable dynamic mac learning on f1/1 .

h1 ---------------------------------------f1/1Sw---------------------server

h1---> mac1

-

h1 just powers up . Switch is already configured with ip dhcp snooping. Since ip source guard ip+mac is configured, only dhcp messages are allowed to pass through f1/1 of sw.

H1 sends dhcp discover message encapsulated in ethenet frame with src mac: mac1

Sw1 receives the dhcp message and create an entry in mac table as:

mac1 f1/1 vlan1

After few exchanges of dhcp message between h1 and dhcp server, H1 finally gets ip an address 199.199.199.1. DHCP snooping also create an dhcp binding as;

mac1 199.199.199.1 f1/1 vlan 10 days

The port f1/1 is now open for all other traffic from h1. Let say h1 wants to spoof a mac adress mac2, and ip address 199.199.199.2.

H1 create a packet let say ping packet with src mac: mac2 src ip: 199.199.199.2

H1 then sends this packet to sw.

Sw receives the packet . Since the switch is configured with IP source guard IP+ mac, It will check src ip 199.199.199.2, and src mac : mac 2 aganist the dhcp binding on f1/1.

Obviously, Spoofed ip ( 199.199.199.2) and spoofed mac ( mac 2) do not match; Sw therefore drops the packet.

In above example we are able to prevent h1 from spoofing ip and mac address when dynamic mac learning is still enabled.

The book's claim" disabling dynamic mac learning on a port configured with ip source guard Ip+mac, prevents mac spoofing" does not hold any weight.

I would appreciate your input.

thanks and have a great weekend

andresfcl · ‎05-14-2013

If you check the following link you will get why option 82 it needs to be enable, and it is because you will have to enable DHCP snooping first and then ip source guard, but DHCP snooping it will not allow DHCP reply message from the server to be broadcast and get to the requestor, it will drop the packet (behavior of DHCP snooping function) that is why you need to activate option 82 on the switch. oPTIO 82 is not there to avoid mac spoofing is just to allow DHCP reply to get to the client.

http://vcabbage.com/2010/08/07/dhcp-snooping-ip-source-guard-and-dhcp-option-82/

paul driver · ‎05-14-2013

Hello sarah,

This is my test results from ip source guard and mac- address filtering lab:

Ip source guard

--verifys source ip or ip source & mac address relating the snooping database--

switch MUST run EMI image

####################################################################################

ip source: -Layer 3 checking!

Switch

#######

int fa0/3

description Link to Host 1

switchport mode access

ip verify source

Host1

######

int fa0/0

Mac 0000.1111.1111

ip address 192.168.1.1 255.255.255.0 or via DHCP

if the mac-address is changed on this port - it will still be able to work

As ip verify source is only set to look at the ip address of the interface and not the

mac address in the binding table.-

change ip address:

##################

int fa0/0

Mac 0000.1111.1111

ip address 192.168.1.2 255.255.255.0

now connection is lost and even if you change the ip address back, it will still be down

I have found either manually adding a binding to the snoop d/B or shutdown and renable port

re-enables connection

ip dhcp snooping binding 0000.3333.3333 vlan 20 192.168.1.1 interface fa0/3 expiry 10000

This will work as long as the ip address is back in the snooping database the mac is irelivant

ip source & mac address

Switch

#######

int fa0/3

description Link to Host 1

switchport mode access

ip verify source port-security

switchport port-security

Host1

######

int fa0/0

Mac 0000.1111.1111

ip address 192.168.1.1 255.255.255.0 or via DHCP

if the ip or mac-address is change on this port - it will WONT be able to work

As ip verify source port-security is set to look at both the ip address and mac address of

the interface and the in the binding table.

Now if you change either the ip or mac-address the connection is lost

again either manually adding a binding to the snoop d/B or shutdown and renable port

re-enables connection

All static entrys are checked BEFORE the snooping database.

When interface is shut down or changed the dymainic bindings are removed from the snooping D/B

this is related to either configuration.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Agustin Ciciliani · ‎04-12-2014

Hi, although this is a rather old post, I believe discussion still deserves clarification...

After reading sarahr202 question and her example, trying to figure out why the switch should disable dynamic MAC learning, I noticed the following:

From question: "Also, IP Source Guard with IP+MAC actually disables dynamic MAC learning on the port for DHCP and

ARP packets; otherwise, MAC spooﬁng could not be prevented"

From example: "H1 create a packet let say ping packet with src mac: mac2 src ip: 199.199.199.2"

I believe the problem is specifically for DHCP and ARP protocols... For example in DHCP requests or Gratuitous ARPs (which I could use to starve a DHCP server or man-in-the-middle attack respectively), the packets do not have source IPs... Actually, those protocols are not IP-based packets... So switch cannot tell if the frame is to be trusted or not with "IP Source Guard" feature. I believe the only way would be combining with "Port-Security" feature, which can check which MAC address is trying to send frames...

Different case would be with ICMP, where we always have layer 2 and layer 3 sources and destinations, and it is IP-based...

Does it make sense? Please share your comments.