1532 Views, 0 Helpful, 11 Replies

snooping on switch

srikanth ath
Level 4

Hi guys, I need help with DHCP snooping.

I want to configure my core switch (3750) as a DHCP server that serves clients with IPs.

Here is my configuration on the core switch with 3 VLANs.

core

! vlan 20, vlan 30 and vlan 40 are configured.

interface vlan 30
 ip address 10.10.10.1 255.255.255.0
 no shut

interface vlan 40
 ip address 10.10.20.1 255.255.255.0
 no shut

interface vlan 20
 ip address 10.10.30.1 255.255.255.0
 no shut

DHCP server on the core switch (pool 1 = market, pool 2 = network, pool 3 = hr):

core# service dhcp

ip dhcp pool market
 network 10.10.10.0 255.255.255.0

ip dhcp pool network
 network 10.10.20.0 255.255.255.0

ip dhcp pool hr
 network 10.10.30.0 255.255.255.0

! manual binding for one host: IOS keeps each host binding in its own pool,
! so it cannot sit inside the "market" pool next to the network statement
! (pool name "market-host1" chosen here for the example)
ip dhcp pool market-host1
 host 10.10.10.2 255.255.255.0
 client-identifier 0100.0cf1.0560.98   <-- mac-address of host

end

! excluded-address takes one address (or a low-high range) per line
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
ip dhcp excluded-address 10.10.30.1

Here I have connected a layer 2 switch to the core switch, made it a trunk port at each end, and configured the ports with VLAN access.

Layer 2 switch, for example:

int fa 0/2
 switchport mode access
 switchport access vlan 20

Now the user connected to port fa 0/2 (vlan 20) gets the IP 10.10.10.2 from the market pool (pool 1).

Conditions:

1. Say in pool 1 (market) I have 50 clients. I don't want any other person to be able to carry his laptop, plug into our network and access it. For this I want to put all 50 clients' MAC addresses into the pool, to provide each of them with a static IP address.

2. Say in pools 2 and 3 I have the same 50 clients each, and I give IPs based on MAC address.

Here are my queries.

I heard that DHCP snooping is a technique to avoid man-in-the-middle attacks and spoofing attacks.

1. If yes, how can I use these commands to configure my network so that it satisfies conditions 1 and 2 (providing an IP based on MAC address), or irrespective of MAC address, where the only concern is that no one should gain access to our company network physically (plugging into a port) or remotely?

2. If yes, what are all the commands I need to give on the core switch and the layer 2 switch per VLAN, per port and per trunk port?

3. Or is configuring static IPs in the DHCP pool with MAC addresses for all 150 clients, in their respective VLAN ID and pool, the best means of security (please justify)?

I very badly need advice from you guys.

Thanks in advance

srikanth
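Conditions 1 and 2 above amount to one manual DHCP binding per known MAC address, which on IOS means one pool per host. The following Python script is an added example, not code from the thread or from any of the posters: it turns a small constructed inventory into the IOS pool statements, computes the client-identifier in the form the question uses (hardware type 01 followed by the MAC, written as dotted groups), and rejects duplicate MACs, duplicate IPs, and a host address outside its VLAN's subnet. The pool names, MACs and addresses below are constructed sample values.

```python
# Added example (not from the thread): build Cisco IOS DHCP manual-binding
# pools from an inventory of known clients, one pool per host as IOS requires.
# The inventory below is constructed sample data, not the poster's real hosts.
import ipaddress
import re

# Constructed inventory: (pool name, VLAN, subnet, MAC, IP) per known client.
INVENTORY = [
    ("market-pc1", 30, "10.10.10.0/24", "00:0c:f1:05:60:98", "10.10.10.2"),
    ("market-pc2", 30, "10.10.10.0/24", "00:0c:f1:05:60:99", "10.10.10.3"),
    ("hr-pc1",     20, "10.10.30.0/24", "00:0c:f1:aa:bb:cc", "10.10.30.2"),
]


def ios_client_identifier(mac: str) -> str:
    """Return the IOS client-identifier for an Ethernet MAC: hardware type
    byte 01 followed by the MAC, written as dotted groups of four hex digits
    (e.g. 00:0c:f1:05:60:98 -> 0100.0cf1.0560.98). Accepts colon, dash or
    dotted-quad MAC notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def validate(inventory) -> None:
    """Reject inventories that would silently break the pools: duplicate MACs,
    duplicate IPs, or a host address outside its VLAN's subnet."""
    seen_mac, seen_ip = set(), set()
    for name, vlan, subnet, mac, ip in inventory:
        net = ipaddress.ip_network(subnet)
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{name}: {ip} is not inside {subnet} (vlan {vlan})")
        key = ios_client_identifier(mac)
        if key in seen_mac:
            raise ValueError(f"{name}: duplicate MAC {mac}")
        if addr in seen_ip:
            raise ValueError(f"{name}: duplicate IP {ip}")
        seen_mac.add(key)
        seen_ip.add(addr)


def render_pools(inventory) -> str:
    """Emit one 'ip dhcp pool' block per host with host + client-identifier."""
    validate(inventory)
    lines = []
    for name, vlan, subnet, mac, ip in inventory:
        net = ipaddress.ip_network(subnet)
        lines += [
            f"ip dhcp pool {name}",
            f" host {ip} {net.netmask}",
            f" client-identifier {ios_client_identifier(mac)}",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pools(INVENTORY))
```

One caveat worth keeping in mind when reading the generated configuration: a manual binding only pins an address to a MAC. If a `network` pool covering the same subnet stays configured, clients whose MAC is not in the inventory still receive dynamic leases from that pool, so the bindings alone do not keep an unknown device off the VLAN.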

11 Replies

srikanth ath
Level 4

Can somebody help me out please?

Thanks

srikanth

Does anyone have an answer for this???

Reza Sharifi
Hall of Fame

DHCP snooping is usually used to prevent attacks coming from untrusted sources sitting behind a firewall. In your case all these VLANs are under your admin. So, a couple of choices here: 1. Configure a static IP address for each client and do not give them admin rights to the laptops or workstations, so they can never change the IP address. 2. Configure the MAC address for each device with the "client-identifier" command. This can be a pain, because as soon as a client moves from one port to another in the same area, they cannot connect to the network since the MAC address is not configured on that port.

HTH

But can I enable DHCP snooping on all switches?

1. If yes, how is it helpful to my network?

2. What does snooping actually do?

Hi Reza,

Would this mean DHCP snooping is only useful when we are using (ip helper-address), making the switch a relay agent?

If we make the switch the DHCP server, is there no need to be concerned about enabling DHCP snooping?

thanks in advance

srikanth

Hello Srikant,

You must try DHCP snooping and ARP inspection on an access switch (I'm not sure if it is needed on the DHCP switch).

ip arp inspection vlan 10,20,30
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
! We are using a Windows DHCP server, which cannot use option 82.
ip dhcp snooping

On the trunk to the core switch:

 ip arp inspection trust
 ip dhcp snooping trust

On an untrusted access port:

 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100

Beware: if you set up DHCP snooping, all clients will be blocked by the ARP inspection rule. After a client makes a DHCP request it will be working.

You can check the clients with the DHCP snooping binding table:

switch#show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.10.2       678805      dhcp-snooping  10    GigabitEthernet0/27
Total number of bindings: 1

Success, Harrie
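The binding table shown above is the one artefact an operator can audit against the list of known clients the original question describes. As an added example (not from the thread or from Harrie's switch), this Python script parses `show ip dhcp snooping binding` output in the column layout shown above and compares it with an expected MAC-to-(IP, VLAN) inventory, reporting MACs the inventory does not know, known MACs that show up on the wrong VLAN or with a different address, and inventory entries that have no binding at all. The output text and the inventory are constructed sample data.

```python
# Added example (not from the thread): parse "show ip dhcp snooping binding"
# output and audit it against an inventory of known clients.
import re
from dataclasses import dataclass

# Constructed sample output in the column layout the post above shows.
SAMPLE_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.10.2       678805      dhcp-snooping  10    GigabitEthernet0/27
00:11:22:33:44:66   10.10.10.3       600000      dhcp-snooping  10    GigabitEthernet0/28
de:ad:be:ef:00:01   10.10.10.50      85000       dhcp-snooping  10    GigabitEthernet0/12
Total number of bindings: 3
"""

# Constructed inventory: MAC -> (expected IP, expected VLAN).
EXPECTED = {
    "00:11:22:33:44:55": ("10.10.10.2", 10),
    "00:11:22:33:44:66": ("10.10.10.3", 10),
    "00:11:22:33:44:77": ("10.10.10.4", 10),
}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int        # seconds; -1 if the switch prints "infinite"
    kind: str         # e.g. dhcp-snooping
    vlan: int
    interface: str


# One data row: MAC, IP, lease, type, VLAN, interface separated by whitespace.
ROW = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+|infinite)\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.I,
)


def parse_bindings(text: str) -> list:
    """Return a Binding per data row; header, separator and total lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        lease = -1 if m.group(3).lower() == "infinite" else int(m.group(3))
        out.append(Binding(m.group(1).lower(), m.group(2), lease,
                           m.group(4), int(m.group(5)), m.group(6)))
    return out


def audit(bindings: list, expected: dict) -> list:
    """Compare bindings with the inventory; each finding is (kind, mac, interface)."""
    findings, seen = [], set()
    for b in bindings:
        seen.add(b.mac)
        exp = expected.get(b.mac)
        if exp is None:
            findings.append(("unknown-mac", b.mac, b.interface))
            continue
        ip, vlan = exp
        if b.vlan != vlan:
            findings.append(("wrong-vlan", b.mac, b.interface))
        if b.ip != ip:
            findings.append(("ip-mismatch", b.mac, b.interface))
    for mac in expected:
        if mac not in seen:
            findings.append(("not-seen", mac, "-"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bindings(SAMPLE_OUTPUT), EXPECTED):
        print(*finding)
```

A "not-seen" finding is expected for a host that is simply switched off; an "unknown-mac" finding on an access port is the one that deserves a look, since it means a device outside the inventory completed a DHCP exchange on that port.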

Hi,

I think the solution to your problem, that is to prevent outsiders from plugging in their laptop and getting an IP address, would be dot1x.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.pdf

Regards.

Alain.

Don't forget to rate helpful posts.

Hello Alain,

First you have 802.1X, and the switch sets the port in a VLAN.

Then second, DHCP will request an IP address.

If the PC has an IP address, there will be a DHCP snooping binding in the switch.

Another problem is that with 802.1X the VLAN may change (for example from the PC VLAN to the guest VLAN). The DHCP snooping binding does not overlap the new setting, and you get blocking (show logging).

Greetings, Harrie

Hi,

You can do dot1x without dynamic VLAN assignment, and if the connecting host doesn't have the correct credentials it won't be able to communicate at layer 2, so neither at layer 3, and won't be able to request a DHCP leased address.

DHCP snooping is only there to prevent rogue DHCP servers and DHCP starvation used in MitM attacks.

Of course the 2 features aren't incompatible, so he could use DHCP snooping also, but it's a lot of overhead to do manual bindings for so many hosts, and furthermore MAC spoofing would give away a DHCP address to the outsider.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks Alain.

Here in my network we are not using any authentication server (RADIUS, TACACS).

I want to configure VLANs, and those VLANs' clients should get an IP (a static IP configured based on MAC address) from the switch itself.

I have gone through DHCP snooping but couldn't understand a few points:

1. DHCP snooping is only useful when we are using (ip helper-address), making the switch a relay agent.

2. If we make the switch the DHCP server, there is no need to be concerned about enabling DHCP snooping.

My main concern is that every client should get a static IP configured.

thanks in advance

srikanth

Hi srikanth,

1) No. DHCP snooping is a way to mitigate some forms of man-in-the-middle attack using DHCP starvation and/or rogue DHCP servers. By default, when this feature is on it puts all ports in the configured VLAN as untrusted, which means they can't receive DHCP server packets (offer, ack, nak); then you have to put the ports going to the DHCP server as trusted. There will be a table called the DHCP snooping binding table, which associates MAC address, leased IP address and port.

2) No, no need to.

Regards.

Alain.

Don't forget to rate helpful posts.
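To make the trusted/untrusted behaviour Alain describes (and the "clients are blocked until they complete DHCP" effect Harrie mentions) concrete, here is an added example, not code from the thread or from Cisco: a small Python model of the per-frame decisions a switch makes with DHCP snooping and Dynamic ARP Inspection enabled. It drops server messages (OFFER/ACK/NAK) arriving on untrusted ports, drops client messages whose chaddr does not match the frame's source MAC, enforces the per-port DHCP rate limit, learns a binding from an ACK on a trusted port, and lets DAI accept an ARP on an untrusted port only when the sender IP/MAC pair matches a binding for that VLAN. It is a simplification: no option 82, no lease expiry, no per-VLAN enable flag, and no separate ARP rate limit. Port names, MACs and addresses in the scenario are constructed.

```python
# Added example (not from the thread): a model of DHCP snooping + DAI decisions,
# simplified (no option 82, no lease expiry, no ARP rate limit).
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only trusted ports may carry these


@dataclass
class SnoopingSwitch:
    trusted: set                        # ports configured "ip dhcp snooping trust"
    rate_limit: int = 100               # "ip dhcp snooping limit rate 100" per untrusted port
    bindings: dict = field(default_factory=dict)   # (vlan, client mac) -> leased ip
    pending: dict = field(default_factory=dict)    # (vlan, client mac) -> port awaiting ACK
    counts: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, src_mac, chaddr, yiaddr=None) -> bool:
        """Return True if the DHCP message is forwarded, False if dropped."""
        if port not in self.trusted:
            self.counts[port] += 1
            if self.counts[port] > self.rate_limit:
                self.log.append(f"{port}: DHCP rate limit exceeded, port err-disabled")
                return False
            if msg in SERVER_MSGS:
                self.log.append(f"{port}: dropped {msg} from untrusted port (rogue server)")
                return False
            if src_mac != chaddr:       # MAC verification: chaddr must match frame source
                self.log.append(f"{port}: dropped {msg}, chaddr {chaddr} != source {src_mac}")
                return False
            self.pending[(vlan, chaddr)] = port
            return True
        # Trusted port: server replies pass, and an ACK populates the binding table
        # for a client whose request was seen on an untrusted port.
        if msg == "ACK" and yiaddr and (vlan, chaddr) in self.pending:
            self.bindings[(vlan, chaddr)] = yiaddr
            client_port = self.pending.pop((vlan, chaddr))
            self.log.append(f"binding {chaddr} -> {yiaddr} vlan {vlan} on {client_port}")
        return True

    def arp(self, port, vlan, sender_mac, sender_ip) -> bool:
        """DAI: on untrusted ports the sender IP/MAC pair must match a binding."""
        if port in self.trusted:
            return True
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return True
        self.log.append(f"{port}: DAI dropped ARP {sender_mac}/{sender_ip} vlan {vlan} (no binding)")
        return False


def scenario():
    """Constructed exchange: a legitimate client, a rogue server, and a spoofed ARP."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})   # Gi0/1: trunk toward the real DHCP server
    client = "00:0c:f1:05:60:98"
    server = "00:00:5e:00:53:01"
    r = {}
    # Before DHCP completes, the client's ARP is blocked (the effect Harrie describes).
    r["arp_before_dhcp"] = sw.arp("Fa0/2", 20, client, "10.10.30.2")
    r["request"] = sw.dhcp("Fa0/2", 20, "REQUEST", client, client)
    r["ack"] = sw.dhcp("Gi0/1", 20, "ACK", server, client, yiaddr="10.10.30.2")
    r["arp_after_dhcp"] = sw.arp("Fa0/2", 20, client, "10.10.30.2")
    # A DHCP server reply arriving on an access port is dropped.
    r["rogue_offer"] = sw.dhcp("Fa0/5", 20, "OFFER", "de:ad:be:ef:00:01", client,
                               yiaddr="10.10.30.99")
    # Another host claiming the legitimate client's address in ARP is dropped by DAI.
    r["spoofed_arp"] = sw.arp("Fa0/3", 20, "de:ad:be:ef:00:02", "10.10.30.2")
    return sw, r


if __name__ == "__main__":
    switch, results = scenario()
    print(results)
    print("\n".join(switch.log))
```

The model shows why snooping on its own does not answer the original question: a device that completes a normal DHCP exchange on an untrusted port simply gets a binding and is then allowed through DAI; the feature protects the DHCP and ARP exchanges themselves rather than deciding who may join the VLAN.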