Things You Need to Know about DHCP Snooping
DHCP Attacks
- An attacker sets up a rogue DHCP server
- An attacker replies to a valid client DHCP request
- An attacker assigns IP configuration information that establishes a rogue device as the clients' default gateway (and then intercepts their traffic)
- An attacker floods the DHCP server with requests
DHCP Snooping
- Allows the configuration of ports as trusted or untrusted
- DHCP server messages (OFFER/ACK/NAK) received on untrusted ports are dropped, so a rogue server on a client port cannot answer requests
- Configure DHCP trust on the uplinks to a DHCP server
- Do not configure DHCP trust on client ports
- Switch(config)# ip dhcp snooping
- Switch(config)# ip dhcp snooping information option
- Switch(config)# ip dhcp snooping vlan 10,20
- Switch(config)# interface fa0/1
- Switch(config-if)# switchport access vlan 10
- Switch(config-if)# ip dhcp snooping limit rate 50
- Switch(config)# interface fa0/24
- Switch(config-if)# switchport mode trunk
- Switch(config-if)# switchport trunk allowed vlan 10,20
- Switch(config-if)# ip dhcp snooping trust
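The following Python model is an added example, not code from the page or from Cisco; it shows what the configuration above makes the switch do. Port names, VLANs, MAC addresses and the lease address are constructed, and the rate limit is modelled as a simple packet count per window rather than IOS's packets-per-second timer.

```python
# Added example (not from the page): a small model of how DHCP snooping treats
# packets on trusted vs. untrusted ports, builds its binding table and applies a
# per-port rate limit. Port names, MACs and addresses are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only a legitimate server should send these


@dataclass
class DhcpPacket:
    port: str          # ingress switch port
    vlan: int
    msg_type: str      # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE
    client_mac: str    # chaddr field
    yiaddr: str = ""   # address handed out (server messages only)


@dataclass
class DhcpSnooping:
    vlans: set                                       # VLANs with snooping enabled
    trusted: set = field(default_factory=set)        # ports with 'ip dhcp snooping trust'
    rate_limit: dict = field(default_factory=dict)   # port -> max client packets per window
    counters: dict = field(default_factory=lambda: defaultdict(int))
    pending: dict = field(default_factory=dict)      # client_mac -> port that sent DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)     # client_mac -> (ip, vlan, port)
    err_disabled: set = field(default_factory=set)

    def process(self, pkt: DhcpPacket) -> str:
        """Return 'forward', 'drop' or 'err-disable' for one DHCP packet."""
        if pkt.vlan not in self.vlans:
            return "forward"                         # snooping not enabled here: no inspection
        if pkt.port in self.err_disabled:
            return "drop"
        if pkt.port in self.trusted:
            # Server side: replies are forwarded and ACKs populate the binding table.
            if pkt.msg_type == "ACK" and pkt.client_mac in self.pending:
                client_port = self.pending.pop(pkt.client_mac)
                self.bindings[pkt.client_mac] = (pkt.yiaddr, pkt.vlan, client_port)
            elif pkt.msg_type == "NAK":
                self.pending.pop(pkt.client_mac, None)
            return "forward"
        # Untrusted (client) port from here on.
        limit = self.rate_limit.get(pkt.port)
        if limit is not None:
            self.counters[pkt.port] += 1
            if self.counters[pkt.port] > limit:
                self.err_disabled.add(pkt.port)      # IOS err-disables the port on a rate violation
                return "err-disable"
        if pkt.msg_type in SERVER_MSGS:
            return "drop"                            # untrusted ports cannot forward DHCP replies
        if pkt.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[pkt.client_mac] = pkt.port
        elif pkt.msg_type == "RELEASE":
            self.bindings.pop(pkt.client_mac, None)
        return "forward"


def demo():
    """Run a constructed sequence: one legitimate lease, one reply from a client port, one flood."""
    sw = DhcpSnooping(vlans={10, 20}, trusted={"fa0/24"},
                      rate_limit={"fa0/1": 50, "fa0/2": 50})
    results = [
        sw.process(DhcpPacket("fa0/1", 10, "DISCOVER", "00:11:22:33:44:55")),
        sw.process(DhcpPacket("fa0/24", 10, "OFFER", "00:11:22:33:44:55", "10.1.10.20")),
        sw.process(DhcpPacket("fa0/1", 10, "REQUEST", "00:11:22:33:44:55")),
        sw.process(DhcpPacket("fa0/24", 10, "ACK", "00:11:22:33:44:55", "10.1.10.20")),
        # A device on another access port answering the client: dropped.
        sw.process(DhcpPacket("fa0/2", 10, "OFFER", "00:11:22:33:44:55", "10.1.10.99")),
    ]
    # 48 more DISCOVERs bring fa0/1 to 50 packets, still within the limit.
    flood = [sw.process(DhcpPacket("fa0/1", 10, "DISCOVER", "de:ad:be:ef:00:%02x" % i))
             for i in range(48)]
    # The 51st packet exceeds 'limit rate 50' and err-disables the port.
    results.append(sw.process(DhcpPacket("fa0/1", 10, "DISCOVER", "de:ad:be:ef:ff:ff")))
    return sw, results, flood
```

The binding table that `demo()` leaves behind (client MAC, leased IP, VLAN, client port) is the same information that DAI and IP Source Guard consume later on this page.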
ARP Poisoning
- Host A sends an ARP request for the MAC address of the default gateway (DG)
- The DG replies with its MAC and IP address, and also updates its own ARP cache with host A's binding
- Host A binds the DG's MAC address to the DG's IP address
- The attacker sends an ARP message binding its own MAC address to the IP address of the DG (and, towards the DG, to the IP address of host A)
- Host A now binds the attacker's MAC address to the DG's IP address, and the DG binds the attacker's MAC address to host A's IP address
- Packets between host A and the DG are now diverted through the attacker
Dynamic ARP Inspection (DAI)
- Protects against ARP poisoning
- Uses the DHCP Snooping binding table (DHCP Snooping is required for DAI)
- Tracks IP-to-MAC bindings learned from DHCP transactions
- Drops gratuitous ARPs whose sender binding does not match the table
- Stops ARP poisoning and man-in-the-middle attacks
- Rate-limits ARP requests from client ports
- Untrusted ports undergo DAI validation
Configuring DAI
- Switch(config)# ip dhcp snooping
- Switch(config)# ip dhcp snooping vlan 10,20
- Switch(config)# ip arp inspection vlan 10,20
- Switch(config)# interface fa0/1
- Switch(config-if)# switchport access vlan 10
- Switch(config-if)# ip dhcp snooping limit rate 50
- Switch(config)# interface fa0/24
- Switch(config-if)# switchport mode trunk
- Switch(config-if)# switchport trunk allowed vlan 10,20
- Switch(config-if)# ip dhcp snooping trust
- Switch(config-if)# ip arp inspection trust
IP Source Guard
- Protects against spoofed IP addresses
- Uses the DHCP snooping binding table (DHCP Snooping must be enabled)
- Tracks IP addresses to port associations
- Dynamically programs port ACLs to drop traffic not originating from an IP address assigned via DHCP
Configuration with DHCP Snooping, DAI, and Source Guard:
- Switch(config)# ip dhcp snooping
- Switch(config)# ip dhcp snooping vlan 10,20
- Switch(config)# ip arp inspection vlan 10,20
- Switch(config)# interface fa0/1
- Switch(config-if)# switchport access vlan 10
- Switch(config-if)# ip dhcp snooping limit rate 50
- Switch(config-if)# ip verify source port-security
- Switch(config)# interface fa0/24
- Switch(config-if)# switchport mode trunk
- Switch(config-if)# switchport trunk allowed vlan 10,20
- Switch(config-if)# ip dhcp snooping trust
- Switch(config-if)# ip arp inspection trust
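To make the DAI and IP Source Guard sections concrete, here is an added Python example (not from the page or from Cisco) of the decisions those two features take against the DHCP snooping binding table. The binding table, the trusted port, the gateway address and every MAC address are constructed; `ip verify source port-security` is modelled by passing the source MAC as well as the source IP.

```python
# Added example (not from the page): how DAI and IP Source Guard consult the
# DHCP snooping binding table. Table, ports and addresses are constructed; on a
# real switch the table is what 'show ip dhcp snooping binding' displays.
from dataclasses import dataclass

# Constructed binding table: client MAC -> (IP, VLAN, port), as built by DHCP snooping
BINDINGS = {
    "00:11:22:33:44:55": ("10.1.10.20", 10, "fa0/1"),
    "00:11:22:33:44:66": ("10.1.10.21", 10, "fa0/2"),
}
TRUSTED_PORTS = {"fa0/24"}   # 'ip dhcp snooping trust' + 'ip arp inspection trust'
GATEWAY_IP = "10.1.10.1"     # constructed default-gateway address
ARP_RATE_LIMIT = 15          # IOS default for untrusted ports: 15 ARP packets per second
_arp_counts = {}


@dataclass
class ArpFrame:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    op: str = "reply"        # 'request' or 'reply'; gratuitous ARP has sender_ip == target_ip


def dai_inspect(frame: ArpFrame) -> tuple:
    """DAI decision for one ARP frame on its ingress port: ('permit'|'deny', reason)."""
    if frame.port in TRUSTED_PORTS:
        return ("permit", "trusted port, not inspected")
    binding = BINDINGS.get(frame.sender_mac)
    if binding is None:
        return ("deny", "sender MAC has no DHCP binding")
    ip, vlan, port = binding
    if (ip, vlan, port) != (frame.sender_ip, frame.vlan, frame.port):
        return ("deny", f"sender {frame.sender_mac}/{frame.sender_ip} does not match "
                        f"binding {ip} vlan {vlan} {port}")
    return ("permit", "sender binding valid")


def arp_rate_ok(port: str) -> bool:
    """Count ARP frames per untrusted port within one (notional) one-second window."""
    if port in TRUSTED_PORTS:
        return True
    _arp_counts[port] = _arp_counts.get(port, 0) + 1
    return _arp_counts[port] <= ARP_RATE_LIMIT     # beyond this IOS err-disables the port


def ipsg_permit(port: str, vlan: int, src_ip: str, src_mac: str = None) -> bool:
    """IP Source Guard: permit only traffic whose source IP is bound to this port.
    With src_mac given (the 'port-security' keyword), the source MAC must match too."""
    if port in TRUSTED_PORTS:
        return True
    for mac, (ip, b_vlan, b_port) in BINDINGS.items():
        if b_port == port and b_vlan == vlan and ip == src_ip:
            return src_mac is None or src_mac == mac
    return False                                    # no binding: the dynamic port ACL drops it


def demo():
    """DAI verdicts for four constructed ARP frames."""
    frames = [
        # Host on fa0/1 answering with its own bound address: valid.
        ArpFrame("fa0/1", 10, "00:11:22:33:44:55", "10.1.10.20", GATEWAY_IP),
        # Host on fa0/2 claiming the gateway's IP instead of its bound one: denied.
        ArpFrame("fa0/2", 10, "00:11:22:33:44:66", GATEWAY_IP, "10.1.10.20"),
        # MAC with no DHCP lease on an access port: denied.
        ArpFrame("fa0/3", 10, "aa:bb:cc:dd:ee:ff", "10.1.10.30", GATEWAY_IP),
        # The real gateway replying over the trusted uplink: not inspected.
        ArpFrame("fa0/24", 10, "00:00:5e:00:01:01", GATEWAY_IP, "10.1.10.20"),
    ]
    return [dai_inspect(f)[0] for f in frames]
```

Note that a host with a static address on an access port has no binding and is dropped by both features; on a real switch such hosts need a static entry (`ip source binding` or an ARP ACL), which is why DHCP snooping must be enabled before DAI or IP Source Guard.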
Configuration of Secure Shell
- Switch(config)# username Student password C1sc0
- Switch(config)# ip domain-name corporate.com
- Switch(config)# crypto key generate rsa
- Switch(config)# ip ssh version 2
- Switch(config)# line vty 0 15
- Switch(config-line)# login local
- Switch(config-line)# transport input ssh
Configuration of HTTP Server (HTTPS only, restricted by ACL):
- Switch(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
- Switch(config)# username Student password C1sc0
- Switch(config)# ip domain-name corporate.com
- Switch(config)# crypto key generate rsa
- Switch(config)# no ip http server
- Switch(config)# ip http secure-server
- Switch(config)# ip http access-class 100
- Switch(config)# ip http authentication local
Switch Security Recommendations:
- Configure system passwords
- Authenticate admin access via TACACS+ server
- Configure encrypted or hashed passwords
- Secure physical access to the console
- Secure Telnet access with ACL
- Use SSH when possible
- Configure system warning banners
- Use Syslog to log system messages
- Disable unused services
- Secure switch protocols
- Trim CDP and LLDP and use only as needed
- Secure STP
- Mitigate compromises through a switch
- Take precautions for trunk links
- Minimize physical port access
- Establish standard access port configuration for both unused and used ports
- Shut down unused ports
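As an added example (not code from the page), the Python script below audits a Catalyst running-config against the Secure Shell and HTTP server configurations and several of the recommendations listed above. The sample configuration text is constructed for this purpose, the checks are a subset of the list, and the IOS command syntax assumed is the one shown on this page.

```python
# Added example (not from the page): audit a running-config against the
# management-access and switch-security items listed above. SAMPLE_CONFIG is
# constructed; the checks cover only a subset of the recommendations.

# Constructed running-config with several deliberate gaps.
SAMPLE_CONFIG = """\
hostname SW1
enable secret 5 $1$placeholder
username Student password C1sc0
ip domain-name corporate.com
ip ssh version 2
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
no ip http server
ip http secure-server
!
interface FastEthernet0/1
 switchport access vlan 10
 ip dhcp snooping limit rate 50
!
interface FastEthernet0/2
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""


def parse_sections(config):
    """Return (global lines, {'interface X'/'line Y' header: [indented lines]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = None
            continue
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, sections


def audit(config):
    """Return a list of human-readable findings; an empty list means every check passed."""
    g, sections = parse_sections(config)
    gset, findings = set(g), []
    if "ip ssh version 2" not in gset:
        findings.append("global: SSH version 2 not enforced")
    if "ip http server" in gset or "no ip http server" not in gset:
        findings.append("global: plaintext HTTP server not disabled")
    if "ip http secure-server" in gset and not any(x.startswith("ip http access-class") for x in g):
        findings.append("global: HTTPS enabled without an access-class")
    if not any(x.startswith("banner ") for x in g):
        findings.append("global: no warning banner")
    if not any(x.startswith("logging ") for x in g):
        findings.append("global: no syslog host configured")
    if "service password-encryption" not in gset:
        findings.append("global: service password-encryption not set")
    for user in (x for x in g if x.startswith("username ") and " password " in x):
        findings.append(f"global: username {user.split()[1]} uses reversible password, use secret")
    snooping = "ip dhcp snooping" in gset
    dai = any(x.startswith("ip arp inspection vlan") for x in g)
    for hdr, lines in sections.items():
        name, lset = hdr.split(None, 1)[1], set(lines)
        if hdr.startswith("interface "):
            if "shutdown" in lset:
                continue                                 # unused port already shut down
            if not lines:
                findings.append(f"{name}: default configuration, shut down if unused")
            elif "switchport mode trunk" in lset:        # uplink: must be trusted
                if snooping and "ip dhcp snooping trust" not in lset:
                    findings.append(f"{name}: trunk/uplink not DHCP-snooping trusted")
                if dai and "ip arp inspection trust" not in lset:
                    findings.append(f"{name}: trunk/uplink not DAI trusted")
            else:                                        # access port: untrusted, rate-limited
                if "ip dhcp snooping trust" in lset:
                    findings.append(f"{name}: client port must not be DHCP trusted")
                if snooping and not any(x.startswith("ip dhcp snooping limit rate") for x in lines):
                    findings.append(f"{name}: no DHCP rate limit on client port")
        else:                                            # line vty / con
            if hdr.startswith("line vty") and "transport input ssh" not in lset:
                findings.append(f"{name}: vty allows non-SSH transport")
            if "login local" not in lset and not any(x.startswith("login authentication") for x in lines):
                findings.append(f"{name}: no login authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the missing HTTPS access-class, banner, syslog and password encryption, the reversible `username ... password`, the untouched FastEthernet0/2, the uplink that is DHCP-trusted but not DAI-trusted, and the second vty range that still accepts Telnet.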
Be sure you can configure:
- Port Security
- DHCP Snooping
- DAI
- IP Source Guard
- AAA Authentication
- 802.1X Authentication
- VLAN access maps
- Secure Shell
- HTTPS
Be sure you are familiar with:
- show port-security [interface] [address]
- show ip dhcp snooping
- show ip dhcp conflict
- DHCP spoofing
- ARP poisoning and Dynamic ARP inspection (DAI)
- Authentication
- Authorization
- Accounting
- Switch security recommendations