DHCP Snooping | Cisco CCNA 200-301

Welcome, everybody. It is so good to have you for a few minutes today. Last week in our livestream we took a look at OSPF, the link-state routing protocol that converges quickly, and had a lot of fun. I asked you last week what topic you'd like to cover this week, and the majority vote was DHCP snooping, so that's exactly what we are going to do. I also want to ask the same question to get your input for next week: what topic would you like? Here are our three choices: switch port security, dynamic ARP inspection, or access control lists. Each week I'll suggest three or four ideas and let you choose, so if you take a moment right now and type in what you'd love to have as the topic next week, we'll do that for the livestream.

Before we talk about DHCP snooping today, I want to thank you for your attendance and for being here with me. It's a little embarrassing: today was an interesting day. It's the day before Thanksgiving, so I finished at my work early, my son and his girlfriend were down visiting, I got chatting with them, we had a nice lunch, and then I totally forgot about the livestream until about two hours ago, when Jake texted me and said, "Hey, do you want me to moderate your livestream today?" It's like that dream where you forgot something; my version is that I have a class or some type of session and I can't get online, or I forgot it was going to happen. So about two hours ago I was reminded that I had the livestream, and because my schedule was a little wackadoodle I'm so grateful that I remembered. I don't want to miss a single session with you.

Also, the new CCNA content and the DevNet content are being released in December. I guess this month, but it's the 27th of November, so they'll be released in December. Looking forward to that. Also in DevNet they gave me a chance to teach network fundamentals: as we learn how to automate routers and switches and networks, it's important for a person to know what the devices do, so there's an entry-level section called Network Fundamentals in DevNet that I'm super excited to be part of. I'm working on that course with Ben Finkel and Knox Hutchison, who are in charge of walking us through setting up an environment for automation, the infrastructure, and then how to actually do the network automation. It's a lot of fun stuff, and all that content is coming out very shortly, in December of 2019, so I'm looking forward to having you enjoy that.

Getting to the point of today's topic, which is DHCP snooping, let me bring up a screen and share the behind-the-scenes look at what we do when we create content here. Let me line this up so we can see it. This is my CBT Nuggets studio, and this is the content I've created regarding DHCP snooping. There's a quick introduction, and instead of playing the introduction for you, let me tell you why DHCP snooping is so darn important.

DHCP, the Dynamic Host Configuration Protocol, is the protocol that automatically gets devices an IP address so they can work on the network. To communicate on a network we need a few things going for us: we need an IP address, which includes the network portion and host portion with the mask; we also need a default gateway, unless we just stay on the local network all day; and we also need something to do name resolution, so that when we go to a site like www.bbc.com or twitch.com or cbtnuggets.com that name can be resolved to an IP address,
and so we use DNS, the Domain Name System, for that. Every device that wants to use DNS needs to know the IP address of a DNS server. We can configure all of that manually, and sometimes we do on our core network devices, but for most clients, the thousands and thousands of clients on networks, we use DHCP, the Dynamic Host Configuration Protocol. It basically boils down to four exchanges, four packets, so let's you and I play the role of a DHCP client. It goes like this: somebody goes to the computer and, in the network configuration, clicks the radio button that says "obtain an IP address automatically," which means "be a DHCP client." The client shouts, "Hey, I'm looking for a DHCP server." It's a broadcast at layer 2, a broadcast frame sent in that VLAN to all other devices. DHCP, by the way, uses UDP, the User Datagram Protocol, at the transport layer, so a DHCP server is listening on the well-known UDP port for DHCP. If there's a DHCP server, it responds with an offer. So the initial client request is called a discover, and then the server offers: "Hey, here's a beautiful IP address, you're gonna love it. Here's the mask, here's the DNS server you can use, here's the default gateway you can use." Those are all included in the offer. The client says, "Whoa, thank you very much, it looks great, I'll take it." That's a request: the client says, "I'd like to request the offer you just gave me, I'd like to request that IP address and use that information." Then the final acknowledgement from the DHCP server says, "Yep, you got it." That's the acknowledgment. So that process is known as DORA: D-O-R-A, discover from the client, offer from the server, request from the client, acknowledgement from the server, like Dora the Explorer. It's used millions of times every day across networks.

The challenge is this: somebody brings in one of these from home. This is an example of a home wireless access point and router. If somebody takes this from their home, brings it to work, plugs it in and powers it up, these bad boys have a DHCP server built in and turned on automatically, and they're handing out IP addresses, very likely not the correct IP addresses, the correct DNS information, or the correct default gateway for the corporate network. So the poor client that does a discover and gets an offer from this guy is going to get bogus information, and there's going to be a denial of service, a failure of service, to that device.

It also could be more malicious, like this bad boy right here. Say hello to my little friend. How many of you recognize what this is? This is a Raspberry Pi, very inexpensive. This device has USB ports, it has a wireless card, it's got a slot for a flash card as its hard drive, an HDMI output and an Ethernet connection, so basically it's a computer in a very small form factor, powered by USB. A device like this, if it's plugged in and running software like Kali Linux, or even other software, could be a DHCP server. If there's an attacker on your network, the attacker may want to hand out bogus information, or hand out itself as the default gateway, so that when clients get an IP address they use this device as their default gateway. This guy can then route them on to the real default gateway and act as a man-in-the-middle. So easy to do.

In the 90s that's what happened to me, accidentally, well, sort of. In the 90s, when Wi-Fi was fairly new and fairly readily available, I went to a conference, and at that conference I brought my huge laptop, I mean it was a massive brick, and we were on Windows NT 4.0, and they had these wireless network cards that you could rent or check out. So I put one in; it was probably WEP that was the thing back then. Anyway, I plugged it in and I wondered, can I be a DHCP server? The answer is yes. There was very little security at all, and I created a scope of addresses that was appropriate and pointed to myself as the DNS server, this is in the 90s, and then I had my DNS server use the real DNS server for lookups, so I didn't actually manipulate or harm anybody's traffic. I didn't cause anybody's traffic to go to unauthorized or unintended websites, but it would have been super easy to do, and it still is. So a contractor, a customer, or a person who's curious could, either in software or with a dedicated device, become a DHCP server, start handing out IP addresses, and unfortunately cause a compromise on the network.

So how do you prevent that? I'm glad you asked. The way to prevent it is we tell the switch, like this guy, using a technique called DHCP snooping. What do you mean? Well, you know those messages that a DHCP server would send into the network? In fact, let's connect it up. Let's imagine this is our rogue DHCP server (this is a plastic baggie that I use to keep my cables straight; speaking of straight-through cables, this is a straight-through patch cable), so I plug in here and imagine this goes to the switch port, and this is the rogue DHCP server, assuming it was powered on. When a client issues a DHCP discover message, this rogue, fake, mean DHCP server sees it and tries to respond. When this guy sends an offer, a DHCP server-type message, into the network, the switch, once DHCP snooping is running, says on this port: "No, I'm not accepting any inbound traffic regarding DHCP server-type messages, like offers, acknowledgments, things like that. I'm not allowing them in unless this is specifically a DHCP snooping trusted port." So by default, if we enable DHCP snooping on VLAN 10 and we didn't specify this port as a trusted port, any time this device tries to send offers, acknowledgments, anything that a server might respond into the network with, the switch at this port will deny it. This is a fantastic feature. How many people should be running this if they have the capability in their switches? Everybody, because we don't want to accidentally or maliciously have anybody acting as a DHCP server trying to deny service on our networks or trying to influence our networks.

I'm gonna put these back in the baggies so I can sort them. I learned a long time ago that by putting my stuff in bags it helps keep it from getting tangled as much; this bin is labeled Ethernet, and I've got like six bins of various types of devices and things. This is an adapter that turns a straight-through cable into a crossover cable, which is fantastic if you're in a pinch, and I've got fiber with various connectors, so anything related to Ethernet cabling and connections I keep in this bin right here, and I'll tell you what, it comes in handy. I've got one for devices, power cables, audio devices, USB, and it makes it really handy.

Okay, so that's the scoop regarding DHCP snooping. What I'd like to do is show you one video that talks about the basics of how it's configured, because we just talked about why it's needed, and then maybe walk you through a lab where I provide hands-on practice for actually implementing and verifying it. Before I launch the video with the recipe for DHCP snooping, which is basically the ingredients of how to get it done, I'd like to give you a moment: if you have any questions about what we have talked about so far regarding DHCP snooping, go ahead and type them in. Jake's helping me with the moderation, and we'll give that 15 to 20 seconds for any questions to make sure I've got them, and without any further questions we'll go ahead and watch the video. So I'll be right back, and thanks in advance for your questions.

Okay, I do have one question, and then we'll go straight to the video. It says, "Hey Keith, I'm getting my A+ by the end of the year." Fantastic, way to go, awesome. Let me look at my notes, thanks Jake for feeding these to me. "After A+, should I do the Network+ or the new CCNA?" I am so glad you asked. Here's what I would do. The CompTIA Network+ is amazing: it covers a lot of ground, a lot of fundamentals. If I was going to do it, and I was just going to finish my A+ by the end of this year, I would go right into Network+, study that for a couple of months, three months, ramp up on it, make sure you're comfortable with it, and go take that exam. Then immediately following that, and maybe it'll be February or March, because the new CCNA exam will be out by then, maybe even April if it takes you that long to finish Network+, go right into CCNA. Most of the content that you learned in Network+ you will be able to directly apply to the world of CCNA. So I would do the A+ by the end of the year, that's fantastic, then Network+, and then right into CCNA, because by then it'll be available.

Let me read the next one. I believe the question is about EVE-NG and GNS3 and getting hands-on practice. So here's the key for hands-on practice for CCNA, you ready? The goal is to get the hands-on practice, and there seems to be a feeling of "oh, I gotta have the physical gear," like I've got to have the physical gear right next to me and touch it and put the cables in. In the production environment we rarely see the physical gear anymore. I mean, you can walk through the data center and see the physical gear, but most of the time we're in our office, at a desk, at a site, working on devices that are physically not next to us. So in the real world we're gonna be working in a terminal, looking at topology diagrams and configuring devices, but not a ton of consoling in and doing it right there on the physical gear. So as far as hands-on practice, my number one recommendation would be, if you're a CBT Nuggets customer, please use our virtual labs, because just like what I'm going to show you here in a few moments, we walk you through how to configure it and then give you hands-on practice to do the actual configuration. That's pretty easy, it's a click; we try to reduce the friction between learning it and practicing it. So if you're a CBT Nuggets customer, launch the virtual labs wherever they exist, because that will help you a lot.

I'd say the second easiest way to get hands-on practice is Packet Tracer. In fact, let me show you. I'm here in studio, so I can just show you: go to the dashboard, do Ctrl+F and look for P-A-C-K-E-T. Here we go. I did a set of nine videos, and they walk through from soup to dessert how to set up Packet Tracer and how to use it. Most people, when I show them Packet Tracer, their jaw drops. It's like, what? Yeah, you can build a rack of equipment; you can either choose the devices and build a rack of equipment virtually and then go to the logical topology, or you can build a logical topology and then look at the rack of equipment, and then use the commands. At the CCNA level it's more than what you need as far as hands-on practice, and it's so easy and it's free: go to NetAcad, sign up for a free account, download the legal version of Packet Tracer, install it and start using it. It doesn't cost a dime, and it's fantastic practice, especially at the CCNA level. So for CCNA-level hands-on, the labs at CBT Nuggets are great, and Packet Tracer is super easy and readily available; I strongly recommend it. Physical gear, if you want to buy some used gear and you have the time and money for that, great. I guess that's what I did back in, let's see, when I was a kid, 1999 I guess, getting ready for the CCIE: I bought physical gear, and it was very expensive back then, but I bought it, put it together, and it was the only option I had. Additional options that exist are VIRL; that's a licensed Cisco product. I think as of the time of this recording it's probably 200 dollars a year for a license. It takes a little bit of work to get going, but you install it and you can run tons and tons of high-end devices, including Nexus and so forth, right there in VIRL, so that's another great option. So as far as EVE-NG and GNS3, I would say that for hands-on practice for CCNA you might want to skip the pain and just go right to Packet Tracer and the labs at CBT Nuggets and call it good, and then when you get into the advanced topics, professional level and CCIE level, VIRL and other tools like that would be very helpful. All right, hopefully I answered that for you.

Then there's one other question asking, does it work the same way in IPv6? I see, meaning DHCP snooping. That's a great question. For IPv6 and DHCP, because there's automatic configuration for IPv6 where clients don't actually need a DHCP server to dynamically get an IP address, there are router advertisements, and the routers are advertising the network prefix, and then the IPv6 client says, "I'm gonna go ahead and create my own host address, and then I'll make sure it's not a duplicate." So as far as protecting that, I don't think DHCP snooping would be the appropriate tool; what we'd want to protect there is the router advertisements, to make sure that no rogue device is lying or advertising about what the network is, so it
would not be DHCP snooping as a security tool for that, and for the life of me I don't know what the right tool would be, but it would be protecting the IPv6 routers, I guess, from a bogus or untrusted router that injected itself into the network and lied. That's a good question, and I'll look into that. All right, I think that's all the questions in the queue. Thanks for those.

Let's go to the interface here and go back to snooping. Snoop Dogg, okay, here we go, it's the shizzle. Let's do the recipe for DHCP snooping, so you can see the commands that are used for making it work, and then we'll go right to applying it in the production environment. My voice is getting a little hoarse, not sure why that is. I'll put it at 1x speed and at the beginning; let me look at my second monitor and line this up. Enjoy, and we'll be back in a few moments after this is done, take some questions, and queue up the second video.

[Video: the recipe for DHCP snooping]

In this video I want to chat with you about a few of the ingredients and commands that you're gonna use to implement DHCP snooping, and also reinforce where in our enterprise we're gonna implement this feature. Let's consider where a rogue or malicious DHCP server might be injected. It's very likely to be injected where users can connect to the network, and that's the access layer. So we have our switches, with wiring that goes over to the offices and cubes; it's really here, at the access layer and the access layer switches, where we want to implement the feature of DHCP snooping. Let's imagine that for this network up here, let's say this is VLAN 30 that's being supported up here, these are trunks going down to the core/distribution layer, and our legitimate DHCP server is right here. To implement DHCP snooping on this access layer switch, here's the command we'd use: ip dhcp snooping, with my little spaces in there. Enter, boom. Now that enables the DHCP snooping feature on the switch, but it doesn't apply the feature to this VLAN, so we need to add one more command: ip dhcp snooping vlan, and then, if it's VLAN 30, we'd put a 30 right there. So with this one-two punch the feature is enabled and it's applied to VLAN 30.

With this in place, let's consider this machine right here; we'll call it PC5. It boots up, it's a DHCP client, and it sends a DHCP discover message. For the discover message it's going to send out a broadcast frame, and for the source layer 2 address it's gonna use its MAC address, and then inside the DHCP message, the discover message itself, it's going to include its layer 2 address. If those two MAC addresses, the one in the layer 2 header and the one in the DHCP discover message, are not the same, this port right here says, "I'm not letting that go in. It's not congruent; something funny is going on." That's because all the ports in VLAN 30 are considered untrusted by default, so there are some extra inspections that are going to go on. As a result of that, if Bob or somebody else plugs into an access port here and they have a DHCP server, meaning a device that's trying to send DHCP offer messages or acknowledgment messages, and the switch with DHCP snooping sees any of those server-type DHCP messages trying to enter the network on an untrusted DHCP snooping port, it's gonna drop those. That way we're protecting our network from having unauthorized DHCP servers added or connected.

So if this client sends a discover message, and that discover is a broadcast and it's forwarded down the trunk and the DHCP server sees it, my question is: what's a really good DHCP server gonna do if it gets a discover message? You might be saying, "Well Keith, it's gonna respond with an offer." Exactly, and that's where the problem comes in if we have DHCP snooping enabled for the entire VLAN. Check this out. When the server responds with the offer, saying, "Hey, I've got a beautiful IP address, you're gonna love it," and it tries to send it into the switch, it goes into Core 2, and because Core 2 does not have DHCP snooping enabled, that gets forwarded up the trunk to the access layer switch. But right here on this trunk port, guess what: DHCP snooping is enabled for VLAN 30, that frame is tagged for VLAN 30, and it's a DHCP offer coming in, so the access switch says "untrusted port" and kills it, which is not the intent. So what we also want to do is specify, from the access layer switch's perspective, which ports are to be trusted, meaning which ports lead to legitimate DHCP servers. On the access layer switch, it's port 0/1 that goes down to Core 1 and 0/2 that goes down to Core 2. We want to configure both of those trunk ports as trusted DHCP snooping ports, and the syntax to do that would be to go into interface configuration mode for these two trunk interfaces on the access layer switch and use the command ip dhcp snooping trust. If we did that for each of these two trunk ports, that would make them trusted ports, and as a result, when the DHCP server sends its offer and acknowledgement messages back up into that access layer switch, the access layer switch will allow it, because it's coming in on a trusted port. So in this example all of the access ports would be untrusted from a DHCP snooping perspective, and the trunk ports would both be configured as trusted ports.

There's one more element that often causes DHCP snooping to be so good at what it does that it doesn't allow any DHCP services to work, and that is option 82. In many networks there are DHCP relay agents that listen for DHCP discovers on a given broadcast network and then unicast, or route, them over to the DHCP server. Option 82 includes information about that DHCP relay agent. If we're using DHCP snooping, it can add that option 82 information as part of the DHCP request. We don't need that added information, and effectively adding that information might cause DHCP services not to function correctly. So this command right here, no ip dhcp snooping information option, says "please don't include the option 82 information in the DHCP messages." Sometimes that is left on, DHCP snooping injects it, and it causes DHCP services to fail, so please be aware of that command as well. In our next video, join me as we take a look at building a small network where we can implement DHCP snooping and verify its results. I'll see you there in a few moments. Meanwhile, I hope this has been informative for you, and I'd like to thank you for viewing.

[Back to the livestream]

All right, so those are the ingredients, and then I'd like to skip down to video 6, which is where we apply it. There are other pieces and parts I teach along the way, but applying DHCP snooping to the production network is a good example of the end result. Also, check this out: when I'm creating these videos, and having a lot of fun doing it, I imagine that I'm talking to you like I am right now, and sometimes it doesn't go right, there's a mistake or a problem, like a facepalm, "I can't believe I just did that." So I'd like you to look out in this video for a couple of challenges that I faced, where I made a little slip-up and I thought to myself as I went through it, "Ah, here's the verification commands, oh, there's the problem." I left it in because I want you, as we're going through this together, to realize that it's important to verify our work: make changes, verify the results, correct as needed. It took maybe an extra minute and a half, but I want you to see the logic and troubleshooting of going through it. Also in this one, oh yeah, I also did this, yeah, I'm trying to recall: I created this back in September, so it's been a couple of months, but I believe in this one I also set up a DHCP server on a Cisco router, so you can see that process as well. I thought it'd be great so that a student can replicate this or log in to our labs and actually do it. So thanks for listening to me ramble for a minute there as I remember the details of this. I'm excited to see it too, it's been a while. All right, let's go back to the video and take a look at implementing DHCP snooping with this video, which is about twelve minutes in length.

[Video: applying DHCP snooping to the production network]

It is that time, my friend. You might be saying, "Keith, what time is it?" It's time to take the skills that we've been building regarding ip dhcp snooping and apply them to the production network. So let's go meet with Bob, take a look at the topology and what he has in mind, make a plan, implement it, and verify it together. Let's begin.

It's a Tuesday morning. We walk into Bob's office, we exchange greetings, and then we settle down and he shares the topology for the production network, which is this bad boy right here. We ask him, "Okay Bob, what do you want to do regarding DHCP snooping, where do you want it?" He says, "Well, I've got a little work to do, and it's all down here in Florida. We made a decision," says Bob, "that instead of doing a DHCP relay on this interface and sending the DHCP requests up to a corporate server in Arizona, we just want this router, Router 3, to act as a DHCP server to support VLAN 30." VLAN 30 is this bad boy right here, 10.16.20.0 with a 24-bit mask. Bob also indicates that Router 3 is already directly connected to VLAN 30 and that subnet, so all we need to do is add DHCP services on there. But to help protect the Florida network from rogue DHCP servers, he would like us to configure DHCP snooping on this Florida switch to support VLAN 30, so that no unauthorized DHCP servers can just plug in and start offering IP addresses on who knows what subnet. In addition, because the DHCP server is directly connected to this network, Bob would like us to disable option 82 insertion for DHCP snooping. No problem; we did that in the previous video, and we'll do it again here with the command no ip dhcp snooping information option. Then he'd like us to test it by going to this Florida PC, making it a DHCP client, and verifying that it gets an IP address, and also going back to the switch to look at the DHCP snooping information and verify that the switch learned the IP address this client is using, along with its MAC address. Now, one thing that we definitely want to do is, once we configure DHCP snooping, specify that interface 3/3 is a trusted port, because the DHCP server is off of that port. So in our troubleshooting, if the client is unable to get an IP address, either we didn't disable option 82 or we didn't make port 3/3 a trusted port; either way, we want to make sure we check both of those elements and get full functionality, with the Florida PC getting a valid IP address and being able to communicate on the network. Because this is a virtual lab, you can click on the link for the virtual lab, if you're logged on to CBT Nuggets, and walk through this together with me.

Here on DC Doug, our management PC, let's open up MTPuTTY in the upper left-hand corner, and we'll open up connections to Router 3 in Florida, the Florida switch (FL switch), and also PC 1 in Florida, so we have those three tabs open. Let's start on the router and set up DHCP services. To do that, we'll go to configuration mode and use ip dhcp pool, and let's call this our pool for DHCP. For the network, let's take a look at the plan again: we're supporting VLAN 30, which is this network right here in Florida, 10.16.20.0, and this router is going to be .7 (there's a little .7 there), so we can set up that router as the default gateway at 10.16.20.7. Our pool will be 10.16.20.0 with the 24-bit mask, and we can also exclude IP addresses if we want to. Back at the CLI, our network statement is gonna be for 10.16.20.0 with a slash 24, and then for the default gateway it's gonna be the router itself. Before trusting that this router has the IP address of .7, always verify on new gear; verify what the current status is before we start making changes. We'll do a show ip interface brief. Sure enough, on subinterface 30 we have the IP address of 10.16.20.7, which is the appropriate address to hand out as a default gateway, so we'll use the command default-router and then that IP address, which I'll just copy and paste, making sure I don't make a typo. Enter. If we want a DNS server, we can hand out maybe Google's, or if we have an internal one we can hand out that as well. Press Enter, great. Now we'll exit and also set up the first ten IP addresses as exclusions: ip dhcp excluded-address, 10.16.20.1 as the first in the range, through 10.16.20.10, so it won't hand those out. Then show ip dhcp pool will show us our pool. Fantastic: there's our range for the network, and we've also got ten IP addresses excluded, which is .1 through .10. Great, so that's the router.

Let's go over to the switch and set up DHCP snooping. Here on the switch we'll do a show ip dhcp snooping just to verify what we're starting with. Snooping is disabled by default and not configured for any VLANs, so we are good to go. We'll go into configuration mode, ip dhcp snooping will enable the feature, next we'll hit the up arrow key and enable it for VLAN 1, Enter, and let's do a show ip dhcp snooping. Currently it's enabled, it's enabled for VLAN 1, and the insertion of option 82 is enabled. Let's fix that as well with no ip dhcp snooping information option, press Enter, and we'll hit the up arrow a couple of times and do the show ip dhcp snooping again just to verify that it is not inserting option 82. Great. So we've got the DHCP services set up on Router 3 and DHCP snooping set up on the Florida switch, but what we don't have yet is port 3/3 identified as a trusted port, which will allow the DHCP server to send offers, acknowledgments and other server-type messages back into the network. So let's also specify interface 3/3 on the switch as a DHCP snooping trusted port. Back on the Florida switch we'll go into interface gig 3/3. And also, we should do this: how do we know for real that gig 3/3 on the switch really is connecting over to the router? We're not physically there; most of the work we do is in the cloud or data centers, so how do we know? The answer is CDP. Because they're both Cisco devices, we can do a show cdp neighbors and verify that it's the router hanging off 3/3. Make sure we're still in interface configuration mode for gig 3/3; it's a good option, by the way, if you're not sure which interface you're in, to just go interface gig 3/3 again and confirm you're in the right place. So here we want to configure it as trusted. Picture this: if we had this switch configured with DHCP snooping and our DHCP services were down here somewhere, we would definitely want to configure ports 0/1 and 0/2 on this access layer switch as trusted ports, otherwise when DHCP servers try to respond with offers and other things, those responses will not be allowed into the switch if those two ports are not trusted. That's a key element: whether the port is a trunk port or an access port, if it leads toward the legitimate, authorized DHCP server, that port needs to be a DHCP snooping trusted port. All right, so here on the switch we've done our work. Let's go to our client, the Florida PC, and do a show ip. This is a virtual PC, so
show IP will show the IP address so it's currently 10 16 20 30 and the default gateway is 10 16 2007 but if we configure it to be a DHCP client we would do this IP space DHCP and press enter and one of the cool things with this it shows us the doora process and to discover packets it looks like then they've got an offer from the server then it had a request and the final acknowledgement and check that out it got 9 Peter us and the reason that worked was because we have DHCP services set up and DHCP snooping is not prohibiting that server from responding to us we can go back to the switch and let's do that now and let's say show IP dhcp snooping and we'll tag on let's tag on binding and that'll show us what DAC Amina's learn from his snooping and I was literally expecting to see the entry there for the DHCP client let's do this let's do a show IP dhcp stooping just to make sure they accept so it's enabled great oh oh oh oh I'm so embarrassed so in our previous exercise we had enabled DHCP snooping for me than one and so I carried that forward here so yeah it's enabled on VLAN 1 but this client this client is in VLAN 30 so what we all need to do is enable this for VLAN 30 so that's the benefit of checking our work so config T IP dhcp snooping and we want to do VLAN 30 boom just like that I'm glad we checked I don't do a show IP dhcp snooping and verify there we go so we got VLAN 1 which we don't really care about too much and be that 30 which is where our client is so now let's go back to our clients so let's give it an IP address again we'll go back to static IP and then it's gonna copy paste this bad boy right here boom just for a moment and then we'll do a IP dhcp again to be a DHCP client it's gonna go through the door process discover off a request acknowledgement and survey says boom gotta lemon now if DHCP snooping is working and we configured it correctly we should have a an entry if we do a show IP dhcp snooping binding that should show that IP address that 
was just given to the pc along with its associated layer to address and that should show up on the switch that's doing DHCP snooping for VLAN 30 let's take a look so back at the switch we'll go ahead into the upper ok a few times and do a show IP dhcp snooping finding the center so here's the IP address that was handed out via DHCP there's the corresponding layer to address the way it got into the table was via DHCP snooping it was on VLAN 30 and it was learned on gig 0/1 that's for this client pc 1 is connected to on this switch and in this video again the opportunity to take our skills and knowledge regarding how DHCP works to apply it to our production network and then also to verify it and that's part as part of the verification process we identified that I had put in the wrong VLAN and as a result there was no entry in The Binding table for DHCP snooping that's why it's always a great idea to when we configure something verify it make sure it works and if it didn't come out like we thought investigate the root causes and correct us which we did so I've had a lot of fun in this now at the end of each of these sets of videos needs these skills my intention is we apply these skills to a production environment if you've done this with me if you've done it an an emulator a simulator on your own physical gear in the labs I would like you to give yourself ten more points and the goal being let's get a hundred points to represent growth and building skills and having fun and becoming more valuable to ourselves our families and our employers has become better and better and working with IP networks so I've got a blast instead of videos and I look forward to seeing in the next meanwhile I hope this has been informative for you and I'd like to thank you for viewing I'm having a good time I'm so glad you're joining me for these it's it's a lot of fun because a couple things we can identify what technologies exist that we can use to secure our networks and then walk 
through together how to implement them and verify them and the fun thing is this in a production network when we're actually employing techniques like like DHCP snooping it's fantastic because we're protecting against rogue or even innocent people bringing those devices on the network and causing denial for other devices so thanks for joining me for those I appreciate it I had a couple questions I wanted to follow up on one question was asking regarding DHCP snooping like why just access layer why couldn't we put it in the core could you put it in the core or the distribution layer we could but most of the time users those you know those users they've got access in their offices and cubes and through rj45 connection connections and those are connecting to access layer switches so the most likely place for someone to attach to the network is at the act there so you certainly could have it elsewhere but mostly is that the access layer to protect against people where they do connect just remember your trusted ports though that bites me almost every time because without looking at like okay what are all the possible paths to the DHCP server because we could have a DHCP server that's hanging off the core or the distribution layer and then we have to identify the paths and not just the path that's being used but also the path that spanning-tree might use if there's a failure in the network so a spanning tree we've got you know the one path that we're using for forwarding a layer to one path is blocking well if we only make the perhaps that's forwarding a trusted port and then there's a failure in spanning tree swaps over to the other path and it's not a trusted port our network dispro so just consider any possible paths that lead to the real DHCP server as trusted ports all right so another question was statement was I've got a router and a switch he provides the models I put the commands in on the switch it didn't work including the option no option 82 the switch is 
blocking the discover offer request acknowledged the router is the DHCP server I even know to help redress what do I do well after watching this yeah and you've done all those steps here's what I would do I would say I always say to my device let's imagine this is the router for a moment dear mr. router thank you so much for being a DHCP server I'm gonna test you directly with a client just remove the switch from the equation so you can take a crossover cable go from the router directly to your PC in your lab environment and verified DHCP is working now if that works you can also with a switch in place you could have your router connect to the switch your client connect to the switch and turn off DHCP snooping altogether and verify that that works so if that's the case where the router is the DHCP server there is a switch in between your client and the router and no DHCP snooping is enabled and it works and then you enable DHCP snooping and it stops working I would take a strong look at trusted ports like make sure that the switch on its connection to the make sure that port that is connected to this imagine it's I put my cables away there we go all right thanks oh by the way I get a lot of questions hey your keep your hair always looks different how you do that canned air it's fantastic you know just get yourself going to the morning all right that's not literally what I do every morning but sometimes okay so listen guys this is the switch and it's going to the router let me get this edge this is the router and the switch is the second device I'm gonna have this device player switch our switch today is played by a Palo Alto firewall I've also got a Cisco firewall right there if that makes it may feel better all right so router to switch and what you want to do on this switch is you'd want to say this port that leads to the router is a DHCP snooping trusted port otherwise the server if it's issuing DHCP offers and acknowledgments and so forth the switch port by 
default DHCP snooping says they're all untrusted from a DHCP snooping perspective it's not gonna allow your DHCP messages to come in so okay so the whole soup to dessert is try it without DHCP snooping if it works and then you enable the HP's to me it doesn't work make sure this port on the switch that leads to the router make sure that port is a trusted DHCP snooping port like we had in the video if that doesn't work there is an option that I recall the DHCP information option or DHCP relay trusts I'd have to look it up I do remember a few corner cases where I had to do a few additional tweaks now the lab we did here was all the gear that is shown and all the commands that I use to make that all work so in my CCIE days they used to do a lot of CCA labs and we'd have tricky scenarios and make things breaks they wouldn't submit what the CCI Canada would have to you didn't figure out how to make it work and make almost near impossible scenarios so they could you know get final functionality but I'll tell you what if you post that it was Jonathan uh whoever it was if you when this video gets posted live if you post that scenario again if you're still having problems with that I'll research it I'll find the additional option or options regarding trust that that may have to be done on the router acting as a DHCP server to make it function but in the lab everything that I just did was what you saw was how it worked there could be slight variations based on the version of iOS so if you're interested in that be happy to help okay I'll see what else and yep InfoSec Pat said during your demonstration Keith your enable DHCP snooping for VLAN one and the client was in VLAN 30 now why is that so darn important well that gate to make it work first of all to have that protection also the DHCP snooping binding table that associates the IP address and the layer 2 address that's learned through the DHCP snooping process we're gonna use that in next week next week we're going to take 
a look at dynamic ARP inspection to make sure that devices when they connect to the network they don't lie about what they're layer 2 addresses the fantastic and easy way to do man-in-the-middle attacks is by I lie to everybody I like to this device I say hey this is device a this device see I'm device B I tell device a that device sees layer 2 dress is me and I tell them I see that layer is layer 2 addresses me and they start forwarding frames to me when they want to talk to each other now a man-in-the-middle attack so that could be done by ARP spoofing address resolution protocol spoofing and that could be fixed or solved with a feature called dynamic ARP inspection rdài which by votes earlier today that's our next topic so we'll cover that in more detail about what it is why it's needed how to implement it how to verify it in our next session ok there was another question I thought about Python mmm did you huh maybe it went away regarding python python is a very friendly language so for Network automation there's a lot of Python that's used if you are interested in Python the dev net is a great starting point for a lot of people who want to get into automation also CCNA has a section on network programming and networking automation there's a book what's that book called it's called proven I think it's called programming boring things programming all the boring things with Python and NOC sections and I'll tell you what you can do if you have search for Knox Hutchinson on YouTube he just put a video on that today and you talked about this book and basically this is meant to be read over 30 days during your lunch like 40 to 50 minutes a day for 30 days to get up and running with Python and so if you search for Knox that I'll add it as a comment as well to this video in the notes that's a great book to start and in CCNA we talked about some of the high-level basics a little bit high level ideas about Network automation and in Deb net it's three major sections in 
Devitt there's Network fundamentals which I get to do layer 2 switching layer 3 routing the tcp/ip protocol stack how it works it's great stuff and then Ben Finkel talks about the infrastructure and the tools that we would use for network item for on programming and development and network government the infrastructure to make it all work and then Knox focuses primarily on doing it how to do the automation where Python fits in so there is some basic there are some basic training there we also have some Python options at CBT Nuggets but that book which by the way knocks knocks inspired me I'm working on this project with Ben Finkel and Knox uh chanson and those guys are really amazing and they're they're they're they're both way beyond me as far as coding and programming including Python and apps that you they work with for automation and so after a little heart after a little soul-searching I to myself I'm always you know learning new things I always enjoy learning things I thought I'm gonna spend a couple months and go through our own dev net content including that book that Knox recommended about programming all the boring things with Python and I'm just gonna take it easy I'm not gonna try to cram it all overnight I'm going to enjoy it I mean I understand the basics of Python but I have to start applying it and learning it and and using it I mean I have configured how many Cisco switches and routers and firewalls and intrusion prevention systems and load balancers have I configured over my lifetime just lots and lots and lots and I thought it's gonna be fun because Knox is in the dead net he's gonna walk us through he already has it's just waiting to be released in December how to use automation to do those things that we've done so repetitively like how do you query 50 devices and find out the certain values or how do you push elements to those 50 devices using scripts that use the commands that we know and love on those choices but just doing it an automated 
way so anyway I'm committed to doing that and again not as a oh I'm gonna do this today no I'm gonna enjoy it I'm gonna take the next two months and enjoy it spend maybe 45 minutes to an hour a day enjoying the videos at CBT Nuggets that from Knox and from Ben and enjoying doing the hands-on practice and enjoy doing what they asked me to do and enjoy some reading just to increase my skills now do I need to for my own personal you know my career I could probably get away without doing it but when's the last time you get a really good skill where at the end of it you thought yeah whoo I wouldn't want that skill again totally worth it like networking totally worth it so um anyway that's my own personal motivation to learn more about Python and getting more involved with it okay one other comment from Jay Cole a I'm currently working for a major service provider specializing in SD you an awesome I'm 53 years old my brother I'm I was born in 64 so hey let's do the math on that we were very close and have not taken a Cisco service do you think it's viable for me to go all the way to CCA ie at my age that's a great question ever but we all we all come from different experiences and different backgrounds and we have different levels of abilities when it comes to taking tests and things like that I think what I would do i I've been reading a book here Eve Keith yeah I read um I've been reading a book in fact I've read it two or three times over the last year and a half it was recommended to me by Dan Charbonneau it was the the visionary at CBT Nuggets and also the owner and it's called atomic habits it's it's a game changer anatomic habits is all about not focusing on the prize at the top of the mountain although it's important to have an awareness of where we're going you know which ladder we're climbing you know for climbing a ladder make sure it's leaning against the right building right so we want to make sure leading us right building but the secret is anatomic habits 
is he talked about who wants to win the Super Bowl I mean what football team wants to win Super Bowl all of them all the professional teams they feel I wanted but who wins it's not gonna be everybody so the secret is he says is to get better systems in place better systems at improving ourselves like I'm going for 10% body fat by May or June of 2000 when we have a trainer Palooza meeting every year in Eugene Oregon we all the trainer's together and we just it's just great so we get to connect and physically see each other as opposed to just virtually see each other and last year I committed to getting to 15 percent body fat and I had some help I had a lot of good people coaching me and motivating me a committed publicly and I focused on the system which is eating a little better working out a little more smart more smart working out how about that it's just science at that point if you work out a little more actually a little more and you eat a little better and you keep on that going keep those systems doesn't have days I'm going for days that I'm winning not just got to my goal day by day by day and so the same thing is true with working for a service provider or maybe thinking about a CCI Sunday I would focus on getting better at those things that you want to get better on and setting up systems like this week did I get better I use a journal here it is and in it every day has a little rubber band so I can put my spot in there and find it I specify what I want to work on and what's what examples today's top three goals what absolutely must be done today what are some things that I and has a whole bunch of ideas to get me thinking and then I just try to make every day a win and win for me is a gold star it's like okay Keith did you did you do your cardio for 30 minutes today yeah gold star did you study that Python like you told people you're going to you you made a commitment publicly like right here you know that you're gonna study Python over the next couple 
months just to have a better understanding of it just to kind of enjoy some Network automation even if I don't code for a living you'd be nice because when we talked to the development team or the programmers and they are starting to do automation for network devices whether there are firewalls or firepower threat defense appliances or a SAS or routers or switches whatever they probably are going to want some information from us and it would be nice if we could have a common language we could talk with them they could show us the script we could take a look look at the Cisco related commands and have some mutual time our mutual benefits there so going back to the CCI I think anything's possible if you're willing if a person is willing to put enough time and effort and concern into doing a thing I think the question would be if we're over 50 would be certainly it can be done the question would be would it be worth it now as a in 2001 which was you know a long time ago I got my first CCIE and in doing so it was not easy I I studied probably eight months and I think it was four or five hours four or five days a week after work studying like just raw study practice and I would have people that we're not always in hope hoping I was gonna do it I had a lot of people that didn't want me to do it loved ones like oh you've worked hard enough and so the kids go to bed and I would go to this room this dining room or side room and I would just work and study and I had a lot of feedback to said oh you've done enough you can stop and secret is I really wanted it I had several children at 2001 have seven kids most of them are grown my youngest is 16 she'll be 16 in December of 2019 how about all the rest are 21 or older and they're all amazing so I had a lot of motivation for me he's like I at that time I needed to make enough money to provide for my family and I didn't have a high school I didn't have a high school education but I didn't have a college education I went in first 
one semester Community College that was it and then I wanted to go out in the world and you know make my mark and I realized that there's no free lunch and so I had an opportunity to start in I was a cashier and I saw this guy coming in and fix the cash registers it's a silver briefcase and wow I'm gonna get emotional anyway I I saw him he had a good car a decent car and I thought was a decent car and looking at a good job and I saw this advertisement on the TV that same week for control data Institute get a job in the world of IT and I thought this is 1984 and I thought you know what mmm I can do that I'm gonna I need to make a change so back in the 80s I went I paid like five or six thousand dollars got a loan and went to this technical school studies super hard and then got a job with EDS right actually they took me out of school early because they they needed somebody and they were impressed by my eagerness and my willingness to learn so I have YouTube videos all that I don't repeat that here my journey through the world of EDS and my first job and my CCI exams and those are all very fun for me the stories are very very fun but at that time it was worth it so 2001 or at that point I was not desperate but I thought I I need to provide for my family they need you know I'm it I'm the end of the road the this is the lease children and my wife they need me and so part of it was a little bit desperation but I enjoyed it and I pushed hard and I pushed her and I got my first CCI in 2001 and then I went for another one in 2003 and security and ever since then I've continued to study and learn now people ask me well are you gonna go for another ccae like in data center or something else and that my that's the question I ask myself now is what do I need to get do I do I need that or joining the skills or where would my time best be applied that's the real question at my age and I'm focused on the 20% is the this is the the core of the matter I'm focused on the 20% of what 
I can do as a human being to help other people that's it it's like what what's the most I can do with the most impact that with the most specific effort to help us make people and one of those things is YouTube and because I'm reaching a lot of people which is fantastic I want to help you with your goals like you want to achieve and also CBT Nuggets has been incredible for me because it gave me a space where I can create content that I care about that matters to people and they give me a lot of room to create that content and I just love it so so going forward if the CCIE is important for you if it's important financially for you or for self esteem or for cred among your peers or just to get the skills I would say getting the skills and the knowledge would be the biggest thing the most important thing and the certification if you want to choose to prove it or demonstrate it to the world would be a secondary thing so that is Keith get off the soapbox okay okay I'll get off I'll get off um it depends I guess is the answer to that okay and last question is Dora unicast or broadcast great question Dora I referring back to our topic of DHCP discover offer request acknowledgement and the answer is it depends the first discover message from the client if we're a DHCP client it is always if it's a brand-new client never had an IP address before it doesn't know who the DHCP server is it's always gonna be broadcast but after that there are some dependencies based on the flag in that discover message so in the in the DHCP messages there's a flag for broadcast or not and based on how that flag is set some of these subsequent frames may not be broadcast because think of it if we send a broadcast and there's a DHCP server it's it knows our source MAC addresses so it would have the ability technically to respond directly to our layer to address so the way that most people teach it which is good to know most people teach it oh it's all broadcast and here's why you know DHCP 
discover broadcast broadcast for the offer so if other devices or servers see it they can know about it and then the request so it's possible that all four could be broadcast but literally with a protocol analyzer and modifying that broadcast flag it's not always it's not always that all the frames the first frame is always a broadcast but all the rest are not always a broadcast now that is beyond way beyond what a CCNA student would be required to know about but it's the fun stuff that by working with products longer and discovering how they work or you can really dig in and say ah and yeah it's a great question I love I love studying I do okay all right I think I've taken all the time that I deserve I'm grateful for our time together our topic next week based on popular up is going to be dynamic ARP inspection so I look forward to streaming that next week if I plan on going through almost all the skills that I've created at CBT Nuggets and then when those are done I'm also thinking about doing something called Sunday subnetting making a making a small series a live stream doing on Sundays for like half-hour for a few Sundays on IP subnetting I think that would be fun I've gotten a lot better than that over the last 20 or 30 years and I enjoy sharing that with people so just checking for any last questions here I do want to thank everyone for showing up and participating in live stream I also want to thank Jake from CBT Nuggets for being so diligent in helping me with managing the queue and that's it so if you haven't yet subscribed please take a moment to do so today if you are anticipating a CCNA journey please join me here I've got a lot of content on this channel that tries to cut through the noise and shares with you exactly what's important about the technology for a CCNA and I do believe that getting a CCNA certification to demonstrate your skills which is the most important part is a important step in the world of getting skills and making a difference and 
becoming more valuable to everybody in your circle so thanks for joining me I'm gonna put on some exit music and I look forward to seeing everybody either in the stream next week or in a subsequent video thanks everybody [Music]
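The three situations the stream walks through (snooping enabled on the wrong VLAN, the uplink to the DHCP server left untrusted, and the working configuration) can be reasoned about with a small model of the decisions a snooping switch makes. The following Python is an added example written for this page; it is not Keith's lab or Cisco code. It models the IOS commands from the video (`ip dhcp snooping`, `ip dhcp snooping vlan`, `ip dhcp snooping trust`) as methods on a hypothetical switch object, uses constructed MAC and IP sample values, and runs a DORA exchange through the switch so you can see when server messages are dropped and when a binding-table entry appears:

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

CLIENT_MAC = "00:50:79:66:68:01"   # constructed sample value for PC1
SERVER_MAC = "00:00:0c:00:00:07"   # constructed sample value for the router


@dataclass
class Dhcp:
    kind: str          # DHCP message type: DISCOVER, OFFER, REQUEST, ACK, ...
    port: str          # switch port the frame arrived on
    vlan: int
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address field in the DHCP header
    yiaddr: str = ""   # address being assigned (OFFER/ACK)


@dataclass
class SnoopingSwitch:
    """Minimal model of the DHCP snooping decisions an access switch makes (hypothetical)."""
    enabled: bool = False
    vlans: set = field(default_factory=set)
    trusted: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # chaddr -> (port, vlan) seen in client messages
    binding: dict = field(default_factory=dict)   # chaddr -> (ip, vlan, port): the binding table

    # The IOS commands from the video, modelled as methods.
    def ip_dhcp_snooping(self):             self.enabled = True
    def ip_dhcp_snooping_vlan(self, vlan):  self.vlans.add(vlan)
    def ip_dhcp_snooping_trust(self, port): self.trusted.add(port)

    def process(self, p: Dhcp) -> str:
        """Return a FORWARD/DROP verdict for one message and update the binding table."""
        if not self.enabled or p.vlan not in self.vlans:
            # Not snooped on this VLAN: frames pass untouched, but nothing is learned.
            return "FORWARD (vlan not snooped)"
        if p.port in self.trusted:
            # Server replies are only accepted here; an ACK completes a binding.
            if p.kind == "ACK" and p.chaddr in self.pending:
                port, vlan = self.pending.pop(p.chaddr)
                self.binding[p.chaddr] = (p.yiaddr, vlan, port)
            return "FORWARD (trusted port)"
        if p.kind in SERVER_MSGS:
            # A rogue server, or the legitimate one behind a port nobody marked trusted.
            return "DROP (server message on untrusted port)"
        if p.chaddr != p.src_mac:
            return "DROP (chaddr does not match source MAC)"
        self.pending[p.chaddr] = (p.port, p.vlan)
        return "FORWARD (client message)"


def run_dora(sw, client_port, server_port, vlan, ip):
    """Push DISCOVER/OFFER/REQUEST/ACK through the switch, stopping at the first drop."""
    exchange = [
        Dhcp("DISCOVER", client_port, vlan, CLIENT_MAC, CLIENT_MAC),
        Dhcp("OFFER", server_port, vlan, SERVER_MAC, CLIENT_MAC, ip),
        Dhcp("REQUEST", client_port, vlan, CLIENT_MAC, CLIENT_MAC),
        Dhcp("ACK", server_port, vlan, SERVER_MAC, CLIENT_MAC, ip),
    ]
    verdicts = []
    for m in exchange:
        v = sw.process(m)
        verdicts.append((m.kind, v))
        if v.startswith("DROP"):
            break   # the client never hears back, so the exchange stalls
    return verdicts


def build_switch(vlan, trust_uplink=True):
    sw = SnoopingSwitch()
    sw.ip_dhcp_snooping()
    sw.ip_dhcp_snooping_vlan(vlan)
    if trust_uplink:
        sw.ip_dhcp_snooping_trust("Gi3/3")   # the port towards the router, as in the video
    return sw


def scenarios():
    """The situations discussed in the stream, plus a rogue server on an access port."""
    out = {}
    sw = build_switch(30)                      # correct: VLAN 30 snooped, uplink trusted
    out["correct"] = (run_dora(sw, "Gi0/1", "Gi3/3", 30, "10.16.20.11"), dict(sw.binding))
    sw = build_switch(1)                       # the slip: VLAN 1 snooped, client lives in VLAN 30
    out["wrong_vlan"] = (run_dora(sw, "Gi0/1", "Gi3/3", 30, "10.16.20.11"), dict(sw.binding))
    sw = build_switch(30, trust_uplink=False)  # the viewer's lab: uplink never marked trusted
    out["untrusted_uplink"] = (run_dora(sw, "Gi0/1", "Gi3/3", 30, "10.16.20.11"), dict(sw.binding))
    sw = build_switch(30)                      # unauthorized server answering from access port Gi0/2
    out["rogue_server"] = (run_dora(sw, "Gi0/1", "Gi0/2", 30, "192.168.99.5"), dict(sw.binding))
    return out


if __name__ == "__main__":
    for name, (verdicts, binding) in scenarios().items():
        print(f"{name}: {verdicts} binding={binding}")
```

The "wrong_vlan" case is the one that is easy to miss in a real lab: the client still gets an address, because an un-snooped VLAN is simply not inspected, so the only symptom is an empty `show ip dhcp snooping binding`. The "untrusted_uplink" case is the opposite failure: the OFFER from the real server is dropped at the switch and the client never completes DORA, which is exactly why every path towards the legitimate server, including any spanning-tree backup path, needs `ip dhcp snooping trust`.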
Info
Channel: Keith Barker
Views: 18,568
Rating: 4.9359999 out of 5
Keywords: dhcp snooping, dhcp snooping explained, dhcp snooping configuration, dhcp snooping option 82, dhcp snooping cisco, dhcp snooping packet tracer, dhcp snooping ccna, dhcp snooping cbt nuggets, cisco, dhcp, ccna, dhcp server, networkchuck, networkchuck ccna, ccna 200-301, ccna certification, ccna training, ogit
Id: pRZ-BDASQuM
Length: 74min 49sec (4489 seconds)
Published: Wed Nov 27 2019