DHCP Snooping

Captions
...but why DHCP controls are so important in our Catalyst switch environment, beyond that, is the fact that we are going to rely on this DHCP protection feature for a variety of other security protections. Yeah, we're worried about MAC address spoofing in our infrastructure, we're worried about IP address spoofing in our infrastructure, and the DHCP protections are a requirement to go ahead and configure those other types of protections that I mentioned. So let's get it started here with the first necessary ingredient; let's look at deploying these DHCP types of controls.

OK, DHCP protections are going to center around a particular feature called DHCP snooping that we are going to be enabling. But let's back up for a minute here. I've kind of given away that we need DHCP snooping for a variety of other purposes, but let's just forget that for a second: why in the world would we want to consider DHCP snooping to begin with? Well, it's just so easy to attack your DHCP infrastructure. One of the common attacks is server spoofing, right? One of my favorite stories about this is when one of my colleagues, Keith Barker, went in and did this inadvertently. He was at, I believe it was a NetWare conference, and he was at this network conference (this shows how old we are, right?), and he plugged his laptop into one of the available ports at the expo center at the conference. So all these people are in these booths showing off their various products that integrate with NetWare, and he goes over and he plugs in his laptop to one of the wall ports, the Ethernet wall jacks, and sure enough, he's watching all of the internet-based displays everywhere in this conference just start to get 404s. He absolutely was spoofing DHCP. He didn't realize it at the time, but sure enough, his teaching laptop, the laptop that he would do demonstrations and stuff on, was set up with a DHCP server. Yeah, he had a Windows-based DHCP server running. He plugged into their network, everybody started making their requests for their IP address information from him, and they had a very short lease duration, obviously, set for whatever reason; I guess that would make sense in a public area like this. Anyways, he caused chaos on the expo floor. Great story.

So one of the things that we need to guard against is just what I described. Oftentimes it might be an accidental implementation of one of these rogue DHCP servers; it hits the network, clients start utilizing it for their IP address information, and this could obviously cause major problems. A lot of times, if attackers do this maliciously, it is their first step in later attacks, right? Their initial step is to give out the wrong DHCP lease information, and then once clients possess that wrong IP address information, then they come through with some other, even more malicious or damaging attack, like they go ahead and steal data off of these machines, redirect these machines, whatever. We obviously want to control what IP address information our DHCP clients have, so we want to keep one of these rogue DHCP servers off of the network.

Something else that would be really, really easy to do would be to go ahead and starve somebody's DHCP implementation. Now just think about how easy this would be to do: the attacker comes in and literally just consumes all of the DHCP addressing that is intended for your legitimate hosts out there. Yikes. So, depletion of your address pool, and again it's scary to think about just how easy that would be to do, right? There's applications that'll do it, that'll make these false requests and consume all of the addresses in the pool. Just to be really, really clear, hey, this is a denial of service attack, isn't it? Yeah, sure it is. It's an easy way in which to deny the DHCP service to legitimate folks on your network.

So here's what we're gonna do with DHCP snooping: we are gonna go into our switched infrastructure and we are going to enable DHCP snooping on these Catalyst switches. Now, when we enable DHCP snooping, all the ports are untrusted by default. The ports are untrusted by default, which means that they are not going to allow DHCP traffic to come in on that port, in other words, responses from a server, right? So if we were to set up a DHCP server out there at the access layer and the port is untrusted, it's not going to allow a DHCP server to respond into that port. It's that simple and that clever. So we have this concept of trusted vs. untrusted ports. So when you go ahead and roll this feature into production, what you have to make sure you do is go to where your legitimate DHCP server is and make sure those incoming ports are trusted. Yeah, trusted ports are going to be flagged for where the DHCP server actually is in your infrastructure.

This builds a DHCP snooping table; that's what's so cool about this. I mean, obviously the concept of untrusted and trusted ports to protect your infrastructure is really cool, but what we really love about DHCP snooping, and why this feature will end up seeding other protection mechanisms at Layer 2, is because of this database that gets built. We have this concept of the DHCP snooping Catalyst switch tracking what IP address went to what MAC address, utilizing what port and utilizing what VLAN. So there's this nice DHCP information database, if you will, that gets built for all of this DHCP communication, and now this database can be relied upon for other security features that we can enable at Layer 2.

What would be the input parameters that you would want to gather up before you try rolling out this DHCP snooping feature? Well, you obviously want to list all of the switches that connect to untrusted users, right? Users that could inadvertently or maliciously connect a switch to the infrastructure. You're also going to want to then take that list of switches and figure out exactly where the DHCP servers are, because remember, we're gonna have to make those ports that connect to the legitimate DHCP servers trusted. And then, this is important for the exam, realize that on your inter-switch links, on your trunks, you're gonna have to do some port trusting as well. OK, you're gonna look at where that DHCP server is, and all of the incoming ports for that traffic have to be in the appropriate trust state, including the inter-switch links, so that the legitimate DHCP server can get its traffic out to the legitimate clients that need that information.

So what do our configuration tasks look like for this particular feature? Well, first things first, we enable DHCP snooping globally on the switch. Then we go ahead and specify the location of the persistent DHCP snooping database. This is actually optional; if you want that to go ahead and just default to the default location, it'll do that if you don't provide an alternate location. Most administrators, though, like to know exactly where it is and what its name is, so they go ahead and configure that as part of step two. Then we got to go ahead and make sure we go to where that legitimate DHCP server or servers are located and make sure we flag the ports appropriately as trusted. Those that are going to be trusted, make sure we set them up as trusted, and then everything else is untrusted. Now step four says, you know, we have to designate the ports as untrusted. I don't really agree; when in step three we set up our trusted ports, we just took care of step four. I understand what Cisco was doing here: they wanted you to make sure you realize that when you set up your trusted ports, yeah, think about everything left over, because it is going to be in an untrusted state by default.

Now this is something interesting: in step five we can go ahead and configure DHCP rate limiting and add port security on the untrusted ports. This is a nice, optional, cool feature that will guard against DHCP starvation. Your legitimate clients, they can come in and get their lease information, but if they're trying to hammer your DHCP server, the rate limiting feature can kick in and prevent that. You gotta love it. Also noted here is port security, that you learned about in our CCNA Security class. Think of how powerful that is to include with this particular feature: you're making sure the host out there that wants to get its DHCP information from a DHCP server is legitimate, and then you make sure that you do rate limiting so that particular device does not try some denial of service monkey business with our particular infrastructure.

Notice step six: we're going to go ahead and enable the DHCP snooping then on specific VLANs. This is one of those features that is a two-stepper, right? No, we're not talking about a country and western dance, but this is a two-stepper. It is one of those ones where we better globally enable it, and then after you globally enable it, you're gonna say exactly where it is to run. Globally enabling it really isn't doing anything; it's not until you come in here and you say OK, go ahead and snoop on the specific VLANs that the feature really, really kicks into place.

Well, let's go ahead and take a look at a configuration example, why don't we, and I love how we use sample scenarios in this to make sure we've got this mastered from a real-world kind of perspective. Notice here we have a primary DHCP server, and that device is connected to FastEthernet 5/1. Sure enough, we have a secondary DHCP server connected to another switch via a trunk out FastEthernet 5/2. Something else that we want to do in this particular scenario is make sure that we rate limit the DHCP requests to 2 packets per second, and also we want to make sure we're limiting addresses to 10 per port. That's obviously going to be a little port security feature we're going to add to this situation, but notice the rate limiting of DHCP requests; that's going to be done with our DHCP snooping feature. Now you look at this and you say OK, let me think about trusted ports. All right, obviously all these ports in VLAN 500, they're going to be untrusted; that's where we could have these individuals, these potential troublemakers out here, that's where we could have them setting up rogue DHCP servers. But now, the trusted ports that I'm gonna have to worry about are obviously FastEthernet 5/1, this connects to the legitimate DHCP server, so we're gonna want to go ahead and make sure that this is a trusted port, and this trunk link out to this secondary switch with the secondary DHCP server, sure enough, this is going to need to be a trusted port in our particular configuration scenario.

So let's go ahead and get this particular feature configured. Then we're going to go in and enable DHCP snooping globally. We know that is done with the ip dhcp snooping command, and then if we want to hard-code the database to a particular location and a particular name, we use ip dhcp snooping database and go ahead and park that in flash. Notice it is a .db extension that you need to utilize. All right, so we set up the feature globally, we set the location, then we zero in on the trusted ports. So here we have the primary DHCP server, notice it is at 5/1, and we go ahead and we say ip dhcp snooping trust. Remember, we highlight, we handpick and configure our trusted ports, and then everything else, that would be step four, is untrusted by default. Pretty cool. So then we go into FastEthernet 0/2; this is the inter-switch link over to the other device, and we set up the trust on that particular interface. Remember, when you're gathering the inputs for this DHCP snooping feature, you are going to want to make sure you really do your homework. You're gonna want to make sure you have your network documentation in front of you; you're gonna want to make sure you really, really study carefully where you are going to be placing this particular feature, OK, the trusting, I should say, of the feature.

Now we're not done. We wanted to do some rate limiting, a really good idea to ensure that we don't have that starvation attack. Here you can see how we do it: in global configuration mode we say ip dhcp snooping vlan 500. Yep, it's that simple, ip dhcp snooping for VLAN 500, and, oh, sorry, that's not doing our rate limiting, is it? That is enabling DHCP snooping on our VLAN. Great, so this really kicks it in: we globally enable it and then we specify where it's going to take place. OK, now we have our optional configurations. Here we can see how easy it is to set up the rate limiting; this is done in interface configuration mode, right, for all of our VLAN 500 users we say ip dhcp limit rate 2. Pretty cool. And then notice we wanted to make sure that we had port security in place to give a maximum on the number of MAC addresses that can exist out a particular port, so notice we've got some port security added in there. We won't cover port security with you here because that was covered fully in your CCNA Security with StormWind Live. So really pretty cool, pretty straightforward; this is very, very easy compared to our private VLANs, isn't it?

Now obviously we want to be able to verify this, and you want to be able to verify it, you know, without actually setting up a DHCP server initially, right? You want to just verify that this is in place and then go ahead and connect your DHCP and all that fun stuff. So one of the commands that we're gonna recommend is show ip dhcp snooping. The only gotcha here on this command is that some students will type show dhcp snooping and it will return an error; just remember it's show ip dhcp snooping. Notice the output: it says OK, you guys are good to go on VLAN 500, it's configured there, it's operational there, and then you can kind of skip to the bottom to quickly see that we have particular interfaces that are trusted; everybody else is going to be untrusted, and we can see whether or not we're rate limiting. You might say, well Anthony, what happened here, I thought we configured rate limiting? Yes we did, but not on the trusted ports; we configured rate limiting on the untrusted ports that were in VLAN 500. Great stuff.

Now what if you wanted to actually see this very cool database that the DHCP snooping feature is building for us? We know that database can be used to seed some of our other great security features. Well, if you want to see that database it's show ip (don't forget the ip keyword) dhcp snooping binding, and then you could optionally put in an IP address, but that's not typically what we would do; we want to see the whole database, so we say show ip dhcp snooping binding. How cool, look at all this great information we are recording now: we've got MAC address, IP address, lease duration, we've got the type of entry (they're all going to be dhcp-snooping unless we have some static entries in here), and then the VLAN and the interface. Look at all that great information, and think to yourself how easy it's going to be for the Catalyst switch if we want to subsequently use that information in order to, yeah, none other than guard against MAC address or IP address spoofing; we're gonna be able to put those types of protections in place.

OK, by the way, notice how we look at the bindings. Keep that keyword in your mind when you want to look at the contents of the database. When you want to get information about the database itself, like where is it stored, how much is being written to it and how much is being overwritten, and how long has it been since there was some kind of problem with this database, when you want this information about the database itself, you're gonna do show ip dhcp snooping database. So remember, the keyword binding is going to be the magic that allows you to see inside the database, and then if we just do the database keyword itself, we're going to be looking at parameters about the database.

Now you've got this set up, you're all excited, awesome, you've got this cool protection in place for your DHCP infrastructure, and you think to yourself, hmm, what will happen if there are some security breaches in my infrastructure? Well, let's take a look at exactly what's gonna happen: your Catalyst switch is gonna proactively let you know that there is a problem. Notice the severity levels on these particular messages: there are fives and fours, right? So they are messages of a pretty decent severity level, so you shouldn't be filtering these out; you should be looking for these in your system messages. Notice the first one, and by the way, let me warn you right now, for those of you that are interested in certification, one of Cisco's favorite little exam tricks is to show you a system message that would be associated with a particular technology that we demonstrate in this course and then ask you what the heck's going on, right, what's going on with this particular message. I don't know about you, but I love these types of questions because it is quite obvious what's going on. I mean, you know, system messages have a descriptor that goes a long way to tell you what's going on, and then they have a plain-English, typically a very plain-English, explanation as to what's with the system message. So I don't know, Cisco, ask me all you want about these system messages; I think they're some of the easiest questions that we could get in this certification exam environment.

So the first one: DHCP snooping, well, we know who gave us this message; severity level 5; DHCP snooping untrusted port. OK, what's going on on one of our untrusted ports? DHCP snooping drop message on untrusted port, message type DHCP offer, the source MAC address is, bang, right there. How awesome is this? DHCP snooping is telling us, hey look, on one of your untrusted ports we just had someone come in with a rogue DHCP server and try and give an offer out into your network infrastructure. You've got to love the level of detail; it even gives you the source MAC address of the offending system, so we can go out there and really, really get mad at someone for either inadvertently or maliciously trying to poison our DHCP infrastructure.

Let's take a look at the second: DHCP snooping, 5, DHCP snooping match MAC fail. Hmm, DHCP snooping dropped a message because the chaddr doesn't match the source MAC, message type DHCP request, chaddr is given, MAC source address is given. Whoa, so what's happening here is a very interesting attack where there was a switch done, right; someone injected themselves in the four-way DHCP handshake process, right? So this is a very cool protection that we get built into DHCP snooping: everything's being tracked here, and somebody is trying to request DHCP information, all right, the DHCP config, and they're not the legitimate source address for that communication. Very, very cool how DHCP snooping can catch that.

Next down, DHCP snooping fake interface: DHCP snooping dropped a message with mismatched source interface, the binding's not updated, and again this would involve a DHCP request. Here someone has jumped ports on you; they are attempting to now get the DHCP information, but it's not the port that they are supposed to be on. Pretty cool. And finally, DHCP snooping errdisable warning: this is what's going to happen if that rate limit that we set gets violated. Notice administrator intervention is going to be required here, because the port that is being set up for this denial of service type situation, it is going to errdisable. So you could configure errdisable recovery if you wanted to automate that; it's literally errdisable recovery at the command line that you're going to configure, or you, as the administrator, better get ready to go in and solve that situation. What you would do is you would investigate why DHCP requests are coming at such a fast rate; once you've got it investigated and corrected, then you're gonna un-errdisable the particular port that was errdisabled thanks to the violation of the rate limit.

Well, one of the things that Cisco will emphasize in any exam environment, as they should, is they will emphasize the overall guidelines, the guidelines for implementing a particular feature. For DHCP snooping we've got three guidelines, and if I were you, if I was preparing for the certification exam, I would make sure that I make good old-fashioned flashcards, and I like the good old-fashioned kind because I can use them when I'm out of Internet or computer reach. Yeah, get some index cards and make flashcards with your index cards, and now you can use these wherever you are; when you don't have a computer or an iPad or an Android tablet handy, you can just go through your flashcards, and the ones that you memorize, put in a separate pile from the ones that you're still struggling with. As you build these flashcards you can go ahead and utilize what I point out is important information as we go through the course, so now you're making sure you have this repository of information to challenge yourself on, and it is the most important information from a certification standpoint.

All right, our DHCP snooping guidelines. In our multi-switch environment we're going to make sure that we trust those trunk links. Yeah, make sure you trust those trunk links. Remember, a common problem that administrators have when implementing this feature is they know to go to the port that faces the DHCP server and make it trusted, but what they forget to do is the downstream trunks; they forget to go and put them in the appropriate trust state. So we got to make sure that we're getting all the right ports into that appropriate trust state. Remember rate limiting for DHCP starvation, but another very, very important way to guard against that is port security; port security can be even more robust than the DHCP rate limiting feature in order to make sure our DHCP does not fall prey to any starvation type of attacks. Finally, let's make sure we enable Network Time Protocol on our switches. This way the timestamps that are in the DHCP database and lease time durations and things of that nature, they coordinate with the actual correct time. Network Time Protocol is going to be a good idea for this particular security feature and the next one that we talked about and the one after that; I mean, it's just a given that we want to make sure that the time is absolutely accurate on our devices. We said that one of the reasons we are so excited about having this DHCP snooping capability in our infrastructure is that it can go ahead and seed other great security features
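As an added example (not from the video, and not Cisco's code), here is a small Python model of the two decisions the transcript describes DHCP snooping making on an untrusted port (drop server replies; drop a client whose chaddr does not match the frame's source MAC or whose MAC is already bound to another port) together with a triage routine for the four system messages it walks through. The port names, MAC addresses, binding table and syslog lines are constructed sample data, the log wording follows the transcript rather than a capture from a real switch, and the filter logic is a simplification of the switch behaviour meant to show the reasoning, not to reproduce IOS.

```python
"""Added example, not from the StormWind video or from Cisco: a model of the
DHCP snooping checks and log messages described in the transcript.
All names, addresses and log lines below are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the snooping database (what 'show ip dhcp snooping binding' lists)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str    # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK ...
    src_mac: str     # Ethernet source address of the frame
    chaddr: str      # client hardware address carried inside the DHCP payload
    vlan: int
    interface: str   # ingress port


# Messages only a DHCP server sends; an untrusted port must never deliver them.
SERVER_MESSAGES = frozenset({"DHCPOFFER", "DHCPACK", "DHCPNAK"})


def snooping_verdict(pkt, trusted_ports, bindings):
    """Decide forward/drop for one DHCP packet the way the transcript describes.
    Trusted ports pass everything. Untrusted ports drop server replies, drop a
    client whose chaddr differs from the frame's source MAC, and drop a request
    whose MAC is already bound to a different port on the same VLAN.
    Returns (action, mnemonic); mnemonic names the syslog message the switch
    would raise, or None when the packet is forwarded."""
    if pkt.interface in trusted_ports:
        return "forward", None
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop", "DHCP_SNOOPING_UNTRUSTED_PORT"
    if pkt.chaddr.lower() != pkt.src_mac.lower():
        return "drop", "DHCP_SNOOPING_MATCH_MAC_FAIL"
    bound = bindings.get((pkt.vlan, pkt.chaddr.lower()))
    if bound is not None and bound.interface != pkt.interface:
        return "drop", "DHCP_SNOOPING_FAKE_INTERFACE"
    return "forward", None


# Syslog triage: pull severity, mnemonic, offending MAC and interface out of each line.
LOG_RE = re.compile(r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
MAC_RE = re.compile(r"MAC sa: ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
IFACE_RE = re.compile(r"on interface (\S+)")


def triage_syslog(lines):
    """Count each snooping mnemonic, collect the source MACs the switch reported,
    and list the interfaces an ERRDISABLE warning says need an administrator
    (or errdisable recovery) to bring back."""
    summary = {"counts": {}, "offending_macs": set(), "errdisabled": []}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a DHCP snooping message; ignore
        mnemonic = m.group("mnemonic")
        summary["counts"][mnemonic] = summary["counts"].get(mnemonic, 0) + 1
        mac = MAC_RE.search(m.group("text"))
        if mac:
            summary["offending_macs"].add(mac.group(1).lower())
        if mnemonic == "DHCP_SNOOPING_ERRDISABLE_WARNING":
            iface = IFACE_RE.search(m.group("text"))
            if iface:
                summary["errdisabled"].append(iface.group(1))
    return summary


# --- constructed sample data (not captured from a real switch) ---------------
TRUSTED = {"FastEthernet5/1", "FastEthernet5/2"}   # DHCP server port and the trunk
BINDINGS = {
    (500, "0011.2233.4455"): Binding("0011.2233.4455", "10.5.0.20", 500, "FastEthernet5/10"),
}
SAMPLE_LOG = [
    "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.beef",
    "%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 0011.2233.aaaa, MAC sa: 0011.2233.4455",
    "%DHCP_SNOOPING-5-DHCP_SNOOPING_FAKE_INTERFACE: DHCP_SNOOPING drop message with mismatched source interface, the binding is not updated, message type: DHCPREQUEST, MAC sa: 0011.2233.4455",
    "%DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 3 DHCP packets on interface FastEthernet5/12",
]

if __name__ == "__main__":
    rogue_offer = DhcpPacket("DHCPOFFER", "0011.2233.beef", "0011.2233.beef", 500, "FastEthernet5/12")
    print(snooping_verdict(rogue_offer, TRUSTED, BINDINGS))  # ('drop', 'DHCP_SNOOPING_UNTRUSTED_PORT')
    print(triage_syslog(SAMPLE_LOG))
```

The binding table is keyed by (VLAN, MAC) because that is how the transcript describes the database: one IP per MAC per VLAN, tied to the port it was learned on. The triage function only needs the mnemonic and the fields the message already carries, which is the point the instructor makes about these messages being self-explanatory; the ERRDISABLE list is the one that needs a human (or errdisable recovery) to act on.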
Info
Channel: StormWind Studios
Views: 56,143
Rating: 4.884726 out of 5
Keywords: Management, Data, Software, System, Security, Technology, Training, Systems
Id: qYf4zsOSxn4
Length: 33min 4sec (1984 seconds)
Published: Sat Nov 12 2011