IP DHCP snooping – first hop security on IPv4

When we connect customers to an access switch, we immediately face these security threats:

DHCP spoofing – some PC in the network runs a DHCP server. This can even be caused by a wrong configuration of a Windows machine. In this case, some of the computers inside the LAN will connect to the new DHCP server and forward their packets there. It then becomes a man-in-the-middle problem.

DHCP starvation – a flood of DHCP requests that exhausts the DHCP address pool.

ARP spoofing – while DHCP spoofing is often caused by misconfiguration on a PC, ARP spoofing is mainly an attack on L2. The attacker sends ARP messages to PCs with the IP address of a network resource, such as the default gateway or a DNS server, and replaces the MAC address for the corresponding network resource with its own MAC address.

ARP poisoning – the same as ARP spoofing, but adds DDoS features. Instead of pretending to be the gateway and acting as a man in the middle, the attacker can simply drop the packets, denying the clients service to the attacked network resource.

IP spoofing – changing the SRC IP address in outgoing packets. As a result, answers are received by a different IP than the one the request was sent from. It is used a lot for DDoS amplification attacks, but can also be used by an attacker to bypass IP-based authentication in the network.

MAC spoofing – changing the MAC address of a PC. Used for identity masking and for passing MAC-based authentication.

MAC flooding – the attacker floods frames with different SRC MAC addresses. When the CAM table on the switch is full, the switch starts to work as a hub, meaning it sends all frames to all ports.

OK, those are the main types of threats inside a LAN. In an IPv4 environment, IP DHCP snooping, Dynamic ARP Inspection and IP Source Guard are used to prevent all threats except the last one. MAC flooding can be prevented with port security. As I wrote already – it's configured on access switches. Below are the steps to configure first hop security.

IP DHCP SNOOPING
Limits the number of DHCP requests on an interface and also blocks DHCP offers on untrusted ports.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping information option
Switch(config)# ip dhcp snooping vlan 10,20
– apply snooping on all ports inside VLANs 10 and 20

Untrusted interface (with PCs):
Switch(config)# interface fa0/1
Switch(config-if)# ip dhcp snooping limit rate 50
– maximum rate of DHCP requests on the port

Trusted interface (where the DHCP server is located):
Switch(config)# interface fa0/2
Switch(config-if)# ip dhcp snooping trust

An important note: the IP DHCP snooping database (binding table) is used by DAI and IP Source Guard. This means that DAI and IP Source Guard will not work if we don't have DHCP and DHCP snooping enabled inside our network.

DYNAMIC ARP INSPECTION
Has two types of interfaces – trusted and untrusted. Trusted is
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
Switch(config)# ip arp inspection vlan 10,20
– one additional command added to configuration of snooping

IP SOURCE GUARD
Tracks IP address to port associations and dynamically creates a PACL to drop traffic which is not from the DHCP pool.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
Switch(config)# interface fa0/1
Switch(config-if)# ip verify source
– IP source verification is a per-interface command

PORT SECURITY
We can define how many MACs and which MAC addresses can be connected to a certain port.
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address 0000.1111.2222

Sticky mode can also be used – the MAC address learned on the interface is added to port security.
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation protect

Modes of reaction to a port-security violation:

  • Protect – silent mode, no log, just drops frames.
  • Restrict – log + drop frame + send SNMP trap
  • Shutdown – interface is err-disabled + log + SNMP trap (default mode)

The combination of IP source guard and port-security is a strong verification of the IP/MAC combination.
To enable it, run this command on the interface (port-security must be configured):
Switch(config-if)# ip verify source port-security

Show commands:
show ip source binding
show ip verify source
show port-security interface fa0/1
show port-security
show ip dhcp binding
show ip dhcp snooping
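
One way to check a saved running-config for the controls configured above, as an added example (not part of the original post and not a Cisco tool). The sample configuration, the function names vlans and audit, and the finding texts are constructed for illustration; the audit assumes the usual running-config layout with one leading space on interface sub-commands.

```python
import re
# Constructed sample config (not from the page): Fa0/3 and VLAN 30 are flawed on purpose.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20,30
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ip dhcp snooping limit rate 50
 ip verify source port-security
!
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/3
 switchport mode access
 ip verify source port-security
"""

def vlans(cfg, prefix):
    """Expand global lines such as '<prefix> 10,20-22' into a set of VLAN ids."""
    out = set()
    for spec in re.findall(rf"^{re.escape(prefix)} ([\d,\-]+)\s*$", cfg, re.M):
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(cfg):
    """Return findings for a running-config, in the order they are detected."""
    findings = []
    if not re.search(r"^ip dhcp snooping\s*$", cfg, re.M):
        findings.append("global: DHCP snooping is not enabled")
    for v in sorted(vlans(cfg, "ip arp inspection vlan") - vlans(cfg, "ip dhcp snooping vlan")):
        findings.append(f"vlan {v}: DAI enabled but VLAN is not covered by DHCP snooping")
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M):
        lines = {l.strip() for l in body.splitlines()}
        if "switchport mode access" not in lines or "ip dhcp snooping trust" in lines:
            continue  # per-port controls apply to untrusted access ports only
        if not any(l.startswith("ip dhcp snooping limit rate") for l in lines):
            findings.append(f"{name}: no DHCP rate limit")
        if not any(l.startswith("ip verify source") for l in lines):
            findings.append(f"{name}: IP source guard not enabled")
        if "switchport port-security" not in lines:
            findings.append(f"{name}: port-security not enabled")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports VLAN 30 (DAI without snooping) and FastEthernet0/3 (no rate limit, and ip verify source port-security without port-security enabled), while the trusted port fa0/2 is skipped.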