DHCP Snooping

Hello,

We're going to talk about DHCP snooping.

DHCP snooping is a switch feature that prevents our local network users, or any device that should be assigned an IP address, from being served by a suspicious (rogue) DHCP server.


So we first need to understand how the DHCP process works, in order to understand how we can protect our local users and their IP assignments.


There are four steps we need to go through in order to get an IP address from our internal DHCP server or servers:


* First of all, the client sends a DHCP Discover in the form of a broadcast.
* The DHCP server responds to that request with a DHCP Offer.
* Our client accepts the offer by sending back a DHCP Request for the address that was offered.
* The DHCP server sends back an Acknowledgment saying yes, you can go ahead and use that IP; the lease is recorded in the server's database and our user starts working normally on our internal network.

Example:



The problem comes into play when we have multiple DHCP servers on our network. In the real world we should have multiple DHCP servers to ensure failover between them, so that if our primary server is down for some reason the users can ask for IP addresses from the backup server or servers. The client still does its Discover, and all of the servers respond to that Discover and issue an Offer.

The problem is that the client will accept whichever offer it receives first, so in this example, if the green one got there first, that's the only one it would respond to with a DHCP Request.


That DHCP server would then acknowledge the request and record it in its database, and if that particular DHCP server was a rogue, the client has just got a bad address: its traffic may now be black-holed, it may be sent somewhere it's not supposed to go, and things like that...


So what we want to do is mitigate that. Let's pretend this is what we have for a network:



* We have two different switches. The one in our data center we call switch DC.

* We have a DHCP server installed on GE 5/12 of switch DC.

* In our closet we have multiple PCs sitting in VLANs 5 & 6, and let's say we have an uplink port back to switch DC on ge 1/1, which happens to be a trunk.

* Now, switch DC also happens to have multiple VLANs, which I've noted there: 5, 6, 7, 8 and VLAN 15.



There are really three different things we want to do, and it's really easy to set up:

* At the global level, turn on ip dhcp snooping.

* At the interface level, tell the switch which interfaces to trust, in other words which ones we expect to see the DHCP server's responses coming back from. Remember the two we saw the server on; those are the ones we want to trust.

* Finally, tell the switch which VLANs this applies to.


If we take a look at the scenario we just described, here are the things we do on those switches. We first get into switch DC, the one our DHCP server is on, enter configuration mode (configure terminal) and turn snooping on globally with ip dhcp snooping.

Next we go to the interface the server is on, GE5/12, and enter ip dhcp snooping trust.

The last thing is to say which VLANs we want to do DHCP snooping on. You can lump a bunch of them together, which I did here with ip dhcp snooping vlan 5-8,15.


The last thing to do is go down to the closet switch, closet 1. We get into config mode, once again enable ip dhcp snooping globally, and then go into the interface, which in this case is the uplink, because that's where we expect the server's responses to come back from.

Only that uplink is trusted; everything else is untrusted by default. On that interface we enter ip dhcp snooping trust, and since that switch happens to have two VLANs, 5 & 6, we also add ip dhcp snooping vlan 5,6.
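As an added example that is not part of the original post, the following Python models the switch-DC setup above: an IOS-style fragment constructed from the commands described (only GE5/12 trusted, VLANs 5-8 and 15 snooped), a small parser for it, and a filter that drops DHCP Offer/Ack/Nak messages arriving on untrusted ports. The parser, filter and packet builder are a simplified model of what the switch does, not Cisco code, and the port GigabitEthernet2/3 used below as an untrusted user port is an assumption.

```python
# Simplified model of DHCP snooping for the switch-DC scenario in the post.
# Constructed example, not Cisco code: the IOS fragment mirrors the post's commands.

SWITCH_DC_CONFIG = """
ip dhcp snooping
ip dhcp snooping vlan 5-8,15
interface GigabitEthernet5/12
 ip dhcp snooping trust
"""
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie at offset 236 of the BOOTP frame
SERVER_MSGS = {2, 5, 6}       # option 53 values only a server sends: OFFER, ACK, NAK

def parse_snooping(config):
    """Return (enabled, snooped_vlans, trusted_ports) from an IOS-style config."""
    enabled, vlans, trusted, current = False, set(), set(), None
    for line in (l.strip() for l in config.splitlines()):
        if line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            for part in line.split()[-1].split(","):   # "5-8,15" -> 5..8 and 15
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "ip dhcp snooping trust" and current:
            trusted.add(current)
    return enabled, vlans, trusted

def build_dhcp(op, msg_type):
    """Constructed minimal DHCP packet: BOOTP op, zeroed fixed fields, option 53."""
    return bytes([op, 1, 6, 0]) + b"\x00" * 232 + MAGIC + bytes([53, 1, msg_type, 255])

def dhcp_message_type(pkt):
    """Walk the option TLVs starting at offset 240 and return option 53's value."""
    i = 240
    while i < len(pkt) and pkt[i] != 255:     # 255 = end option
        if pkt[i] == 53:
            return pkt[i + 2]
        i += 1 if pkt[i] == 0 else 2 + pkt[i + 1]   # pad option has no length byte
    raise ValueError("no DHCP message type option")

def snoop(config, ingress_port, vlan, pkt):
    """Forward or drop a DHCP packet seen on ingress_port in vlan, per the config."""
    enabled, vlans, trusted = parse_snooping(config)
    if not enabled or vlan not in vlans:
        return "forward"    # VLAN not snooped: a rogue offer here would get through
    if (pkt[0] == 2 or dhcp_message_type(pkt) in SERVER_MSGS) and ingress_port not in trusted:
        return "drop"       # server reply arriving on an untrusted port: rogue DHCP
    return "forward"
```

The VLAN-20 case in the test shows the caveat a practitioner should check for: a VLAN left off the ip dhcp snooping vlan list gets no protection at all, even with snooping enabled globally.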
