2009, Cisco Systems, Inc. All rights reserved.
T1: 1/2 of the lease has been used. T2: 7/8 of the lease has been used.
DHCP Release
Sent out as Layer 2.
DHCP Request: the client broadcasts to the preferred server; an implicit decline to others. The server assigns an IP (DHCP ACK) or rejects the request from the client (DHCP NACK). DHCP Decline: address already in use.
NOTE: The reply from server may contain not only the client's Layer 3 address (IP Address) but also other important configuration parameters such as the subnet mask, default router and Domain Name System (DNS) server. The DHCP ACK contains all the necessary IP/Lease parameters (DNS server, WINS server, NetBIOS Node type, domain name, T1/T2 timers, Gateway, etc.).
DHCP Offer (server-to-client)
Duplicate packets??
Why do you think my laptop was sent TWO DHCP Offers?
DHCP ACK (server-to-client)
Client messages: Discover; Request (4 kinds: selecting, renew, rebind, Init/Reboot); Decline; Release; Inform.
Server messages: Offer; ACK; NAK.
Message / Use:
DHCPOFFER: Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST: Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK: Server to client with configuration parameters, including committed network address.
DHCPNAK: Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
DHCPDECLINE: Client to server indicating network address is already in use. Example: self-ARP detects offered IP address is already in use.
DHCPRELEASE: Client to server relinquishing network address and cancelling remaining lease.
[Diagram: DHCP Server on 10.1.1.0/24; Client-B and Client-C on 10.1.2.0/24 reach it through an IP Helper on the intermediate router (.1, .2)]
[Figure: DHCP message header layout (bit offsets 0, 16, 32): OP Code (1), HTYPE (1), HLEN (1), HOPS (1); TRANSACTION ID (4); SECONDS (2), UNUSED (2); ...; SERVER IP ADDRESS (4)]
Description of fields in a DHCP message (FIELD, OCTETS: DESCRIPTION):
op, 1: Message op code / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY.
htype, 1: Hardware address type, see ARP section in "Assigned Numbers" RFC; e.g., '1' = 10mb ethernet.
hlen, 1: Hardware address length (e.g. '6' for 10mb ethernet).
hops, 1: Client sets to zero, optionally used by relay agents when booting via a relay agent.
xid, 4: Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.
secs, 2: Filled in by client, seconds elapsed since client began address acquisition or renewal process.
flags, 2: Flags.
ciaddr, 4: Client IP address; filled in by the client in BOUND, RENEW requests.
yiaddr, 4: 'your' (client) IP address.
siaddr, 4: IP address of next server to use in bootstrap; returned in DHCPOFFER, DHCPACK by server.
giaddr, 4: Relay agent IP address, used in booting via a relay agent.
chaddr, 16: Client hardware address.
sname, 64: Optional server host name, null terminated string.
[Diagram: the Victim's DHCP Discovery Broadcast is answered with a DHCP Offer by an Attacker at 192.168.1.122]
Do I Trust You?
DHCP Snooping relies on correct identification of Trusted and Untrusted ports. Default = All Ports Untrusted.
[Diagram: Routers, Servers and the DHCP Server sit behind the one Trusted port; every other port is untrusted]
DHCP Snooping
- Switch forwards DHCP requests from untrusted access ports only to Trusted ports. All other types of DHCP traffic from untrusted access ports dropped.
- If network DHCP server not local to the switch, trust the uplink port.
- Optional insertion and removal of DHCP option 82 data into/from DHCP messages.
- Building a DHCP binding table containing client IP address, client MAC address, port, VLAN number.
- DoS attack on DHCP server is prevented by rate limiting DHCP packets per access port.
[Diagram: a DHCP Offer arriving on an untrusted port]
DHCP Binding Table
- Contains binding entries for local untrusted ports only.
- Includes both static entries and dynamic entries learned via DHCP gleaning.
Entry layout: MAC Address (6 bytes), IP Address (4 bytes), Lease Timer (4 bytes), VLAN Id (2 bytes), Port (4 bytes), Binding Type (4 bytes).
[Diagrams (slides 15-18): DHCP Release, DHCP Lease Query and ANY DHCP message flows between the untrusted ports, the trusted port and the DHCP Server; a DHCP Offer, DHCP Ack, DHCP Nack or DHCP Lease Query arriving on an untrusted port is DROPPED!!]
[Diagram: a hacker (SRC MAC = BB) attempts to impersonate you (SRC MAC = AA) and release your IP address]
What is prevented (No relay for YOU!!)
DROPPED!! DHCP packet with non-zero giaddr field.
[Diagram: Untrusted port 3/1, Untrusted port 3/3, one trusted port]
DHCP Relay packet dropped!!
[Diagram: Customer-B behind Switch-B port 2/1 (Vlan-3); a DHCP Relay Agent (int vlan 3, ip add 3.3.3.3) forwards the DHCP Discover with Giaddr = 3.3.3.3 over the Untrusted Interface to the Aggregation Switch port 3/25 running DHCP Snooping, toward the DHCP Server]
Aggregation Switch with DHCP Snooping enabled drops DHCP packet on untrusted port with non-zero giaddr field.
The Solution:
DHCP Snooping - Configuration
[Diagram: DHCP Discover from Customer-B enters the Edge Switch on port 2/1 and is forwarded through the Relay Agent(s) to the DHCP Server]
Ensure that DHCP Server and the Relay Agent (if it exists) are already fully functional before you configure DHCP Snooping.
Configure this on ports leading to trusted DHCP Servers or on uplink ports to Aggregation Switches.
[Diagram: the same Edge Switch topology, Customer-B now on port 2/0/1]
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Prevents DHCP DoS attacks that would overwhelm the DHCP Server.
DHCP Snooping can also be configured on Private VLANs. Must configure only on the Primary VLAN; it will be dynamically propagated to all Secondary VLANs. No way (currently) to have different DHCP Snooping configurations applied to Secondary VLANs all residing under the same Primary VLAN.
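The forwarding rules, binding table, relay-agent drop and rate limit described on the preceding slides, as an added Python model (not Cisco's code and not part of the original deck). Port names and MAC addresses are constructed; the source-MAC/chaddr check and the rule that only the port holding a binding may release it are assumptions drawn from the impersonation slide, and the Option-82 allow-untrusted flag anticipates the caveat slide later in the deck.

```python
from dataclasses import dataclass, field

# Added model (not Cisco code) of the DHCP snooping rules on these slides:
# client messages from untrusted ports go only toward trusted ports; server
# messages, relay packets (non-zero giaddr) and, by default, Option-82-tagged
# packets on untrusted ports are dropped; ACKs build bindings; rate limiting.

SERVER_MSGS = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str
    src_mac: str                 # Ethernet source MAC
    chaddr: str                  # client hardware address in the DHCP header
    giaddr: str = "0.0.0.0"      # non-zero only when a relay agent filled it in
    yiaddr: str = "0.0.0.0"      # address assigned by the server (OFFER/ACK)
    lease: int = 0
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    rate_limit: int = 100                  # pps per untrusted port ("limit rate 100")
    allow_untrusted_opt82: bool = False    # "information option allow-untrusted"
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> (ip, lease, port)
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port

    def decide(self, port, vlan, pkt, pps=1):
        """Return 'forward', 'forward-to-trusted' or 'drop:<reason>'."""
        key = (pkt.chaddr, vlan)
        if port in self.trusted_ports:
            # Server side: an ACK populates the binding table for the client's port.
            if pkt.msg_type == "ACK" and key in self.pending:
                self.bindings[key] = (pkt.yiaddr, pkt.lease, self.pending.pop(key))
            return "forward"
        if pps > self.rate_limit:              # DoS protection on the access port
            return "drop:rate-limit"
        if pkt.msg_type in SERVER_MSGS:        # OFFER/ACK/NAK/LEASEQUERY never from a client
            return "drop:server-message-on-untrusted"
        if pkt.giaddr != "0.0.0.0":            # "No relay for YOU!!"
            return "drop:nonzero-giaddr"
        if pkt.has_option82 and not self.allow_untrusted_opt82:
            return "drop:option82-on-untrusted"
        if pkt.src_mac != pkt.chaddr:          # assumption: impersonation check (SRC MAC BB vs AA)
            return "drop:mac-mismatch"
        if pkt.msg_type in ("RELEASE", "DECLINE"):
            # assumption: only the port holding the binding may release/decline it
            bound = self.bindings.get(key)
            if bound is None or bound[2] != port:
                return "drop:release-without-binding"
            del self.bindings[key]
            return "forward-to-trusted"
        self.pending[key] = port               # remember where the client lives
        return "forward-to-trusted"


def demo():
    """One client exchange plus the attacks shown on the slides; returns (decisions, switch)."""
    sw = SnoopingSwitch(trusted_ports={"3/25"})
    mac, server, rogue = "00aa.bbbb.cccc", "0011.2233.4455", "00de.adbe.ef00"  # constructed
    out = {}
    out["discover"] = sw.decide("2/1", 3, DhcpPacket("DISCOVER", mac, mac))
    out["ack"] = sw.decide("3/25", 3, DhcpPacket("ACK", server, mac, yiaddr="10.1.2.50", lease=86400))
    out["rogue_offer"] = sw.decide("2/2", 3, DhcpPacket("OFFER", rogue, mac, yiaddr="10.1.2.99"))
    out["relay"] = sw.decide("2/1", 3, DhcpPacket("DISCOVER", mac, mac, giaddr="3.3.3.3"))
    out["spoofed_release"] = sw.decide("2/2", 3, DhcpPacket("RELEASE", "00bb.bbbb.bbbb", mac))
    out["release_wrong_port"] = sw.decide("2/2", 3, DhcpPacket("RELEASE", mac, mac))
    out["flood"] = sw.decide("2/3", 3, DhcpPacket("DISCOVER", "00cc.cccc.cccc", "00cc.cccc.cccc"), pps=500)
    return out, sw
```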
DHCP Snooping Verification
DHCP Relay Agent
Best practice is to store DHCP Binding Database externally to the switch.
If stored locally in flash/bootflash, database must be erased and re-written for every new entry. CPU intensive; can lock up the switch.
If switch crashes or reloads, all entries / lease info lost and can kill the DHCP Snooping process.
Switch(Config)# ip dhcp snooping database tftp://192.168.1.1/Snoop-data.dhcp
Switch(Config)# ip dhcp snooping database write-delay 15
Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
DHCP Relay Agent Caveat
From the Cisco documentation:
For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
What will you see if you DON'T have a 0-byte file to start with??
Cat3750# show ip dhcp snooping database
Agent URL : tftp://192.168.1.1/Snoop-data.dhcp
Meaning: The switch cannot create this file from scratch. The server must already contain a 0-byte file with this name for this to work.
Restricting Allocated Addresses
Customer's Challenge:
1. How can I ensure that each switch is only allocated a maximum of X addresses from my DHCP Pool?
2. How can I ensure that port 2/1 on Switch-B is only allocated a maximum of X addresses from my DHCP Pool?
3. What if someone in Customer-C's network is attempting a DHCP DoS attack (sending multiple DHCP Discover/Request messages to completely exhaust the DHCP Address Pool)? How can I prevent that?
[Diagram: Aggregation Switch with DHCP Server; Switch-A/Customer-A, Switch-B (ports 4/1, 2/1)/Customer-B, Switch-C/Customer-C, Switch-D/Customer-D]
DHCP Option-82
[Diagram: DHCP packets with Option-82 inserted by Switch-A, Switch-B (ports 4/1, 2/1), Switch-C and Switch-D for Customers A-D, forwarded through the Aggregation Switch to the DHCP Server]
1. This option gives descriptive information about the device/port that received the DHCP message.
2. Option-82 allows trusted access devices to insert this option into (and remove from) DHCP Packets.
DHCP Option-82
[Diagram: DHCP Discover from Customer-B enters Switch-B port 2/1 (Vlan-3); Switch-B inserts Option-82 with Remote-id = 02-aa-11-11-22-11 and Circuit-id = 3-2-1 and forwards it via the Aggregation Switch to the DHCP Server, which can then only allow a maximum of X addresses for that combination of Remote-ID and Circuit-ID]
1. Switch adds Remote-ID and Circuit-ID sub-options into Option82 data. Circuit-ID default is port identifier in the format vlan-mod-port.
2. ip dhcp snooping vlan vlan-id information option format-type circuit-id string ASCII-string
(Optional) Configure the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).
DHCP Option-82 Technical Details
Debug ip dhcp snooping packet
Circuit-ID information:
0x1 = Suboption type specifying Circuit-ID
0x6 = Total Length of Circuit-ID
0x0 = Circuit-ID Type field
0x4 = Length of the Circuit-id (VLAN + Module + Port)
0x0 = First Byte of Circuit-ID (unused in this case since VLAN-1 will be contained in the second byte, but this field would be a non-zero number if representing any VLAN above VLAN-255)
0x1 = VLAN-1
0x3 = Slot-3
0x6 = Port-6
Remote-ID information immediately follows:
0x2 = Suboption Type for Remote-ID
0x8 = Total Length (in bytes) of Remote-ID
0x0 = Remote-id Type
0x6 = Remote-id Length (Length of the MAC Address of the switch, used by default)
followed by the MAC Address
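An added decoder (not Cisco's code, not part of the deck) for the Option-82 sub-option bytes laid out above in Cisco's default format: circuit-id type 0 carrying VLAN/module/port and remote-id type 0 carrying the switch MAC. The sample options field is constructed from the slide values (VLAN 3, module 2, port 1, remote-id 02-aa-11-11-22-11); a circuit-id configured as an ASCII string is kept raw rather than decoded.

```python
import struct

# Added decoder (not Cisco code) for the Option-82 sub-option bytes in the
# debug output above, using Cisco's default formats:
#   circuit-id: 01 <len 6> 00 <len 4> <VLAN, 2 bytes> <module> <port>
#   remote-id : 02 <len 8> 00 <len 6> <switch MAC, 6 bytes>

OPTION_82, SUB_CIRCUIT_ID, SUB_REMOTE_ID = 82, 1, 2


def decode_option82(data):
    """Parse the sub-options of one Option 82 value (the option's payload only)."""
    result, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option %d claims %d bytes past the end" % (code, length))
        i += 2 + length
        fmt_type, inner_len = (body[0], body[1]) if len(body) >= 2 else (None, None)
        if code == SUB_CIRCUIT_ID and fmt_type == 0 and inner_len == 4 and len(body) == 6:
            # The VLAN occupies two bytes: the first is non-zero only above VLAN-255.
            vlan, module, port = struct.unpack("!HBB", body[2:6])
            result["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        elif code == SUB_REMOTE_ID and fmt_type == 0 and inner_len == 6 and len(body) == 8:
            result["remote_id"] = "-".join("%02x" % b for b in body[2:8])
        else:
            # Configured ASCII circuit-id strings or other vendors' formats: keep raw.
            result.setdefault("raw", []).append((code, body.hex()))
    return result


def find_option82(options):
    """Walk a DHCP options field (after the magic cookie) and return the Option 82 payload."""
    i = 0
    while i < len(options):
        tag = options[i]
        if tag == 0:                 # pad
            i += 1
            continue
        if tag == 255:               # end
            return None
        length = options[i + 1]
        if tag == OPTION_82:
            return options[i + 2:i + 2 + length]
        i += 2 + length
    return None


# Constructed sample options field: message type DISCOVER, then Option 82 with
# circuit-id vlan 3 / module 2 / port 1 and remote-id 02-aa-11-11-22-11 (the
# values on the Option-82 slides), then the end option.
SAMPLE_OPTIONS = bytes.fromhex(
    "350101"                         # option 53, length 1, DHCPDISCOVER
    "5212"                           # option 82, length 18
    "01060004" "0003" "02" "01"      # circuit-id: type 0, len 4, VLAN 3, mod 2, port 1
    "02080006" "02aa11112211"        # remote-id: type 0, len 6, switch MAC
    "ff"                             # end
)
```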
DHCP Option-82 Caveats
[Diagram: DHCP Discover from Customer-B through Switch-B (Option-82: Remote-id = 02-aa-11-11-22-11, Circuit-id = 3-2-1) and the Aggregation Switch to the DHCP Server, which asks "What the heck is THAT??"]
1. DHCP Servers must be configured to recognize and respond in some way to DHCP Option-82, otherwise packets may be dropped.
2. Switches receiving DHCP messages containing Option-82 will DROP THEM if received on an untrusted interface!! The solution for aggregation switches:
Switch(config)# ip dhcp snooping information option
This is the DEFAULT setting. Remove it if unsupported by the DHCP Server.
Switch(config)# ip dhcp snooping information option allow-untrusted
MIM (Man in the Middle)
[Diagram sequence (slides 33-38): Router R and a Host each keep an ARP Cache mapping IPA/IPB to MACA/MACB; Malicious Host M overwrites the entry for IPB with MACM in the caches so that traffic between Router R and the Host passes through M]
DoS Attack: Attacking the default gateway
[Diagram sequence (slides 39-43): Router R (MACR) connects the Layer 3 Network and the DHCP Server to hosts IPA (MACA) and IPB (MACB); after IPA's ARP Request, Malicious Host M replaces the ARP Cache entry for the default gateway (MACR) with MACM, so User Traffic for the gateway is misdirected]
Avaya demonstrated a variation of ARP poisoning at their customer briefing center using Cisco gear
Record Data: After intercepting a network connection, packets containing G.711 voice data are collected and the phone conversation is recorded and then replayed.
Stealing Passwords [Diagram: Victim and Email Server]
Demonstrated live to Cisco senior executives in the Cisco network. Tools are publicly available with GUI and bi-directional spoofs: Ettercap and Dsniff. Easily taught in 5 minutes.
Dynamic ARP Inspection
- Switch intercepts all ARP requests and replies on the untrusted access ports.
- Each intercepted packet is verified for valid IP-to-MAC binding.
- A solution with no change to the end user or host configurations.
- Relies on same concepts of Trusted and Untrusted ports as DHCP Snooping. Ports are untrusted by default.
[Diagram: a Gratuitous ARP on an untrusted port is checked against the binding]
ARP Inspection Procedure (flowchart)
Trusted I/F? Yes: forward valid ARP packet. No: continue.
Ethernet & IPv4? No: drop & log invalid ARP packet. Yes: continue.
Match ARP ACL? Yes: apply the entry's Action (Deny: drop & log invalid ARP packet; Permit: forward valid ARP packet). No: verify the IP-to-MAC binding (valid: forward valid ARP packet; invalid: drop & log invalid ARP packet).
ARP Inspection Overview
An ARP request/response packet is considered valid if it meets the following criteria:
1) Mandatory: Sender <MAC, IP, VLAN> triplet is valid
2) Optional: Sender MAC == Source MAC
3) Optional (for ARP response): Target MAC == Destination MAC
[Figure: frame fields checked: 0x0806 (ARP), 0x01 (Ethernet), 0x0800 (IPv4)]
Basic DAI Configuration
Two Design Methodologies:
1. Leave all edge ports as Untrusted. Configure DAI on every switch in the network.
2. Trust all interfaces connected to networking devices (routers, switches, etc). Configure DAI on all Edge switches (assuming that hosts are only connected to Edge switches).
Cat6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat6500(config)# ip arp inspection vlan 1-12
Cat6500(config)# interface fastethernet3/25
Cat6500(config-if)# ip arp inspection trust
Cat6500(config-if)# end
DAI in action!! (1)
[Diagram: DAI-enabled Switch (6500); a host with a DHCP-given address of 1.1.1.1 on VLAN-1 port 3/6; a router's Fa0/0, configured with 1.1.1.1, on VLAN-1 port 3/7, Admin Shut]
DAI in action!! (2)
As soon as the router's FastEthernet interface comes up it will perform gratuitous ARP. Let's see what happens!!
DAI in action!! (3)
Gratuitous ARP from ...
DAI for non-DHCP hosts
Notice that in this example, the router has been given a valid, static address of 1.1.1.6/24. But because it is connected to an untrusted port and does not participate in DHCP, nobody can ARP for it!
[Diagram: DAI-enabled Switch (6500), VLAN-1 ports 3/6 (host with DHCP-given address of 1.1.1.1) and 3/7 (router)]
DAI for non-DHCP hosts (2)
The Solution: ARP Access-List
[Diagram: ARP ACL entry fields: Sender of ARP Response, any target IP address, Sender's MAC address, any target MAC address; same VLAN-1 topology on the DAI-enabled Switch (6500), ports 3/6 and 3/7]
ARP ACL Example
Configuring ARP ACL:
(Config)# arp access-list arp_acl_1
(config-arp-nacl)# permit ip host 10.1.1.1 mac host 0000.0001.0002
(config-arp-nacl)# permit ip 10.1.1.0 0.0.0.255 mac any
(config-arp-nacl)# deny ip any mac any
"ip" will apply to both ARP requests and responses. Alternatively you can also specify Request or Response.
Applying ARP ACL to a VLAN:
(config)# ip arp inspection filter arp_acl_1 vlan 5
or
(config)# ip arp inspection filter arp_acl_1 vlan 5 static
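The DAI flowchart (Trusted I/F?, Ethernet & IPv4?, Match ARP ACL?, Action?), the mandatory binding check and optional MAC checks from the overview, and the ARP ACL syntax above, as one added Python model that is not Cisco's code and not part of the deck. The class and field names are assumptions; an ACL entry such as AclEntry("permit", "host 10.1.1.1", "host 0000.0001.0002") stands for the first line of arp_acl_1, and bindings are the <MAC, IP, VLAN> triplets DHCP snooping would have learned.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Added model (not Cisco code) of the DAI procedure on these slides: trusted
# interface -> forward; only Ethernet/IPv4 ARP is inspected; a matching ARP ACL
# entry is final (permit or deny); otherwise the sender <MAC, IP, VLAN> triplet
# must exist in the DHCP snooping bindings, then the optional MAC checks apply.

ETHERTYPE_ARP, HTYPE_ETHERNET, PTYPE_IPV4 = 0x0806, 0x0001, 0x0800
REQUEST, RESPONSE = 1, 2


@dataclass
class ArpPacket:
    src_mac: str                      # Ethernet header source / destination
    dst_mac: str
    opcode: int                       # REQUEST or RESPONSE
    sender_mac: str                   # ARP body
    sender_ip: str
    target_mac: str = "0000.0000.0000"
    ethertype: int = ETHERTYPE_ARP
    hw_proto: tuple = (HTYPE_ETHERNET, PTYPE_IPV4)   # ARP htype / ptype fields


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    ip: str                           # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    mac: str                          # "any" or "host xxxx.xxxx.xxxx"
    opcodes: tuple = (REQUEST, RESPONSE)   # "ip" covers both; request/response narrows it

    def matches(self, pkt):
        if pkt.opcode not in self.opcodes:
            return False
        if self.ip != "any":
            word, value = self.ip.split()
            if word == "host":
                if pkt.sender_ip != value:
                    return False
            else: # wildcard mask: 1-bits are don't-care
                net, wild = int(ip_address(word)), int(ip_address(value))
                if int(ip_address(pkt.sender_ip)) & ~wild != net & ~wild:
                    return False
        return self.mac == "any" or pkt.sender_mac == self.mac.split()[1]


@dataclass
class DaiSwitch:
    trusted_ports: set
    bindings: set = field(default_factory=set)   # {(mac, ip, vlan)} learned by DHCP snooping
    acls: dict = field(default_factory=dict)     # vlan -> [AclEntry, ...] ("ip arp inspection filter")

    def inspect(self, port, vlan, pkt, check_src=True, check_dst=True):
        """Return 'forward' or 'drop:<reason>'; the switch also logs every drop."""
        if port in self.trusted_ports:
            return "forward"
        if pkt.ethertype != ETHERTYPE_ARP or pkt.hw_proto != (HTYPE_ETHERNET, PTYPE_IPV4):
            return "drop:not-ethernet-ipv4-arp"
        for entry in self.acls.get(vlan, []):     # first matching ACL entry decides
            if entry.matches(pkt):
                return "forward" if entry.action == "permit" else "drop:acl-deny"
        if (pkt.sender_mac, pkt.sender_ip, vlan) not in self.bindings:
            return "drop:no-binding"              # mandatory <MAC, IP, VLAN> check
        if check_src and pkt.sender_mac != pkt.src_mac:
            return "drop:sender-mac-ne-source-mac"
        if check_dst and pkt.opcode == RESPONSE and pkt.target_mac != pkt.dst_mac:
            return "drop:target-mac-ne-destination-mac"
        return "forward"
```

A VLAN with no ACL (the 1.1.1.x examples) falls straight through to the binding check, which is why the statically addressed router is dropped until an ARP ACL or a trusted port covers it.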
Rate-Limiting of ARP traffic
ARP packets are rate-limited to prevent a denial-of-service attack on Untrusted interfaces. Default is 15 pps. Trusted interfaces are not rate-limited.
(config-if)# ip arp inspection limit <x> to raise or lower this limit. Exceeding the limit causes the interface to be placed into Errdisable state.
The End
2002, Cisco Systems, Inc. All rights reserved.