Hi!
Below you will see my post about IP DHCP snooping in English. I don't have much experience writing in English, so you have to forgive me ;) It would be great if you could correct me to make this post better :)
In my opinion Cisco devices are not used to 100%. It often happens that a company buys a very expensive device and then uses it like an ordinary cheap switch. Cisco gives us unbelievable possibilities, such as protecting against some unpredictable surprises. One example of such a surprise is a rogue DHCP server in our network. It doesn't matter whether the rogue DHCP server got into our network because a user installed the service on their own computer or because an admin installed a server for testing. A network administrator must protect against these unwanted situations, especially when we have such advanced tools as Cisco devices.
OK, let's start from the beginning.
This is the first command, which turns on DHCP request filtering:
Config)# ip dhcp snooping
Next we must specify which VLAN we want to filter:
Config)# ip dhcp snooping vlan xx
In the next steps we will see very interesting commands. When we use the DHCP agent option, the switch starts looking for information about the IP binding in the data included in option 82. Unfortunately not every DHCP server sends option 82 information, and then the switch starts blocking requests, especially when you are using a DHCP relay agent. Using this command we force the switch not to look for information put into option 82:
Config)# no ip dhcp snooping information option
There is also an option to force the switch to put its own option 82 information into the DHCP packets:
Config)# ip dhcp snooping information option
I read somewhere on the internet that when we have a gateway VLAN interface set on the switch we must put the commands below on this interface:
Config-if)# ip helper-address 10.128.0.11
Config-if)# ip dhcp relay information trusted
Don't forget to put the trust command on the interface where the DHCP server is connected:
Config-if)# ip dhcp snooping trust
We must remember that when we use this command on a trunk interface to another switch, it means we let in all DHCP packets from every DHCP server connected to that other switch, even if one of those DHCP servers is illegal. This is the reason we must set ip dhcp snooping on all switches connected in our network.
Using ip dhcp snooping we can also defend against floods of DHCP requests that could deplete our IP address pool. Put this command on the interface connected to each host with parameter 5. Parameter 5 means how many DHCP requests per second the port can receive:
Config-if)# ip dhcp snooping limit rate 5
In the end, the show command shows which MAC address got which IP address. The switch gathers this information itself from the DHCP request packets received from the port where the ip dhcp snooping trust option is turned on:
Switch# show ip dhcp snooping binding
MacAddress       IP Address   Lease (seconds)  Type     VLAN  Interface
---------------  -----------  ---------------  -------  ----  ---------------
0000.0100.0201   10.0.0.1     1600             dynamic  100   FastEthernet2/1
When our DHCP snooping is working, we can implement IP ARP inspection. MAC addresses and IP addresses will then be checked against the binding table built from the DHCP server:
Config)# ip arp inspection vlan xxx
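As an added check that is not part of the original post, here is a small Python script that reads an IOS running-config and flags ports that contradict the setup above: a trusted trunk (so the neighbour switch must run snooping too), a trusted host port, a host port without a rate limit, and a host VLAN not covered by ip dhcp snooping vlan. The sample config and the interface names in it are constructed.

```python
# Constructed sample config (not from the post); Gi1/0/1 is the assumed uplink trunk, Gi1/0/2-3 host ports.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface Gi1/0/1
 switchport mode trunk
 ip dhcp snooping trust
interface Gi1/0/2
 switchport access vlan 100
 ip dhcp snooping limit rate 5
interface Gi1/0/3
 switchport access vlan 200
 ip dhcp snooping trust
"""

def parse_config(config):
    """Split an IOS config into global lines and {interface: [sub-lines]}."""
    globals_, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and not line.startswith("!"):
                globals_.append(line.strip())
    return globals_, interfaces

def audit(config):
    """Flag settings that contradict the snooping setup described in the post."""
    globals_, interfaces = parse_config(config)
    findings = [] if "ip dhcp snooping" in globals_ else ["global: ip dhcp snooping is not enabled"]
    prefix = "ip dhcp snooping vlan "
    snooped = {v.strip() for l in globals_ if l.startswith(prefix) for v in l[len(prefix):].split(",")}
    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        trunk = "switchport mode trunk" in lines
        limited = any(l.startswith("ip dhcp snooping limit rate") for l in lines)
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), None)
        checks = [
            (trusted and trunk, "trusted trunk: the neighbour switch must run snooping too"),
            (vlan and trusted, "host port is trusted; a DHCP server here would be accepted"),
            (vlan and not limited, "host port has no ip dhcp snooping limit rate"),
            (vlan and vlan not in snooped, f"access VLAN {vlan} is not covered by ip dhcp snooping vlan"),
        ]
        findings += [f"{name}: {msg}" for ok, msg in checks if ok]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the trusted trunk on Gi1/0/1 and three findings on Gi1/0/3; Gi1/0/2 is configured as the post recommends and produces none.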
And here we are. We have secured the network against a problem which, in the very optimistic case, only blocks our network traffic. In the worst scenario a rogue DHCP server can be used for stealing some important data. It takes only 5 minutes to implement this, but we gain defence against some serious danger.
All of this is in the link below:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.html