CCNP Exam Prep Tips and Must Knows about DHCP Snooping

Things You Need to Know about DHCP Snooping

DHCP Attacks

  • An attacker sets up a rogue DHCP server
  • An attacker replies to a valid client DHCP request
  • An attacker assigns IP configuration information that establishes a rogue device as a client default gateway
  • An attacker floods the DHCP server with requests

DHCP Snooping

  • Allows the configuration of ports as trusted or untrusted
  • Untrusted ports cannot forward DHCP replies
  • Configure DHCP trust on the uplinks to a DHCP server
  • Do not configure DHCP trust on client ports
  • Switch(config)# ip dhcp snooping
  • Switch(config)# ip dhcp snooping information option
  • Switch(config)# ip dhcp snooping vlan 10,20
  • Switch(config)# interface fa0/1
  • Switch(config-if)# switchport access vlan 10
  • Switch(config-if)# ip dhcp snooping limit rate 50
  • Switch(config)# interface fa0/24
  • Switch(config-if)# switchport mode trunk
  • Switch(config-if)# switchport trunk allowed vlan 10,20
  • Switch(config-if)# ip dhcp snooping trust

ARP Poisoning

  • Host A sends an ARP request for MAC address of default gateway
  • Default gateway replies with its MAC and IP address; DG also updates its ARP cache
  • Host A binds MAC address of DG to DG’s IP address
  • Attacker sends ARP binding its own MAC address with the IP address of the DG
  • Host A now binds the attacker's MAC address to the DG's IP address, and the DG binds the attacker's MAC address to host A's IP address
  • Packets are now diverted through the attacker

Dynamic ARP Inspection (DAI)

  • Protect against ARP poisoning
  • Uses DHCP Snooping binding table (DHCP Snooping is required for DAI)
  • Tracks IP-to-MAC bindings from DHCP transactions
  • Drops gratuitous ARPs
  • Stops ARP poisoning and man-in-the-middle attacks
  • Rate-limits ARP requests from client ports
  • Untrusted ports undergo DAI validation

Configuring DAI

  • Switch(config)# ip dhcp snooping
  • Switch(config)# ip dhcp snooping vlan 10,20
  • Switch(config)# ip arp inspection vlan 10,20
  • Switch(config)# interface fa0/1
  • Switch(config-if)# switchport access vlan 10
  • Switch(config-if)# ip dhcp snooping limit rate 50
  • Switch(config)# interface fa0/24
  • Switch(config-if)# switchport mode trunk
  • Switch(config-if)# switchport trunk allowed vlan 10,20
  • Switch(config-if)# ip dhcp snooping trust
  • Switch(config-if)# ip arp inspection trust

IP Source Guard

  • Protects against spoofed IP addresses
  • Uses the DHCP snooping binding table (DHCP Snooping must be enabled)
  • Tracks IP addresses to port associations
  • Dynamically programs port ACLs to drop traffic not originating from an IP address assigned via DHCP

Configuration with DHCP Snooping, DAI, and Source Guard:

  • Switch(config)# ip dhcp snooping
  • Switch(config)# ip dhcp snooping vlan 10,20
  • Switch(config)# ip arp inspection vlan 10,20
  • Switch(config)# interface fa0/1
  • Switch(config-if)# switchport access vlan 10
  • Switch(config-if)# ip dhcp snooping limit rate 50
  • Switch(config-if)# ip verify source port-security
  • Switch(config)# interface fa0/24
  • Switch(config-if)# switchport mode trunk
  • Switch(config-if)# switchport trunk allowed vlan 10,20
  • Switch(config-if)# ip dhcp snooping trust
  • Switch(config-if)# ip arp inspection trust
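To make the interplay of the three features concrete, here is an added example (not from the original page and not Cisco code) that models the decisions an access switch makes under the DHCP Snooping, DAI and IP Source Guard sections above: server-side DHCP messages are refused on untrusted ports, the binding table is learned from REQUEST/ACK pairs, the rate limit err-disables a flooding port, and ARP and IP packets on untrusted ports are checked against the bindings. The topology (fa0/24 trusted trunk, fa0/1-fa0/3 client ports), the MAC and IP addresses and the `SnoopingSwitch` class are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample topology, mirroring the configuration above:
# fa0/24 is the trunk toward the DHCP server (trusted); fa0/1-fa0/3 are client ports.
TRUSTED_PORTS = {"fa0/24"}
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Hypothetical model of the switch's DHCP snooping / DAI / IP Source Guard logic."""

    def __init__(self, trusted_ports, dhcp_rate_limit=50):
        self.trusted = set(trusted_ports)
        self.dhcp_rate_limit = dhcp_rate_limit      # per untrusted port, per second
        self.bindings = {}                          # (vlan, mac) -> Binding
        self.pending = {}                           # (vlan, mac) -> client port awaiting ACK
        self.dhcp_seen = defaultdict(int)           # port -> DHCP packets this interval
        self.err_disabled = set()

    # --- DHCP snooping -----------------------------------------------------
    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """Decide whether a DHCP message is forwarded; learn bindings from ACKs."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            # Server replies are accepted only here; an ACK completes a binding
            # for the client port that sent the matching REQUEST.
            if msg == "ACK" and (vlan, client_mac) in self.pending:
                client_port = self.pending.pop((vlan, client_mac))
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return "forward"
        # Untrusted (client) port: enforce the rate limit, then refuse server-side messages.
        self.dhcp_seen[port] += 1
        if self.dhcp_seen[port] > self.dhcp_rate_limit:
            self.err_disabled.add(port)             # effect of 'ip dhcp snooping limit rate'
            return "drop"
        if msg in DHCP_SERVER_MESSAGES:
            return "drop"                           # rogue DHCP server on a client port
        if msg == "REQUEST":
            self.pending[(vlan, client_mac)] = port
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    # --- Dynamic ARP Inspection -------------------------------------------
    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return "forward"
        return "forward" if self._bound(port, vlan, sender_mac, sender_ip) else "drop"

    # --- IP Source Guard ---------------------------------------------------
    def ip(self, port, vlan, src_mac, src_ip):
        """'ip verify source port-security': source IP and MAC must match a binding."""
        if port in self.trusted:
            return "forward"
        return "forward" if self._bound(port, vlan, src_mac, src_ip) else "drop"


def run_scenario():
    """Constructed traffic covering each attack listed on the page and the switch's decision."""
    sw = SnoopingSwitch(TRUSTED_PORTS, dhcp_rate_limit=50)
    host_a, attacker, gateway_ip = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "10.1.10.1"
    results = {}
    # 1. Legitimate lease: REQUEST from fa0/1, ACK back through the trusted trunk.
    sw.dhcp("fa0/1", 10, "REQUEST", host_a)
    results["lease_ack"] = sw.dhcp("fa0/24", 10, "ACK", host_a, yiaddr="10.1.10.50")
    # 2. Rogue DHCP server on a client port answers with its own OFFER.
    results["rogue_offer"] = sw.dhcp("fa0/2", 10, "OFFER", host_a, yiaddr="10.1.10.60")
    # 3. A device on fa0/2 claims the gateway IP in an ARP reply (ARP poisoning).
    results["arp_poison"] = sw.arp("fa0/2", 10, attacker, gateway_ip)
    # 4. Host A's own ARP matches its binding and passes DAI.
    results["arp_valid"] = sw.arp("fa0/1", 10, host_a, "10.1.10.50")
    # 5. Host A sends with a source IP it was not leased; IP Source Guard drops it.
    results["spoofed_ip"] = sw.ip("fa0/1", 10, host_a, "10.1.10.99")
    results["valid_ip"] = sw.ip("fa0/1", 10, host_a, "10.1.10.50")
    # 6. A DHCP flood from fa0/3 exceeds the 50 pps limit and err-disables the port.
    for _ in range(51):
        sw.dhcp("fa0/3", 10, "DISCOVER", "cc:cc:cc:cc:cc:03")
    results["flood_port_errdisabled"] = "fa0/3" in sw.err_disabled
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

The model shows why the page insists that DHCP snooping be enabled before DAI or IP Source Guard: both later checks consult only the binding table, so a host with no snooped lease (a static address on a client port, for instance) is dropped unless a static binding or trust is configured.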

Configuration of Secure Shell

  • Switch(config)# username Student password C1sc0
  • Switch(config)# ip domain-name corporate.com
  • Switch(config)# crypto key generate rsa
  • Switch(config)# ip ssh version 2
  • Switch(config)# line vty 0 15
  • Switch(config-line)# login local
  • Switch(config-line)# transport input ssh

Configuration of HTTP Server

  • Switch(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
  • Switch(config)# username Student password C1sc0
  • Switch(config)# ip domain-name corporate.com
  • Switch(config)# crypto key generate rsa
  • Switch(config)# no ip http server
  • Switch(config)# ip http secure-server
  • Switch(config)# ip http access-class 100
  • Switch(config)# ip http authentication local

Switch Security Recommendations

  • Configure system passwords
  • Authenticate admin access via TACACS+ server
  • Configure encrypted or hashed passwords
  • Secure physical access to the console
  • Secure Telnet access with ACL
  • Use SSH when possible
  • Configure system warning banners
  • Use Syslog to log system messages
  • Disable unused services
  • Secure switch protocols
  • Trim CDP and LLDP and use only as needed
  • Secure STP
  • Mitigate compromises through a switch
  • Take precautions for trunk links
  • Minimize physical port access
  • Establish standard access port configuration for both unused and used ports
  • Shut down unused ports

Be sure you can configure:

  • Port Security
  • DHCP Snooping
  • DAI
  • IP Source Guard
  • AAA Authentication
  • 802.1X Authentication
  • VLAN access maps
  • Secure Shell
  • HTTPS

Be sure you are familiar with:

  • show port-security [interface] [address]
  • show ip dhcp snooping
  • show ip dhcp conflict
  • DHCP spoofing
  • ARP poisoning and Dynamic ARP inspection (DAI)
  • Authentication
  • Authorization
  • Accounting
  • Switch security recommendations