DHCP Snooping, IP Source Guard and Port Security

Unanswered Question
Apr 25th, 2008

Hi to all,


I've already implemented DHCP Snooping, IP Source Guard and Port Security on some L3-capable access switches and all was working fine...


Right now I've implemented these features on a mixed infrastructure where access is based on L2 features and the Distribution is L3, and I have a few questions... moreover the access switches are connected in a redundant way to the Distribution switch.


L2 switches don't support IP Source Guard so this should be configured on the Distribution switch... are there chances to block on L2 switches static IP addresses set up by users??? Since only DHCP Snooping is configurable on the L2 Access switches I only have the opportunity to block rogue DHCP servers... and not static :-(

So I should block static IP addresses on my Distribution node...


Before, I spoke about redundant uplinks from Access L2 to Distribution... if DHCP Snooping on the Distribution switch is enabled, what happens if one uplink fails and traffic is forwarded to the other uplink, since DHCP Snooping has an entry that states IP XXXX is coming from the uplink that is now down... a security violation appears...


Finally, on the Access switch (in some cases only one switch) 2 APs are attached.

The client is roaming between APs depending on which one is "offering" better coverage... what happens when the client roams and the switch, since it has Port Security configured, registers a security violation blocking access for the client... are there opportunities to set up Port Security in a way to ignore this special situation?


Thanks to all for any feedback




tstanik Fri, 05/02/2008 - 06:19

For configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts refer to the link below, which will help you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/dhcp.html


For the port security configuration follow this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html#wp1148274


cisco_lad2004 Fri, 05/02/2008 - 07:08

I have partial replies to your questions:


1- if you configure Dynamic ARP Inspection on distribution it will block any IPs not assigned by DHCP, i.e. configured by users.


2- with DHCP snooping, it does not matter if the uplink is down. The binding table will hold the mapping for MAC address and assigned IP address, as well as the lease offered by DHCP. These parameters are related to users and not uplinks.

If the second switch does not have an entry in its binding table and the 1st one is down, then you have a problem. But only if Dynamic ARP Inspection is enabled; else the host has an IP address already and will continue to use it during the allowed lease.


3- I don't understand why roaming hosts have an issue? Are you using the sticky option? Else if a switch sees a known MAC address reappearing from another port, it will simply flush the entry from the CAM and update.


These are good questions, and I hope a few more will join in to reply and debate.


HTH


Sam


oguarisco Sun, 05/04/2008 - 22:45

Hi Sam,

thanks for the useful information, these are my comments on your points.


1. Isn't it the combination of DHCP Snooping and IP Source Guard which blocks any IP not assigned by DHCP, i.e. configured by the user?

Dynamic ARP Inspection is not set up to avoid ARP attacks like spoofing and poisoning and to limit the number of ARP requests received from a host


2. Yes, you're right, but if I configure DHCP Snooping and IP Source Guard on the Distribution L3 switch then I have a problem, since IP Source Guard takes care of the mapping IP:MAC:switchport; so if one host connects to an Access stack, and later moves within the office and connects to another Access stack, then I definitely have a problem... since the Distribution sees the same IP:MAC but on another port


3. It should be the way I thought... I've 2 APs on one Access switch where I've activated the following configuration

    switchport port-security
    switchport port-security maximum 100
    switchport port-security violation restrict
    switchport port-security aging time 120
    switchport port-security aging type inactivity


When clients are roaming, and this happens many times, the switch logs a PSECURITY VIOLATION which blocks the connection from the PC that has done the roaming... this sounds strange :-)))


Tnx

Omar
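The two behaviours argued about in this thread (the original question about roaming clients and port security, and Omar's point 2 about IP Source Guard tying an IP:MAC pair to one port) can be reproduced with a small model of the three features. The following is an added example written for this page, not Cisco code and not anything posted by the participants; it is a simplified, hypothetical switch whose rules follow the documented Catalyst behaviour: DHCP server messages are accepted only on trusted ports, IP Source Guard forwards only traffic matching a live snooping binding on the same port, and a MAC address that is already a secure MAC on another secure port of the same switch counts as a port-security violation. Port names, MAC addresses, IP addresses and the clock values are constructed; the 120-tick inactivity aging and maximum of 100 mirror the configuration quoted above.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One DHCP snooping binding, learned from a DHCPACK seen on the client port."""
    mac: str
    ip: str
    port: str
    expires: int        # simulated clock value at which the lease ends


class AccessSwitch:
    """Hypothetical, simplified model of the three Catalyst access-port features."""

    def __init__(self, trusted_ports, ps_max=100, ps_aging=120):
        self.trusted = set(trusted_ports)   # uplinks towards the legitimate DHCP server
        self.bindings = {}                  # DHCP snooping binding table: mac -> Binding
        self.secure = {}                    # port security: mac -> (port, last_seen)
        self.ps_max = ps_max                # 'switchport port-security maximum 100'
        self.ps_aging = ps_aging            # 'aging time 120' with 'aging type inactivity'
        self.violations = []                # (port, mac, reason) log, as 'violation restrict' does

    # ---- DHCP snooping --------------------------------------------------
    def dhcp_server_msg_allowed(self, port):
        """DHCPOFFER/ACK is accepted only from trusted (uplink) ports; a rogue
        server answering on an access port is dropped."""
        return port in self.trusted

    def learn_binding(self, client_port, mac, ip, lease, now):
        """A DHCPACK relayed towards client_port creates or refreshes the binding."""
        self.bindings[mac] = Binding(mac, ip, client_port, now + lease)

    # ---- IP Source Guard ------------------------------------------------
    def ipsg_allows(self, port, mac, ip, now):
        """Forward IP traffic only if (ip, mac) matches a live binding on this
        exact port: a statically configured address, or a host that moved to
        another port, has no matching binding and is dropped."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.port == port and b.expires > now

    # ---- Port security --------------------------------------------------
    def port_security_allows(self, port, mac, now):
        """Learn MACs dynamically up to ps_max per port, age them out after
        ps_aging of inactivity, and treat a MAC already secured on a different
        port of the same switch as a violation (restrict mode: drop and log)."""
        self.secure = {m: (p, t) for m, (p, t) in self.secure.items()
                       if now - t < self.ps_aging}
        if mac in self.secure:
            known_port, _ = self.secure[mac]
            if known_port != port:
                self.violations.append((port, mac, f"secure MAC on {known_port}"))
                return False
            self.secure[mac] = (port, now)
            return True
        if sum(1 for p, _ in self.secure.values() if p == port) >= self.ps_max:
            self.violations.append((port, mac, "maximum exceeded"))
            return False
        self.secure[mac] = (port, now)
        return True


def roaming_scenario():
    """A client roams between two APs on Gi1/0/1 and Gi1/0/2 (constructed data)."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"})
    mac = "00:11:22:33:44:55"
    first = sw.port_security_allows("Gi1/0/1", mac, now=0)      # learned on AP1 port
    roamed = sw.port_security_allows("Gi1/0/2", mac, now=10)    # inside aging window
    aged = sw.port_security_allows("Gi1/0/2", mac, now=200)     # >120 ticks of inactivity
    return first, roamed, aged, len(sw.violations)


def ipsg_scenario():
    """One host leases an address on one port and then appears on another;
    a second host uses a static address never seen in a lease (constructed data)."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"})
    rogue_blocked = not sw.dhcp_server_msg_allowed("Gi1/0/5")
    sw.learn_binding("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.10", lease=3600, now=0)
    same_port = sw.ipsg_allows("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.10", now=100)
    moved_port = sw.ipsg_allows("Gi1/0/2", "aa:aa:aa:aa:aa:01", "10.0.0.10", now=100)
    static_ip = sw.ipsg_allows("Gi1/0/3", "aa:aa:aa:aa:aa:02", "10.0.0.99", now=100)
    expired = sw.ipsg_allows("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.10", now=4000)
    return rogue_blocked, same_port, moved_port, static_ip, expired


if __name__ == "__main__":
    print("roaming:", roaming_scenario())   # (True, False, True, 1)
    print("ipsg:", ipsg_scenario())         # (True, True, False, False, False)
```

The roaming run shows why the quoted configuration logs a violation: the client's MAC is still a dynamic secure MAC on the first AP port when it reappears on the second, and with `aging type inactivity` that entry is only released after 120 units without traffic, so a roam inside that window is treated as a duplicate secure MAC rather than a plain CAM move. The IPSG run shows Omar's concern for the distribution layer: the binding is keyed to the port on which the DHCPACK was seen, so the same IP:MAC pair arriving on another port has no matching binding and is dropped, exactly like a static address or an expired lease.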
