Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
826
Views
5
Helpful
3
Replies

DHCP Snooping, IP Source Guard and Port Security

oguarisco
Level 3
Level 3

‎04-25-2008 12:27 AM - edited ‎03-05-2019 10:36 PM

Hi to all,

I've already implemented DHCP Snooping, IP Source guard and PSecurity on some access-switches L3 capable and all was working fine...

Right now I've implemented these feature on a mixed infrastructure where access is based on L2 feature and the Distribution are L3 and have a few question...moreover access are connected in a redundant way to the Distributon switch

L2 switch don't support IP Source Guard so this should be configured on Distribution switch...are there chances to block on L2 switches static IP Address setup by users??? Since only DHCP snooping is configurable on Access L2 I've only to opportunity to block Rogue DHCP Servers... and not static :-(

So I should block static IP Address on my Distribution Node...

Before I've spoken about redundant uplink from Access L2 to Distribution...if DHCP Snooping on Distribution switch is enabled what happen if one uplink fail and traffic is forwarded to the other uplink since DHCP Snooping has an entry that states IP XXXX is coming from the uplink that now is down...a security violation appears...

Finally on the Access switch, in some case only one switch, is attached 2 APs

the client is roaming between AP depending which one is "offering" better coverage...what happen client roams and the switch since has Psercurity configured register a security violation blockin Access to the client...are there opportunity to setup Psecurity in a way to ignore this special situation?

Thanks to all for a feedback

Labels:
0 Helpful
3 Replies 3

tstanik
Level 5
Level 5

‎05-02-2008 06:19 AM

For the Configuring of DHCP Snooping, IP Source Guard, and IPSG for Static Hosts refer the below link which will help you : :

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/dhcp.html

For the port security configuration follow the URL :

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html#wp1148274

cisco_lad2004
Level 5
Level 5

‎05-02-2008 07:08 AM

I have partial replies to you questions:

1-if u configure dynamic arp inspection on distribution it will block any IPs not assigned by DHCP, ie configured by users.

2-with DHCP snooping, it does not matter if uplink is down. the binding table will hold mapping for mac address and assigned IP Address, as well as lease offered by DHCP. these parameters are related to users and not uplink.

if second switch does not have an entry on its binding table and 1st one is down, then u have a problem. but only if Dynamic arp inspection is enabled else the host has an ip address already and will continue to use it during the allowed lease.

3-I don't understand why roaming hosts have an issue? are u using sticky option ? else if a switch sees a known mac address re appearing from another port, it will simply flush entry from CAM and update.

these are goos questions, and I hope few more will join in to reply and debate.

HTH

Sam

oguarisco
Level 3
Level 3
In response to cisco_lad2004

‎05-04-2008 10:45 PM

Hi Sam,

thanks for the useful information, this are my comments on your points.

1. Is not the combination of DHCP Snooping and IPSource Guard which blocks any IP not assigned by DHCP, ie configured by user?

DynARP inspection is not setup to avoid ARP attack like Spoofing and Poisoning and to limit the numer of ARP requested received from an host

2. Yes, you're right but If I configure DHCP Snooping and IP Source Guard on the Distribution L3 switch then I have a problem since IP Source Guard take care of the mapping IP:MAC:switchport so if one host will connect to an Access stack, and later moves on the office and connect to another Access Stack then I have definitely a problem...since the Distribution see the same IP:MAC but on another port

3. It should be the way I thought... I've 2 APs on one Access swith where I've activated the following configuration

switchport port-security

switchport port-security maximum 100

switchport port-security violation restrict

switchport port-security aging time 120

switchport port-security aging type inactivity

When clients are roaming and this happens many times the switch logs a PSECURITY VIOLATION which blocks the connection from the PC that has done roaming...this sound strange:-)))

Tnx

Omar

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card