ip source guard

Answered Question
Jan 31st, 2009

Hi everybody!

Let's say we have a switch which is configured with DHCP snooping and IP source guard.

   dhcp server-------sw f0/1------------h1

Let's say h1 sends a DHCP request message and gets an ip1 assigned. The DHCP snooping database was updated accordingly with the entry

mac1 ip1 f0/1

Now I replace h1 and plug a hub into f0/1.

h1 and h2 (another host) are connected to the hub.

h2 sends the DHCP request now. What would happen?

Will the IP source guard feature kick in?

Thanks a lot!


schmij01 Sat, 01/31/2009 - 18:15

No, the other hosts will be allowed to obtain an IP address and communicate as normal.  The DHCP snooping binding table will show three entries for that interface and IP source guard will check against all three entries as it checks incoming IP packets.

Correct Answer
Mohamed Sobair Sun, 02/01/2009 - 03:16

Hi Sarah,

When IP Source Guard is enabled, the switch creates a port access-list and filters all IP traffic coming into the interface.

Only traffic from sources that are in the DHCP binding database is allowed.

HTH

Mohamed

sarahr202 Sun, 02/01/2009 - 06:44

Thanks a lot Mohamed!

According to my book, if the switch is configured with the DHCP snooping feature, then IP source guard uses the DHCP snooping database to dynamically create port ACLs. So for example:

sw-------------h1

If h1 has already acquired an IP address, then the DHCP snooping database will have an entry something like:

IP1----mac1-------port1 (assuming h1 is connected to port1 on the switch)

Now the switch creates a dynamic port ACL from the snooping database which, in essence, will allow IP traffic or MAC traffic or both from h1, depending upon how we configured the IP source guard feature. At the end of the ACL there would be an implicit deny.

Now my question is: what if we replace h1 by h2? Assume h2 is a brand new computer.

From the perspective of the port ACL created by the switch earlier, the traffic from h2 will be denied because of the implicit deny at the end of the ACL.

From the DHCP snooping database perspective, the switch will try to match either the src IP or the src MAC or both against the entry found for port1, which again will result in denial, and thus the packet from h2 will be denied by the switch.

The question is: if the switch does allow h2's traffic, it will cause a security breach because h2 could be a rogue computer. If the switch drops the traffic from h2, again h2 could be a genuine computer which replaced h1 because h1 is no longer functional.

The answer lies in how the switch would behave if it does not find an entry for the src IP or src MAC or both against the port in its snooping database: will it block or permit that frame?

Thanks a lot!

 

sarahr202 Sun, 02/01/2009 - 17:47

Here is the answer for anyone who may have a similar question.

First, understand the IP source guard feature.

Manually: manually means we have to configure port ACLs under the interface. Since there can be no more than one port IP ACL and one port MAC ACL, it follows that only one host is expected to connect to the interface.

We can configure the IP source guard feature for an interface by manually configuring these two port ACLs, i.e. an IP ACL and a MAC ACL.

The same result can also be achieved if the DHCP snooping feature is in use.

A switch configured with the DHCP snooping feature builds a database called the snooping database, which has entries something like this:

ip1 mac1 port1 vlan lease

A switch configured with DHCP snooping and the IP source guard feature uses this database to generate port ACLs. For example, for port1 two port ACLs will be created automatically:

allow ip1

allow mac1

Now, basics out of the way, let's get back to my own question.

  dhcp server-------sw f0/1------------h1

Let's say h1 sends a DHCP request message and gets an ip1 assigned. The DHCP snooping database was updated accordingly with the entry

mac1 ip1 f0/1 (just showing the pertinent fields)

Now I replace h1 and plug a hub into f0/1.

h1 and h2 (another host) are connected to the hub.

h2 sends the DHCP request now. What would happen?

Will the IP source guard feature kick in?

Yes, the IP source guard feature will kick in.

Here is why. The IP source guard feature just checks two things, MAC address and IP. It does not care about the payload in the IP packet; the payload could be a DHCP message or any other UDP or TCP PDU.

When h1, now connected to the hub, sends IP packets to the switch, the switch will let them through. But when h2 sends an IP packet, it will be dropped because h2's IP and MAC do not match the entry in the snooping database against f0/1.

From the port ACL perspective, the two dynamic port ACLs under f0/1 do not match h2's IP and MAC, and as there is an implicit deny at the end, h2's packets end up being denied.

Thanks a lot!

 

Correct Answer
hclisschennai Tue, 02/03/2009 - 05:16

Sarah,

I just got a chance to view your forum post.

You mention that if DHCP snooping & IP Source Guard are enabled in the switch, only the traffic matching the rule or binding is allowed.

But the fact is, in an IP source guard enabled switch, under any condition the IP traffic is blocked except for the following:

1. DHCP packets, which DHCP snooping inspects and then forwards.

2. IP traffic from static IP source entries that you have configured.

Kindly let me know if you have a difference of opinion.

R.B.Kumar
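The mechanics the three answers above describe (a binding table filled by static entries or by DHCP snooping, a per-port filter derived from it with an implicit deny at the end, and DHCP packets handed to DHCP snooping rather than judged against the bindings) can be modelled in a few dozen lines. The following is an added example written for this thread, not Cisco code and not code posted by any participant; the interface name, VLAN, addresses and MACs are constructed sample data, and `Switch`, `Binding`, `Packet` and `hub_scenario` are names chosen here. It walks through the hub scenario from the question in both IP-only and IP+MAC checking modes.

```python
"""Toy model of IP Source Guard (IPSG) on one Cisco-style access switch.

Added example for this thread, not Cisco code. It models:
  * the DHCP snooping binding table (ip, mac, vlan, port), filled either by a
    static entry or from a DHCPACK that DHCP snooping saw on a trusted port;
  * the per-port filter IPSG derives from that table, in IP-only mode and in
    IP+MAC mode, with an implicit deny at the end;
  * the DHCP exemption: client DHCP packets are passed to DHCP snooping and
    are not judged against the bindings.
Interface, VLAN, host addresses and MACs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Packet:
    port: str          # ingress interface
    vlan: int
    src_mac: str
    src_ip: str
    proto: str = "tcp"
    dport: int = 0


DHCP_SERVER_PORT = 67   # client -> server (DISCOVER / REQUEST)


def is_dhcp_client_packet(pkt: Packet) -> bool:
    """BOOTP/DHCP from a client is UDP to port 67; IPSG lets snooping handle it."""
    return pkt.proto == "udp" and pkt.dport == DHCP_SERVER_PORT


class Switch:
    def __init__(self, ipsg_ports, verify_mac=False):
        self.bindings = set()                # DHCP snooping binding table
        self.ipsg_ports = set(ipsg_ports)    # ports with IPSG enabled
        self.verify_mac = verify_mac         # IP+MAC mode if True, IP-only if False

    def add_static_binding(self, b: Binding) -> None:
        """Equivalent of a manually configured static source binding."""
        self.bindings.add(b)

    def snoop_dhcp_ack(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """DHCP snooping saw a DHCPACK on a trusted port for a client behind `port`."""
        self.bindings.add(Binding(ip, mac, vlan, port))

    def ingress(self, pkt: Packet) -> str:
        """Decision for one packet arriving on `pkt.port`."""
        if pkt.port not in self.ipsg_ports:
            return "forward"
        if is_dhcp_client_packet(pkt):
            return "forward-to-dhcp-snooping"
        # Dynamic port ACL: one permit per binding on this port/VLAN, then implicit deny.
        for b in self.bindings:
            if b.port == pkt.port and b.vlan == pkt.vlan and b.ip == pkt.src_ip:
                if not self.verify_mac or b.mac == pkt.src_mac:
                    return "forward"
        return "drop"


def hub_scenario(verify_mac: bool) -> dict:
    """The thread's scenario: h1 is bound on Fa0/1, then a hub adds h2 on the same port."""
    sw = Switch(ipsg_ports={"Fa0/1"}, verify_mac=verify_mac)
    H1_MAC, H2_MAC = "0000.0000.0001", "0000.0000.0002"   # constructed
    sw.snoop_dhcp_ack("10.0.0.11", H1_MAC, 10, "Fa0/1")    # h1 already holds ip1

    r = {}
    r["h1_traffic"] = sw.ingress(Packet("Fa0/1", 10, H1_MAC, "10.0.0.11"))
    # h2 behind the hub: its DISCOVER carries 0.0.0.0 and goes to udp/67
    r["h2_dhcp_discover"] = sw.ingress(
        Packet("Fa0/1", 10, H2_MAC, "0.0.0.0", proto="udp", dport=DHCP_SERVER_PORT))
    # any non-DHCP IP packet from h2 before it has a lease hits the implicit deny
    r["h2_before_lease"] = sw.ingress(Packet("Fa0/1", 10, H2_MAC, "10.0.0.12"))
    # server answers; snooping adds a second binding for the same interface
    sw.snoop_dhcp_ack("10.0.0.12", H2_MAC, 10, "Fa0/1")
    r["h2_after_lease"] = sw.ingress(Packet("Fa0/1", 10, H2_MAC, "10.0.0.12"))
    # h2 borrowing h1's address: caught only when the source MAC is verified too
    r["h2_spoofs_h1_ip"] = sw.ingress(Packet("Fa0/1", 10, H2_MAC, "10.0.0.11"))
    r["bindings_on_port"] = sum(b.port == "Fa0/1" for b in sw.bindings)
    return r


if __name__ == "__main__":
    for mode in (False, True):
        print(f"verify_mac={mode}: {hub_scenario(mode)}")
```

Two things the model makes visible that the thread argues over: the binding table can hold several entries for one interface, so a second host behind a hub gets its DHCP exchange through and then passes the filter once its own binding exists; and in IP-only mode a host on that interface can still send with another bound host's IP address, because only the source IP is compared against the bindings. Catching that requires the IP+MAC mode (on Catalyst switches the extra keyword on the `ip verify source` interface command, which in turn relies on port security to learn the MAC).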
