01-31-2009 05:34 PM - edited 03-06-2019 03:47 AM
Hi everybody!
Let's say we have a switch which is configured with DHCP snooping and IP Source Guard.
dhcp server-------sw f0/1------------h1
Let's say h1 sends a DHCP request message and gets ip1 assigned. The DHCP snooping database was updated accordingly with the entry
mac1 ip1 f0/1
Now I replace h1 and plug a hub into f0/1.
h1 and h2 (another host) are connected to the hub.
h2 sends the DHCP request; now what would happen?
Will the IP Source Guard feature kick in?
Thanks a lot!
01-31-2009 06:15 PM
No, the other hosts will be allowed to obtain an IP address and communicate as normal. The DHCP snooping binding table will show three entries for that interface and IP source guard will check against all three entries as it checks incoming IP packets.
01-31-2009 10:45 PM
Thanks a lot!
02-01-2009 03:16 AM
Hi Sarah,
When IP Source Guard is enabled, the switch creates a port access list and filters all IP traffic coming to the interface.
Only traffic whose source is in the DHCP binding database is allowed.
HTH
Mohamed
02-01-2009 06:44 AM
Thanks a lot, Mohammed!
According to my book, if the switch is configured with the DHCP snooping feature, then IP Source Guard uses the DHCP snooping database to dynamically create port ACLs. So for example sw-------------h1. If h1 has already acquired an IP address, then the DHCP snooping database will have an entry something like:
IP1----mac1-------port1 (assuming h1 is connected to port1 on the switch)
Now the switch creates a dynamic port ACL from the snooping database which, in essence, will allow IP traffic or MAC traffic or both from h1, depending upon how we configured the IP Source Guard feature. At the end of the ACL, there would be an implicit deny.
Now my question is: what if we replace h1 with h2? Assume h2 is a brand new computer.
From the perspective of the port ACL which was created by the switch earlier, the traffic from h2 will be denied because of the implicit deny at the end of the ACL.
From the DHCP snooping database perspective, the switch will try to match either the src IP or src MAC or both against the entry found for port 1. This again will result in denial, and thus packets from h2 will be denied by the switch.
The question is: if the switch does allow h2's traffic, it will cause a security breach because h2 could be a rogue computer. If the switch drops the traffic from h2, again h2 could be a genuine computer which replaced h1 because it is no longer functional.
The answer lies in how the switch would behave if it does not find an entry for the src IP or src MAC or both against the port in its snooping database: will it block or permit that frame?
Thanks a lot!
02-01-2009 05:47 PM
Here is the answer for anyone who may have a similar question.
First understand the IP Source Guard feature.
Manually: manually means we have to configure port ACLs under the interface. Since there can be no more than one port IP ACL and one port MAC ACL, it follows that only one host is expected to connect to the interface.
We can configure the IP Source Guard feature for an interface by manually configuring these two port ACLs, i.e. an IP ACL and a MAC ACL.
The same result can also be achieved if the DHCP snooping feature is in use.
A switch configured with the DHCP snooping feature builds a database called the snooping database, which has entries something like this:
ip1 mac1 port1 vlan lease
A switch configured with DHCP snooping and the IP Source Guard feature uses this database to generate port ACLs. For example, for port 1, two port ACLs will be created automatically:
allow ip1
allow mac1
Now, basics out of the way, let's get back to my own questions.
dhcp server-------sw f0/1------------h1
Let's say h1 sends a DHCP request message and gets ip1 assigned. The DHCP snooping database was updated accordingly with the entry
mac1 ip1 f0/1 (just showing the pertinent fields)
Now I replace h1 and plug a hub into f0/1.
h1 and h2 (another host) are connected to the hub.
h2 sends the DHCP request; now what would happen?
Will the IP Source Guard feature kick in?
Yes, the IP Source Guard feature will kick in.
Here is why. The IP Source Guard feature just checks two things, MAC address and IP. It does not care about the payload in the IP packet; the payload could be a DHCP message or any other UDP or TCP PDU.
When h1, now connected to the hub, sends IP packets to the switch, the switch will let them through. But when h2 sends an IP packet, it will be dropped because h2's IP and MAC did not match the entry in the snooping database for f0/1.
From the port ACL perspective, the two dynamic port ACLs under f0/1 do not match h2's IP and MAC, and as there is an implicit deny at the end, h2's packets end up being denied.
Thanks a lot!
02-03-2009 05:16 AM
Sarah,
I just got a chance to view your forum post.
You mention that if DHCP snooping & IP Source Guard are enabled in the switch, only the traffic matching the rule or binding is allowed.
But the fact is, in an IP Source Guard enabled switch, in any condition the IP traffic is blocked except for the following:
1. DHCP packets, which DHCP snooping inspects and then forwards
2. IP traffic from static IP source entries that you have configured.
Kindly let me know if you have a difference of opinion.
R.B.Kumar
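As an added illustration of the filtering rules that Sarah's walkthrough and R.B.Kumar's two exceptions describe, here is a small Python model of IP Source Guard on one access port. It is example code written for this thread, not anything posted by the participants or taken from Cisco IOS; the host names, MAC and IP addresses, interface names and the toy DHCP pool are constructed values. The model applies R.B.Kumar's rules: DHCP client packets bypass the source check and are handed to snooping (which records a binding), static bindings are always permitted, and every other IP packet must match a binding on its ingress port or hit the implicit deny at the end of the port ACL. It then walks the hub scenario from the original question twice, once with IP-only checking and once with IP-and-MAC checking, because the two give different answers once a second host shares the port.

```python
"""Toy model of IP Source Guard on one access port.

Added example for this thread, not code from the posters or from Cisco
IOS. Host names, MACs, addresses, interface names and the DHCP pool
below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the snooping database (or a static 'ip source binding')."""
    mac: str
    ip: str
    interface: str
    vlan: int = 1
    static: bool = False


@dataclass(frozen=True)
class Packet:
    """An IP packet as seen on ingress; dhcp=True marks a DHCP client message."""
    interface: str
    src_mac: str
    src_ip: str
    dhcp: bool = False


class SourceGuardSwitch:
    def __init__(self, check_mac: bool = False):
        # check_mac=False: verify source IP only; True: verify IP and MAC.
        self.check_mac = check_mac
        self.bindings: list[Binding] = []   # snooping database + static entries
        self._next_host = 10                # toy DHCP pool 192.0.2.10, .11, ...

    def add_static_binding(self, mac: str, ip: str, interface: str, vlan: int = 1) -> None:
        self.bindings.append(Binding(mac, ip, interface, vlan, static=True))

    def port_acl(self, interface: str) -> list[Binding]:
        """The dynamically built port ACL: one permit per binding, then implicit deny."""
        return [b for b in self.bindings if b.interface == interface]

    def _dhcp_snooping(self, pkt: Packet) -> tuple[str, str]:
        """DHCP on an untrusted port is inspected rather than source-checked:
        the toy server leases an address and snooping records the binding."""
        ip = f"192.0.2.{self._next_host}"
        self._next_host += 1
        self.bindings.append(Binding(pkt.src_mac, ip, pkt.interface))
        return "forward", ip

    def ingress(self, pkt: Packet) -> tuple[str, str | None]:
        """Return ('forward' | 'drop', leased_ip_or_None) for one packet."""
        if pkt.dhcp:
            return self._dhcp_snooping(pkt)
        for b in self.port_acl(pkt.interface):
            if b.ip == pkt.src_ip and (not self.check_mac or b.mac == pkt.src_mac):
                return "forward", None
        return "drop", None                 # implicit deny at the end of the port ACL


def hub_scenario(check_mac: bool) -> dict:
    """Walk the thread's scenario: h1 leases an address, then a hub puts h2
    on the same port. Returns the filter decision at each step."""
    sw = SourceGuardSwitch(check_mac=check_mac)
    h1, h2, port = "00:11:22:33:44:01", "00:11:22:33:44:02", "FastEthernet0/1"
    result = {}
    # 1. h1 obtains a lease; snooping records mac1 / ip1 / f0/1.
    _, ip1 = sw.ingress(Packet(port, h1, "0.0.0.0", dhcp=True))
    result["h1_lease"] = ip1
    result["h1_data"] = sw.ingress(Packet(port, h1, ip1))[0]
    # 2. h2 appears behind the hub with a hand-configured address: no binding, dropped.
    result["h2_static_ip"] = sw.ingress(Packet(port, h2, "192.0.2.99"))[0]
    # 3. h2's DHCP request is not source-checked; snooping adds a second binding on the port.
    _, ip2 = sw.ingress(Packet(port, h2, "0.0.0.0", dhcp=True))
    result["h2_lease"] = ip2
    result["bindings_on_port"] = len(sw.port_acl(port))
    result["h2_data"] = sw.ingress(Packet(port, h2, ip2))[0]
    # 4. h2 sends from h1's leased address: only the MAC check can tell it from h1.
    result["h2_using_ip1"] = sw.ingress(Packet(port, h2, ip1))[0]
    # 5. A statically bound host that never uses DHCP is permitted on its own port.
    sw.add_static_binding("00:11:22:33:44:aa", "192.0.2.50", "FastEthernet0/2")
    result["static_host"] = sw.ingress(
        Packet("FastEthernet0/2", "00:11:22:33:44:aa", "192.0.2.50"))[0]
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("check_mac =", mode)
        for step, decision in hub_scenario(check_mac=mode).items():
            print(f"  {step:18} {decision}")
```

Step 4 is the practitioner's caveat: with IP-only verification (`ip verify source` on IOS), a second host behind the hub that sends from h1's leased address is indistinguishable from h1, so the binding only identifies a host once the MAC check is enabled as well (`ip verify source port-security` on the older Catalyst releases, which also requires port security on the interface). Steps 2 and 3 show why the thread's two answers differ only in wording: h2's unbound traffic is dropped, but its DHCP request is still inspected and forwarded, and once the lease is recorded the port carries two bindings and h2's own traffic is permitted.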