I've been trying to think of a way to keep only certain users from using our conference room data jacks. Port security won't help, as there are multiple ports in the conference rooms going to the same switch, and it is not scalable. We don't use dot1x at the moment, so that is out, but I tried DAI in a lab. I configured DHCP snooping and turned it on for the VLAN, and then added verify source to each port. Now, when the device gets an address from DHCP, it allows that device on the network. On the DHCP side, I created reservations, and only the MACs that have reservations will get IP addresses. When I give a device an address other than the one it learned by DHCP, the port denies it access.
Do I need to put ip verify source on each interface to make this work, or would DHCP snooping be enough?
Is this working because it checks the DHCP database and then, if the MAC-to-IP entry is in there, allows access?
ip verify source is IP Source Guard, not DAI, and it won't do anything against someone spoofing their MAC address to get a valid DHCP IP address (you should then also consider implementing port security); all it does is prevent IP spoofing.
Yes, it uses the DHCP snooping database, but it can also be configured for static IPs, just as DAI also relies on DHCP snooping but can be configured for static IPs.
Yes, you'll have to use it on every access port.
I don't want to go the static route, as I am trying not to create any added administration. I just want to set up DHCP snooping on the switches that are going to have the conference room VLAN. Then the only administration will be making reservations on the DHCP scope. What was your last comment, "Yes, you'll have to use it on every access port," referring to? You mean untrust every port on which I want the DHCP database checked?
All DHCP snooping prevents is rogue DHCP servers, by only permitting server responses on trusted ports and, by default, putting all ports in the VLAN as untrusted. It can also prevent DHCP starvation attacks by rate-limiting requests on untrusted ports. If you're using IP Source Guard, then you'll have to enter the ip verify source command on every access port.
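For reference, here is the configuration the replies above describe, as an added example that is not part of the thread: DHCP snooping on the conference room VLAN, one trusted port toward the DHCP server, and IP Source Guard (ip verify source) on every room jack, with the stronger IP+MAC variant and a static binding shown alongside. It targets Cisco IOS on a Catalyst access switch; the VLAN number, interface names, the filename of the snooping database and the MAC/IP in the static binding are assumptions.

```cisco
! Added example, not the original poster's config. Assumed: VLAN 10 for the
! conference rooms, Gi1/0/1-8 as room jacks, Gi1/0/48 as the uplink toward
! the DHCP server.

! --- DHCP snooping builds the MAC / IP / VLAN / port binding table that
!     IP Source Guard consults. Without it, ip verify source has no bindings
!     to match and every untrusted port drops all IP traffic.
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping inserts option 82 into relayed requests by default; many DHCP
! servers discard requests carrying option 82 with an empty giaddr, so
! disable the insertion unless the server is configured to accept it.
no ip dhcp snooping information option
! Persist the binding table across reloads; otherwise every client on an
! ip verify source port is blocked after a reboot until its lease renews.
ip dhcp snooping database flash:dhcp-snooping.db

! --- Trust only the port that leads to the legitimate DHCP server.
!     DHCP OFFER/ACK arriving on any untrusted port is dropped, which is
!     what stops a rogue DHCP server plugged into a room jack.
interface GigabitEthernet1/0/48
 description uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust

! --- Conference room jacks: untrusted (the default), rate-limited, and
!     filtered by IP Source Guard.
interface range GigabitEthernet1/0/1 - 8
 description conference room jacks
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Cap DHCP requests (packets per second) to blunt starvation attacks.
 ip dhcp snooping limit rate 10
 ! IP-only check: an IP packet is forwarded only if its source address
 ! matches a binding learned (or statically configured) for this port and
 ! VLAN. This is why a host that hard-codes the same IP it got from DHCP
 ! keeps working while any other address is dropped, and why a host that
 ! clones an authorized MAC and leases an address is not stopped.
 ip verify source

! --- Stronger variant: also check the source MAC against the binding.
!     Requires port security on the port; the permitted MAC comes from the
!     snooping binding rather than from a hand-maintained list.
!     (Newer platforms use the keyword "mac-check" instead of
!     "port-security".)
! interface range GigabitEthernet1/0/1 - 8
!  switchport port-security
!  ip verify source port-security

! --- Static binding for a device that must not use DHCP (e.g. a printer).
!     MAC and IP are hypothetical.
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet1/0/3

! --- Verification
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source
! show ip source binding
```

Two checks worth running after applying this: `show ip verify source` should list each room jack as `ip active` (or `ip-mac active` for the stronger variant) with its learned binding, and a client that plugs in with a hand-configured address not present in `show ip dhcp snooping binding` should fail to reach the gateway. Keep in mind that the IP-only mode filters only IP packets, so it is not an admission control: the DHCP reservations decide who gets an address, and only the port-security variant ties that address to the MAC that leased it.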
In my lab, I only configured a DHCP server with a range from 192.168.1.1 - 255 and a router of 192.168.1.1. I gave the switch a VLAN 1 interface IP of 192.168.1.1. Then I configured DHCP snooping for VLAN 1 (really only so I had a database of addresses), then IP verify source on the ports. The result is that my laptop could only connect if I got an address from the DHCP server. If, after getting an IP from the DHCP server, I statically gave myself that same IP, the device would still ping the gateway, but if I gave my device one that it did not get from the DHCP server, it would not ping the gateway.
I'm trying to understand why it is working. From what I understand, DHCP snooping stops an untrusted port from handing out addresses and limits requests, like you said.
Is it the DHCP snooping that is stopping the connections, or is it IP Source Guard with the ip verify source config checking the DHCP snooping database? Or is there something else happening?
Sorry about the confusion with the DAI. I don't know what I was thinking.
Ultimately, what I am trying to accomplish is to keep unauthorized users from accessing our network in conference rooms. Port security won't work in this situation, as there are many ports in these conference rooms that connect to the same switch. You can only configure a group of MACs to one port on a switch, and also this method isn't very scalable. Every time I need to add a device that needs to connect, I would have to go to every switch that has a conference room and add that new MAC.
So, in addition to the switch config that I used in the lab, I would only allow the "allowed devices" (MACs) to get DHCP addresses from the DHCP server.