Home > DHCP Snooping

DHCP Snooping

September 4th, 2017 in SWITCH 300-115 Go to comments

Quick review of DHCP Spoofing:

DHCP_Spoofing_Attack.jpg

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

DHCP_Spoofing_Attack_Trust_Untrust_Ports.jpg

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Question 1

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2

Explanation

Static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5

Explanation

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Explanation

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8

Explanation

DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.

Question 11

Explanation

The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Question 12

Explanation

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html

Before enabling IP Source Guard, DHCP Snooping must be enabled as a prerequisite. Let’s see an example of how to configure IP Source Guard.

IP_Source_Guard.jpg

Enable DHCP Snooping first:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#int fa0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config)#int fa0/14
Switch(config-if)#ip dhcp snooping limit rate 20

Next we can start configuring IP Source Guard.

Switch(config)#int fa0/14
Switch(config-if)#ip verify source

IP Source Guard is configured at the access layer (in this case under interface Fa0/14) and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis. Any traffic which doesn’t match the binding entries is dropped in hardware.

If we want to enable IP source guard with source IP and MAC address filtering, use the command “ip verify source port-security” instead (Port security and option 82 is not necessary if you are not using MAC verification).

Well now maybe you understand about IP source guard. Let’s learn about option 82.

When a client initially connects to a port protected by IP source guard (Fa0/14 of the switch in the above case) only DHCP discover and request messages are allowed, everything else is dropped. An important point to keep in mind is that at this point no traffic, including DHCP, will cause the switch to add an entry for the client in the CAM table and therefore when the DHCP server responds with an offer the switch will not know where to send the packet. And when DHCP snooping is enabled, replies from the DHCP server are not flooded out all ports if there is no entry in the CAM, so the DHCP offer will be dropped. To get around this, DHCP option 82 (or Relay Agent Information) is necessary. Option 82 is a frequently misunderstood value, likely because unlike other options it is not set by the DHCP server, rather it is set by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two fields, the circuit ID and remote ID.

When a DHCP packet is received on an untrusted port the switch adds the option 82 information and sends it on it’s way, if the option 82 field already exists the packet will be dropped (this behavior can be changed by using the ‘ip dhcp snooping information option allow-untrusted’ command under interface configuration). When the DHCP server receives the discover it is expected to return the values in option 82 with it’s offer. Assuming that the server does support option 82 and returns an offer with the information intact, the switch will determine whether it is the originator of the option 82 information by checking whether the MAC address in the remote ID field matches it’s own, it then looks at the VLAN, module, and port carried in the circuit ID field to find out which port the packet should be sent out, the switch then strips option 82 out of the packet and forwards it to the specified port. The same process will occur with the request and ack portion of DHCP. If the offer is sent back from the DHCP server without the option 82 information the switch is unable to determine where the packet should be sent and drops it.

Reference: http://vcabbage.com/networking/2010/08/07/ip-source-guard.html

Question 13

Question 14

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html

Comments
Comment pages
1 2 761
  1. rava
    November 20th, 2016

    Q11
    At least 8000 bindings can be stored on DHCP snooping database with Releases after 12.2(18)SXF5.

  2. AXX
    December 22nd, 2016

    Q11 – minimum is not equal to: 1) can store, 2) at least, or 3) up to

    Guidelines and Limitations
    DHCP snooping has the following configuration guidelines and limitations:

    •The DHCP snooping database can store 2000 bindings.

    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

    DHCP Snooping Configuration Restrictions

    • With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.

    • With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.pdf

    DHCP Snooping Binding Database
    When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.

    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/asr903/dhcp-xe-3s-asr903-book/dhcp-features.html

    DHCP Snooping Configuration Restrictions
    • The DHCP snooping database stores at least 12,000 bindings

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/dhcp_snooping.pdf

  3. shrek
    December 23rd, 2016

    in Q7 it ask “Which command is needed to enable DHCP snooping …” not “which command is needed to configure a port as a trusted port” so the answer should be “ip dhcp snooping” not “ip dhcp snooping trust” right? please correct me if i’m wrong.
    thnk u in advance

  4. Jake
    December 27th, 2016

    Q7 is correct because the last part of the question specifies it “if a switchport is connected to a DHCP server”. The questions is asking about port configuration not global.

  5. noman
    January 11th, 2017

    Which option is the minimum number of bindings that the DHCP snooping databas can store???

    2000
    8000

  6. Anonymous
    January 11th, 2017

    8000 binding

  7. Digit-All
    May 21st, 2017

    Shrek “ip dhcp snooping trust” is specific to an interface connected to dhcp server while “ip dhcp snooping” is a global command. So, answer is correct.

  8. abrakapokus
    July 3rd, 2017

    I don’t get Q10, if it is the one I think it is.
    There is a trusted server and iit says we have to Configure the static DHCP snooping binding entry. Isn’t DHCP snooping database made for untrusted hosts??

  9. abrakapokus
    July 3rd, 2017

    Untrusted interfaces, sorry, I think I got it.

  10. anyone
    July 3rd, 2017

    @abrakaokus, Q10 is “Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?” Answer is A – Dynamic ARP Inspection (DAI)

    When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports. The DHCP snooping feature just cares about if the reply is coming from a trusted port or not when making decisions.

    Dynamic ARP Inspection (DIA) utilizes the DHCP snooping database specifically the IP-to-MAC address bindings when making decisions but since the database would not have entries for addresses that were configured statically (not assigned by DHCP), you would need to configure an ARP access list that defines static MAC-IP address bindings that are permitted.

    Does this help?

  11. abrakapokus
    July 3rd, 2017

    Thank you a lot for the prompt reply.
    It does help a lot, although I was refering to another question. But now I see the explanation is the same. :)
    The question was: “A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP
    snooping. For more protection against malicious attacks, the network team is considering enabling
    dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server
    maintains network reachability in the future?”
    with the correct answer being: “Configure a static DHCP snooping binding entry on the switch.”

    I was having some concerns about entries in DHCP snooping binding database but with this and a bit more investigating I believe I resolved them all.
    Thank you!

  12. varv
    July 9th, 2017

    Hello Everyone!

    I have CCNP Switch 300-115 exam in 2 days. Can you guys please provide me Updated Dumps?

    My email ID: venkatesh1593 at gmail dot com

    Thanks a lot!

  13. CCNP boy
    August 7th, 2017

    Are the Qs still valid to pass this exam ? or is there a lot of new Qs ?

Comment pages
1 2 761
  1. No trackbacks yet.