***********************************
Cisco - Preventing Snooping Attacks
***********************************

DHCP Snooping
=============

- Mitigates the risk of a rogue DHCP server existing on the network
- Ports are configured as trusted or untrusted
- All DHCP requests are intercepted by the switch
- DHCP replies received on untrusted ports are discarded and the source port is shut down
- The switch builds a database of DHCP "bindings" as legitimate replies are received
- Configuration steps

  - Define trusted ports
  - Enable DHCP snooping
  - Define which VLANs to enable DHCP snooping on

IP Source Guard
===============

- Mitigates the risk of malicious hosts spoofing their source IP address
- Takes advantage of the MAC-to-IP mappings stored in the DHCP snooping database
- Static entries can also be configured for non-DHCP hosts
- Packets must meet the following conditions in order to pass through the switch

  * Source IP identical to the IP learned by DHCP snooping or a static entry
  * Source MAC identical to the MAC learned by the switch and the DHCP snooping/static entry

- A dynamic ACL or port security is used to filter the traffic
- Configuration steps

  * Enable DHCP snooping
  * Enable port security (if detecting MAC spoofing is required)
  * Configure static entries for non-DHCP hosts
  * Enable IP Source Guard (per interface)

Dynamic ARP Inspection (DAI)
============================

- Mitigates the risk of ARP poisoning/ARP spoofing
- Uses either static entries or bindings learned through DHCP snooping
- Ports are classed as trusted or untrusted
- Ports connecting to other switches should be trusted
- The switch checks ARP replies received on untrusted ports
- Invalid ARP replies are dropped and logged
- Configuration steps

  * Define trusted interfaces
  * Configure an ARP access-list for non-DHCP hosts
  * Enable DAI on the required VLANs

- The MAC access-list filter is checked first, then the DHCP snooping database
- Checking of the DHCP snooping database can be skipped if required
- By default only the MAC/IP carried in the ARP reply are checked; additional Ethernet-level checks can be enabled on

  * Source MAC
  * Destination MAC
  * IP

Configure DHCP Snooping
=======================

**Enable DHCP Snooping**

::

    ip dhcp snooping

**Specify VLANs to have DHCP Snooping applied**

::

    ip dhcp snooping vlan []

**Specify Trusted Interfaces**

::

    interface
    [no] ip dhcp snooping trust

**Limit rate of DHCP requests**

::

    interface
    [no] ip dhcp snooping limit rate

**Add option 82 to DHCP requests** *Note: enabled by default*

::

    [no] ip dhcp snooping information option

**Verify DHCP Snooping**

::

    show ip dhcp snooping [binding]

Configuring IP Source Guard
===========================

**Configure Static Binding**

::

    ip source binding vlan interface

**Enable IP Source Guard on an interface**

::

    interface
    ip verify source [port-security]

**Verify IP Source Guard Status**

::

    show ip verify source [interface ]

**Verify Source Bindings**

::

    show ip source binding [] [] [dhcp-snooping|static] [interface ] [vlan ]

Configuring Dynamic ARP Inspection (DAI)
========================================

**Configure Trusted Interfaces**

::

    interface
    ip arp inspection trust

**Enable DAI on required VLANs**

::

    ip arp inspection vlan

**Define MAC Access List for non-DHCP hosts**

::

    arp access-list
    permit ip host mac host [log]

**Apply Filter**

::

    ip arp inspection filter vlan [static]

**Apply additional packet validations**

::

    ip arp inspection validate {[src-mac] [dst-mac] [ip]}

**Display DAI Status**

::

    show ip arp inspection
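The three mechanisms above share one data structure, the binding table, so the following Python model shows them together: DHCP snooping filling the table from replies on trusted ports, IP Source Guard matching source IP (and, with port security, source MAC) against it, and DAI checking an ARP reply against the ARP ACL first and the table second, with the optional ``src-mac``/``dst-mac``/``ip`` validations. This is an added example, not Cisco code: the ports, bindings, ACL entries and packets are constructed, the ACL is modelled as a list of permitted (IP, MAC) pairs, and the ``ip`` validation is modelled as rejecting the all-zeros and broadcast sender addresses.

```python
"""Model of DHCP snooping, IP Source Guard and DAI sharing one binding table.
Added example, not Cisco's code; every port, binding and packet is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping database, or a static entry
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class Switch:
    trusted: set = field(default_factory=set)     # ports trusted for DHCP replies and ARP
    bindings: list = field(default_factory=list)  # snooping database plus static entries
    shutdown: set = field(default_factory=set)    # ports disabled after a rogue DHCP reply
    log: list = field(default_factory=list)       # reasons for every dropped packet

    def _drop(self, why):
        self.log.append(why)
        return "drop"

    def dhcp_snoop(self, port, msg_type, client=None):
        """Client requests are intercepted and forwarded. Server replies are
        accepted only on trusted ports; an ACK records the client's binding."""
        if msg_type not in ("OFFER", "ACK"):
            return "forward"
        if port not in self.trusted:            # reply from a server behind an access port
            self.shutdown.add(port)
            return self._drop(f"DHCP {msg_type} on untrusted {port}")
        if msg_type == "ACK" and client is not None:
            self.bindings.append(client)
        return "forward"

    def ip_source_guard(self, port, vlan, src_mac, src_ip, port_security=False):
        """Permit only traffic whose source IP matches a binding on this
        port/VLAN; with port-security the source MAC must match as well."""
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) == (port, vlan, src_ip):
                if port_security and b.mac != src_mac:
                    continue
                return "permit"
        return self._drop(f"IPSG: {src_ip}/{src_mac} has no binding on {port}")

    def dai(self, port, vlan, eth_src, eth_dst, sender_mac, sender_ip, target_mac,
            acl=None, acl_static=False, validate=()):
        """Inspect an ARP reply: trusted ports bypass; optional Ethernet-level
        checks run first; then the ARP ACL; then the binding table, unless the
        ACL was applied with 'static', in which case a non-match is a deny."""
        if port in self.trusted:
            return "permit"
        if "src-mac" in validate and eth_src != sender_mac:
            return self._drop("DAI: Ethernet source != ARP sender MAC")
        if "dst-mac" in validate and eth_dst != target_mac:
            return self._drop("DAI: Ethernet destination != ARP target MAC")
        if "ip" in validate and sender_ip in ("0.0.0.0", "255.255.255.255"):
            return self._drop("DAI: invalid sender IP")   # modelled subset of the ip check
        if acl is not None:
            if (sender_ip, sender_mac) in acl:
                return "permit"
            if acl_static:
                return self._drop("DAI: no ACL match, database skipped")
        for b in self.bindings:
            if (b.vlan, b.mac, b.ip) == (vlan, sender_mac, sender_ip):
                return "permit"
        return self._drop(f"DAI: {sender_ip} is not bound to {sender_mac} on VLAN {vlan}")


def demo():
    """Run the checks through a constructed scenario and return each verdict."""
    sw = Switch(trusted={"Gi1/0/24"})                    # uplink towards the real DHCP server
    host = Binding("00:11:22:33:44:55", "10.1.10.20", 10, "Gi1/0/1")
    gw_mac, gw_ip = "aa:bb:cc:00:00:01", "10.1.10.1"
    bad_mac = "de:ad:be:ef:00:01"
    acl = [("10.1.10.50", "00:aa:bb:cc:dd:50")]          # printer with a fixed address
    r = {}
    r["ack_on_uplink"] = sw.dhcp_snoop("Gi1/0/24", "ACK", client=host)
    r["offer_on_access"] = sw.dhcp_snoop("Gi1/0/2", "OFFER")
    r["rogue_port_shut"] = "Gi1/0/2" in sw.shutdown
    r["ipsg_ok"] = sw.ip_source_guard("Gi1/0/1", 10, host.mac, host.ip)
    r["ipsg_bad_ip"] = sw.ip_source_guard("Gi1/0/1", 10, host.mac, gw_ip)
    r["ipsg_bad_mac"] = sw.ip_source_guard("Gi1/0/1", 10, bad_mac, host.ip, port_security=True)
    r["ipsg_bad_mac_no_ps"] = sw.ip_source_guard("Gi1/0/1", 10, bad_mac, host.ip)
    # ARP reply from the host's port that claims the gateway's IP for the host's MAC
    r["dai_poison"] = sw.dai("Gi1/0/1", 10, host.mac, gw_mac, host.mac, gw_ip, gw_mac)
    r["dai_ok"] = sw.dai("Gi1/0/1", 10, host.mac, gw_mac, host.mac, host.ip, gw_mac)
    r["dai_acl_hit"] = sw.dai("Gi1/0/5", 10, acl[0][1], gw_mac, acl[0][1], acl[0][0],
                              gw_mac, acl=acl, acl_static=True)
    r["dai_acl_static_skips_db"] = sw.dai("Gi1/0/1", 10, host.mac, gw_mac, host.mac,
                                          host.ip, gw_mac, acl=acl, acl_static=True)
    r["dai_acl_then_db"] = sw.dai("Gi1/0/1", 10, host.mac, gw_mac, host.mac,
                                  host.ip, gw_mac, acl=acl)
    r["dai_src_mac_check"] = sw.dai("Gi1/0/1", 10, bad_mac, gw_mac, host.mac,
                                    host.ip, gw_mac, validate=("src-mac",))
    r["dai_trusted_port"] = sw.dai("Gi1/0/24", 10, bad_mac, gw_mac, bad_mac, gw_ip, gw_mac)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
    print("\n".join(sw_log for sw_log in []))  # log lines live in Switch.log after demo()
```

Two verdicts are worth noticing: ``ipsg_bad_mac_no_ps`` is permitted, because without port security IP Source Guard only compares the source IP, and ``dai_acl_static_skips_db`` is dropped even though the host has a valid DHCP binding, because applying the ARP ACL with ``static`` turns the ACL's implicit deny into a final decision.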
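The commands above are only useful when they agree with each other: DAI and IP Source Guard on a VLAN depend on DHCP snooping being enabled for that VLAN (or on static entries), and an untrusted uplink discards the legitimate server's replies. The following Python script, added here and not part of Cisco's tooling, parses a saved running-config for the global and interface commands listed in this section and reports those inconsistencies. The configuration text is constructed; the parser recognises only the commands shown on this page plus ``switchport access vlan`` and ``switchport mode trunk`` to know each port's VLAN and role.

```python
"""Audit a saved IOS running-config for consistent DHCP snooping / DAI / IPSG settings.
Added example, not Cisco's tooling; the configuration text below is constructed."""

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,30
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip verify source port-security
!
interface GigabitEthernet1/0/2
 switchport access vlan 30
 ip verify source
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text):
    """Collect the snooping/DAI/IPSG state from global and interface lines."""
    cfg = {"snooping": False, "snoop_vlans": set(), "dai_vlans": set(),
           "validate": set(), "interfaces": {}}
    cur = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            cur = raw.split(None, 1)[1]
            cfg["interfaces"][cur] = {"vlan": None, "trunk": False, "snoop_trust": False,
                                      "arp_trust": False, "ipsg": None}
        elif raw.startswith(" ") and cur:           # indented line inside an interface block
            s, i = raw.strip(), cfg["interfaces"][cur]
            if s.startswith("switchport access vlan "):
                i["vlan"] = int(s.rsplit(None, 1)[1])
            elif s == "switchport mode trunk":
                i["trunk"] = True
            elif s == "ip dhcp snooping trust":
                i["snoop_trust"] = True
            elif s == "ip arp inspection trust":
                i["arp_trust"] = True
            elif s.startswith("ip verify source"):
                i["ipsg"] = s
        else:                                       # global configuration line
            cur = None
            if raw == "ip dhcp snooping":
                cfg["snooping"] = True
            elif raw.startswith("ip dhcp snooping vlan "):
                cfg["snoop_vlans"] |= expand_vlans(raw.rsplit(None, 1)[1])
            elif raw.startswith("ip arp inspection vlan "):
                cfg["dai_vlans"] |= expand_vlans(raw.rsplit(None, 1)[1])
            elif raw.startswith("ip arp inspection validate "):
                cfg["validate"] = set(raw.split()[4:])
    return cfg


def audit(cfg):
    """Return findings where the features cannot work as the page describes."""
    f = []
    if not cfg["snooping"]:
        f.append("DHCP snooping is not enabled globally")
    for v in sorted(cfg["dai_vlans"] - cfg["snoop_vlans"]):
        f.append(f"VLAN {v}: DAI without DHCP snooping, only ARP ACL entries can match")
    for name, i in cfg["interfaces"].items():
        if i["trunk"] and not i["snoop_trust"]:
            f.append(f"{name}: uplink not trusted for DHCP snooping, server replies will be dropped")
        if i["trunk"] and not i["arp_trust"]:
            f.append(f"{name}: uplink not trusted for DAI, ARP from the next switch is inspected")
        if i["ipsg"] and i["vlan"] not in cfg["snoop_vlans"]:
            f.append(f"{name}: IP Source Guard on VLAN {i['vlan']} without DHCP snooping, "
                     "only static bindings can match")
    return f


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed config the audit reports four findings: DAI on VLAN 30 with no snooping there, IP Source Guard on GigabitEthernet1/0/2 in that same VLAN, and each trunk trusted for only one of the two features. Feed it the output of ``show running-config`` from a real switch to check a deployment the same way.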