Jan
07

We are putting the final touches together for the CCSP bootcamp that is launching soon.  (PS, it is going to ROCK! :) ) As I was going through the demo’s on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.

This blog post is to refresh your memories and provide some examples  for layer 2 security on the Catalyst switch. We will begin with DHCP snooping.

I have a friend “wink, wink” who many years ago at a conference configured his Windows NT 4.0 server (ah the memories), as a DHCP server, and had almost 100  clients routing through his laptop. The only problem with this, besides really slow performance for everyone, was the fact that he was just another attendee at the conference, and was running a rogue DHCP server. Of course today, we would never allow that to happen, as we would use DHCP snooping to place all ports in an untrusted state, with the exception of the real DHCP server(s).

In the examples below, on SW1; R1, R2 and R3 are connected to ports Fa0/1, Fa0/2 and Fa0/3 respectively. R1 is the valid DHCP server, so we specify port Fa0/1 as a trusted DHCP port

DHCP snooping prevents protects against rogue servers, but it also provides another huge benefit, and that is the DHCP snooping binding table which is built dynamically and includes the clients MAC, IP, Lease time, Binding Type, VLAN# and Switch Port that client is connected to. This is huge, because now we can add on other features, like Source Guard. Source Guard uses the snooping binding table, and prevents a host from “borrowing” its neighbors IP address. If the source IP coming in on a switch port doesn’t match the IP in the binding table, the packet is dropped at the switch!

But wait, there is more. :) We have all probably heard about a L2 man in the middle attack, where the attacker poisons the arp cache of a host and it’s gateway, and then eavesdrops on every frame/packet between them. Because we have the DHCP snooping table, we can stop malicious ARPs from getting into the VLAN. Once again, with ARP inspection enabled, and leveraging the snooping table, if the MAC withing the ARP doesn’t match the table, the switch kills it.

So in summary, DHCP snooping builds the binding table.  Source Guard uses the table to prevent IP address spoofing/borrowing. ARP inspection uses the table to prevent malicious/incorrect ARP packets from performing ARP cache poisoning.

The configurations, embedded notes, validations and show commands are below.

R1

!  Excluded static addresses used by R1 and SW1
ip dhcp excluded-address 123.0.0.1
ip dhcp excluded-address 123.0.0.7
ip dhcp pool MYPOOL
 network 123.0.0.0 255.255.255.0
 domain-name INE.com
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
! We used mac addresses that would be easily identifiable
  mac-address 0011.1111.1111
! The command below allows the DHCP option inbound to server
  ip dhcp relay information trusted
  ip address 123.0.0.1 255.255.255.0
!
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0
!
!  Configured R1 as an NTP server so SW1 could have synced time
ntp master 1

R2

interface Loopback0
  ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
  mac-address 0022.2222.2222
  ip address dhcp
!
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

R3

interface Loopback0
  ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
  mac-address 0033.3333.3333
  ip address dhcp
!
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

SW1

ip dhcp snooping vlan 123
! In a production network, you would want to be careful to not exceed
! the space available in flash for storage.
ip dhcp snooping database flash:/jan7snoop.txt
ip dhcp snooping
!
ip arp inspection vlan 123
! The validate includes ARP validation for IP and source/destination MAC addresses
ip arp inspection validate ip src-mac dst-mac
!
!
interface FastEthernet0/1
  Description Connection to R1, the real DHCP server
  switchport access vlan 123
  switchport mode access
! Because the DHCP server has a static address, there will never be
! a dynamic entry in the snooping table for R1.  We could create
! and ARP access list, and use it for to compliment the dynamic table.
  ip arp inspection trust
! Because R1 is a DHCP server, we have to “DHCP trust” this interface.
  ip dhcp snooping trust
!
interface FastEthernet0/2
  Description Connection to R2, a DHCP client
  switchport access vlan 123
  switchport mode access
! This next command is the Source Guard, that prevents IP Spoofing
  ip verify source
!
interface FastEthernet0/3
  Description Connection to R3, a DHCP client
  switchport access vlan 123
  switchport mode access
! This next command is the Source Guard, that prevents IP Spoofing
  ip verify source

interface Vlan123
  ip address 123.0.0.7 255.255.255.0
!
! When writing the DHCP snooping table to flash, the switch complains
! if it is not synchronized to an NTP server.
ntp server 123.0.0.1

So lets take a look at some show commands, first on the DHCP server R1. It shows that it handed out IP addresses via DHCP to 2 devices, using 123.0.0.6 and 123.0.0.8 (looks like someone was bringing the clients up and down a few times for testing) ☺

r1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
Hardware address/
User name
123.0.0.6           0063.6973.636f.2d30.    Jan 08 2010 08:11 AM    Automatic
3032.322e.3232.3232.
2e32.3232.322d.4661.
302f.30
123.0.0.8           0063.6973.636f.2d30.    Jan 08 2010 08:11 AM    Automatic
3033.332e.3333.3333.
2e33.3333.332d.4661.
302f.30

It looks like R1 has OSPF learned routes with next hops that match the DHCP addresses we handed out.

r1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DROTHER    00:00:33    123.0.0.6       FastEthernet0/0
3.3.3.3           1   FULL/BDR        00:00:32    123.0.0.8       FastEthernet0/0
r1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 123.0.0.6, 00:01:21, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 123.0.0.8, 00:01:11, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C       123.0.0.0 is directly connected, FastEthernet0/0
r1#

It also appears that these 2 OSPF neighbors are in deed R2 and R3 based on the router-id.

r1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DROTHER    00:00:36    123.0.0.6       FastEthernet0/0
3.3.3.3           1   FULL/BDR        00:00:39    123.0.0.8       FastEthernet0/0
r1#

Lets jump over to SW1, and look first at the DHCP snooping binding table, to verify that it is in order.

sw1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:22:22:22:22:22   123.0.0.6        86053       dhcp-snooping   123   FastEthernet0/2
00:33:33:33:33:33   123.0.0.8        86062       dhcp-snooping   123   FastEthernet0/3
Total number of bindings: 2

To look at source guard, we use the following commands. Remember, source guard is leveraging the information from the DHCP snooping binding table.

sw1# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:22:22:22:22:22   123.0.0.6        86020       dhcp-snooping   123   FastEthernet0/2
00:33:33:33:33:33   123.0.0.8        86029       dhcp-snooping   123   FastEthernet0/3
Total number of bindings: 2

sw1# show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/2      ip           active       123.0.0.6                           123
Fa0/3      ip           active       123.0.0.8                           123

Next, lets look at some output regarding the Dynamic ARP Inspection (DAI). The only interface we trusted was Fa0/1.

sw1# show ip arp inspection interfaces

Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa0/1            Trusted               None               N/A
Fa0/2            Untrusted               15                 1
Fa0/3            Untrusted               15                 1
Fa0/4            Untrusted               15                 1
Fa0/5            Untrusted               15                 1

sw1# show ip arp inspection vlan 123

Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
123     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging
----     -----------      ------------      -------------
123     Deny             Deny              Off

sw1# show ip arp inspection statistics vlan 123

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
----      ---------        -------     ----------      ---------
123             39              1              1              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
----   ------------    -----------  -------------   -------------------
123             21              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
123                   0                        0                       0
sw1#

With ARP inspection in place, lets go to R2, and view our MAC address

To begin, we have the L2 information for R1 and R3, and our own MAC address of 002.2222.2222 We can confirm this with a couple different commands.

r2# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  123.0.0.1               8   0011.1111.1111  ARPA   FastEthernet0/0
Internet  123.0.0.6               -   0022.2222.2222  ARPA   FastEthernet0/0
Internet  123.0.0.8               8   0033.3333.3333  ARPA   FastEthernet0/0

r2# show int fa 0/0 | inc bia
Hardware is AmdFE, address is 0022.2222.2222 (bia 000f.3431.1da0)

Now, we will change the MAC address of our Fa0/0 interface.

r2(config)#int fa 0/0
r2(config-if)#mac-address 0022.2222.2224

Lets generate an ARP request by attempting to ping a local resource that is not currently in our ARP cache.

r2(config-if)# do ping 123.0.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Lets see what messages are popping up on the console of SW1.

SW1

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0022.2222.2224/123.0.0.6/0000.0000.0000/123.0.0.10/08

So the ARP never left the gate, because the MAC address that we were trying to use as part of the ARP request didn’t match the snooping table.

One last piece. Lets take a look at the Source Guard in action. R3 is directly connected to 123.0.0.0, and has routing updates for the loopback interfaces of R1 and R2 as well.

r3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 123.0.0.1, 00:12:34, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 123.0.0.6, 00:12:34, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
123.0.0.0/24 is subnetted, 1 subnets
C       123.0.0.0 is directly connected, FastEthernet0/0
r3#

A ping to the directly connected, working OSPF neighbor 123.0.0.1 should work, right?

r3# ping 123.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r3#

It does in fact work. Now lets source the ping from our loopback 0. If you scroll up and look at the routing table of R1, it has a route back to R3’s 3.3.3.3 as well.

r3# ping 123.0.0.1 so lo 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.....
Success rate is 0 percent (0/5)
r3#

So why is this ping not working? Source guard. We are sourcing the packet from 3.3.3.3, and that doesn’t match the snooping table, and so the switch rejects it. To do a quick verification, we can remove the source guard from the switch port that R3 is connected to, and try it again.

sw1(config)#int fa 0/3
sw1(config-if)#no ip verify source

And now, drum roll please, the ping.

r3#ping 123.0.0.1 so lo 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#

Remember, if we aren’t using DHCP in our network, and still want to use these features, we can create manual snooping and arp inspection entries, and get the same effect. Our workbooks have extensive examples and explanations.

The transparent mode ASA firewall, has it’s own set of tricks for L2 security as well, and we’ll leave that for another day.

Best wishes from the INE team!


You can leave a response, or trackback from your own site.

13 Responses to “CCIE L2 security, a FRAME of reference…”

 
  1. TacACK says:

    Great resource!

    You rock man!

  2. ccie mate says:

    Great post. I enjoyed reading it.

  3. Colin West says:

    Hi,

    Nice article. Looking forward to the CCSP program. Will there also be a tech lab workbook to accompany the CCSP CoD?
    Kind Rgds,

    Colin

    • Hi Colin- I don’t believe a tech lab workbook is planned for CCSP. A person who wanted to practice could simple follow the recorded CCSP presentation, which is available for students who attend the class, or purchase the on-demand version, and pause when needed. Students will have the diagrams and topology information presented in the class. Our CCIE security v5, volume 1 workbook has all the topics, with great explanations and walk-throughs of the solutions.

  4. Rizzo says:

    Hi

    Very well explained and I like the way you narrated it. :) Example with real world alerts and hints put cherry on top and make it so simple to eat it. Yes, real brain food.

    I would like to see more of Layer2 & 3 Attacks along with Mitigation methods. Could you please also add IPS42xx Tutorials ? I guess most of guys knows IDS and Inline mode but lacking understand of implement it.

    Thanks in Advance

  5. C. says:

    Hi,

    Many thanks for this great article.
    But one thins makes me pulling my hair off :

    Following the example above, does this mean that Source Guard must be disbled on a port that is connected to a Router ?

    Many thanks in advance.
    /C.

  6. RoutSec says:

    Thanks for this great article. It is greatly appreciated!

  7. GFC_Cisco says:

    Well.. if you want to become a good network engineer, it’s not about just reading books, watching videos and so on.. You must have this page as your HOME page, this way you will remeber and learn things that you won’t find in books or videos, at least not explained in a way that is easily “digested”. This blog rocks !!

    Thanks INE

  8. Ian Finlayson says:

    Excellent Review…. Thanks for this!!

  9. Sunil Shah says:

    Your hands-on experience speaks louder than words. I am sure there is much more to be learned and gained from you…many thanks.

  10. Null0 says:

    Great post, it was great to see all the features complement each other.

  11. Paul Gilbert says:

    I have a question. Can we enable DHCP snooping on a L3 switch (3750 for example) and acting as a DHCP server?

  12. Hello Paul –

    I tested this on a 3560, and it seemed to have no problem.

    SW1#show ip int brief | ex una
    Interface IP-Address OK? Method Status Protocol
    Vlan1 10.0.0.7 YES manual up up
    SW1#

    SW1#show ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    —————— ————— ———- ————- —- ——————–
    00:0F:F7:43:97:40 10.0.0.2 86382 dhcp-snooping 1 FastEthernet0/1
    Total number of bindings: 1

    SW1#show run | begin dhcp
    ip dhcp excluded-address 10.0.0.7
    !
    ip dhcp pool SWITCHPOOL
    network 10.0.0.0 255.255.255.0
    !
    !
    ip dhcp snooping vlan 1
    ip dhcp snooping
    !

    Best wishes.

 

Leave a Reply

Categories

CCIE Bloggers