Thursday, February 23, 2012

IP Source Guard



So, after saying I would post about IP source guard in my DHCP Snooping post, I neglected to post much of anything for six months, BUT I'm back to fulfill my promise.

IP source guard is basically a dynamic per-port access list that is applied to make sure the device is using the IP address (and MAC address, if configured) that the computer received during its DHCP handshake.


As mentioned in the previous article, DHCP snooping keeps track of what IP address the device gets from the server.  IP source guard then ensures that the address stored in the DHCP snooping binding database is the only IP allowed to communicate out the port, thereby defeating IP spoofing and some man-in-the-middle attacks.

Picture a malicious user who connects to the network and receives an IP address.  They then listen to broadcast traffic and ARPs and determine another user's IP/MAC address.  The malicious user could then send out packets with the neighboring device's IP and pretend to be them, possibly bypassing ACLs that grant the victim extra access.  A second attack could be that the malicious user simply responds to requests using the gateway's IP address, so that their traffic appears legitimate.

Both of these are mitigated by IP source guard, as any packets the malicious user sends with an IP (or MAC) not included in the DHCP snooping database will be dropped.

NOTE* If you configure source guard on a port that doesn't have an entry, either learned dynamically by DHCP snooping or manually entered in the IP source binding table, all packets will be dropped.

Source guard is not allowed on routed interfaces or EtherChannels.



Configuration:

Step one -
A. Ensure DHCP snooping is enabled on the VLAN you intend to use IP source guard on (or you have manually entered all IP/MAC bindings in the IP source binding table).
B. If you enable IP source guard on a trunk interface (multiple VLANs), then all VLANs are filtered; ensure DHCP snooping is enabled for ALL VLANs on the trunk.

Step two -
Determine if some or all of your addresses need to be manually entered:


ip source binding mac-address vlan vlan-id ip-address interface interface-id


Step three -
Determine if you just want to use source guard based on IP addresses, or both IP and MAC addresses.  If you want to check MAC addresses as well, ensure your DHCP server supports option 82.

interface interface-id

          For just checking IP addresses:

               ip verify source

          For both IP and MAC addresses:

               ip verify source port-security


Step Four -
Verify Config

show ip verify source [interface interface-id]

Verify Bindings

show ip source binding


Step Five -
Save if everything looks good

wri mem

(or if you are studying for an exam)
copy running-config startup-config
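Putting the five steps together, here is a complete access-switch configuration as an added example (this is not the post author's configuration). The hostname-less switch, VLAN 10, the uplink GigabitEthernet0/1, the access ports GigabitEthernet0/2 and 0/3, the MAC address 0011.2233.4455, the IP 10.10.10.50 and the flash file name are all constructed values for illustration.

```cisco
! Added example, not from the original post. Interface names, VLAN 10,
! the MAC/IP binding and the database file name are assumed values.
!
! Step one: DHCP snooping must already be running on the VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is needed if you want the MAC check (port-security mode).
ip dhcp snooping information option
! Persist learned bindings so they survive a reload (file name assumed).
ip dhcp snooping database flash:dhcp-snoop.db
!
! The uplink toward the DHCP server is trusted; every access port stays untrusted.
interface GigabitEthernet0/1
 description Uplink toward distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Step two: a device with a fixed address (a printer here) gets a manual binding,
! otherwise source guard on its port would drop everything.
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet0/3
!
! Step three (IP only): user access port.
interface GigabitEthernet0/2
 description User access port
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Step three (IP and MAC): the printer port. Port security must be enabled
! for the MAC check to take effect.
interface GigabitEthernet0/3
 description Printer with static binding
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Step four: verify from enable mode.
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip source binding
! show ip verify source interface GigabitEthernet0/2
!
! Step five: save.
! copy running-config startup-config
```

Two things worth checking when you bring this up: `show ip verify source` should list each guarded port as active with its binding (a port showing no binding is the "all packets dropped" case from the note above), and a freshly connected client on GigabitEthernet0/2 still gets a lease because source guard permits DHCP traffic until a binding exists.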




Thursday, February 16, 2012

Curious what the OpenFlow stuff is you are hearing all over? Check out Ivan Pepelnjak's links to recorded versions of the OPENFLOW AND SOFTWARE DEFINED NETWORKING 101 introduction session on the technology causing all the buzz. Interesting stuff, even if I am very, very wary of taking the "brains" out of my switches and placing them in a controller or software; if it works well it could very well change the whole concept of networking as we know it.

OSPF Feasible Successors

OSPFv2 Loop-Free Alternate Fast Reroute - Once OSPF has calculated SPF and installed routes in the routing table, it calculates a successor route to destinations, much as EIGRP does. This greatly reduces your downtime during re-convergence.

You can find it in the Cisco 15.1 release notes.

Cisco - Yep
Juniper - Yep
HP - As usual, they probably will get around to it in a couple years...