Thursday, February 23, 2012
IP Source Guard
So, after saying I would post about IP source guard in my DHCP Snooping post, I neglected to post much of anything for six months, BUT I'm back to fulfill my promise.
IP source guard is essentially a dynamic per-port access list applied to make sure a device is using the IP address (and MAC address, if configured) that it received during its DHCP handshake.
As mentioned in the previous article, DHCP snooping keeps track of what IP address each device gets from the server. IP source guard then ensures that the address stored in the DHCP snooping binding database is the only IP allowed to communicate out of the port, thereby defeating IP spoofing and some man-in-the-middle attacks.
Picture a malicious user who connects to the network and receives an IP address. They then listen to broadcast traffic and ARPs and determine another user's IP/MAC address. In the first attack, the malicious user sends out packets with the neighboring device's IP and pretends to be them, possibly bypassing ACLs that grant the victim extra access. In the second, the malicious user simply responds to requests using the gateway's IP address so that their traffic appears legitimate.
Both of these are mitigated by IP source guard: any packets the malicious user sends out with an IP (or MAC) not included in the DHCP snooping database are dropped.
NOTE: If you configure source guard on a port that does not have an entry, either learned dynamically by DHCP snooping or manually entered in the IP source binding table, all packets on that port will be dropped.
Source guard is not allowed on routed interfaces or EtherChannels.
Configuration:
Step one -
A. Ensure DHCP snooping is enabled on the VLAN you intend to use IP source guard on (or that you have manually entered all IP/MAC bindings in the IP source binding table).
B. If you enable IP source guard on a trunk interface (multiple VLANs), all VLANs are filtered, so ensure DHCP snooping is enabled for ALL VLANs on the trunk.
Step two -
Determine whether some or all of your addresses need to be manually entered:
ip source binding mac-address vlan vlan-id ip-address interface interface-id
Step three -
Determine whether you want source guard to check IP addresses only, or both IP and MAC addresses. If you want to check MAC addresses as well, ensure your DHCP server supports option 82.
interface interface-id
For checking IP addresses only:
ip verify source
For both IP and MAC addresses:
ip verify source port-security
Step Four -
Verify Config
show ip verify source [interface interface-id]
Verify Bindings
show ip source binding
Step Five -
Save if everything looks good:
wri mem
(or, if you are studying for an exam)
copy running-config startup-config
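As an added example, not part of the original post, here is a small Python checker that applies the rules above to a saved running-config: it flags every port with ip verify source whose VLAN is not DHCP-snooped (globally and per VLAN) and that has no static ip source binding, the situation in which the note above says all traffic is dropped. The config text is constructed; the checker assumes bindings name the interface in full and that trunks list their allowed VLANs explicitly.

```python
import re
# Constructed sample running-config used to exercise the checker (not from the original post).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip source binding 0011.2233.4455 vlan 30 192.0.2.50 interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip verify source port-security
interface GigabitEthernet1/0/2
 switchport access vlan 30
 ip verify source
interface GigabitEthernet1/0/3
 switchport access vlan 30
 ip verify source
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 ip verify source
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_source_guard(config):
    """Return {interface: reason} for each 'ip verify source' port that would drop all traffic."""
    snooped, bound = set(), set()
    if re.search(r"^ip dhcp snooping$", config, re.M):   # VLAN list counts only if snooping is on globally
        for m in re.finditer(r"^ip dhcp snooping vlan (\S+)", config, re.M):
            snooped |= expand_vlans(m.group(1))
    for m in re.finditer(r"^ip source binding .* interface (\S+)", config, re.M):
        bound.add(m.group(1))                             # a static entry satisfies the guard on that port
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        if not re.search(r"^ ip verify source", body, re.M) or name in bound:
            continue
        if re.search(r"^ switchport mode trunk", body, re.M):   # every VLAN on the trunk is filtered
            m = re.search(r"^ switchport trunk allowed vlan ([\d,-]+)", body, re.M)
            needed = expand_vlans(m.group(1)) if m else set()   # assumes an explicit allowed list
        else:
            m = re.search(r"^ switchport access vlan (\d+)", body, re.M)
            needed = {int(m.group(1)) if m else 1}        # access ports default to VLAN 1
        if needed - snooped:
            findings[name] = f"VLAN(s) {sorted(needed - snooped)} not DHCP-snooped and no static binding"
    return findings
```

Run it against the output of show running-config before enabling source guard on a batch of ports; a clean result means every guarded port has a source of bindings.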