CCIE R&S Advanced Technologies Class v4.5 - DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section for Layer 2 security, we're going to
0:00:16	talk about the DHCP snooping, dynamic ARP inspection and
0:00:21	IP source guard features that are designed to
0:00:23	prevent against Layer 2 spoofing attacks on the LAN.
0:00:29	Now the potential issue that we could run into on the
0:00:32	access segment that is going down to the end hosts
0:00:35	is that the IP version 4 ARP protocol
0:00:38	and the BOOTP server and client which is going to be used
0:00:43	for DHCP has no protection mechanisms built into the
0:00:46	protocol itself to validate if the sender of either the
0:00:52	DHCP offer or the ARP response is actually
0:00:56	the legitimate user.
0:00:59	And the attack that could be implemented in the Layer 2
0:01:03	LAN is typically known as a Layer 2 man in the middle attack
0:01:07	or an MIM attack.
0:01:11	Now the way that this works is that on the LAN we have
0:01:17	a victim host that's the legitimate user
0:01:21	and we have the attacker
0:01:23	that are on the same Layer 2 segment.
0:01:27	Now typically this segment is then going to attach to
0:01:29	a router
0:01:31	which somehow is going to connect to the DHCP server.
0:01:37	What is supposed to happen is that when
0:01:39	the host sends the DHCP request
0:01:48	the router's going to forward this to the server
0:01:50	the server is going to reply back with the DHCP offer.
0:01:56	And this is going to contain whatever the pool information
0:02:00	is for the particular segment the IP address, the default gateway,
0:02:04	the DNS server etc.
0:02:08	Now once the DHCP request goes out onto the LAN
0:02:11	there's nothing preventing someone else from sending
0:02:15	a DHCP offer which potentially could have a legitimate pool
0:02:21	address, so it's the correct subnet that is for that link
0:02:25	but it would change the default gateway from the router's
0:02:30	address to the attacker.
0:02:41	Now when this occurs, the final result is that the victim is
0:02:45	going to say that my default gateway for this particular
0:02:48	segment is going this way as opposed to the
0:02:52	the legitimate path which is supposed to go to the router.
0:02:56	But once the attacker receives the traffic in, it's going to transparently
0:03:01	forward it onto the router, so the traffic does actually forward
0:03:05	out to the rest of the network correctly and it's transparent
0:03:10	to the victim.
0:03:12	So this is why it's considered a man in the middle attack
0:03:15	because essentially the attacker is running some sort of packet
0:03:18	analyzer or some sort of sniffer in order to grab the
0:03:21	traffic off of the wire, but it still eventually gets to the
0:03:25	destination so the victim doesn't know that there's a problem
0:03:28	to begin with.
0:03:30	Now there's a couple of different ways that this can be implemented.
0:03:33	One way would be to configure a rouge DHCP server or basically
0:03:38	a wrong DHCP server onto the LAN where the attacker
0:03:42	is sending out leases instead of what the DHCP
0:03:45	server is supposed to do.
0:03:48	So the switches that are in the Layer 2 network
0:03:52	they then need to protect against this case. To make sure
0:03:54	that when the DHCP request comes in that the DHCP
0:04:00	offer is coming in the correct Layer 2 port.
0:04:03	And this is what the DHCP snooping feature is
0:04:06	designed to do.
0:04:09	So with DHCP snooping, the switch is going to know
0:04:12	where the DHCP server is supposed to be located
0:04:16	and where the DHCP clients are located.
0:04:20	The link that is connecting to the server where it's directly --
0:04:22	whether it is directly attached or whether
0:04:25	it's through a Layer 2 trunk link, this is going to be
0:04:28	the interface that is trusted.
0:04:32	So the only thing we need to configure for the feature
0:04:35	is just to enable it globally and then on the link that is
0:04:39	pointing towards the server this should be the trusted interface.
0:04:44	So the end result of this is that when the DHCP
0:04:49	offer comes in, it's only going to be coming from the interface that is
0:04:55	trusted, so in this case if the attacker sends
0:04:58	the offer, the Layer 2 switch that receives this in
0:05:04	it's going to block this response because it
0:05:08	says that this is my trusted port going this way
0:05:11	as opposed to the other interfaces which are actually facing downstream.
0:05:18	Now once the switch knows where the DHCP is located
0:05:22	and where the client's requests are coming in
0:05:24	from, it's going to build a mapping table that is
0:05:29	constructed of the IP address that was allocated
0:05:33	the Mac address of the client and the port that it is associated with.
0:05:39	So this is known as the DHCP snooping binding database.
0:05:44	It's similar to the ARP cache on the router
0:05:47	where we're binding an IP address to a Mac address.
0:05:50	Now with this information, the switch can then run
0:05:53	two additional features which are known as
0:05:56	the dynamic ARP inspection
0:06:00	and the IP source guard feature
0:06:02	which are to actually filter Layer 3 packets
0:06:07	as they're received in the interfaces or Layer 3
0:06:10	ARP packets.
0:06:13	So the other potential spoofing problem
0:06:16	is that on this LAN segment we can prevent against the
0:06:19	DHCP request coming in or the DHCP response coming
0:06:23	in the wrong interface, but it doesn't necessarily protect
0:06:27	against the case where the attacker basically says
0:06:32	that the Mac address of the router, so let's say the
0:06:36	Mac address A maps to the IP address 1
0:06:43	If the attacker sends an ARP reply
0:06:48	which is known as a gratuitous ARP, so it's
0:06:50	an ARP reply without an ARP request coming in
0:06:53	that says IP address 1 is bound to Mac address
0:06:58	B which is the one that's assigned on the attacker's interface.
0:07:04	It then again means transparently the Layer 2 is going to go from the
0:07:08	victim to the attacker, the attacker to the router and
0:07:11	then out, so even though the attack is not against the DHCP server
0:07:17	in this case, we're using the ARP protocol, we end up in the
0:07:21	same result. There's a man in the middle attack going
0:07:25	through the attacking host.
0:07:29	Now to prevent against this, the switch can take
0:07:33	that DHCP snooping database that was built based on the
0:07:37	requests and the offer and use this to inspect
0:07:42	the ARP packets.
0:07:46	So based on the mappings that were created in that binding table
0:07:50	the switch is already going to know what particular
0:07:52	IP addresses correspond to which particular Mac addresses
0:07:56	and what are the interfaces that they're located on.
0:08:00	So in order to enable this, we only need to say
0:08:02	ip arp inspection and the particular VLAN
0:08:05	then for any interfaces that we do not have
0:08:08	the manual -- or excuse me, that we do not have the automatic
0:08:11	bindings on like the a Layer 2 trunk link that
0:08:15	goes to another switch, that would be the trusted
0:08:19	interface.
0:08:21	Now the problem with this is that it's possible that
0:08:25	DHCP is not going to be used for all allocations
0:08:29	which typically is going to be the case for the router's
0:08:32	address on the segment, so if the router's address is
0:08:35	assigned statically, we need to tell the switch what is the
0:08:39	IP address to Mac address binding for the router.
0:08:43	And this is going to be applied as an ARP access list
0:08:48	that has both the IP address and the Mac address binding.
0:08:52	So in this particular case, if this was VLAN 10
0:08:58	we would create an ARP access list that says Mac address
0:09:01	A is associated with IP address 1
0:09:05	so if a gratuitous ARP or again essentially an ARP
0:09:09	reply comes in from the attacker, the switch is
0:09:13	automatically going to drop that on the interface.
0:09:16	Then lastly, the third feature we can use this for is the
0:09:18	IP source guard which is actual filtering of the data plain packets.
0:09:25	So we're taking the DHCP snooping and the dynamic ARP
0:09:27	inspection logic one step further that says if I already
0:09:31	know what the IP address and the Mac address binding
0:09:34	is supposed to be on a per port basis
0:09:37	I can simply turn on IP source guard, the IP verify
0:09:41	source command that says for every packet I receive inbound
0:09:46	I'm going to check the IP address against the Mac address.
0:09:49	If that matches what is in my DHCP snooping database
0:09:54	then I'm going to allow the packet inbound.
0:09:57	If it doesn't match it, then that is going to be dropped.
0:10:02	So typically these three features you would run
0:10:04	them all in conjunction on the LAN. DHCP snooping,
0:10:08	dynamic ARP inspection and IP source guard.
0:10:13	Now some of the potential issues that you need to be aware
0:10:15	of that with DHCP snooping
0:10:17	you need to make sure that you're trusting whatever
0:10:20	port is connecting to the DHCP server even if it is
0:10:24	a Layer 2 trunk link.
0:10:27	So whatever faces upstream towards the server, those have to be the
0:10:30	trusted interfaces.
0:10:33	Now additionally, when the Layer 2 switch does this
0:10:36	snooping, it's going to add an information option
0:10:40	which is known as DHCP option 82
0:10:45	that some DHCP servers do not support.
0:10:50	So when the actual request gets from the client to the
0:10:53	server, if the server doesn't support this type of formatting
0:10:56	of the packet, they could reject it.
0:10:59	Now if you actually test this on the command line, you'll
0:11:01	see that the IOS DHCP server implementation
0:11:04	does not support this.
0:11:07	So the router is going to reject any of the packets that
0:11:10	went through DHCP snooping.
0:11:14	So there's two ways that you could fix this.
0:11:17	You could either get the server to allow this.
0:11:20	So that's going to be up to the actual application of the
0:11:23	DHCP server or you could tell the switch not to
0:11:26	add the information option.
0:11:28	If we say no ip dhcp snooping information option, it's
0:11:31	not going to insert the option number 82
0:11:34	Now all three of these features if we look at the documentation
0:11:39	under the configuration guide for the switches
0:11:43	these are going to be under configuring DHCP
0:11:45	features and IP source guard and then dynamic
0:11:48	ARP inspection.
0:11:51	So when you look at the configurations for these, there's
0:11:52	really not that much syntax that goes along with it.
0:11:56	It's more to understand what are these designed to prevent
0:11:59	against in the first place which is the Layer 2
0:12:02	spoofing of the DHCP server.
0:12:05	The ARP address poisoning of the default gateway on the
0:12:09	segment or the actual source spoofing that's prevented
0:12:15	against with the IP source guard.
0:12:18	But again, typically all three of these are normally used
0:12:21	in conjunction with each other.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

DHCP Snooping, Dynamic ARP Inspection (DAI), ...

Create Bookmark