6.2 Describe common access layer threat mitigation techniques

6.2.a 802.1x
I couldn’t get the 802.1x port authentication working on GNS3. Will try later.
6.2.b DHCP snooping
[Figure: DHCP snooping lab topology (dhcp snooping lab.png)]

I set up a lab like the one above using IOU images.

The config consists of two DHCP servers (routers) on VLAN 100. R1 is connected to a trunk port and R2 to an access port. Before DHCP snooping was enabled, R2 was able to issue DHCP leases to the VPCs.
Here is the DHCP config on R1:
[Image: DHCP configuration of R1]

Here is the debug output of a rejected DHCP binding with DHCP snooping enabled:
[Image: debug output of the rejected DHCP binding]

Here is the debug output of a successful DHCP binding from R1 on the trusted trunk port:

*Jan 14 09:28:48.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:48.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Et0/3, MAC da: ffff.ffff.ffff, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:48.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
IOU1#
*Jan 14 09:28:48.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
*Jan 14 09:28:49.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:49.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Et0/3, MAC da: ffff.ffff.ffff, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:49.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Jan 14 09:28:49.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
IOU1#
*Jan 14 09:28:50.958: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:50.958: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:50.958: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:50.958: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:50.958: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:50.959: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
IOU1#
*Jan 14 09:28:50.959: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:50.959: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.
IOU1#
*Jan 14 09:28:52.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:52.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Et0/3, MAC da: ca01.2ee4.0000, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 10.0.0.3, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:52.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:52.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:52.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Jan 14 09:28:52.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.929: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
*Jan 14 09:28:52.944: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:52.944: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.945: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:52.945: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:52.945: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 10.0.0.3, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:52.945: DHCP_SNOOPING: add binding on port Ethernet0/3.
IOU1#
*Jan 14 09:28:52.945: DHCP_SNOOPING: added entry to table (index 2)

*Jan 14 09:28:52.945: DHCP_SNOOPING: dump binding entry: Mac=00:50:79:66:68:01 Ip=10.0.0.3 Lease=2678400    Type=dhcp-snooping Vlan=100 If=Ethernet0/3
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW no entry found for 0050.7966.6801 0.0.0.100 Ethernet0/3
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW host tracking not found for update add dynamic (10.0.0.3, 0.0.0.0, 0050.7966.6801) vlan 100
*Jan 14 09:28:52.945: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:52.945: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.
Finally, here is the IOU switch config:

ip dhcp snooping vlan 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
! snip
!
! trusted port
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
 ip dhcp snooping trust
!
interface Ethernet0/1
 switchport access vlan 100
 switchport mode access
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 100
 switchport mode access
 duplex auto
!
interface Ethernet0/3
 switchport access vlan 100
 switchport mode access
 duplex auto
! 
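
The debug output above shows the switch inserting a relay information option (option 82) into the client's DISCOVER, matching it again on the OFFER/ACK that comes back on the trusted trunk, and only then adding a binding on the client's port. The following is an added example, not code from the original post: it decodes the exact byte dump printed by IOU (circuit-id in vlan-mod-port format, remote-id as the switch MAC, which decodes to aabb.cc00.0100 here) and replays the snooping decisions as a small model. The Packet and SnoopingSwitch classes, the untrusted port Ethernet0/2 used for the rogue OFFER, and the "forward unchanged" handling of option 82 from another relay are assumptions made for this example.

```python
"""Added example (not code from the original post): decode the option 82
bytes the IOU switch printed above and replay the snooping decisions seen
in the debug output. Layouts assumed: Cisco 'vlan-mod-port' circuit-id and
MAC-format remote-id, as the DHCP_SNOOPING_SW debug lines name them."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Copied from the "binary dump of relay info option" debug line above
OPT82_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 "
              "0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0")

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # only legitimate on trusted ports


def parse_dump(dump: str) -> bytes:
    """Turn the '0x52 0x12 ...' text of the debug line into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def decode_option82(raw: bytes) -> dict:
    """Decode option 82 into its circuit-id (1) and remote-id (2) suboptions."""
    if not raw or raw[0] != 82:
        raise ValueError("not an option 82 blob")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise ValueError("option 82 is truncated")
    out, i = {}, 0
    while i < len(body):
        if i + 1 >= len(body):
            raise ValueError("suboption header is truncated")
        sub, sublen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + sublen]
        if len(data) != sublen:
            raise ValueError("suboption is truncated")
        i += 2 + sublen
        payload = data[2:]  # Cisco prefixes each payload with a type byte and a length byte
        if sub == 1:        # circuit-id, vlan-mod-port: vlan(2) module(1) port(1)
            out["circuit_id"] = {"vlan": int.from_bytes(payload[:2], "big"),
                                 "module": payload[2], "port": payload[3]}
        elif sub == 2:      # remote-id: the switch's base MAC
            h = payload.hex()
            out["remote_id"] = h
            out["remote_id_cisco"] = ".".join(h[j:j + 4] for j in range(0, 12, 4))
    return out


@dataclass
class Packet:
    """Constructed DHCP packet: only the fields the snooping decision looks at."""
    port: str                      # ingress interface, e.g. "Ethernet0/3"
    vlan: int
    msg: str                       # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK
    chaddr: str                    # client MAC in Cisco dotted form
    yiaddr: str = "0.0.0.0"
    opt82: Optional[bytes] = None  # relay information option, if present


@dataclass
class SnoopingSwitch:
    """Hypothetical model of the snooping logic shown in the debug output."""
    base_mac: str                  # remote-id the switch encodes, 12 hex digits
    trusted: set                   # ports configured with 'ip dhcp snooping trust'
    snooped_vlans: set             # VLANs from 'ip dhcp snooping vlan ...'
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> {ip, port}

    @staticmethod
    def _port_tuple(port: str) -> tuple:
        m = re.fullmatch(r"Ethernet(\d+)/(\d+)", port)
        if not m:
            raise ValueError(f"unexpected interface name {port}")
        return int(m.group(1)), int(m.group(2))

    def encode_option82(self, port: str, vlan: int) -> bytes:
        """Build the same relay information option the switch dumped above."""
        mod, prt = self._port_tuple(port)
        cid = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([mod, prt])
        rid = bytes([0, 6]) + bytes.fromhex(self.base_mac)
        body = bytes([1, len(cid)]) + cid + bytes([2, len(rid)]) + rid
        return bytes([82, len(body)]) + body

    def process(self, pkt: Packet) -> tuple:
        """Return (action, detail) mirroring the DHCP_SNOOPING debug lines."""
        if pkt.vlan not in self.snooped_vlans:
            return ("forward", "vlan not snooped")
        if pkt.msg in SERVER_MSGS:
            if pkt.port not in self.trusted:
                return ("drop", f"{pkt.msg} from untrusted port {pkt.port}")  # R2's case
            if pkt.opt82 is None:
                return ("flood", "no option 82, bridge normally")
            info = decode_option82(pkt.opt82)
            if info.get("remote_id") != self.base_mac:
                return ("forward", "option 82 belongs to another relay")  # simplification
            cid = info["circuit_id"]  # "opt82 data indicates local packet"
            client_port = f"Ethernet{cid['module']}/{cid['port']}"
            if pkt.msg == "DHCPACK":  # "add binding on port ..."
                self.bindings[(pkt.chaddr, pkt.vlan)] = {"ip": pkt.yiaddr, "port": client_port}
            return ("direct-forward", client_port)  # option 82 removed before sending
        if pkt.port in self.trusted:
            return ("flood", "client message from trusted port")
        pkt.opt82 = self.encode_option82(pkt.port, pkt.vlan)  # "add relay information option"
        return ("flood", "relay info option added")
```

Running encode_option82("Ethernet0/3", 100) with base MAC aabbcc000100 reproduces the 20-byte dump in the log byte for byte, which is a useful sanity check when reading option 82 dumps from a real switch; the binding entry the model records (10.0.0.3 on Ethernet0/3, VLAN 100) matches the "dump binding entry" line above, and an OFFER arriving on any port without ip dhcp snooping trust is dropped, which is what stopped R2.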

6.2.c Nondefault native VLAN
For security reasons it is best to leave the default VLAN 1 unused. I do this by default now: simply assign all access ports to a VLAN other than 1, and use any other VLAN as your “default” VLAN.

Full lab here.
