CCIE L2 security, a FRAME of reference...
We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! :) ) As I was going through the demo’s on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.
This blog post is to refresh your memories and provide some examples for layer 2 security on the Catalyst switch. We will begin with DHCP snooping.
I have a friend “wink, wink” who many years ago at a conference configured his Windows NT 4.0 server (ah the memories), as a DHCP server, and had almost 100 clients routing through his laptop. The only problem with this, besides really slow performance for everyone, was the fact that he was just another attendee at the conference, and was running a rogue DHCP server. Of course today, we would never allow that to happen, as we would use DHCP snooping to place all ports in an untrusted state, with the exception of the real DHCP server(s).
In the examples below, on SW1; R1, R2 and R3 are connected to ports Fa0/1, Fa0/2 and Fa0/3 respectively. R1 is the valid DHCP server, so we specify port Fa0/1 as a trusted DHCP port
DHCP snooping prevents protects against rogue servers, but it also provides another huge benefit, and that is the DHCP snooping binding table which is built dynamically and includes the clients MAC, IP, Lease time, Binding Type, VLAN# and Switch Port that client is connected to. This is huge, because now we can add on other features, like Source Guard. Source Guard uses the snooping binding table, and prevents a host from “borrowing” its neighbors IP address. If the source IP coming in on a switch port doesn’t match the IP in the binding table, the packet is dropped at the switch!
But wait, there is more. :) We have all probably heard about a L2 man in the middle attack, where the attacker poisons the arp cache of a host and it's gateway, and then eavesdrops on every frame/packet between them. Because we have the DHCP snooping table, we can stop malicious ARPs from getting into the VLAN. Once again, with ARP inspection enabled, and leveraging the snooping table, if the MAC withing the ARP doesn’t match the table, the switch kills it.
So in summary, DHCP snooping builds the binding table. Source Guard uses the table to prevent IP address spoofing/borrowing. ARP inspection uses the table to prevent malicious/incorrect ARP packets from performing ARP cache poisoning.
The configurations, embedded notes, validations and show commands are below.
R1
! Excluded static addresses used by R1 and SW1
ip dhcp excluded-address 123.0.0.1
ip dhcp excluded-address 123.0.0.7
ip dhcp pool MYPOOL
network 123.0.0.0 255.255.255.0
domain-name INE.com
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
! We used mac addresses that would be easily identifiable
mac-address 0011.1111.1111
! The command below allows the DHCP option inbound to server
ip dhcp relay information trusted
ip address 123.0.0.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
! Configured R1 as an NTP server so SW1 could have synced time
ntp master 1
R2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
mac-address 0022.2222.2222
ip address dhcp
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
R3
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
mac-address 0033.3333.3333
ip address dhcp
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
SW1
ip dhcp snooping vlan 123
! In a production network, you would want to be careful to not exceed
! the space available in flash for storage.
ip dhcp snooping database flash:/jan7snoop.txt
ip dhcp snooping
!
ip arp inspection vlan 123
! The validate includes ARP validation for IP and source/destination MAC addresses
ip arp inspection validate ip src-mac dst-mac
!
!
interface FastEthernet0/1
Description Connection to R1, the real DHCP server
switchport access vlan 123
switchport mode access
! Because the DHCP server has a static address, there will never be
! a dynamic entry in the snooping table for R1. We could create
! and ARP access list, and use it for to compliment the dynamic table.
ip arp inspection trust
! Because R1 is a DHCP server, we have to “DHCP trust” this interface.
ip dhcp snooping trust
!
interface FastEthernet0/2
Description Connection to R2, a DHCP client
switchport access vlan 123
switchport mode access
! This next command is the Source Guard, that prevents IP Spoofing
ip verify source
!
interface FastEthernet0/3
Description Connection to R3, a DHCP client
switchport access vlan 123
switchport mode access
! This next command is the Source Guard, that prevents IP Spoofing
ip verify sourceinterface Vlan123
ip address 123.0.0.7 255.255.255.0
!
! When writing the DHCP snooping table to flash, the switch complains
! if it is not synchronized to an NTP server.
ntp server 123.0.0.1
So lets take a look at some show commands, first on the DHCP server R1. It shows that it handed out IP addresses via DHCP to 2 devices, using 123.0.0.6 and 123.0.0.8 (looks like someone was bringing the clients up and down a few times for testing) ☺
r1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
123.0.0.6 0063.6973.636f.2d30. Jan 08 2010 08:11 AM Automatic
3032.322e.3232.3232.
2e32.3232.322d.4661.
302f.30
123.0.0.8 0063.6973.636f.2d30. Jan 08 2010 08:11 AM Automatic
3033.332e.3333.3333.
2e33.3333.332d.4661.
302f.30
It looks like R1 has OSPF learned routes with next hops that match the DHCP addresses we handed out.
r1# show ip ospf neighborNeighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DROTHER 00:00:33 123.0.0.6 FastEthernet0/0
3.3.3.3 1 FULL/BDR 00:00:32 123.0.0.8 FastEthernet0/0
r1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static routeGateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 123.0.0.6, 00:01:21, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/2] via 123.0.0.8, 00:01:11, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.0.0.0 is directly connected, FastEthernet0/0
r1#
It also appears that these 2 OSPF neighbors are in deed R2 and R3 based on the router-id.
r1# show ip ospf neighborNeighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DROTHER 00:00:36 123.0.0.6 FastEthernet0/0
3.3.3.3 1 FULL/BDR 00:00:39 123.0.0.8 FastEthernet0/0
r1#
Lets jump over to SW1, and look first at the DHCP snooping binding table, to verify that it is in order.
sw1# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:22:22:22:22:22 123.0.0.6 86053 dhcp-snooping 123 FastEthernet0/2
00:33:33:33:33:33 123.0.0.8 86062 dhcp-snooping 123 FastEthernet0/3
Total number of bindings: 2
To look at source guard, we use the following commands. Remember, source guard is leveraging the information from the DHCP snooping binding table.
sw1# show ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:22:22:22:22:22 123.0.0.6 86020 dhcp-snooping 123 FastEthernet0/2
00:33:33:33:33:33 123.0.0.8 86029 dhcp-snooping 123 FastEthernet0/3
Total number of bindings: 2sw1# show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Fa0/2 ip active 123.0.0.6 123
Fa0/3 ip active 123.0.0.8 123
Next, lets look at some output regarding the Dynamic ARP Inspection (DAI). The only interface we trusted was Fa0/1.
sw1# show ip arp inspection interfacesInterface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa0/1 Trusted None N/A
Fa0/2 Untrusted 15 1
Fa0/3 Untrusted 15 1
Fa0/4 Untrusted 15 1
Fa0/5 Untrusted 15 1sw1# show ip arp inspection vlan 123
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : EnabledVlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
123 Enabled ActiveVlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
123 Deny Deny Off
sw1# show ip arp inspection statistics vlan 123Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
123 39 1 1 0Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
123 21 0 0 0Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
123 0 0 0
sw1#
With ARP inspection in place, lets go to R2, and view our MAC address
To begin, we have the L2 information for R1 and R3, and our own MAC address of 002.2222.2222 We can confirm this with a couple different commands.
r2# show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 123.0.0.1 8 0011.1111.1111 ARPA FastEthernet0/0
Internet 123.0.0.6 - 0022.2222.2222 ARPA FastEthernet0/0
Internet 123.0.0.8 8 0033.3333.3333 ARPA FastEthernet0/0r2# show int fa 0/0 | inc bia
Hardware is AmdFE, address is 0022.2222.2222 (bia 000f.3431.1da0)
Now, we will change the MAC address of our Fa0/0 interface.
r2(config)#int fa 0/0
r2(config-if)#mac-address 0022.2222.2224
Lets generate an ARP request by attempting to ping a local resource that is not currently in our ARP cache.
r2(config-if)# do ping 123.0.0.10Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Lets see what messages are popping up on the console of SW1.
SW1
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0022.2222.222<strong>4</strong>/123.0.0.6/0000.0000.0000/123.0.0.10/08
So the ARP never left the gate, because the MAC address that we were trying to use as part of the ARP request didn’t match the snooping table.
One last piece. Lets take a look at the Source Guard in action. R3 is directly connected to 123.0.0.0, and has routing updates for the loopback interfaces of R1 and R2 as well.
r3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static routeGateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 123.0.0.1, 00:12:34, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 123.0.0.6, 00:12:34, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
123.0.0.0/24 is subnetted, 1 subnets
C 123.0.0.0 is directly connected, FastEthernet0/0
r3#
A ping to the directly connected, working OSPF neighbor 123.0.0.1 should work, right?
r3# ping 123.0.0.1Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r3#
It does in fact work. Now lets source the ping from our loopback 0. If you scroll up and look at the routing table of R1, it has a route back to R3’s 3.3.3.3 as well.
r3# ping 123.0.0.1 so lo 0Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.....
Success rate is 0 percent (0/5)
r3#
So why is this ping not working? Source guard. We are sourcing the packet from 3.3.3.3, and that doesn’t match the snooping table, and so the switch rejects it. To do a quick verification, we can remove the source guard from the switch port that R3 is connected to, and try it again.
sw1(config)#int fa 0/3
sw1(config-if)#no ip verify source
And now, drum roll please, the ping.
r3#ping 123.0.0.1 so lo 0Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#
Remember, if we aren’t using DHCP in our network, and still want to use these features, we can create manual snooping and arp inspection entries, and get the same effect. Our workbooks have extensive examples and explanations.
The transparent mode ASA firewall, has it’s own set of tricks for L2 security as well, and we’ll leave that for another day.
Best wishes from the INE team!
