30 July, 2014

DHCP Snooping

# Attack Scenario

DHCP Snooping
- Enable on Switch
- Enable on VLAN
- ID Trusted Ports

SW2#conf terminal

! Enable the feature
SW2(config)#ip dhcp snooping

! Set the file that stores the binding database so it survives a reload
SW2(config)#ip dhcp snooping database flash:/snoopy.db

! Enable the feature for VLAN
SW2(config)#ip dhcp snooping vlan 123

! Configure Trust port (DHCP Server)
SW2(config)#interface fas 0/3
SW2(config-if)#description trunk leading to real DHCP server
SW2(config-if)#ip dhcp snooping trust
* Note: a trusted port accepts OFFERs and ACKs
* Note: if the DHCP server is an IOS router, it also needs the next command so it accepts the option-82 information the switch inserts

Router(config)# ip dhcp relay information trust-all

! Configure user ports
SW2(config)#interface fas 0/1
SW2(config-if)#description user port
SW2(config-if)#ip dhcp snooping limit rate 10
* Note: 10 pps (packets per second)

SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security maximum 5

SW2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
123
DHCP snooping is operational on following VLANs:
123
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10
FastEthernet0/3              yes         unlimited
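A quick audit of the trust/rate table above, as an added example that is not part of the original post: it parses the interface table of `show ip dhcp snooping` (the sample below is constructed from the output shown on the page) and flags trusted ports that are not a known DHCP server uplink and untrusted ports with no rate limit. The set of expected uplinks is an assumption passed in by the caller.

```python
import re

# Constructed sample: the interface table from the page's "show ip dhcp snooping" output
SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
123
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10
FastEthernet0/3              yes         unlimited
"""

# One table row: interface name, yes/no, rate in pps or "unlimited"
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|unlimited)\s*$")

def parse_snooping_ports(text):
    """Return {interface: (trusted, rate)} with rate None for 'unlimited'."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, trusted, rate = m.groups()
            ports[iface] = (trusted == "yes", None if rate == "unlimited" else int(rate))
    return ports

def audit_snooping(text, expected_trusted, max_rate=10):
    """Findings: rogue trusted ports, unlimited untrusted ports, missing uplinks."""
    findings = []
    if "Switch DHCP snooping is enabled" not in text:
        findings.append("dhcp snooping globally disabled")
    ports = parse_snooping_ports(text)
    for iface, (trusted, rate) in sorted(ports.items()):
        if trusted and iface not in expected_trusted:
            findings.append(f"{iface}: trusted but not a known DHCP server uplink")
        if not trusted and (rate is None or rate > max_rate):
            findings.append(f"{iface}: untrusted port without rate limit <= {max_rate} pps")
    for iface in sorted(expected_trusted):
        if not ports.get(iface, (False, None))[0]:
            findings.append(f"{iface}: expected DHCP server uplink is not trusted")
    return findings
```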

SW2#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FastEthernet0/2
Total number of bindings: 1

Port-Security Trunk Port

SW2(config)#default interface fastEthernet 0/2
Interface FastEthernet0/2 set to default configuration

SW2(config)#int fas0/2
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport port-security maximum 50 vlan 123
SW2(config-if)#switchport port-security violation restrict
SW2(config-if)#switchport port-security
SW2(config-if)#do show run in fas 0/2
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security maximum 50 vlan 123
 switchport port-security
 switchport port-security violation restrict
 shutdown
end

Port-Security Access Port

# Attack Scenario

Port Security to the rescue
- Dynamic, Static, Sticky
- Violation Actions
- Access or Trunk

SW2(config)#default interface fa0/1
Interface FastEthernet0/1 set to default configuration

SW2(config)#int fas 0/1

! Set the port type explicitly (no dynamic DTP negotiation)
SW2(config-if)#switchport mode access

! Set the access VLAN
SW2(config-if)#switchport access vlan 123

! Set the maximum MAC addresses, default is 1
SW2(config-if)#switchport port-security maximum 5

! Set aging parameters: age out secure addresses after 5 minutes of inactivity
SW2(config-if)#switchport port-security aging type inactivity
SW2(config-if)#switchport port-security aging time 5

! Set violation action, default is shutdown
SW2(config-if)#switchport port-security violation restrict

! Add a static MAC address
SW2(config-if)#switchport port-security mac-address 0000.6783.0000

! Remember to enable the feature
SW2(config-if)#switchport port-security

SW2(config-if)#do show run in fas 0/1
!
interface FastEthernet0/1
 switchport access vlan 123
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address 0000.6783.0000
end

SW2(config-if)#do show port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
 123    0000.6783.0000    SecureConfigured         Fa0/1        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120

SW2(config-if)#do show port-security interface fas 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
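The same kind of check for the per-interface port-security status, as an added example that is not part of the original post: it parses the `key : value` lines of `show port-security interface` (the sample is constructed from the output shown above) and flags settings a reviewer would question, such as a silent `protect` violation mode, a MAC maximum above policy, or a non-zero violation count. The policy maximum is an assumed parameter.

```python
# Constructed sample, copied from the page's "show port-security interface fas 0/1" output
SHOW_PORTSEC = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

def parse_port_security(text):
    """Turn the 'key : value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")  # keys may themselves contain ':'
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields

def audit_port_security(text, max_allowed=5):
    """Return the findings a reviewer would raise for one access port."""
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation")
    if f.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops frames silently (no syslog/SNMP)")
    if f.get("Maximum MAC Addresses", 0) > max_allowed:
        findings.append(f"maximum {f['Maximum MAC Addresses']} exceeds policy {max_allowed}")
    if f.get("Security Violation Count", 0) > 0:
        findings.append(f"{f['Security Violation Count']} violation(s) recorded")
    return findings
```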