Friday, December 30, 2011

DHCP Based Security Part 2: IP Source Guard

This is post two in a three post series on DHCP based switching security technologies.  Previously I looked at DHCP Snooping, and now I'm going to look at IP Source Guard.

IP Source Guard builds upon the foundation laid with DHCP Snooping by using the DHCP snooping binding database to enforce the address assignments that DHCP has handed out.  The idea is that you can enable IP Source Guard on the ports that were deemed "untrusted" by DHCP Snooping to ensure that only the IP address assigned via DHCP can actually talk to the rest of the network.  You can also take it a step further and configure IP Source Guard to enforce the IP to MAC binding created by DHCP on an untrusted port.  This draconian security measure ensures that only hosts explicitly granted an IP address via DHCP are allowed to communicate on the port they are connected to.

As a prerequisite, if you haven't already figured it out, before you enable IP Source Guard you must already have DHCP Snooping configured and working.

For this post we're using the same topology that we used in the previous post on DHCP Snooping.



Since this is about an hour after I made the first post, I still have everything configured and ready to go.  I'm going to start by enabling IP Source Guard. As I said above, IP Source Guard is enabled on a per-port basis, and on ports that are "untrusted" according to DHCP Snooping.  First we'll configure IP only source guard. After that we'll do IP/MAC source guard.

Cat2(config)#int f0/6
Cat2(config-if)#ip verify source
Cat2(config-if)#


Ta Da!  That's all there is to it.  We are now enforcing our DHCP IP assignments on the ports they were assigned to.  A little verification is always a good thing.

Cat2#sh ip verify source int f0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       10.6.7.10                           67


If we look at the output we see we're looking at Fa0/6, that our filter-type is IP, and the address that is bound to that port.  This matches our DHCP snooping binding database (since this is where the information came from).

Cat2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:B8:1A:50:80   10.6.7.10        84081       dhcp-snooping   67    FastEthernet0/6
Total number of bindings: 1


To test, I'm going to add a loopback to R6, a static route to R7, and ping from R6 to R7 using the loopback as a source address.

R6(config-if)#int lo0
*Dec 30 06:44:18.782: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R6(config-if)#ip add 10.6.6.6 255.255.255.255
R6(config-if)#


 

R7(config)#ip route 10.6.6.6 255.255.255.255 10.6.7.10
R7(config)#do sh ip ro static
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       10.6.6.6/32 [1/0] via 10.6.7.10



R6(config-if)#do ping 10.6.7.7 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.6.6.6
.....
Success rate is 0 percent (0/5)


Nope, no ping action around here.  Let's just quickly disable IP Source Guard and try again...

Cat2(config)#int f0/6
Cat2(config-if)#no ip verify source

 

R6(config-if)#do ping 10.6.7.7 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


OK, so it appears to be working!  Good stuff.

One more example, let's change our interface on R6 from DHCP to a static IP.  This will mean that no DHCP snooping binding database entry will be created, which means that the IP source guard bindings won't be populated...

R6(config-if)#int f0/0
R6(config-if)#ip add 10.6.7.200 255.255.255.0
R6(config-if)#

Cat2#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       deny-all                            67


'deny-all' ?  That doesn't look good...

R6(config-if)#do ping 10.6.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Yup, that's not good at all.  Big fat denied.

Next, we can take this a step further and enforce the IP to MAC binding as well (just in case we REALLY don't trust our users).  You need to be careful here because there are a few things working behind the scenes that can cause you a little grief if you're not careful.  I'll try to walk through them here as best I can.

First, I'm changing R6 back to DHCP (not shown).  Then I'll enable IP/MAC filtering in IP Source Guard by using the 'port-security' keyword.

Cat2(config)#int f0/6
Cat2(config-if)#ip verify source port-security
Cat2(config-if)#
Cat2(config-if)#do sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       10.6.7.3         permit-all         67


We now see that the filter-type has changed to 'ip-mac' and that there is something under 'Mac-address'.  However, while MAC filtering has been enabled, right now we see 'permit-all', which really isn't any filtering at all.  The way to populate the 'Mac-address' column properly is to enlist the help of another security feature, port security.  Let's add that.

Cat2(config-if)#switchport port-security

That's all we need.  You don't actually have to specify the MAC, or use sticky-mac to grab it, or anything else.  Let's verify...

Cat2(config-if)#do sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       10.6.7.4         00:0A:B8:19:AB:78  67


Looking good.  We now have our MAC.  But, and this is a big BUT, things are horribly broken at this point.  You're going to be deceived, because if you try and ping from R6 it'll work, but if you do a shut/no shut on the port you're going to find that DHCP is no longer functioning!

What?  Why?

Well, this is where those things behind the scenes I referred to above kick in.  The switch needs port-security functionality to properly learn the MAC needed in the IP Source Guard table, but because port-security is enabled the switch cannot properly populate its mac-address-table!  If I shut/no shut f0/0 on R6, and then look at the mac-address-table on Cat2, we'll see there's nothing there.

R6(config-if)#shut
R6(config-if)#no shut
R6(config-if)#
*Dec 30 22:48:19.331: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Dec 30 22:48:20.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Dec 30 22:48:21.467: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 30 22:48:22.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Cat2(config-if)#do sh mac-add int f0/6
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----


Further, this also does actually screw with IP Source Guard!

Cat2(config-if)#do sh ip verify sour
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       deny-all         deny-all           67


That's a lot of deny-all.  Too much for my liking.

This is where IP Source Guard has a huge Gotcha.  It was working just fine, and even told us it was working fine...  But it was not working properly and this little hiccup could really screw with you come Lab day!
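Because the switch happily reports 'active' while a port sits in 'deny-all', it is worth checking the table rather than trusting it. The following is an added example, not code from the original post: a small Python audit that parses 'show ip verify source' output (a constructed sample modelled on the tables above) and flags ports with no binding or with an unenforced MAC column.

```python
import re

# Constructed sample output modelled on the 'show ip verify source' tables in
# this post; it was not captured from the author's switch.
SAMPLE_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       deny-all         deny-all           67
Fa0/7      ip           active       10.6.7.10                           67
Fa0/8      ip-mac       active       10.6.7.4         permit-all         67
Fa0/9      ip-mac       active       10.6.7.5         00:0A:B8:19:AB:78  67
"""

# One data row: the Mac-address column is absent in 'ip' mode, so it is optional.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ftype>ip-mac|ip)\s+(?P<fmode>\S+)\s+(?P<ip>\S+)"
    r"(?:\s+(?P<mac>[0-9A-Fa-f:]{17}|permit-all|deny-all))?\s+(?P<vlan>\d+)\s*$"
)

def parse_verify_source(text):
    """Parse 'show ip verify source' rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def audit(rows):
    """Return (interface, finding) pairs for ports whose guard state is not a working binding."""
    findings = []
    for r in rows:
        if r["ip"] == "deny-all":
            findings.append((r["intf"], "no DHCP binding: all traffic dropped (check snooping / option 82)"))
        elif r["ftype"] == "ip-mac" and r["mac"] == "permit-all":
            findings.append((r["intf"], "ip-mac mode without port-security: MAC is not enforced"))
    return findings

if __name__ == "__main__":
    for intf, why in audit(parse_verify_source(SAMPLE_VERIFY_SOURCE)):
        print(intf, why)
```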

OK, how do we fix this?  The answer is back in our old friend DHCP Option 82.

If you refer back to my last post, I made mention of a problem where, when you enable DHCP Snooping, option 82 is inserted and a GIADDR of all zeros is used by the switch.  I also mentioned that by default Cisco routers will drop a DHCP packet with a GIADDR of all zeros.  I also presented two different ways to resolve this issue.  In this scenario, I opted to use the fix on the switch.

Cat2(config)#no ip dhcp snooping information option

Well, here is where this choice comes back to haunt me.  To solve our little problem we are actually required to insert DHCP option 82 on the switch!  I haven't been able to locate any specific documentation that explains exactly why this is, but I'm guessing that it has something to do with how the switch learns MAC addresses when DHCP Snooping and Source Guard are enabled (duh...).  Either way, you MUST enable option 82 insertion, and therefore you MUST configure your routers to trust DHCP packets with a GIADDR address of all zeros.

Cat2(config)#ip dhcp snooping information option

R7(config)#ip dhcp relay information trust-all

*Dec 30 23:15:18.615: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.6.7.5, mask 255.255.255.0, hostname R6


Success!

And now we verify.

Cat2#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       10.6.7.5         00:0A:B8:19:AB:78  67


Perfect.  Back to where we were before we decided to bounce our DHCP client port.

Finally, let's test out our IP/MAC filtering to make sure it's working the way we expect.

R6(config-if)#do ping 10.6.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R6(config-if)#mac-address 1234.5678.90ab
R6(config-if)#do ping 10.6.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6(config-if)#no mac-address 1234.5678.90ab
R6(config-if)#do ping 10.6.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R6(config-if)#


Looks good!
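To tie the whole walkthrough together, here is an added example (my own model, not Cisco code or anything from the original post) that reproduces the decisions seen above: IP-only mode permitting only the bound address, 'deny-all' when a port has no binding, 'permit-all' for the MAC in ip-mac mode until port-security supplies it, and the denial once R6 forges its MAC. The Binding and Port classes and their field names are assumptions for the model.

```python
from dataclasses import dataclass

@dataclass
class Binding:                 # one row of the DHCP snooping binding database
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass
class Port:                    # the interface-level knobs used in the post
    name: str
    vlan: int
    verify_source: bool = False   # 'ip verify source'
    check_mac: bool = False       # 'ip verify source port-security'
    port_security: bool = False   # 'switchport port-security'

def normalize_mac(mac):
    """Accept IOS dotted (1234.5678.90ab) or colon form; return lower-case colon form."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def guard_decision(port, bindings, src_ip, src_mac):
    """Return 'permit' or 'deny' for a frame entering 'port' with the given source addresses.
    Assumed model of the behaviour shown in the post, not Cisco's implementation."""
    if not port.verify_source:
        return "permit"                          # feature off: nothing is filtered
    mine = [b for b in bindings if b.interface == port.name and b.vlan == port.vlan]
    if not mine:
        return "deny"                            # no binding for this port: 'deny-all'
    # MAC is only enforced in ip-mac mode once port-security has supplied it;
    # without port-security the Mac-address column reads 'permit-all'.
    enforce_mac = port.check_mac and port.port_security
    for b in mine:
        if b.ip != src_ip:
            continue
        if enforce_mac and normalize_mac(b.mac) != normalize_mac(src_mac):
            continue
        return "permit"
    return "deny"

# Constructed binding table mirroring the post's 'show ip dhcp snooping binding' output.
BINDINGS = [Binding("00:0A:B8:1A:50:80", "10.6.7.10", 67, "Fa0/6")]

if __name__ == "__main__":
    guarded = Port("Fa0/6", 67, verify_source=True, check_mac=True, port_security=True)
    print(guard_decision(guarded, BINDINGS, "10.6.7.10", "1234.5678.90ab"))   # forged MAC: deny
```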

One last thing.  Just like DHCP Snooping, you can also create static bindings.  For whatever reason, with DHCP Snooping you do this with an EXEC mode command, but in IP Source Guard you use a Config mode command.

Cat2(config)#ip source binding AAAA.BBBB.CCCC vlan 67 1.2.3.4 int f0/6
Cat2(config)#end
*Mar  1 01:22:21.535: %SYS-5-CONFIG_I: Configured from console by console

Cat2#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip-mac       active       10.6.7.5         00:0A:B8:19:AB:78  67
Fa0/6      ip-mac       active       1.2.3.4          AA:AA:BB:BB:CC:CC  67



Next up, Dynamic ARP Inspection.

Previously, DHCP Snooping.
