Date posted: 20-Jan-2017
Category: Technology
Topic: How to Prevent DHCP Spoofing on the Network
ROEURM Channa (Mr.) [email protected]
28 October 2015 "Sharing Is The Best Of Communication & SMARTER TEAM"
Presentation Objective:
1/. DHCP Server in the Network
2/. Overview of DHCP Snooping
3/. Trusted and Untrusted Sources
4/. DHCP Attacker Impact on the Network
5/. DHCP Snooping Feature
6/. DHCP Snooping Configuration
7/. Question and Answer
DHCP Server in the Network
(diagram: trusted DHCP server reached through the switch uplink)
DHCP Server in the Network
(diagram: untrusted DHCP server plugged into a client port)
Trusted and Untrusted Sources
Trusted host: a device under your administrative control. Trusted sources include the switches, routers, and servers in your network, and in DHCP snooping terms the switch ports that lead to them.
Untrusted host: a DHCP server that is on your network without your knowledge, answering on an untrusted port, is called a spurious (rogue) DHCP server. Any port facing end hosts is untrusted by default.
Spurious DHCP Server! What do they look like?
Spurious DHCP Server
An untrusted DHCP server can be:
1. A wireless router reset to factory defaults (DHCP server enabled on its LAN ports)
2. A USB-extended wireless router or TV box
3. Desktop or laptop systems loaded with a DHCP server
   - a staff or student test-lab DHCP server
   - a PC on which the DHCP server service has been enabled or installed
4. Fake/untrusted hosts
   - a DHCP attacker host
   - a DHCP server connected to the network by accident
Impact on the Network
Disadvantages and impact on the network:
1/. Network instability (hotel/school)
   - Which port.....?
   - Which floor.....?
   - Which location.....?
2/. Difficult to troubleshoot (service provider, ISP, mobile operator)
   - PPPoE clients get the wrong IP address
   - Mobile devices get the wrong address and cannot communicate
   - Needs deep investigation
   - The network engineer is full of STRESS
How to Prevent an Untrusted DHCP Server?
Police? Hardware firewall? Neither helps: the rogue offer never leaves the access switch, so it has to be stopped there.
"The network engineer has to know about and fix tomorrow's problem." Otherwise the IT man will be told "You are shit!"
DHCP Snooping Feature
Enable DHCP snooping to:
• Drop DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, which is what stops a rogue server
• Filter out invalid client messages: a packet whose DHCP client hardware address (chaddr) does not match the frame's source MAC, a DHCPRELEASE or DHCPDECLINE for a binding that belongs to a different interface, and a packet carrying option 82 (relay agent information) from an untrusted port
• Rate-limit DHCP traffic per port (configurable on trusted and untrusted ports; on an untrusted port, exceeding the limit err-disables the port)
• Maintain the DHCP snooping binding database (MAC, IP, lease, VLAN, interface), which Dynamic ARP Inspection and IP Source Guard then use
• By default it is inactive on all VLANs; it is enabled globally and then per VLAN
Notes on DHCP Snooping
Ø DHCP snooping allows each port to be configured as trusted or untrusted; all ports are untrusted by default.
Ø Untrusted ports cannot forward DHCP replies; only trusted ports may carry DHCP server messages.
Ø Configure trust on the uplink port toward the DHCP server and on trunks between switches that carry the snooped VLANs; otherwise legitimate replies are dropped too.
Ø Do not configure trust on client ports; snooping itself is enabled per VLAN, not per port.
Ø Caveat: when snooping is enabled, a Cisco IOS switch inserts option 82 into client requests by default (ip dhcp snooping information option) while leaving giaddr as 0.0.0.0. An upstream relay or DHCP server that rejects such packets will leave clients without addresses; either disable the insertion with no ip dhcp snooping information option or trust it on the relay with ip dhcp relay information trust-all.
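The following is an added example, not code from the presentation or from Cisco: a small model of the forwarding decision a DHCP snooping switch makes, run over real BOOTP/DHCP bytes. It demonstrates the checks listed on the two slides above: server messages dropped on untrusted ports, chaddr checked against the frame source MAC, a RELEASE from the wrong port rejected, option 82 rejected from an untrusted port, per-port rate limiting with err-disable, and a binding table built from DHCPACKs. Port names, MAC addresses, IP addresses and the packets themselves are constructed; the rate limiter is a simplified packet count per interval rather than a true per-second meter.

```python
"""Model of the DHCP snooping forwarding decision over DHCP/BOOTP bytes (added example)."""
import struct

# DHCP message types (RFC 2132, option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}          # only a DHCP server sends these
MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie that follows the 236-byte BOOTP header


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=None, server_id=None, relay_info=None):
    """Build a minimal BOOTP/DHCP payload (constructed test input, not captured traffic)."""
    op = 2 if msg_type in SERVER_MSGS else 1                    # BOOTREPLY vs BOOTREQUEST
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)    # op, htype, hlen, hops, xid, secs, flags
    pkt += bytes(4) + ip_bytes(yiaddr) + bytes(8)               # ciaddr, yiaddr, siaddr, giaddr
    pkt += bytes.fromhex(chaddr.replace(":", "")) + bytes(10)   # chaddr padded to 16 bytes
    pkt += bytes(192)                                           # sname (64) + file (128)
    opts = MAGIC + bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)       # IP address lease time
    if server_id:
        opts += bytes([54, 4]) + ip_bytes(server_id)            # server identifier
    if relay_info:
        opts += bytes([82, len(relay_info)]) + relay_info       # relay agent information
    return pkt + opts + b"\xff"


def parse_dhcp(payload):
    """Return the header fields and options a snooping switch needs from one DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:               # 255 = end option
        if payload[i] == 0:                                     # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "chaddr": payload[28:28 + hlen].hex(":"),
        "yiaddr": ".".join(str(b) for b in payload[16:20]),
        "type": opts.get(53, b"\x00")[0],
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "opts": opts,
    }


class DhcpSnooper:
    """DHCP snooping state for one switch (simplified model; port names are hypothetical)."""

    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # max DHCP packets per interval on an untrusted port
        self.counts = {}                  # port -> DHCP packets seen this interval
        self.errdisabled = set()
        self.pending = {}                 # (vlan, chaddr) -> client port, learned from DISCOVER/REQUEST
        self.bindings = {}                # (vlan, chaddr) -> {"ip", "lease", "port"}: the binding database

    def inspect(self, port, vlan, src_mac, payload):
        """Return 'forward' or 'drop:<reason>' for a DHCP packet arriving on `port`."""
        if port in self.errdisabled:
            return "drop:errdisabled"
        msg = parse_dhcp(payload)
        key = (vlan, msg["chaddr"])
        if port in self.trusted:
            if msg["type"] == ACK and key in self.pending:      # server reply: record the lease
                self.bindings[key] = {"ip": msg["yiaddr"], "lease": msg["lease"],
                                      "port": self.pending.pop(key)}
            return "forward"
        # untrusted port: apply the checks from the feature slide
        self.counts[port] = self.counts.get(port, 0) + 1
        if self.rate_limit and self.counts[port] > self.rate_limit:
            self.errdisabled.add(port)                          # rate-limit violation err-disables the port
            return "drop:errdisabled"
        if msg["type"] in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"      # the rogue server's OFFER/ACK/NAK die here
        if msg["chaddr"] != src_mac.lower():
            return "drop:chaddr-mismatch"                       # 'ip dhcp snooping verify mac-address'
        if 82 in msg["opts"]:
            return "drop:option-82-from-untrusted-port"
        if msg["type"] in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b and b["port"] != port:
                return "drop:release-from-wrong-port"           # cannot free another host's lease
        if msg["type"] in (DISCOVER, REQUEST):
            self.pending[key] = port                            # remember where the client lives
        return "forward"


if __name__ == "__main__":
    sw = DhcpSnooper(trusted_ports={"Gi0/1"}, rate_limit=5)
    client = "00:02:b3:3f:3b:99"
    print(sw.inspect("Gi0/5", 10, client, build_dhcp(DISCOVER, client)))
    print(sw.inspect("Gi0/7", 10, "aa:bb:cc:dd:ee:01",
                     build_dhcp(OFFER, client, "192.168.1.50", 3600, "192.168.1.1")))
```

Feeding the same DHCPOFFER through Gi0/1 (trusted) returns "forward", through Gi0/7 (untrusted) returns a drop, which is the whole mechanism the slides rely on; the binding created from the ACK records the client's own port, so a later RELEASE from any other port is rejected.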
Configure DHCP Snooping
Enable DHCP snooping globally (nothing is inspected until a VLAN is also enabled):
  Cisco-SW-01# configure terminal
  Cisco-SW-01(config)# ip dhcp snooping
Enable DHCP snooping on the VLANs to protect (here VLAN 10 and VLANs 15 through 17):
  Cisco-SW-01(config)# ip dhcp snooping vlan 10,15-17
Enable the database agent so the binding table survives a reload (otherwise hosts with valid leases are blocked by DAI/IP Source Guard until they renew):
  Cisco-SW-01(config)# ip dhcp snooping database flash:/snooping.db
Configure DHCP Snooping (continued)
Configure Gigabit Ethernet 0/1 as trusted and verify:
  Cisco-SW-01# configure terminal
  Cisco-SW-01(config)# interface gigabitethernet 0/1
  Cisco-SW-01(config-if)# ip dhcp snooping trust
  Cisco-SW-01(config-if)# do show ip dhcp snooping
Note: Gigabit Ethernet 0/1 is the link toward the trusted DHCP server. Every other port stays untrusted, which is the default, so no per-port command is needed on client ports.
Check the binding database once a client has obtained a lease:
  Cisco-SW-01# show ip dhcp snooping binding
  MacAddress          IpAddress   Lease(sec)  Type           VLAN  Interface
  ------------------  ----------  ----------  -------------  ----  --------------------
  00:02:B3:3F:3B:99   5.5.5.5     6943        dhcp-snooping  10    GigabitEthernet0/1
Q and A
Thank You for Your Attention!