IP DHCP Snooping

One of the nice layer 2 security features that Cisco provides is DHCP Snooping. I will here provide a simple example of how it can be used.

In short terms, the DHCP snooping is securing that only DHCP offers can come from trusted ports. So it is the network administrators task to secure that the ports pointing to the server is trusted and known.

The setup that I will explain is showed on below picture

DHCP-Snooping-EX

This is a very simple setup. The clients and servers are in the same VLAN. So we will only focus on the Access switch since we are dealing with layer 2 technology.

On the access switch we need to enable the IP DHCP Snooping feature.

Access-Switch(Config)#ip dhcp snooping

When the feature is enabled, the switch will set DHCP Snooping on all VLANs.

If you are using Windows DHCP Server, it is important that you disable the option82.

Access-Switch(Config)#no ip dhcp snooping information option

The DHCP Server was connected to the port Gig 1/0/1. So we need to tell the switch that it is alright to recieve DHCP offers inbound on this connection.

Access-Switch(Config-if)#ip dhcp snooping trust

Now the clients will be able to optain IP addresses from the server.

But why have we done this, the smart thing with DHCP Snooping is that if a user brings a small router o similar with them from home and connects it to the network, by default then if they are in the same VLAN, the clients could get IP addresses from the new “Rouge” DHCP server.

When DHCP Snooping is turned on and the port is not trusted, then all packages containing a DHCP Offer will be dropped when it reaches the port.

Securing only SSH access is allowed

As all IT guys are aware of it is extremely important to secure the data that we are sending over the network. No matter if it is normal file transfer or management traffic to our network devices.

This configuration will have the goal of securing the management access will use SSH to communicate instead of telnet witch is sending the traffic in a non secure way.

First thing we need is a bit of basic configuration. hostname, domain name and a local admin user.

Hostname router
IP domain-name example.org
!
Username cisco privilege 15 secret cisco

Based on the hostname and domain name, we can tell the Cisco IOS unit to create a self-signed certificate. This is then used to secure managment traffic from the management PC to the unit.

crypto key generate rsa modulus 2048

Besides using SSH the goal is not to use the local admin user, so therefore it is necessary to create a AAA login method to ask a radius server to authenticate the management users. If the radius server is down the fallback should be the local user database

aaa new-model
!
aaa authentication login default local
aaa authentication login RWGROUP-Auth group radius local
!
aaa group server radius RWGROUP-Auth
 server name Server1
 server name Server2
!
radius server Server1
address ipv4 10.1.1.2 auth-port 1645 acct-port 1646
key xxxxx
!
radius server Server2
address ipv4 10.2.2.2 auth-port 1645 acct-port 1646
key xxxxx
!
ip radius source-interface Vlan500

Last thing witch is needed is the configuration of the VTY lines. This can be made even more secure by applying the access-class command to secure what networks are able to get access to the VTY lines.

line vty 0 4
 login authentication Radius-Auth
 transport input ssh
line vty 5 15
 login authentication Radius-Auth
 transport input ssh

To use the access-class, it is needed to create an ACL permitting the IP subnet from witch management traffic will come from. In this example there is only 1 class B subnet

access-list 10 permit 10.3.0.0 0.0.255.255

Under the VTY lines the access-class is then defined in an inbound definition.

line vty 0 4
access-class 10 in
line vty 5 15
access-class 10 in

Subnetting Sheet

During my studies for CCNA and CCNP I was introduced to the following table.
In the exams your time can be very limited, using this sheet will help you to answer the subnetting questions a lot faster.

NB! You should still be able to calculate subnets without this!

3rd octet 4th octet
Bits 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
Mask 128 192 224 240 248 252 254 255 128 192 224 240 248 252 254 255
CIDR /17 /18 /19 /20 /21 /22 /23 /24 /25 /26 /27 /28 /29 /30 /31 /32
Boundary 128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1
Class B Subnets 2 4 8 16 32 64 128 256 512 1024 2048 4096 8192 16384
Class C Subnets 2 4 8 16 32 64
Available Host 32766 16382 8190 4094 2046 1022 510 254 126 62 30 14 6 2

DNS Subnet ordering

In bigger networks today there might be multiple VLAN’s.

Example:

VLAN ID   VLAN Name         IP Subnet
10        Server-VLAN-1     10.10.10.0 /24
11        Clients-VLAN-1    10.10.11.0 /24
12        Clients-VLAN-2    10.10.12.0 /24
13        WIFI-VLAN-1       10.10.13.0 /24

If a Windows Active Directory server is installed in the server VLAN, then by default it will serve the clients within it’s own subnet. Eg. when a client as for the domain itself through nslookup.

In order for getting the DNS server to server all the above subnets, it is needed to modify a registry key.
As we have 4 x class c subnets we can use the table below to find the needed value for the registry key. In this example it will be 0x000003FF.

The easy way to make the change is by opening a CMD as admin and write the command:

Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

After succesfull change it is needed for the server to reboot.

Dnscmd /Config /LocalNetPriorityNetMask **LocalPriorityNet**

NetMask           Binary                                CIDR    Comments                   LocalPriorityNet

255.255.255.255   11111111.11111111.11111111.11111111    /32      Host (single addr)       0x00000000
255.255.255.254   11111111.11111111.11111111.11111110    /31      Unuseable                0x00000001
255.255.255.252   11111111.11111111.11111111.11111100    /30      2  useable               0x00000003
255.255.255.248   11111111.11111111.11111111.11111000    /29      6  useable               0x00000007
255.255.255.240   11111111.11111111.11111111.11110000    /28     14  useable               0x0000000F
255.255.255.224   11111111.11111111.11111111.11100000    /27     30  useable               0x0000001F
255.255.255.192   11111111.11111111.11111111.11000000    /26     62  useable               0x0000003F
255.255.255.128   11111111.11111111.11111111.10000000    /25     126  useable              0x0000007F
255.255.255.0     11111111.11111111.11111111.00000000    /24     “Class C” 254 useable     0x000000ff

255.255.254.0     11111111.11111111.11111110.00000000    /23       2  Class C’s            0x000001FF
255.255.252.0     11111111.11111111.11111100.00000000    /22       4  Class C’s            0x000003FF 
255.255.248.0     11111111.11111111.11111000.00000000    /21       8  Class C’s            0x000007FF
255.255.240.0     11111111.11111111.11110000.00000000    /20      16  Class C’s            0x00000FFF
255.255.224.0     11111111.11111111.11100000.00000000    /19      32  Class C’s            0x00001FFF
255.255.192.0     11111111.11111111.11000000.00000000    /18      64  Class C’s            0x00003FFF
255.255.128.0     11111111.11111111.10000000.00000000    /17     128  Class C’s            0x00007FFF
255.255.0.0       11111111.11111111.00000000.00000000    /16      “Class B”                0x0000ffff
     
255.254.0.0       11111111.11111110.00000000.00000000    /15      2  Class B’s             0x0001FFFF
255.252.0.0       11111111.11111100.00000000.00000000    /14      4  Class B’s             0x0003FFFF
255.248.0.0       11111111.11111000.00000000.00000000    /13      8  Class B’s             0x0007FFFF
255.240.0.0       11111111.11110000.00000000.00000000    /12     16  Class B’s             0x000FFFFF
255.224.0.0       11111111.11100000.00000000.00000000    /11     32  Class B’s             0x001FFFFF
255.192.0.0       11111111.11000000.00000000.00000000    /10     64  Class B’s             0x003FFFFF
255.128.0.0       11111111.10000000.00000000.00000000    /9      128  Class B’s            0x007FFFFF
255.0.0.0         11111111.00000000.00000000.00000000    /8       “Class A”                0x00ffffff
  
254.0.0.0         11111110.00000000.00000000.00000000    /7                                0x01FFFFFF
252.0.0.0         11111100.00000000.00000000.00000000    /6                                0x03FFFFFF
248.0.0.0         11111000.00000000.00000000.00000000    /5                                0x07FFFFFF
240.0.0.0         11110000.00000000.00000000.00000000    /4                                0x0FFFFFFF
224.0.0.0         11100000.00000000.00000000.00000000    /3                                0x1FFFFFFF
192.0.0.0         11000000.00000000.00000000.00000000    /2                                0x3FFFFFFF
128.0.0.0         10000000.00000000.00000000.00000000    /1                                0x7FFFFFFF
0.0.0.0           00000000.00000000.00000000.00000000    /0    IP subnet definition        0xFFFFFFFF

Cisco standalone MAB configuration

One way of securing who is able to connect to the network is by configuring Cisco MAB. This configuration snippet is a Cisco MAB standalone mode.

In general the system will check the local MAC of the client and check it against a radius server. In this case ClearBox Radius server is used, together with a SQL database where the local MAC addresses of clients is entered.

First thing witch needs to be done i enabling a new AAA model, this secures that you can create an authentification method for dot1x witch referes to port authentification. In this case the method is the default and it is configured to use the radius group “Radius-Auth”

aaa new-model
aaa authentication dot1x default group Radius-Auth

After the method it is needed to configure the radius server group “Radius-Auth”. The parameters for the different servers can be different than this configuration, but these are the standards. At the end of the radius server configuration the source interface is specified. In the radius server you can allow only specific IP’s to make radius request so this source IP will normally be the management VLAN of the switch. In this case VLAN99

aaa group server radius Radius-Auth
server name Server1
server name Server2
!
radius server Server1
address ipv4 10.1.1.2 auth-port 1645 acct-port 1646
key xxxxx
!
radius server Server2
address ipv4 10.2.2.2 auth-port 1645 acct-port 1646
key xxxxx
!
ip radius source-interface Vlan99

The last thing witch is needed is the port configuration. The “authentification event” comands is used if there is a failure of either communication with the radius servers or if the clients MAC address is not registered, witch in this case will give the users access to vlan 999 instead of 50. Normally such VLAN would be highly protected and only give access to internet resources.

interface FastEthernet 0/1
switchport access vlan 50
switchport mode access
authentication port-control auto
authentication event fail action authorize vlan 999
authentication event no-response action authorize vlan 999
mab