Nice info.
A couple of points.
Don't understand what ARP Attack tools have to do with SSH/SSL. See page 54.
The general knowledge about RSA public/private key infrastructure is that the
traffic between two hosts is encrypted and it is "unfeasible" to crack/brute
force it.
Second, I don't know what switch platform was used by Yusuf (if it was Yusuf)
to configure IPSG. On 3650 switch the interface command "ip verify source vlan
dhcp-snooping" doesn't exist.
SW2(config-if)#ip verify source ?
port-security port security
<cr>
SW2(config-if)#ip verify source vlan dhcp-snooping
^
% Invalid input detected at '^' marker.
Eugene
From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Wednesday, June 06, 2012 6:08 PM
To: Eugene Pefti
Cc: Kingsley Charles; Mike Rojas; [email protected]
Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
There is a nice presentation on this put together by Yusuf.
http://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf%20
check "building the layers" section
A.
On 7 June 2012 08:20, Eugene Pefti
<[email protected]> wrote:
I would say that IP source guard goes hand in hand with DHCP snooping.
Cisco doc says (Catalyst 3650)
"When IP source guard with source IP filtering is enabled on an interface, DHCP
snooping must be enabled on the access VLAN for that interface"
And then they start configuring IPSG with DHCP snooping as part of it.
I tested it and my findings are that even if you have "ip source binding
AAAA.BBBB.CCCC vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX" it is not active
without DHCP snooping:
SW2#show ip ver source interface Fa0/6
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan
I had a host obtain an IP address from the DHCP server different from the IP
address used in "ip source binding" and was able to communicate.
Once I enabled DHCP snooping globally and for the specific VLAN the IPSG
feature became active and the host wasn't able to communicate with others:
SW2#sh ip verif source inter fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       174.1.255.2                         102
Eugene
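The finding above (a static "ip source binding" that stays inactive until DHCP snooping is enabled on the port's access VLAN) is easy to miss in a large config, because the binding line looks complete on its own. The following audit script is an added example and is not code from the thread or from Cisco; it parses a constructed running-config excerpt and a constructed "show ip verify source" table laid out like the one quoted above, and reports ports whose IPSG cannot enforce anything. The column layout of the show output, the default access VLAN of 1, and the interface-name abbreviation rule (FastEthernet0/6 shown as Fa0/6) are assumptions the script makes.

```python
"""Audit IP Source Guard (IPSG) readiness from Catalyst IOS text output.

Added example, not from the mailing-list thread. Inputs are constructed
samples; output formats are assumed to match the ones quoted in the thread.
"""
import re

# Constructed running-config excerpt (not a real switch).
RUNNING_CONFIG = """\
ip dhcp snooping vlan 102
ip dhcp snooping
!
ip source binding AAAA.BBBB.CCCC vlan 101 174.1.255.2 interface Fa0/6
ip source binding AAAA.BBBB.CCCD vlan 102 174.1.255.3 interface Fa0/7
ip source binding AAAA.BBBB.CCCE vlan 102 174.1.255.4 interface Fa0/8
!
interface FastEthernet0/6
 switchport access vlan 101
 ip verify source
!
interface FastEthernet0/7
 switchport access vlan 102
 ip verify source
!
interface FastEthernet0/8
 switchport access vlan 102
!
"""

# Constructed "show ip verify source" output in the layout quoted above.
SHOW_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan
Fa0/7      ip           active                     174.1.255.3                         102
"""


def short_name(iface):
    """FastEthernet0/6 -> Fa0/6, GigabitEthernet1/0/1 -> Gi1/0/1 (assumed rule)."""
    m = re.match(r"([A-Za-z]+)(.*)", iface)
    return m.group(1)[:2].capitalize() + m.group(2)


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,3-5' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Collect snooping state, static bindings and per-port IPSG settings."""
    cfg = {"snooping_global": False, "snooping_vlans": set(), "bindings": [], "ports": {}}
    cur = None
    for line in text.splitlines():
        if line == "ip dhcp snooping":
            cfg["snooping_global"] = True
        elif m := re.match(r"ip dhcp snooping vlan (\S+)", line):
            cfg["snooping_vlans"] |= expand_vlans(m.group(1))
        elif m := re.match(r"ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)", line):
            cfg["bindings"].append((m.group(1), int(m.group(2)), m.group(3), short_name(m.group(4))))
        elif m := re.match(r"interface (\S+)", line):
            cur = short_name(m.group(1))
            cfg["ports"][cur] = {"vlan": 1, "ipsg": False}  # access VLAN 1 is the IOS default
        elif cur and (m := re.match(r"\s+switchport access vlan (\d+)", line)):
            cfg["ports"][cur]["vlan"] = int(m.group(1))
        elif cur and re.match(r"\s+ip verify source", line):
            cfg["ports"][cur]["ipsg"] = True
        elif line == "!":
            cur = None
    return cfg


def parse_verify_source(text):
    """Map interface -> Filter-mode column from 'show ip verify source'."""
    modes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith(("Interface", "---")):
            modes[parts[0]] = parts[2]
    return modes


def audit(config_text, show_text):
    """Return a list of findings explaining why IPSG would not filter."""
    cfg = parse_config(config_text)
    modes = parse_verify_source(show_text)
    findings = []
    if not cfg["snooping_global"]:
        findings.append("DHCP snooping is not enabled globally; IPSG is inactive on every port")
    for iface, port in sorted(cfg["ports"].items()):
        if not port["ipsg"]:
            continue
        if port["vlan"] not in cfg["snooping_vlans"]:
            findings.append(f"{iface}: ip verify source configured but VLAN {port['vlan']} "
                            f"has no 'ip dhcp snooping vlan'; IPSG inactive")
        mode = modes.get(iface, "")
        if mode.startswith("inactive"):
            findings.append(f"{iface}: switch reports filter-mode '{mode}'")
    for mac, vlan, ip, iface in cfg["bindings"]:
        port = cfg["ports"].get(iface)
        if port is None or not port["ipsg"]:
            findings.append(f"static binding {ip}/{mac} on {iface}: port has no "
                            f"'ip verify source', so the binding is never enforced")
        elif port["vlan"] != vlan:
            findings.append(f"static binding {ip}/{mac} on {iface}: binding VLAN {vlan} "
                            f"differs from access VLAN {port['vlan']}")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, SHOW_VERIFY_SOURCE):
        print(finding)
```

Run against the constructed sample it reports three things: Fa0/6 sits in VLAN 101, which has no "ip dhcp snooping vlan" line, and the switch confirms that with "inactive-no-snooping-vlan"; and the Fa0/8 binding is dead weight because the port never had "ip verify source" applied. Feed it real "show running-config" and "show ip verify source" output and it will point at the same class of mistake before a host on the wrong address gets through.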
From: [email protected] [mailto:[email protected]]
On Behalf Of Kingsley Charles
Sent: Tuesday, June 05, 2012 9:01 PM
To: Mike Rojas
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3 can't be used
for DHCP snooping. Have you tested it? It can be only used for IPSG validation
not DHCP packet validation.
With regards
Kings
On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas
<[email protected]> wrote:
I made that mistake on the test, the question clearly said, make sure it
survives upon reload....
Mike
________________________________
Date: Tue, 5 Jun 2012 20:04:27 -0400
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
For the dhcp snooping I learned the hard way the difference between the two
commands.
The below command is done at exec level and the binding will be removed after a
reload:
3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3
The following is permanent and will not be removed from the config or binding
database after reboot:
3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3
Are you able to pick the difference between the two commands?
Hope this helps.
--
FNK
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com