2. I think this is more for 6500/4500 and maybe for 3750 platforms.

On 7 June 2012 12:11, Eugene Pefti <[email protected]> wrote:
> Nice info.
>
> Couple of moments.
>
> Don’t understand what ARP Attack tools have to do with SSH/SSL. See page 54.
>
> The general knowledge about RSA public/private key infrastructure is that the traffic between two hosts is encrypted and it is “unfeasible” to crack/brute force it.
>
> Second, I don’t know what switch platform was used by Yusuf (if it was Yusuf) to configure IPSG. On 3650 switch the interface command “ip verify source vlan dhcp-snooping” doesn’t exist.
>
> SW2(config-if)#ip verify source ?
>   port-security  port security
>   <cr>
>
> SW2(config-if)#ip verify source vlan dhcp-snooping
>                                 ^
> % Invalid input detected at '^' marker.
>
> Eugene
>
> From: Alexei Monastyrnyi [mailto:[email protected]]
> Sent: Wednesday, June 06, 2012 6:08 PM
> To: Eugene Pefti
> Cc: Kingsley Charles; Mike Rojas; [email protected]
> Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
>
> There is a nice presentation on this put together by Yusuf.
>
> http://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf
>
> check "building the layers" section
>
> A.
>
> On 7 June 2012 08:20, Eugene Pefti <[email protected]> wrote:
>
> I would say that IP source guard goes hand in hand with DHCP snooping.
>
> Cisco doc says (Catalyst 3650)
>
> “When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface”
>
> And then they start configuring IPSG with DHCP snooping as part of it.
>
> I tested it and my findings are that even if you have “ip source binding AAAA.BBBB.CCCC vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX” it is not active without DHCP snooping:
>
> SW2#show ip ver source interface Fa0/6
> Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
> ---------  -----------  -----------  ---------------  -----------------  ----------
> Fa0/6      ip           inactive-no-snooping-vlan
>
> I had a host obtain an IP address from the DHCP server different from the IP address used in “ip source binding” and was able to communicate.
>
> Once I enabled DHCP snooping globally and for the specific VLAN the IPSG feature became active and the host wasn’t able to communicate with others:
>
> SW2#sh ip verif source inter fa0/6
> Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
> ---------  -----------  -----------  ---------------  -----------------  ----------
> Fa0/6      ip           active       174.1.255.2                         102
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, June 05, 2012 9:01 PM
> To: Mike Rojas
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
>
> ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3 can't be used for DHCP snooping. Have you tested it? It can be only used for IPSG validation not DHCP packet validation.
>
> With regards
> Kings
>
> On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas <[email protected]> wrote:
>
> I made that mistake on the test, the question clearly said, make sure it survives upon reload....
>
> Mike
> ------------------------------
> Date: Tue, 5 Jun 2012 20:04:27 -0400
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
>
> For the dhcp snooping I learned the hard way the difference between the two commands.
>
> The below command is done at exec level and binding will be removed after a reload
>
> 3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3
>
> The following is permanent and will not be removed from the config or binding database after reboot
>
> 3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3
>
> Are you able to pick the difference between the two commands.
>
> Hope this helps.
>
> --
> FNK
>
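Added example (not from the thread or from Cisco): a small Python checker that parses the `show ip verify source` table quoted above and flags ports where IP Source Guard is configured but not enforcing, which is exactly what Eugene's before/after captures show. The `inactive-trust-port` mode is assumed from Cisco documentation; only the `inactive-no-snooping-vlan` case appears in the thread.

```python
import re

# Constructed samples: the two "show ip verify source" captures quoted in the thread.
BEFORE_SNOOPING = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan
"""
AFTER_SNOOPING = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       174.1.255.2                         102
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
# Why a non-"active" filter mode means no enforcement ("inactive-trust-port" is
# assumed from Cisco documentation; only the no-snooping-vlan case is in the thread).
INACTIVE_REASONS = {
    "inactive-no-snooping-vlan": "DHCP snooping not enabled on the access VLAN; "
                                 "static 'ip source binding' entries are not applied",
    "inactive-trust-port": "port is DHCP-snooping trusted, so IPSG does not filter it",
}

def parse_ip_verify_source(output):
    """Parse the table into dicts; optional IP/MAC/VLAN cells are classified by shape."""
    rows = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or "#" in tokens[0] or tokens[0].startswith(("Interface", "---")):
            continue  # skip prompt echo, header and separator lines
        row = {"interface": tokens[0], "filter_type": tokens[1],
               "filter_mode": tokens[2], "ip": None, "mac": None, "vlan": None}
        for tok in tokens[3:]:
            if IPV4.match(tok):
                row["ip"] = tok
            elif MAC.match(tok):
                row["mac"] = tok
            elif tok.isdigit():
                row["vlan"] = int(tok)
        rows.append(row)
    return rows

def ipsg_findings(output):
    """(interface, filter_mode, reason) for each port where IPSG is configured
    but not enforcing, e.g. before DHCP snooping is enabled on the VLAN."""
    return [(r["interface"], r["filter_mode"],
             INACTIVE_REASONS.get(r["filter_mode"], "filter not active"))
            for r in parse_ip_verify_source(output) if r["filter_mode"] != "active"]
```

Run it over the output of every access switch after configuring static `ip source binding` entries: any port reported as `inactive-no-snooping-vlan` is one where the binding is not actually being enforced.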
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
