With *ip verify source port-security*, always have the option enabled, else the DHCP packet from the DHCP server will never find its way to the client.
With regards,
Kings

On Sun, Jun 24, 2012 at 7:36 AM, Eugene Pefti <[email protected]> wrote:

> Hello Ernesto,
>
> I just remembered someone posted this question here recently about option 82 use in various scenarios and wanted to comment on it as I ran into a similar situation even though this topic was extensively discussed here and join to your curiosity. First my understanding about this option (mostly as a gotcha) is as follows:
>
> A switch performing DHCP Snooping inserts by default the Option 82 into the DHCP messages from clients. However, each DHCP message contains a field called GIADDR where the IP address of the possible relay agent may be recorded if the DHCP message was relayed. Naturally, when a DHCP message passes through a DHCP Snooping switch, it is not relayed (i.e. taken from one VLAN and switched into another), so an access switch does not modify the GIADDR field which remains set to 0.0.0.0. However, at least the Cisco DHCP Server performs a sanity check on received DHCP messages and it drops DHCP messages that contain the Option 82 but whose GIADDR field is set to 0.0.0.0.
>
> Moreover, the Option 82 is inserted by the access switches performing the DHCP Snooping and it contains two important parts:
>
> 1) The Circuit ID that identifies the port to which the client is connected (the VLAN and the physical port location in a switch)
> 2) The Remote ID that identifies the access switch to which the client is connected (by the MAC address of the switch)
>
> So, having said that we have three different scenarios:
>
> 1) IP Source guard IP/MAC checking which is on page 74 of Yusuf's security presentation. It doesn't say anything about the DHCP server support of option 82 at all. If we read the Cisco guide on IPSG
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425
> we can find this Note:
>
> "When you enable both IP Source Guard and Port Security (exactly as in our first scenario), using the ip verify source port-security interface configuration command, there are two caveats:
> The DHCP server must support option 82, or the client is not assigned an IP address."
>
> So, my understanding here is that if we don't know anything about the DHCP server support for option 82 we'd better disable this option on the access-layer switch. But Yusuf leaves it enabled!
>
> 2) IP Source guard IP checking only. It's mostly an opposite to what is said above. We don't have *ip verify source port-security* and I would like to know why we have to disable this option.
>
> 3) DAI scenario. Since DAI is heavily dependent on DHCP snooping and having option 82 disabled is a recommendation for DHCP snooping then I'd understand that it is also disabled for DAI. Correct me here if I'm wrong.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ernesto Gonzalez
> Sent: Tuesday, June 19, 2012 9:48 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] no ip dhcp snooping information option
>
> This is the Yusuf L2 attack presentation I am referring to:
>
> http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
>
> --
> Ernesto Gonzalez G.
>
> On Tue, Jun 19, 2012 at 10:20 AM, Ernesto González <[email protected]> wrote:
>
> Good day guys,
>
> I was looking for some clarification on when the "no ip dhcp snooping information option" command is required (to get task points) and when it isn't.
>
> There are two workarounds to the option 82 issue:
>
> 1. no ip dhcp snooping information option - SW
> 2. a. (globally) ip dhcp relay information trust-all - IOS DHCP Server
>    b. (interface) ip dhcp relay information trusted - IOS DHCP Server
>
> Now the scenarios:
>
> Scenario#1 - IPSG
>
> *NO ip dhcp snooping information option* - REQUIRED per Yusuf ex 8.4 Lab # 2 and Yusuf L2 Security presentation page 74
>
> Scenario#2 - IPSG + mac-address validation (port-security)
>
> *ip dhcp snooping information option* - REQUIRED per http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425 and Yusuf L2 Security presentation page 74
> *ip dhcp relay information trusted* - REQUIRED
>
> Scenario#3 - DAI
>
> *NO ip dhcp snooping information option* - REQUIRED per Yusuf L2 Security presentation page 59
>
> Are these correct? Am I missing anything?
>
> Thanks for your assistance!!!
>
> --
> Ernesto Gonzalez G.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
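As an added example that is not part of the thread: a small Python model of the server-side sanity check Eugene describes (option 82 present but GIADDR still 0.0.0.0 is dropped) and of the trust-all workaround Ernesto lists, so the failure mode can be reproduced offline. The DHCP header layout and the option 82 sub-option codes (1 = Circuit ID, 2 = Remote ID) are the standard ones; the sample Circuit ID and Remote ID values are constructed, and the acceptance logic models the behaviour described in the thread rather than any IOS code.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes


def parse_dhcp(packet: bytes) -> dict:
    """Return giaddr and the option 82 sub-options (if any) of a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = IPv4Address(packet[24:28])  # fixed BOOTP header offset of giaddr
    options, i, relay_info = packet[240:], 0, None
    while i < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:
            i += 1
            continue
        code, length = options[i], options[i + 1]
        data = options[i + 2:i + 2 + length]
        if code == OPT_RELAY_AGENT:  # walk the sub-option TLVs inside option 82
            relay_info, j = {}, 0
            while j < len(data):
                sub, sublen = data[j], data[j + 1]
                relay_info[sub] = data[j + 2:j + 2 + sublen]
                j += 2 + sublen
        i += 2 + length
    return {"giaddr": giaddr, "relay_info": relay_info}


def server_accepts(packet: bytes, trust_all: bool = False) -> bool:
    """Model of the check from the thread: option 82 with giaddr 0.0.0.0 is dropped
    unless the server trusts it (the 'ip dhcp relay information trust-all' case)."""
    p = parse_dhcp(packet)
    if p["relay_info"] is not None and p["giaddr"] == IPv4Address("0.0.0.0"):
        return trust_all
    return True


def build_discover(giaddr: str, circuit_id: bytes = b"", remote_id: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER (not a capture): a snooping switch leaves giaddr at
    0.0.0.0 and appends option 82; a real relay agent sets giaddr to its own address."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op .. flags
    hdr += bytes(12) + IPv4Address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10 + 64 + 128)  # chaddr, sname, file
    opts = bytes([53, 1, 1])  # DHCP message type = DISCOVER
    sub = b""
    if circuit_id:
        sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if sub:
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Running `server_accepts` over a snooped DISCOVER (giaddr 0.0.0.0 plus option 82) returns False, which is the "client never gets an address" symptom; the same message with `trust_all=True`, or a message from a real relay with a non-zero giaddr, is accepted.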
