It sounds like a dogma, Kings. Can you please elaborate why?

Sent from iPhone

On Jun 24, 2012, at 12:05 AM, "Kingsley Charles" <[email protected]> wrote:

With ip verify source port-security, always have the option enabled, else the DHCP packet from the DHCP server will never find its way to the client.

With regards
Kings

On Sun, Jun 24, 2012 at 7:36 AM, Eugene Pefti <[email protected]> wrote:

Hello Ernesto,

I just remembered someone posted this question here recently about option 82 use in various scenarios and wanted to comment on it, as I ran into a similar situation even though this topic was extensively discussed here, and join you in your curiosity.

First, my understanding about this option (mostly as a gotcha) is as follows:

A switch performing DHCP Snooping inserts by default the Option 82 into the DHCP messages from clients. However, each DHCP message contains a field called GIADDR where the IP address of the possible relay agent may be recorded if the DHCP message was relayed. Naturally, when a DHCP message passes through a DHCP Snooping switch, it is not relayed (i.e. taken from one VLAN and switched into another), so an access switch does not modify the GIADDR field, which remains set to 0.0.0.0. However, at least the Cisco DHCP Server performs a sanity check on received DHCP messages and it drops DHCP messages that contain the Option 82 but whose GIADDR field is set to 0.0.0.0.

Moreover, the Option 82 is inserted by the access switches performing the DHCP Snooping and it contains two important parts:
1) The Circuit ID that identifies the port to which the client is connected (the VLAN and the physical port location in a switch)
2) The Remote ID that identifies the access switch to which the client is connected (by the MAC address of the switch)

So, having said that, we have three different scenarios:

1) IP Source Guard IP/MAC checking, which is on page 74 of Yusuf’s security presentation. It doesn’t say anything about the DHCP server support of option 82 at all. If we read the Cisco guide on IPSG (http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425) we can find this Note: "When you enable both IP Source Guard and Port Security (exactly as in our first scenario), using the ip verify source port-security interface configuration command, there are two caveats: The DHCP server must support option 82, or the client is not assigned an IP address." So, my understanding here is that if we don’t know anything about the DHCP server support for option 82, we’d better disable this option on the access-layer switch. But Yusuf leaves it enabled!

2) IP Source Guard IP checking only. It’s mostly the opposite of what is said above. We don’t have ip verify source port-security, and I would like to know why we have to disable this option.

3) DAI scenario. Since DAI is heavily dependent on DHCP snooping, and having option 82 disabled is a recommendation for DHCP snooping, then I’d understand that it is also disabled for DAI. Correct me here if I’m wrong.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Ernesto Gonzalez
Sent: Tuesday, June 19, 2012 9:48 AM
To: [email protected]
Subject: [OSL | CCIE_Security] no ip dhcp snooping information option

This is the Yusuf L2 attack presentation I am referring to:
http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf

--
Ernesto Gonzalez G.

On Tue, Jun 19, 2012 at 10:20 AM, Ernesto González <[email protected]> wrote:

Good day guys,

I was looking for some clarification on when the "no ip dhcp snooping information option" command is required (to get task points) and when it isn't.

There are two workarounds to the option 82 issue:
1. no ip dhcp snooping information option - SW
2. a. (globally) ip dhcp relay information trust-all - IOS DHCP Server
   b. (interface) ip dhcp relay information trusted - IOS DHCP Server

Now the scenarios:

Scenario#1 - IPSG
NO ip dhcp snooping information option - REQUIRED per Yusuf ex 8.4 Lab # 2 and Yusuf L2 Security presentation page 74

Scenario#2 - IPSG + mac-address validation (port-security)
ip dhcp snooping information option - REQUIRED per http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425 and Yusuf L2 Security presentation page 74
ip dhcp relay information trusted - REQUIRED

Scenario#3 - DAI
NO ip dhcp snooping information option - REQUIRED per Yusuf L2 Security presentation page 59

Are these correct? Am I missing anything?

Thanks for your assistance!!!

--
Ernesto Gonzalez G.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
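The GIADDR / Option 82 sanity check that Eugene describes, and the "ip dhcp relay information trusted" workaround Ernesto lists, as an added example in Python that is not part of the thread: it builds a constructed DHCPDISCOVER (not a real capture; the Circuit ID and Remote ID bytes are made up), decodes the Option 82 sub-options, and models the server's decision to drop a message that carries Option 82 while GIADDR is still 0.0.0.0 unless the ingress interface is trusted.

```python
import struct

OPT82, SUB_CIRCUIT_ID, SUB_REMOTE_ID = 82, 1, 2   # RFC 3046 option and sub-option codes
COOKIE = b"\x63\x82\x53\x63"                       # DHCP magic cookie

def build_discover(giaddr="0.0.0.0", circuit_id=None, remote_id=None):
    """Constructed DHCPDISCOVER (not a capture): 236-byte BOOTP header, cookie,
    option 53 = DISCOVER, optional Option 82 as a snooping switch would add it."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, bytes(map(int, giaddr.split("."))),
                      b"\xaa\xbb\xcc\xdd\xee\xff", b"", b"")
    opts = bytes([53, 1, 1])
    if circuit_id is not None:
        sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
        opts += bytes([OPT82, len(sub)]) + sub
    return hdr + COOKIE + opts + b"\xff"

def parse_tlv(blob):
    """Walk code/length/value options into {code: value}; honours pad (0) and end (255)."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:
            i += 1
            continue
        code, ln = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return out

def parse_dhcp(pkt):
    """Return (giaddr as dotted quad, Option 82 sub-options or None)."""
    if pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ".".join(str(b) for b in pkt[24:28])
    opts = parse_tlv(pkt[240:])
    relay = parse_tlv(opts[OPT82]) if OPT82 in opts else None
    return giaddr, relay

def server_accepts(pkt, interface_trusted=False):
    """Option 82 present while giaddr is still 0.0.0.0 means the option was
    inserted by a snooping switch rather than a relay; the server drops such a
    message unless the ingress interface is configured as trusted."""
    giaddr, relay = parse_dhcp(pkt)
    if relay is not None and giaddr == "0.0.0.0":
        return interface_trusted
    return True
```

Disabling the option on the switch (no ip dhcp snooping information option) corresponds to calling build_discover() without circuit_id/remote_id; the trusted-interface workaround corresponds to interface_trusted=True.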
