One of the most secure methods of protecting layer two is IP source guard with MAC verification. IP source guard works in conjunction with port security and DHCP snooping to drop all ingress traffic whose source IP and MAC do not match the entry recorded for that port in the DHCP snooping binding database. (This article only discusses IP source guard with MAC verification; port security and option 82 are not necessary if you are not using MAC verification.)

When a client first connects to a port protected by IP source guard, only DHCP client messages (discover and request) are allowed; everything else is dropped. An important point to keep in mind is that at this stage no traffic, DHCP included, causes the switch to add a CAM table entry for the client. When the DHCP server responds with an offer the switch therefore does not know which port to send it out, and because DHCP snooping does not flood server replies out all ports when there is no CAM entry, the offer is dropped. To get around this, DHCP option 82 (Relay Agent Information, RFC 3046) is necessary.

Option 82 is a frequently misunderstood option, probably because, unlike most other options, it is not set by the DHCP server; it is inserted by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two TLV (type, length, value) sub-options, the circuit ID and the remote ID. The contents of these fields are up to the vendor; the default on Cisco switches is to use the circuit ID to record the VLAN, module, and port of the interface the request arrived on, and the remote ID to carry the switch's own MAC address. When DHCP snooping is enabled you can view the option 82 configuration with 'show ip dhcp snooping', as seen below.

    Switch#show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    1
    DHCP snooping is operational on following VLANs:
    1
    DHCP snooping is configured on the following L3 Interfaces:

    Insertion of option 82 is enabled
       circuit-id default format: vlan-mod-port
       remote-id: 000d.2818.cd00 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:

    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
    FastEthernet1/0/11         yes        yes             unlimited
      Custom circuit-ids:

When a DHCP packet is received on an untrusted port the switch adds the option 82 information and sends it on its way; if the packet already carries option 82 it is dropped (this behavior can be changed with the 'ip dhcp snooping information option allow-untrusted' command). When the DHCP server receives the discover it is expected to echo option 82 back unchanged in its offer. Unfortunately not all DHCP servers do this; the most glaring example is Microsoft's DHCP server, which (at least in the versions current when this was written) simply ignores option 82. Assuming the server does support option 82 and returns the offer with the information intact, the switch first determines whether it was the originator of the option 82 data by checking that the MAC address in the remote ID matches its own, then reads the VLAN, module, and port from the circuit ID to find the port the packet should be sent out, strips option 82 from the packet, and forwards it out that port. The same process occurs for the request and ack half of the exchange. If the offer comes back from the DHCP server without the option 82 information, the switch cannot determine where the packet should go and drops it.
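To make the option 82 round trip concrete, here is an added example (my own code, not from the original article or Cisco) that models the three things the switch does: insert option 82 on an untrusted client port, drop a client-supplied option 82, and on the trusted server port validate the remote ID against its own MAC, recover the egress port from the circuit ID and strip the option. The byte layout follows the Cisco default vlan-mod-port / MAC formats shown in the 'show ip dhcp snooping' output above (18 bytes total). The {code: value} dicts stand in for the DHCP options field, all packets are constructed rather than captured, and treating a foreign remote ID as a drop is an assumption of the model.

```python
"""Added example, not code from the original article: a small model of how a
Cisco-style switch inserts, validates and strips DHCP option 82 (RFC 3046).
The byte layout follows the default vlan-mod-port circuit-id and MAC remote-id
formats described above; every packet here is constructed, not captured."""
import struct

OPT_RELAY_AGENT = 82   # DHCP option code for Relay Agent Information
SUB_CIRCUIT_ID = 1     # sub-option: where the request came in
SUB_REMOTE_ID = 2      # sub-option: who inserted it (switch MAC)


class Drop(Exception):
    """The modelled switch discards the packet; the message is the reason."""


def parse_mac(mac):
    """Accept 000d.2818.cd00, 00:0d:28:18:cd:00 or 00-0d-... and return 6 bytes."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def build_option82(vlan, module, port, switch_mac):
    """Cisco default encoding (18 bytes in total):
       circuit-id sub-option 1, value = 00 04 <vlan:2> <module:1> <port:1>
       remote-id  sub-option 2, value = 00 06 <switch MAC:6>"""
    circuit_id = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([0, 6]) + parse_mac(switch_mac)
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(body):
    """Walk the sub-option TLVs; a truncated TLV is a malformed packet."""
    subs, i = {}, 0
    while i + 2 <= len(body):
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise Drop("truncated option 82 sub-option")
        subs[code] = value
        i += 2 + length
    return subs


def client_to_server(options, vlan, module, port, switch_mac, allow_untrusted=False):
    """DHCP client message arriving on an untrusted port. `options` is a
    {code: value} dict standing in for the DHCP options field."""
    if OPT_RELAY_AGENT in options and not allow_untrusted:
        # default: a client must not be able to pre-load its own option 82
        raise Drop("option 82 already present on untrusted port")
    out = dict(options)
    out[OPT_RELAY_AGENT] = build_option82(vlan, module, port, switch_mac)
    return out


def server_to_client(options, switch_mac):
    """DHCP reply arriving on the trusted server port. Returns
    (vlan, module, port, options with option 82 stripped) or raises Drop."""
    if OPT_RELAY_AGENT not in options:
        raise Drop("no option 82 in reply: client MAC not in CAM yet, egress port unknown")
    subs = parse_option82(options[OPT_RELAY_AGENT])
    remote = subs.get(SUB_REMOTE_ID, b"")
    if remote[:2] != bytes([0, 6]) or remote[2:] != parse_mac(switch_mac):
        # Assumption of this model: a remote-id that is not ours is a drop.
        raise Drop("remote-id is not this switch's MAC; option 82 was not inserted here")
    circuit = subs.get(SUB_CIRCUIT_ID, b"")
    if circuit[:2] != bytes([0, 4]) or len(circuit) != 6:
        raise Drop("circuit-id is not in vlan-mod-port format")
    vlan, module, port = struct.unpack("!HBB", circuit[2:])
    stripped = {k: v for k, v in options.items() if k != OPT_RELAY_AGENT}
    return vlan, module, port, stripped


def demo(switch_mac="000d.2818.cd00"):
    """Run the exchanges the text describes and report the outcome of each."""
    results = {}
    discover = {53: b"\x01"}                                  # message type: DISCOVER
    tagged = client_to_server(discover, 1, 0, 12, switch_mac)  # Fa1/0/12, VLAN 1

    # 1. server that echoes option 82 (RFC 3046 behaviour): offer reaches port 12
    offer = {53: b"\x02", OPT_RELAY_AGENT: tagged[OPT_RELAY_AGENT]}
    results["echoing_server"] = server_to_client(offer, switch_mac)[:3]

    # 2. server that strips option 82 (the Microsoft case in the text): offer dropped
    try:
        server_to_client({53: b"\x02"}, switch_mac)
    except Drop as e:
        results["silent_server"] = str(e)

    # 3. client trying to smuggle its own option 82 through an untrusted port
    forged = {53: b"\x01", OPT_RELAY_AGENT: build_option82(1, 0, 11, switch_mac)}
    try:
        client_to_server(forged, 1, 0, 12, switch_mac)
    except Drop as e:
        results["forged_option82"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the one to keep in mind when troubleshooting: with MAC verification the symptom of a server that does not echo option 82 is a client that never gets an address, and 'show ip dhcp snooping binding' stays empty for that port.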

Once the DHCP negotiation is complete the switch adds the IP-to-MAC mapping to the DHCP snooping binding table, and the MAC address becomes eligible to be added to port security and the CAM table. Note that the MAC address is not added by the DHCP snooping process itself; additional traffic from the client must arrive before it is learned.

Now that we know how IP source guard works, let's get to the configuration.

  1. Configure the port connected to the DHCP server as trusted.

     Switch(config)#int fa1/0/11
     Switch(config-if)#ip dhcp snooping trust
     Switch(config-if)#exit
    
  2. Enable DHCP snooping globally and on the client VLAN. (Insertion of option 82, 'ip dhcp snooping information option', is on by default once snooping is enabled and is required for MAC verification.)

     Switch(config)#ip dhcp snooping
     Switch(config)#ip dhcp snooping vlan 1
    
  3. Configure the client-facing interface as an access port.

     Switch(config)#int fa1/0/12
     Switch(config-if)#switchport mode access
    
  4. Enable port security on the interface. (For more details on port security see my CAM Table Overflow Attack article.)

     Switch(config-if)#switchport port-security
    
  5. Enable IP source guard with MAC verification.

     Switch(config-if)#ip verify source port-security
    

We can verify the configuration with the following commands:

  • As seen above, 'show ip dhcp snooping' shows which VLANs snooping is enabled for, the option 82 parameters, and which interfaces are configured as trusted.

  • show ip dhcp snooping binding will display the current bindings for each interface.

      Switch#show ip dhcp snooping binding
      MacAddress          IpAddress        Lease(sec)  Type            VLAN  Interface
      ------------------  ---------------  ----------  --------------  ----  --------------------
      00:24:81:68:7F:A3   10.0.0.10        598         dhcp-snooping   1     FastEthernet1/0/12
      Total number of bindings: 1
    
  • Use 'show port-security' for a summary of all secured ports, or 'show port-security interface [interface]' to see the port security configuration for a particular interface.

    Switch#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
       Fa1/0/12              1            1                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 12288
    
  • show ip verify source displays the status of each port with IP source guard enabled.

    Switch#show ip verify source
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
    ---------  -----------  -----------  ---------------  -----------------  ----
    Fa1/0/12   ip-mac       active       10.0.0.10        00:24:81:68:7F:A3  1
    

We're all done with the configuration, but what exactly are we protected against? Pretty much any attack that relies on the ability to spoof the source IP or MAC address: CAM overflow, CAM table poisoning, and DHCP exhaustion (starvation), to name a few. ARP poisoning is not on that list (correction to the original text: ARP is not IP traffic, so IP source guard does not inspect it; blocking spoofed ARP takes dynamic ARP inspection, which can use the same DHCP snooping bindings). DHCP snooping on its own also protects against rogue DHCP servers, since server messages arriving on untrusted ports are dropped.
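The closing paragraph is easier to reason about with the per-port decision written out. The following is an added example (my own code, not from the original article or from Cisco) that models what IP source guard permits or denies on Fa1/0/12 given the one binding from the 'show ip dhcp snooping binding' output above, in both the 'ip' and the 'ip-mac' filter types from 'show ip verify source'. The frames are constructed, and the model deliberately covers only what IPSG itself checks: port security's reaction to an unknown MAC and DAI's inspection of ARP bodies are out of scope here.

```python
"""Added example, not code from the original article: a model of the ingress
decision IP source guard makes on a client port, in 'ip' mode and in 'ip-mac'
(port-security) mode, using the single binding shown earlier in the article.
All frames below are constructed; nothing is captured from a real switch."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding'."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Frame:
    """The fields of an ingress frame that source guard cares about."""
    interface: str
    vlan: int
    src_mac: str
    ethertype: str                      # "ip" or "arp"
    src_ip: Optional[str] = None        # IP header source (None for non-IP)
    udp_dst: Optional[int] = None       # 67 for DHCP client -> server traffic
    arp_sender_ip: Optional[str] = None  # inside the ARP body; IPSG never reads it


# The binding from the article's 'show ip dhcp snooping binding' output.
BINDINGS = (Binding("00:24:81:68:7f:a3", "10.0.0.10", 1, "Fa1/0/12"),)


def source_guard(frame, mode, bindings=BINDINGS):
    """Return ("permit" | "deny", reason). `mode` is the Filter-type column of
    'show ip verify source': "ip" checks the source IP only, "ip-mac" also
    requires the source MAC to match the binding."""
    if frame.ethertype != "ip":
        # IPSG filters IP packets only; ARP bodies are never compared against
        # the binding table (that is dynamic ARP inspection's job).
        return "permit", "non-IP frame, not inspected by IP source guard"
    if frame.udp_dst == 67:
        # DHCP client traffic must pass or no host could ever get a binding.
        return "permit", "DHCP client message, always allowed"
    for b in bindings:
        if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.src_ip):
            continue
        if mode == "ip" or b.mac == frame.src_mac.lower():
            return "permit", "source matches DHCP snooping binding"
        return "deny", "source IP is bound but the source MAC is not (ip-mac mode)"
    return "deny", "no binding for this source IP on this port/VLAN"


def run_scenarios(mode):
    """Verdicts for the cases the closing paragraph mentions, keyed by name."""
    port, vlan, host_mac, host_ip = "Fa1/0/12", 1, "00:24:81:68:7f:a3", "10.0.0.10"
    frames = {
        "legit_host":       Frame(port, vlan, host_mac, "ip", host_ip),
        "ip_spoof":         Frame(port, vlan, host_mac, "ip", "10.0.0.99"),
        "mac_spoof":        Frame(port, vlan, "00:11:22:33:44:55", "ip", host_ip),
        "new_host_dhcp":    Frame(port, vlan, "00:11:22:33:44:55", "ip", "0.0.0.0", 67),
        # ARP reply claiming the gateway's IP: passes IPSG in both modes
        "arp_sender_spoof": Frame(port, vlan, host_mac, "arp", arp_sender_ip="10.0.0.1"),
    }
    return {name: source_guard(f, mode)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for mode in ("ip", "ip-mac"):
        print(mode, run_scenarios(mode))
```

The two rows that differ between the modes are the point of the article: "mac_spoof" is permitted with plain 'ip verify source' and denied with 'ip verify source port-security', while "arp_sender_spoof" is permitted in both, which is why the correction about ARP poisoning above matters.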