Layer 2 Security:LAB

DHCP Snooping, Dynamic ARP inspection, Port Security

Exercise 4 – Configuring Layer 2 Security Features

Sometimes a network carries traffic that is malicious but cannot be filtered with an access-list. For example, if clients are configured to obtain an IP address dynamically from a DHCP server, there is a risk that an attacker sets up a rogue DHCP server and hands a client a lease that names the attacker's own IP address as the default gateway. The client's network traffic would then travel directly to the attacker.

Layer 2 security features add protection at layer 2 itself: the switch can police DHCP traffic and shield your users from rogue DHCP servers. This is called DHCP snooping.

You can also filter MAC addresses per switchport and prevent unauthorized PCs from getting access to the network.

In this exercise, you will learn how to configure different layer 2 security features.

Learning Outcomes

After completing this exercise, you will be able to:

  • Configure DHCP Snooping
  • Configure Dynamic ARP Inspection
  • Configure Port Security

Task 1 – Configuring DHCP Snooping

When a DHCP client wants to obtain an IP address, it broadcasts a DHCP discover message asking any DHCP server for an offer. A server that receives the discover replies with an offer message that contains an actual IP address. The client accepts the first offer by sending a DHCP request message back to that server.

When you enable DHCP snooping on your switch, you are telling the switch to track DHCP discover and DHCP offer messages. All interfaces start in an untrusted state, which means the switch drops DHCP server messages (offers) arriving on them. If you leave it like this, you will also block the legitimate DHCP server on your network. You therefore need to trust the interface where your DHCP server is connected and also configure all uplinks to other switches as trusted. In this task, you will configure NYCORE2 as a DHCP client and NYWAN1 as a DHCP server, and enable DHCP snooping on NYCORE1.
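The trust/untrust rule described above, modelled in Python as an added example (this is not part of the lab or of IOS). Port names, the client MAC 10bd.18e1.a141 and the lease 192.168.16.200 are taken from the lab outputs; the message sequence itself is constructed. It shows why the offer is dropped before Step 5 and how the binding that DAI later relies on comes into existence:

```python
"""DHCP snooping forwarding model (added example, not lab code).

On a VLAN where snooping is enabled, DHCP server messages (OFFER/ACK/NAK)
are dropped on untrusted ports and forwarded on trusted ones, and a binding
(MAC, IP, VLAN, client port) is recorded when a trusted server ACKs a client
that asked on an untrusted port.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                  # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingSwitch:
    snooping_vlans: set                                  # 'ip dhcp snooping vlan N'
    trusted_ports: set = field(default_factory=set)      # 'ip dhcp snooping trust'
    bindings: dict = field(default_factory=dict)         # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)          # (vlan, mac) -> port the client asked on

    def trust(self, port: str) -> None:
        self.trusted_ports.add(port)

    def handle(self, port: str, vlan: int, msg: str, client_mac: str,
               yiaddr: str = "") -> str:
        """Return 'forward' or 'drop' for one DHCP message seen on `port`."""
        if vlan not in self.snooping_vlans:
            return "forward"                             # snooping not enabled on this VLAN
        if msg in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                return "drop"                            # rogue-server protection
            if msg == "ACK" and (vlan, client_mac) in self.pending:
                client_port = self.pending.pop((vlan, client_mac))
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return "forward"
        if msg in CLIENT_MESSAGES:
            if port not in self.trusted_ports:
                self.pending[(vlan, client_mac)] = port  # remember where the client lives
            return "forward"
        return "drop"                                    # not a DHCP message type we know


def lab_scenario() -> dict:
    """Replay Task 1: NYWAN1 (server) on Fa1/0/2, NYCORE2 (client) on Fa1/0/23."""
    sw = SnoopingSwitch(snooping_vlans={1})
    client = "10bd.18e1.a141"                            # NYCORE2 Fa1/0/23, from the lab output
    # Steps 3-4: snooping on, no port trusted yet, so the server's offer is dropped
    sw.handle("Fa1/0/23", 1, "DISCOVER", client)
    offer_before = sw.handle("Fa1/0/2", 1, "OFFER", client, "192.168.16.200")
    # Step 5: trust the server port; the client retries and the exchange completes
    sw.trust("Fa1/0/2")
    sw.handle("Fa1/0/23", 1, "DISCOVER", client)
    sw.handle("Fa1/0/2", 1, "OFFER", client, "192.168.16.200")
    sw.handle("Fa1/0/23", 1, "REQUEST", client)
    ack_after = sw.handle("Fa1/0/2", 1, "ACK", client, "192.168.16.200")
    return {"offer_before_trust": offer_before, "ack_after_trust": ack_after,
            "bindings": sw.bindings}


if __name__ == "__main__":
    for key, value in lab_scenario().items():
        print(key, value)
```

Running it prints `drop` for the offer seen before the server port is trusted and `forward` afterwards, and the resulting binding records the client's own port (Fa1/0/23), not the server's: that is the entry `show ip dhcp snooping binding` displays in Task 2.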

Step 1

Connect to NYCORE1 and enable DHCP snooping globally as well as for all VLANs (in our case, we only have VLAN1).

Type the following commands (press Enter after each command):

NYCORE1# configure terminal
NYCORE1(config)# ip dhcp snooping
NYCORE1(config)# ip dhcp snooping vlan 1
NYCORE1(config)# no ip dhcp snooping information option

You will see the following output:

NYCORE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYCORE1(config)#ip dhcp snooping
NYCORE1(config)#ip dhcp snooping vlan 1
NYCORE1(config)#no ip dhcp snooping information option
NYCORE1(config)#

Note:

By default, DHCP snooping inserts option 82 (relay agent information) into the DHCP discover message before forwarding it to the DHCP server, and the DHCP server then drops those packets. You need to disable this feature on the switch.

My Output:

Step 2

Connect to NYWAN1 and configure it as a DHCP server. You will make the server assign IP addresses between the range 192.168.16.200 – 192.168.16.254.

Type the following commands (press Enter after each command):

NYWAN1# configure terminal
NYWAN1(config)# ip dhcp excluded-address 192.168.16.1 192.168.16.199
NYWAN1(config)# ip dhcp pool POOL
NYWAN1(dhcp-config)# network 192.168.16.0 255.255.255.0
NYWAN1(dhcp-config)# default-router 192.168.16.1
NYWAN1(dhcp-config)# exit
NYWAN1(config)# exit

You will see the following output:

NYWAN1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYWAN1(config)#ip dhcp excluded-address 192.168.16.1 192.168.16.199
NYWAN1(config)#ip dhcp pool POOL
NYWAN1(dhcp-config)#network 192.168.16.0 255.255.255.0
NYWAN1(dhcp-config)#default-router 192.168.16.1
NYWAN1(dhcp-config)#exit
NYWAN1(config)#exit
NYWAN1#

My Output:

Step 3

Connect to NYCORE2 and configure port Fa1/0/23 as a routed port. You will also configure it as a DHCP client.

Type the following commands (press Enter after each command):

NYCORE2# configure terminal
NYCORE2(config)# interface fastethernet1/0/23
NYCORE2(config-if)# no switchport
NYCORE2(config-if)# ip address dhcp
NYCORE2(config-if)# no shutdown
NYCORE2(config-if)# exit
NYCORE2(config)# exit

You will see the following output:

NYCORE2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYCORE2(config)#interface fastethernet1/0/23
NYCORE2(config-if)#no switchport
NYCORE2(config-if)#ip address dhcp
NYCORE2(config-if)#no shutdown
NYCORE2(config-if)#exit
NYCORE2(config)#exit
NYCORE2#

My Output:

Step 4

You will now verify if the port has received the IP address. To do this, type the following command:

NYCORE2# show interface fastethernet1/0/23

Press Enter.

You will see the following output:

NYCORE2#show interface fastethernet1/0/23
FastEthernet1/0/23 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 10bd.18e1.a141 (bia 10bd.18e1.a141)
  Internet address will be negotiated using DHCP
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
<------Output Omitted ------->
NYCORE2#

My Output:

Notice from the above output that the port has not received an IP address yet: every port on NYCORE1 is still untrusted, so the DHCP offer from NYWAN1 is being dropped.

Step 5

You will now configure the port where your DHCP server is connected as trusted.

Connect to NYCORE1 and type the following commands (press Enter after each command):

NYCORE1(config)# interface fastethernet1/0/2
NYCORE1(config-if)# ip dhcp snooping trust
NYCORE1(config-if)# exit
NYCORE1(config)# exit

You will see the following output:

NYCORE1(config)#interface fastethernet1/0/2
NYCORE1(config-if)#ip dhcp snooping trust
NYCORE1(config-if)#exit
NYCORE1(config)#exit
NYCORE1#

My Output:

Step 6

Now verify if the client has received an IP address.

Connect to NYCORE2 and type the following command:

NYCORE2# show interface fastethernet1/0/23

Press Enter.

You will see the following output:

NYCORE2#show interface fastethernet1/0/23
FastEthernet1/0/23 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 10bd.18e1.a141 (bia 10bd.18e1.a141)
Internet address is 192.168.16.200/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
<------Output Omitted ------->
NYCORE2#

Notice that once you tell the switch to trust the port where the DHCP server is connected, the client obtains an IP address.

APPLIED CONFIGS FROM STEP 3 ONWARDS ON NYCORE1 INSTEAD OF NYCORE2, TIME TO RESOLVE

First I will see if I can apply the same configurations to NYCORE2 without creating any issues.

Step 3:

Step 4:

Note it says "Internet address will be negotiated using DHCP", a good sign; let's see if we can get one assigned.

Step 5?:

NYCORE1 has an IP address but NYCORE2 still does not; perhaps I need to tell NYCORE to trust the port towards NYCORE1?

Still no luck. After reviewing previous steps I noticed we have issued no switchport on NYCORE1; let's rectify that…

Check on NYCORE2

SUCCESS! NYCORE2 has received its IP address from the DHCP server. Lesson learnt: read closely, it saves time.

Task 2 – Configuring Dynamic ARP Inspection (DAI)

DAI is another layer 2 security feature that protects the switch from attacks such as ARP poisoning. It inspects every ARP packet received on an untrusted interface and compares the sender MAC and IP address against the DHCP snooping binding database. If the information does not match, the packet is dropped. In this task, you will configure an IP address on the NYACCESS1 switch. You will use the same IP address that the DHCP server assigned to NYCORE2 in the previous task. You will then try to ping the DHCP server (the NYWAN1 router) from a MAC address that is different from the one NYCORE1 has recorded for that IP in its DHCP snooping database.

Step 1

First, you will check the DHCP snooping database on NYCORE1.

Connect to NYCORE1 and type the following command:

NYCORE1# show ip dhcp snooping binding

Press Enter.

You will see the following output:

NYCORE1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
10:BD:18:E1:A1:41   192.168.16.200   85712       dhcp-snooping   1     FastEthernet1/0/23
00:12:D9:40:DA:D8   192.168.16.201   86371       dhcp-snooping   1     FastEthernet1/0/24
Total number of bindings: 2
NYCORE1#

My Output:

Mine slightly differs, I assume because of the previous task's mistake. Fingers crossed we don't encounter any issues; I will monitor closely.
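A parser for the binding table above plus the lookup DAI performs on an untrusted port, written as an added example (not lab or IOS code). It uses the table from the lab output. The simplified check compares only sender MAC, sender IP and VLAN and ignores the interface column and ARP ACLs; the NYACCESS1 MAC 74a2.e63c.5a50 is the one the lab's MAC table later shows on Fa1/0/1. Note that the binding table prints MACs with colons while ARP and log output use dotted notation, so both are normalised before comparison:

```python
"""Parse 'show ip dhcp snooping binding' and validate ARP sender fields
against it the way DAI does on untrusted ports (added example, not lab
code; the DAI check is simplified to MAC/IP/VLAN)."""
import re
from dataclasses import dataclass

# Table as shown in the lab output (Task 2, Step 1)
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
10:BD:18:E1:A1:41   192.168.16.200   85712       dhcp-snooping   1     FastEthernet1/0/23
00:12:D9:40:DA:D8   192.168.16.201   86371       dhcp-snooping   1     FastEthernet1/0/24
Total number of bindings: 2
"""

BINDING_LINE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$")


@dataclass(frozen=True)
class Binding:
    mac: str          # normalised: 12 lowercase hex digits
    ip: str
    vlan: int
    interface: str


def norm_mac(mac: str) -> str:
    """Accept 10:BD:18:E1:A1:41, 10bd.18e1.a141 or 10-bd-18-e1-a1-41; return 10bd18e1a141."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_bindings(text: str) -> dict:
    """Return {(vlan, ip): Binding} from the show command output."""
    table = {}
    for line in text.splitlines():
        m = BINDING_LINE.match(line)
        if m:
            b = Binding(norm_mac(m["mac"]), m["ip"], int(m["vlan"]), m["intf"])
            table[(b.vlan, b.ip)] = b
    return table


def dai_check(table: dict, trusted_ports: set, port: str, vlan: int,
              sender_mac: str, sender_ip: str) -> str:
    """Simplified DAI: trusted ports bypass inspection; on untrusted ports the
    ARP sender IP must be bound to the sender MAC in this VLAN."""
    if port in trusted_ports:
        return "permit"
    bound = table.get((vlan, sender_ip))
    if bound is None:
        return "deny"                  # IP was never leased through snooping
    return "permit" if bound.mac == norm_mac(sender_mac) else "deny"


def lab_check() -> dict:
    """Task 2 scenario: NYCORE2's genuine ARP versus NYACCESS1 claiming NYCORE2's address."""
    table = parse_bindings(SHOW_BINDING)
    trusted = {"Fa1/0/2"}              # port towards the DHCP server
    return {
        "nycore2": dai_check(table, trusted, "Fa1/0/23", 1, "10bd.18e1.a141", "192.168.16.200"),
        "nyaccess1": dai_check(table, trusted, "Fa1/0/1", 1, "74a2.e63c.5a50", "192.168.16.200"),
    }


if __name__ == "__main__":
    print(lab_check())
```

A binding keyed on (VLAN, IP) is what makes the attacker's claim fail: the IP is known, but the MAC presenting it is not the one that leased it. A host that was never leased an address through snooping (a statically addressed server on an untrusted port) is also denied, which is why static hosts need either a trusted port or an ARP ACL in a real deployment.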

Step 2

You will now configure dynamic ARP inspection on NYCORE1.

Type the following commands (press Enter after each command):

NYCORE1# configure terminal
NYCORE1(config)# ip arp inspection vlan 1
NYCORE1(config)# exit

You will see the following output:

NYCORE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYCORE1(config)#ip arp inspection vlan 1
NYCORE1(config)#exit
NYCORE1#

My Output:

Step 3

Connect to NYACCESS1 and configure interface vlan 1 with the IP address 192.168.16.200. This address already exists in the DHCP snooping table on the NYCORE1 switch, but it is bound to a different MAC address (the MAC address of interface fastethernet1/0/23 on NYCORE2). By configuring the same IP address on a host with another MAC address, you are simulating an attacker on the network.

Type the following commands (press Enter after each command):

NYACCESS1# configure terminal
NYACCESS1(config)# interface vlan 1
NYACCESS1(config-if)# ip add 192.168.16.200 255.255.255.0
NYACCESS1(config-if)# exit
NYACCESS1(config)# exit

You will see the following output:

NYACCESS1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYACCESS1(config)#interface vlan 1
NYACCESS1(config-if)#ip add 192.168.16.200 255.255.255.0
NYACCESS1(config-if)#exit
NYACCESS1(config)#exit
NYACCESS1#

AAAAND have encountered a new issue. NYACCESS1 is requesting a password. This has happened previously, I assume when other users assign one when using the lab.

Have tried all generic passwords and passwords I could think of used within the PracticeLabs. Will try logging off and reopening Labs.

SUCCESS

Reconfigured devices in accordance with Task 1 with no issues

Step 1 and 2 of Task 2

Step 3: We are back on track

Step 4

Now try to ping the DHCP server from NYACCESS1. To do this, issue the following command:

NYACCESS1# ping 192.168.16.3

Press Enter.

You will see the following output:

NYACCESS1#ping 192.168.16.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NYACCESS1#

Notice the ping was unsuccessful.

Step 5

Connect to NYCORE1 and check the log messages.

You will see the following output:

*Mar  1 00:43:56.992: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([74a2.e63c.5a50/192.168.16.1/0012.d940.dad8/192.168.16.201/00:43:56 UTC Mon Mar 1 1993])
*Mar  1 00:44:27.283: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([74a2.e63c.5a50/192.168.16.1/0012.d940.dad8/192.168.16.201/00:44:27 UTC Mon Mar 1 1993])

You can see from the above output that DAI is dropping the invalid ARP messages and logging the sender MAC, sender IP, target MAC and target IP of each one.
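A parser for these %SW_DAI-4-DHCP_SNOOPING_DENY messages, added here as an example for anyone forwarding switch syslog to a SIEM (it is not lab or IOS code). The sample input is the lab output above, including the line wrap that pasting introduced, so the parser re-joins continuation lines first. The field order inside the brackets (sender MAC/sender IP/target MAC/target IP/time) is taken from the messages as shown; the `Req` alternative covers the same message for ARP requests:

```python
"""Turn %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines into structured events
(added example, not lab code).  Input lines are the lab output, including
the wrap that occurred when the output was pasted."""
import re
from collections import Counter

RAW_LOG = """\
*Mar  1 00:43:56.992: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([74a2.e63c.5a50/192.168.16.1/0012.d940.
dad8/192.168.16.201/00:43:56 UTC Mon Mar 1 1993])
*Mar  1 00:44:27.283: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([74a2.e63c.5a50/192.168.16.1/0012.d940.
dad8/192.168.16.201/00:44:27 UTC Mon Mar 1 1993])
"""

# A new IOS record starts with an (optionally '*'-prefixed) "Mon dd hh:mm:ss" timestamp
RECORD_START = re.compile(r"^\*?[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d")

DENY_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3}\s+\d+\s+[\d:.]+): %SW_DAI-4-DHCP_SNOOPING_DENY: "
    r"(?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)")


def unwrap(text: str) -> list:
    """Join lines that do not start a new syslog record onto the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line          # continuation of a wrapped line
    return records


def parse_dai_denies(text: str) -> list:
    """Return one dict per DAI deny record; unrelated records are skipped."""
    events = []
    for record in unwrap(text):
        m = DENY_RE.match(record)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            event["vlan"] = int(event["vlan"])
            events.append(event)
    return events


def offenders(events: list) -> Counter:
    """Denied ARPs per (port, sender MAC, claimed sender IP): the triples to chase."""
    totals = Counter()
    for e in events:
        totals[(e["port"], e["smac"], e["sip"])] += e["count"]
    return totals


if __name__ == "__main__":
    for key, count in offenders(parse_dai_denies(RAW_LOG)).items():
        print(count, key)
```

The (port, sender MAC, sender IP) triple is the useful alert key: the port tells you which cable to follow, and the MAC/IP pair tells you which host is presenting an address it was never leased.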

My Output:

DAI is working.

Task 3 – Configuring Port Security

When you configure port security on a switch, you are telling the switch to filter frames on that port by source MAC address. In this task, you will enable port security on NYCORE1 and observe what happens to the port when the security policy is violated.

Step 1

Connect to NYCORE1 and check the MAC address table. To do this, issue the following command:

NYCORE1# show mac address-table

Press Enter.

You will see the following output:

NYCORE1#show mac address-table
<----- Output omitted ------>
 All    ffff.ffff.ffff    STATIC      CPU
   1    0012.d940.dad8    DYNAMIC     Fa1/0/24
   1    10bd.18e1.a11a    DYNAMIC     Fa1/0/24
   1    10bd.18e1.a141    DYNAMIC     Fa1/0/23
   1    74a2.e63c.5a50    DYNAMIC     Fa1/0/1
   1    7c0e.ce98.b630    DYNAMIC     Fa1/0/24
   1    fc5b.3955.6030    DYNAMIC     Fa1/0/2
Total Mac Addresses for this criterion: 26
NYCORE1#

Notice that on port Fa1/0/24, three MAC addresses have been learned.

My Output:

Step 2

You will now enable port security on the Fa1/0/24 port and limit it to allow just 1 MAC address.

Type the following commands (press Enter after each command):

NYCORE1# configure terminal
NYCORE1(config)# interface fastethernet1/0/24
NYCORE1(config-if)# switchport port-security

You will see the following output:

NYCORE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYCORE1(config)#interface fastethernet1/0/24
NYCORE1(config-if)#switchport port-security
Command rejected: FastEthernet1/0/24 is a dynamic port.
NYCORE1(config-if)#

Notice that port security cannot be enabled while the port is in dynamic (DTP) mode; you need to make it an access port first.

Type the following commands (press Enter after each command):

NYCORE1(config-if)# switchport mode access
NYCORE1(config-if)# switchport port-security

You will see the following output:

NYCORE1(config-if)#switchport mode access
NYCORE1(config-if)#switchport port-security
*Mar  1 00:50:12.416: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/24, putting Fa1/0/24 in err-disable state

By default, when you enable port security on a port, the port can learn only one MAC address. When the port sees a second source MAC address, that is a port-security violation, and the default action puts the port into the err-disabled state.

My Output:

No ERR_DISABLE notice, perhaps it is just taking its time.

Step 3

You can change this behavior by allowing the port to learn two MAC addresses.

Change the maximum number of MAC addresses on this port to two by issuing the following command:

NYCORE1(config-if)# switchport port-security maximum 2

Press Enter.

You will see the following output:

NYCORE1(config-if)#switchport port-security maximum 2
NYCORE1(config-if)#

Step 4

Since the port is in an err-disabled mode, type the following commands (press Enter after each command) to recover it:

NYCORE1(config-if)# shutdown
NYCORE1(config-if)# no shutdown
NYCORE1(config-if)# exit
NYCORE1(config)# exit

You will see the following output:

NYCORE1(config-if)#shutdown
NYCORE1(config-if)#no shutdown
*Mar  1 00:55:10.220: %LINK-5-CHANGED: Interface FastEthernet1/0/24, changed state to administratively down
NYCORE1(config-if)#
*Mar  1 00:55:13.181: %LINK-3-UPDOWN: Interface FastEthernet1/0/24, changed state to up
*Mar  1 00:55:14.187: %LINEPROTO-5-
NYCORE1(config-if)#exit
NYCORE1(config)#exit
NYCORE1#

My Output:

DAI still making it hard to read, will issue command to turn off DAI for now

Step 5

Now verify the port security configuration on NYCORE1 switch.

NYCORE1# show port-security

Press Enter.

You will see the following output:

NYCORE1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
Fa1/0/24              2            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144
NYCORE1#

Notice that the default violation action is to shut down the port. This can be changed by issuing the following commands (press Enter after each command):

NYCORE1# configure terminal
NYCORE1(config)# interface fastethernet1/0/24
NYCORE1(config-if)# switchport port-security violation ?

You will see the following output:

NYCORE1#configure terminal
NYCORE1(config)#interface fastethernet1/0/24
NYCORE1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

NYCORE1(config-if)#switchport port-security violation

With the first two options, protect and restrict, the interface does not go into the err-disabled state; it stays up and only drops frames from the MAC address that violates port security, while traffic from the MAC addresses already secured on the port (those that did not violate port security) is still allowed. The difference between them is that restrict increments the violation counter and generates a syslog message or SNMP trap for each violation, whereas protect drops the offending frames silently, which makes restrict the better choice when you want to be able to detect the event.
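The three violation modes as a small Python model, added here as an example (this is not lab or IOS code). The MAC addresses are constructed, and the way `bounce()` flushes dynamically learned addresses after a shutdown/no shutdown is a modelling assumption, made so that the port relearns addresses after recovery as the `show port-security` output above reflects:

```python
"""Port-security violation-mode model (added example, not lab code).

A port learns up to `maximum` source MACs.  A frame from any further MAC
is a violation, and the configured mode decides whether the port is
err-disabled (shutdown), the frame is dropped and counted (restrict), or
the frame is dropped silently (protect)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum N
    violation: str = "shutdown"   # switchport port-security violation {protect|restrict|shutdown}
    secure_macs: list = field(default_factory=list)
    violations: int = 0           # the SecurityViolation (Count) column
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return what the switch does with it."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)       # dynamically learned secure MAC
            return "forwarded (learned)"
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True               # %PM-4-ERR_DISABLE psecure-violation
            return "dropped: violation, port err-disabled"
        if self.violation == "restrict":
            self.violations += 1                   # counted and reported (syslog/SNMP trap)
            return "dropped: violation counted"
        if self.violation == "protect":
            return "dropped: violation (silent)"   # no counter, no log
        raise ValueError(f"unknown violation mode {self.violation!r}")

    def bounce(self) -> None:
        """shutdown / no shutdown: clears err-disable.  Modelling assumption: the
        dynamically learned addresses are flushed and must be relearned."""
        self.err_disabled = False
        self.secure_macs.clear()


def demo(mode: str, maximum: int) -> dict:
    """Three constructed hosts sharing one port, the first one talking twice."""
    port = SecurePort("Fa1/0/24", maximum=maximum, violation=mode)
    frames = ["0000.0000.0001", "0000.0000.0002", "0000.0000.0003", "0000.0000.0001"]
    results = [port.receive(mac) for mac in frames]
    return {"results": results, "violations": port.violations,
            "err_disabled": port.err_disabled, "learned": list(port.secure_macs)}


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, demo(mode, maximum=2))
```

Run with `maximum=1` and mode `shutdown` it reproduces Step 2: the second host err-disables the port, after which even the first, legitimate host is cut off. With `restrict` or `protect` the first two hosts keep working and only the third is dropped; only `restrict` leaves a counter behind for `show port-security` to display.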

My Output:

COMMANDS: switchport port-security (apply port security on access port)

You completed the following exercises:

  • Exercise 4 – Configuring Layer 2 Security Features

You should now be able to:

  • Configure DHCP Snooping
  • Configure Dynamic ARP Inspection
  • Configure Port Security