SOLID CONFIG: Cisco DHCP Snooping and IP Device Tracking for IOS-XE Devices (SISF based)


July 9, 2022, by Jacob Fredriksson

If you are looking to deploy these features on older IOS switches (not the newer IOS-XE), please check out this article instead: SOLID CONFIG: Cisco DHCP Snooping and IP Device Tracking for IOS Devices (non-SISF based).

This article is part of the "SOLID CONFIG" series, in which I cover some of the everyday configuration templates I have put together over the years to provide a solid configurational base for a specific feature or use case.

Introduction

In this article, we take a look at the configuration steps for deploying DHCP Snooping and IP Device Tracking on access ports and trunk ports of Cisco IOS-XE switches, using the newer SISF-based (Switch Integrated Security Features) configuration. DHCP Snooping and IP Device Tracking provide some neat security and operational features. Among them, they are a great way to find out the IP addresses of connected endpoints without having to resort to looking at the ARP tables of the default gateways in a network and tracing MAC addresses.

The following configuration has been tested on:

- Cisco Catalyst C9200L-48T-4X running version 16.12.5
- Cisco Catalyst C9200L-48P-4X running version 17.3.5

About DHCP Snooping

DHCP Snooping protects against rogue DHCP servers in the network by only allowing ports configured as "trusted" to pass DHCP server messages (Offer, Ack, Nak); server messages arriving on untrusted ports are dropped. The switch intercepts ("snoops") DHCP messages and takes a peek inside them to determine which IP address was assigned to a specific endpoint on a port. After an endpoint has gone through the whole DHCP leasing process (Discover, Offer, Request, and Acknowledge), the result is added to the DHCP Snooping binding database. Renewals of DHCP leases (which are sent as DHCP REQUESTs) refresh the entry in the database. The switch also removes the entry for an IP address if it sees a DHCP RELEASE packet sent from the endpoint that the IP address in question belongs to.

About IP Device Tracking

IP Device Tracking uses the DHCP Snooping and Address Resolution Protocol (ARP) snooping features to build a database of the IP-to-MAC bindings present on the switch, making it easy to identify the IP address of every endpoint connected to the ports of the switch. ARP snooping works because the switch sees all the ARP Probes, Requests and Replies sent to and from the connected endpoints and stores this information in the IP Device Tracking database. The switch then uses its own ARP Probes to keep the information in the IP Device Tracking database up to date and accurate. If an endpoint doesn't send or receive any ARP Probe/Request/Reply for a period of time, an IP Device Tracking ARP Probe is sent out on the port using the MAC address of the switch as the source MAC address and, by default, 0.0.0.0 as the source IP address. The endpoint, if still up and running, responds to the probe, letting the switch know that it is still active.

One caveat with the default probe: some hosts (Windows in particular) treat an ARP Probe from 0.0.0.0 carrying their own IP as a duplicate-address conflict and log a warning. That is why the global configuration below includes `device-tracking tracking auto-source`, which sources the probe from the SVI address of the VLAN when one exists instead of from 0.0.0.0.

Both of these features are also very useful when deploying secured (authenticated) wired ports using a RADIUS server like Cisco ISE, where the connected host's IP address needs to be inserted into Downloadable Access Control Lists (dACL). The IP address learned this way is also passed to the RADIUS server in RADIUS Accounting Update packets, together with the data collected by Device Sensor.

Now, time to get into the configuration steps.

Global DHCP Snooping and IP Device Tracking Configuration

This is the global configuration needed to get both DHCP Snooping and IP Device Tracking up and running. DHCP Snooping is enabled per VLAN, but since it is mainly an access layer feature, you should be fine by always enabling it for all VLANs (1-4094). Option 82 insertion (`ip dhcp snooping information option`) is turned off, because DHCP relays and servers that are not configured to accept option 82 from a switch will drop the client's request instead of answering it. The binding database is written to flash so that the learned bindings survive a reload.

Compared to the "older" IOS software, most of the configuration for IP Device Tracking in IOS-XE is done in global configuration as Device Tracking Policies, which are then applied to the interfaces of the switch. For trunk ports, the Device Tracking Policy disables all kinds of device tracking, since we do not want this feature running at all on trunk ports. For access ports, the Device Tracking Policy limits tracking to 2 addresses on the port (`limit address-count` counts tracked IP addresses, not MAC addresses), for example one address for a VoIP phone and one for a PC connected behind it; because NDP and DHCPv6 are disabled in the policy, only IPv4 addresses count towards that limit. Note also that `security-level glean` only learns bindings and never drops traffic that does not match them, so this template gives you visibility, not enforcement.

    ip dhcp snooping
    no ip dhcp snooping information option
    ip dhcp snooping vlan 1-4094
    ip dhcp snooping database flash:dhcp-snooping-db.txt
    device-tracking tracking auto-source
    !
    ! Device Tracking Policy for Trunk Ports
    device-tracking policy DISABLE-IP-TRACKING
     tracking disable
     trusted-port
     device-role switch
    !
    ! Device Tracking Policy for Access Ports
    device-tracking policy IP-TRACKING
     limit address-count 2
     security-level glean
     no protocol ndp
     no protocol dhcp6
     tracking enable reachable-lifetime 30

Trunk Port Interface Configuration

I would recommend configuring the trunk ports before the access ports: as soon as DHCP Snooping is enabled, server messages arriving on a port that is not yet trusted are dropped, so clients stop getting leases until the uplinks are trusted. This configuration configures the trunk ports as "trusted", meaning DHCP server messages are allowed to be received on these ports. Since DHCP servers are usually located upstream in the data center or similar, make sure to configure this on all of your trunk ports. Keep in mind that trust covers everything reachable through that trunk; a downstream switch hanging off a trusted trunk needs its own DHCP Snooping to keep a rogue server on one of its access ports out. This configuration also applies a Device Tracking Policy with tracking disabled, since it is a feature more suited for use on access ports, where the endpoints are connected.

    interface Te1/1/1
     switchport mode trunk
     switchport nonegotiate
     ip dhcp snooping trust
     device-tracking attach-policy DISABLE-IP-TRACKING

Access Port Interface Configuration

This configuration configures your access ports to rate-limit the number of DHCP packets that can be received on the port (per second). There is no need to configure the port as "untrusted", since that is the default state. IP Device Tracking is configured according to the Device Tracking Policy we configured earlier in the global configuration. Be aware that a port exceeding the rate limit is put into err-disabled state; if you do not want to clear that by hand, add `errdisable recovery cause dhcp-rate-limit` globally. Adjust the interface range to your platform (the range below covers the first 24 ports of the tested C9200L-48) and replace the VLAN placeholder XXX.

    interface range GigabitEthernet1/0/1 - 24
     switchport mode access
     switchport access vlan XXX
     switchport nonegotiate
     device-tracking attach-policy IP-TRACKING
     ip dhcp snooping limit rate 20

Show Commands

Use the command "show ip dhcp snooping binding" to see the IP addresses of all endpoints discovered using DHCP Snooping.
Use the command "show device-tracking database" to see the IP addresses of all endpoints discovered using either DHCP Snooping or the ARP snooping part of IP Device Tracking. The first column of the output tells you how each entry was learned: DH4 for an IPv4 address learned from DHCP Snooping, ARP for an address learned from ARP snooping. An endpoint with a static IP address, for example, never shows up in the DHCP Snooping binding table, but it is discovered using ARP snooping and listed here.
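The trunk/access rules from the configuration sections above are easy to get wrong on a switch with dozens of ports, and a single trusted access port undoes the rogue-server protection. The following is an added example, not code from the article or from Cisco: a small Python checker that reads an IOS-XE running-config and reports every interface that does not follow the templates. The policy names are the article's; SAMPLE_CONFIG and its interface names are constructed for the demonstration.

```python
"""Check an IOS-XE running-config against the DHCP Snooping / SISF templates.

Added example, not from the article. The policy names follow the article's
templates; SAMPLE_CONFIG below is a constructed running-config excerpt.
"""

TRUNK_POLICY = "DISABLE-IP-TRACKING"   # article's trunk policy name
ACCESS_POLICY = "IP-TRACKING"          # article's access policy name
MAX_DHCP_RATE = 20                     # packets per second, as in the access template

# Constructed sample: a compliant trunk, a compliant access port, and an
# access port that is wrongly trusted, has no policy and no DHCP rate limit.
SAMPLE_CONFIG = """\
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping vlan 1-4094
ip dhcp snooping database flash:dhcp-snooping-db.txt
device-tracking tracking auto-source
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 device-tracking attach-policy DISABLE-IP-TRACKING
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 device-tracking attach-policy IP-TRACKING
 ip dhcp snooping limit rate 20
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
"""


def split_config(config):
    """Return (global_lines, {interface_name: [sub-mode lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any top-level line ends the interface stanza
            if raw and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def value_after(lines, prefix):
    """Text following `prefix` on the first matching line, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means compliant."""
    findings = []
    global_lines, interfaces = split_config(config)

    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "ip dhcp snooping is not enabled"))
    if not any(l.startswith("ip dhcp snooping vlan ") for l in global_lines):
        findings.append(("global", "DHCP snooping is not enabled on any VLAN"))
    if "no ip dhcp snooping information option" not in global_lines:
        findings.append(("global", "option 82 insertion is on; relays/servers may drop client requests"))

    for name, lines in interfaces.items():
        mode = value_after(lines, "switchport mode ")
        trusted = "ip dhcp snooping trust" in lines
        policy = value_after(lines, "device-tracking attach-policy ")
        rate = value_after(lines, "ip dhcp snooping limit rate ")
        if mode == "trunk":
            if not trusted:
                findings.append((name, "trunk is untrusted: DHCP Offers/Acks from upstream are dropped"))
            if policy != TRUNK_POLICY:
                findings.append((name, f"trunk should carry policy {TRUNK_POLICY}, has {policy}"))
        elif mode == "access":
            if trusted:
                findings.append((name, "access port is trusted: a rogue DHCP server here is accepted"))
            if policy != ACCESS_POLICY:
                findings.append((name, f"access port should carry policy {ACCESS_POLICY}, has {policy}"))
            if rate is None or int(rate) > MAX_DHCP_RATE:
                findings.append((name, f"no DHCP rate limit of at most {MAX_DHCP_RATE} pps"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Feed it the output of `show running-config` and every finding points at a port that either breaks DHCP for its clients (untrusted uplink) or weakens the rogue-server protection (trusted access port, missing rate limit).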
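The two show commands are most useful read together: an entry that exists in the device-tracking database but has no DHCP Snooping binding is a statically addressed host, and a DHCP-leased IP that ARP snooping reports with a different MAC than the lease was issued to is a duplicate or spoofed address worth a look. Below is an added example, not from the article or Cisco, that parses both outputs and does that correlation. Both outputs are constructed samples laid out the way IOS-XE prints them; the interface names and addresses are hypothetical, and the parser normalizes the two MAC formats (colon-separated in the snooping table, dotted in the device-tracking table) before comparing them.

```python
"""Correlate "show ip dhcp snooping binding" with "show device-tracking database".

Added example, not from the article. SNOOPING_BINDING and DEVICE_TRACKING are
constructed sample outputs with hypothetical hosts.
"""
import re

# Constructed sample output of "show ip dhcp snooping binding".
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.10.21       86321       dhcp-snooping   10    GigabitEthernet1/0/1
00:11:22:33:44:66   10.1.10.30       80000       dhcp-snooping   10    GigabitEthernet1/0/3
Total number of bindings: 2
"""

# Constructed sample output of "show device-tracking database" (legend trimmed).
DEVICE_TRACKING = """\
Binding Table has 3 entries, 3 dynamic (limit 200000)
    Network Layer Address               Link Layer Address Interface    vlan prlvl  age   state     Time left
DH4 10.1.10.21                          0011.2233.4455     Gi1/0/1      10   0025   7s    REACHABLE 23 s
ARP 10.1.10.50                          aabb.ccdd.eeff     Gi1/0/2      10   0005   12s   REACHABLE 18 s
ARP 10.1.10.30                          0000.0000.0030     Gi1/0/4      10   0005   2s    REACHABLE 28 s
"""

# mac  ip  lease  type  vlan  interface
SNOOP_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
# code  ip  mac(dotted)  interface  vlan  prlvl  age  state
TRACK_RE = re.compile(r"^(L|S|ND|ARP|DH4|DH6|PKT|API)\s+(\S+)\s+([0-9a-fA-F.]{14})\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)")


def normalize_mac(mac):
    """00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55 -> 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_snooping(output):
    """ip -> {mac, vlan, interface} for every DHCP Snooping binding."""
    bindings = {}
    for line in output.splitlines():
        m = SNOOP_RE.match(line)
        if m:
            mac, ip, _lease, _type, vlan, intf = m.groups()
            bindings[ip] = {"mac": normalize_mac(mac), "vlan": int(vlan), "interface": intf}
    return bindings


def parse_device_tracking(output):
    """List of {code, ip, mac, interface, vlan, state} from the binding table."""
    entries = []
    for line in output.splitlines():
        m = TRACK_RE.match(line)
        if m:
            code, ip, mac, intf, vlan, state = m.groups()
            entries.append({"code": code, "ip": ip, "mac": normalize_mac(mac),
                            "interface": intf, "vlan": int(vlan), "state": state})
    return entries


def classify(snooping_output, tracking_output):
    """Tag each device-tracking entry as 'dhcp', 'static' or 'conflict'.

    dhcp     = IP has a lease and the MAC matches the lease
    static   = ARP-learned IP with no DHCP lease at all
    conflict = IP has a lease, but ARP shows it on a different MAC
    """
    leases = parse_snooping(snooping_output)
    result = []
    for e in parse_device_tracking(tracking_output):
        lease = leases.get(e["ip"])
        if lease is None:
            source = "static" if e["code"] == "ARP" else e["code"].lower()
        elif lease["mac"] == e["mac"]:
            source = "dhcp"
        else:
            source = "conflict"
        result.append({**e, "source": source, "leased_to": lease["mac"] if lease else None})
    return result


if __name__ == "__main__":
    for r in classify(SNOOPING_BINDING, DEVICE_TRACKING):
        print(f"{r['ip']:<12} {r['mac']}  {r['interface']:<8} {r['source']}")
```

Paste the real command output from a switch in place of the two samples; the `conflict` case is exactly the situation the glean-only policy above will not block, so it is worth alerting on.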


