SOLID CONFIG: Cisco DHCP Snooping and IP Device Tracking for IOS Devices (non-SISF based)


Posted July 9, 2022 by Jacob Fredriksson on the Wires and Wi.Fi cyber security and networking blog.

If you are looking to deploy these features on Cisco IOS-XE switches (not older IOS), please check out this article instead: SOLID CONFIG: Cisco DHCP Snooping and IP Device Tracking for IOS-XE Devices (SISF based). This article is part of the "SOLID CONFIG" series, in which I cover some of the everyday configuration templates I have put together over the years to provide a solid configurational base for a specific feature or use case.

Introduction

In this article, we take a look at the configuration steps for deploying DHCP Snooping and IP Device Tracking on access ports and trunk ports on Cisco IOS switches. DHCP Snooping and IP Device Tracking provide some neat security and operational features, among them a great way to find out the IP addresses of connected endpoints without having to resort to looking at ARP tables at the default gateways of a network and tracing MAC addresses.

The following configuration has been tested on:

- Cisco Catalyst C2960CX-8PC-L running version 15.2(7)E4
- Cisco Catalyst C2960C-8TC-L running version 15.2(7)E4
- Cisco Catalyst C2960X-24PS-L running version 15.2(7)E4
- Cisco Catalyst C3560CX-8PC-S running version 15.2(7)E6

About DHCP Snooping

DHCP Snooping protects against rogue DHCP servers in the network by only allowing ports configured as "trusted" to pass DHCP server messages (DHCPOFFER, DHCPACK and DHCPNAK); server messages arriving on an untrusted port are dropped. The switch intercepts ("snoops") the DHCP messages it forwards and inspects them to determine which IP address was assigned to a specific endpoint on a port. After an endpoint has gone through the whole DHCP lease process (Discover, Offer, Request and Acknowledge), the result is added to the DHCP Snooping binding database. Renewals (sent as DHCPREQUEST messages) refresh the entry in the database, and the switch removes the entry for an IP address when it sees a DHCPRELEASE sent from the endpoint that address belongs to.

About IP Device Tracking

IP Device Tracking uses the DHCP Snooping and Address Resolution Protocol (ARP) snooping features to build a database of the IP-to-MAC bindings present on the switch, making it easy to identify the IP address of every endpoint connected to its ports. ARP snooping works because the switch sees the ARP probes, requests and replies sent to and from the connected endpoints, and it stores that information in the IP Device Tracking database. The switch then uses its own ARP probes to keep the database up to date and accurate: if an endpoint has not sent or received any ARP probe, request or reply for a period of time, the switch sends an ARP probe out the port using its own MAC address and the IP address 0.0.0.0 as the source MAC and IP addresses. An endpoint that is still up and running responds to the probe, letting the switch know it is still active. Two of the global settings further down exist because of these probes: "probe auto-source" makes the switch source them from an SVI address instead of 0.0.0.0 where one is available, and "probe delay" holds the first probe for a few seconds after link-up; both avoid the duplicate-IP-address warnings that 0.0.0.0-sourced probes are known to trigger on some Windows hosts.

Both of these features are also very useful when deploying secured (authenticated) wired ports using a RADIUS server like Cisco ISE, where the connected host's IP address needs to be inserted into Downloadable Access Control Lists (dACLs). The Device Sensor uses both of these features to feed the RADIUS server with IP address information using RADIUS Accounting Update packets. Now, time to get into the configuration steps.

Global DHCP Snooping and IP Device Tracking Configuration

This is the global configuration needed to get both DHCP Snooping and IP Device Tracking up and running. DHCP Snooping is enabled per VLAN, but since it is mainly an access layer feature, you should be fine always enabling it for all VLANs (1-4094). The "information option" line disables insertion of DHCP Option 82, which some upstream relays and servers otherwise reject, and the "database" line persists the bindings to flash so they survive a reload instead of having to be relearned lease by lease.

```
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping vlan 1-4094
ip dhcp snooping database flash:dhcp-snooping-db.txt
ip device tracking probe auto-source
ip device tracking probe delay 10
ip device tracking probe interval 30
```

Trunk Port Interface Configuration

I would recommend configuring the trunk ports before the access ports: once DHCP Snooping is enabled globally, every port is untrusted by default, so DHCP server replies arriving on an uplink are dropped until that uplink is trusted, and clients stop getting leases. This configuration marks the trunk ports as "trusted", meaning DHCP server messages are allowed to be received on them. Since DHCP servers are usually located upstream in the data center or similar, make sure to configure this on all of your trunk ports. The configuration also effectively disables IP Device Tracking on the trunk ports, since that feature is better suited to access ports, where the endpoints are connected.

```
interface Te1/0/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip device tracking maximum 0
```

Access Port Interface Configuration

This configuration rate-limits the number of DHCP packets that can be received on each access port (in packets per second). There is no need to configure the port as "untrusted", since that is the default state. The IP Device Tracking configuration limits tracking to two MAC addresses, for example one for a VoIP phone and one for a PC connected behind it. Note that a port exceeding the DHCP rate limit is placed in err-disabled state, so pair this with "errdisable recovery cause dhcp-rate-limit" if you do not want to clear those ports by hand.

```
interface range Gigabit0/1-24
 switchport mode access
 switchport access vlan XXX
 switchport nonegotiate
 ip device tracking maximum 2
 ip dhcp snooping limit rate 20
```

Show Commands

Use the command "show ip dhcp snooping binding" to see the IP addresses of all endpoints discovered using DHCP Snooping.

Use the command "show ip device tracking all" to see the IP addresses of all endpoints discovered using either DHCP Snooping or IP Device Tracking's ARP snooping. For example, the endpoint in the original post's screenshot of this output uses a static IP address, so it was discovered using ARP snooping.
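The global, trunk and access port templates above only protect the segment if every uplink carries the trust flag and no access port does. The following is an added example, not code from the original post: a small Python audit that reads a running-config and reports each deviation from this template. RUNNING_CONFIG is a constructed sample (two uplinks, two access ports, two of them deliberately wrong) and the rule set encodes this post's template rather than every valid design.

```python
"""Audit a Catalyst IOS running-config against the DHCP Snooping /
IP Device Tracking template above (added example, not from the original
post). RUNNING_CONFIG is a constructed sample, and the checks encode this
template's rules, not every valid design."""
from __future__ import annotations

RUNNING_CONFIG = """\
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping vlan 1-4094
ip dhcp snooping database flash:dhcp-snooping-db.txt
ip device tracking probe auto-source
ip device tracking probe delay 10
ip device tracking probe interval 30
!
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip device tracking maximum 0
!
interface TenGigabitEthernet1/0/2
 description second uplink, added later without trust
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip device tracking maximum 2
 ip dhcp snooping limit rate 20
!
interface GigabitEthernet0/2
 description "fixed" a DHCP problem by trusting the port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
end
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [indented config lines under it]}."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def audit(config: str) -> list[str]:
    """Return one finding per deviation from the template; an empty list is clean."""
    findings: list[str] = []
    top = [line for line in config.splitlines() if not line.startswith(" ")]
    if "ip dhcp snooping" not in top:
        findings.append("global: ip dhcp snooping is not enabled")
    if not any(line.startswith("ip dhcp snooping vlan ") for line in top):
        findings.append("global: no VLANs enabled for DHCP snooping")
    if not any(line.startswith("ip dhcp snooping database ") for line in top):
        findings.append("global: binding database not persisted; bindings are lost on reload")

    for name, lines in parse_interfaces(config).items():
        trusted = "ip dhcp snooping trust" in lines
        if "switchport mode trunk" in lines:
            # Uplinks: server replies must be allowed in, endpoint tracking off.
            if not trusted:
                findings.append(f"{name}: trunk is untrusted, DHCP offers from upstream are dropped")
            if "ip device tracking maximum 0" not in lines:
                findings.append(f"{name}: trunk still tracks endpoints (ip device tracking maximum 0 missing)")
        elif "switchport mode access" in lines:
            # Edge ports: never trusted, rate-limited, tracking capped.
            if trusted:
                findings.append(f"{name}: access port is trusted, a rogue DHCP server here would be accepted")
            if not any(line.startswith("ip dhcp snooping limit rate ") for line in lines):
                findings.append(f"{name}: access port has no DHCP rate limit")
            if not any(line.startswith("ip device tracking maximum ") for line in lines):
                findings.append(f"{name}: access port has no IP device tracking limit")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG):
        print(finding)
```

Run against the sample it reports the forgotten trust on the second uplink and the trusted access port; feed it the output of "show running-config" from a real switch to check a whole access layer at once.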
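The two show commands above print the same endpoints in different notations (colon-separated MACs in the binding table, dotted MACs in the tracking table), and the interesting rows are the ones that appear in only one of them. This added example, not from the original post, parses both outputs and reconciles them: an endpoint the tracking table knows but DHCP Snooping does not was learned from ARP (a static address, or a lease obtained before snooping was enabled), and an IP that tracking sees on a different MAC than the one DHCP leased it to is a conflict worth investigating. SNOOPING_BINDING and DEVICE_TRACKING are constructed samples that approximate the Catalyst IOS 15.2 output format; adjust the regexes if your platform's columns differ.

```python
"""Reconcile "show ip dhcp snooping binding" with "show ip device tracking all"
(added example, not from the original post). Both inputs are constructed
samples approximating the Catalyst IOS 15.2 output format."""
from __future__ import annotations

import re
from dataclasses import dataclass

SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.10.21       86245       dhcp-snooping   10   GigabitEthernet0/3
00:11:22:33:44:66   10.1.10.22       3599        dhcp-snooping   10   GigabitEthernet0/4
Total number of bindings: 2
"""

DEVICE_TRACKING = """\
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE
-----------------------------------------------------------------------
10.1.10.21       0011.2233.4455 10    GigabitEthernet0/3       ACTIVE
10.1.10.22       0011.2233.4466 10    GigabitEthernet0/4       INACTIVE
10.1.10.22       0000.5e00.5301 10    GigabitEthernet0/8       ACTIVE
10.1.10.250      aabb.ccdd.eeff 10    GigabitEthernet0/7       ACTIVE
Total number interfaces enabled: 24
"""


@dataclass(frozen=True)
class Entry:
    ip: str
    mac: str        # normalised to aaaa.bbbb.cccc
    vlan: int
    interface: str
    detail: str     # binding type for DHCP rows, STATE for tracking rows


def normalize_mac(mac: str) -> str:
    """00:11:22:33:44:55, 00-11-22-33-44-55 and 0011.2233.4455 all become 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


_BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)$"
)
_TRACKING_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)\s+(?P<intf>\S+)\s+(?P<state>\S+)$"
)


def parse_snooping_bindings(text: str) -> list[Entry]:
    """Rows of the DHCP Snooping binding table; header and footer lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _BINDING_RE.match(line.strip())
        if m:
            rows.append(Entry(m["ip"], normalize_mac(m["mac"]), int(m["vlan"]), m["intf"], m["type"]))
    return rows


def parse_device_tracking(text: str) -> list[Entry]:
    """Rows of the IP Device Tracking table (DHCP- and ARP-learned alike)."""
    rows = []
    for line in text.splitlines():
        m = _TRACKING_RE.match(line.strip())
        if m:
            rows.append(Entry(m["ip"], normalize_mac(m["mac"]), int(m["vlan"]), m["intf"], m["state"]))
    return rows


def reconcile(bindings: list[Entry], tracked: list[Entry]) -> dict[str, list]:
    """Classify every tracked endpoint against the DHCP bindings:
    dhcp     - IP and MAC match a binding (the lease was seen on this switch)
    arp      - IP unknown to DHCP Snooping (learned from ARP: static address,
               or a lease obtained before snooping was enabled)
    conflict - IP is leased to a different MAC (a second host is using an
               address DHCP handed to someone else)"""
    leased = {b.ip: b for b in bindings}
    report: dict[str, list] = {"dhcp": [], "arp": [], "conflict": []}
    for t in tracked:
        b = leased.get(t.ip)
        if b is None:
            report["arp"].append(t)
        elif b.mac == t.mac:
            report["dhcp"].append(t)
        else:
            report["conflict"].append((t, b))
    return report


if __name__ == "__main__":
    result = reconcile(parse_snooping_bindings(SNOOPING_BINDING),
                       parse_device_tracking(DEVICE_TRACKING))
    for category, rows in result.items():
        print(category, *rows, sep="\n  ")
```

On the sample, 10.1.10.250 lands in the "arp" bucket (nobody leased it, so it is a static address or an outside lease) and the second 10.1.10.22 row is a conflict: a host on GigabitEthernet0/8 is answering ARP for an address DHCP leased to the MAC on GigabitEthernet0/4. On a segment that is supposed to be DHCP-only, both buckets deserve a look before the entries age out.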


