15 - Security Services III - DHCP and ARP Inspection

Question 1

What 2 key things do clients use DHCP protocol to do?

Answer 1

• Discover a DHCP server

- Request to lease an address

Question 2

What are the 4 message types exchanged between a DHCP client and server?

Answer 2

• Discover
• Offer
• Request
• Acknowledgement

Question 3

What is a DHCP acknowledgement message?

Answer 3

Sent by the DHCP server to assign the address and also list the following:

• Mask
• Default router
• DNS server IPs

Question 4

What 2 special IP addresses does DHCP make use of for hosts that don’t yet have an IP?

Answer 4

0. 0.0.0 as a source IP

255. 255.255.255 local broadcast

Question 5

Where are DHCP Offer messages addressed to?

Answer 5

255.255.255.255

Question 6

What is included in a DHCP Discover messages to uniquely identify a client?

Answer 6

The client ID which is it’s MAC

Question 7

How do DHCP Offer messages identify who they are intended for, given all hosts receive them?

Answer 7

The client ID (MAC)

Question 8

How can you allow messages from a centralized DHCP server to traverse beyond the local subnet and back?

Answer 8

Make the device a DHCP Relay

ip helper-address {server ip}

Question 9

What effects does the ip helper-address command have on messages coming in from DHCP clients?

Answer 9

1. Look for incoming DHCP messages with destination 255.255.255.255
2. Change said packets source IP to the routers incoming interface IP
3. Change said packets destination IP to the address of the DHCP server (as configured with ip helper-address command)
4. Route the packet to the DHCP server

Question 10

What is the name of the feature enabled by the ip helper-address command?

Answer 10

DHCP Relay

Question 11

What settings must a DHCP server be configured with?

Answer 11

• Subnet ID and Mask
• Reserved (excluded) addresses
• Default router(s)
• DNS IPs

Question 12

What are the 3 DHCP Allocation modes?

Answer 12

• Dynamic
• Automatic
• Static

Question 13

What does Automatic DHCP allocation mode do?

Answer 13

Sets the DHCP lease time to infinite

Question 14

What does Static DHCP allocation mode do?

Answer 14

Pre-configures an IP for a client based on a specific MAC address

Question 15

What 2 criteria identify interfaces that need to have DHCP Relay enabled?

Answer 15

• DHCP Clients exist in the subnet

- DHCP Servers do NOT exist in the subnet

Question 16

How would you configure a switch to use DHCP to lease an address?

Answer 16

interface vlan 1
ip address dhcp
no shutdown

show interfaces vlan 1

Question 17

How can you view details about DHCP configuration for interfaces on that device?

Answer 17

show dhcp lease

Question 18

How can Routers distribute default routes learned on its internet facing interface from the ISP into the network?

Answer 18

Using an interior routing protocol such as OSPF

Question 19

How do you configure an IP to be obtained from DHCP on an interface?

Answer 19

ip address dhcp

Question 20

What does IOS display default routes learned from DHCP as?

Answer 20

A static route with an administrative distance of 254

Question 21

What does IOS use to identify routes that are DHCP learned default routes?

Answer 21

An administrative distance of 254

Question 22

What settings does a host need to work correctly for IPv4?

Answer 22

• Self IP and Subnet mask
• DNS IPs
• Default gateway (router) IP

Question 23

How would you view the IP routing table on a Windows or MAC host?

Answer 23

netstat -rn

Question 24

How would you view the default gateway and DNS servers on a Mac given the ifconfig command doesn’t?

Answer 24

networksetup-getinfo

networksetup-getdnsservers

Question 25

How does DHCP Snooping work?

Answer 25

Switch analyzes incoming messages on specified subset of ports in VLAN depending on if it is a trusted or untrusted port.

If messages appear on

Question 26

What layer does DHCP Snooping operate at?

Answer 26

Layer 2

Question 27

What are DHCP RELEASE and DECLINE messages?

Answer 27

Clients can use DHCP RELEASE to tell the server they don’t need the IP assigned to them anymore

Clients can use DHCP DECLINE to turn down the use of an IP during the DORA flow

Question 28

What are the DHCP Snooping rules for an Untrusted interface

Answer 28

• If normally sent by servers, discard the message
• Filter client DISCOVER and REQUEST messages to check for MAC address consistency between Ethernet frame and DHCP message
• Filter client RELEASE and DECLINE checking the incoming interface + IP vs the DHCP Snooping binding table
• For messages not filtered that result in a DHCP release, add a new entry to the binding table

Question 29

What is the chaddr?

Answer 29

Client Hardware Address field in a DHCP message

Question 30

What is the DHCP Snooping Binding Table?

Answer 30

A table that keeps track of DHCP addresses that are assigned through switch ports. A map of MACs to IPs

Question 31

What is in a DHCP Snooping Binding Table entry?

Answer 31

• Client MAC
• IP
• DHCP Lease time
• VLAN number
• Interface

Question 32

How do you enable DHCP Snooping on a switch?

Answer 32

ip dhcp snooping
ip dhcp snooping vlan 11
no ip dhcp snooping information option

OPTIONAL
interface Ge0/1
ip dhcp snooping trust

Question 33

How do you enable an interface to be trusted by DHCP Snooping?

Answer 33

ip dhcp snooping trust

Question 34

How do you show DHCP Snooping config information?

Answer 34

show ip dhcp snooping

Question 35

What does “Insertion of option 82 is disabled” mean?

Answer 35

That Option 82 DHCP header field that is inserted by DHCP Relay agents is disabled, which is necessary when the device is not acting as a relay agent (L3 switch too)

Question 36

How do you make DHCP Snooping work on a switch that is NOT also a DHCP relay agent?

Answer 36

Disabled Option 82 feature

no ip dhcp snooping information option

Question 37

How does DHCP Snooping prevent attacks that involve it being overwhelmed by large volumes of messages?

Answer 37

Optional feature that tracks the number of incoming DHCP messages over a 1 second period and if the limit is exceeded moves the port into err-disabled state

Question 38

How can you set the DHCP Snooping rate limit?

Answer 38

Interface subcommand:

ip dhcp snooping limit rate {number}

Question 39

How do you allow an interface to automatically recover from being moved into err-disabled by DHCP Snooping rate limit trigger?

Answer 39

errdisable recovery cause dhcp-rate-limit

errdisable recovery interval 30

Question 40

What two sources of data does DAIs core feature compare incoming ARP messages with?

Answer 40

• DHCP Snooping binding table

- ARP ACLs

Question 41

What is gratuitous ARP?

Answer 41

An ARP reply message sent without having received a request. Essentially a host informing all hosts in the subnet about its MAC address

Question 42

What do gratuitous ARPs allow attackers to do?

Answer 42

Make other hosts change their ARP tables

Question 43

What does the DHCP Snooping feature record about a DHCP message?

Answer 43

The IP address leased to a host and that hosts MAC

Question 44

What does DAI do for untrusted ports?

Answer 44

Compares the ARP message’s origin IP and MAC to entries in the DHCP Snooping binding table.

It lets the ARP through if the IP and MAC matches an entry in the table

Question 45

What type of ports should be trusted by DAI?

Answer 45

Anything other than links to end user devices

Question 46

What are ARP ACLs?

Answer 46

Used by DAI as lists of statically configured correct pairs of IP and MACs.

DAI looks in both the DHCP Snooping binding data and these ARP ACLs

Question 47

What other message comparisons can be made that cause an ARP message to be discarded?

Answer 47

• Ethernet header Source MAC != Origin MAC
• ARP Replies where Destination MAC != Target MAC
• Messages with unexpected IPs in the two ARP IP fields

Question 48

True/False: DAI does it’s work in the Switch CPU and DHCP does it’s work in the Switch ASIC

Answer 48

False. They both do their work on the CPU

Question 49

What is the downside of DAI with respects to DoS?

Answer 49

Because it uses the CPU it is susceptible to DoS attacks

Question 50

True/False: DAI defaults to the ‘untrusted’ setting

Answer 50

True

Question 51

How do you enable ARP inspection?

Answer 51

ip arp inspection vlan 11

interface Ge0/1
ip arp inspection trust

Question 52

What happens if you just enable DAI but not DHCP Snooping or configure ARP ACLs?

Answer 52

The switch would filter all ARPs entering all untrusted ports in the configured VLAN

Question 53

How do you show ARP inspection information including variables and counters?

Answer 53

show ip arp inspection

Question 54

How do you show the DHCP Snooping binding table?

Answer 54

show ip dhcp snooping binding

Question 55

How do you show ARP inspection statistics?

Answer 55

show ip arp inspection statistics

Question 56

What is a key difference between DAI and DHCP Snooping rate limiting with respect to defaults?

Answer 56

DAI defaults to use rate limits for all interfaces (trusted and untrusted)

DHCP Snooping defaults to not using rate limits

Question 57

What is a key difference between DAI and DHCP Snooping rate limiting with respect to intervals?

Answer 57

DAI allows configuration of the burst interval (number of seconds over which the rate is measured)

DHCP Snooping does not define a burst setting

Question 58

How do you allow automatic recovery from the errdisable state when ARP inspection was the cause?

Answer 58

errdisable recovery cause arp-inspection

errdisable recovery interval 30

Question 59

How do you modify the rate limit settings for ARP inspection?

Answer 59

ip arp inspection limit rate 8 burst interval 4

Question 60

What is the default rate limit and burst settings for ARP inspection?

Answer 60

15 messages over a 1 second burst

Question 61

How do you view ARP inspection settings for each interface?

Answer 61

show ip arp inspection interfaces

Question 62

How do you enable additional ARP inspection options?

Answer 62

ip arp inspection validate { dst-mac | ip | src-mac }

Question 63

True/False: DHCP Snooping could be implemented on L2 switches

Answer 63

True