
Task 1.18
Hi!
I am looking at the task in the CCNP workbook relating to DHCP snooping and DAI, and bullet point 3 says to allow for static addresses for R4 and R6. I am not sure how to approach this task. Anyone going through the workbook who might have completed this task already?
Erick
Comments
DAI relies on the DHCP Snooping Binding Database to figure out what ARP
replies should be allowed. The problem is that if there are devices on
the segment that aren't running DHCP, the Snooping Binding Database
will not be populated with their IP address and MAC address pair, and
therefore their ARP request/replies will be dropped. To make a static
exception to DAI an ARP ACL is needed, with permit statements for their
individual IP address and MAC address pairings.
HTH,
(R&S/SP/Security)
[email protected]
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.INE.com
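The ARP ACL approach described above, written out as an added Cisco IOS configuration example (this is not from the thread, the workbook, or INE). VLAN 10, the interface names, and the IP/MAC pairs for R4 and R6 are constructed placeholders; substitute the real addressing from the task.

```cisco
! --- DHCP Snooping: builds the binding database that DAI consults ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Static exception for hosts that never use DHCP (R4 and R6) ---
! Placeholder IP/MAC pairs; replace with the real values from the task.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.4 mac host 0000.0000.0004
 permit ip host 10.0.10.6 mac host 0000.0000.0006
!
! --- Dynamic ARP Inspection on the VLAN, with the ARP ACL applied ---
! The ARP ACL is checked before the snooping binding database. An ARP
! packet with R4's IP but a different MAC (the attacker case from the
! thread) does not match a permit entry, falls through to the binding
! database, finds no entry there either, and is dropped.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Optional: append the "static" keyword to the filter command to treat the
! ACL's implicit deny as an explicit deny, so the binding database is not
! consulted at all for packets the ACL does not permit:
!   ip arp inspection filter STATIC-HOSTS vlan 10 static
!
! --- Only the uplink toward the DHCP server is trusted by both features ---
interface FastEthernet0/1
 description uplink to DHCP server (placeholder interface)
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports toward R4 and R6 stay untrusted (the default); their ARP
! traffic is inspected and permitted only by the ARP ACL entries above.
interface FastEthernet0/4
 description to R4 (placeholder interface)
 switchport access vlan 10
!
interface FastEthernet0/6
 description to R6 (placeholder interface)
 switchport access vlan 10
```

To verify, `show ip arp inspection vlan 10` confirms DAI is enabled and which ACL is applied, `show ip arp inspection statistics vlan 10` shows ACL-permitted versus dropped counts, and `show ip dhcp snooping binding` shows why R4 and R6 are absent from the database in the first place.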
eborgard wrote:
To the Cisco docs!
Erick
Brian,
Thanks for the reply. One other question if that's ok. Wouldn't it be acceptable to trust the interfaces for devices that aren't running DHCP? I'm a little confused by that.
Thanks,
Erick
Trust them under which feature? DHCP Snooping or DAI?
(R&S/SP/Security)
eborgard wrote:
I did find this link though. Maybe this can help me understand a little more.
http://ccietobe.blogspot.com/2009/01/dynamic-arp-inspection-with-non-dhcp.html
Thanks,
Erick
On Tue, Oct 13, 2009 at 2:47 PM, Brian McGahan <[email protected]> wrote:
Ok. I think I understand now. Correct me if I go in the wrong direction. If there are hosts on the network that have static IP addresses, like a printer for example, we can create an ARP ACL to allow that IP to MAC pair for that port, but if an attacker tried to use the printer's port to initiate an attack, then those ARP requests would be dropped with DAI because, although the IP address might be the same, the MAC address would be different, so those requests/replies would be dropped. I hope I got that right. I think I got confused wondering why we couldn't just trust the ports going to the routers because they would be secured from the outside world. I was not considering that we were using the routers as an example for a typical host environment.
Erick
The key is that "trusting the port" from a DAI inspection is
configuring the ARP ACL. Also your example is correct assuming the
attacker has the wrong MAC address but the correct IP address.
(R&S/SP/Security)