DHCP Snooping

DHCP Snooping:

DHCP snooping is a layer 2 technique that ensures IP integrity in a layer 2 switched domain by stopping rogue DHCP servers. How?

  1. By enabling DHCP snooping on the switch
  2. By enabling DHCP snooping on the VLAN(s)
  3. And by configuring the ports that lead to legitimate DHCP servers as trusted

What is a rogue DHCP server and how does it affect networks?

A rogue DHCP server is an unauthorized, destructive DHCP server that is planted intentionally to sniff and reroute frames and to carry out man-in-the-middle (MITM) attacks, DoS attacks and DHCP starvation (address pool exhaustion) attacks. Sometimes it also happens accidentally, when someone plugs a device with a DHCP server enabled, such as an Internet modem or a Wi-Fi router, into the network.

How does this happen?

DHCP is used to auto-configure the connection information for devices that do not have static IP assignments. Unless specifically configured to work together, multiple DHCP servers can cause clients and network devices to receive IP addresses, subnet masks, gateway addresses and other information that conflicts with how the network should be working. In the accidental case, a client that receives a wrong IP address, subnet mask or gateway address is left with nowhere to go and cannot reach the corporate network services. In the malicious case the damage can be far greater: DHCP starvation (pool exhaustion), DoS and MITM attacks. The tricky part of these attacks is that the clients have no clue anything is wrong. Hence DHCP snooping, a layer 2 technique to mitigate such attacks.

How does DHCP snooping mitigate these threats and attacks?

The DHCP snooping feature performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Rate-limits DHCP traffic from trusted and untrusted sources.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

The default trust state of all interfaces is untrusted. You must configure the interfaces facing your DHCP servers as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host-facing ports as trusted.
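The four activities listed above as an added example, not vendor code: a small Python model of a switch applying DHCP snooping, with all port names, MAC addresses and leased addresses constructed. It drops server messages arriving on untrusted ports, checks that a client's chaddr matches its source MAC, learns bindings from the real server's ACK, rejects RELEASE/DECLINE messages that do not match a binding, and enforces a per-port rate limit.

```python
"""DHCP snooping model (constructed example): trust, validation, bindings, rate limit."""
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server originates these

@dataclass
class DhcpMsg:
    port: str         # ingress switch port
    src_mac: str      # Ethernet source MAC
    chaddr: str       # client hardware address field in the DHCP payload
    kind: str         # DISCOVER/OFFER/REQUEST/ACK/NAK/RELEASE/DECLINE
    yiaddr: str = ""  # address being leased (OFFER/ACK)
    vlan: int = 10

@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports facing real DHCP servers
    rate_limit: int = 15                          # DHCP packets per port per interval
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> requesting port
    counters: dict = field(default_factory=lambda: defaultdict(int))
    drops: list = field(default_factory=list)

    def _drop(self, m, why):
        self.drops.append((m.port, m.kind, why))
        return False

    def process(self, m):
        """Return True if the packet is forwarded, False if snooping drops it."""
        self.counters[m.port] += 1
        if self.counters[m.port] > self.rate_limit:
            return self._drop(m, "rate limit exceeded")
        key = (m.vlan, m.chaddr)
        if m.port in self.trusted:
            if m.kind == "ACK" and key in self.pending:  # lease confirmed: bind it
                self.bindings[key] = (m.yiaddr, self.pending.pop(key))
            return True
        # The checks below apply only to untrusted (host-facing) ports.
        if m.kind in SERVER_MSGS:
            return self._drop(m, "server message on untrusted port (rogue server)")
        if m.src_mac.lower() != m.chaddr.lower():
            return self._drop(m, "chaddr does not match source MAC")
        if m.kind in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound is None or bound[1] != m.port:
                return self._drop(m, "RELEASE/DECLINE does not match binding")
        else:
            self.pending[key] = m.port  # remember which port the client asked from
        return True

def demo():
    """Walk one lease through the switch; returns decisions, bindings, drops."""
    sw = SnoopingSwitch(trusted={"Gi1/0/1"})  # uplink to the legitimate server
    client, server, rogue = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:03", "bb:bb:bb:00:00:02"
    steps = [
        DhcpMsg("Gi1/0/5", client, client, "DISCOVER"),            # forwarded
        DhcpMsg("Gi1/0/7", rogue, client, "OFFER", "10.0.0.200"),  # untrusted: dropped
        DhcpMsg("Gi1/0/1", server, client, "OFFER", "10.0.0.50"),  # trusted: forwarded
        DhcpMsg("Gi1/0/5", client, client, "REQUEST"),             # forwarded
        DhcpMsg("Gi1/0/1", server, client, "ACK", "10.0.0.50"),    # binding learned
        DhcpMsg("Gi1/0/7", client, client, "RELEASE"),             # wrong port: dropped
    ]
    return [sw.process(m) for m in steps], dict(sw.bindings), sw.drops
```

On a real switch the rate-limit drop would normally err-disable the port; here it only records the drop.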

GNS3 and SecureCRT: router names on the console tab

Recently, after some updates on my Windows 7 computer, I started to face an issue with router names on the console tab while running the SecureCRT screen in GNS3. The exact issue was that every time I opened a SecureCRT console on a GNS3 router, the name of the router on the tab appeared as “Dynamips(0):R1,Console port”, whereas the actual name should be just R1, R2, R3 etc. See the screenshot:


This gets very uncomfortable when the number of routers grows, and it is really difficult to know which router I am actually working on. Therefore I had to search for a solution, and found these two possible fixes.

  1. Right-click on the tab and rename it. The caveat is that you have to do this on each and every router.
  2. Change the terminal parameters in the GNS3 preferences menu. For this, see the screenshots below:


Click on Terminal Settings, remove the arguments “/arg %d /T /telnet %h %p” and change them to “/T /N %d /telnet 127.0.0.1 %p”.


After changing the parameters click the Apply and OK buttons. You should then see the exact router names on the tabs when you open the consoles.


Injecting (propagating) Default Route via EIGRP

Default route: a route that matches the destination of all packets not matched by any other route in the IP routing table. It can also be called the ultimate summary route, 0.0.0.0/0 (all IPv4 addresses).

There are different methods to inject a default route into the EIGRP process:

  1. Injecting a static default route with the redistribute command in the EIGRP routing process, or advertising the static default route.
  2. Injecting a default route using the default-network command.
  3. Summarizing the static default route (0.0.0.0/0).

In all these scenarios one must define the static default route first; only then can you advertise it, redistribute it, create a summary address for it, or make that static route the default network.

To illustrate these methods I have set up a very simple topology.


All these routers exchange routes using EIGRP AS 100, except for the network 30.1.1.0. This 30.1.1.0 network emulates a remote network that R1 and R2 are trying to reach. Hence the task of this lab is to inject a default route into R1 and R2 so they can reach network 30.1.1.0.

Let’s check the routing table of each router.

R1:

Gateway of last resort is not set 

       1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

     2.0.0.0/24 is subnetted, 1 subnets

D       2.1.1.0 [90/307200] via 1.1.1.2, 00:13:47, FastEthernet0/0

     20.0.0.0/24 is subnetted, 1 subnets

D       20.1.1.0 [90/409600] via 1.1.1.2, 00:13:47, FastEthernet0/0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Loopback0

Neither router's table contains the 30.0.0.0 network, simply because R3 is not advertising it, so neither of them can reach it.

R2:

Gateway of last resort is not set 

     1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

     2.0.0.0/24 is subnetted, 1 subnets

C       2.1.1.0 is directly connected, FastEthernet0/1

     20.0.0.0/24 is subnetted, 1 subnets

C       20.1.1.0 is directly connected, Loopback0

     10.0.0.0/24 is subnetted, 1 subnets

D       10.1.1.0 [90/409600] via 1.1.1.1, 00:15:14, FastEthernet0/0

Redistributing Static Default route:

Let’s first try injecting the default route using the redistribute command under the EIGRP process. First we need to define a static route on R2. Why R2? Because it is directly connected to R3.

R2#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#ip route 0.0.0.0 0.0.0.0 f0/1

(The route 0.0.0.0 0.0.0.0 matches any destination that is currently not in the routing table; such traffic will be forwarded out the f0/1 interface.)

R2(config)#router eigrp 100

R2(config-router)#redistribute static metric 1544 10 255 1 1500   

Now let’s check the routing table of R1:

Gateway of last resort is 1.1.1.2 to network 0.0.0.0 

     1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

     2.0.0.0/24 is subnetted, 1 subnets

D       2.1.1.0 [90/307200] via 1.1.1.2, 00:28:59, FastEthernet0/0

     20.0.0.0/24 is subnetted, 1 subnets

D       20.1.1.0 [90/409600] via 1.1.1.2, 00:28:59, FastEthernet0/0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Loopback0

D*EX 0.0.0.0/0 [170/1686016] via 1.1.1.2, 00:00:06, FastEthernet0/0

As you can see, the default route has been successfully redistributed into R1. D*EX means this is an external EIGRP route (learned through redistribution) and a candidate default, reachable via 1.1.1.2. The gateway of last resort now points to the same next hop for unknown destinations (0.0.0.0). Let’s try to ping the 30.0.0.0 network from R1.

R1#ping 30.1.1.1

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/44/68 ms

One could also configure a more specific static route if the destination network is clearly known. In our example we have clear information about the destination network, 30.1.1.0, so we could configure the static route as:

ip route 30.1.1.0 255.255.255.0 f0/1

However, the caveat is that this would not be a candidate default route! Let’s test this configuration and check the routing table on R1.

R2#config

Configuring from terminal, memory, or network [terminal]? t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

R2(config)#ip route 30.1.1.0 255.255.255.0 f0/1

R2(config)#

R1#sh ip route

Gateway of last resort is not set 

     1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

     2.0.0.0/24 is subnetted, 1 subnets

D       2.1.1.0 [90/307200] via 1.1.1.2, 00:12:49, FastEthernet0/0

     20.0.0.0/24 is subnetted, 1 subnets

D       20.1.1.0 [90/409600] via 1.1.1.2, 00:12:54, FastEthernet0/0

     10.0.0.0/24 is subnetted, 2 subnets

C       10.41.41.0 is directly connected, Serial0/0

C       10.1.1.0 is directly connected, Loopback0

     30.0.0.0/24 is subnetted, 1 subnets

D EX    30.1.1.0 [170/1686016] via 1.1.1.2, 00:05:16, FastEthernet0/0 

If you carefully analyze the routing table you will observe that the route is no longer a candidate default; it is just an external route, and the gateway of last resort is not set. That is because there is no * between D and EX; the * marks a candidate default. Let’s try to ping this network.

R1#ping 30.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/53/84 ms

Good! We are able to get there; the only concern is that it is not a candidate default.
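The distinction above between a true default (0.0.0.0/0, used only when nothing more specific matches) and a specific route that merely reaches 30.1.1.0 can be reproduced by parsing the show ip route excerpts from R1 and doing a longest-prefix match. This is an added Python example, not code from the page; the excerpts are copied from R1's tables above, and the regular expressions are my own assumptions about the IOS output format.

```python
"""Parse IOS 'show ip route' lines and resolve destinations by longest match.
Added example; the two excerpts are R1's tables from the page: first with
0.0.0.0/0 redistributed, then with the specific 30.1.1.0/24 instead."""
import ipaddress
import re

R1_WITH_DEFAULT = """\
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
D       20.1.1.0 [90/409600] via 1.1.1.2, 00:28:59, FastEthernet0/0
D*EX 0.0.0.0/0 [170/1686016] via 1.1.1.2, 00:00:06, FastEthernet0/0
"""
R1_WITH_SPECIFIC = """\
     20.0.0.0/24 is subnetted, 1 subnets
D       20.1.1.0 [90/409600] via 1.1.1.2, 00:12:54, FastEthernet0/0
     30.0.0.0/24 is subnetted, 1 subnets
D EX    30.1.1.0 [170/1686016] via 1.1.1.2, 00:05:16, FastEthernet0/0
"""

SUBNET_HDR = re.compile(r"^\s+\S+/(\d+) is subnetted")
ROUTE = re.compile(r"^([A-Z][A-Z* ]*?)\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s+"
                   r"(?:\[(\d+)/(\d+)\] via (\S+),|is directly connected, (\S+))")

def parse_routes(text):
    """Return one dict per route: code, network, candidate-default flag, next hop, AD."""
    routes, prefixlen = [], None
    for line in text.splitlines():
        hdr = SUBNET_HDR.match(line)
        if hdr:                      # header supplies the length for the lines below it
            prefixlen = int(hdr.group(1))
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        code, addr, plen, ad, metric, via, intf = m.groups()
        routes.append({
            "code": code.strip(),
            "network": ipaddress.ip_network(f"{addr}/{plen or prefixlen}"),
            "candidate_default": "*" in code,
            "next_hop": via or intf,
            "ad": int(ad) if ad else 0,
        })
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins, so
    0.0.0.0/0 is used only when nothing else matches (the last resort)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["network"].prefixlen)
    return str(best["network"]), best["next_hop"]

def gateway_of_last_resort(routes):
    """Next hop of the candidate default (*), or None when IOS says 'not set'."""
    for r in routes:
        if r["candidate_default"]:
            return r["next_hop"]
    return None
```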

Advertising Static Default route:

Now let’s play with one more variation. We will use the same all-zeros static route, 0.0.0.0/0, but instead of redistributing it we will advertise it into the EIGRP process. When the static route is advertised this way it shows up as an internal EIGRP route on the neighbor router.

R2#config t

R2(config)#no ip route 30.1.1.0 255.255.255.0 f0/1

R2(config)#ip route 0.0.0.0 0.0.0.0 f0/1

R2(config)#router eigrp 100

R2(config-router)#no redistribute static metric 1544 10 255 1 1500

R2(config-router)#network 0.0.0.0

Let’s check the routing table of R1

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

      1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

     2.0.0.0/24 is subnetted, 1 subnets

D       2.1.1.0 [90/307200] via 1.1.1.2, 00:34:47, FastEthernet0/0

     20.0.0.0/24 is subnetted, 1 subnets

D       20.1.1.0 [90/409600] via 1.1.1.2, 00:34:52, FastEthernet0/0

     10.0.0.0/24 is subnetted, 2 subnets

C       10.41.41.0 is directly connected, Serial0/0

C       10.1.1.0 is directly connected, Loopback0

D*   0.0.0.0/0 [90/307200] via 1.1.1.2, 00:01:43, FastEthernet0/0

As you can see, we have successfully advertised the default route. Here the route is flagged D*, which means it is a normal (internal) EIGRP route and a candidate default. Similarly, one could also use the following method with the specific route:

R2(config)#ip route 30.1.1.0 255.255.255.0 f0/1

R2(config)#router eigrp 100

R2(config-router)#network 30.0.0.0

This second method will not create a candidate default!

Summarizing the Static Default route:

We will use the same default route (0.0.0.0/0), summarized on R2’s f0/0 interface toward R1.

Configuration snapshot:

R2(config)#ip route 0.0.0.0 0.0.0.0 f0/1

R2(config)#interface f0/0

R2(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0

Alright, now let’s try the default-network command and see how it goes.

With the default-network command we can advertise a non-zero network number as the default network. For this to work, the following two conditions must always be true:

  1. The network number must be a classful network number (class A, B or C).
  2. The network must be present in the routing table of the originating router.

Keeping these two conditions in mind, we have to change the IP addressing scheme in our topology.

Notice: the network between R2 and R3 is changed to a class A network, and the IP addresses on both interfaces have changed accordingly. I have also added one more router, R4, to see how the default network propagates through the network.

Since R2 is originating the default network, it should have this route in its routing table, right? Let’s check:

R2#sh ip route

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

C    2.0.0.0/8 is directly connected, FastEthernet0/1

     20.0.0.0/24 is subnetted, 1 subnets

C       20.1.1.0 is directly connected, Loopback0

     10.0.0.0/24 is subnetted, 2 subnets

D       10.41.41.0 [90/2195456] via 1.1.1.1, 00:30:47, FastEthernet0/0

D       10.1.1.0 [90/409600] via 1.1.1.1, 00:30:47, FastEthernet0/0

     30.0.0.0/24 is subnetted, 1 subnets

R2 does have the network: C 2.0.0.0/8 is directly connected, FastEthernet0/1

Alright, both conditions are true, so we are all set to go!

Again we need to define a static route on R2 to the 30.1.1.0 network via 2.1.1.2 (R3’s address):

ip route 30.1.1.0 255.255.255.0 2.1.1.2

Now let’s define the default network:

ip default-network 2.0.0.0

Configuration snapshot:

R2#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#ip route 30.1.1.0 255.255.255.0 2.1.1.2

R2(config)#ip default-network 2.0.0.0

R2(config)#end

Let’s check its routing table. As you can see, we have both the candidate default (C*) and the static route (S).

R2#sh ip route

Gateway of last resort is not set 

     1.0.0.0/24 is subnetted, 1 subnets

C       1.1.1.0 is directly connected, FastEthernet0/0

C*   2.0.0.0/8 is directly connected, FastEthernet0/1

     20.0.0.0/24 is subnetted, 1 subnets

C       20.1.1.0 is directly connected, Loopback0

     10.0.0.0/24 is subnetted, 2 subnets

D       10.41.41.0 [90/2195456] via 1.1.1.1, 00:38:27, FastEthernet0/0

D       10.1.1.0 [90/409600] via 1.1.1.1, 00:38:27, FastEthernet0/0

     30.0.0.0/24 is subnetted, 1 subnets

S       30.1.1.0 [1/0] via 2.1.1.2

R2#

Let’s ping the remote network address 30.1.1.1

R2#ping 30.1.1.1 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/35/48 ms

R2#

Let’s check the routing table of R4. Sure enough, it has the candidate default (D*) learned via EIGRP, and the ping that follows shows it can reach the remote network as well. This method is effective for advertising a connection to the Internet.

R4#sh ip route

Gateway of last resort is 10.41.41.1 to network 2.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets

D       1.1.1.0 [90/2195456] via 10.41.41.1, 05:34:00, Serial0/0

D*   2.0.0.0/8 [90/2221056] via 10.41.41.1, 00:04:19, Serial0/0

     20.0.0.0/24 is subnetted, 1 subnets

D       20.1.1.0 [90/2323456] via 10.41.41.1, 02:28:07, Serial0/0

     10.0.0.0/24 is subnetted, 2 subnets

C       10.41.41.0 is directly connected, Serial0/0

D       10.1.1.0 [90/2297856] via 10.41.41.1, 05:34:00, Serial0/0

R4#ping 30.1.1.1 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/65/68 ms

R4#

BGP Synchronization rule and why is it there?

The BGP synchronization rule states that “a BGP router should not use or advertise a route learned by iBGP to an external neighbor, unless that route is local or learned from the IGP (EIGRP, OSPF, RIP or IS-IS).” This synchronization rule was a loop-prevention mechanism from the old days and was enabled by default, since not all routers were BGP speakers then. Synchronization was kept enabled to ensure that there were no black holes inside the ISP’s AS: intermediate routers taking part only in the IGP would then know how to route traffic to the destination.

Nowadays this rule comes disabled by default, and one can also disable it if either of the following conditions is true:

  1. Your AS does not pass traffic from one AS to another AS.
  2. All the transit routers in your AS run BGP.

Disabling synchronization allows routers to carry fewer routes in the IGP and lets BGP converge more quickly.

OSPF Lab

OSPF is configured on routers R2 and R3. R2’s S0/0 interface and R3’s S0/1 interface are in Area 0. R3’s Loopback0 interface is in Area 3.

Figure: OSPF lab topology

Tasks:

  1. Put R1’s S0/0 interface in Area 12.
  2. Put R2’s S0/1 interface in Area 12.
  3. Use the appropriate mask such that only R1’s S0/0 and R2’s S0/1 can be in Area 12.
  4. Area 12 should not receive any external or inter-area routes (except the default route).

Solution and Explanations:

The tasks state that we need to configure R1’s S0/0 and R2’s S0/1 interfaces in area 12, using an appropriate mask such that only R1’s S0/0 and R2’s S0/1 end up in area 12. So here we need to derive the wildcard bits. If you look at the IP addresses on the serial link between R1 and R2, the mask is /30 (CIDR), i.e. 255.255.255.252. We know that a /30 has only two usable IP addresses, and it is the preferred way of assigning addresses on serial interfaces. To get wildcard bits that include just these two IP addresses we subtract the mask 255.255.255.252 from 255.255.255.255:

  255.255.255.255
- 255.255.255.252
  ===============
    0.  0.  0.  3 (wildcard bits)

It is easy to find the wildcard bits when the mask is already given in CIDR notation (/30). However, if a classful mask (/8, /16 or /24) were used, the wildcard derived from it would not be precise enough to match just these two addresses. In that case write down the IP addresses and do the calculation in binary. In our network the IP addresses between R1 and R2 are 192.168.4.5 and 192.168.4.6:

192.168.4.5

192.168.4.6

Now convert the fourth octet into binary and group the common bits. The first three octets are already identical in both addresses (192.168.4):

      128  64  32  16   8   4   2   1
5       0   0   0   0   0   1   0   1
6       0   0   0   0   0   1   1   0

Now count the leading bits that are common in the conversion above: 6 bits, right? Then add up the common bits of every octet to get the prefix length (CIDR).

The first octet of both IP addresses is 192, i.e. all 8 bits are common.

The second octet of both IP addresses is 168, i.e. all 8 bits are common.

The third octet of both IP addresses is 4, i.e. all 8 bits are common.

In the fourth octet the IP addresses differ (5 and 6), so there are 6 common bits.

Therefore the sum of all common bits is: 8+8+8+6 = 30

This (/30) is the CIDR notation for the mask.

Now we need to derive the subnet mask for each octet. Experienced people can tell it just by looking at those common bits: 255.255.255.252.

If you are not comfortable with IP addressing, the following table gives the mask value of an octet for a given number of leading 1 bits:

Bits set (from the left)    1     2     3     4     5     6     7     8
Mask value                128   192   224   240   248   252   254   255

Again we don’t have to worry about the first three octets, because all their bits are common, so their mask value is 255. How and why?

8 common bits means all 8 bits are 1s = 11111111 = 255 (128+64+32+16+8+4+2+1, the binary place values).

Thus we get the following subnet mask:

Common bits:   8          8          8          6
Binary:        11111111 . 11111111 . 11111111 . 11111100
Mask:          255      . 255      . 255      . 252

Once we have the subnet mask we can invert it to get the wildcard bits:

  255.255.255.255
- 255.255.255.252
  ===============
    0.  0.  0.  3 (wildcard bits)

So with this we have found the exact wildcard bits to include only 192.168.4.5 and 192.168.4.6 in OSPF area 12. See the configuration below.

R1(config)#router ospf 1

R1(config-router)#network 192.168.4.4 0.0.0.3 area 12

R1(config-router)#end

R2(config)#router ospf 1

R2(config-router)#network 192.168.4.4 0.0.0.3 area 12

R2(config-router)#end
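The wildcard derivation walked through above (common leading bits, prefix length, subnet mask, inverse mask) as an added Python example, not part of the original post. It generalizes the procedure to any number of host addresses and also checks which addresses a given network statement would match under IOS wildcard semantics.

```python
"""Derive the OSPF network/wildcard statement covering a set of hosts.
Added example implementing the procedure from the post: common leading
bits -> prefix length -> subnet mask -> wildcard (inverse mask)."""
import ipaddress

def to_bits(ip):
    """Dotted IPv4 address -> 32-character binary string."""
    return format(int(ipaddress.ip_address(ip)), "032b")

def common_prefix_length(ips):
    """Count the leading bits shared by every address (the CIDR length)."""
    bits = [to_bits(ip) for ip in ips]
    n = 0
    while n < 32 and len({b[n] for b in bits}) == 1:
        n += 1
    return n

def mask_from_prefix(plen):
    """Prefix length -> dotted subnet mask (e.g. 30 -> 255.255.255.252)."""
    value = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return str(ipaddress.ip_address(value))

def wildcard_from_mask(mask):
    """Inverse mask: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def ospf_network_statement(ips, area):
    """Build the tightest 'network <addr> <wildcard> area <n>' covering ips."""
    plen = common_prefix_length(ips)
    net = ipaddress.ip_network(f"{ips[0]}/{plen}", strict=False)
    wildcard = wildcard_from_mask(mask_from_prefix(plen))
    return f"network {net.network_address} {wildcard} area {area}"

def matches(network, wildcard, ip):
    """IOS wildcard semantics: wildcard bits set to 0 must match, bits set
    to 1 are ignored (0.0.0.3 ignores the last two bits of the address)."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(network)) & care)
```

Note that 0.0.0.3 also covers 192.168.4.4 and 192.168.4.7, but OSPF only ever matches the addresses actually configured on interfaces, so the statement still enables just the two serial interfaces.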

If you are not sure about the network address (192.168.4.4) that I have used above, then refer here.

Now our second task is to prevent any external or inter-area routes into area 12 except the default route.

To achieve this task we apply the OSPF concept of a TSA (totally stubby area) to area 12. TSA is Cisco proprietary, so the router on which you configure it has to be a Cisco router. Configuring area 12 as a TSA blocks type 3, 4 and 5 LSAs from entering area 12 (the one exception is the default route, which the ABR injects as a type 3 summary LSA).

OSPF LSA Types and its details

LSA Type   Name                 Details
1          Router LSA           Generated by all routers in an area to describe their directly attached links
2          Network LSA          Advertised by the DR of a broadcast network (does not cross the ABR)
3          Summary LSA          Advertised by the ABR of the originating area into other areas
4          ASBR summary LSA     Generated by the ABR of the originating area to advertise an ASBR to all other areas in the AS
5          AS external LSA      Used by the ASBR to advertise networks from other ASes
7          NSSA external LSA    Generated by an ASBR inside a not-so-stubby area to describe routes redistributed into the NSSA

OSPF LSA types that are and are not allowed in each area type:

Area type             Type 1 & 2 (within area)   Type 3 (from other area)   Type 4   Type 5   Type 7
Standard & Backbone   Yes                        Yes                        Yes      Yes      Yes
Stub                  Yes                        Yes                        No       No       No
TSA                   Yes                        No                         No       No       No
NSSA                  Yes                        Yes                        No       No       Yes
Totally stubby NSSA   Yes                        No                         No       No       Yes

With this information let’s go and check the routing table of R1 and see what kind of routes are there.

Gateway of last resort is not set

192.168.4.0/30 is subnetted, 1 subnets

C       192.168.4.4 is directly connected, Serial0/0

R1#

Just the directly connected network.

Let’s configure area 12 as a TSA. For this you need to configure area 12 as stub on R1, and as stub with the no-summary keyword on R2 (the ABR):

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#router ospf 1

R1(config-router)#area 12 stub

R2 (ABR):

R2(config)#router ospf 1

R2(config-router)#area 12 stub no-summary

Now let’s check the routing table of R1.

R1#sh ip route

Gateway of last resort is 192.168.4.6 to network 0.0.0.0

192.168.4.0/30 is subnetted, 1 subnets

C       192.168.4.4 is directly connected, Serial0/0

O*IA 0.0.0.0/0 [110/65] via 192.168.4.6, 00:00:21, Serial0/0

R1#

As expected we have a default route from the ABR (R2 router).