0029_Cisco: DHCP Snooping & DAI

DHCP Snooping is a security feature that monitors and filters DHCP messages between clients and servers. It builds a binding table of trusted IP-to-MAC addresses to prevent rogue DHCP servers.

DAI (Dynamic ARP Inspection) prevents ARP spoofing by inspecting ARP packets in the network. It verifies ARP packets against the DHCP Snooping binding table or static ARP ACLs to ensure only valid IP-to-MAC mappings are allowed.

#DHCP Snooping
#Works on Layer 2 only
#Must be activated on all switches that carry DHCP traffic
#Usually, uplink ports are configured as Trusted and downlink (access) ports remain Untrusted
#Helps to prevent DHCP Starvation attacks
#Helps to prevent DHCP Poisoning (Man in the Middle via a rogue DHCP server), very similar to ARP Poisoning
#It creates records in the DHCP Snooping Binding Table, which Dynamic ARP Inspection and IP Source Guard depend on

#Option 82 = DHCP Relay Agent Information Option, identifies the interface and VLAN that the DHCP request came in on
#	-Circuit ID	- VLAN/port identifier
#	-Remote ID	- switch MAC address


#DHCP Snooping filters messages
#-----------------------------------------------------------
#	DHCP Server messages			|	DHCP Client messages
#	 - OFFER						|	 - DISCOVER
#	 - ACK							|	 - REQUEST
#	 - NAK (opposite of ACK,		|	 - RELEASE
#	   declines a client's request)	|	 - DECLINE (client declines the offered IP)
#-----------------------------------------------------------

#If the packet comes in on a Trusted interface, it is forwarded without checking
#If the packet comes in on an Untrusted interface, it is checked:
#	-if it is a DHCP server message (OFFER/ACK/NAK), the packet is dropped
#	-if it is a DHCP client message, then:
#		-in DISCOVER/REQUEST messages the frame's source MAC is compared with the CHADDR field; if equal, permit, otherwise drop
#		-in RELEASE/DECLINE messages the client's IP/MAC is compared with the DHCP Snooping Binding Table (the entry must also belong to the ingress interface); if it matches, permit, otherwise drop
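The filtering rules above, modelled as an added example in Python (this is not Cisco code and not part of the original notes; interface names, MAC addresses, IP addresses and the 3 pps rate limit are constructed sample values). It shows the three decisions a switch makes on an untrusted port: dropping server messages, comparing the frame's source MAC with CHADDR, and checking RELEASE/DECLINE against the binding table, plus the per-interface rate limit that counters DHCP starvation.

```python
"""Added example: a Python model of the DHCP Snooping filtering rules (not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpMessage:
    kind: str          # one of SERVER_MESSAGES or CLIENT_MESSAGES
    src_mac: str       # Ethernet source address (the sending NIC)
    chaddr: str        # client hardware address field inside the DHCP payload
    ciaddr: str = ""   # client IP field, set by the client in RELEASE/DECLINE
    yiaddr: str = ""   # "your IP" field, set by the server in ACK


@dataclass
class Binding:
    ip: str
    interface: str
    vlan: int


@dataclass
class SnoopingSwitch:
    trusted: Set[str] = field(default_factory=set)
    rate_limit: Dict[str, int] = field(default_factory=dict)    # interface -> packets per second
    bindings: Dict[str, Binding] = field(default_factory=dict)  # chaddr -> entry (the binding table)
    err_disabled: Set[str] = field(default_factory=set)
    _pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # chaddr -> (ingress port, vlan)
    _seen: Dict[str, List[float]] = field(default_factory=dict)          # interface -> arrival times

    def _over_rate(self, interface: str, now: float) -> bool:
        """Count DHCP messages seen on an untrusted port within the last second."""
        limit = self.rate_limit.get(interface)
        if limit is None:
            return False
        recent = [t for t in self._seen.get(interface, []) if now - t < 1.0]
        recent.append(now)
        self._seen[interface] = recent
        return len(recent) > limit

    def filter(self, interface: str, vlan: int, msg: DhcpMessage, now: float = 0.0) -> str:
        """Return 'permit' or 'drop: <reason>' for one DHCP message arriving on interface."""
        if interface in self.trusted:
            # Trusted ports are not checked, but the server's ACK completes a binding
            if msg.kind == "ACK" and msg.chaddr in self._pending:
                port, pvlan = self._pending.pop(msg.chaddr)
                self.bindings[msg.chaddr] = Binding(msg.yiaddr, port, pvlan)
            return "permit"
        if interface in self.err_disabled:
            return "drop: interface is err-disabled"
        if self._over_rate(interface, now):
            self.err_disabled.add(interface)   # IOS err-disables the port at this point
            return "drop: rate limit exceeded, interface err-disabled"
        if msg.kind in SERVER_MESSAGES:
            return "drop: server message on untrusted interface"
        if msg.kind in ("DISCOVER", "REQUEST"):
            if msg.src_mac.lower() != msg.chaddr.lower():
                return "drop: frame source MAC != CHADDR"
            self._pending[msg.chaddr] = (interface, vlan)
            return "permit"
        if msg.kind in ("RELEASE", "DECLINE"):
            b = self.bindings.get(msg.chaddr)
            if b is None or b.ip != msg.ciaddr or b.interface != interface:
                return "drop: RELEASE/DECLINE does not match binding table"
            return "permit"
        return "drop: unknown DHCP message type"


def demo() -> dict:
    """Constructed scenario: Gi0/1 is the uplink toward the DHCP server (trusted),
    Gi0/2 and Gi0/3 are access ports; Gi0/3 is rate-limited to 3 pps."""
    sw = SnoopingSwitch(trusted={"Gi0/1"}, rate_limit={"Gi0/3": 3})
    client, server, other = "0c29.0001.2f68", "0c29.0000.00aa", "0c29.0000.00bb"
    r = {}
    r["discover"] = sw.filter("Gi0/2", 10, DhcpMessage("DISCOVER", client, client))
    r["offer"] = sw.filter("Gi0/1", 10, DhcpMessage("OFFER", server, client, yiaddr="192.168.1.100"))
    r["request"] = sw.filter("Gi0/2", 10, DhcpMessage("REQUEST", client, client))
    r["ack"] = sw.filter("Gi0/1", 10, DhcpMessage("ACK", server, client, yiaddr="192.168.1.100"))
    r["binding_ip"] = sw.bindings[client].ip
    # Messages on the untrusted Gi0/3 port, all at t=0, so three fit under the rate limit
    r["offer_untrusted"] = sw.filter("Gi0/3", 10, DhcpMessage("OFFER", other, client, yiaddr="10.0.0.5"))
    r["chaddr_mismatch"] = sw.filter("Gi0/3", 10, DhcpMessage("DISCOVER", other, client))
    r["release_wrong_port"] = sw.filter("Gi0/3", 10, DhcpMessage("RELEASE", other, client, ciaddr="192.168.1.100"))
    r["fourth_in_one_second"] = sw.filter("Gi0/3", 10, DhcpMessage("DISCOVER", other, other))
    r["release_valid"] = sw.filter("Gi0/2", 10, DhcpMessage("RELEASE", client, client, ciaddr="192.168.1.100"))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Note that the model learns a binding only when a trusted port sees the server's ACK for a client whose DISCOVER/REQUEST was permitted on an untrusted port, which is why a RELEASE arriving on a different port than the one in the binding is dropped even though its IP and MAC are correct.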

enable
	configure terminal
		ip dhcp snooping							#to activate DHCP snooping globally (does nothing until a VLAN is added)
		ip dhcp snooping vlan 1						#to activate DHCP snooping for a certain VLAN
		no ip dhcp snooping information option		#to disable insertion of Option 82 (an upstream relay/server may drop requests carrying Option 82 with giaddr 0.0.0.0)
		interface <interface>
			ip dhcp snooping trust					#to make an interface Trusted (uplink toward the DHCP server)
		interface <interface>
			ip dhcp snooping limit rate <packets/sec>	#interface-level rate limit on an Untrusted port, to prevent DHCP Starvation
	show ip dhcp snooping binding					#to show the DHCP Snooping Binding Table
	show ip dhcp snooping							#to show the enabled VLANs, Trusted interfaces and rate limits


#DAI (Dynamic ARP Inspection)
#DAI only filters ARP messages. All interfaces are Untrusted by default
#	Typically, all interfaces connected to other network devices (switches, routers) should be configured as Trusted
#	The interfaces connected to end hosts should remain Untrusted
#DAI inspects the sender's MAC address and sender's IP fields of ARP messages received on Untrusted interfaces
#	and checks that there is a matching entry in the DHCP Snooping Binding Table:
#		-if there is a matching entry, the ARP message is forwarded normally
#		-if there is no matching entry, the ARP message is discarded
#
#DAI doesn't check ARP messages received on Trusted interfaces. They are forwarded normally
#ARP ACLs can be manually configured to map IP addresses to MAC addresses for DAI to check. Useful for hosts that don't use DHCP
#Like DHCP Snooping, DAI supports a rate limit to prevent attackers from overwhelming the switch with ARP messages

#DHCP Snooping and DAI both require work from the switch's CPU
#Even if an attacker's messages are blocked, the attacker can still overload the CPU with ARP messages, which is what the rate limit protects against

#Example
#R1<=====>g0/0(SW2)g0/1<======>g0/0(SW1)===hosts

#SW2
enable
	configure terminal
		ip arp inspection vlan <vlan-id>				#to enable DAI for a VLAN; without this nothing is inspected
		interface range g0/0 - 1						#both links go to other network devices (R1 and SW1)
			ip arp inspection trust
			exit

#SW1
enable
	configure terminal
		ip arp inspection vlan <vlan-id>
		interface g0/0									#uplink toward SW2
			ip arp inspection trust
			ip arp inspection limit rate 25 burst interval 2	#allows 25 pps on average, measured over a 2-second burst interval
			exit
		errdisable recovery cause arp-inspection		#to re-enable automatically the ports that DAI err-disabled for exceeding the rate limit
	show ip arp inspection								#to show per-VLAN status and counters of forwarded/dropped ARP messages
		
#DAI optional checks (look into the ARP message body, not only the sender IP/MAC mapping)
		ip arp inspection validate {dst-mac | ip | src-mac}	#to check more than one option, list them all in one command
#Example
		ip arp inspection validate dst-mac ip				#a later validate command replaces the previous one instead of adding to it
		

#ARP ACLs
#Statically addressed devices (such as a switch's SVI) have no entry in the DHCP Snooping Binding Table, so DAI needs an ARP ACL for them
#Example
		arp access-list ARP-ACL-1
			permit ip host 192.168.1.100 mac host 0c29.0001.2f68
			exit
		ip arp inspection filter ARP-ACL-1 vlan 10
	show ip arp inspection
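The DAI behaviour described above (trusted/untrusted handling, the binding-table check, the optional `validate` checks and the ARP ACL fallback for hosts without a DHCP lease), modelled as an added example in Python. This is not Cisco code and not part of the original notes; the interface names, MAC addresses and IP addresses are constructed sample values, and the ACL semantics modelled are the IOS ones (a packet that matches no ACL entry falls back to the binding table unless the filter was applied with the `static` keyword).

```python
"""Added example: a Python model of the Dynamic ARP Inspection checks (not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    op: str           # "request" or "reply"
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address


@dataclass
class DaiSwitch:
    trusted: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[str, int], str] = field(default_factory=dict)   # (mac, vlan) -> ip, from DHCP snooping
    arp_acl: Dict[int, List[Tuple[str, str]]] = field(default_factory=dict)  # vlan -> permitted (ip, mac) pairs
    acl_static: Set[int] = field(default_factory=set)   # VLANs whose filter was applied with "static"
    validate: Set[str] = field(default_factory=set)     # subset of {"src-mac", "dst-mac", "ip"}

    @staticmethod
    def _valid_ip(ip: str) -> bool:
        """The 'ip' validation rejects 0.0.0.0, 255.255.255.255 and multicast addresses."""
        try:
            a = ip_address(ip)
        except ValueError:
            return False
        return not (a.is_unspecified or a.is_multicast or ip == "255.255.255.255")

    def _mapping_allowed(self, vlan: int, ip: str, mac: str) -> bool:
        if vlan in self.arp_acl:
            if (ip, mac) in self.arp_acl[vlan]:
                return True
            if vlan in self.acl_static:
                return False   # static: the ACL's implicit deny ends the check
        return self.bindings.get((mac, vlan)) == ip

    def inspect(self, interface: str, vlan: int, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop: <reason>' for one ARP packet arriving on interface."""
        if interface in self.trusted:
            return "forward"   # trusted ports are not inspected
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop: Ethernet source MAC != ARP sender MAC"
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return "drop: Ethernet destination MAC != ARP target MAC"
        if "ip" in self.validate:
            if not self._valid_ip(pkt.sender_ip) or (pkt.op == "reply" and not self._valid_ip(pkt.target_ip)):
                return "drop: invalid or unexpected IP in ARP body"
        if self._mapping_allowed(vlan, pkt.sender_ip, pkt.sender_mac.lower()):
            return "forward"
        return "drop: sender IP/MAC not in binding table or ARP ACL"


def demo() -> Dict[str, str]:
    """Constructed scenario on the notes' topology: Gi0/0 is the trusted uplink,
    Gi0/1 and Gi0/2 are untrusted access ports in VLAN 10."""
    sw = DaiSwitch(trusted={"Gi0/0"}, validate={"src-mac", "dst-mac", "ip"})
    sw.bindings[("0c29.0001.2f68", 10)] = "192.168.1.100"       # learned by DHCP snooping
    sw.arp_acl[10] = [("192.168.1.1", "0c29.0000.0001")]        # static gateway, via ARP ACL
    bcast, zero = "ffff.ffff.ffff", "0000.0000.0000"
    r = {}
    r["client_request"] = sw.inspect("Gi0/1", 10, ArpPacket(
        "request", "0c29.0001.2f68", bcast, "0c29.0001.2f68", "192.168.1.100", zero, "192.168.1.1"))
    r["static_host_reply"] = sw.inspect("Gi0/2", 10, ArpPacket(
        "reply", "0c29.0000.0001", "0c29.0001.2f68", "0c29.0000.0001", "192.168.1.1", "0c29.0001.2f68", "192.168.1.100"))
    # A reply claiming the gateway IP from a MAC with no binding or ACL entry is discarded
    r["gateway_claim_no_binding"] = sw.inspect("Gi0/2", 10, ArpPacket(
        "reply", "0c29.0000.9999", "0c29.0001.2f68", "0c29.0000.9999", "192.168.1.1", "0c29.0001.2f68", "192.168.1.100"))
    # Header/body mismatch is caught by the src-mac validation before the mapping check
    r["src_mac_mismatch"] = sw.inspect("Gi0/2", 10, ArpPacket(
        "request", "0c29.0000.9999", bcast, "0c29.0001.2f68", "192.168.1.100", zero, "192.168.1.1"))
    # The same frame on the trusted uplink is not inspected at all
    r["uplink"] = sw.inspect("Gi0/0", 10, ArpPacket(
        "request", "0c29.0000.9999", bcast, "0c29.0001.2f68", "192.168.1.100", zero, "192.168.1.1"))
    # The ip validation drops a 0.0.0.0 sender address
    r["zero_sender_ip"] = sw.inspect("Gi0/2", 10, ArpPacket(
        "request", "0c29.0001.2f68", bcast, "0c29.0001.2f68", "0.0.0.0", zero, "192.168.1.1"))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

The last case is worth knowing before enabling `validate ip` in production: hosts performing duplicate-address detection send ARP probes with a 0.0.0.0 sender IP, and that validation drops them on untrusted ports.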