0029_Cisco: DHCP Snooping & DAI
Published 2024-12-14 (https://itgen.itbumper.com/?page_id=821)

DHCP Snooping is a security feature that monitors and filters DHCP messages between clients and servers. It builds a binding table of trusted IP-to-MAC addresses to prevent rogue DHCP servers.

DAI (Dynamic ARP Inspection) prevents ARP spoofing by inspecting ARP packets in the network. It verifies ARP packets against the DHCP Snooping binding table or static ARP ACLs to ensure only valid IP-to-MAC mappings are allowed.

```
#DHCP Snooping
#Works on Layer 2 only
#Must be activated on all switches that carry DHCP traffic
#Usually, uplink ports are configured as Trusted and downlink (access) ports remain Untrusted
#Helps to prevent DHCP Starvation attacks
#Helps to prevent DHCP Poisoning (Man in the Middle), very similar to ARP Poisoning
#It creates records in the DHCP Snooping Binding Table, which Dynamic ARP Inspection and IP Source Guard depend on

#Option 82 = DHCP Relay Agent Information Option; identifies the interface and VLAN the DHCP REQUEST came in on
#   -Circuit ID - VLAN identifier
#   -Remote ID  - switch MAC address

#DHCP Snooping filters messages
-----------------------------------------
#   DHCP Server          |   DHCP Client
#    - OFFER             |    - DISCOVER
#    - ACK               |    - REQUEST
#    - NAK               |    - RELEASE
#      (opposite of ACK, |    - DECLINE
#       declines a       |      (client declines
#       client's request)|       the offered IP)
-----------------------------------------

#If the packet comes from a Trusted interface, it is forwarded without checking
#If the packet comes from an Untrusted interface, it is checked:
#   -if the packet is a DHCP server message - the packet is dropped
#   -if the packet is a DHCP client message, then:
#       -in DISCOVER/REQUEST messages, compare MACs (source MAC of the frame must equal CHADDR); if equal, permit; if not, drop
#       -in RELEASE/DECLINE messages, compare the client IP address and the receiving interface with the DHCP Snooping Binding Table; if they match, permit; if not, drop

enable
    configure terminal
        ip dhcp snooping                                #to activate DHCP Snooping globally
        ip dhcp snooping vlan 1                         #to activate DHCP Snooping for a certain VLAN
        no ip dhcp snooping information option          #to disable DHCP Snooping Option 82 insertion
        interface <interface>
            ip dhcp snooping trust                      #to make an interface Trusted (<- DHCP server connected)
        interface <interface>
            ip dhcp snooping limit rate <packets/sec>   #interface-level command on Untrusted ports, to prevent DHCP Starvation
    show ip dhcp snooping binding                       #to show the DHCP Snooping Binding Table
    show ip dhcp snooping                               #to show DHCP Snooping status, VLANs and Trusted interfaces


#DAI (Dynamic ARP Inspection)
#DAI only filters ARP messages. All interfaces are Untrusted by default
#   Typically, all interfaces connected to other network devices (switches, routers) should be configured as Trusted
#   The interfaces connected to end hosts should remain Untrusted
#DAI inspects the sender MAC address and sender IP fields of ARP messages received on Untrusted interfaces
#   and checks that there is a matching entry in the DHCP Snooping Binding Table
#       -if there is a matching entry, the ARP message is forwarded normally
#       -if there is no matching entry, the ARP message is discarded
#
#DAI doesn't check ARP messages received on Trusted interfaces. They are forwarded as normal
#ARP ACLs can be manually configured to map IP addresses/MAC addresses for DAI to check. Useful for hosts that don't use DHCP
#Like DHCP Snooping, DAI supports rate limiting to prevent attackers from overwhelming the switch with ARP messages

#DHCP Snooping and DAI both require work from the switch's CPU
#Even if an attacker's messages are blocked, they can still overload the CPU with ARP messages, which is why rate limiting matters

#Example
#R1<=====>g0/0(SW2)g0/1<======>g0/0(SW1)===hosts

#SW2
enable
    configure terminal
        ip arp inspection vlan 1                        #to activate DAI for the VLAN (required on each switch; not in the original notes)
        interface range g0/0 - 1
            ip arp inspection trust
            exit

#SW1
        interface g0/0
            ip arp inspection trust
            ip arp inspection limit rate 25 burst interval 2    #allows 25 ARP packets per 2 seconds (default on Untrusted ports is 15 pps)
            exit
    show ip arp inspection

        errdisable recovery cause arp-inspection        #global config: automatically recover ports err-disabled by DAI rate limiting

#DAI optional checks (look into the ARP message body)
        ip arp inspection validate {dst-mac | ip | src-mac}    #to check more than one option, put them all in one command
#Example
        ip arp inspection validate dst-mac ip                  #each new validate command replaces the previous one


#ARP ACLs
#SVI switches don't have a DHCP Snooping Binding Table
#Example
        arp access-list ARP-ACL-1
            permit ip host 192.168.1.100 mac host 0c29.0001.2f68
            exit
        ip arp inspection filter ARP-ACL-1 vlan 10
    show ip arp inspection
```