From: Kirk Graham (kgraham@instructors.net)
Date: Thu Dec 23 2004 - 12:56:53 GMT-3
Tim, I was asking you questions about YOUR problem. I get it.
Is this a Lab network or a Production network. If its a lab, as I was
assuming, then I'd guess you have access to the client and could answer
whether or not the client got the IP address requested.
If you can post the output of a "debug ip packet dump", then we can all see
what the SRC MAC address is, and decode the DHCP request to see the client
MAC address embedded within. That will let everyone know whether the
console message is accurate or not.
If its a production network, then it could be anyone that's generating the
request. But looking back in the forwarding tables you could narrow down to
where the offending client exists.
There are several ways you can snoop a src mac address, as has been said
here before.
HTH,
Kirk
At 09:35 AM 12/23/2004, ccie2be wrote:
>Kirk,
>
>No, I don't have a sniffer or anything like that.
>
>As far as the client getting an ip address, obviously, if the 3550 drops the
>dhcp packet from the client, the client won't get
>
>an address. If the 3550 doesn't drop the dhcp packet, then whether or not
>the client gets an address depends on several other factors -
>
>does the dhcp server have additional addresses to hand out, is the 3550
>configured to relay the dhcp packets correctly, etc.
>
>The thing to understand about dhcp snooping is that it's a security
>feature - it's not there to stop dhcp clients from getting an ip address.
>
>It's there to stop rogue dhcp clients from interfering with the dhcp
>process.
>
>HTH, Tim
>----- Original Message -----
>From: "Kirk Graham" <kgraham@instructors.net>
>To: "ccie2be" <ccie2be@nyc.rr.com>
>Sent: Thursday, December 23, 2004 9:50 AM
>Subject: Re: mac address spoofing & dhcp snooping
>
>
> > You don't have a sniffer trace or "debug ip packet dump" output do you?
> >
> > Just curious myself.
> >
> > Does the client "get" an IP address??? I'm guessing that it doesn't if
>DHCP
> > snooping is enabled. IF that's disabled, does the client get an address???
> >
> > Thanks,
> > Kirk
> >
> > At 08:35 AM 12/23/2004, you wrote:
> > >Hey Joe,
> > >
> > >Thanks for getting back to me on this.
> > >
> > >I should have been more clear but I was referrring to
> > >
> > >dhcp packet from the dhcp client to the first hop device
> > >
> > >which in this case would be a 3550 with dhcp snooping enabled
> > >
> > >and acting as a dhcp relay.
> > >
> > >What I want to confirm is this:
> > >
> > >As the dhcp packet leaves the dhcp client on it's way
> > >
> > >to the dhcp server, the frame's source mac address will ALWAYS
> > >
> > >be the same as the client hardware address carried inside the
> > >
> > >frame unless one or the other of those mac addresses have been
> > >
> > >spoofed, true?
> > >
> > >Since the dhcp snooping process on the 3550 will always drop
> > >
> > >the frame if those 2 mac addresses are not the same, I just wanted to
>make
> > >
> > >sure that if the 3550 did drop the dhcp frame, I can correctly conclude
>that
> > >
> > >something is wrong because there's no legit reason those 2 address would
>be
> > >different.
> > >
> > >The situation I have in mind is when the mac address is set manually as
>is
> > >done sometimes
> > >
> > >in IBM centric IT shops. ( This scenario is probably far-fetched but
>just
> > >wanted to make sure.)
> > >
> > >Thanks, Tim
> > >
> > >----- Original Message -----
> > >From: "Joe Smith" <j333smith@hotmail.com>
> > >To: <ccielab@groupstudy.com>
> > >Sent: Thursday, December 23, 2004 8:45 AM
> > >Subject: RE: mac address spoofing & dhcp snooping
> > >
> > >
> > > > When a packet is routed/forwarded the layer 2 header is stripped and
> > > > replaced. Therefore, if the packet is not from the local network the
> > >source
> > > > MAC address will be different then the MAC address in the DHCP packet.
> > >And
> > > > yes it is very easy to spoof a local network source MAC address and/or
> > > > change the mac address in the DHCP packet.
> > > >
> > > > J3
> > > >
> > > > >From: "ccie2be" <ccie2be@nyc.rr.com>
> > > > >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> > > > >To: "Group Study" <ccielab@groupstudy.com>
> > > > >Subject: mac address spoofing & dhcp snooping
> > > > >Date: Wed, 22 Dec 2004 18:47:54 -0500
> > > > >
> > > > >Hi guys,
> > > > >
> > > > >Is it possible to spoof the source mac address of an outgoing frame?
> > > > >
> > > > >I ask because when dhcp snooping is enabled on a 3550, it checks
> > > > >
> > > > >to see if the source mac address of the frame is the same as the mac
> > > > >address
> > > > >
> > > > >inside the dhcp packet.
> > > > >
> > > > >If the 2 mac addresses are different, the 3550 will drop the packet.
> > > > >
> > > > >Besides spoofing the source mac address, are there any possible
>reasons
> > > > >
> > > > >the source mac address would be different from the mac address
>contained
> > > > >
> > > > >inside the packet?
> > > > >
> > > > >TIA, Tim
> > > > >
> > > >
> >_______________________________________________________________________
> > > > >Subscription information may be found at:
> > > > >http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > > _________________________________________________________________
> > > > Dont just search. Find. Check out the new MSN Search!
> > > > http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> > > >
> > > >
>_______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >_______________________________________________________________________
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3