Re: mac address spoofing & dhcp snooping

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Dec 23 2004 - 13:15:36 GMT-3


Kirk,

Oops, I misunderstood your question.

I don't have a 3550, so I was trying to "fill in" the missing information
from the documentation and visualize what should be going on versus what
could be going on.

Basically, what I'm trying to do is make sure I understand the concepts so
well that when I'm taking the lab and they tell me to do something like,
"Configure your network so that spoofed DHCP IP address requests are
filtered," I don't spend 15 minutes trying to figure out how to create an
ACL to do that.

My feeling is that the most difficult part of the lab isn't doing the
configurations, it's figuring out what should be done.

tim

----- Original Message -----
From: "Kirk Graham" <kgraham@instructors.net>
To: "Group Study" <ccielab@groupstudy.com>
Sent: Thursday, December 23, 2004 10:56 AM
Subject: Re: mac address spoofing & dhcp snooping

> Tim, I was asking you questions about YOUR problem. I get it.
>
> Is this a lab network or a production network? If it's a lab, as I was
> assuming, then I'd guess you have access to the client and could answer
> whether or not the client got the IP address requested.
>
> If you can post the output of a "debug ip packet dump", then we can all see
> what the SRC MAC address is, and decode the DHCP request to see the client
> MAC address embedded within. That will let everyone know whether the
> console message is accurate or not.
>
> If it's a production network, then it could be anyone that's generating the
> request. But looking back in the forwarding tables you could narrow down to
> where the offending client exists.
>
> There are several ways you can snoop a src mac address, as has been said
> here before.
>
> HTH,
> Kirk
>
> At 09:35 AM 12/23/2004, ccie2be wrote:
> >Kirk,
> >
> >No, I don't have a sniffer or anything like that.
> >
> >As far as the client getting an IP address, obviously, if the 3550 drops the
> >DHCP packet from the client, the client won't get an address. If the 3550
> >doesn't drop the DHCP packet, then whether or not the client gets an address
> >depends on several other factors - does the DHCP server have additional
> >addresses to hand out, is the 3550 configured to relay the DHCP packets
> >correctly, etc.
> >
> >The thing to understand about DHCP snooping is that it's a security
> >feature - it's not there to stop DHCP clients from getting an IP address.
> >It's there to stop rogue DHCP clients from interfering with the DHCP
> >process.
> >
> >HTH, Tim
> >----- Original Message -----
> >From: "Kirk Graham" <kgraham@instructors.net>
> >To: "ccie2be" <ccie2be@nyc.rr.com>
> >Sent: Thursday, December 23, 2004 9:50 AM
> >Subject: Re: mac address spoofing & dhcp snooping
> >
> >
> > > You don't have a sniffer trace or "debug ip packet dump" output, do you?
> > >
> > > Just curious myself.
> > >
> > > Does the client "get" an IP address??? I'm guessing that it doesn't if DHCP
> > > snooping is enabled. If that's disabled, does the client get an address???
> > >
> > > Thanks,
> > > Kirk
> > >
> > > At 08:35 AM 12/23/2004, you wrote:
> > > >Hey Joe,
> > > >
> > > >Thanks for getting back to me on this.
> > > >
> > > >I should have been more clear, but I was referring to the DHCP packet from
> > > >the DHCP client to the first-hop device, which in this case would be a 3550
> > > >with DHCP snooping enabled and acting as a DHCP relay.
> > > >
> > > >What I want to confirm is this:
> > > >
> > > >As the DHCP packet leaves the DHCP client on its way to the DHCP server, the
> > > >frame's source MAC address will ALWAYS be the same as the client hardware
> > > >address carried inside the frame unless one or the other of those MAC
> > > >addresses has been spoofed, true?
> > > >
> > > >Since the DHCP snooping process on the 3550 will always drop the frame if
> > > >those 2 MAC addresses are not the same, I just wanted to make sure that if
> > > >the 3550 did drop the DHCP frame, I can correctly conclude that something is
> > > >wrong because there's no legit reason those 2 addresses would be different.
> > > >
> > > >The situation I have in mind is when the MAC address is set manually, as is
> > > >done sometimes in IBM-centric IT shops. (This scenario is probably
> > > >far-fetched but I just wanted to make sure.)
> > > >
> > > >Thanks, Tim
> > > >
> > > >----- Original Message -----
> > > >From: "Joe Smith" <j333smith@hotmail.com>
> > > >To: <ccielab@groupstudy.com>
> > > >Sent: Thursday, December 23, 2004 8:45 AM
> > > >Subject: RE: mac address spoofing & dhcp snooping
> > > >
> > > >
> > > > > When a packet is routed/forwarded the layer 2 header is stripped and
> > > > > replaced. Therefore, if the packet is not from the local network the source
> > > > > MAC address will be different from the MAC address in the DHCP packet. And
> > > > > yes it is very easy to spoof a local network source MAC address and/or
> > > > > change the MAC address in the DHCP packet.
> > > > >
> > > > > J3
> > > > >
> > > > > >From: "ccie2be" <ccie2be@nyc.rr.com>
> > > > > >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> > > > > >To: "Group Study" <ccielab@groupstudy.com>
> > > > > >Subject: mac address spoofing & dhcp snooping
> > > > > >Date: Wed, 22 Dec 2004 18:47:54 -0500
> > > > > >
> > > > > >Hi guys,
> > > > > >
> > > > > >Is it possible to spoof the source MAC address of an outgoing frame?
> > > > > >
> > > > > >I ask because when DHCP snooping is enabled on a 3550, it checks to see if
> > > > > >the source MAC address of the frame is the same as the MAC address inside
> > > > > >the DHCP packet.
> > > > > >
> > > > > >If the 2 MAC addresses are different, the 3550 will drop the packet.
> > > > > >
> > > > > >Besides spoofing the source MAC address, are there any possible reasons
> > > > > >the source MAC address would be different from the MAC address contained
> > > > > >inside the packet?
> > > > > >
> > > > > >TIA, Tim
> > > > > >
> > > > >
> > > > > >_______________________________________________________________________
> > > > > >Subscription information may be found at:
> > > > > >http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > >
> > >
>
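The source-MAC versus chaddr comparison the whole thread circles around, as an added example in Python that is not from the original posts and not Cisco's code. It builds three constructed DHCPDISCOVER frames (an honest client, a client whose Ethernet source MAC disagrees with the chaddr it put in the packet, and the honest request after a relay rewrote the Ethernet header, which is Joe's point about routed packets), parses the Ethernet source MAC and the BOOTP chaddr out of the raw bytes, and applies the rule Tim describes: on an untrusted port, drop when the two differ. The trusted-port exemption and the dropping of server messages arriving on untrusted ports follow the documented Catalyst DHCP snooping behaviour; all addresses, the transaction ID and the function names are made up for the demo.

```python
"""
Added example (not from the original thread, not Cisco code): a minimal
model of the DHCP snooping source-MAC / chaddr verification discussed above.
It builds raw Ethernet/IPv4/UDP/BOOTP frames, parses out the two MAC
addresses, and applies the "drop if they differ" rule to an untrusted port.
All frames and addresses below are constructed for the demo.
"""
import struct

BOOTP_REQUEST = 1                      # op=1 client->server, op=2 server->client
DHCP_MAGIC = b"\x63\x82\x53\x63"       # RFC 2132 magic cookie that starts the options field


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_dhcp_discover(eth_src, chaddr, giaddr="0.0.0.0", ip_src="0.0.0.0",
                        ip_dst="255.255.255.255", eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Construct a DHCPDISCOVER. eth_src and chaddr are separate parameters so the
    frame's source MAC and the client hardware address can be made to disagree."""
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags (broadcast bit set)
    bootp = struct.pack("!BBBBIHH", BOOTP_REQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000)
    bootp += bytes(4) * 3 + ip_to_bytes(giaddr)          # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_to_bytes(chaddr).ljust(16, b"\x00")     # chaddr is a 16-byte field
    bootp += bytes(64) + bytes(128)                      # sname, file
    payload = bootp + DHCP_MAGIC + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, then END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload  # zero checksum = none
    # IPv4 header; the header checksum is left zero, the parser below never verifies it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_to_bytes(ip_src), ip_to_bytes(ip_dst))
    return mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + b"\x08\x00" + ip + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Extract what the snooping check looks at: the Ethernet source MAC and the
    BOOTP op / giaddr / chaddr fields. Raises ValueError on anything that is not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = frame[14 + ihl:]
    if struct.unpack("!H", udp[2:4])[0] not in (67, 68):
        raise ValueError("not BOOTP/DHCP")
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        raise ValueError("truncated or non-DHCP BOOTP payload")
    hlen = bootp[2]
    return {
        "op": bootp[0],
        "eth_src": bytes_to_mac(frame[6:12]),
        "chaddr": bytes_to_mac(bootp[28:28 + hlen]),
        "giaddr": ".".join(str(x) for x in bootp[24:28]),
    }


def snooping_verdict(frame: bytes, port_trusted: bool = False) -> str:
    """Decision a snooping switch applying the rule from the thread would take.
    Trusted ports (towards the server or relay) are exempt, as Catalyst DHCP
    snooping documents; untrusted ports get the MAC comparison, and server
    messages (op=2) arriving on them are dropped as rogue-server traffic."""
    f = parse_dhcp_frame(frame)
    if port_trusted:
        return "forward"
    if f["op"] != BOOTP_REQUEST:
        return "drop"
    if f["eth_src"] != f["chaddr"]:
        return "drop"
    return "forward"


# Constructed sample frames.
# 1. Honest client on an access port: frame source MAC == chaddr.
CLIENT_OK = build_dhcp_discover("00:0c:29:aa:bb:cc", "00:0c:29:aa:bb:cc")
# 2. Client that forged only the Ethernet source (or only chaddr): they disagree.
CLIENT_SPOOFED = build_dhcp_discover("00:0c:29:aa:bb:cc", "00:0c:29:11:22:33")
# 3. The honest request after a router relayed it: the relay rewrote the L2 header
#    (Joe's point), so eth_src is the relay's MAC while chaddr is still the client's,
#    and giaddr now carries the relay's address.
RELAYED = build_dhcp_discover("00:1b:d4:55:66:77", "00:0c:29:aa:bb:cc", giaddr="10.1.1.1",
                              ip_src="10.1.1.1", ip_dst="10.2.2.2", eth_dst="00:1b:d4:00:00:01")

if __name__ == "__main__":
    for name, frame in [("client", CLIENT_OK), ("spoofed", CLIENT_SPOOFED), ("relayed", RELAYED)]:
        f = parse_dhcp_frame(frame)
        print(f"{name:8s} src={f['eth_src']} chaddr={f['chaddr']} giaddr={f['giaddr']} "
              f"untrusted={snooping_verdict(frame)} trusted={snooping_verdict(frame, True)}")
```

The relayed case is the one worth keeping in mind when a lab task says "filter spoofed DHCP requests": a perfectly legitimate request that has crossed a relay fails the comparison by design, because the relay's MAC is on the frame while the client's MAC is still in chaddr. That is why the port facing a relay or the DHCP server has to be configured trusted, and why the comparison only makes sense on the client-facing, untrusted edge.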



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3