From: Carlos Trujillo Jimenez (nergal888@hotmail.com)
Date: Sun Dec 02 2007 - 21:40:26 ART
Hi group.
Don't know if I'm doing the test about the source guard feature right. I'm trying to
test the things I understand about this feature, but the results show me
opposite concepts. Please guide me on what I am doing wrong, or whether I am
misunderstanding the concept here.
What I understand about source guard is that it is used to prevent spoofing
attacks in the switch by examining the source IP address of each incoming
packet against the DHCP snooping database (if one exists) or against the
static mac-to-ip-to-vlan-to-interface manually created table.
So as a test I'm working only with a 3560 switch and two routers directly
connected to its interfaces.
R1 is connected to interface fastethernet 0/1, and R2 is connected to
interface fastethernet 0/2, both ports belong to the same vlan, and both
routers can ping each other.
I copy the results:
r1#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 5678.5678.5678
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
r2#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 1234.1234.1234
ip address 192.168.0.2 255.255.255.0
duplex auto
speed auto
r2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#
Everything works normally here.
So I decided to implement the source guard feature at the switch, manually
creating the static mac-to-ip-to-vlan-to-interface binding in the switch to
force communication between R1 and R2 to be successful ONLY if the
origin IP address of each of their packets is:
R1 192.168.0.1
R2 192.168.0.2
sw1#
ip source binding 5678.5678.5678 vlan 1 192.168.0.1 interface Fa0/1
ip source binding 1234.1234.1234 vlan 1 192.168.0.2 interface Fa0/2
and of course enable the source guard feature on interfaces FastEthernet0/1 and
0/2, where routers R1 and R2 are attached.
sw1#
interface FastEthernet0/1
ip verify source
!
interface FastEthernet0/2
ip verify source
Now, to test the feature, for example I change the IP address of R2 to
192.168.0.3 so that the mapping is not the same as the one I configured in
the switch. I THINK THE PING BETWEEN BOTH ROUTERS MUST NOT BE
SUCCESSFUL... BUT IT STILL WORKS..
r2#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 1234.1234.1234
ip address 192.168.0.2 255.255.255.0
duplex auto
speed auto
end
r2#config t
Enter configuration commands, one per line. End with CNTL/Z.
r2(config)#int fastEthernet 0/0
r2(config-if)#ip address 192.168.0.3 255.255.255.0
r2(config-if)#exit
r2(config)#^Z
r2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Can anyone please guide me on what I'm not understanding here?
Thanks.
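A model of the binding check the post is trying to exercise, as an added example that is not code from the post or from Cisco IOS: it parses the two `ip source binding` lines from the switch configuration above and filters a frame the way the feature is documented to work, in IP-only mode (`ip verify source`) and in IP+MAC mode (`ip verify source port-security`). The frames checked are constructed from the post's addresses.

```python
"""Model of the IP Source Guard binding check from the post.

Constructed example, not IOS code. parse_bindings() reads the switch's
`ip source binding` lines; permitted() decides whether a frame entering a
port is allowed, either by IP only (`ip verify source`) or by IP and MAC
(`ip verify source port-security`).
"""
import re
from dataclasses import dataclass

BINDING_RE = re.compile(
    r"ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)")

# Binding lines copied from sw1's configuration in the post.
SW1_BINDINGS = """
ip source binding 5678.5678.5678 vlan 1 192.168.0.1 interface Fa0/1
ip source binding 1234.1234.1234 vlan 1 192.168.0.2 interface Fa0/2
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str


def parse_bindings(config: str) -> list:
    """Turn `ip source binding` lines into Binding records; other lines are ignored."""
    out = []
    for line in config.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, vlan, ip, intf = m.groups()
            out.append(Binding(mac.lower(), int(vlan), ip, intf))
    return out


def permitted(bindings, interface, vlan, src_ip, src_mac, check_mac=False):
    """True if a frame from (src_ip, src_mac) entering `interface` on `vlan`
    matches a binding for that port. check_mac=False models `ip verify
    source` (IP filter only); check_mac=True models `ip verify source
    port-security` (IP and MAC filter). No match means the frame is dropped."""
    for b in bindings:
        if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
            continue
        if check_mac and b.mac != src_mac.lower():
            continue
        return True
    return False
```

With the post's bindings, R2 sending from 192.168.0.2 on Fa0/2 is permitted, and R2 readdressed to 192.168.0.3 has no matching binding and is dropped; in IP-only mode a frame with the bound IP but a different source MAC still passes, which is why the port-security variant exists.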
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:28 ARST