From: Scott Vermillion (scott_ccie_list@it-ag.com)
Date: Sun Dec 02 2007 - 22:04:11 ART
I haven't done any labs using source-guard in quite some time, so I'm not
speaking with any authority here. But something stuck in my head, and a quick
check of the DocCD reveals the following:
" When IP source guard with source IP filtering is enabled on an interface,
DHCP snooping must be enabled on the access VLAN to which the interface
belongs."
So even though you've created a static mapping, the way I read the above
(under "IP Source Guard Configuration Guidelines"), you still have to enable
DHCP snooping on the VLAN. Funny though, they don't show enabling DHCP
snooping in the config example given.
Anyway, it's worth a shot...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Carlos Trujillo Jimenez
Sent: Sunday, December 02, 2007 5:40 PM
To: ccielab@groupstudy.com
Subject: SOURCE-GUARD FEATURE TEST
Hi group.
I don't know if I'm doing the source guard feature test right. I'm trying to
test what I understand about this feature, but the results show me the
opposite, so please guide me on what I'm doing wrong or whether I'm
misunderstanding the concept here.
What I understand about source guard is that it is used to prevent spoofing
attacks in the switch by examining the source IP address of each incoming
packet against the DHCP snooping database (if one exists) or against the
manually created static mac-to-ip-to-vlan-to-interface table.
So as a test I'm working only with a 3560 switch and two routers directly
connected to its interfaces.
R1 is connected to interface fastethernet 0/1, and R2 is connected to
interface fastethernet 0/2, both ports belong to the same vlan, and both
routers can ping each other.
I copy the results:
r1#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 5678.5678.5678
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
r2#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 1234.1234.1234
ip address 192.168.0.2 255.255.255.0
duplex auto
speed auto
r2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#
Everything works normally here.
So I decided to implement the source guard feature on the switch and manually
create the static mac-to-ip-to-vlan-to-interface bindings in the switch, so
that communication between R1 and R2 is successful ONLY if the source IP
address of each of their packets is:
R1 192.168.0.1
R2 192.168.0.2
sw1#
ip source binding 5678.5678.5678 vlan 1 192.168.0.1 interface Fa0/1
ip source binding 1234.1234.1234 vlan 1 192.168.0.2 interface Fa0/2
and of course enable the source guard feature on interfaces FastEthernet0/1 and
0/2, where routers R1 and R2 are attached.
sw1#
interface FastEthernet0/1
ip verify source
!
interface FastEthernet0/2
ip verify source
Now, to test the feature, for example I change the IP address of R2 to
192.168.0.3 so that the mapping is not the same as the one I configured in
the switch. I THINK THE PING BETWEEN BOTH ROUTERS MUST NOT BE
SUCCESSFUL... BUT IT STILL WORKS..
r2#show run int fastEthernet 0/0
Building configuration...
Current configuration : 124 bytes
!
interface FastEthernet0/0
mac-address 1234.1234.1234
ip address 192.168.0.2 255.255.255.0
duplex auto
speed auto
end
r2#config t
Enter configuration commands, one per line. End with CNTL/Z.
r2(config)#int fastEthernet 0/0
r2(config-if)#ip address 192.168.0.3 255.255.255.0
r2(config-if)#exit
r2(config)#^Z
r2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Please, can anyone guide me on what I'm not understanding here?
Thanks.
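The switch configuration that the DocCD guideline Scott quotes implies, added here as an example rather than taken from either message; it assumes the same switch sw1, VLAN 1, ports and static bindings as Carlos's post, adds DHCP snooping on the access VLAN, and ends with the show commands used to confirm that the filter is actually active on each port:

```cisco
! Global: DHCP snooping must be on, and enabled for the access VLAN the
! guarded ports belong to (assumed VLAN 1, as in the post). Without this,
! ip verify source is configured but the filter never becomes active.
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Static bindings taken from the post: MAC, VLAN, IP, ingress port.
ip source binding 5678.5678.5678 vlan 1 192.168.0.1 interface Fa0/1
ip source binding 1234.1234.1234 vlan 1 192.168.0.2 interface Fa0/2
!
! Guarded ports. Plain "ip verify source" checks the source IP only;
! "ip verify source port-security" also checks the source MAC, but then
! requires "switchport port-security" on the same interface.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
 ip verify source
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
 ip verify source
!
! Checks (exec mode). In "show ip verify source", each port should list
! filter-type ip, filter-mode active and the bound IP; an inactive filter
! mode explains why a ping from a non-matching source still gets through.
! "show ip source binding" should list both entries with type static, and
! "show ip dhcp snooping" should report snooping enabled on VLAN 1.
show ip verify source
show ip source binding
show ip dhcp snooping
```

After the change, repeating the test with R2 readdressed to 192.168.0.3 should fail, since no binding on Fa0/2 matches that source address.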
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:28 ARST