From: Carlos Trujillo Jimenez (nergal888@hotmail.com)
Date: Sun Dec 02 2007 - 22:13:26 ART
Thanks a lot Scott!!
I enabled the DHCP snooping feature, and everything works as expected! When DHCP
snooping is turned on, the ping test from router to router stops working, as
expected.
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 1
r2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#
Well, I was confused with DHCP snooping because I'm not using the feature and
don't have a DHCP client or server in my test network, but it seems that
without enabling it, source guard doesn't work!
Thanks again for the answer, Scott.
>From: "Scott Vermillion" <scott_ccie_list@it-ag.com>
>
>I haven't done any labs using source guard in quite some time, so I'm not
>speaking with any authority here. But something stuck in my head, and a quick
>check of the DocCD reveals the following:
>
>" When IP source guard with source IP filtering is enabled on an interface,
>DHCP snooping must be enabled on the access VLAN to which the interface
>belongs."
>
>So even though you've created a static mapping, the way I read the above
>(under "IP Source Guard Configuration Guidelines"), you still have to enable
>DHCP snooping on the VLAN. Funny though, they don't show enabling DHCP
>snooping in the config example given.
>
>Anyway, it's worth a shot...
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Carlos Trujillo Jimenez
>Sent: Sunday, December 02, 2007 5:40 PM
>To: ccielab@groupstudy.com
>Subject: SOURCE-GUARD FEATURE TEST
>
>Hi group.
>
>Don't know if I'm doing the test about the source guard feature right. I'm
>trying to test the stuff I understand about this feature, but the results show
>me opposite concepts. Please guide me on what I am doing wrong or if I am
>misunderstanding the concept here.
>
>
>What I understand about source guard is that it is used to prevent spoofing
>attacks in the switch by examining the source IP address of each incoming
>packet against the DHCP snooping database (if one exists) or against the
>static mac-to-ip-to-vlan-to-interface manually created table.
>
>So as a test I'm working only with a 3560 switch and two routers directly
>connected to its interfaces.
>R1 is connected to interface FastEthernet 0/1, and R2 is connected to
>interface FastEthernet 0/2, both ports belong to the same VLAN, and both
>routers can ping each other.
>
>I copy the results..
>
>
>r1#show run int fastEthernet 0/0
>Building configuration...
>
>Current configuration : 124 bytes
>!
>interface FastEthernet0/0
>mac-address 5678.5678.5678
>ip address 192.168.0.1 255.255.255.0
>duplex auto
>speed auto
>
>r2#show run int fastEthernet 0/0
>Building configuration...
>
>Current configuration : 124 bytes
>!
>interface FastEthernet0/0
>mac-address 1234.1234.1234
>ip address 192.168.0.2 255.255.255.0
>duplex auto
>speed auto
>
>r2#ping 192.168.0.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>r2#
>
>Everything works normally here.
>So I decided to implement the source guard feature at the switch, manually
>creating the static mac-to-ip-to-vlan-to-interface binding in the switch to
>force communication between R1 and R2 to be successful ONLY if the
>origin IP address of each of its packets is:
>R1 192.168.0.1
>R2 192.168.0.2
>
>sw1#
>ip source binding 5678.5678.5678 vlan 1 192.168.0.1 interface Fa0/1
>ip source binding 1234.1234.1234 vlan 1 192.168.0.2 interface Fa0/2
>
>and of course enable the source guard feature on interfaces FastEthernet 0/1
>and 0/2, where both routers R1 and R2 are attached.
>
>sw1#
>interface FastEthernet0/1
>ip verify source
>!
>interface FastEthernet0/2
>ip verify source
>
>
>Now, to test the feature, for example I change the IP address of R2 to
>192.168.0.3 so that the mapping is not the same as the one I configured in
>the switch. I THINK THE PING BETWEEN BOTH ROUTERS MUST NOT BE SUCCESSFUL...
>BUT IT STILL WORKS..
>
>
>r2#show run int fastEthernet 0/0
>Building configuration...
>
>Current configuration : 124 bytes
>!
>interface FastEthernet0/0
>mac-address 1234.1234.1234
>ip address 192.168.0.2 255.255.255.0
>duplex auto
>speed auto
>end
>
>r2#config t
>Enter configuration commands, one per line. End with CNTL/Z.
>r2(config)#int fastEthernet 0/0
>r2(config-if)#ip address 192.168.0.3 255.255.255.0
>r2(config-if)#exit
>r2(config)#^Z
>r2#ping 192.168.0.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
>!!!!!
>
>
>Please, can anyone guide me on what I'm not understanding here?
>
>Thanks.
>
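As an added example (not code from the thread or from Cisco), the Python below simulates the per-frame decision the switch makes under the two static bindings above, with the DHCP-snooping prerequisite Scott found on the DocCD modelled as a gate on the check. The frames, the guarded-port set and the "snooping off means no filtering" rule are constructed assumptions drawn from what the thread observed, not a description of IOS internals.

```python
"""Simulation of the IP Source Guard check from the thread (added example, not
Cisco's code): static bindings, the IP-only 'ip verify source' check, and the
DocCD caveat that DHCP snooping must be on for the access VLAN."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str

@dataclass(frozen=True)
class Frame:
    interface: str  # switch port the frame arrives on
    vlan: int
    src_mac: str
    src_ip: str

# The two static bindings from the thread's 'ip source binding' commands.
BINDINGS = (
    Binding("5678.5678.5678", 1, "192.168.0.1", "Fa0/1"),
    Binding("1234.1234.1234", 1, "192.168.0.2", "Fa0/2"),
)
GUARDED_PORTS = frozenset({"Fa0/1", "Fa0/2"})  # ports with 'ip verify source'

def verdict(frame, snooping_vlans=frozenset(), bindings=BINDINGS, guarded=GUARDED_PORTS):
    """Return 'permit' or 'deny'. Assumption (modelled on the thread's observation,
    not Cisco internals): with DHCP snooping off on the VLAN the check is skipped.
    IP-only filtering compares port, VLAN and source IP, never the source MAC."""
    if frame.interface not in guarded or frame.vlan not in snooping_vlans:
        return "permit"
    for b in bindings:
        if (b.interface, b.vlan, b.ip) == (frame.interface, frame.vlan, frame.src_ip):
            return "permit"
    return "deny"  # no binding for this port/VLAN/source IP: frame is dropped

def run_thread_scenarios():
    """Replay the thread's tests (constructed frames); values are verdicts."""
    r2_ok = Frame("Fa0/2", 1, "1234.1234.1234", "192.168.0.2")
    r2_changed = Frame("Fa0/2", 1, "1234.1234.1234", "192.168.0.3")
    spoofed_mac = Frame("Fa0/2", 1, "dead.beef.0001", "192.168.0.2")
    return {
        "r2 .2, snooping off": verdict(r2_ok),
        "r2 .3, snooping off": verdict(r2_changed),
        "r2 .2, snooping on": verdict(r2_ok, {1}),
        "r2 .3, snooping on": verdict(r2_changed, {1}),
        "spoofed mac, .2, snooping on": verdict(spoofed_mac, {1}),
    }
```

The last scenario is the caveat worth keeping in mind: with plain source IP filtering a host that keeps the bound IP but changes its MAC is still permitted, so the binding's MAC column only matters once MAC filtering is also enabled.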
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:28 ARST