topic Re: EXOS how to add dhcp security to many vlans? in ExtremeSwitching (EXOS/Switch Engine)

EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 02:13:01 GMT

I have a 5 stack 5520 switch with multiple vlans on it. I’m trying to program in the trusted DHCP servers for the vlans.

Here is the commands I’m pasting in

configure trusted-ports 1:57 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.2 trust-for dhcp-server

But after I get to the first 10.1.1.2 IP address above, i get this after the rest of the commands:

Error: No more than 8 trusted DHCP servers can be configured across all vlans.

Its only 2 DHCP servers. 10.1.1.1 and 10.1.1.2 run the Windows Server DHCP clustering service, so I have to put both IP’s in for failover reasons.

What I am initially trying to do is ensure no rouge dhcp servers can be put on the network.

The uplink port is 1:57 (parent of a lacp load sharing link 1:57,2:57,4:57,5:57 to each both X690 core stacks running mlag over those sharing ports).

The servers are all directly into the core switches, so I basically can trust anything on the core switches if that matters. Nothing in the core switch is plugged into any employee accessible wall jack. Thats only in the data room.

Is there another way about doing this?

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 02:18:30 GMT

I may be overthinking it…

Could I just do this instead?

configure trusted-ports 1:57 trust-for dhcp-server

Like I said that is the parent port of an LACP sharing group of 4 ports to the core. Everything on the core is trusted.

If thats the case how do I remove what the switch took so far:

sh configuration | i trusted
configure trusted-ports 1:57 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.1 trust-for dhcp-server

I tried unconfigure or delete, nothing in tab completion looks like it would do the trick?

Re: EXOS how to add dhcp security to many vlans?

Stefan_K_ — Fri, 19 Mar 2021 03:59:48 GMT

Yes. You either configure a trusted port or an DHCP-Server per VLAN.

Note that you also have to enable DHCP-snooping.

More information: How To: How to configure DHCP Snooping on EXOS | Extreme Portal (force.com)

Not sure if this is the right approach. Afaik you only need to configure the edge switches. (If you meant that all ports on the core are configured as trusted ports)

Can’t test it right know, but I would try

configure trusted-servers vlan Default delete server 10.1.1.1

or similar.

(That’s the Extreme roulette - you never know if its unconfigure, delete… 🙂

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 04:06:07 GMT

Thanks that worked to remove those trusted servers.

By everything on the core is trusted I mean there is no dhcp snooping going on at all. The only thing on the core that has anything to do with dhcp is the bootprelay commands taking our vlans and pointing them to our dhcp servers.

Really what I mean about everything trusted at the core is nobody has access to plug anything in there. Nothing on the core switch ports are patched to a patch panel where a regular person would have access. To plug into the core they would need to break into the computer room, and that would set off security and also text us that the door was open.

I’ll play with this a bit more.

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 20:54:43 GMT

Ok so its been a day and I still don’t see any entries for voice or data (VL7) vlans on one of the test ports.

Here’s the commands involved for test port 4:25

enable ip-security dhcp-snooping vlan VL7 port 4:25 violation-action drop-packet snmp-trap
enable ip-security dhcp-snooping vlan VOICE port 4:25 violation-action drop-packet snmp-trap

and towards the uplink port on the switch

enable ip-security dhcp-snooping vlan Default port 1:57 violation-action none
enable ip-security dhcp-snooping vlan GUEST-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan MDM-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL2 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL3 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL5 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL6 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL7 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL8 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VOICE port 1:57 violation-action none
configure trusted-ports 1:57 trust-for dhcp-server

(Pretty sure I only need it on the parent uplink port of this lag)

Load Sharing Monitor
Config Current Agg Min Ld Share Ld Share Agg Link Link Up
Master Master Control Active Algorithm Flags Group Mbr State Transitions
================================================================================
1:57 1:57 LACP 1 L3_L4 A 1:57 Y A 1
L3_L4 2:57 Y A 1
L3_L4 4:57 Y A 1
L3_L4 5:57 Y A 1
================================================================================

sh ip-security dhcp-snooping vlan VL7
DHCP Snooping enabled on ports: 4:25, 1:57
Trusted Ports: 1:57
Trusted DHCP Servers: None
Bindings Restoration : Enabled
Bindings Filename : 1600md-access-c.xsf
Bindings File Location :
Primary Server : 10.1.0.4, TFTP
Secondary Server: None
Bindings Write Interval : 30 minutes
Bindings last uploaded at: Fri Mar 19 09:28:57 2021

------------------------------------
Port Violation-action
------------------------------------
4:25 drop-packet, snmp-trap

sh ip-security dhcp-snooping entries VL7
------------------------------------------------------------------
Vlan: VL7
------------------------------------------------------------------
Lease Time Server Client
IP Addr MAC Addr (hh:mm:ss) Port Port
------- -------- ---------- ------ ------

Total number of entries : 0

sh ip-security dhcp-snooping entries VOICE
------------------------------------------------------------------
Vlan: VOICE
------------------------------------------------------------------
Lease Time Server Client
IP Addr MAC Addr (hh:mm:ss) Port Port
------- -------- ---------- ------ ------

Total number of entries : 0

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 21:03:16 GMT

Nevermind, I did a disable port 4:25 and then an enable port 4:25

I then saw the voice entry. Still didn’t see the PC in the VL7 entry so I ran cmd as admin and ran psexec -s \\computername ipconfig /renew and then i checked again and sure enough the entry showed.

The next step I want to do prior to migrating from our Cisco stack to this is test arp inspection. On Cisco it works hand in hand with the dhcp-snooping. I want to prevent arp poisoning. Worked well after we implemented it on Cisco becuase one year a white hat hacker we paid did a pen test and arp spoofed and did a MITM and gave us screen shots and a run down of smb shares he was able to access. We added the arp spoofing protection and then the next year when they came in to do a pen test, they got nothing. We definately do not want to lose that functionality moving from Cisco to Extreme.

The last question I have besides tying this into rouge DHCP server protection, ARP inspection and protection is what about static assigned devices such as our printers, monitoring equipment, etc.. Just don’t apply these ip-security commands to those ports? I guess thats the easy way. That plus mac security will stop casual insiders from unplugging a printer and connecting in to do an arp spoof (plus they would have to know that we didn’t protect those ports in that way). In the Cisco side there was an ip bindings command. A real PITA but it was more secure. In some areas where they like to play “Musical Chairs” we just trusted those ports.

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Fri, 19 Mar 2021 22:53:48 GMT

To add arp protection to the above example, is this all I would need?

enable ip-security arp validation vlan VL7 ports 4:25 violation-action drop-packet snmp-trap
enable ip-security arp validation vlan VOICE ports 4:25 violation-action drop-packet snmp-trap

Then they couldn’t arp spoof and do a MITM attack? Are those commands effective enough?

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Sat, 20 Mar 2021 01:55:31 GMT

The more I’m diving into this the more confused I’m getting.

Do I also need this?

enable ip-security arp learning learn-from-dhcp vlan VL7 ports 4:25
enable ip-security arp learning learn-from-dhcp vlan VOICE ports 1:1-48,2:1-48,3:1-48,4:1-48,5:1-48

I mean is that what makes the connection between dhcp-snooping and arp? In the Cisco switches, you had to have dhcp-snooping on and running for a while then you could enable the arp protection. But this is a new switch so I want to put it all on at once because as a device moves to it, it will do a dhcp request when its reconnected to the new port.

I just want to make sure of two things.

no possibility for rouge dhcp servers
no possibility for arp spoofing attacks

In those two requirements, though 90% of the network is DHCP, the remaining are static IPs, so I need a solution for such.

What about this command:
enable ip-security arp gratuitous-protection <vlan name>

What exactly is that doing?

Re: EXOS how to add dhcp security to many vlans?

Tomasz — Mon, 22 Mar 2021 22:51:53 GMT

Hi Keith,

Just some food for thoughts regarding unwanted DHCPs, what if you implemented authentication-based or staticly applied Policy feature with zero trust/least privilege approach? All ports deny all, permit just what they need (e.g. Printer, AP, Phone, HR, CxO, Admins, Guests etc.), disable unused ports. Then they’d be only allowed to call DHCP server for IP assignment. If any policy on the DC side, a policy for DHCP server to permit DHCP Client as a destination port of course. 😉

Regarding MitM, I’m afraid some sophisticated approach is needed. Even pure IEEE 802.1X authentication might be exploited by MitM (a “pass through” device that allows the client to authenticate, then sends packets into the network with the same SMAC and SIP - that’s why VLAN separation + Policy with zero trust approach might be helpful for damage control - and Policy instead of ACL just because it’s much easier to deploy and maintain).

Hope that helps,

Tomasz

Re: EXOS how to add dhcp security to many vlans?

Keith9 — Tue, 23 Mar 2021 01:51:45 GMT

I’d love to, I just don’t know how to even begin to configure or setup that without making a mistake and causing an outage or trouble tickets with end users.

Right now I can have dhcp trusted on ports facing that server, that works. I can have arp validation on and that works for any device that uses DHCP to get an IP address, but I can’t use any arp validation on ports with static IP's like printers or special devices like UPS’s, PDU’s, etc…

For example, I have a printer with a static IP address of 10.2.2.145 in vlan VL2 on port 2:22.
If I have this command on:
enable ip-security dhcp-snooping vlan VL2 port 2:22 violation-action drop-packet snmp-trap
the printer is not reachable and the log is spammed with messages like this:
03/22/2021 14:08:51.64 <Warn:ipSecur.drpPkt> Slot-1: ARP violation occurred on port 2:22. Packet was dropped.
03/22/2021 14:08:51.64 <Warn:ipSecur.arpViol> Slot-1: An ARP violation was detected on vlan VL2 port 2:22 violating IP 10.2.2.145 violating MAC 00:26:AB:7B:42:66 violation type Invalid IP-MAC Binding

The second I run:
Disable ip-security dhcp-snooping vlan VL2 port 2:22 violation-action drop-packet snmp-trap
The ping starts to respond.

I then tried an ip-security source-ip-lockdown command reccomended by gtac.

While the continuous ping is running if I enter
enable ip-security source-ip-lockdown port 2:22
the ping immediately ceases until I run
disable ip-security source-ip-lockdown

So I guess we can only do arp spoofing protection on ports where devices do DHCP?

I recognize we could go entirely DHCP and use DHCP reservations for many things, but without redoing the entire network and re-IP'ing all printers or unique devices, whats the solution here? Sure a dynamic policy via nac and netsight is the holy grail, but like I said I’m not even sure how to get started. Do they have an online class I can take?

Re: EXOS how to add dhcp security to many vlans?

Tomasz — Tue, 23 Mar 2021 02:35:39 GMT

Hi Keith,

If your goal is just to get rid of unwanted DHCP traffic, I’d recommend the approach I mentioned. I can arrange some online meeting to show and tell, as I’m just about to apply this approach in my small lab environment (aim to turn it into a reference design for my potential deployments if I had any lol). You can also take a class, ECS Extreme Control (or two topics within ECS Extreme Management Center) might be relevant, but before you spend any money take a look if that’s what you’re looking for.

If you aim to also get ARP validation, I didn’t play with it that much, perhaps static ARP entries could feed the process for statically addressed devices?

However, in the end MAC/IP pair can also be spoofed, then if you aim to prevent MitM, my predictions are you might need some professional tool of a kind (such as IPS systems), depending on the budget. In the meantime (or for just some damage control) I’d consider to deeply review all other security best practices for a network. I’m not an IT Security expert however… Interested to see more opinions in this thread.

Hope that helps,

Tomasz