EXOS how to add dhcp security to many vlans?

Keith9
Contributor III

I have a 5 stack 5520 switch with multiple vlans on it.  I’m trying to program in the trusted DHCP servers for the vlans.

Here are the commands I’m pasting in:

configure trusted-ports 1:57 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.2 trust-for dhcp-server

But after I get to the first 10.1.1.2 IP address above, I get this after the rest of the commands:

Error: No more than 8 trusted DHCP servers can be configured across all vlans.

It’s only 2 DHCP servers.  10.1.1.1 and 10.1.1.2 run the Windows Server DHCP clustering service, so I have to put both IPs in for failover reasons.


What I am initially trying to do is ensure no rogue DHCP servers can be put on the network.


The uplink port is 1:57 (parent of a LACP load sharing link 1:57,2:57,4:57,5:57 to both X690 core stacks running MLAG over those sharing ports).

The servers are all directly into the core switches, so I basically can trust anything on the core switches if that matters.  Nothing in the core switch is plugged into any employee accessible wall jack.  That’s only in the data room.

Is there another way about doing this?


Keith9
Contributor III

To add arp protection to the above example, is this all I would need?


enable ip-security arp validation vlan VL7 ports 4:25 violation-action drop-packet snmp-trap
enable ip-security arp validation vlan VOICE ports 4:25 violation-action drop-packet snmp-trap

Then they couldn’t arp spoof and do a MITM attack?  Are those commands effective enough?

Keith9
Contributor III

Never mind, I did a disable port 4:25 and then an enable port 4:25

I then saw the voice entry.  Still didn’t see the PC in the VL7 entry so I ran cmd as admin and ran psexec -s \\computername ipconfig /renew and then I checked again and sure enough the entry showed.


The next step I want to do prior to migrating from our Cisco stack to this is test arp inspection.  On Cisco it works hand in hand with the dhcp-snooping.  I want to prevent arp poisoning.  Worked well after we implemented it on Cisco because one year a white hat hacker we paid did a pen test and arp spoofed and did a MITM and gave us screen shots and a run down of smb shares he was able to access.  We added the arp spoofing protection and then the next year when they came in to do a pen test, they got nothing.  We definitely do not want to lose that functionality moving from Cisco to Extreme.

The last question I have besides tying this into rogue DHCP server protection, ARP inspection and protection is what about static assigned devices such as our printers, monitoring equipment, etc.  Just don’t apply these ip-security commands to those ports?  I guess that’s the easy way.  That plus mac security will stop casual insiders from unplugging a printer and connecting in to do an arp spoof (plus they would have to know that we didn’t protect those ports in that way).  On the Cisco side there was an ip bindings command.  A real PITA but it was more secure.  In some areas where they like to play “Musical Chairs” we just trusted those ports.

Keith9
Contributor III

OK, so it’s been a day and I still don’t see any entries for voice or data (VL7) vlans on one of the test ports.


Here are the commands involved for test port 4:25

enable ip-security dhcp-snooping vlan VL7 port 4:25 violation-action drop-packet snmp-trap
enable ip-security dhcp-snooping vlan VOICE port 4:25 violation-action drop-packet snmp-trap

and towards the uplink port on the switch

enable ip-security dhcp-snooping vlan Default port 1:57 violation-action none
enable ip-security dhcp-snooping vlan GUEST-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan MDM-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL2 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL3 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL5 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL6 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL7 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL8 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VOICE port 1:57 violation-action none
configure trusted-ports 1:57 trust-for dhcp-server


(Pretty sure I only need it on the parent uplink port of this lag)

Load Sharing Monitor
Config    Current Agg     Min    Ld Share        Ld Share  Agg Link  Link Up
Master    Master  Control Active Algorithm Flags Group     Mbr State Transitions
================================================================================
  1:57   1:57     LACP       1    L3_L4     A     1:57      Y     A       1
                                  L3_L4           2:57      Y     A       1
                                  L3_L4           4:57      Y     A       1
                                  L3_L4           5:57      Y     A       1
================================================================================

sh ip-security dhcp-snooping vlan VL7
DHCP Snooping enabled on ports: 4:25, 1:57
Trusted Ports: 1:57
Trusted DHCP Servers: None
Bindings Restoration     : Enabled
Bindings Filename        : 1600md-access-c.xsf
Bindings File Location   :
         Primary Server  : 10.1.0.4, TFTP
         Secondary Server: None
Bindings Write Interval  : 30 minutes
Bindings last uploaded at: Fri Mar 19 09:28:57 2021

------------------------------------
Port            Violation-action
------------------------------------
4:25            drop-packet, snmp-trap

sh ip-security dhcp-snooping entries VL7
------------------------------------------------------------------
Vlan: VL7
------------------------------------------------------------------
                                    Lease Time    Server    Client
IP Addr         MAC Addr            (hh:mm:ss)    Port      Port
-------         --------            ----------    ------    ------

Total number of entries : 0

sh ip-security dhcp-snooping entries VOICE
------------------------------------------------------------------
Vlan: VOICE
------------------------------------------------------------------
                                    Lease Time    Server    Client
IP Addr         MAC Addr            (hh:mm:ss)    Port      Port
-------         --------            ----------    ------    ------

Total number of entries : 0
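A small audit of the two show commands quoted above, added here as an example and not part of the original thread: it parses the VLAN status and the bindings table (constructed sample output in the same layout, not captured from a real switch) and reports snooped edge ports that still have no binding, plus any binding whose server-side port is not a trusted port.

```python
import re
# Constructed sample output in the layout of the two EXOS show commands quoted in
# this thread (not captured from a real switch): VLAN status, then the bindings table.
SNOOPING_STATUS = """\
DHCP Snooping enabled on ports: 4:25, 4:27, 1:57
Trusted Ports: 1:57
Trusted DHCP Servers: None
"""
ENTRIES = """\
------------------------------------------------------------------
Vlan: VL7
------------------------------------------------------------------
                                    Lease Time    Server    Client
IP Addr         MAC Addr            (hh:mm:ss)    Port      Port
-------         --------            ----------    ------    ------
10.7.0.21       00:11:22:33:44:55   03:59:10      1:57      4:25
10.7.0.22       00:11:22:33:44:66   00:02:05      1:57      4:26
10.7.0.23       00:11:22:33:44:77   00:59:59      4:30      4:26

Total number of entries : 3
"""
BINDING_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<lease>\d\d:\d\d:\d\d)\s+(?P<server_port>\S+)\s+(?P<client_port>\S+)\s*$", re.I)

def parse_bindings(text):
    """One dict per binding row of 'show ip-security dhcp-snooping entries <vlan>'."""
    return [m.groupdict() for line in text.splitlines() if (m := BINDING_RE.match(line))]

def parse_ports(text):
    """(snooping ports, trusted ports) from 'show ip-security dhcp-snooping vlan <vlan>'."""
    def port_list(label):
        m = re.search(rf"^{label}:\s*(.*)$", text, re.M)
        items = [p.strip() for p in m.group(1).split(",")] if m else []
        return [p for p in items if p and p != "None"]
    return port_list("DHCP Snooping enabled on ports"), port_list("Trusted Ports")

def untracked_ports(status_text, entries_text):
    """Untrusted snooped ports with no binding yet: the client there has not done a
    DHCP exchange through the switch since snooping was enabled (what this thread saw)."""
    snooped, trusted = parse_ports(status_text)
    bound = {b["client_port"] for b in parse_bindings(entries_text)}
    return sorted(p for p in snooped if p not in trusted and p not in bound)

def rogue_server_bindings(status_text, entries_text):
    """Bindings whose server-side port is not trusted: the lease came from a DHCP
    server on a port the switch was never told to trust (possible rogue server)."""
    _, trusted = parse_ports(status_text)
    return [b for b in parse_bindings(entries_text) if b["server_port"] not in trusted]
```

A binding from an untrusted server port is only expected where the violation action is none, as on the uplink VLANs above; where it is drop-packet the server's reply is dropped instead of creating a binding.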
Keith9
Contributor III

Thanks that worked to remove those trusted servers.


By everything on the core is trusted I mean there is no dhcp snooping going on at all.  The only thing on the core that has anything to do with dhcp is the bootprelay commands taking our vlans and pointing them to our dhcp servers.

Really what I mean about everything trusted at the core is nobody has access to plug anything in there.  Nothing on the core switch ports are patched to a patch panel where a regular person would have access.  To plug into the core they would need to break into the computer room, and that would set off security and also text us that the door was open.

I’ll play with this a bit more.


Stefan_K_
Valued Contributor

Yes. You either configure a trusted port or a DHCP server per VLAN.

Note that you also have to enable DHCP-snooping. 

More information: How To: How to configure DHCP Snooping on EXOS | Extreme Portal (force.com) 

Not sure if this is the right approach. Afaik you only need to configure the edge switches. (If you meant that all ports on the core are configured as trusted ports)

Can’t test it right now, but I would try

configure trusted-servers vlan Default delete server 10.1.1.1

or similar.

(That’s the Extreme roulette - you never know if it’s unconfigure, delete… 🙂)
