cancel
Showing results for 
Search instead for 
Did you mean: 

EXOS how to add dhcp security to many vlans?

EXOS how to add dhcp security to many vlans?

Keith9
Contributor II

I have a 5 stack 5520 switch with multiple vlans on it.  I’m trying to program in the trusted DHCP servers for the vlans.

 

Here is the commands I’m pasting in

configure trusted-ports 1:57 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.2 trust-for dhcp-server

But after I get to the first 10.1.1.2 IP address above, i get this after the rest of the commands:

Error: No more than 8 trusted DHCP servers can be configured across all vlans.

Its only 2 DHCP servers.  10.1.1.1 and 10.1.1.2 run the Windows Server DHCP clustering service, so I have to put both IP’s in for failover reasons.


What I am initially trying to do is ensure no rouge dhcp servers can be put on the network.


The uplink port is 1:57 (parent of a lacp load sharing link 1:57,2:57,4:57,5:57 to each both X690 core stacks running mlag over those sharing ports).

The servers are all directly into the core switches, so I basically can trust anything on the core switches if that matters.  Nothing in the core switch is plugged into any employee accessible wall jack.  Thats only in the data room.

Is there another way about doing this?

10 REPLIES 10

Tomasz
Valued Contributor II

Hi Keith,

 

If your goal is just to get rid of unwanted DHCP traffic, I’d recommend the approach I mentioned. I can arrange some online meeting to show and tell, as I’m just about to apply this approach in my small lab environment (aim to turn it into a reference design for my potential deployments if I had any lol). You can also take a class, ECS Extreme Control (or two topics within ECS Extreme Management Center) might be relevant, but before you spend any money take a look if that’s what you’re looking for.

If you aim to also get ARP validation, I didn’t play with it that much, perhaps static ARP entries could feed the process for statically addressed devices?

However, in the end MAC/IP pair can also be spoofed, then if you aim to prevent MitM, my predictions are you might need some professional tool of a kind (such as IPS systems), depending on the budget. In the meantime (or for just some damage control) I’d consider to deeply review all other security best practices for a network. I’m not an IT Security expert however… Interested to see more opinions in this thread.

 

Hope that helps,

Tomasz

Keith9
Contributor II

I’d love to, I just don’t know how to even begin to configure or setup that without making a mistake and causing an outage or trouble tickets with end users.

 

Right now I can have dhcp trusted on ports facing that server, that works.  I can have arp validation on and that works for any device that uses DHCP to get an IP address, but I can’t use any arp validation on ports with static IP's like printers or special devices like UPS’s, PDU’s, etc…

 

For example, I have a printer with a static IP address of 10.2.2.145 in vlan VL2 on port 2:22.
If I have this command on:
enable ip-security dhcp-snooping vlan VL2 port 2:22 violation-action drop-packet snmp-trap
the printer is not reachable and the log is spammed with messages like this:
03/22/2021 14:08:51.64 <Warn:ipSecur.drpPkt> Slot-1: ARP violation occurred on port 2:22. Packet was dropped.
03/22/2021 14:08:51.64 <Warn:ipSecur.arpViol> Slot-1: An ARP violation was detected on vlan VL2 port 2:22 violating IP 10.2.2.145 violating MAC 00:26:AB:7B:42:66 violation type Invalid IP-MAC Binding

The second I run:
Disable ip-security dhcp-snooping vlan VL2 port 2:22 violation-action drop-packet snmp-trap
The ping starts to respond.

I then tried an ip-security source-ip-lockdown command reccomended by gtac.


While the continuous ping is running if I enter
enable ip-security source-ip-lockdown port 2:22
the ping immediately ceases until I run
disable ip-security source-ip-lockdown

So I guess we can only do arp spoofing protection on ports where devices do DHCP?

I recognize we could go entirely DHCP and use DHCP reservations for many things, but without redoing the entire network and re-IP'ing all printers or unique devices, whats the solution here?  Sure a dynamic policy via nac and netsight is the holy grail, but like I said I’m not even sure how to get started.  Do they have an online class I can take?

 

Tomasz
Valued Contributor II

Hi Keith,

 

Just some food for thoughts regarding unwanted DHCPs, what if you implemented authentication-based or staticly applied Policy feature with zero trust/least privilege approach? All ports deny all, permit just what they need (e.g. Printer, AP, Phone, HR, CxO, Admins, Guests etc.), disable unused ports. Then they’d be only allowed to call DHCP server for IP assignment. If any policy on the DC side, a policy for DHCP server to permit DHCP Client as a destination port of course. 😉

Regarding MitM, I’m afraid some sophisticated approach is needed. Even pure IEEE 802.1X authentication might be exploited by MitM (a “pass through” device that allows the client to authenticate, then sends packets into the network with the same SMAC and SIP - that’s why VLAN separation + Policy with zero trust approach might be helpful for damage control - and Policy instead of ACL just because it’s much easier to deploy and maintain).

 

Hope that helps,

Tomasz

Keith9
Contributor II

The more I’m diving into this the more confused I’m getting.

 

Do I also need this?

enable ip-security arp learning learn-from-dhcp vlan VL7 ports 4:25
enable ip-security arp learning learn-from-dhcp vlan VOICE ports 1:1-48,2:1-48,3:1-48,4:1-48,5:1-48

 

I mean is that what makes the connection between dhcp-snooping and arp? In the Cisco switches, you had to have dhcp-snooping on and running for a while then you could enable the arp protection.  But this is a new switch so I want to put it all on at once because as a device moves to it, it will do a dhcp request when its reconnected to the new port.

 

I just want to make sure of two things.

  1. no possibility for rouge dhcp servers
  2. no possibility for arp spoofing attacks

In those two requirements, though 90% of the network is DHCP, the remaining are static IPs, so I need a solution for such.

What about this command:
enable ip-security arp gratuitous-protection <vlan name>

 

What exactly is that doing?

GTM-P2G8KFN