Tuesday, August 20, 2013

Configure DHCP Snooping on a Cisco Catalyst Switch



“At work I've got a Cisco 3750 switch and a few end devices which, of course, are company proprietary, connected to this switch in a separate VLAN. Now these end devices generate DHCP traffic ("request") and it is being propagated across all the sites where these devices are connected.

Now I've been reading stuff about DHCP snooping features, which is great, but in this instance these end devices don't have a DHCP server. In this scenario all these end devices have got static IP addresses allocated.

Also, my senior engineer, being very narrow minded, wants me to implement this change only on the interface level and not on the configuration level.

Can someone please confirm if I can just enable "ip dhcp snooping trust" on the interface level, which I believe will stop the DHCP traffic?”

The above question is about DHCP snooping configuration. Here we list some related tech tips and examples in response.

Every example in the response post has been tested in a lab environment with a Cisco 3550, Infoblox DHCP servers, a Netgear router as a "rogue" dhcp server, and a MacBook Pro as a client. The 3550 is configured with ip routing and a layer 3 interface on the subnet where the DHCP servers are located (10.0.10.0/24). VLAN 20 has been created on the 3550 with an interface ip address of 10.0.20.254/24. All the DHCP server configuration and helper addresses were tested and working prior to implementing DHCP snooping to eliminate any doubt as to whether the DHCP snooping configuration is working or not. So, let's get started.

For DHCP snooping to work, you have to enable it globally. That is done with the following global configuration command:
Switch(config)#ip dhcp snooping

You also have to tell the switch which VLANs to monitor. In a production environment, this would be the client VLANs, not a transit VLAN that leads to the rest of the network. This is done with the following command:
Switch(config)#ip dhcp snooping vlan 20

At this point DHCP snooping is configured and enabled. There are several default settings that can be modified later, but those can be dealt with after we verify things are working. Here is the basic show command to verify DHCP snooping is working (specifically the top few lines):
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------

Once you verify DHCP snooping is working, you can verify DHCP lease information starts to populate the DHCP snooping binding table on the switch with the following command:
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:2C:DD:09:D1:CD   10.0.20.28       28781       dhcp-snooping   20    FastEthernet0/13
Total number of bindings: 1

If you have a DHCP server plugged into a switch with DHCP snooping enabled, or if you have a layer 2 LAN port connected to an upstream switch where the DHCP server resides, you'll have to trust that port. To do this, enter the following command in interface configuration mode:
Switch(config-if)#ip dhcp snooping trust

Any DHCP responses that come from an untrusted port (all the other ports) will simply be dropped without any notification. To test this out, after this was all configured and working, I connected a Netgear router with DHCP enabled into another VLAN 20 access port on the 3550. I forced a DHCP request to be sent out by the client and nothing happened. No log messages or warnings, nothing. Just to be sure the rogue DHCP server was working, I disabled snooping and unplugged the 3550 uplink to the production network. The client received a 192.168.1.2 IP address immediately. I released the IP, reconfigured snooping and tested again. The client received an IP from the authorized DHCP server and nothing happened with the fake DHCP server port.

I wish the switch was smart enough to put the switch-port connected to the rogue DHCP server into err-disable mode, but at least it stops the unauthorized DHCP server from actually handing out IP leases.

This concludes the basic DHCP snooping configuration. For additional information regarding DHCP snooping configuration options, check out these links:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/relea...
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/conf...
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/na...

Also, for reference, here are the relevant parts of my 3550 lab configuration:
interface FastEthernet0/1
 description Layer 3 uplink to production network
 no switchport
 ip address 10.0.10.253 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet0/12
 description Rogue DHCP server
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13
 description Client
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
 ip helper-address 10.0.10.106
 ip helper-address 10.0.10.107

One final thought. If you are rolling this out into production, be sure to do so during a change window and test a client DHCP request with ipconfig /release and ipconfig /renew to be sure it can get an IP address and it shows up in the binding table.
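As an added verification aid (not from the original post), the following Python script parses the output of the two show commands used above, `show ip dhcp snooping` and `show ip dhcp snooping binding`, and flags deviations from the intended design: snooping disabled, the client VLAN configured but not operational, a trusted port outside your allowlist (a hole through which a rogue server's offers would be accepted), or the test client missing from the binding table. The sample output is constructed; the trusted FastEthernet0/24 is a hypothetical L2 uplink and not part of the post's lab, which had no trusted ports.

```python
"""Post-change check of DHCP snooping state parsed from IOS show output (added example)."""
import re

# Constructed sample output; FastEthernet0/24 is a hypothetical trusted L2 uplink (the post's lab had none).
SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
FastEthernet0/24             yes         unlimited
"""
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:2C:DD:09:D1:CD   10.0.20.28       28781       dhcp-snooping   20    FastEthernet0/13
Total number of bindings: 1
"""
TRUST_RE = re.compile(r"^([A-Za-z][\w/.-]*\d)\s+(yes|no)\b")
BIND_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)")

def _vlan_set(spec):
    """Expand an IOS VLAN list such as '20,30-32' ('none' -> empty) into a set of ints."""
    parts = [p.partition("-") for p in spec.replace(" ", "").split(",") if p and p != "none"]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_snooping(text):
    """Return the global flag, configured/operational VLAN sets and trust state per port."""
    lines = [l for l in text.splitlines() if l.strip()]  # drop blank lines
    st = {"enabled": False, "configured": set(), "operational": set(), "trusted": {}}
    for i, ln in enumerate(lines):
        st["enabled"] |= ln.startswith("Switch DHCP snooping is enabled")
        for key in ("configured", "operational"):
            if ln.startswith(f"DHCP snooping is {key} on following VLANs:"):
                st[key] = _vlan_set(lines[i + 1])  # the VLAN list is on the next line
        m = TRUST_RE.match(ln)
        if m:
            st["trusted"][m.group(1)] = m.group(2) == "yes"
    return st

def parse_bindings(text):
    """Return (mac, ip, vlan, interface) for each row of the binding table."""
    rows = [BIND_RE.match(l) for l in text.splitlines()]
    return [(m.group(1).upper(), m.group(2), int(m.group(3)), m.group(4)) for m in rows if m]

def verify(snoop, bindings, client_vlan, allowed_trusted, test_mac):
    """Compare parsed state with the intended design; an empty list means pass."""
    out = []
    if not snoop["enabled"]:
        out.append("DHCP snooping is not enabled globally")
    if client_vlan not in snoop["configured"]:
        out.append(f"VLAN {client_vlan} is not configured for snooping")
    elif client_vlan not in snoop["operational"]:
        out.append(f"VLAN {client_vlan} is configured but not operational")
    trusted = {p for p, t in snoop["trusted"].items() if t}
    for p in sorted(set(allowed_trusted) - trusted):
        out.append(f"{p} is the DHCP server path but untrusted: offers will be dropped")
    for p in sorted(trusted - set(allowed_trusted)):
        out.append(f"{p} is trusted but not allowlisted: a DHCP server there is accepted")
    client = [b for b in bindings if b[0] == test_mac.upper()]
    if not client:
        out.append(f"no binding for test client {test_mac}: its lease was not snooped")
    out += [f"test client bound on VLAN {b[2]}, expected {client_vlan}" for b in client if b[2] != client_vlan]
    return out
```

Run `verify(parse_snooping(show1), parse_bindings(show2), 20, {"FastEthernet0/24"}, "aa:2c:dd:09:d1:cd")` against captured output; an empty list is the pass condition for the change window.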

Notes: This configuration was tested in a lab environment. If you use this configuration to modify a production environment, you do so at your own risk. The information in this post is provided as an example so you can custom tailor it to your own network. Don't blame me if this information is misused and causes an outage to production systems.


More Related Cisco Tech Tips:

Friday, August 9, 2013

Configure a Cisco Router to be a Frame Relay Switch

If you are studying for the TSHOOT exam, it is a good idea to familiarize yourself with the topology. I've been working on creating a lab that mimics the TSHOOT topology, and it has forced me to recall how to set up a Cisco router to act like a Frame Relay switch.

Here is the topology that I've built. As you can see, it closely resembles the topology that Cisco has provided on their site. Since their doc doesn't provide specific DLCIs, I've used the most logical numbers I could think of.

The first step in configuring a Cisco router to act like a frame relay switch is to enable frame relay switching:
FR(config)#frame-relay switching

Once enabled, you then configure the serial interfaces connected to the other routers.
interface Serial0/0
 description Link to R4
 no ip address
 encapsulation frame-relay
 clock rate 64000
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 403 interface Serial0/1 304
!
interface Serial0/1
 description Link to R3
 no ip address
 encapsulation frame-relay
 clock rate 64000
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 302 interface Serial0/2 203
 frame-relay route 304 interface Serial0/0 403
!
interface Serial0/2
 description Link to R2
 no ip address
 encapsulation frame-relay
 clock rate 64000
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/3 102
 frame-relay route 203 interface Serial0/1 302
!
interface Serial0/3
 description Link to R1
 no ip address
 encapsulation frame-relay
 clock rate 64000
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/2 201

Then all you need to do is configure the other routers and connect them to your "switch". Here are the configs for the other router serial interfaces for reference:
!R1
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.12 point-to-point
 ip address 10.1.1.1 255.255.255.252
 frame-relay interface-dlci 102

!R2
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.12 point-to-point
 ip address 10.1.1.2 255.255.255.252
 frame-relay interface-dlci 201  
!
interface Serial0/0.23 point-to-point
 ip address 10.1.1.5 255.255.255.252
 frame-relay interface-dlci 203  

!R3
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.23 point-to-point
 ip address 10.1.1.6 255.255.255.252
 frame-relay interface-dlci 302  
!
interface Serial0/0.34 point-to-point
 ip address 10.1.1.9 255.255.255.252
 frame-relay interface-dlci 304

!R4
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.34 point-to-point
 ip address 10.1.1.10 255.255.255.252
 frame-relay interface-dlci 403  
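
The route statements on the switch must pair up: each `frame-relay route` needs a mirror entry on the egress interface, or the PVC carries traffic in one direction only. As an added example (not from the original post, and not a Cisco tool), this Python script parses the switch-side `frame-relay route` lines shown above and reports any PVC without a return route, as well as any DLCI routed twice on the same interface; the sample config is constructed from the post's route lines, with the other interface commands left out.

```python
"""Consistency check for a Cisco router acting as a Frame Relay switch (added example)."""
import re

# Constructed sample: the description and frame-relay route lines from the post's
# switch config; the other interface commands are omitted as irrelevant here.
FR_SWITCH_CONFIG = """\
interface Serial0/0
 description Link to R4
 frame-relay route 403 interface Serial0/1 304
!
interface Serial0/1
 description Link to R3
 frame-relay route 302 interface Serial0/2 203
 frame-relay route 304 interface Serial0/0 403
!
interface Serial0/2
 description Link to R2
 frame-relay route 201 interface Serial0/3 102
 frame-relay route 203 interface Serial0/1 302
!
interface Serial0/3
 description Link to R1
 frame-relay route 102 interface Serial0/2 201
"""
ROUTE_RE = re.compile(r"^\s*frame-relay route (\d+) interface (\S+) (\d+)\s*$")

def parse_routes(config):
    """Return a set of (in_if, in_dlci, out_if, out_dlci) from `frame-relay route` lines."""
    routes, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]  # interface that the following indented lines belong to
        m = ROUTE_RE.match(line)
        if m and current:
            routes.add((current, int(m.group(1)), m.group(2), int(m.group(3))))
    return routes

def find_one_way_pvcs(routes):
    """Routes with no mirror entry: frames get in but replies have no path back.

    A PVC in -> out on the switch needs the matching out -> in statement, e.g.
    `route 403 interface Serial0/1 304` on S0/0 needs `route 304 interface Serial0/0 403` on S0/1.
    """
    return sorted(r for r in routes if (r[2], r[3], r[0], r[1]) not in routes)

def find_dlci_conflicts(routes):
    """(interface, DLCI) pairs routed more than once; a DLCI is local to a single interface."""
    keys = [(in_if, in_dlci) for in_if, in_dlci, _, _ in routes]
    return sorted({k for k in keys if keys.count(k) > 1})

if __name__ == "__main__":
    routes = parse_routes(FR_SWITCH_CONFIG)
    print("one-way PVCs:", find_one_way_pvcs(routes))
    print("DLCI conflicts:", find_dlci_conflicts(routes))
```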

References used for this configuration are as follows:
Cisco Press Book - Cisco Frame Relay Configurations Chapter (ciscopress.com)
Comprehensive Guide to Configuring and Troubleshooting Frame Relay (cisco.com)
TSHOOT Topology PDF (cisco.com)
---From http://tekcert.com/

More Cisco Tech Tips:

Friday, August 2, 2013

Cisco 881 STILL HERE for Five Types of Offices



The Cisco 881 is STILL HERE after the EoL and EoS notices for the main Cisco 800 Series items. The Cisco 880 Series is ideally suited for deployment in a small office, or in a small office that is part of a large network, most often with a secure VPN connection.
These types of offices can include the following:
• Small remote office: The Cisco 880 Series can connect users in a small remote office, such as an insurance, lawyer, or sales office. When connecting to the main office, VPN encryption and integrated security such as firewall and intrusion prevention protect the network at the perimeter. The Cisco 880 with the Cisco Unified Border Element Series can also support connection to SIP trunking voice-over-IP (VoIP) services provided by the service provider. Additionally, IT managers can centrally manage the remote site to quickly troubleshoot any network problems. For added reliability, customers can also use the integrated 3G or ISDN backup or connect through an external modem if the primary broadband link fails. Integrated secure unified WLAN connectivity simplifies the deployment and management devices at the remote site. Redundant WAN links offer business continuity, enabling nondisruptive business operation.
• Virtual office: The Cisco 880 Series is ideal for corporate teleworkers who have a mix of broadband connection types such as DSL, 3G, and Metro Ethernet. The Cisco 880 Voice gateway and SRST Series provides a secure virtual office with all the collaborative services such as data, voice, and fax services. SRST helps ensure voice services are operational in case of WAN link failure, and redundant WAN links help ensure business continuity. QoS features in the Cisco 880 Series allow for connection of an IP or analog phone to the router, giving voice traffic precedence over data applications. Integrated WLAN support in the Cisco 880 Series helps ensure that if wireless connectivity is used it is secure. (Refer to the Cisco Virtual Office Solution, http://www.cisco.com/go/cvo, for more information.)
• Remote call-center agent: Similar to teleworking applications, this solution extends the Cisco IP Contact Center solution for telephone call-center agents to remote sites. With a high-quality, secure connection through the Cisco 880 Series, call-center agents can be dispersed away from costly call-center facilities while maintaining secure and productive voice and data access in their homes. SRST and business-continuity solutions in the Cisco 880 Series provide reliability and continuous business operation. Alternatively, the remote call-center agent can be provided with SIP trunking service with service demarcation provided by Cisco Unified Border Element features and the central call center can forward calls to the remote call-center agent through the remote-office SIP trunk.
• Retail VPN: Retail stores migrating from dialup connections for point-of-sale transactions can use the Cisco 880 Series to take advantage of low-cost broadband access with the required security to comply with payment-card-industry (PCI) and other data security requirements. They can then add multiple devices and applications to the store network to take advantage of the increased bandwidth and also incorporate optional WLAN support to enable secure mobility and enhance productivity.
• Managed services: Service providers and value-added resellers can use the Cisco 880 Series as a platform to offer differentiated business-class security, voice, and WLAN services for small business customers. With built-in analog and digital voice ports and the ability to upgrade to a 5 user Cisco Unified Communications Manager Express IP PBX, service providers can now offer all the Unified communications benefits to small and medium businesses. The SIP trunking connectivity features of the Cisco 880 with Cisco Unified Border Element Series Router can provide the high-quality VoIP service needed through the service provider cloud.

Deployment Scenarios with a Cisco 880 Series
Here we list the main features and benefits of the Cisco 880 Series Integrated Services Routers.
Feature / Benefit
Increased performance to run concurrent services
• Cisco 880 Series Router performance allows customers to take advantage of broadband network speeds while running secure, concurrent data, voice, video, and wireless services.
Enhanced security
• An integrated stateful and application inspection firewall provides network perimeter security.
• High-speed IPsec 3DES and AES encryption offers data privacy over the Internet.
• Intrusion prevention enforces security policy in a larger enterprise or service provider network.
• Content filtering offers category-based URL classification and blocking, thus providing increased productivity and better use of company resources.
WAN diversity
• Multiple WAN links include Fast Ethernet, multimode VDSL2/ADSL2/2+, multimode G.SHDSL, 3G, and ISDN.
Redundant WAN links
• Redundant WAN links provide business continuity and WAN diversity.
Four-port 10-/100-Mbps managed switch
• The Cisco 880 Series allows for connection of multiple devices in a small office, with the ability to designate a port as the network edge.
• An optional external PoE adapter powers IP phones and external access points to avoid individual power supplies or power injectors.
• VLANs allow for secure segmentation of network resources.
CON/AUX port
• A single dual-purpose port provides direct connection to a console or external modem for management or backup access points.
Optional 802.11g/n access point
• This broadband router offers a secure integrated access point in a single device.
• This integrated Wi-Fi access point offers IEEE 802.11n 2.0 standard support for mobile access to high-bandwidth data, voice, and video applications through the use of multiple-input, multiple-output (MIMO) technology that provides increased throughput, reliability, and predictability.
• The Cisco 880 Series supports both autonomous and unified modes.
Real-time clock
• A built-in real-time clock maintains an accurate date and time for applications that require an accurate time stamp, such as logging and digital certificates.
Voice Gateway (supported on 881V and 887VA-V voice models)
• Provides voice gateway functionality with the ability to upgrade to a 5-user Cisco Unified Communications Manager Express or 5-user SRST.
SRST (supported on SRST voice models)
• SRST provides business continuity for voice when the WAN link fails by switching calls to the PSTN.
Cisco Unified Border Element (supported on Cisco Unified Border Element voice models)
• Support for SIP trunk connectivity, including demarcation and interworking, is based on a Cisco Unified Border Element feature license.
• Transcoding of media is not supported on the Cisco 880 Series Cisco Unified Border Element feature set.
Cisco Configuration Professional
• Cisco Configuration Professional uses smart wizards and task-based tutorials, which resellers and customers can use to quickly and easily deploy, configure, and monitor a Cisco access router without requiring knowledge of the Cisco IOS Software command-line interface (CLI).
Unified wireless management
• Configuration and management of access points is automated and simplified without manual intervention.
• A unified hybrid remote-edge access point (HREAP) provides the following:
  • WLAN services to remote and branch offices without deploying a WLAN controller at each location
  • Central configuration and control of unified WLAN services for remote offices through a WAN link
  • Flexibility in setting up wireless access at remote locations by specifying how traffic is to be bridged or tunneled

A Summary of Cisco 880 Series Router
Cisco 880 Series Integrated Services Routers combine increased network performance with advanced security to allow small-office customers to get the most from their broadband connections for both data and voice applications. With models supporting different broadband technologies such as DSL, 3G, and Metro Ethernet, the Cisco 880 Series can be deployed at any small-office location. Optional integrated 802.11g/n wireless capabilities provide true business-class WAN and WLAN access in a single solution. With the Cisco 880 Series, enterprise IT managers and service providers can take advantage of a solution that can be easily set up at the remote site and can be centrally managed to reduce ongoing operational costs.

Here let's have an overview of the Cisco 881/K9:
The Cisco 881-K9, a popular Ethernet security router, provides collaborative business solutions for secure voice and data communication to small businesses and enterprise teleworkers. The Cisco 881-K9 router delivers features, including firewall, content filtering, VPNs, and WLANs, at broadband speeds to small offices. Easy deployment and centralized management features enable the Cisco 881/K9 to be deployed by enterprises or service providers in small branch offices or small businesses.

General features of the Cisco 881/K9:
Device Type: Router - 4-port switch (integrated)
Enclosure Type: Desktop
Connectivity Technology: Wired
Data Link Protocol: Ethernet, Fast Ethernet
Capacity: IPSec VPN tunnels: 20
Network / Transport Protocol: L2TP, IPSec, DHCP, DNS, L2TPv3, DDNS
Routing Protocol: RIP-1, RIP-2, HSRP, VRRP, GRE, policy-based routing (PBR)
Remote Management Protocol: Telnet, SNMP 3, HTTP, HTTPS, FTP, SSH, CLI
Encryption Algorithm: LEAP, DES, Triple DES, MD5, SSL, TLS, PEAP, TTLS, TKIP, WPA, WPA2, WPA-PSK, PKI, 128-bit AES, 192-bit AES, 256-bit AES
Authentication Method: RADIUS, TACACS+
Features: Firewall protection, DHCP support, NAT support, VLAN support, auto-uplink (auto MDI/MDI-X), Stateful Packet Inspection (SPI), MAC address filtering, High Availability, Class-Based Weighted Fair Queuing (CBWFQ), Weighted Fair Queuing (WFQ), Virtual Route Redundancy Protocol (VRRP) support, Access Control List (ACL) support, Quality of Service (QoS), DHCP server, DNS proxy
Compliant Standards: IEEE 802.1D, IEEE 802.1Q, IEEE 802.1x
RAM: 256 MB (installed) / 768 MB (max) - DDR2 SDRAM - SO DIMM 200-pin
Flash Memory: 128 MB
Status Indicators: Port status, power
Interfaces: LAN: 4 x 10Base-T/100Base-TX - RJ-45 ¦ Management: 1 x console - RJ-45 ¦ WAN: 1 x 10Base-T/100Base-TX - RJ-45 ¦ USB: 1 x 4 PIN USB Type A
Expansion Slots Total (Free) 1 (1) x ExpressCard ¦ 1 (1) x memory - SO DIMM 200-pin
Power Device: Power adapter - external - 60 Watt
Voltage Required: AC 120/230 V (50/60 Hz)
Compliant Standards: IEC 61000-3-2, VCCI-II, EN55024, EN55022 Class B, ICES-003 Class B, AS/NZS 60950-1, CS-03, EN 60555-2, UL 60950-1, IEC 60950-1, FCC CFR47 Part 15 B, CSA C22.2 No. 60950-1
OS Provided: Cisco IOS Advanced Security

For more Cisco 880 information, such as Cisco 880 Series data models, Cisco IOS Software support, system specifications, DSL specifications, etc., see:
Cisco 880 Series Integrated Services Routers Data Sheet
http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78_459542_ps380_Products_Data_Sheet.html
Cisco 800 Series Routers: End-of-Life and End-of-Sale Notices
http://www.cisco.com/en/US/products/hw/routers/ps380/prod_eol_notices_list.html
