ACFrOgC B3yylYbk-of8x9 YBdxTjBNXvzCxp9LvWXGHScoJpHvAMJn6yALLe4KudqsbAIxDehvisq2kVPPrgKfnPFxzTggnyAZpSCw5LaprghnbTetGV4WGC-NRyGJt0wc 29SQvYTJfVisTAky

www.youtube.
com/shahinazelkasrawy
Chapter #7
Volume #2
www.facebook.com/eng.shahinaz
www.youtube.com/shahinazelkasrawy
Implementing DHCP
In This Chapter
▪ 1.0 Network Fundamentals

▪ 1.10 Identify IP parameters for Client OS (Windows,
▪ Mac OS, Linux)
▪ 4.0 IP Services
▪ 4.3 Explain the role of DHCP and DNS within the
▪ network
▪ 4.6 Configure and verify DHCP client and relay
Dynamic Host Configuration Protocol (DHCP)
• the vast majority of user devices learn their IPv4 settings using
DHCP
• resulting in fewer user errors.
• DHCP allows both the permanent assignment of host addresses,
but more commonly, DHCP assigns a temporary lease of IP
addresses
• Without DHCP, the user would have to ask for information about
the local network and configure settings manually
4
DHCP Concepts
• As a DHCP client, the host begins with no IPv4 settings— no

IPv4 address, no mask, no default router, and no DNS server IP
addresses.
DHCP uses the following four messages between the

client and server
• Discover: Sent by the DHCP client to find a willing DHCP

server
• Offer: Sent by a DHCP server to offer to lease to that client a
specific IP address (and inform the client of its other parameters)
• Request: Sent by the DHCP client to ask the server to lease the
IPv4 address listed in the Offer message
• Acknowledgment: Sent by the DHCP server to assign the
address and to list the mask, default router, and DNS server IP
addresses 6
“ ▪ 0.0.0.0: An address reserved for

use as a source IPv4 address for
hosts that do not yet have an IP
address.
▪ 255.255.255.255: The local
broadcast IP address. Packets
sent to this destination address
are broadcast on the local data
link, but routers do not forward
them.
7
DHCP Discover and Offer
Supporting DHCP for Remote Subnets with DHCP Relay
• The ip helper-address server-ip subcommand tells the router to do

the following for the messages coming in an interface, from a DHCP
client:
▫ 1. Watch for incoming DHCP messages, with destination IP
address 255.255.255.255.
▫ 2. Change that packet’s source IP address to the router’s
incoming interface IP address.
▫ 3. Change that packet’s destination IP address to the address of
the DHCP server (as configured in the ip helper-address
command).
9
▫ 4. Route the packet to the DHCP server.
“ ▪ This feature, by
which a router relays
DHCP messages by
changing the IP
addresses in the
packet header, is
called DHCP relay.
10
IP Helper Address Effect
11
IP Helper Address for the Offer Message Returned from the DHCP Server
12
Information Stored at the DHCP Server
• Subnet ID and mask: The DHCP server can use

• this information to know all addresses in the subnet. (The DHCP server knows to
not lease the subnet ID or subnet broadcast address.)
• Reserved (excluded) addresses: The server needs to know which addresses in
the subnet to not lease. This list allows the engineer to reserve addresses to be
used as static IP addresses. For example, most router and switch IP addresses,
server addresses, and addresses of most anything other than user devices use a
statically assigned IP address. Most of the time, engineers use the same
convention for all subnets, either reserving the lowest IP addresses in all subnets
or reserving the highest IP addresses in all subnets.
• Default router(s): This is the IP address of the router on that subnet.
13
• DNS IP address(es): This is a list of DNS server IP addresses.
Preconfiguration on a DHCP Server
14
DHCP uses three allocation modes
• Dynamic allocation refers to the DHCP mechanisms and

configuration described throughout this chapter. Another method
• automatic allocation, sets the DHCP lease time to infinite. As a
result, once the server chooses an address from the pool and
assigns the IP address to a client, the IP address remains with that
same client indefinitely.
• static allocation, preconfigures the specific IP address for a client
based on the client’s MAC address.
15
Configuring DHCP Features on Routers and Switches
• The CCNA 200-301 exam blueprint does not mention the DHCP
server function
16
Configuring DHCP Relay
• ip helper-address 172.16.2.11 interface subcommand
17
Configuring a Switch as DHCP Client
18
Verifying DHCP-Learned IP Address on a

Switch
19
Verifying DHCP-Learned Information on a Switch
20
Configuring a Router as DHCP Client
21
Host IP Settings on Windows
22
ipconfig and ipconfig/all
23
netstat -rn Command
24
Chapter #8
Volume #2
DHCP Snooping and ARP Inspection
In This Chapter
▪ 5.0 Security Fundamentals

▪ 5.7 Configure Layer 2 security features (DHCP
▪ snooping, dynamic ARP inspection, and port
▪ security)
27
DHCP SNOOPING
DHCP Snooping Concepts
• DHCP Snooping operates on LAN switches
DHCP Snooping Basics: Client Ports Are Untrusted
30
Rules
• DHCP messages received on an untrusted port, for messages

normally sent by a server, will always be discarded.
• DHCP messages received on an untrusted port, as normally sent
by a DHCP client, may be filtered if they appear to be part of an
attack.
• DHCP messages received on a trusted port will be forwarded;
trusted ports do not filter (discard) any DHCP messages.
31
A Sample Attack: A Spurious DHCP Server
• 1. PC1 sends a LAN broadcast

with PC1’s first DHCP message
(DHCPDISCOVER).
• 2. The attacker’s PC—acting as
a spurious DHCP
server—replies to the
DHCPDISCOVER with a
DHCPOFFER.
32
DHCP Snooping Logic
33
the DHCP Snooping rules
• 1. Examine all incoming DHCP messages.

• 2. If normally sent by servers, discard the message.
• 3. If normally sent by clients, filter as follows:
▫ 1. For DISCOVER and REQUEST messages, check for MAC address
consistency between the Ethernet frame and the DHCP message.
▫ 2. For RELEASE or DECLINE messages, check the incoming interface plus
IP address versus the DHCP Snooping binding table.
▫ 3. For messages not filtered that result in a DHCP lease, build a new entry to
the DHCP Snooping binding table.
34
Filtering DISCOVER Messages Based on MAC Address
35
Filtering Messages that Release IP Addresses
36
DHCP Snooping Defeats a DHCP RELEASE from Another Port
37
DHCP Snooping Configuration
38
DHCP Snooping Status
39
Insertion of option 82
• Ip dhcp information option

• When the switch does not also act as a DHCP relay agent, the
default setting stops DHCP from working for end users.
40
Limiting DHCP Message Rates
41
Confirming DHCP Snooping Rate Limits
42
DHCP Snooping Configuration Summary

• Step 1. Configure this pair of commands (both required):
▫ A. Use the ip dhcp snooping global command to enable DHCP Snooping on the switch.
▫ B. Use the ip dhcp snooping vlan vlan-list global command to identify the VLANs on which to use
DHCP Snooping.
• Step 2. (Optional): Use the no ip dhcp snooping information option global command on Layer 2 switches
to disable the insertion of DHCP Option 82 data into DHCP messages, specifically on switches that do not
act as a DHCP relay agent.
• Step 3. Configure the ip dhcp snooping trust interface subcommand to override the default setting of not
trusted.
• Step 4. (Optional): Configure DHCP Snooping rate limits and err-disabled recovery:
▫ Step A. (Optional): Configure the ip dhcp snooping limit rate number interface subcommand to set
a limit of DHCP messages per second.
▫ Step B. (Optional): Configure the no ip dhcp snooping limit rate number interface subcommand to
remove an existing limit and reset the interface to use the default of no rate limit.
▫ Step C. (Optional): Configure the errdisable recovery cause dhcprate- limit global command to
enable the feature of automatic recovery from err-disabled mode, assuming the switch placed the port 43
in err-disabled state because of exceeding DHCP Snooping rate limits.
▫ Step D. (Optional): Configure the errdisable recovery interval seconds global commands to set the
The Dynamic ARP Inspection (DAI)
“ ▪ feature on a switch
examines incoming
ARP messages on
untrusted ports to
filter those it believes
to be part of an
attack.
45
“ ▪ DAI’s core feature compares

incoming ARP messages
with two sources of data: the
DHCP Snooping binding
table and any configured
ARP ACLs. If the incoming
ARP message does not match
the tables in the switch, the
switch discards the ARP
message.
46
Legitimate ARP Tables
47
A Detailed Look at ARP Request and Reply
48
Nefarious Use of ARP Reply Causes Incorrect ARP Data on R2
49
Man-in-the-Middle Attack Resulting from Gratuitous ARP
50
DAI Filtering ARP Based on DHCP Snooping Binding Table
51
DAI Filtering Checks for Source MAC
52
DAI can be enabled to make the comparisons shown in

the figure, discarding these messages
• Messages with an Ethernet header source MAC address that is

not equal to the ARP origin hardware (MAC) address
• ARP reply messages with an Ethernet header destination MAC
address that is not equal to the ARP target hardware (MAC)
address
• Messages with unexpected IP addresses in the two ARP IP
address fields
53
Dynamic ARP Inspection Configuration
• Choose whether to rely on DHCP Snooping, ARP ACLs, or both.

If using DHCP Snooping, configure it and make the correct ports
trusted for DHCP Snooping.
• Choose the VLAN(s) on which to enable DAI.
• Make DAI trusted (rather than the default setting of untrusted) on
select ports in those VLANs, typically for the same ports you
trusted for DHCP Snooping.
54
Sample Network Used in ARP Inspection Configuration Examples
55
56
IP DHCP Snooping Configuration Added to Support DAI
57
IP ARP Inspection Status
58
IP ARP Inspection Status
59
Sample Results from an ARP Attack
60
Limiting DAI Message Rates
61
Confirming ARP Inspection Rate Limits
62
IP ARP Inspection Configuration Summary www.youtube.com/shahinazelkasrawy
• Step 1. Use the ip arp inspection vlan vlan-list global command to enable Dynamic ARP Inspection (DAI)
on the switch for the specified VLANs.
• Step 2. Separate from the DAI configuration, also configure DHCP Snooping and/or ARP ACLs for use by
DAI.
• Step 3. Configure the ip arp inspection trust interface subcommand to override the default setting of not
trusted.
• Step 4. (Optional): Configure DAI rate limits and err-disabled recovery: SW2(config)# ip arp inspection
validate src-mac SW2(config)# ^Z SW2# SW2# show ip arp inspection Source Mac Validation : Enabled
Destination Mac Validation : Disabled IP Address Validation : Disabled
▫ Step A. (Optional): Configure the ip arp inspection limit rate number [burst interval seconds]
interface subcommand to set a limit of ARP messages per second, or ARP messages for each
configured interval.
▫ Step B. (Optional): Configure the ip arp inspection limit rate none interface subcommand to disable
rate limits.
▫ Step C. (Optional): Configure the errdisable recovery cause arpinspection global command to
enable the feature of automatic recovery from err-disabled mode, assuming the switch placed the port
in err-disabled state because of exceeding DAI rate limits.
▫ Step D. (Optional): Configure the errdisable recovery interval seconds global commands to set the 63
time to wait before recovering from an interface err-disabled state (regardless of the cause of the
err-disabled state).
Good Luck ☺
Eng. Shahinaz Elkasrawy

ACFrOgC B3yylYbk-of8x9 YBdxTjBNXvzCxp9LvWXGHScoJpHvAMJn6yALLe4KudqsbAIxDehvisq2kVPPrgKfnPFxzTggnyAZpSCw5LaprghnbTetGV4WGC-NRyGJt0wc 29SQvYTJfVisTAky

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACFrOgC B3yylYbk-of8x9 YBdxTjBNXvzCxp9LvWXGHScoJpHvAMJn6yALLe4KudqsbAIxDehvisq2kVPPrgKfnPFxzTggnyAZpSCw5LaprghnbTetGV4WGC-NRyGJt0wc 29SQvYTJfVisTAky

Uploaded by

Copyright:

Available Formats

www.youtube.

▪ 1.0 Network Fundamentals

Dynamic Host Configuration Protocol (DHCP)

• As a DHCP client, the host begins with no IPv4 settings— no

DHCP uses the following four messages between the

• Discover: Sent by the DHCP client to find a willing DHCP

“ ▪ 0.0.0.0: An address reserved for

DHCP Discover and Offer

Supporting DHCP for Remote Subnets with DHCP Relay

• The ip helper-address server-ip subcommand tells the router to do

IP Helper Address Effect

Information Stored at the DHCP Server

• Subnet ID and mask: The DHCP server can use

Preconfiguration on a DHCP Server

DHCP uses three allocation modes

• Dynamic allocation refers to the DHCP mechanisms and

Configuring DHCP Features on Routers and Switches

Configuring DHCP Relay

• ip helper-address 172.16.2.11 interface subcommand

Configuring a Switch as DHCP Client

Verifying DHCP-Learned IP Address on a

Verifying DHCP-Learned Information on a Switch

Configuring a Router as DHCP Client

Host IP Settings on Windows

ipconfig and ipconfig/all

netstat -rn Command

DHCP Snooping and ARP Inspection

▪ 5.0 Security Fundamentals

DHCP Snooping Concepts

• DHCP Snooping operates on LAN switches

DHCP Snooping Basics: Client Ports Are Untrusted

• DHCP messages received on an untrusted port, for messages

A Sample Attack: A Spurious DHCP Server

• 1. PC1 sends a LAN broadcast

DHCP Snooping Logic

the DHCP Snooping rules

• 1. Examine all incoming DHCP messages.

Filtering DISCOVER Messages Based on MAC Address

Filtering Messages that Release IP Addresses

DHCP Snooping Defeats a DHCP RELEASE from Another Port

DHCP Snooping Configuration

DHCP Snooping Status

• Ip dhcp information option

Limiting DHCP Message Rates

Confirming DHCP Snooping Rate Limits

DHCP Snooping Configuration Summary

The Dynamic ARP Inspection (DAI)

“ ▪ DAI’s core feature compares

Legitimate ARP Tables

A Detailed Look at ARP Request and Reply

Nefarious Use of ARP Reply Causes Incorrect ARP Data on R2

Man-in-the-Middle Attack Resulting from Gratuitous ARP

DAI Filtering ARP Based on DHCP Snooping Binding Table

DAI Filtering Checks for Source MAC

DAI can be enabled to make the comparisons shown in

• Messages with an Ethernet header source MAC address that is

Dynamic ARP Inspection Configuration

• Choose whether to rely on DHCP Snooping, ARP ACLs, or both.

Sample Network Used in ARP Inspection Configuration Examples

IP DHCP Snooping Configuration Added to Support DAI

IP ARP Inspection Status

IP ARP Inspection Status