Provider Networking on Cisco Switches Using Option 82 and Dynamic ARP Inspection

Prologue


On the hub there have been quite a few topics describing various options for building provider networks, including with the technologies named in the title. They partly helped me solve my task, but I still had to dig a lot myself. I want to share what came out of it and save some time for those who follow.



So, setting the task:


We need to build a network that is as convenient as possible for the end user, while also convenient (in terms of minimal load on technical support) and safe (in terms of fraud) for the operator. In addition, the network should be inexpensive. Some argue that Cisco and "inexpensive" are incompatible concepts, but old End-of-Life hardware, which can be bought at very affordable prices, is also suitable for our task.

For the sake of user convenience, the following options were discarded:
  • static assignment of IP addresses: inconvenient for the user, the address has to be written down somewhere, and users who have lost it call tech support
  • DHCP with binding by MAC address: inconvenient for the user, when changing the device you need to re-register it with the provider or change the MAC on it
  • all kinds of tunnels, mainly PPTP: requires client-side settings, forgotten logins and passwords

Of all the options considered, DHCP is the most convenient for the user, but for the provider it brings a number of difficulties:
MAC binding is inconvenient, since new MAC addresses would have to be re-registered. Authenticating a user in billing by IP address alone also seems unreliable at first glance: a cunning user can manually set a neighbour's IP address and cause confusion. However, there is a solution, and it is built on the technologies from the title of the article: option 82 and Dynamic ARP Inspection.
Those interested in the solution, welcome under the cut.


Solution


The DHCP server issuing addresses will be guided by option 82, which identifies the physical switch port on which the address request was received. This way we achieve that Vasya Pupkin from apartment 14, whose cable is connected to port 7 of our switch SW-01, will always receive, for example, the address 10.10.1.7, regardless of which device he connects to his cable. This approach lets us identify Vasya Pupkin by IP address alone, but there is a problem. Neighbour Zhora, who does not want to pay for the Internet, manually sets Vasya Pupkin's address, creates an IP address conflict on the network and uses the Internet at Vasya's expense.

Dynamic ARP Inspection exists to prevent exactly this. The essence of the technology comes down to checking the MAC + IP bindings learned from the DHCP server against the ARP packets arriving on the port. Thus, even if neighbour Zhora sets himself the same MAC and IP as Vasya's, the switch will check whether DHCP issued this IP to this MAC on this port. If it did not, the packet is discarded.

The configuration itself


We have two switches at our disposal: a Cisco 2950-24 and a Cisco 2960-24-TT-L.
The 2950 switch will be used to connect subscribers. On it, management VLAN 254 is configured.
Switch IP - 10.0.254.10, MAC - 00:11:92:1B:3A:00
The 2960 switch will act as the DHCP server and handle the ARP inspection task.
Switch IP - 10.0.254.2, MAC - 00:16:C8:D7:D2:80
The MAC can be seen in the output of the show version command:

cisco WS-C2950-24 (RC32300) processor (revision P0) with 19911K bytes of memory.
Processor board ID FOC0825Z1GD
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:11:92:1B:3A:00

The 2950 switch does not support Dynamic ARP Inspection, but we can solve this on the upstream switch. In the example the Cisco 2960-24-TT-L is used for this, although it is more correct to use an L3 switch, for example a 3550-12T or 3550-12G, which can then also handle inter-VLAN routing.

So, on the C2950 we configure the following:

  1. In global configuration mode, specify that the relay agent information option (option 82) must be added to relayed DHCP messages:
    ip dhcp relay information option
    

  2. In the management interface settings, specify that DHCP requests should be forwarded to the 2960 switch at 10.0.254.2:
    interface Vlan254
     ip address 10.0.254.10 255.255.255.0
     ip helper-address 10.0.254.2
    

  3. In global configuration mode, enable DHCP snooping for all of our VLANs:
    ip dhcp snooping vlan 10
    ip dhcp snooping vlan 20
    ip dhcp snooping vlan 254
    ip dhcp snooping
    

  4. Specify that DHCP offers are allowed only from port 24, to which the upstream 2960 with the DHCP server is connected:
    interface FastEthernet0/24
     ip dhcp snooping trust
    



The configuration of the C2960 is a little more involved:

  1. For each user, create an ip dhcp class.
  2. The entry for the first subscriber looks like this:
    ip dhcp class user01
       remark SW2950-1 port 01
       relay agent information
          relay-information hex 01060004000a0001020800060011921b3a00
    

    In the class it is enough to specify only the relay-information, but for convenience it is also recommended to add a remark comment, in which you can write, for example, the subscriber's details.
    The most important thing here is to understand how the hex string is formed. It is the 18 bytes contained in option 82.
    Its contents consist of two fields: circuit-id and remote-id.
    circuit-id contains the VLAN number and the physical port number from which the DHCP request came.
    remote-id contains the MAC address of the switch that relayed this request.
    This string can be extracted with the Wireshark analyzer, but doing that for every subscriber is inconvenient, so let's look at how to generate it.

  3. After creating DHCP classes for the subscribers, configure the address pools for each VLAN.
    The address lease time is 5 minutes. This is needed so that when a new device (with a different MAC) is connected to the same port, the subscriber quickly receives an address on it. Otherwise there will be an error that the pool is exhausted, since it contains only 1 address. Note that the example omits the rest of the DHCP pool settings, such as the gateway, DNS, etc.

    ip dhcp pool vlan10
       network 10.0.10.0 255.255.255.0
       lease 0 0 5
       class user01
          address range 10.0.10.11 10.0.10.11
       class user02
          address range 10.0.10.12 10.0.10.12
    

  4. For each pool, the corresponding IP interface must be configured on the switch. This is done with an interface vlan.
    Although the C2960 is a Layer 2 switch, it allows several IP interfaces to be active at once, but it cannot route traffic between them.
    interface Vlan10
     ip address 10.0.10.2 255.255.255.0
    !
    interface Vlan20
     ip address 10.0.20.2 255.255.255.0
    !
    interface Vlan254
     ip address 10.0.254.2 255.255.255.0
    

  5. On this switch we also need to configure DHCP snooping, since it builds the database that binds the issued IP addresses to MAC addresses.
    The ip dhcp snooping database command sets where the database is stored; in the example it is stored in the file dhcp on flash. You can also specify ftp, tftp, http, https, scp and other URLs as the storage location.
    The ip dhcp snooping information option allow-untrusted command allows DHCP requests that already carry option 82 to be accepted on untrusted ports of the switch; without it, such requests arriving from the downstream 2950 would be dropped.
    ip dhcp snooping vlan 10
    ip dhcp snooping vlan 20
    ip dhcp snooping information option allow-untrusted
    ip dhcp snooping database flash:dhcp
    ip dhcp snooping
    

  6. So far we have bound the IP address to the physical port of the switch. It remains to configure Dynamic ARP Inspection. This is done with one simple command:
    ip arp inspection vlan 10,20
    


Proof of concept


Let's check address assignment for a client connected to port 9 of the switch. The port is in VLAN 20, so according to our scheme the client should get the address 10.0.20.9. We generate the hex value:
01060004 0014 0008 02080006 0011921b3a00
where 0014 is VLAN 20,
0008 is port 9 of the switch,
0011921b3a00 is its MAC.

ip dhcp class user09
   remark SW2950-1 port 09
   relay agent information
      relay-information hex 0106000400140008020800060011921b3a00

ip dhcp pool vlan20
   network 10.0.20.0 255.255.255.0
   lease 0 0 5
   class user09
      address range 10.0.20.9 10.0.20.9
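As an added illustration (not code from the original article), the following Python builds the 18-byte relay-information hex string from the VLAN, the port byte and the relay switch's MAC exactly as laid out above, parses it back with length checks, and reconstructs it from the circuit id / remote id lines of the debug ip dhcp server events output shown below. The port byte is passed in as the switch reports it in its circuit-id (the article shows 8 for Fa0/9 and 1 for "port 01"); the function names are my own.

```python
import re

def option82_hex(vlan, port, switch_mac, module=0):
    """18-byte 'relay-information hex' value, laid out as in the article's examples:
       01 06 | 00 04 <vlan:2> <module:1> <port:1>   (sub-option 1, circuit-id)
       02 08 | 00 06 <switch MAC:6>                 (sub-option 2, remote-id)"""
    mac = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", switch_mac))  # accepts aa:bb.. or aaaa.bbbb..
    if len(mac) != 6:
        raise ValueError("switch MAC must be 6 bytes")
    if not (0 <= vlan <= 4094 and 0 <= module <= 255 and 0 <= port <= 255):
        raise ValueError("vlan, module or port out of range")
    circuit = b"\x00\x04" + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = b"\x00\x06" + mac
    return (bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote).hex()

def parse_option82_hex(hexstr):
    """Inverse of option82_hex. Rejects strings whose sub-option lengths do not add up,
    which catches a mistyped class line before it silently never matches a request."""
    data, fields, i = bytes.fromhex(hexstr), {}, 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        sub, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        if sub == 1 and length == 6 and body[:2] == b"\x00\x04":
            fields["vlan"] = int.from_bytes(body[2:4], "big")
            fields["module"], fields["port"] = body[4], body[5]
        elif sub == 2 and length == 8 and body[:2] == b"\x00\x06":
            fields["switch_mac"] = ":".join(f"{b:02x}" for b in body[2:])
        else:
            raise ValueError(f"unexpected sub-option {sub} of length {length}")
        i += 2 + length
    return fields

def hex_from_debug(debug_text):
    """Build the same string from 'debug ip dhcp server events' output, which prints the
    circuit-id and remote-id bodies without their leading sub-option type/length bytes."""
    circuit = re.search(r"circuit id ([0-9a-f]+)", debug_text).group(1)
    remote = re.search(r"remote id ([0-9a-f]+)", debug_text).group(1)
    return f"01{len(circuit) // 2:02x}{circuit}02{len(remote) // 2:02x}{remote}"

def dhcp_class_config(name, remark, vlan, port, switch_mac):
    """Render the 'ip dhcp class' stanza for one subscriber port."""
    return "\n".join([f"ip dhcp class {name}", f"   remark {remark}",
                      "   relay agent information",
                      f"      relay-information hex {option82_hex(vlan, port, switch_mac)}"])
```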


The same exchange can be observed in Wireshark. This is how the output of the debug ip dhcp server events command looks:

2d00h: DHCPD: Sending notification of DISCOVER:
2d00h:   DHCPD: htype 1 chaddr 000a.e45b.dcc6
2d00h:   DHCPD: remote id 00060011921b3a00
2d00h:   DHCPD: circuit id 000400140008
2d00h:   DHCPD: interface = Vlan20
2d00h:   DHCPD: class id 4d53465420352e30
2d00h:   DHCPD: out_vlan_id 0
2d00h: DHCPD: DHCPOFFER notify setup address 10.0.20.9 mask 255.255.255.0
2d00h: DHCPD: Sending notification of ASSIGNMENT:
2d00h:  DHCPD: address 10.0.20.9 mask 255.255.255.0
2d00h:   DHCPD: htype 1 chaddr 000a.e45b.dcc6
2d00h:   DHCPD: lease time remaining (secs) = 300
2d00h:   DHCPD: interface = Vlan20
2d00h:   DHCPD: out_vlan_id 0

000a.e45b.dcc6 is the client's MAC address.
Now we connect another laptop to the same port.

2d00h: DHCPD: Sending notification of DISCOVER:
2d00h:   DHCPD: htype 1 chaddr 089e.012b.6ce1
2d00h:   DHCPD: remote id 00060011921b3a00
2d00h:   DHCPD: circuit id 000400140008
2d00h:   DHCPD: interface = Vlan20
2d00h:   DHCPD: class id 4d53465420352e30
2d00h:   DHCPD: out_vlan_id 0
2d00h: DHCPD: no free address within the address range for class user09 in pool vlan20
2d00h: DHCPD: Sending notification of ASSIGNMENT FAILURE:

First we get a message that there are no free addresses in the pool (since the 5 minutes for which this address was leased to the other MAC have not yet expired).
However, after a while we get the address we need, now for the client with MAC 08-9e-01-2b-6c-e1:

2d00h: DHCPD: Sending notification of DISCOVER:
2d00h:   DHCPD: htype 1 chaddr 089e.012b.6ce1
2d00h:   DHCPD: remote id 00060011921b3a00
2d00h:   DHCPD: circuit id 000400140008
2d00h:   DHCPD: interface = Vlan20
2d00h:   DHCPD: class id 4d53465420352e30
2d00h:   DHCPD: out_vlan_id 0
2d00h: DHCPD: Adding binding to radix tree (10.0.20.9)
2d00h: DHCPD: Adding binding to hash tree
2d00h: DHCPD: assigned IP address 10.0.20.9 to client 0108.9e01.2b6c.e1. (316 0)
2d00h: DHCPD: DHCPOFFER notify setup address 10.0.20.9 mask 255.255.255.0
2d00h: DHCPD: Sending notification of ASSIGNMENT:

Now let's check whether our client's neighbour, connected to port 10 of the switch, can manually set the address 10.0.20.9.
Since the Cisco 2950 does not support Dynamic ARP Inspection, this technology is configured on the upstream Cisco 2960 switch.
The show ip dhcp snooping binding command on the C2960 shows the binding of IP addresses to MACs:

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:9E:01:2B:6C:E1   10.0.20.9        288         dhcp-snooping   20    FastEthernet0/1
Total number of bindings: 1

FastEthernet0/1 is the interface of the 2960 switch to which the downstream 2950 is connected. Now we
connect a computer with the manually configured address 10.0.20.9 to port 10 of the C2950.
We then see an error notification, from which it can be seen that it occurred in VLAN 20 on port 1 of the switch. In addition, we see the IP and MAC addresses that caused the error: 000a.e45b.dcc6 / 10.0.20.9.

2d01h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 20.([000a.e45b.dcc6/10.0.20.9/0000.0000.0000/10.0.20.9/23:48:25 EEST Mon Sep 2 2013])

You can find out exactly who tried to cheat by going to the C2950 switch and looking at its MAC address table:

SW2950-1#show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    000a.e45b.dcc6    DYNAMIC     Fa0/10
  20    089e.012b.6ce1    DYNAMIC     Fa0/9

We see that the MAC of interest to us sits on port 10.
That is about it. Additional information can be found in these articles:
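The triage above (take the DAI deny message from the 2960, then find the offending MAC in the 2950's MAC address table) can be automated. This is an added example, not part of the original article; the sample inputs are constructed from the output shown above, and the function names are my own.

```python
import re

# Constructed samples, copied from the outputs shown in the article.
DAI_LOG = ("2d01h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 20."
           "([000a.e45b.dcc6/10.0.20.9/0000.0000.0000/10.0.20.9/23:48:25 EEST Mon Sep 2 2013])")
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    000a.e45b.dcc6    DYNAMIC     Fa0/10
  20    089e.012b.6ce1    DYNAMIC     Fa0/9
"""

# Fields of the DAI deny message: count, ARP type, uplink port, VLAN, then
# [sender MAC / sender IP / target MAC / target IP / timestamp].
DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<iface>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)")

def parse_dai_deny(line):
    """Return the fields of a %SW_DAI-4-DHCP_SNOOPING_DENY line, or None if it is not one."""
    m = DAI_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    return ev

def parse_mac_table(text):
    """Map (vlan, mac) -> port from 'show mac-address-table' output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", line)
        if m:
            table[(int(m.group(1)), m.group(2))] = m.group(3)
    return table

def locate_offender(dai_line, mac_table_text):
    """Join the deny message with the downstream MAC table to name the access port."""
    ev = parse_dai_deny(dai_line)
    if ev is None:
        return None
    port = parse_mac_table(mac_table_text).get((ev["vlan"], ev["smac"]))
    return {"vlan": ev["vlan"], "mac": ev["smac"], "ip": ev["sip"],
            "upstream_port": ev["iface"], "access_port": port}
```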
Features of the operation and configuration of DHCP on Cisco routers
Features of the operation and configuration of DHCP on Cisco routers (Part 2)
IPoE, and also Client-VLAN and DHCP Option 82
IPoE problem (I'll add on my own that there is simply no problem if everything is configured correctly)
Link-level ARP-spoofing attack and how to protect a Cisco switch is a good article showing another benefit of Dynamic ARP Inspection - improving network security in general.