How to Configure Anti-Spoofing
This Help topic describes the Policy Manager anti-spoofing feature and how to configure it. It includes the following sections:
- Anti-Spoofing Overview
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IP Source Guard
- Duplicate IP Checking
- Populating the MAC-to-IP Binding Table
- Implementing Anti-Spoofing in Your Network
- Anti-Spoofing Configuration
- Anti-Spoofing Configuration Steps
- Configuration Example
Anti-Spoofing Overview
Attacks on IP networks are easy to carry out with tools freely available on the internet. A malicious user can answer DHCP requests with forged server responses, handing a client false values for fields such as the default gateway or the DNS servers. Man-in-the-middle attacks exploit ARP, letting an attacker redirect a user's traffic to and from the default gateway through the attacker's own device; the attacker can then read the user's private data without either the user or the gateway noticing. A malicious user can also spoof an innocent user's IP address in order to bypass other network security features that are based on the user's subnet.
The Policy Manager anti-spoofing solution provides a flexible and secure approach to IP spoofing detection and prevention. To mitigate these attacks, the device builds a table that binds each user's source MAC address to its source IP address. Action is then taken against users whose traffic violates the entries in that binding table.
There are three basic tools used to detect source MAC address to source IP address associations and populate the binding table:
- DHCP snooping
- Dynamic ARP inspection (DAI)
- IP source guard
All three methods can create MAC-to-IP bindings in the binding table, although DAI and IP source guard can also be run in inspection only mode, which does not create bindings. Bindings created by DHCP snooping from DHCP exchanges on trusted ports take precedence over bindings created by dynamic ARP inspection or IP source guard.
Use of all three tools allows bindings to be created for users in a network where DHCP is not in use or where a DHCP exchange has not occurred since the anti-spoofing feature has been enabled.
The actions that may be taken against a violating user include:
- Logging a syslog message
- Generating an audit trap
- Putting the user in quarantine, as defined by a quarantine role.
DHCP Snooping
DHCP snooping provides the foundation for IP spoofing detection and prevention. DHCP ACK packets received from a DHCP server on a "trusted" port create a MAC-to-IP address binding for the user along with the lease time and expiration. DHCP ACK packets received on "untrusted" ports are dropped.
On untrusted ports on edge devices, DHCP MAC Verify can be configured to verify that the source MAC address and the client hardware address match in DHCP client packets that transit the ports. If the addresses match, the packets are forwarded. If the addresses do not match, the packets are dropped.
DHCP Snooping Port Types
In DHCP snooping, each port is set to one of three port types that determine its anti-spoofing behavior. Anti-spoofing is typically configured at the edge of the network, with ports assigned one of the following port types:
- Trusted – When port type is set to trusted, DHCP server traffic is accepted and used to create bindings in the MAC-to-IP address binding table. Typically, only a port that is connected to a DHCP server would be set to trusted.
- Bypass – When port type is set to bypass, snooping of DHCP server traffic does not take place on the port. Typically, uplink ports out to the network would be set to bypass, as traffic would not be originating from that port.
- Untrusted – When port type is set to untrusted, DHCP server traffic (for example, a DHCP ACK) detected on the port increments the port's untrusted server counter and the packets are dropped. DHCP RELEASE and DECLINE messages, which a client sends to free its IP address for use by another, are dropped if they are for a MAC address that the binding table shows on a different port. If DHCP MAC Verify is enabled and the source MAC address of the frame does not match the client hardware address (chaddr) in the DHCP payload, the packets are dropped. Typically, all edge ports with users would be set to untrusted.
DHCP MAC Verify
Every frame carries a source MAC address in its Ethernet header. DHCP packets additionally carry a MAC address in the payload: the client hardware address (chaddr) field. When DHCP MAC verification is enabled, DHCP snooping checks that the source MAC address in the frame header matches the chaddr in the DHCP payload and drops the packet if they differ, so a host cannot request, release, or decline a lease on behalf of a different hardware address.
DHCP MAC verification is a network edge feature that should be enabled on ports transited by DHCP client packets. For DHCP MAC verification to be operational:
- DHCP snooping must be enabled on the device and on the port.
- The port type must be set to untrusted.
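The port type rules and the MAC Verify check above, as an added Python example that is not Policy Manager code or switch firmware: it parses a constructed DHCP frame, pulls the chaddr out of the DHCP payload, and applies the trusted/untrusted/bypass handling and the MAC Verify comparison. The frame layout is the standard one from RFC 2131; the class, the verdict strings, the port numbers, the MAC addresses and the sample frames are this example's own assumptions, and checksums are not computed.

```python
# Added example (not Policy Manager code): DHCP snooping decisions for the three port
# types and DHCP MAC Verify, applied to constructed Ethernet II / IPv4 / UDP / DHCP frames.
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                    # RFC 2131 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_REQUEST, DHCP_DECLINE, DHCP_ACK, DHCP_RELEASE = 3, 4, 5, 7

def build_dhcp_frame(src_mac, dst_mac, op, chaddr, yiaddr, msg_type):
    """Constructed sample input: a minimal DHCP frame (checksums left zero)."""
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)    # op .. flags
    bootp += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)    # ciaddr, yiaddr
    bootp += socket.inet_aton("0.0.0.0") * 2                           # siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00") + b"\x00" * 192                 # chaddr, sname, file
    bootp += DHCP_MAGIC + bytes([53, 1, msg_type, 255])                # option 53, End
    sport, dport = (67, 68) if op == BOOTREPLY else (68, 67)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def parse_dhcp_frame(frame):
    """Return (frame source MAC, op, chaddr, yiaddr, DHCP message type)."""
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14 + 9] != 17:
        raise ValueError("not IPv4/UDP")
    udp = frame[14 + (frame[14] & 0x0F) * 4:]          # skip the IPv4 header (IHL words)
    ulen = struct.unpack("!H", udp[4:6])[0]
    bootp = udp[8:ulen]
    op, hlen = bootp[0], bootp[2]
    if bootp[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie")
    chaddr = bootp[28:28 + hlen]                        # client hardware address
    yiaddr = socket.inet_ntoa(bootp[16:20])             # address the server assigned
    msg_type, i = None, 240
    while i < len(bootp) and bootp[i] != 255:           # walk TLV options to End
        if bootp[i] == 0:                               # Pad has no length byte
            i += 1
            continue
        if bootp[i] == 53:
            msg_type = bootp[i + 2]
        i += 2 + bootp[i + 1]
    return src_mac, op, chaddr, yiaddr, msg_type

class DhcpSnooper:
    def __init__(self, sessions):
        self.sessions = dict(sessions)   # MAC -> port, from the multi-auth session table
        self.bindings = {}               # MAC -> (ip, port): the MAC-to-IP binding table

    def process(self, frame, port, port_type, mac_verify=False):
        """Return the snooping verdict for one DHCP frame arriving on `port`."""
        src_mac, op, chaddr, yiaddr, msg_type = parse_dhcp_frame(frame)
        if op == BOOTREPLY:                              # DHCP server traffic
            if port_type == "bypass":
                return "forward"                         # not snooped, not dropped
            if port_type == "untrusted":
                return "drop:untrusted-server"           # counter incremented, packet dropped
            if msg_type != DHCP_ACK:                     # trusted: only the ACK is authoritative
                return "forward"
            if chaddr not in self.sessions:              # no session for this user: log only
                return "syslog:no-session"
            self.bindings[chaddr] = (yiaddr, self.sessions[chaddr])   # keyed by chaddr
            return "bind"
        if port_type != "untrusted":                     # client traffic on trusted/bypass ports
            return "forward"
        if mac_verify and chaddr != src_mac:             # DHCP MAC Verify
            return "drop:mac-verify"
        if msg_type in (DHCP_RELEASE, DHCP_DECLINE):
            bound = self.bindings.get(chaddr)
            if bound and bound[1] != port:               # freeing a lease bound on another port
                return "drop:release-from-other-port"
        return "forward"

SERVER_MAC, CLIENT_MAC = bytes.fromhex("0011223344aa"), bytes.fromhex("00aabbccdd01")
ATTACKER_MAC, BCAST = bytes.fromhex("00aabbccdd99"), b"\xff" * 6

def demo():
    """Walk one client through the cases in the text; returns the verdicts by name."""
    snooper = DhcpSnooper(sessions={CLIENT_MAC: 12})     # the client sits on port 12
    ack = build_dhcp_frame(SERVER_MAC, CLIENT_MAC, BOOTREPLY, CLIENT_MAC, "10.1.1.25", DHCP_ACK)
    r = {"ack_trusted": snooper.process(ack, 1, "trusted"),
         "ack_untrusted": snooper.process(ack, 12, "untrusted"),
         "ack_bypass": snooper.process(ack, 48, "bypass")}
    # a REQUEST whose frame source MAC does not match the chaddr it carries
    forged = build_dhcp_frame(ATTACKER_MAC, BCAST, BOOTREQUEST, CLIENT_MAC, "0.0.0.0", DHCP_REQUEST)
    r["forged_verify_on"] = snooper.process(forged, 12, "untrusted", mac_verify=True)
    r["forged_verify_off"] = snooper.process(forged, 12, "untrusted")
    # a RELEASE for the client's MAC sent from a port other than the one it is bound to
    release = build_dhcp_frame(CLIENT_MAC, SERVER_MAC, BOOTREQUEST, CLIENT_MAC, "0.0.0.0", DHCP_RELEASE)
    r["release_other_port"] = snooper.process(release, 13, "untrusted", mac_verify=True)
    r["release_own_port"] = snooper.process(release, 12, "untrusted", mac_verify=True)
    r["binding"] = snooper.bindings.get(CLIENT_MAC)
    return r
```

Two details worth noticing: the binding is keyed by the chaddr in the ACK and records the port from the session table, not the port the ACK arrived on; and with MAC Verify off the forged REQUEST is forwarded, which is exactly the gap MAC Verify closes on untrusted edge ports.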
Dynamic ARP Inspection (DAI)
Dynamic ARP inspection uses the MAC-to-IP address binding table to ensure that ARP packets have the proper MAC-to-IP binding. Limiting ARPs to the bound addresses in the table prevents malicious users from inserting themselves in between the end user and a gateway and poisoning network device ARP caches, or succeeding in man-in-the-middle attacks.
When an ARP packet enters the switch, its sender MAC and IP addresses are compared with the entry for that MAC in the table. If the packet conflicts with the binding, the IP change is counted and logged against the binding and any configured actions are taken against the user. If the packet agrees with the binding table, it is forwarded. If there is no entry for the packet in the binding table, one is added unless DAI is running in inspection only mode.
IP Source Guard
IP source guard is another means of restricting IP traffic and taking action against violating users. It is particularly useful where anti-spoofing is not limited to edge devices, or where DHCP is not the only source of IP addresses on the network.
IP traffic on a port is inspected to ensure that a user's MAC and IP addresses are found in the binding table created by DHCP snooping. Changes to a user's IP address are counted and action is taken, as configured. Like DAI, IP source guard will add entries to the MAC-to-IP binding table unless it is enabled in inspection only mode.
Duplicate IP Checking
In addition to the anti-spoofing tools described above, the anti-spoofing feature can also be configured to log duplicate IP addresses when they are bound to different MAC addresses, using syslog messages and audit traps. This situation is usually due to a misconfiguration in the network and is generally not indicative of an attack, but can be a worthwhile event to record, as administrative action may be needed to reconcile the condition. These duplicate IP addresses are only detected upon a user's binding change, and do not apply to duplicate IP addresses over ports for the same MAC address (for example, if a single user moves from one port to another).
Populating the MAC-to-IP Binding Table
The anti-spoofing MAC-to-IP binding table can be populated through DHCP snooping, dynamic ARP inspection, and IP source guard. Whichever of these three methods is used, an entry cannot be added unless there is already an entry for the user's MAC address in the multi-auth session table (displayed in the End User Sessions table on the device Port Usage tab).
Bindings Created by DHCP Snooping
DHCP snooping watches DHCP exchanges to create a MAC-to-IP address binding for a client. A basic DHCP client/server exchange is as follows:
- client > server: DISCOVER
- server > client: OFFER
- client > server: REQUEST
- server > client: ACKNOWLEDGE
It is the acknowledgment from the server that creates the binding, and the server message is considered authoritative. (No other security measures, other than those described here, are used to ensure that the server is legitimately responding to a client request.)
The ACK message includes the client hardware address and the client's confirmed IP address. It is the client hardware address (not the MAC destination address) that is used in determining if there is already an entry in the multi-auth session table for the user, to which the IP address will be bound. If there is no entry in the session table for the client, a syslog message will be generated.
Only DHCP server ACK messages received on trusted ports populate MAC-to-IP address bindings. On untrusted ports, DHCP server packets are counted (the untrusted server counter is incremented) but are not used to populate bindings; if policy is properly configured, the packets are dropped or the port is shut down, as specified by the role assigned to the port. Bypass ports ignore all DHCP server packets for purposes of populating the binding database.
DHCP server messages are limited to trusted ports, so the bindings that are created by them are not intended to be recorded as violations. In the case that a server sends a client a new binding with a different IP address before the current binding's lease has expired, the event will trigger a syslog message, but will not increment the violation counter.
Bindings Created by DAI or IP Source Guard
When DAI or IP source guard are enabled, the other traffic being inspected (ARP or IP) can also populate the IP address bindings table. With ARP inspection, the sender MAC and IP and the target MAC and IP from the ARP payload are used to populate the bindings, as provided by the ARP request or reply. With IP inspection, the source MAC address and IP address are used in creating these bindings.
If a binding already exists for a user due to DHCP, and the lease time has not expired, the DHCP binding takes precedence and a violation is recorded, but the binding does not change. If there is an entry for the user in the multi-auth session table and DHCP snooping has not provided a MAC-to-IP address binding table entry, the ARP or IP traffic can create the MAC-to-IP address binding table entry. This form of binding creation allows for the anti-spoofing feature to be used in environments that are not on the edge or are not able to monitor and process all DHCP exchanges on the network for attached users.
Expiration of Bindings
IP address bindings time out when the lease expires, when a DHCP RELEASE is received, or when the entry is cleared manually, whichever occurs first. For bindings created by DHCP snooping, the binding is removed when the lease expires. For bindings created by DAI or IP inspection, the IP change counter is reset when the timeout period elapses, but the binding remains active and its timer restarts.
When you manually set a timeout period, be aware that the lease time defined in the DHCP server scope takes precedence over manually set timeouts.
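The binding rules from the DAI, IP source guard, duplicate IP checking and binding-population sections above, as one added Python example (not Policy Manager code): a binding table that applies the session-table prerequisite, DHCP-binding precedence, inspection only mode, the "logged but not counted" handling of a server rebind, duplicate IP logging and the two expiry behaviours. The class, method and event names, the caller-supplied clock, the sample MACs and addresses, and the handling of a conflict in inspection only mode (counted, binding left untouched) are this example's own assumptions.

```python
# Added example (not Policy Manager code): a MAC-to-IP binding table with the DAI and
# IP source guard inspection rules, DHCP-binding precedence, duplicate IP checking and
# binding expiry.  `now` is a caller-supplied clock in seconds so expiry can be exercised.
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str
    source: str           # "dhcp" (trusted-port ACK), "arp" (DAI) or "ip" (IP source guard)
    expires: float        # lease end for DHCP bindings, inspection timeout otherwise
    ip_changes: int = 0   # the user's IP change counter that thresholds are compared against

class BindingTable:
    def __init__(self, sessions, inspect_timeout=300, duplicate_ip_check=True):
        self.sessions = set(sessions)   # MACs present in the multi-auth session table
        self.bindings = {}              # MAC -> Binding
        self.inspect_timeout = inspect_timeout
        self.duplicate_ip_check = duplicate_ip_check
        self.events = []                # what would go to syslog / audit traps, in order

    def _expire(self, now):
        for mac, b in list(self.bindings.items()):
            if now < b.expires:
                continue
            if b.source == "dhcp":
                del self.bindings[mac]                 # lease ended: the binding goes with it
            else:                                      # DAI/IPSG: counter resets, timer restarts
                b.ip_changes, b.expires = 0, now + self.inspect_timeout

    def _check_duplicate(self, mac, ip):
        """Duplicate IP checking runs only when a binding is created or changed."""
        if self.duplicate_ip_check:
            for other, b in self.bindings.items():
                if other != mac and b.ip == ip:
                    self.events.append(f"duplicate-ip {ip} {mac.hex()} {other.hex()}")

    def dhcp_ack(self, mac, ip, lease, now):
        """Binding from a server ACK seen on a trusted port: authoritative, never a violation."""
        self._expire(now)
        if mac not in self.sessions:
            self.events.append(f"no-session {mac.hex()}")
            return "no-session"
        old = self.bindings.get(mac)
        if old and old.ip != ip:                       # logged, but the counter is untouched
            self.events.append(f"dhcp-rebind {mac.hex()} {old.ip}->{ip}")
        self._check_duplicate(mac, ip)
        self.bindings[mac] = Binding(ip, "dhcp", now + lease, old.ip_changes if old else 0)
        return "bind"

    def inspect(self, kind, mac, ip, mode, now):
        """DAI (kind="arp") or IP source guard (kind="ip") on one packet's sender MAC/IP.
        mode is "enabled" or "inspection-only".  Assumption of this example: in
        inspection-only mode a conflicting packet is counted but the binding is left alone."""
        self._expire(now)
        b = self.bindings.get(mac)
        if b is None:
            if mac not in self.sessions:
                return "no-session"                    # no session, no binding
            if mode == "inspection-only":
                return "unbound"
            self._check_duplicate(mac, ip)
            self.bindings[mac] = Binding(ip, kind, now + self.inspect_timeout)
            return "bind"
        if b.ip == ip:
            return "ok"
        b.ip_changes += 1                              # conflict: counted against the user
        self.events.append(f"ip-change {mac.hex()} {b.ip}->{ip} count={b.ip_changes}")
        if b.source == "dhcp" or mode == "inspection-only":
            return "violation"                         # unexpired DHCP binding wins
        self._check_duplicate(mac, ip)
        b.ip, b.source, b.expires = ip, kind, now + self.inspect_timeout
        return "violation-rebound"

def demo():
    """Constructed scenario: two users on a switch with DAI and IP source guard enabled."""
    alice, mallory = bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd02")
    t = BindingTable(sessions=[alice, mallory], inspect_timeout=300)
    r = {"ack": t.dhcp_ack(alice, "10.1.1.25", lease=3600, now=0)}
    r["arp_ok"] = t.inspect("arp", alice, "10.1.1.25", "enabled", now=10)
    r["mallory_bind"] = t.inspect("arp", mallory, "10.1.1.30", "enabled", now=20)
    # alice's traffic shows another IP while her DHCP lease is valid: counted, not rebound
    r["alice_conflict"] = t.inspect("ip", alice, "10.1.1.99", "enabled", now=30)
    r["alice_ip"], r["alice_count"] = t.bindings[alice].ip, t.bindings[alice].ip_changes
    # mallory's DAI-created binding moves onto alice's IP: counted, rebound, duplicate logged
    r["mallory_change"] = t.inspect("arp", mallory, "10.1.1.25", "enabled", now=40)
    r["mallory_insp_only"] = t.inspect("arp", mallory, "10.1.1.78", "inspection-only", now=50)
    r["mallory_ip"] = t.bindings[mallory].ip
    # after the lease expires the DHCP binding is gone and the next packet re-creates it
    r["after_lease"] = t.inspect("ip", alice, "10.1.1.99", "enabled", now=3601)
    r["alice_source"] = t.bindings[alice].source
    r["events"] = list(t.events)
    return r
```

The scenario shows why the text warns about running the feature away from the edge: once alice's lease expires without the switch seeing a renewal, the very next packet from her is treated as a fresh DAI/IP source guard binding at whatever address it carries.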
Implementing Anti-Spoofing in Your Network
Using DHCP Snooping Only
In a network edge environment where DHCP is the exclusive provider of IP addresses, DHCP snooping can be used by itself to record all end user DHCP interactions, creating a MAC-to-IP address binding for each connected user.
Optionally, MAC Verify can be configured on untrusted ports to verify that the client hardware address in the DHCP packet matches the source MAC address of the packet. If it does not, it is dropped. This is a more robust security feature that can be used on the edge of the network where it is expected that the client requests are coming from the client, not a different switch, router, or AP.
In this scenario, DHCP snooping ensures that server packets are only handled where appropriate, that malicious users do not release or decline DHCP IP address assignments for other users, that DHCP client request packets are coming from the actual client (MAC Verify), and that the MAC-to-IP address binding database is populated. No actions are taken against users whose IP address assignment changes due to DHCP (where the server responses are on a trusted port), and user counters don't increment.
Away from the network edge, a switch that relies on DHCP snooping alone (with DAI and IP source guard disabled or in inspection only mode) can miss DHCP exchanges. For example, a link loss at the distribution or core layer does not necessarily cause the edge users to renew their leases, so the binding table is not repopulated and legitimate users could suffer unintended violation actions (for example, denial of service).
However, there are still benefits obtained from using DHCP snooping by itself away from the network edge. It allows for user accounting (user IP address change counters) and for the population of the MAC-to-IP address binding table from known DHCP servers. The binding table will then allow user leases to run for the configured lease time used on the network.
In this scenario, an administrator should recognize that configuring any actions that limit a user's traffic after a violation could potentially disrupt network traffic for an otherwise legitimate user. Generally, this configuration would not be used away from the network edge to quarantine or otherwise limit the user's traffic, as these limitations could be manipulated to cause denial of service attacks against a user.
Using DAI, IP Source Guard, and Duplicate IP Detection
Once DAI is enabled or set to inspection only, ARP packet inspection occurs. On those ports, all ARP traffic is intercepted and the MAC and IP address of the ARP is verified against the entry in the MAC-to-IP address binding table. Actions may be taken against the user if there is a violation.
Similarly, if IP source guard is enabled or configured for inspection only, IP traffic is intercepted and verified against the binding table. Once a connection is created, that traffic won't be inspected again unless the source IP address associated with the MAC address changes. As IP address changes are detected, the anti-spoofing feature will take action if there is a violation.
If the duplicate IP detection feature is enabled, when new MAC-to-IP bindings are created or current bindings are changed, an IP address lookup is performed on the binding table to verify that the IP is not currently in use. If it is in use, a syslog message and trap are sent.
Anti-Spoofing Configuration
You can enable and disable anti-spoofing on a per-device basis. When the feature is disabled on the device, no anti-spoofing features are active; anti-spoofing must be enabled on the device before port settings are considered when inspecting traffic. The default for all anti-spoofing features, on the device and on each port, is disabled.
DHCP snooping and MAC Verify are enabled or disabled per port. DAI and IP source guard are enabled, disabled, or set to inspection only per port. Duplicate IP Checking is enabled or disabled per device.
Each port must have its port type set to trusted, untrusted, or bypass. Port type determines how DHCP snooping will handle the port's traffic. DHCP server messages are only processed on trusted ports. On untrusted ports, DHCP server messages are counted in the untrusted packet counter (per port) and dropped. On bypass ports, DHCP server messages are ignored (that is, they do not affect the MAC-to-IP binding database), but they are not dropped. Ports are untrusted by default.
Port Classes
Enabling anti-spoofing on both the device and port level results in snooping frames, but it does not necessarily result in any actions taken on IP address binding violations. For this, you must define threshold values and resulting actions that will be used when MAC-to-IP address binding violations occur.
To do this, port classes must be defined and ports added to the appropriate port class. Up to three port classes can be configured on the switch. For example, you might configure a port class for your edge ports and another port class for your uplink ports. You might also want to configure a port class for ports with statically assigned addresses, allowing for a stricter threshold configuration. Another option is to configure port classes for ports that are using different methods to create MAC-to-IP bindings, such as DHCP snooping ports in one class and IP source guard ports in another class.
Port classes are configured with thresholds and actions. Up to six thresholds can be configured per port class, and each threshold can be assigned one or more of the following actions: sending syslog messages, sending an audit trap, or applying a quarantine policy. If the quarantine action is specified, you must associate a valid quarantine policy with the quarantine action.
If only one anti-spoofing detection type is enabled on a port (for example, DHCP snooping), the class thresholds and actions apply to events from that type alone. If several types are enabled on a port (for example, DHCP snooping and dynamic ARP inspection), the user's IP change count reflects events from all of them, so the class thresholds and actions must be chosen with that combination in mind.
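The port class limits and threshold actions described above, as an added Python example (not Policy Manager code): it validates a device's port classes against the limits and works out which actions fire as a user's IP change count rises. The data layout, the function names, the sample port ranges, lease times and threshold values, and the policy name Quarantine are assumptions of this example. The text does not say how a threshold behaves after it has fired, so here each threshold fires once, on the first count that reaches it; the trap suppression follows the note under Configure Devices that Audit Traps must be enabled on the device for a trap action to be sent.

```python
# Added example (not Policy Manager code): checking a device's port classes against the
# limits in the text and working out which threshold actions fire when a user's IP change
# count moves.  The data layout, function names, port ranges, threshold values and the
# policy name are this example's own.  Assumption: a threshold fires once, on the first
# count that reaches it, because the text does not say how re-crossing is handled.
from dataclasses import dataclass

MAX_PORT_CLASSES = 3    # per device
MAX_THRESHOLDS = 6      # per port class
ACTIONS = {"syslog", "trap", "quarantine"}

@dataclass(frozen=True)
class Threshold:
    ip_changes: int                   # fires when the user's IP change count reaches this
    actions: frozenset                # subset of ACTIONS
    quarantine_policy: str = None     # required when "quarantine" is among the actions

@dataclass
class PortClass:
    name: str
    binding_lease: int                # seconds a binding exists before the device removes it
    thresholds: tuple
    ports: frozenset

def validate_classes(classes, quarantine_policies):
    """Raise ValueError for anything the configuration rules above do not allow."""
    if len(classes) > MAX_PORT_CLASSES:
        raise ValueError(f"at most {MAX_PORT_CLASSES} port classes per device")
    assigned = set()
    for pc in classes:
        if len(pc.thresholds) > MAX_THRESHOLDS:
            raise ValueError(f"{pc.name}: at most {MAX_THRESHOLDS} thresholds")
        for th in pc.thresholds:
            if not th.actions <= ACTIONS:
                raise ValueError(f"{pc.name}: unknown action in {set(th.actions)}")
            if "quarantine" in th.actions and th.quarantine_policy not in quarantine_policies:
                raise ValueError(f"{pc.name}: quarantine action needs a valid quarantine policy")
        if assigned & pc.ports:
            raise ValueError(f"{pc.name}: port already in another class")
        assigned |= pc.ports
    return True

def class_for_port(classes, port):
    """A port outside every class is still snooped but gets no violation actions."""
    return next((pc for pc in classes if port in pc.ports), None)

def actions_on_change(pc, old_count, new_count, audit_traps_enabled):
    """Actions to take as a user's IP change count goes from old_count to new_count.
    Returns {action: quarantine policy or None}.  Trap actions are dropped when audit
    traps are disabled on the device, because the device then sends none."""
    fired = {}
    if pc is None:
        return fired
    for th in sorted(pc.thresholds, key=lambda t: t.ip_changes):
        if old_count < th.ip_changes <= new_count:
            for a in th.actions:
                fired[a] = th.quarantine_policy if a == "quarantine" else None
    if not audit_traps_enabled:
        fired.pop("trap", None)
    return fired

# Constructed configuration, modelled on the Server/User port class split used in the
# configuration example at the end of this topic; the numbers are this example's own.
USER_CLASS = PortClass("User ports", 3600, (
    Threshold(1, frozenset({"syslog"})),
    Threshold(3, frozenset({"syslog", "trap"})),
    Threshold(5, frozenset({"trap", "quarantine"}), "Quarantine"),
), frozenset(range(3, 49)))
SERVER_CLASS = PortClass("Server ports", 86400, (Threshold(1, frozenset({"syslog", "trap"})),),
                         frozenset({1, 2}))
DEVICE_CLASSES = (SERVER_CLASS, USER_CLASS)

def demo(audit_traps_enabled=True):
    """Actions fired on user port 12 for a few count transitions, plus one bad config."""
    validate_classes(DEVICE_CLASSES, quarantine_policies={"Quarantine"})
    pc = class_for_port(DEVICE_CLASSES, 12)
    out = {"first_change": actions_on_change(pc, 0, 1, audit_traps_enabled),
           "third_change": actions_on_change(pc, 2, 3, audit_traps_enabled),
           "jump_to_five": actions_on_change(pc, 3, 5, audit_traps_enabled),   # crosses 5 only
           "steady": actions_on_change(pc, 5, 5, audit_traps_enabled),
           "unclassed_port": actions_on_change(class_for_port(DEVICE_CLASSES, 49), 0, 9, True)}
    bad = PortClass("Bad", 60, (Threshold(1, frozenset({"quarantine"}), "Missing"),), frozenset({50}))
    try:
        validate_classes((bad,), {"Quarantine"})
        out["bad_config"] = "accepted"
    except ValueError as e:
        out["bad_config"] = str(e)
    return out
```

The validation step mirrors what the Edit Actions window enforces interactively (a quarantine action without a valid quarantine policy is rejected), and the unclassed-port case is the reminder that enabling snooping on a port does nothing punitive until the port belongs to a class.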
Managing the Binding Table
You can delete an entry in the MAC-to-IP binding table for a device using the device Anti-Spoofing tab in Policy Manager. Clearing the binding also clears the IP address change count associated with the user. Alternatively, you can clear the IP Change Count without clearing the current binding.
You can also view a binding table for a specific port from the Anti-Spoofing tab in the Port Properties window. The same options for clearing the IP Change Count and deleting bindings are available.
Anti-Spoofing Configuration Steps
Use the following steps as a guide for configuring anti-spoofing on your network. Typically, anti-spoofing is configured on the edge devices on your network. You will need to configure anti-spoofing at both the device and port level.
Configure Port Classes
For each device where anti-spoofing will be enabled, configure the port classes that define the threshold values and resulting actions that will be used when MAC-to-IP address binding violations occur. Up to three port classes can be configured per device.
- Select a device in the left-panel Network Elements tab and then select the right-panel Anti-Spoofing tab.
- Select the Device Configuration sub-tab.
- In the Violation Actions section, configure the port classes for the device. Click on a Port Class tab and enter a name for the port class.
- Set the Binding Lease Time, which is the number of seconds a binding will exist before being removed by the device.
- Configure the thresholds and actions for the class. Select an action index number in the table and click the Edit Action(s) button or double-click the row. The Edit Actions window opens where you can configure the threshold value and action. If you assign a quarantine action, you must associate a valid quarantine policy with the quarantine action. For more information, refer to How to Create a Quarantine Role.
- Assign the appropriate ports to each port class you configure. Use the Add/Remove Ports button to add or remove ports to or from the class.
- Click Apply to save your changes.
Configure Ports
Configure anti-spoofing for the ports on each device where anti-spoofing will be enabled.
- In the device Anti-Spoofing tab, select the Port Configuration sub-tab.
- In the table, select the ports that you will set as Trusted. Right-click and use the menu to:
  - Set the Port Type to Trusted.
  - Set DHCP Snooping to Enabled.
  - Set DHCP MAC Verify to Disabled.
- Select the ports that you will set as Untrusted. Right-click and use the menu to:
  - Set the Port Type to Untrusted.
  - Set DHCP Snooping to Enabled.
  - Optionally, set DHCP MAC Verify to Enabled.
- Select the ports that you will set as Bypass. Right-click and use the menu to:
  - Set the Port Type to Bypass.
  - Set DHCP Snooping to Disabled.
  - Set DHCP MAC Verify to Disabled.
- Optionally, enable dynamic ARP inspection on the desired port or ports. Select the ports in the table, right-click and use the menu to set dynamic ARP inspection to Enabled, Disabled, or Inspection Only.
- Optionally, enable IP source guard on the desired port or ports. Select the ports in the table, right-click and use the menu to set IP source guard to Enabled, Disabled, or Inspection Only.
You can also set anti-spoofing parameters for a single port using the Port Properties Anti-Spoofing tab.
Configure Devices
For each device, enable anti-spoofing and set anti-spoofing parameters.
- In the Anti-Spoofing tab, select the Device Configuration sub-tab.
- Use the drop-down menu to set Anti-Spoofing to Enabled on the device.
- Use the drop-down menu to set Audit Traps to Enabled on the device, if desired. This must be enabled if you have configured an audit trap as a threshold action, in order for the trap to be sent.
- Change the Audit Trap Interval if desired. The default is 60 seconds.
- Enable Duplicate IP Checking, if desired.
- Click Apply to save your settings.
Configuration Example
The following example configures anti-spoofing features on a switch at the edge of the network, where two ports are connected to a DHCP server and the rest of the ports are connected to users. DHCP snooping is configured on the ports connected to the DHCP server so the binding table will be populated by DHCP snooping.
User ports 10 through 40 are configured for dynamic ARP inspection and IP source guard inspection, but are enabled for inspection only, since the binding table entries are added by DHCP snooping on the DHCP server trusted ports. Also, DHCP snooping MAC Verify is enabled on the untrusted user ports.
As part of the configuration:
- Two port classes are configured: one for Server ports and one for User ports. Binding lease time, threshold, and action values for each port class are configured.
- The two ports connected to the DHCP server are configured as trusted ports and have DHCP snooping enabled.
- All user ports are configured as untrusted ports and have DHCP snooping enabled. DHCP MAC Verify is also enabled on all user ports.
- Dynamic ARP inspection and IP source guard are configured for inspection only on user ports 10 through 40.
- Both server ports are assigned to the Server port class.
- All user ports are assigned to the User port class.
- Anti-spoofing is enabled on the device.
- Audit Traps are enabled on the device and the audit trap interval is changed to 30 seconds.
- Duplicate IP checking is enabled on the device.
For information on related tasks: