Sunday, March 3, 2013

CCIE DC Study: Nexus 1000V

Hi Guys

This post is going to be about the Nexus 1000V, in order to help those out there studying for the CCIE DC. I am not going to go through in this blog post how to install the Nexus 1000V, as this is covered in great detail elsewhere. Instead I am going to talk about why you might want to use the Nexus 1000V and some of the features available to you.

First of all, before we go any further, did you know that the Nexus 1000V is now COMPLETELY FREE?

That's right, the Nexus 1000V now comes in two editions: the "Essential edition", which is completely free to use, and the "Advanced edition". You can go to cisco.com right now and download your very own copy of the Nexus 1000V.

Now that we have that out of the way, let's look at some of the security features the Nexus 1000V has. Later we will look at QoS and (if we get time) VXLAN.


DHCP Snooping
This feature might be familiar to you, as it is available on existing physical switches from Cisco right now. What you need to ask yourself, though, is: as VDI deployments increase, how do I protect my virtual infrastructure? If you're doing a "cloud" deployment and you intend to have lots of machines from lots of different locations running VDI, the chance that one of those users is a nefarious hacker increases, so protecting your infrastructure becomes more vital. DHCP snooping allows you to protect against some common man-in-the-middle attacks as well as a few more sophisticated attacks we will chat about.

Let's briefly chat about the configuration I have. I have two Windows servers configured: one is acting as my DHCP client and the other as my DHCP server. Both are connected on VLAN 50 (172.21.5.0/24) on my Nexus 1000V.

The first thing to do is enable the dhcp feature:

DCNexus1000V(config)# feature dhcp


You may receive an error when you attempt to do this: this feature requires the Advanced edition of the Nexus 1000V. You can enable the Advanced edition as a 60-day trial with:


DCNexus1000V(config)# svs switch edition advanced


Once this is done and you have entered the feature dhcp command, enable IP DHCP snooping for the appropriate VLAN:

DCNexus1000V(config)# ip dhcp snooping vlan 50




Let's look at the configuration so far:

DCNexus1000V# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
50
DHCP snooping is operational on the following VLANs:
none

Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface             Trusted        Pkt Limit
------------          -------        ---------
Vethernet1            No              Unlimited
Vethernet2            No              Unlimited
Vethernet3            No              Unlimited
Vethernet4            No              Unlimited
Vethernet5            No              Unlimited
Vethernet6            No              Unlimited
Vethernet7            No              Unlimited



As you can see from the above output, DHCP snooping is still not operational on VLAN 50, so let's go ahead and enable DHCP snooping globally with:

DCNexus1000V(config)# ip dhcp snooping

Now DHCP snooping will be enabled for VLAN 50.

DCNexus1000V# show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on the following VLANs:
50
DHCP snooping is operational on the following VLANs:
none
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface             Trusted        Pkt Limit
------------          -------        ---------
Vethernet1            No              Unlimited
Vethernet2            No             Unlimited
Vethernet3            No              Unlimited
Vethernet4            No              Unlimited
Vethernet5            No              Unlimited
Vethernet6            No              Unlimited
Vethernet7            No              Unlimited


Let's take a look at the default behavior of DHCP snooping. As you can see from the above, all ports are in the untrusted state, which means that if I try to get a DHCP address on my Windows server...

Windows 2008 DHCP Client:
ipconfig /release

ipconfig /renew


The request just hangs, and I can see that the DHCP responses are being blocked:

DCNexus1000V# show ip dhcp snooping statistics
Packets processed 23
Packets forwarded 22
Total packets dropped 1

Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to service dhcp not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0


Therefore I must configure the DHCP server's port as trusted, using a trusted port-profile:

port-profile type vethernet DHCP_TRUSTED
  vmware port-group
  switchport mode access
  switchport access vlan 50
  no shutdown
  state enabled
  ip dhcp snooping trust

I then assign this port-profile to my DHCP server and try renewing the address again.

DCNexus1000V# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
50
DHCP snooping is operational on the following VLANs:
50
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface             Trusted        Pkt Limit
------------          -------        ---------
Vethernet1            No              Unlimited
Vethernet2            Yes             Unlimited
Vethernet3            No              Unlimited
Vethernet4            No              Unlimited
Vethernet5            No              Unlimited
Vethernet6            No              Unlimited
Vethernet7            No              Unlimited


I can see now that a binding table entry has been built:


DCNexus1000V# show ip dhcp snooping binding
MacAddress         IpAddress        LeaseSec  Type        VLAN  Interface
-----------------  ---------------  --------  ----------  ----  -------------
00:50:56:01:fa:ce  172.21.5.11      691129     dhcp-snoop  50    Vethernet7


So you can see that DHCP snooping protects me from a rogue DHCP server: if I don't trust the port, then DHCP server responses received on that port are not trusted and will be dropped.

DHCP snooping also protects me from two other attacks that I had never even envisioned!

The first potential attack is taken care of by this default command:

DCNexus1000V# show run all | inc "ip dhcp snooping"

ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
ip dhcp snooping vlan 50



This setting is on by default on the Nexus 1000V. What it does is check, when a DHCP request is sent, that the DHCP client hardware address value (part of the DHCP packet) matches the source MAC address of the frame; if it does not, the frame is dropped. This is to prevent an attacker running a DoS attack whereby the attacker generates lots of DHCP requests in an attempt to exhaust the DHCP server's scope of available addresses.

As you can imagine, however, depending on your configuration you may have a device that proxies DHCP requests on a client's behalf, and with this command enabled you must take that into account.

The other check that DHCP snooping performs is that when a DHCP release or decline message is received, the switch consults its binding table to make sure the message is being sent from the same port where that IP address is listed. This prevents an attacker from sending a DHCP release with your IP address to the DHCP server in the hope that, when they then request an IP address, the DHCP server allocates your address (which, to be honest, seems fairly unlikely to me and quite a sophisticated attack!)
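To make the three checks concrete, here is an added Python model (not code from the original post or from Cisco) of a simplified DHCP snooping decision: server replies are dropped on untrusted ports, the client hardware address (chaddr) must match the frame's source MAC, and RELEASE/DECLINE messages are only accepted from the port that holds the binding for that IP. The payload layout follows RFC 2131; the sample payloads, the port names and the binding table are constructed, and the trusted-port bypass is an assumption of this model.

```python
import ipaddress, struct
# DHCP payload layout (RFC 2131): op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
# ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128) cookie(4) options
CIADDR_OFF, CHADDR_OFF, OPTIONS_OFF = 12, 28, 240
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDECLINE, DHCPRELEASE = 4, 7

def parse_dhcp(payload):
    """Return op, ciaddr (dotted), chaddr (bytes) and the options as {code: bytes}."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    ciaddr = str(ipaddress.IPv4Address(payload[CIADDR_OFF:CIADDR_OFF + 4]))
    chaddr = payload[CHADDR_OFF:CHADDR_OFF + hlen]
    opts, i = {}, OPTIONS_OFF
    while i < len(payload) and payload[i] != 255:      # 255 = end of options
        if payload[i] == 0:                             # 0 = pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, ciaddr, chaddr, opts

def snoop(src_mac, port, trusted, payload, bindings, verify_mac=True):
    """Simplified snooping decision for a DHCP packet arriving on one port. bindings maps
    client IP -> port ('show ip dhcp snooping binding'); trusted ports skip all checks (model assumption)."""
    op, ciaddr, chaddr, opts = parse_dhcp(payload)
    if trusted:
        return "forward"
    if op == BOOTREPLY:
        return "drop: server reply on untrusted port"
    if verify_mac and chaddr != src_mac:                # 'ip dhcp snooping verify mac-address'
        return "drop: chaddr does not match frame source MAC"
    msg_type = opts.get(53, b"\0")[0]
    if msg_type in (DHCPRELEASE, DHCPDECLINE):
        # RELEASE carries the IP in ciaddr, DECLINE in option 50 (requested address)
        ip = ciaddr if msg_type == DHCPRELEASE else str(ipaddress.IPv4Address(opts[50]))
        if bindings.get(ip) != port:
            return "drop: release/decline for an IP not bound to this port"
    return "forward"

def build_dhcp(op, chaddr, msg_type, ciaddr="0.0.0.0", requested=None):
    """Build a minimal DHCP payload (constructed test data, not a real capture)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
    fixed += ipaddress.IPv4Address(ciaddr).packed + b"\0" * 12   # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 192                # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if requested:
        opts += bytes([50, 4]) + ipaddress.IPv4Address(requested).packed
    return fixed + b"\x63\x82\x53\x63" + opts + b"\xff"
```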


IP Source Guard

This feature does as advertised: if you have DHCP snooping enabled, the switch can ensure that the source IP address coming out of the interface matches the one allocated via DHCP. By default it checks that both the MAC address and the IP address match, but if your MAC address is likely to change, the Nexus 1000V can check only that the SOURCE IP is correct.

DCNexus1000V(config)# ip source binding filter-mode ?
  ip      Source IP-filter only
  ip-mac  IP-mac filter


You can see the option to configure this above.

To actually specify this on an interface:

interface Vethernet7
  inherit port-profile DHCP_UNTRUSTED
  description DHCP_Windows2008_2, Network Adapter 1
  vmware dvport 289 dvswitch uuid "ff 19 20 50 81 e8 3a f3-40 ab f2 17 7c ff a3 95"
  vmware vm mac 0050.5601.FACE
  ip verify source dhcp-snooping-vlan


This is now configured on the interface, so let's watch it in action.


So with this command configured we are able to ping the DHCP server, but if we statically define the IP address on this host as 172.21.5.3 we are unable to ping.

However, if we define a static mapping:



DCNexus1000V(config)# ip source binding 172.21.5.3 0050.5601.face vlan 50 interface veth7



We are suddenly able to ping.

Now let's assume we enter a binding with a totally fake MAC address, so that only the IP matches:


DCNexus1000V(config)# ip source binding 172.21.5.3 face.face.face vlan 50 interface vethernet 7


If we left the configuration like this, we would not be able to ping.

However, if we change the config to verify the IP address only and not the MAC address:


DCNexus1000V(config)# ip source binding filter-mode ip


Now we are able to ping, because we are only verifying the IP address.
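As an added Python illustration (not code from the original post or from Cisco), the following models IP Source Guard's two filter modes against a binding table and replays the steps above: the DHCP-learned lease, the static 172.21.5.3 address with no binding, a static binding with the real MAC, and the fake-MAC binding under ip-mac and ip modes. The Binding class, the packet dictionary and the interface names are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the binding table, learned by DHCP snooping or added with 'ip source binding'."""
    ip: str
    mac: str
    vlan: int
    interface: str

def normalize_mac(mac):
    """Accept 0050.5601.FACE, 00:50:56:01:fa:ce or face.face.face; return 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def ip_source_guard(packet, bindings, filter_mode="ip-mac"):
    """Return True if the packet may leave its ingress interface.
    packet: {"src_ip", "src_mac", "vlan", "interface"}; filter_mode is 'ip-mac' (default,
    match IP and MAC) or 'ip' ('ip source binding filter-mode ip', match the IP only)."""
    if filter_mode not in ("ip", "ip-mac"):
        raise ValueError("filter_mode must be 'ip' or 'ip-mac'")
    for b in bindings:
        # A binding only counts on the VLAN and interface it was learned or configured for
        if (b.vlan, b.interface, b.ip) != (packet["vlan"], packet["interface"], packet["src_ip"]):
            continue
        if filter_mode == "ip" or normalize_mac(b.mac) == normalize_mac(packet["src_mac"]):
            return True
    return False

def walkthrough():
    """Replay the post's steps for the host on Vethernet7 and return {step: allowed?}."""
    snooped = [Binding("172.21.5.11", "00:50:56:01:fa:ce", 50, "Vethernet7")]   # from DHCP snooping
    host = {"src_mac": "0050.5601.FACE", "vlan": 50, "interface": "Vethernet7"}
    pkt = lambda ip: {**host, "src_ip": ip}
    real = snooped + [Binding("172.21.5.3", "0050.5601.face", 50, "Vethernet7")]
    fake = snooped + [Binding("172.21.5.3", "face.face.face", 50, "Vethernet7")]
    return {
        "dhcp_lease": ip_source_guard(pkt("172.21.5.11"), snooped),           # True
        "static_ip_no_binding": ip_source_guard(pkt("172.21.5.3"), snooped),  # False
        "static_binding_real_mac": ip_source_guard(pkt("172.21.5.3"), real),  # True
        "fake_mac_ip_mac_mode": ip_source_guard(pkt("172.21.5.3"), fake),     # False
        "fake_mac_ip_mode": ip_source_guard(pkt("172.21.5.3"), fake, "ip"),   # True
    }
```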




2 comments:

  1. I thought I knew everything about these 3 L2 security technologies (including DAI), but you did a better job than some training vendors explaining how the "ip dhcp snooping verify mac-address" command checks the "Client Hardware Address Value" at the DHCP packet. I have to admit as well that I was too lazy to look that up myself at the NX-OS security config guide.

    Also, the "ip source binding filter-mode ip" command seems useful in some scenarios and I didn't know about it. My N5K for tests does not support it apparently.
