[Rack] [Noisebridge-discuss] network down this afternoon, an interesting guide for people who want to help when the network goes down

Jonathan Lassoff jof at thejof.com
Wed Jun 6 00:07:45 UTC 2012


[ - noisebridge-discuss@, + rack@ ]

On Tue, Jun 5, 2012 at 5:01 PM, Jonathan Lassoff <jof at thejof.com> wrote:
> On Tue, Jun 5, 2012 at 3:38 PM, Nick Owens <mischief at offblast.org> wrote:
>> Can't we whitelist the real dhcp server on udp port 68, and drop packets on
>> the lan whose source port is 68 and not on the whitelist?
>
> This kind of filtering is exactly what DHCP snooping was made for.
>
> It takes this idea a step further and selectively filters UDP
> destination_port = 68 destination_port = 67 traffic and follows the
> state of a DHCP DISCOVER, OFFER, REQUEST, ACK protocol flow.
>
> It filters any OFFERs, or ACKs from ports that are not marked as "trusted".
> An administrator then marks any ports on the switch that could
> possibly follow a path back to a DHCP server, so that traffic along
> that path is allowed to be forwarded to clients.
>
> With the information garnered from that exchange, some switches also
> go a step further and dynamically inspect ARP requests / responses to
> block any ARP spoofing requests.
> The one downside to this is that any statically-addressed things also
> need to get added to the switch or need to obtain/bind their IPs with
> static DHCP leases on the server.
>
>
> I think we ought to take the first step and do some DHCP snooping /
> filtering, to prevent any rogue servers showing up.

I propose we start down this path by uplinking the APs and
further-downstream client ports via switch3.noise (the Juniper EX2200
I brought in). This can be the root of the filtering, and from which
we can "trust" that there's no DHCP-related tom-foolery downstream of
it.

Currently, the tree of switches looks like:

## Switch 2 (switch2.noise), Cisco 2948. 8-port FastE, 1 GigE ##
- Main edge / border and core switch
- Uplinks to Sonic.net and Monkeybrains
- Router "bikeshed" hooks into here
- Stallion hooks into here (and by extension, Pony)

## Switch 1 (switch1.noise), 48-port, cheap-o Linksys switch ##
- Used for fan-out, distribution, and access ports.
- APs connect into here.
- Very little administrative / management control available in
software. Did I mention it's cheap?
- I suspect many network "problems" are downstream from here.

## Switch 3 (switch3.noise), Juniper EX 2200, 24-port GigE PoE ##
- High quality switch with lots of administrative control
- Used to feed the Ruckus APs.
- Backup path from switch2<->switch1, shutdown currently

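As an added example (not from Jonathan's message or Noisebridge's actual switch config), this is what the DHCP snooping plus ARP inspection described above looks like on a pre-ELS Junos EX2200 such as switch3.noise. The VLAN name `noise`, the uplink `ge-0/0/0.0` toward switch2.noise and the static host values are assumptions.

```junos
## Added example: DHCP snooping + dynamic ARP inspection on switch3.noise
## (Juniper EX2200, pre-ELS Junos). Assumed names: VLAN "noise" carries the
## APs and client ports; ge-0/0/0.0 is the uplink toward switch2.noise, i.e.
## the only path back to the real DHCP server. All other ports stay untrusted.

## 1. Only the uplink may source DHCP OFFER / ACK. Untrusted is the default,
##    so any rogue server plugged in downstream is silently dropped.
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 dhcp-trusted

## 2. Inspect DHCP on the client VLAN. The switch follows the
##    DISCOVER / OFFER / REQUEST / ACK exchange and records
##    IP <-> MAC <-> port bindings in its snooping table.
set ethernet-switching-options secure-access-port vlan noise examine-dhcp

## 3. Use those bindings to drop ARP replies that do not match
##    a learned lease (the ARP spoofing protection mentioned above).
set ethernet-switching-options secure-access-port vlan noise arp-inspection

## 4. The downside noted above: statically addressed hosts have no lease,
##    so they need a manual binding or their ARP traffic gets dropped.
##    Address, MAC and port below are made-up placeholders; confirm the
##    static-ip stanza against your Junos release before committing.
set ethernet-switching-options secure-access-port vlan noise static-ip 192.0.2.10 vlan noise mac 00:00:5e:00:53:01 interface ge-0/0/5.0

## Verify after "commit":
##   show dhcp snooping binding
##   show arp inspection statistics
```

Bring switch1.noise's client ports and the APs in behind switch3.noise first; snooping only protects what sits downstream of the filtering switch.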