WEBVTT

0:00:03.020000 --> 0:00:08.060000
Hello and welcome to this video titled, Securing Network Access with DHCP

0:00:08.060000 --> 0:00:12.820000
Snooping. In this video, I'm going to cover what problem is solved by

0:00:12.820000 --> 0:00:17.900000
DHCP Snooping, some terminology that goes along with this feature, and

0:00:17.900000 --> 0:00:20.620000
we're going to cover the operation of how the protocol works to actually

0:00:20.620000 --> 0:00:23.320000
secure your network.

0:00:23.320000 --> 0:00:25.120000
So let's start with the overall problem.

0:00:25.120000 --> 0:00:29.900000
Why would we need DHCP Snooping in the first place?

0:00:29.900000 --> 0:00:34.580000
Well, let's go back to our basic operations of DHCP, and we can see that

0:00:34.580000 --> 0:00:40.720000
DHCP is inherently insecure because of the nature of the way it works.

0:00:40.720000 --> 0:00:47.920000
So we know that when the DHCP client sends his first message, which is

0:00:47.920000 --> 0:00:55.300000
the DHCP offer, that message, not an offer, sorry, I'm thinking ahead

0:00:55.300000 --> 0:00:59.500000
of myself here. That's not the DHCP offer, that first message is the DHCP

0:00:59.500000 --> 0:01:01.300000
Discover packet.

0:01:01.300000 --> 0:01:04.180000
There we go, the Discover.

0:01:04.180000 --> 0:01:12.140000
Well, we know the Discover packet is broadcast in nature, which means

0:01:12.140000 --> 0:01:16.120000
that anybody else who's in the same VLAN as you will have visibility to

0:01:16.120000 --> 0:01:18.760000
that, because they'll be flooded to them.

0:01:18.760000 --> 0:01:22.040000
Here's where somebody could use this against you.

0:01:22.040000 --> 0:01:26.760000
If we had a malicious evil person in the network who was on the same VLAN,

0:01:26.760000 --> 0:01:34.140000
the same broadcast domain as you, they could set up a rogue DHCP server,

0:01:34.140000 --> 0:01:38.100000
maybe on their laptop.

0:01:38.100000 --> 0:01:42.180000
They have some sort of application running as a DHCP server application.

0:01:42.180000 --> 0:01:45.640000
When they see your Discover packet, there's nothing that would prevent

0:01:45.640000 --> 0:01:52.040000
them from sending you an offer packet, a DHCP offer.

0:01:52.040000 --> 0:01:58.940000
Now, if the legitimate DHCP server still gets your DHCP Discover, he also

0:01:58.940000 --> 0:02:02.640000
will be sending an offer, but here's the problem.

0:02:02.640000 --> 0:02:07.580000
Every operating system I know of, when an operating system gets two or

0:02:07.580000 --> 0:02:12.980000
more DHCP offers in response to your Discover packet, every operating

0:02:12.980000 --> 0:02:16.440000
system I know of will accept the first one that came in.

0:02:16.440000 --> 0:02:21.020000
So whatever the first offer was that came in, that's the one that's accepted.

0:02:21.020000 --> 0:02:26.020000
So if this rogue DHCP server is physically located closer to you, the

0:02:26.020000 --> 0:02:31.520000
client, than the actual real DHCP server is, you will accept his rogue

0:02:31.520000 --> 0:02:40.120000
offer first. So let's say here that this person was 1.1.1.1.

0:02:40.120000 --> 0:02:44.860000
Well, in his offer, he could say, hey, I'm going to give you 1.1.1.2.

0:02:44.860000 --> 0:02:46.060000
That can be yours.

0:02:46.060000 --> 0:02:50.960000
And by the way, your default gateway is 1.1.1.

0:02:50.960000 --> 0:02:56.900000
Now, maybe the real default gateway is right here, and he's actually 1

0:02:56.900000 --> 0:03:02.140000
.1.1.8. So you just got the wrong gateway information.

0:03:02.140000 --> 0:03:08.260000
So now you're going to give yourself the IP address of 1.1.1.2 that was

0:03:08.260000 --> 0:03:12.900000
in your offer. You will mark down that your default gateway is 1.1.1.1.

0:03:12.900000 --> 0:03:14.200000
And who is that?

0:03:14.200000 --> 0:03:17.840000
That's the rogue malicious evil person.

0:03:17.840000 --> 0:03:20.980000
So now whenever you need to send a packet off your network, which let's

0:03:20.980000 --> 0:03:26.160000
face it, is like 99% of all the packets you ever send, your packets will

0:03:26.160000 --> 0:03:29.160000
be directed to that malicious person right there.

0:03:29.160000 --> 0:03:30.900000
They will see everything you're sending.

0:03:30.900000 --> 0:03:35.360000
And if they're smart, not only will they keep copies of your packets,

0:03:35.360000 --> 0:03:39.820000
but then they will replay your packets out to the correct default gateway.

0:03:39.820000 --> 0:03:43.420000
So your packets can actually reach their destination, but now they are

0:03:43.420000 --> 0:03:47.140000
performing what's called a man in the middle attack.

0:03:47.140000 --> 0:03:49.800000
Because they're seeing everything that you send because all your packets

0:03:49.800000 --> 0:03:52.700000
are being directed to them first.

0:03:52.700000 --> 0:03:56.740000
So that's one way that DHCP could be used against you.

0:03:56.740000 --> 0:03:58.680000
There's lots of other ways as well.

0:03:58.680000 --> 0:04:02.500000
For example, you send your discover packet.

0:04:02.500000 --> 0:04:07.480000
You get an offer.

0:04:07.480000 --> 0:04:10.840000
Now this person right here, they're not going to see the offer because

0:04:10.840000 --> 0:04:12.560000
the offer is unicast.

0:04:12.560000 --> 0:04:15.700000
So they're not going to have visibility to that.

0:04:15.700000 --> 0:04:22.680000
But they are going to see your DHCP request because the request, just

0:04:22.680000 --> 0:04:26.000000
like the discover, is a broadcast packet.

0:04:26.000000 --> 0:04:27.080000
So they'll see that.

0:04:27.080000 --> 0:04:30.500000
And guess what? In that request, they'll see what IP address that you

0:04:30.500000 --> 0:04:34.900000
got. Because in the request, you're saying, hey, DHCP server, you just

0:04:34.900000 --> 0:04:36.860000
told me I could be 1.1.1.1.

0:04:36.860000 --> 0:04:39.540000
I like that. I'll go ahead and take that.

0:04:39.540000 --> 0:04:41.260000
Well, because that's a broadcast, they see it.

0:04:41.260000 --> 0:04:46.480000
And guess what? Now that they see what your IP address is, if they want

0:04:46.480000 --> 0:04:51.760000
to be mean, they can just change their own IP address to match you.

0:04:51.760000 --> 0:04:57.140000
And now they could send a DHCP release packet.

0:04:57.140000 --> 0:04:59.440000
Saying, hey, server, I'm gone.

0:04:59.440000 --> 0:05:02.320000
I'm going to leave this network so you can have 1.1.1 back again.

0:05:02.320000 --> 0:05:03.660000
I don't need it.

0:05:03.660000 --> 0:05:07.860000
And now the DHCP server assigns somebody else who comes along that exact

0:05:07.860000 --> 0:05:09.480000
same IP address.

0:05:09.480000 --> 0:05:11.960000
Now we have a duplicate IP addressing problem.

0:05:11.960000 --> 0:05:16.220000
Two devices in the network, two hosts, they're using the same address,

0:05:16.220000 --> 0:05:19.040000
which is going to cause all kinds of problems.

0:05:19.040000 --> 0:05:24.560000
So these are just two examples of the many examples of how DHCP could

0:05:24.560000 --> 0:05:28.880000
be used to perform denial of service attacks and all sorts of problems

0:05:28.880000 --> 0:05:34.360000
here. So DHCP snooping as a switching feature was designed to mitigate

0:05:34.360000 --> 0:05:37.500000
or prevent all these types of problems.

0:05:37.500000 --> 0:05:39.340000
So how does it do it?

0:05:39.340000 --> 0:05:45.640000
All right, so when you enable DHCP snooping, step number one, and we'll

0:05:45.640000 --> 0:05:48.680000
see this coming up later on, but I'll give you a preview of it now.

0:05:48.680000 --> 0:05:53.540000
Step number one is to enable it at the global level of the switch.

0:05:53.540000 --> 0:06:01.000000
So on the switch, we just simply type at the global configuration level

0:06:01.000000 --> 0:06:04.300000
ip dhcp snooping.

0:06:04.300000 --> 0:06:11.720000
So that command by itself doesn't really do anything from your perspective.

0:06:11.720000 --> 0:06:15.620000
Now in the background it sets up some memory tables and databases and

0:06:15.620000 --> 0:06:18.000000
gets DHCP snooping ready to go.

0:06:18.000000 --> 0:06:23.140000
Now the next thing that happens is we have to ask ourselves, okay, what

0:06:23.140000 --> 0:06:24.280000
VLANs are these ports?

0:06:24.280000 --> 0:06:28.120000
This says VLAN X, but let's put a real VLAN on here, so we actually have

0:06:28.120000 --> 0:06:29.940000
something that we can use.

0:06:29.940000 --> 0:06:38.820000
Let's say that these ports here are in VLAN 2.

0:06:38.820000 --> 0:06:42.840000
All these ports right here are in VLAN 2.

0:06:42.840000 --> 0:06:46.820000
And this is the VLAN for which we want to enable DHCP snooping.

0:06:46.820000 --> 0:06:49.120000
Well that's the next thing we have to do.

0:06:49.120000 --> 0:06:53.800000
We have to tell DHCP snooping that it needs to be operational on that particular

0:06:53.800000 --> 0:06:59.680000
VLAN. So once again at the global configuration level we're going to say

0:06:59.680000 --> 0:07:05.540000
ip dhcp snooping, but this time we're going to say vlan 2.

0:07:05.540000 --> 0:07:10.980000
If I can move this up here a little bit, come on, you can do it.

0:07:10.980000 --> 0:07:18.580000
There we go. Okay, so the moment that you do that, every interface that's

0:07:18.580000 --> 0:07:27.740000
in VLAN 2 from a DHCP perspective will be configured as an untrusted port.

0:07:27.740000 --> 0:07:30.360000
So all three of these interfaces will be untrusted.

0:07:30.360000 --> 0:07:32.560000
Now what does that mean exactly?

0:07:32.560000 --> 0:07:33.500000
Why do we care about that?

0:07:33.500000 --> 0:07:35.480000
Well here's the difference.

0:07:35.480000 --> 0:07:42.240000
Without DHCP snooping, any DHCP client packet that's a broadcast like

0:07:42.240000 --> 0:07:48.340000
your DHCP discover and your DHCP request normally is flooded because those

0:07:48.340000 --> 0:07:52.180000
are broadcasted so they're flooded out all the other ports in that VLAN.

0:07:52.180000 --> 0:07:58.920000
Not so here. So when we have DHCP snooping enabled for VLAN 2, when a

0:07:58.920000 --> 0:08:04.440000
client message comes in on an untrusted port, so for example when we see

0:08:04.440000 --> 0:08:14.000000
coming in this way, either a discover or we see a request or any other

0:08:14.000000 --> 0:08:15.420000
type of client message.

0:08:15.420000 --> 0:08:19.160000
For example like a release.

0:08:19.160000 --> 0:08:23.100000
These are just some of the examples of the DHCP client messages.

0:08:23.100000 --> 0:08:28.720000
When it arrives on an untrusted port, it is not allowed to be transmitted

0:08:28.720000 --> 0:08:32.000000
out another untrusted port.

0:08:32.000000 --> 0:08:36.020000
So even if this thing is a broadcast, when it comes in port 1, in this

0:08:36.020000 --> 0:08:40.140000
case it's not going to go out port 2 or port 3.

0:08:40.140000 --> 0:08:43.840000
So port 2 where a malicious evil person is sitting, he's never going to

0:08:43.840000 --> 0:08:45.020000
see your discover.

0:08:45.020000 --> 0:08:47.460000
He's never going to see your request.

0:08:47.460000 --> 0:08:50.480000
Now if we just left it like this and we walked away we'd have a big problem

0:08:50.480000 --> 0:08:55.520000
because those messages also are not going to go out port number 3 and

0:08:55.520000 --> 0:08:57.660000
we do need them to go out port number 3.

0:08:57.660000 --> 0:09:03.920000
So the next step in the process here is we need to do some manual configuration

0:09:03.920000 --> 0:09:08.560000
and configure port 3 as a trusted port.

0:09:08.560000 --> 0:09:16.320000
So once port number 3 is configured as a trusted interface, now DHCP client

0:09:16.320000 --> 0:09:23.940000
messages that come in untrusted ports will be allowed out trusted interfaces.

0:09:23.940000 --> 0:09:28.400000
So this discover message will be allowed out here because it's going out

0:09:28.400000 --> 0:09:35.500000
a trusted port. And DHCP server messages, if a DHCP server message is

0:09:35.500000 --> 0:09:39.780000
received on a trusted port, it's okay, we trust it.

0:09:39.780000 --> 0:09:42.780000
So we will allow that through and let it get back to the client.

0:09:42.780000 --> 0:09:49.500000
But if a DHCP server message comes in on an untrusted port, it's dropped.

0:09:49.500000 --> 0:09:52.120000
It's not allowed.

0:09:52.120000 --> 0:09:56.140000
So right there we can see some big benefits of DHCP snooping.

0:09:56.140000 --> 0:09:59.840000
So if this was all that it did, there'd be some big benefits right here.

0:09:59.840000 --> 0:10:04.040000
Number one, my discover packet would not be seen by the malicious evil

0:10:04.040000 --> 0:10:08.440000
person. My request packet that actually contains my IP address would not

0:10:08.440000 --> 0:10:10.760000
be seen by the malicious evil person.

0:10:10.760000 --> 0:10:16.320000
Those would only be going to the server. When the server sent replies back

0:10:16.320000 --> 0:10:20.840000
like offers, because that's received on a trusted port,

0:10:20.840000 --> 0:10:23.180000
that would be allowed through.

0:10:23.180000 --> 0:10:26.960000
If we've got somebody here with a rogue DHCP service, it wouldn't do them

0:10:26.960000 --> 0:10:32.420000
any good at all because any messages they sent like offers for example,

0:10:32.420000 --> 0:10:36.400000
wouldn't get beyond this port because that port number two is an untrusted

0:10:36.400000 --> 0:10:39.940000
port. Server messages are not allowed.

0:10:39.940000 --> 0:10:42.240000
But it gets even better than that.

0:10:42.240000 --> 0:10:46.360000
Let's say that the malicious evil person somehow discovers, you know,

0:10:46.360000 --> 0:10:50.820000
maybe you walk away, they sit down on your laptop, and they see that your

0:10:50.820000 --> 0:10:54.480000
laptop was given this IP address and subnet mask.

0:10:54.480000 --> 0:10:55.520000
Okay, so now they leave.

0:10:55.520000 --> 0:10:59.320000
So before you come back, they know now what your IP address is.

0:10:59.320000 --> 0:11:04.540000
What if this malicious evil person changed their own IP address to match

0:11:04.540000 --> 0:11:07.760000
you, and now they tried to do some spoofing.

0:11:07.760000 --> 0:11:12.100000
They tried to pretend to be you and knock you off the network by sending

0:11:12.100000 --> 0:11:19.400000
a DHCP release. Well, if what I've described here was all that DHCP snooping

0:11:19.400000 --> 0:11:24.360000
did, we'd have a problem because a DHCP release is a client message.

0:11:24.360000 --> 0:11:28.720000
Client messages are allowed to be received on untrusted ports.

0:11:28.720000 --> 0:11:32.680000
It would be forwarded out the trusted port and the DHCP server would get

0:11:32.680000 --> 0:11:34.360000
it and release that IP address.

0:11:34.360000 --> 0:11:37.700000
He would put it back into the available addressing pool.

0:11:37.700000 --> 0:11:43.280000
But fortunately for us, DHCP snooping has another capability.

0:11:43.280000 --> 0:11:53.660000
You see, when DHCP messages from clients are received on untrusted ports,

0:11:53.660000 --> 0:11:59.760000
the DHCP snooping switch keeps a record of that, keeps track of it.

0:11:59.760000 --> 0:12:04.140000
So as the four-way handshake happens right here, the switch will actually

0:12:04.140000 --> 0:12:08.020000
keep a record of all of that transaction, and he will put that into what's

0:12:08.020000 --> 0:12:10.700000
called a DHCP snooping binding database.

0:12:10.700000 --> 0:12:14.980000
So he will learn that the legitimate client has that particular MAC address.

0:12:14.980000 --> 0:12:19.280000
He's on port number one, his IP address, his subnet mask.

0:12:19.280000 --> 0:12:21.780000
He'll even learn what the lease time is.

0:12:21.780000 --> 0:12:26.040000
So now, if we have somebody who tries to spoof you, if this guy over here

0:12:26.040000 --> 0:12:31.780000
tries to change his IP address to match you, and he tries to send in like

0:12:31.780000 --> 0:12:36.520000
a release, for example, it's not going to do him any good, because the

0:12:36.520000 --> 0:12:39.220000
switch will say, hey, hold on a second.

0:12:39.220000 --> 0:12:43.840000
You say that you're 1.1.1.1, and yet you're coming in on port number two,

0:12:43.840000 --> 0:12:46.980000
that doesn't match what I have here.

0:12:46.980000 --> 0:12:49.560000
That IP address was learned on port number one.

0:12:49.560000 --> 0:12:54.080000
I think you're wrong, and he'll drop that release message.

0:12:54.080000 --> 0:13:00.740000
So the DHCP snooping binding database helps prevent spoofing attacks with

0:13:00.740000 --> 0:13:07.140000
DHCP. So these three things here are how DHCP snooping helps prevent a

0:13:07.140000 --> 0:13:08.840000
whole variety of attacks.

0:13:08.840000 --> 0:13:13.480000
The concept of untrusted ports: ports are untrusted by default.

0:13:13.480000 --> 0:13:17.340000
So the moment you enable DHCP snooping for a VLAN, every single port in

0:13:17.340000 --> 0:13:19.380000
that VLAN becomes untrusted.

0:13:19.380000 --> 0:13:25.160000
Secondly, we have to manually configure trusted interfaces, and then as

0:13:25.160000 --> 0:13:29.820000
legitimate DHCP transactions happen between untrusted and trusted ports,

0:13:29.820000 --> 0:13:33.860000
it builds this binding database, which keeps track of where everybody

0:13:33.860000 --> 0:13:43.580000
is. So as we can see here, client messages are only allowed from untrusted

0:13:43.580000 --> 0:13:47.180000
ports to trusted ports.

0:13:47.180000 --> 0:13:51.100000
And here are the various DHCP client messages that would be allowed there.

0:13:51.100000 --> 0:13:56.700000
Server messages are only allowed to be received from trusted interfaces,

0:13:56.700000 --> 0:14:01.200000
like your offer and your ACK and your DHCP NAK.

0:14:01.200000 --> 0:14:08.140000
Now, there's a few other things about this that we need to talk about.

0:14:08.140000 --> 0:14:14.020000
Let me go back to the picture here for just a moment.

0:14:14.020000 --> 0:14:22.080000
So we know that if I enable DHCP snooping on this switch, that we would

0:14:22.080000 --> 0:14:28.460000
leave this interface here, oops, not D, as an untrusted port.

0:14:28.460000 --> 0:14:38.040000
We would leave this interface port number two as untrusted.

0:14:38.040000 --> 0:14:43.740000
And then manually, we would have to go on to interface number three and

0:14:43.740000 --> 0:14:49.520000
configure that as a trusted interface.

0:14:49.520000 --> 0:14:58.480000
Okay. So when a DHCP message passes through the switch, there's some behavior

0:14:58.480000 --> 0:15:00.880000
here that the switch does with that message.

0:15:00.880000 --> 0:15:04.100000
It's very important to know, especially if you're working this up in a

0:15:04.100000 --> 0:15:05.600000
lab environment.

0:15:05.600000 --> 0:15:10.760000
So what I want to show you is I want to go back to a picture of the DHCP

0:15:10.760000 --> 0:15:14.420000
packet format for a moment.

0:15:14.420000 --> 0:15:18.580000
Let's take a look at that.

0:15:18.580000 --> 0:15:21.520000
So here is our DHCP packet.

0:15:21.520000 --> 0:15:24.700000
And what I want to call your attention to is this field in the bottom

0:15:24.700000 --> 0:15:27.420000
here called options.

0:15:27.420000 --> 0:15:32.800000
Now, pretty much everything you get, not everything, but almost everything

0:15:32.800000 --> 0:15:36.680000
you get. So when the DHCP server responds back to you, most of the information

0:15:36.680000 --> 0:15:40.340000
he gives you is in the form of a DHCP option.

0:15:40.340000 --> 0:15:44.940000
Pretty much the only thing you get that's not a DHCP option is your actual

0:15:44.940000 --> 0:15:49.300000
IP address. So right here, it says your IP address, there's an actual

0:15:49.300000 --> 0:15:55.040000
field for that. But what about your subnet mask?

0:15:55.040000 --> 0:15:57.000000
Do you see a field in here for that?

0:15:57.000000 --> 0:15:59.600000
Nope. That's a DHCP option.

0:15:59.600000 --> 0:16:02.780000
I don't know what the option number is, but there's an option number something

0:16:02.780000 --> 0:16:06.060000
which corresponds to subnet mask.

0:16:06.060000 --> 0:16:07.740000
So that's got to be in there.

0:16:07.740000 --> 0:16:10.740000
What about the IP address of your default gateway that you're supposed

0:16:10.740000 --> 0:16:13.320000
to use? That's not this.

0:16:13.320000 --> 0:16:14.540000
That's not that.

0:16:14.540000 --> 0:16:16.460000
There's another option that carries that.

0:16:16.460000 --> 0:16:19.580000
What about the IP address of the DNS server you need to go to to resolve

0:16:19.580000 --> 0:16:21.680000
your websites to IP addresses?

0:16:21.680000 --> 0:16:22.940000
That's another option.

0:16:22.940000 --> 0:16:26.960000
So there's a lot of options that DHCP uses by default.

0:16:26.960000 --> 0:16:31.220000
And then there's a lot of options which are optional options which you

0:16:31.220000 --> 0:16:33.040000
may or may not use.

0:16:33.040000 --> 0:16:35.140000
What does that have to do with DHCP snooping?

0:16:35.140000 --> 0:16:39.860000
Well, in DHCP snooping, when your DHCP packet goes through the switch

0:16:39.860000 --> 0:16:45.080000
that's configured for the security feature, the switch by default will

0:16:45.080000 --> 0:16:48.860000
actually put an option in there that in my opinion, it probably shouldn't

0:16:48.860000 --> 0:16:54.600000
be. It's called option 82.

0:16:54.600000 --> 0:17:01.860000
Option 82. An option 82 consists of two pieces of information.

0:17:01.860000 --> 0:17:13.220000
Something called a remote ID and a circuit ID.

0:17:13.220000 --> 0:17:20.180000
Sort of the general idea behind option 82 is that the network access device,

0:17:20.180000 --> 0:17:25.380000
like the switch, that this DHCP client message is passing through, is

0:17:25.380000 --> 0:17:26.340000
a little bit more than the other thing.

0:17:26.340000 --> 0:17:32.100000
Will append some information about itself to the DHCP message.

0:17:32.100000 --> 0:17:36.760000
So the theory is, once the DHCP message gets to the server, the server

0:17:36.760000 --> 0:17:40.080000
not only can learn a little bit of information about the client, like

0:17:40.080000 --> 0:17:44.340000
what the client's MAC address is, the server can also learn a little bit

0:17:44.340000 --> 0:17:49.200000
about the network device, like the switch, that this message passed through.

0:17:49.200000 --> 0:17:53.320000
Now normally the DHCP server could care less about that.

0:17:53.320000 --> 0:17:58.540000
But you could configure the DHCP server to recognize option 82 and make

0:17:58.540000 --> 0:18:02.120000
use of that. For example, you could say, hey, DHCP server, I've got this

0:18:02.120000 --> 0:18:05.700000
pool here that contains 100 IP addresses.

0:18:05.700000 --> 0:18:12.380000
Well, when you see option 82 coming from switch A over here, we're only

0:18:12.380000 --> 0:18:15.800000
going to limit any DHCP messages that come through switch A, we're going

0:18:15.800000 --> 0:18:18.660000
to limit maybe 20 addresses from that pool.

0:18:18.660000 --> 0:18:21.820000
To be allocated from that switch.

0:18:21.820000 --> 0:18:26.500000
So whether there's five clients attached to that switch or 30 clients

0:18:26.500000 --> 0:18:30.360000
attached to that switch, we will know all the messages that come through

0:18:30.360000 --> 0:18:34.660000
that switch will say, hey, a maximum of 20 addresses from this pool can

0:18:34.660000 --> 0:18:38.420000
be allocated to clients hanging off of that particular switch.

0:18:38.420000 --> 0:18:42.180000
That's one theoretical use of option 82.

0:18:42.180000 --> 0:18:44.460000
Well, here's the problem.

0:18:44.460000 --> 0:18:50.720000
A lot of DHCP servers don't recognize option 82 and they're not configured

0:18:50.720000 --> 0:18:54.040000
to recognize option 82, and in a lot of DHCP server implementations,

0:18:54.040000 --> 0:18:59.780000
if a DHCP client packet comes in that contains an option that the server

0:18:59.780000 --> 0:19:03.660000
doesn't recognize, the server will just drop the packet.

0:19:03.660000 --> 0:19:06.460000
It'll never even bother replying back to the packet.

0:19:06.460000 --> 0:19:09.300000
What if you're doing this in a lab?

0:19:09.300000 --> 0:19:14.560000
If you're configuring a Cisco router or switch as a DHCP server, let's

0:19:14.560000 --> 0:19:17.360000
say you don't actually have a real DHCP server to work with.

0:19:17.360000 --> 0:19:20.720000
So you jump onto a Cisco router or switch and you configure that as a sort

0:19:20.720000 --> 0:19:23.440000
of primary basic DHCP server.

0:19:23.440000 --> 0:19:27.400000
Well, Cisco routers and switches, they don't like seeing option 82.

0:19:27.400000 --> 0:19:33.660000
So if this DHCP packet passed through a switch that was running DHCP snooping,

0:19:33.660000 --> 0:19:37.400000
that automatically put option 82 in there, guess what?

0:19:37.400000 --> 0:19:40.420000
You'd be sitting back, scratching your head saying, what's going on?

0:19:40.420000 --> 0:19:43.860000
Why is my DHCP client not getting anything?

0:19:43.860000 --> 0:19:46.120000
He's just sitting there, not getting an IP address.

0:19:46.120000 --> 0:19:49.440000
And then when you move over to the router or switch configured as a DHCP

0:19:49.440000 --> 0:19:52.760000
server, you would see that he's not allocating an address.

0:19:52.760000 --> 0:19:53.460000
What's going on?

0:19:53.460000 --> 0:19:57.300000
Well, the reason why is because as the message is getting to that router

0:19:57.300000 --> 0:20:02.480000
or switch which is configured as a DHCP server, it's seeing option 82

0:20:02.480000 --> 0:20:05.740000
in there and it's saying, I don't know what that is, and it's just discarding

0:20:05.740000 --> 0:20:11.840000
the packet. Like I said, Cisco switches add this option by default when

0:20:11.840000 --> 0:20:14.800000
you enable DHCP snooping.

0:20:14.800000 --> 0:20:18.380000
In the next video where I actually show you the commands to get this working,

0:20:18.380000 --> 0:20:21.460000
I'll show you how to turn off that behavior.

0:20:21.460000 --> 0:20:24.380000
But in this video, I just want to introduce you to this concept of option

0:20:24.380000 --> 0:20:30.520000
82, talk about why it's a bad thing, talk about this being on by default with

0:20:30.520000 --> 0:20:34.360000
DHCP snooping and just to reinforce the concept that this is something

0:20:34.360000 --> 0:20:35.760000
you're going to want to disable.

0:20:35.760000 --> 0:20:42.180000
When you enable DHCP snooping, you want to turn off option 82.

0:20:42.180000 --> 0:20:48.280000
So now that we've learned about option 82, that pretty much concludes

0:20:48.280000 --> 0:20:54.540000
this video on DHCP snooping operations.

0:20:54.540000 --> 0:20:55.760000
Thank you for watching.