Configuration Example:
! Management SVI used to reach the RADIUS server
interface Vlan1
ip address 192.168.1.10 255.255.255.0
!
! Enable AAA and 802.1X globally, authenticating against RADIUS
aaa new-model
!
dot1x system-auth-control
!
aaa authentication dot1x default group radius
!
! RADIUS server address and shared secret (example values)
radius-server host 192.168.1.100 auth-port 1645 key cisco123
!
! Access ports act as 802.1X authenticators; port-control auto means
! the port forwards client traffic only after successful authentication
interface FastEthernet0/2
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
interface FastEthernet0/3
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
interface FastEthernet0/4
switchport mode access
authentication port-control auto
dot1x pae authenticator
The goal of a DHCP starvation attack is to use an attack tool such as Gobbler to create a Denial of Service (DoS) for connecting clients.
Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler uses a unique source MAC address for each DHCP request sent. However, mitigating DHCP spoofing attacks requires more protection.
Gobbler could be configured to use the actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the DHCP payload. This would render port security ineffective because the source MAC address would be legitimate.
DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.
DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
A DHCP snooping binding table is built that records the source MAC address of a device on an untrusted port and the IP address assigned to that device by the DHCP server.
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the ip dhcp snooping limit rate packets-per-second interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.
Verify with the following privileged EXEC commands:
show ip dhcp snooping
show ip dhcp snooping binding
In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
Dynamic ARP Inspection (DAI) can also error-disable an interface if the configured DAI rate of ARP packets is exceeded.
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network.
To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:
PortFast
BPDU Guard
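The DHCP snooping steps, the DAI guidelines and the PortFast/BPDU Guard mitigations above, combined into one access-switch configuration as an added example (not configuration from the original notes). It assumes VLAN 1 is the access VLAN, FastEthernet0/2-4 are the access ports from the 802.1X example, GigabitEthernet0/1 is the uplink toward the DHCP server, and the rate-limit values are illustrative.

```cisco
! Added example: DHCP snooping, DAI and STP protection on one access switch.
! Assumptions: VLAN 1 is the access VLAN, Fa0/2-4 are access ports,
! Gi0/1 is the uplink toward the DHCP server (hypothetical interface).
!
! Step 1. Enable DHCP snooping globally
ip dhcp snooping
! Step 4. Enable DHCP snooping on the access VLAN (off per VLAN by default)
ip dhcp snooping vlan 1
! Enable DAI on the same VLAN; DAI validates ARP against the snooping binding table
ip arp inspection vlan 1
! Apply BPDU Guard to every PortFast-enabled port by default
spanning-tree portfast bpduguard default
!
! Step 2. Only the uplink that leads to the DHCP server is trusted
interface GigabitEthernet0/1
 description Uplink toward distribution switch and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 3. Access ports stay untrusted; rate-limit DHCP and ARP and enable
! PortFast with BPDU Guard so a host port never influences the STP topology
interface range FastEthernet0/2 - 4
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 6
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
end
!
! Verification (privileged EXEC):
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 1
! show spanning-tree summary
```

Because DAI checks ARP packets against the DHCP snooping binding table, hosts on untrusted ports that use static IP addresses will have their ARP traffic dropped unless they are covered by an ARP ACL. A port shut down by BPDU Guard stays in the error-disabled state until an administrator re-enables it or errdisable recovery is configured.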