Cisco® CCNA Security Exam Notes : Mitigation Procedures

4. Secure Routing and Switching

4.5 Mitigation procedures

Implementing DHCP Snooping

DHCP Snooping - Prevents rogue DHCP servers from supplying network configuration information to hosts.

Dynamic Host Configuration Protocol (DHCP) snooping enables

  • a networking device (say, a switch) to filter untrusted DHCP packets in a subnet;
  • the device to ward off MiM attacks, such as a rogue DHCP server sending false DHCP server reply packets with the intention of misdirecting other users;
  • the device to stop unauthorized DHCP servers and prevent errors stemming from user misconfiguration of DHCP servers.

DHCP snooping is often used with Dynamic ARP Inspection (DAI) and IP Source Guard.

Given below are the basic configuration steps involved in configuring DHCP snooping. Note that even though DHCP Snooping is enabled globally, you still need to define the VLANs (at least one VLAN is required to be configured) that participate in DHCP Snooping.

Step 1: Enable DHCP Snooping Globally:

sw(config)#ip dhcp snooping

Step 2: Enable DHCP Snooping on one or more VLANs :

sw(config)#ip dhcp snooping vlan 20

Step 3: Configure the switch interface as a trusted interface:

sw(config-if)#ip dhcp snooping trust

Step 4: Configure the DHCP Snooping database agent to store the bindings:

sw(config)#ip dhcp snooping database tftp://

Implementing Dynamic ARP Inspection (DAI): DAI, short for Dynamic ARP Inspection, validates ARP packets in the subnet. DAI intercepts and examines each ARP request and response and discards ARP packets with invalid IP-to-MAC address bindings. This takes care of man-in-the-middle attacks and other spurious ARP behaviour on the network. The interface to which the DHCP server is connected should be a trusted interface.

Minimum configuration steps involved in configuring DAI on a switch are given below:

Step 1: Enable DAI on one or more VLANs.

You can enable DAI on a single VLAN or on a range of VLANs:

  • To enable a single VLAN, enter a single VLAN number.
  • To enable a range of VLANs, enter a dash-separated pair of VLAN numbers.
  • You can also enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers.

Example: vlan 20,21,22,23 or vlan 20-23

sw(config)#ip arp inspection vlan 20

Step 2: Specify the interface connected to another switch, and enter interface configuration mode:

sw(config)#interface fa0/0/14

Configure the connection between switches as trusted (default: untrusted):

sw(config-if)#ip arp inspection trust
sw(config-if)#do show ip arp inspection vlan 20

The command "do show ip arp inspection vlan 20" displays the list of VLANs on which DAI has been enabled and whether those VLANs are active.

Dynamic ARP Inspection (DAI) enables the Brocade device to

  • intercept and examine all ARP request and response packets in a subnet and discard packets with invalid IP-to-MAC address bindings;
  • prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning; and
  • disallow misconfiguration of client IP addresses.
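The following added example (not from the original notes) models how the DHCP snooping steps above and DAI work together on one switch: the snooping binding table is built from DHCP server replies seen on trusted ports, and DAI then checks the sender IP/MAC pair of ARP packets on untrusted ports against that table. Port names, addresses and packets are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DhcpAck:
    port: str          # port the DHCP server reply arrived on
    client_mac: str
    client_ip: str

@dataclass
class Arp:
    port: str          # port the ARP packet arrived on
    sender_mac: str
    sender_ip: str

@dataclass
class Switch:
    trusted_ports: set                                  # ports given "... snooping trust"
    bindings: dict = field(default_factory=dict)        # MAC -> IP snooping binding table
    dropped: list = field(default_factory=list)         # (reason, port, ip) of dropped packets

    def dhcp_snoop(self, ack: DhcpAck) -> bool:
        """DHCP snooping: server replies are accepted only from trusted ports;
        a reply seen on an untrusted port comes from a rogue server and is dropped."""
        if ack.port not in self.trusted_ports:
            self.dropped.append(("rogue-dhcp", ack.port, ack.client_ip))
            return False
        self.bindings[ack.client_mac.lower()] = ack.client_ip   # record the lease
        return True

    def dai_inspect(self, pkt: Arp) -> bool:
        """DAI: on untrusted ports the ARP sender IP/MAC pair must match a binding
        learned by DHCP snooping; ARP arriving on trusted ports is not inspected."""
        if pkt.port in self.trusted_ports:
            return True
        if self.bindings.get(pkt.sender_mac.lower()) == pkt.sender_ip:
            return True
        self.dropped.append(("arp-invalid", pkt.port, pkt.sender_ip))
        return False

def run_scenario():
    """Constructed scenario: one legitimate lease, one rogue DHCP reply, one
    valid ARP and one ARP claiming the gateway address from the wrong MAC."""
    sw = Switch(trusted_ports={"Gi0/1"})                # uplink towards the real DHCP server
    lease_ok = sw.dhcp_snoop(DhcpAck("Gi0/1", "00:11:22:33:44:55", "10.0.20.10"))
    rogue_ok = sw.dhcp_snoop(DhcpAck("Fa0/7", "00:11:22:33:44:66", "10.0.20.99"))
    arp_ok = sw.dai_inspect(Arp("Fa0/5", "00:11:22:33:44:55", "10.0.20.10"))
    arp_bad = sw.dai_inspect(Arp("Fa0/5", "00:11:22:33:44:55", "10.0.20.1"))
    return lease_ok, rogue_ok, arp_ok, arp_bad, [d[0] for d in sw.dropped]
```

The model is deliberately simplified: a real switch also tracks lease times, VLANs and static bindings, but the trusted/untrusted decision and the binding check are the same.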

Layer 2 mechanisms that can be used to protect the data plane include the following:

  • Port security - Protects against MAC address flooding and CAM (content-addressable memory) overflow attacks.
  • Dynamic Host Configuration Protocol (DHCP) snooping - Used to prevent a rogue DHCP server from taking over from a genuine DHCP server.
  • Dynamic ARP inspection (DAI) - Protects against Address Resolution Protocol (ARP) spoofing and ARP poisoning. DAI validates ARP packets in a network: it intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.
  • IP Source Guard - When implemented on a switch, verifies that devices on that switch are not spoofing IP addresses. In other words, IP Source Guard provides source IP address filtering on a Layer 2 port and prevents a rogue host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping bindings and static IP source bindings to match IP addresses to hosts on untrusted Layer 2 access ports.

Two switch features available on Cisco switches for guarding against unintentional BPDUs are:

a. root guard: The root guard feature provides a way to enforce the root bridge placement in the network. The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a superior BPDU. By default, it is disabled on all switch ports.

To enable root guard, use the command:

switch(config-if)#spanning-tree guard root

The root guard feature forces an interface to become a designated port, to prevent surrounding switches from becoming the root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which Root Guard is enabled receives a superior BPDU, root guard moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current Root Bridge status.

b. bpdu guard: BPDU Guard is a feature that will automatically shut down a port when BPDUs are received on that particular port. It is common to configure PortFast and BPDU Guard together on host access ports. If any BPDU (superior or not) is received on a port configured with BPDU guard, the port is immediately put into the errdisable state. The port is effectively shut down and must be re-enabled either manually or by use of a timeout function. By default, it is disabled on all ports. To enable BPDU guard, use the following command in interface configuration mode:

switch(config-if)#spanning-tree bpduguard enable

BPDU Guard puts an interface configured for STP PortFast into the err-disable state upon receipt of a BPDU. The BPDU Guard feature is used to protect the Spanning Tree domain from external influence. BPDU Guard is disabled by default but is recommended for all ports on which the PortFast feature has been enabled. This prevents false information from being injected into the Spanning Tree domain on ports that have Spanning Tree disabled.

A port that has been shut down in this way will remain in the errdisable state even if BPDUs are no longer received. It is recommended to use BPDU guard on all ports that have PortFast enabled. The protection is useful for access layer nodes where end users' computers are expected to be connected.

c. Loop Guard: Provides additional protection against Layer 2 forwarding loops (STP loops). A bridging loop happens when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually occurs because one of the ports of a physically redundant topology (not necessarily the STP blocking port) has stopped receiving STP BPDUs.

d. IP Source Guard: Prevents IP address spoofing by hosts. For example, a rogue host may use different IP addresses as source and flood the switch.

The following commands configure spanning-tree root guard on interface fa0/2 on switch SW1:

SW1#configure terminal
SW1(config)#interface fastethernet 0/2
SW1(config-if)#spanning-tree guard root

Important points on STP BPDU guard and root guard

  • The STP root guard feature prevents a port from becoming a root port or a blocked port. If a port configured for root guard receives a superior BPDU, the port immediately goes to the root-inconsistent (blocked) state. Usually STP root guard is configured on the primary and secondary root switches.
  • BPDU Guard basically means that if a port has PortFast enabled, connecting an unauthorized switch to it (by someone such as an end user) will cause the original switch to receive a BPDU from the second switch, making the port shut down to prevent frames from the second switch from entering the network. This is called the err-disabled state. The administrator needs to bring the port up again manually, or programmatically after a certain quiet period has elapsed.
  • Root guard provides a way to enforce the root bridge placement in the network. Root guard is configured on a per-port basis. Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and does not elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state. You must enable root guard on all ports where the root bridge should not appear. In this way, you can configure a perimeter around the part of the network where the STP root is allowed to be located.
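To make the contrast in the points above concrete, here is an added example (not from the original notes) that models one switch port under BPDU Guard and one under root guard and shows how each reacts to an inferior BPDU, a superior BPDU, and the BPDUs stopping. The priority values and the behaviour that a root-inconsistent port recovers by itself once superior BPDUs stop are the author's constructed assumptions, not anything from the notes.

```python
class GuardedPort:
    """One STP port on a switch that is (and must remain) the root bridge.
    Constructed model; priority values are illustrative (lower = more preferred)."""

    def __init__(self, guard, local_root_priority=4096):
        assert guard in ("bpduguard", "root")
        self.guard = guard                    # "spanning-tree bpduguard enable" or "spanning-tree guard root"
        self.local_root_priority = local_root_priority
        self.state = "forwarding"

    def receive_bpdu(self, advertised_root_priority):
        """React to a BPDU that advertises a root bridge with the given priority."""
        if self.guard == "bpduguard":
            # any BPDU at all, superior or not, err-disables a BPDU Guard (PortFast) port
            self.state = "err-disabled"
        elif advertised_root_priority < self.local_root_priority:
            # root guard acts only on a superior BPDU: the port is blocked instead of
            # the switch accepting a new root, so the current root placement is kept
            self.state = "root-inconsistent"
        return self.state

    def bpdus_stopped(self):
        """Called when superior BPDUs are no longer received on the port."""
        if self.guard == "root" and self.state == "root-inconsistent":
            self.state = "forwarding"         # root guard clears on its own (assumption stated above)
        return self.state                     # err-disabled stays until manual or errdisable recovery
```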

Storm Control - Limits the amount of broadcast or multicast traffic flowing through the switch.

Storm control provides a way for administrators to limit the amount of traffic that passes through a switch by way of broadcasts and multicasts. By implementing storm control, administrators may prevent excess resource used by an attacker, and prevent broadcast flooding.

Port Security: Controls the number of MAC addresses that can be learned on a single switch port. This matters because an attacker may flood the switch with several fictitious MAC addresses on a single port, thus overflowing the switch's MAC table. By using port security, it is possible to limit the number of MAC addresses that can be learned from a single switch port.

The command switchport port-security maximum 5 sets the maximum number of allowable MAC addresses to 5. The default is 1 allowable MAC address. The default violation action is to shut down the port. Alternatively, we can configure the violation response to "protect," which will not shut down the port but will deny any frames from new MAC addresses over the set limit. The "restrict" action does the same as protect but generates a syslog message as well. The purpose of port security is to prevent access to the LAN from unauthorized hosts.

The command "Switch1(config-if)# switchport port-security violation protect" will not allow frames from MAC addresses beyond the set maximum.

The command is used in conjunction with the command

Switch(config-if)# switchport port-security maximum <number 1 - 5>

The default action, if the protect option is not configured, is that the port will be shut down.

Port security can be applied only to access ports, not to trunks. "switchport port-security maximum <number>" sets the maximum number of secure MAC addresses allowed on the switch port; the default is 1.

Security-violation: A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface. To set the action to be taken when a security violation is detected, use the switchport port-security violation command. To revert to the default settings, use the no form of this command.

switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }

Syntax description:

1. Protect: Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.

2. Restrict: Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.

3. Shutdown: Shuts down the port (err-disabled) if there is a security violation.
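The following added example (not from the original notes) models a single port-security port and the three violation modes just described, so the difference between protect, restrict and shutdown can be observed on constructed frames. The MAC addresses and log text are constructed; the model does not reproduce real IOS syslog formats.

```python
class SecurePort:
    """Model of one switch port with port security enabled (constructed example)."""

    def __init__(self, maximum=1, violation="shutdown"):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum            # switchport port-security maximum N (default 1)
        self.violation = violation        # switchport port-security violation ... (default shutdown)
        self.secure_macs = []             # dynamically learned secure addresses
        self.violation_count = 0          # security-violation counter
        self.errdisabled = False
        self.log = []                     # constructed syslog-style messages

    def receive(self, src_mac):
        """Process a frame from src_mac; return True if forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return False                  # port stays down until it is re-enabled
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)    # learn a new secure address
            return True
        # maximum reached and an unknown source address: this is a security violation
        if self.violation == "protect":
            return False                  # dropped silently, counter not incremented
        if self.violation == "restrict":
            self.violation_count += 1     # dropped, counted and logged
            self.log.append(f"PORT_SECURITY: violation by {src_mac}")
            return False
        self.violation_count += 1         # shutdown: the port goes err-disabled
        self.errdisabled = True
        self.log.append("PORT_SECURITY: port moved to err-disabled state")
        return False


def frames_from_many_macs(port, count):
    """Send one frame each from `count` distinct constructed MACs (the CAM-overflow
    pattern that port security limits); return how many frames were forwarded."""
    return sum(port.receive(f"02:00:00:00:00:{i:02x}") for i in range(count))
```

In all three modes only the first `maximum` addresses are ever forwarded; what differs is whether the excess is counted, logged, or takes the whole port down, including frames from the addresses that were already secure.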
