Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
VLAN Hopping
There are two different types of attack which are both classified as VLAN hopping: switch spoofing and
double tagging. In switch spoofing an attacker's host impersonates a switch, typically by speaking the
Dynamic Trunking Protocol (DTP), so that the port it is plugged into negotiates itself into a trunk; the
attacker can then send and receive tagged frames for every VLAN carried on that trunk. Double tagging
is a method used to try and gain access to a restricted VLAN by placing two 802.1Q tags on a frame so
that the target VLAN's tag only becomes visible after the first switch has stripped the outer one.
Configuring VLAN Hopping prevention
Switch Spoofing
Whenever an attacker tries to impersonate a switch they typically gain physical access to a port on one of
your switches and negotiate a trunk on that port. Ports on Cisco switches default to a dynamic DTP mode
(dynamic auto or dynamic desirable, depending on the platform), so a port that receives DTP frames from
the attacker can become a trunk without any change on your side. The best way to get around this type of
attack is to allow only the specific ports slated for trunking to become trunks. This is done by statically
configuring all user or access ports to be only access ports, and configuring trunk ports only when they
are physically ready to be trunked with another switch.
In order to statically put a port into access mode the following command is used:
router(config-if)#switchport mode access
In order to statically configure a port to be a trunk the following command is used:
router(config-if)#switchport mode trunk
It is also good to disable trunk negotiation (DTP) when statically configuring a port, so that the port stops
sending DTP frames altogether. The command is accepted on ports in access or trunk mode, and is worth
applying to both, because a port in static access mode still emits DTP frames by default even though it can
no longer become a trunk:
router(config-if)#switchport nonegotiate
Double Tagging
A double tagging attack requires that the attacker be connected to a port in the native VLAN of the trunk
that will carry the frame onward, and therefore know which native VLAN number is in use (VLAN 1 unless
it has been changed). The attacker sends a frame with two 802.1Q tags: an outer tag set to the native VLAN
and an inner tag set to the target VLAN. Because native VLAN traffic is sent untagged across a trunk, the
first switch strips the outer tag and forwards the frame over the trunk with only the inner tag left; the
next switch reads that inner tag and delivers the frame into the restricted VLAN. If the outer tag does not
match the native VLAN, the first switch does not strip it and the frame is handled as ordinary traffic for
that VLAN, so the attack fails. Note that the attack is one-way: the victim's replies never find their way
back to the attacker, so it is useful for injecting traffic into a VLAN, not for a two-way conversation. The
best way to protect against it is to move the native VLAN on every trunk to an otherwise unused VLAN
that no access port is ever assigned to (the default is VLAN 1) and, where the platform supports it, to tag
native VLAN frames on trunks as well. The following command changes the native VLAN on a trunk
interface; it must match on both ends of the trunk:
router(config-if)#switchport trunk native vlan vlan-id
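The following is an added example, not configuration from the original page, showing how the commands above fit together on one access switch: a user port that can never become a trunk, an uplink that is a static trunk with DTP disabled and an unused native VLAN, and native VLAN tagging on all trunks. The hostnames, interface numbers and VLAN numbers (10 for users, 999 as the reserved native VLAN) are assumptions.

```cisco
! Added example (not from the original page). Interfaces, VLAN numbers and
! neighbor names are assumptions.
!
! An unused VLAN reserved for native-VLAN traffic on trunks. No access port
! is ever assigned to it, so no host can send frames in the native VLAN.
vlan 999
 name NATIVE-UNUSED
!
! User-facing port: permanent access port that sends no DTP frames at all.
interface GigabitEthernet1/0/5
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no shutdown
!
! Uplink to another switch: static trunk, no DTP, non-default native VLAN,
! and only the VLANs that actually need to cross this link.
interface GigabitEthernet1/0/48
 description uplink to Dist1
 ! The encapsulation line is needed on platforms that also support ISL
 ! (e.g. 3560/3750); a 2960 rejects it because it only speaks 802.1Q.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 no shutdown
!
! Tag native-VLAN frames on every trunk too (supported on many Catalyst
! platforms). With this set, an outer tag equal to the native VLAN is
! never stripped, so the inner tag never becomes the frame's only tag.
vlan dot1q tag native
```

The native VLAN must be identical on both ends of the trunk, otherwise CDP reports a native VLAN mismatch and STP may block the port as inconsistent. Verify with `show interfaces trunk` (mode, encapsulation, native VLAN and allowed VLANs per trunk) and `show interfaces GigabitEthernet1/0/5 switchport`, which should report `Administrative Mode: static access` and `Negotiation of Trunking: Off` for the user port.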
Root Guard
One of the ways that an attacker can try to affect a spanning-tree network is to hijack the STP root role by
introducing a switch, or a host sending crafted BPDUs, that advertises a better (lower) bridge ID than the
current root. All traffic then reconverges around the attacker's device. To prevent this, Cisco created the
Root Guard feature, which places a port into the root-inconsistent state (the port stops forwarding, much
like a blocking port) whenever a superior BPDU, one that would make the neighbor on that port the new
root, is received on it. The port recovers on its own as soon as the superior BPDUs stop arriving.
Configuring Root Guard
Root Guard is configured on the ports that must never become the root port, that is, the designated ports
on the root bridge and its neighbors that face downstream (access-layer) switches, never on the ports that
lead toward the intended root. The following command is entered on each such interface:
router(config-if)#spanning-tree guard root
Portfast
One of the methods which can be used to reduce spanning-tree convergence time on edge ports is the
Portfast feature. A Portfast port transitions directly to the forwarding state when it comes up. That way, the
port does not have to progress through the listening and learning states to reach forwarding, which takes
30 seconds (15 seconds in each state), or up to 50 seconds when the 20 second max-age timer has to expire
first.
Configuring Portfast
The Portfast feature is configured on access ports which attach to a single end device such as a PC, printer
or IP phone, and never on a port that may connect to another switch, because a Portfast port skips the
states that would otherwise detect a loop. This is done with the following interface command (some newer
IOS releases name it spanning-tree portfast edge; the global spanning-tree portfast default enables it on
every non-trunk port at once):
router(config-if)#spanning-tree portfast
BPDU Guard
BPDU Guard is a feature that works in conjunction with the Portfast feature. Since ports which are
configured with Portfast are only supposed to be connected to end devices and not to other switches, the
BPDU Guard feature works by shutting a port down (placing it in the error-disabled state) should a BPDU
be received on that port.
Configuring BPDU Guard
Bridge Protocol Data Units (BPDUs) are the messages exchanged between connected switches to build and
monitor the spanning tree. The BPDU Guard feature is configured on a port which is already configured
with Portfast. Because such a port is assumed to have no switch attached, no BPDUs should ever be seen
on it. BPDU Guard watches for BPDUs on the access ports; receiving one indicates that a user has connected
a switch, or some other device sending BPDUs, to an access port, and the port is placed into err-disabled.
The port stays down until an administrator issues shutdown followed by no shutdown on it, or until
errdisable recovery cause bpduguard is configured and the recovery interval expires. The interface
command used to configure BPDU Guard is as follows (the global equivalent for all Portfast ports is
spanning-tree portfast bpduguard default):
router(config-if)#spanning-tree bpduguard enable
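The following is an added example, not configuration from the original page, that puts the three STP protections above onto the devices where each belongs: Root Guard on the distribution switch's downlinks toward the access layer, Portfast and BPDU Guard on the access switch's user ports, and automatic recovery so a port that was err-disabled by BPDU Guard comes back without a helpdesk call. The hostnames Dist1 and Access1, the interface numbers and the VLAN are assumptions.

```cisco
! Added example (not from the original page). Hostnames, interfaces and
! VLAN numbers are assumptions.
!
! --- Dist1: the switch that is meant to be the root bridge ---
spanning-tree mode rapid-pvst
! Make this switch root for every VLAN so Root Guard has a stable reference.
spanning-tree vlan 1-4094 root primary
!
! Downlinks toward access switches must never become the root port: if any
! of them receives a superior BPDU it goes root-inconsistent instead.
interface range GigabitEthernet1/0/1 - 24
 description downlinks to access switches
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! --- Access1: the switch with the user ports ---
spanning-tree mode rapid-pvst
! Treat every non-trunk port as an edge port and expect no BPDUs on it.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! The same two features set explicitly on one user port (the per-interface
! form wins over the global default on that interface).
interface GigabitEthernet1/0/5
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Bring a port that BPDU Guard err-disabled back up after 5 minutes. If the
! offending device is still sending BPDUs the port is disabled again.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Do not put Root Guard on Dist1's own uplinks or on any port that leads toward the intended root; if the real root is behind that port the link is blocked permanently. Check the result with `show spanning-tree inconsistentports` on Dist1 (ports currently held by Root Guard), `show spanning-tree summary` on Access1 (Portfast and BPDU Guard defaults, and the count of Portfast ports), and `show errdisable recovery` for ports waiting to be re-enabled.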
DHCP Snooping
One of the features which can be used on a Cisco switch is DHCP Snooping, which protects against rogue
DHCP servers (DHCP server spoofing). Every port is either trusted or untrusted: DHCP server messages
such as OFFER, ACK and NAK that arrive on an untrusted port are dropped, while ports which connect to a
valid DHCP server, or which lead in the direction of one (uplinks), are configured as trusted. The switch also
records every lease it sees on untrusted ports in a DHCP snooping binding table (MAC address, IP address,
lease time, VLAN and interface), which Dynamic ARP Inspection relies on later.
Configuring DHCP Snooping
The DHCP Snooping feature is configured by first enabling it globally, then enabling it on each VLAN to be
protected with ip dhcp snooping vlan vlan-id (without this step the feature is on but inspects no VLAN), and
then marking the individual trusted ports; all other ports are untrusted by default.
router(config)#ip dhcp snooping
router(config-if)#ip dhcp snooping trust
Dynamic ARP Inspection (DAI)
Another type of Layer 2 attack is aimed at ARP. ARP is used to find the MAC address that belongs to a known
IP address, and hosts accept ARP replies without any authentication, even unsolicited ones. An attacker who
sends forged replies can therefore convince a client that the attacker's MAC address belongs to a trusted
device, typically the default gateway, and the client will then send traffic meant for that device to the
attacker without knowing it. One of the ways to prevent this is Dynamic ARP Inspection (DAI). DAI uses the
DHCP snooping binding table to know which IP address belongs to which MAC address on which port.
Ports are configured as trusted or untrusted; every ARP packet, request or reply, that arrives on an
untrusted port has its sender IP and MAC addresses compared against the binding table. If they match a
binding the packet is forwarded; if not, the packet is dropped and a syslog message is generated. A
mismatch does not disable the port. A port is only err-disabled when it exceeds the ARP rate limit for
untrusted ports (15 packets per second by default), which is what happens to a host that floods forged
replies.
Configuring DAI
Dynamic ARP Inspection (DAI) is configured by enabling it on specific VLANs and then specifying trusted
ports. By default all ports are untrusted. Only ports which are known to be trusted and secured, normally the
uplinks toward the rest of the network, should be configured as trusted. Two caveats: DHCP snooping must
already be running on the same VLANs, otherwise the binding table is empty and every ARP packet from an
untrusted port is dropped; and hosts with static IP addresses have no DHCP binding, so they must be listed
explicitly in an arp access-list applied with ip arp inspection filter, or their ARP traffic is dropped as well.
router(config)#ip arp inspection vlan vlan-id
router(config-if)#ip arp inspection trust
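The following is an added example, not configuration from the original page, covering both the DHCP Snooping and the DAI sections above on one access switch for VLAN 10: the two features are enabled together because DAI depends on the binding table that snooping builds. It also covers the details a first deployment usually trips over: the per-VLAN step, persisting the binding table across reloads, option 82, a static host, rate limits and recovery. The interface numbers, the VLAN, the server's address and MAC, the file name and the ACL name are assumptions.

```cisco
! Added example (not from the original page). Interfaces, VLAN, the static
! host's IP/MAC, the ACL name and the database file name are assumptions.
!
! --- DHCP Snooping ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Keep the binding table on flash. Without this, after a reload every host
! holding a lease is unknown to DAI until it renews and gets dropped meanwhile.
ip dhcp snooping database flash:dhcp-snooping.db
! Snooping inserts option 82 into relayed requests by default; many DHCP
! servers discard requests carrying it from a non-relay. Turn it off unless
! the server and relay are known to accept it.
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection ---
ip arp inspection vlan 10
! Beyond the binding-table lookup, also reject ARP packets whose Ethernet
! header disagrees with the ARP body (src-mac, dst-mac) or whose sender or
! target IP is invalid, such as 0.0.0.0 or a multicast address (ip).
ip arp inspection validate src-mac dst-mac ip
!
! A server with a static address has no DHCP binding: permit it explicitly.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the real DHCP server and the rest of the network: trusted
! for both features so server replies and legitimate ARP pass unchecked.
interface GigabitEthernet1/0/48
 description uplink to Dist1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port: untrusted by default. Rate limits keep one host from flooding
! the switch CPU; exceeding the ARP limit err-disables the port.
interface GigabitEthernet1/0/5
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
! Re-enable a port that DAI err-disabled for exceeding its rate limit.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Roll this out in two steps: enable DHCP snooping first and wait for clients to renew, then check `show ip dhcp snooping binding` shows an entry for each host before turning on `ip arp inspection vlan 10`, otherwise every host on the VLAN loses ARP at once. Afterwards `show ip arp inspection vlan 10` shows the per-VLAN settings and `show ip arp inspection statistics vlan 10` shows forwarded versus dropped counts, which is where a spoofing host shows up as a rising drop counter.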
Port Security
Port security offers the ability to secure a port through a number of different configuration types. This
includes limiting the number of MAC addresses allowed on a specific port, the specific MAC address
allowed on a port, and the behavior when a port detects a violation.
Port Violation Behaviors
A violation occurs when a frame arrives from a source MAC address that is not permitted on the port once
the maximum has been reached, or when an address secured on one port appears on another secure port
in the same VLAN. When a port detects a violation it can behave in one of three ways:
Protect – Frames from unknown source MAC addresses are silently dropped once the maximum
number of secure addresses has been reached, while frames from the permitted addresses continue to
be forwarded. No notification is sent and the violation counter is not incremented, so this mode hides
attempts from you.
Restrict – Exactly the same as Protect except that an SNMP trap and syslog message are sent and the
violation counter is incremented upon each violation.
Shutdown – The port is placed into the error-disabled state on any violation and an SNMP trap and syslog
message are sent. The port stays down until an administrator issues shutdown and then no shutdown on
it, or until errdisable recovery cause psecure-violation is configured and the interval expires. This is the
default behavior.
Secure MAC Address Types
There are three different types of Secure MAC address on a Cisco device:
Static Secure MAC Addresses – This type of MAC address is statically configured.
Sticky Secure MAC Addresses – This type of MAC address is dynamically learned and is entered both in the
MAC address (CAM) table of the switch and in the running configuration, as switchport port-security
mac-address sticky lines carrying the learned address. If the running configuration is saved to the startup
configuration, they effectively become statically configured addresses on reload; if it is not saved, they are
lost on reload like dynamic addresses.
Dynamic Secure MAC Addresses – This type of MAC address is dynamically learned and is
entered into the CAM table of the switch but is not saved to the running configuration. This type
of address is lost on reload.
Configuring Port Security
In order to get started with configuring port security it must first be enabled on the interface. The interface
has to be a statically configured access port (switchport mode access) or trunk; the command is rejected on
a port still in dynamic DTP mode. It is enabled with the following command:
router(config-if)#switchport port-security
In order to configure the maximum number of MAC addresses which are allowed on a port, you use
the following command:
router(config-if)#switchport port-security maximum number
In order to change the default port behavior when a violation is detected, the following command is used,
with one of the three keywords described above:
router(config-if)#switchport port-security violation {protect | restrict | shutdown}
By default, the port behavior is to shut down the port.
When you want to set up a static secure MAC address, the following command is used:
router(config-if)#switchport port-security mac-address mac-address
In order to enable a port to make use of sticky MAC addresses, you use the following command:
router(config-if)#switchport port-security mac-address sticky
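The following is an added example, not configuration from the original page, combining the port security commands above into two complete port profiles: a user port where the addresses are learned and made sticky, and a printer port where the one permitted address is known in advance, plus automatic recovery for ports shut down by a violation. The interface numbers, VLAN and MAC address are assumptions.

```cisco
! Added example (not from the original page). Interfaces, VLAN and the
! printer's MAC address are assumptions.
!
! User port: a PC plugged into the PC port of an IP phone, so two MAC
! addresses are legitimate. Port security needs a static access port first.
interface GigabitEthernet1/0/5
 description user port (PC behind an IP phone)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 ! restrict keeps the two legitimate hosts working, drops the offender's
 ! frames, and still sends the trap and syslog message so the event is seen
 switchport port-security violation restrict
 ! learn the first two addresses and write them into the running config
 switchport port-security mac-address sticky
!
! Printer port: exactly one device whose address is known, so it is pinned
! statically and anything else shuts the port down.
interface GigabitEthernet1/0/6
 description printer
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Bring ports shut down by a violation back after 10 minutes; a device
! that is still violating takes the port down again.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

Once the user port has learned its two addresses, `show running-config interface GigabitEthernet1/0/5` shows them as `switchport port-security mac-address sticky <mac>` lines; save the configuration with `copy running-config startup-config` or they are lost on reload. `show port-security interface GigabitEthernet1/0/5` reports the violation mode, the maximum, the current address count, the last source address seen and the violation counter, and `show port-security address` lists every secure address with its type (SecureConfigured, SecureSticky or SecureDynamic).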