CHAPTER 7
Campus Network Security
Enable IP Source Guard for both IP and MAC addresses on host access interfaces with the command ip verify source port-security.
ARP Spoofing
In an ARP spoofing attack, the attacker sends out gratuitous (unsolicited) ARP messages giving the IP address of the local default gateway, with its own MAC address as the Layer 2 address. Local devices overwrite their existing correct ARP information with the incorrect one and, thus, forward off-net traffic to the attacker (it becomes a "man-in-the-middle"). If the attacker then forwards that traffic on to the legitimate router, this type of attack might go undetected by the users.

Dynamic ARP Inspection (DAI) can work with DHCP snooping to stop ARP spoofing. DAI defines trusted and untrusted interfaces. It intercepts ARP messages on untrusted ports and checks them against the IP address/MAC address bindings in the DHCP snooping database. The IP/MAC pair in the ARP message must match a binding for the switch to forward it. Access ports should be configured as untrusted, and ports that connect to other switches or to a router should be trusted.

Enable DAI on a VLAN, or on multiple VLANs, and configure trusted interfaces. You can optionally configure a rate limit or configure which addresses DAI matches against. (The default is IP and MAC address.) The basic commands are
Switch(config)# ip arp inspection vlan vlan_id
Switch(config-if)# ip arp inspection trust
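The following is an added example, not part of the Quick Reference, that ties together the DAI description and the two basic commands above into one complete access-switch configuration. The topology is assumed: hosts on GigabitEthernet1/0/1 through 1/0/24 in VLAN 10, one uplink to the distribution layer on GigabitEthernet1/0/48, and one host (10.10.10.50 with MAC 0000.0c12.3456, constructed values) that uses a static address and therefore has no DHCP snooping binding. The key caveat it shows is ordering: DAI and IP Source Guard both consult the DHCP snooping binding table, so DHCP snooping must be enabled first and the uplink must be trusted for both features, or legitimate DHCP offers and gateway ARP replies will be dropped.

```ios
! Added example (not from the Quick Reference): DHCP snooping + DAI + IP Source Guard
! Assumed topology: hosts on Gi1/0/1-24 in VLAN 10, uplink on Gi1/0/48.
!
! 1. DHCP snooping first; DAI and IP Source Guard check against its binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Optional: drop Option 82 insertion if the upstream DHCP server rejects it.
no ip dhcp snooping information option
!
! 2. Enable DAI for the VLAN. The default check is the IP/MAC pair only;
!    'validate' adds checks on the Ethernet header and the IP field sanity.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Uplink: trusted for both features so DHCP offers and the gateway's ARP pass.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Host ports: untrusted (the default), ARP rate-limited, with IP Source Guard
!    verifying both the source IP and source MAC against the snooping binding.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip arp inspection limit rate 15
 ip verify source port-security
 spanning-tree portfast
!
! 5. A statically addressed host has no snooping binding, so DAI would drop its ARP.
!    Whitelist it with an ARP ACL applied to the VLAN (values are constructed).
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0000.0c12.3456
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 6. Recover a port that DAI err-disabled for exceeding the rate limit.
errdisable recovery cause arp-inspection
!
! Verification (privileged EXEC):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
```

After applying this, `show ip arp inspection statistics vlan 10` is the place to look when troubleshooting: a rising "DHCP Drops" counter on a port usually means a host whose binding is missing (static address, or a lease obtained before snooping was enabled), not an attack, and the ARP ACL in step 5 is the fix for that case.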
Securing Your Switch
Here are some basic security suggestions for network devices:
- Use passwords that are not susceptible to a dictionary attack. Add numbers or substitute numbers and symbols for letters.
- Limit Telnet access using access lists.
[ 89 ]
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue