
CHAPTER 7
Campus Network Security
Spoof Attacks
Spoof attacks include DHCP spoofing, MAC address spoofing, and ARP spoofing.
DHCP Spoofing
A DHCP spoofing attacker listens for DHCP requests and answers them, giving its own IP address as the client's default
gateway. The attacker then becomes a "man-in-the-middle" because all of the client's off-net traffic flows through it.
DHCP snooping can prevent DHCP spoofing attacks. When DHCP snooping is enabled, only ports that uplink to an
authorized DHCP server are trusted and allowed to send all types of DHCP messages. All other ports on the switch are
untrusted and can send only DHCP requests. If a DHCP response (or “offer”) is seen on an untrusted port, the port is shut
down. The switch can also be configured to send information, such as port ID, using DHCP option 82.
Configure DHCP snooping with the following commands, either globally or for a particular VLAN. Configure only individual ports that uplink to DHCP servers as trusted ports.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping information option
Switch(config)# ip dhcp snooping vlan number [number]
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate pkts-per-second
Switch# show ip dhcp snooping
IP Source Guard
To extend the protection further, IP Source Guard tracks the IP addresses of the hosts connected to each port and prevents
traffic sourced from any other IP address from entering that port. The tracking can be done based on just the IP address or
on both the IP and MAC addresses.
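The command list above shows DHCP snooping but not how IP Source Guard is enabled or how the two fit together. The following configuration is an added example, not taken from the quick reference, that walks the whole procedure on a Catalyst access switch: snooping enabled for one VLAN, only the uplink trusted, rate limiting and IP Source Guard on the access ports, and the show commands used to verify the result. VLAN 10, the interface numbers, the rate of 10 packets per second, and the static host's MAC and IP address are assumed values chosen for illustration.

```cisco
! Added example (not from the original page): DHCP snooping plus IP Source Guard
! Step 1: enable snooping globally and for the user VLAN; insert option 82 (port ID)
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
!
! Step 2: trust only the port that uplinks toward the authorized DHCP server
interface GigabitEthernet1/0/24
 description Uplink toward distribution / DHCP server
 ip dhcp snooping trust
!
! Step 3: access ports stay untrusted. DHCP offers arriving here are dropped,
! client requests are rate limited, and IP Source Guard drops any packet whose
! source IP address is not in the DHCP snooping binding table for that port.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip verify source
!
! To check the source MAC address as well as the IP address, use the
! port-security form on the access ports instead of plain "ip verify source":
!  switchport port-security
!  ip verify source port-security
!
! Step 4 (optional): a host with a static address never appears in the
! snooping table, so add its binding by hand or IP Source Guard blocks it
! (MAC, VLAN, IP and interface below are constructed sample values)
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! Step 5: verify
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source
```

Two points to check after applying this: `show ip dhcp snooping binding` should list one entry per DHCP client on the untrusted ports, and `show ip verify source` should show each access port in the "active" state with the bound address. If the DHCP server sits behind another switch, that switch by default discards option 82 packets that arrive on an untrusted port with a zero giaddr, so the upstream switch either needs `ip dhcp snooping information option allow-untrusted` on the port facing this switch or option 82 insertion should be left off at the access layer.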
[ 88 ]
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue
Note: DHCP snooping configuration is user impacting because the switch drops all DHCP requests until the ports are configured. You should do this during off hours or during a maintenance window.