Switch Security Flashcards
The switch maintains a ________________, which records the association between the MAC address of a device and the IP address it has been assigned by an authorized DHCP server. This table helps the switch identify legitimate DHCP responses.
DHCP Snooping Binding Table
What is DHCP Snooping?
DHCP Snooping is a security feature available on Cisco switches. It works by inspecting DHCP messages exchanged between DHCP clients and DHCP servers and comparing them to the DHCP Snooping Binding Table to make sure that the association between the MAC address of the device and the IP address is valid. If it is not, the switch drops the packet.
How would you enable DHCP Snooping on a switch?
ip dhcp snooping
ip dhcp snooping vlan {vlan-id} (You want to make sure you do this for all VLANs)
int {int}
ip dhcp snooping trust (You want to enable this on upstream ports pointing to the valid DHCP server)
When you are enabling ip dhcp snooping trust, what is happening with that command?
You are enabling that interface to be a trusted interface to receive valid DHCP traffic
What happens if DHCP traffic arrives on a port that is not trusted?
The switch will drop that DHCP traffic
What protocol would you use to stop a Man in the Middle attack?
DAI - Dynamic ARP Inspection
True or False: DAI (Dynamic ARP Inspection) can work without DHCP Snooping being turned on
False. DHCP Snooping has to be turned on for DAI to work because DHCP Snooping is the protocol that is actually building the DHCP Snooping Binding Table that DAI will use to inspect traffic.
Briefly explain DAI
DAI is a security feature that works by inspecting ARP packets as they traverse the switch and validating the IP-to-MAC address mapping in each packet against the DHCP Snooping Binding Table.
How does DAI know about the mappings between the IP Address and MAC Address?
The DHCP Snooping Binding Table
How would you configure DAI?
ip arp inspection vlan {vlan-id}
(Global config. This is for all your PCs that are getting their IP address from DHCP; they shouldn't be trusted ports, so they need DAI on them)
int {int}
ip arp inspection trust
(Interface config. Do this for all non-DHCP related hosts on the switch such as servers, routers, etc. They have to be trusted)
At what layer is DAI enabled?
Layer 2 (VLAN Layer) and Layer 3.
Context: While DAI primarily operates at Layer 2, its purpose is to protect the integrity of ARP data used at Layer 3. It verifies that the ARP information provided by devices matches the information in the DHCP binding table. This helps ensure that the IP-to-MAC address mappings used at Layer 3 are accurate and haven’t been tampered with by malicious devices.
How would you configure port security at the interface level?
int {int}
switchport port-security
If you configure Port Security with no additional parameters then how many MAC Addresses are allowed to transmit on that port?
1
True or False: The port security command should only be enabled on the ports that something is plugged into.
False. It should be enabled on every port on the switch because it controls the number of MAC addresses that a port will accept traffic from.
Describe a scenario where Port Security would be a good thing.
Suppose someone unplugged a PC from a wall port, put a Wi-Fi access point in its place, and connected multiple devices to it. At that point the switch would be receiving traffic from multiple MAC addresses; if port security was configured, the port would only accept traffic from 1 MAC address and drop all other packets.