Cisco CCNA 200-301 – Switch Security

  1. Introduction

You’ll learn about the access layer switch security mechanisms: DHCP snooping, DAI (Dynamic ARP Inspection), 802.1X identity-based networking, and port security. For the CCNA exam, Cisco expects you to have detailed knowledge of port security: what it does, how it works and how to configure it. For the other three mechanisms, you just need an understanding of what they are, why we have them and how they work; you don’t need to know how to configure and troubleshoot them in detail. So in this section we will cover port security in detail, but in the next few lectures I’ll give you a fairly detailed overview of the first three mechanisms, which is going to be more than enough for what you need for the exam.

  2. DHCP Snooping

In this lecture you’ll learn about the first of the access layer switch security mechanisms, DHCP snooping. You’ll remember from the DHCP section we covered earlier that if our clients are not on the same subnet as the DHCP server, we need to configure the IP helper address on our Cisco router. That’s what we’ve done in the diagram: PC1 and PC2 are in the 10.10.10.0/24 subnet and their DHCP server is on the other side of the router, at 10.10.20.10. I’ve configured a scope on the DHCP server for the 10.10.10.0/24 subnet, giving out IP addresses from 10.10.10.10 up to 10.10.10.254 with a /24 subnet mask, a default gateway of 10.10.10.1, and a DNS server, which also runs on the DHCP server. When the PCs send out a DHCP request, it goes out as broadcast traffic, so it will not be forwarded by the router by default. So on the router I need to configure the ip helper-address command on the interface those requests come in on, and that forwards the requests to the DHCP server.

So we covered all that configuration before, but we can have a problem in our network, which is a rogue DHCP server. You can see in our example that a DHCP server has been connected on the same side of the router as the PCs. It actually doesn’t matter where it’s connected; it would still give us the same problem. This server has been configured to hand out DHCP addresses, and it’s also giving out addresses in the 10.10.10.0/24 range.

But the default gateway is configured as 10.10.10.254 and the DNS server is 10.10.10.254 as well. So when the PCs send out a DHCP request, they are liable to get the offer from this rogue DHCP server, which has an invalid default gateway and DNS server address, so the PCs won’t actually have any connectivity to the network. In this example it’s going to be quite hard to detect, because the PCs are getting an IP address in the correct subnet, so it’s not immediately obvious what the problem is. So if you do get a rogue DHCP server, what it can do is drop your PCs off the network.

Now, more often than not this is not actually a malicious attacker doing this deliberately. More likely it’s an end user who brings something from home, like a home router with a DHCP service running on it, and plugs it into the network. Or it could be one of your IT staff running a lab that has a DHCP server in it, and they accidentally connect it to the real network. So it will more likely be an accident, but the impact is the same: it’s going to be devastating for those clients, dropping them off the network. There is mitigation we can take that will prevent rogue DHCP servers from being active on your network, and the solution is DHCP snooping. With DHCP snooping, you enable it on your access layer switches and configure the ports that your DHCP server is connected to as trusted ports. In the example, if we configure this on switch 2, it is interface FastEthernet 0/2, directly connected to the DHCP server, that is configured as a trusted port. From switch 1’s point of view, down at the bottom, the DHCP offers are going to come in on interface FastEthernet 0/1.

So that also needs to be configured as a trusted port. Trusted ports are the port directly connected to the DHCP server and also your inter-switch links leading down towards the PCs. When any DHCP server traffic comes in on a trusted port, the switch will allow that traffic through, but if DHCP server traffic comes in on a port that is not trusted, the switch will drop it. So here we’re trusting the path all the way through to our valid DHCP server.

If somebody plugs a rogue DHCP server into any other port, the DHCP offers it gives out are dropped by the switch. They never reach the client, so the client won’t get that invalid information. For the configuration, which we’ve done on switch 1: globally you say ip dhcp snooping, and you also need to enable it for your access VLAN, so we also say ip dhcp snooping vlan 10, for example. Then configure your trusted ports, so on switch 1 that’s interface FastEthernet 0/1, ip dhcp snooping trust. Okay, so that is why we have DHCP snooping, what it does, and a quick look at the configuration.

  3. DAI Dynamic ARP Inspection

The next security mechanism we can implement on our access layer switches is DAI, Dynamic ARP Inspection. Before you see what that does, let’s have a quick review of what ARP itself does. ARP is the Address Resolution Protocol; we covered this in detail already, so you should know it. In the example we’ve got PC1 over on the left with IP address 10.10.10.10 and, in the diagram’s simplified notation, MAC address 1.1. It wants to communicate with its default gateway at 10.10.10.1, so it needs to send out an ARP request to find out its default gateway’s MAC address. It sends out an ARP request saying: I’m 10.10.10.10, I’m looking for 10.10.10.1, what’s your MAC address? That comes into the switch, and because it’s broadcast traffic it is flooded out all ports. It reaches the router on the right and also the PC at the bottom. The PC at the bottom does not have IP address 10.10.10.1,

so it will just silently discard the packet, but the router does, so it sends back an ARP reply saying: I’m 10.10.10.1 and my MAC address is 2.2. PC1 will then update its ARP cache to say that 10.10.10.1 is available at 2.2, and R1 will also learn that PC1 at 10.10.10.10 is available at MAC address 1.1. Then when we have traffic between the PC and its router, it comes from 10.10.10.10 going to 10.10.10.1, with source MAC 1.1 (the PC) and destination MAC 2.2 (the router). When the router sends traffic back we just flip that round: source IP 10.10.10.1, destination IP 10.10.10.10, source MAC 2.2 and destination MAC 1.1. So that’s just the standard way that ARP works.

But we can have a problem here if that PC at the bottom happens to be an attacker. Now, this is different from the rogue DHCP server problem. A rogue DHCP server is more often than not accidental, not malicious. Man-in-the-middle ARP spoofing, though, is almost always a deliberate attack by a malicious actor. Our attacker on the network has to be in the same IP subnet, so in our example the attacker’s IP address is 10.10.10.100 and its MAC address is 3.3, and the attacker sends out a gratuitous ARP.

A gratuitous ARP is an ARP update which is not in response to an actual request. So the attacker just says: hey, I am 10.10.10.1 and my MAC address is 3.3. It’s spoofing the router’s IP address of 10.10.10.1, and the PC will update its ARP cache: oh, I got an update for my ARP entry; 10.10.10.1 is now at 3.3. The attacker also sends out a gratuitous ARP saying I’m 10.10.10.10 (the PC) and my MAC address is again 3.3, and the router will update its ARP cache with a new entry for the PC. So now, when the PC sends traffic from IP address 10.10.10.10 to 10.10.10.1, it looks in its ARP cache and sees to send that to 3.3. So it goes to the attacker, not to the router. The attacker can then forward the traffic on to the router. When the return traffic comes back, it’s going to be coming from 10.10.10.1, the router, to 10.10.10.10, the PC.

Again, because the router’s ARP cache was also poisoned, it sends the traffic to 3.3, the attacker, and the attacker can then send it on to the PC. Now, one of the benefits of a switch is that it only sends traffic out on the relevant port. So if the attacker was simply trying to sniff traffic, it would never hit the attacker’s port and the attacker couldn’t see it. But if the attacker does this man-in-the-middle ARP spoofing attack, all the traffic goes through the attacker, so they can sniff the traffic and see what that communication contains. So it’s a huge security issue. And once the attacker has poisoned the ARP cache on both sides like this, the same technique can also be used for a denial of service attack.

Rather than forwarding the PC’s traffic on to the router, the attacker could just drop it. So this can be used for man-in-the-middle sniffing, and it can also be used for denial of service. Usually this will be a malicious attack; the attacker can use a tool such as Cain & Abel, which is very easy to use, to do this kind of attack. So how do we stop that from happening? The answer is DAI, Dynamic ARP Inspection, which builds on DHCP snooping. For DAI you need to have enabled DHCP snooping already; it can’t work on its own. When you have enabled DHCP snooping, the switch inspects the DHCP traffic and keeps track of which IP addresses were assigned to which MAC addresses. The switch sits between the DHCP server and the PCs, so it can look at all that DHCP traffic. When the client sends out a request, it can see what the client’s MAC address is.

And when the server sends the response, it can see what IP address was assigned to that MAC address. So the switch keeps track of the IP address to MAC address mappings: for example, PC1 with MAC address 1.1 was assigned IP address 10.10.10.10 by the DHCP server. Then, if invalid ARP traffic tries to pass through the switch, for example an attacker at 3.3 claiming to be 10.10.10.10, the switch can see that that MAC address does not map to that IP address. It’s invalid, so the switch drops it. So it prevents attackers from spoofing ARP on your network. For our configuration on switch 1, we say interface FastEthernet 0/1, ip arp inspection trust, for hosts which do not get their IP address from DHCP.

Obviously the switch is not going to have a MAC-to-IP mapping for those hosts, because they didn’t get their address from the DHCP server. So for hosts such as your routers, firewalls, maybe servers, and so on, you need to configure the switch to trust them regardless: any non-DHCP clients are configured as trusted ports. All your other PCs, which are getting their IP address from DHCP, are not trusted, and the switch will do dynamic ARP inspection on them. The way you enable that is with the global configuration command ip arp inspection vlan 10, for example, so it’s enabled at the VLAN level. Okay, so that was DAI, Dynamic ARP Inspection.
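As an added illustration (not code from the course or from Cisco), here is a small Python model of the two checks described above: the DHCP snooping filter and binding table from the DHCP snooping lecture, and the DAI check that is layered on top of it in this one. The port names Fa0/2 and Fa0/3 for PC1 and the attacker, and the simplified MACs 1.1, 2.2 and 3.3, are assumptions taken from the diagram’s notation.

```python
# Toy model of DHCP snooping and Dynamic ARP Inspection as the lecture
# describes them. Constructed for illustration; a real switch also records
# VLAN, port and lease time in its binding table.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK"}  # only a DHCP server should ever send these


@dataclass
class Switch:
    dhcp_trusted: set = field(default_factory=set)  # ports towards the real DHCP server
    arp_trusted: set = field(default_factory=set)   # ports of static-IP hosts (routers etc.)
    bindings: dict = field(default_factory=dict)    # snooping table: MAC -> IP from DHCP ACKs

    def handle_dhcp(self, port, msg, mac, ip=None):
        """DHCP snooping decision for one DHCP message seen on `port`."""
        if msg in SERVER_MSGS:
            if port not in self.dhcp_trusted:
                return "drop"            # rogue server: OFFER/ACK on an untrusted port
            if msg == "ACK":
                self.bindings[mac] = ip  # record which MAC was assigned which IP
        return "forward"                 # client DISCOVER/REQUEST, or trusted server traffic

    def handle_arp(self, port, sender_ip, sender_mac):
        """DAI decision: forward only if the sender's IP/MAC claim is believable."""
        if port in self.arp_trusted:
            return "forward"             # e.g. the router, which never used DHCP
        if self.bindings.get(sender_mac) == sender_ip:
            return "forward"             # matches what DHCP snooping saw
        return "drop"                    # MAC does not own that IP: treat as spoofing


def demo():
    """Replays the lecture's scenario on switch 1; returns the decisions in order."""
    # Fa0/1 is the uplink towards the DHCP server and router (trusted for both);
    # Fa0/2 (PC1) and Fa0/3 (attacker) are assumed port names, not from the lecture.
    sw = Switch(dhcp_trusted={"Fa0/1"}, arp_trusted={"Fa0/1"})
    return [
        sw.handle_dhcp("Fa0/1", "ACK", mac="1.1", ip="10.10.10.10"),   # real server's ACK via uplink
        sw.handle_dhcp("Fa0/3", "OFFER", mac="1.1", ip="10.10.10.10"), # rogue server on a PC port
        sw.handle_arp("Fa0/2", "10.10.10.10", "1.1"),  # PC1 announcing its own address
        sw.handle_arp("Fa0/3", "10.10.10.10", "3.3"),  # attacker claims to be PC1
        sw.handle_arp("Fa0/3", "10.10.10.1", "3.3"),   # attacker claims to be the gateway
        sw.handle_arp("Fa0/1", "10.10.10.1", "2.2"),   # router replies on its trusted port
    ]
```

Running demo() yields forward, drop, forward, drop, drop, forward: the rogue OFFER and both of the attacker’s gratuitous ARPs never leave the switch, while PC1’s and the router’s legitimate ARP traffic still passes.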
