Configure DHCP Snooping For VLAN 101: (Global Configuration)
configure terminal
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping vlan 101
Configure Trunk Ports:
interface range fastEthernet 0/7-8 (Trunk Ports Connected To DHCP. DHCP Offers Are Permited)
ip dhcp snooping trust
Configure Access Port Limits: (User Port)
interface fastEthernet 0/1
ip dhcp snooping limit rate 5 (5 DHCP Offers)
Configure Errdisable:
errdisable detect cause dhcp-rate-limit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
Configure Dynamic ARP Inspection DAI: (Global Configuration)
configure terminal
ip arp inspection vlan 101
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
Configure Trunk Ports: (Trust Ports)
interface range fastEthernet 0/7-8
ip arp inspection trust
commands to verify the configuration:
show ip dhcp snooping
debug ip dhcp snooping event
show log
show errdisable
DHCP Snooping is a security feature capable of intercepting DHCP messages crossing a switch and blocking bogus DHCP offers. DHCP Snooping uses the concept of trusted and untrusted ports. Typically, the trusted ports are used to reach DHCP servers or relay agents, while untrusted ports are used to connect to clients
Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
Attacks:
• STP MiTM (Vlan) Attack: Yersinia, Ettercap
• STP MiTM (ISL) Attack: Yersinia, Ettercap, packETH
• ARP MiTM Attack: Ettercap
• MAC Overflow Attack: Ettercap
• DHCP Consumption Atack: Yersinia
• DHCP Starvation Attack: dhcpstarv
