16 November, 2013

DHCP Snooping

Configure DHCP Snooping For VLAN 101: (Global Configuration)
configure terminal 
no ip dhcp snooping information option
ip dhcp snooping 
ip dhcp snooping vlan 101

Configure Trunk Ports:
interface range fastEthernet 0/7-8  (Trunk ports facing the DHCP server; DHCP offers are permitted here)
ip dhcp snooping trust 

Configure Access Port Limits:   (User Port)
interface fastEthernet 0/1
ip dhcp snooping limit rate 5  (Max 5 DHCP packets per second on this untrusted port)

Configure Errdisable: 
errdisable detect cause dhcp-rate-limit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30

Configure Dynamic ARP Inspection DAI: (Global Configuration)
configure terminal 
ip arp inspection vlan 101 
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Configure Trunk Ports: (Trust Ports)
interface range fastEthernet 0/7-8
ip arp inspection trust

Commands to verify the configuration:
show ip dhcp snooping
debug ip dhcp snooping event 
show log
show errdisable

DHCP Snooping is a security feature capable of intercepting DHCP messages crossing a switch and blocking bogus DHCP offers. DHCP Snooping uses the concept of trusted and untrusted ports. Typically, the trusted ports are used to reach DHCP servers or relay agents, while untrusted ports are used to connect to clients.

Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
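The two paragraphs above describe the mechanism but not the data flow between the features: DHCP snooping builds a binding table (VLAN, client MAC, leased IP, client port) from leases confirmed through trusted ports, and DAI then checks every ARP packet from an untrusted port against that table. The following Python model is an added example, not Cisco code and not part of the original notes; the port names, VLAN 101, MAC addresses, IP addresses and the sample exchange are all constructed for the illustration. It also folds in the rate limiter and errdisable behaviour configured above, so the same model shows why a DHCP starvation burst takes the offending port down.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should originate.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingSwitch:
    """Minimal model of one switch with DHCP snooping and DAI enabled (constructed example)."""
    trusted: set                                   # ports allowed to carry server messages
    rate_limit: int = 5                            # max DHCP packets per tick on an untrusted port
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port awaiting an ACK
    counters: dict = field(default_factory=dict)   # port -> DHCP packets seen this tick
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def tick(self):
        """Start a new one-second window for the rate limiter."""
        self.counters.clear()

    def dhcp(self, port, vlan, msg, mac, yiaddr=None):
        """Filter one DHCP message; returns 'forward' or 'drop'."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            # Server side: an ACK confirms a lease, so bind it to the client's port.
            if msg == "ACK" and (vlan, mac) in self.pending:
                self.bindings[(vlan, mac)] = (yiaddr, self.pending.pop((vlan, mac)))
            return "forward"
        # Untrusted (user) port: rate-limit first, then reject server-only messages.
        self.counters[port] = self.counters.get(port, 0) + 1
        if self.counters[port] > self.rate_limit:
            self.errdisabled.add(port)
            self.log.append(f"{port}: dhcp-rate-limit exceeded, port errdisabled")
            return "drop"
        if msg in SERVER_MSGS:
            self.log.append(f"{port}: rogue DHCP {msg} dropped")
            return "drop"
        if msg == "REQUEST":
            self.pending[(vlan, mac)] = port
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: allow ARP only if sender MAC/IP match a binding learned on this port."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get((vlan, sender_mac)) == (sender_ip, port):
            return "forward"
        self.log.append(f"{port}: DAI dropped ARP {sender_mac} claiming {sender_ip}")
        return "drop"


def demo():
    """Walk a constructed scenario through the model and return the verdicts."""
    sw = SnoopingSwitch(trusted={"Fa0/7", "Fa0/8"})
    client = "aa:bb:cc:00:00:01"
    out = {}
    # 1. A legitimate lease: client on Fa0/1, server reached through trunk Fa0/7.
    out["discover"] = sw.dhcp("Fa0/1", 101, "DISCOVER", client)
    out["offer_trusted"] = sw.dhcp("Fa0/7", 101, "OFFER", client, "10.1.101.20")
    out["request"] = sw.dhcp("Fa0/1", 101, "REQUEST", client)
    out["ack_trusted"] = sw.dhcp("Fa0/7", 101, "ACK", client, "10.1.101.20")
    out["binding"] = sw.bindings.get((101, client))
    # 2. A rogue server on a user port: its OFFER never reaches the client.
    out["offer_rogue"] = sw.dhcp("Fa0/2", 101, "OFFER", client, "10.1.101.99")
    # 3. DAI: the real client's ARP passes; a claim for the gateway address from Fa0/2 is dropped.
    out["arp_valid"] = sw.arp("Fa0/1", 101, client, "10.1.101.20")
    out["arp_spoof"] = sw.arp("Fa0/2", 101, client, "10.1.101.1")
    # 4. DHCP starvation from Fa0/3: the sixth packet in one tick trips the limit.
    sw.tick()
    out["starvation"] = [
        sw.dhcp("Fa0/3", 101, "DISCOVER", f"de:ad:be:ef:00:{i:02x}") for i in range(1, 7)
    ]
    out["errdisabled"] = sorted(sw.errdisabled)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model mirrors the two configuration rules on this page: server-originated messages (OFFER/ACK/NAK) are only accepted on ports marked `ip dhcp snooping trust`, and `ip arp inspection trust` exempts the same trunk ports from DAI, so only the binding table decides for user ports. Note that the binding records the client's port, not the trusted port the ACK arrived on, which is why the spoofed ARP from Fa0/2 fails even though the MAC is a known one.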


Attacks:

• STP MiTM (VLAN) Attack: Yersinia, Ettercap
• STP MiTM (ISL) Attack: Yersinia, Ettercap, packETH
• ARP MiTM Attack: Ettercap
• MAC Overflow Attack: Ettercap
• DHCP Consumption Attack: Yersinia
• DHCP Starvation Attack: dhcpstarv