Attackers have many techniques at their disposal, so we need to prepare for them. In this article we will briefly cover VLAN hopping, rogue DHCP servers (and DHCP snooping as the defence) and STP attacks. There is a lot more to say about each of them, but these subjects are examined in depth in the CCNP Security curriculum.
VLAN HOPPING
* In a VLAN hopping attack, the attacker's host negotiates a trunk with the switch port it is plugged into (using DTP, the Dynamic Trunking Protocol) and can then tag frames for any VLAN carried on that trunk. VLAN separation no longer holds, which is really very dangerous.
Trick : To prevent VLAN hopping, every switch port should be statically configured as “access” or “trunk” and never left in a dynamic DTP mode; on static trunks also disable DTP with “switchport nonegotiate”. (The factory default is a dynamic mode, “dynamic desirable” on older Catalyst models and “dynamic auto” on newer ones, so a port that has never been configured will happily form a trunk with a host that asks for one.)
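The following is an added example, not code from the original post. It encodes the DTP negotiation outcome for every pair of switchport modes, then audits a constructed running-config (example data) to list the ports on which a host advertising “dynamic desirable” would end up on a trunk. The platform default for ports with no “switchport mode” line is passed in as a parameter because it differs between Catalyst models; the attacker advertising “dynamic desirable” is an assumption about the attacker's tool.

```python
import re
from typing import Dict, List

# Constructed sample running-config (example data, not from the original post).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
"""


def trunk_forms(local: str, peer: str) -> bool:
    """DTP outcome on the local port for a given pair of switchport modes.

    Modes: 'access', 'trunk', 'dynamic auto', 'dynamic desirable'.
    """
    if local == "access":
        return False                                   # never trunks, whatever the peer says
    if local == "trunk":
        return True                                    # static trunk, no negotiation needed
    if local == "dynamic desirable":
        return peer != "access"                        # trunks with any peer willing to trunk
    if local == "dynamic auto":
        return peer in ("trunk", "dynamic desirable")  # trunks only if the peer asks
    raise ValueError(f"unknown switchport mode {local!r}")


def port_modes(config: str, platform_default: str = "dynamic auto") -> Dict[str, str]:
    """Effective switchport mode per interface.

    Ports with no 'switchport mode' line get the platform default, which is
    where the danger is: an unconfigured port is still a negotiable one.
    """
    modes: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            modes[current] = platform_default
        elif current and line.strip().startswith("switchport mode "):
            modes[current] = line.strip()[len("switchport mode "):]
    return modes


def negotiable_ports(config: str, platform_default: str = "dynamic auto") -> List[str]:
    """Ports not pinned to access/trunk that would trunk with a host sending DTP 'desirable'."""
    attacker_mode = "dynamic desirable"   # assumption: the attacker's tool negotiates as desirable
    return [
        name for name, mode in port_modes(config, platform_default).items()
        if mode.startswith("dynamic") and trunk_forms(mode, attacker_mode)
    ]


if __name__ == "__main__":
    for default in ("dynamic auto", "dynamic desirable"):
        print(f"platform default {default!r}: fix these ports ->",
              negotiable_ports(SAMPLE_CONFIG, default))
```

Note that FastEthernet0/2, which only has an access VLAN assigned, is reported under both platform defaults: assigning a VLAN does not pin the mode, only “switchport mode access” does.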
DHCP SNOOPING
* In a rogue DHCP server (DHCP spoofing) attack, the attacker answers clients' DHCP requests instead of your own DHCP server, using a DHCP server program or even something like a home modem/router. Clients that accept the attacker's lease get whatever default gateway and DNS server the attacker chose, so either they lose connectivity or, worse, all of their traffic passes through the attacker, who can read or alter it.
Trick : The defence against rogue DHCP servers is DHCP snooping, which drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports. Enable it globally, enable it on the VLANs you want protected, and mark only the port leading to your real DHCP server (or the uplink toward it) as trusted:
SWITCH_A(config)#ip dhcp snooping
SWITCH_A(config)#ip dhcp snooping vlan <vlan-list>
SWITCH_A(config)#interface FastEthernet0/23
SWITCH_A(config-if)#ip dhcp snooping trust
*** Snooping must be activated globally first, and it does nothing until it is also enabled for at least one VLAN (replace <vlan-list> with your client VLANs). In this example Fa0/23 is the port of OUR DHCP server, not the HACKER's; every other port stays untrusted by default, so offers from a rogue server on any of them are discarded.
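The exchange described above, as an added example that is not part of the original post: a small model of a switch running DHCP snooping, fed a constructed sequence of DHCP messages (example data, not captured traffic) with the real server on a trusted port and a rogue server on an untrusted one. The model applies three checks that snooping performs on untrusted ports: server messages are dropped, the client's source MAC must match the chaddr field, and a RELEASE is only honoured from the port that holds the lease. ACKs coming through the trusted port populate the binding table. Timers, rate limiting and option 82 are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Messages only a DHCP server sends; snooping accepts these on trusted ports only.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str          # DISCOVER / OFFER / REQUEST / ACK / RELEASE ...
    port: str          # switch port the frame arrived on
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address carried inside the DHCP payload
    yiaddr: str = ""   # address handed out (server messages only)
    vlan: int = 10


@dataclass
class SnoopingSwitch:
    trusted: Set[str]
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)        # chaddr -> (port, vlan)
    bindings: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)  # chaddr -> (ip, port, vlan)
    dropped: List[Tuple[str, str]] = field(default_factory=list)             # (port, reason)

    def ingress(self, m: DhcpMsg) -> bool:
        """Apply DHCP snooping to one message; True = forwarded, False = dropped."""
        if m.port in self.trusted:
            # Trusted side: server replies pass, and ACKs build the binding table
            # using the port the client's DISCOVER/REQUEST came in on.
            if m.kind == "ACK" and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = (m.yiaddr, port, vlan)
            return True

        # Untrusted side (end-host ports): three checks.
        if m.kind in SERVER_MSGS:
            self.dropped.append((m.port, f"{m.kind} from untrusted port (rogue server)"))
            return False
        if m.src_mac != m.chaddr:
            self.dropped.append((m.port, f"{m.kind} chaddr {m.chaddr} does not match source MAC {m.src_mac}"))
            return False
        if m.kind == "RELEASE":
            bound = self.bindings.get(m.chaddr)
            if bound is None or bound[1] != m.port:
                self.dropped.append((m.port, f"RELEASE for {m.chaddr} from a port that does not hold the lease"))
                return False
            del self.bindings[m.chaddr]
            return True
        # DISCOVER / REQUEST: remember which port the client sits on for the later ACK.
        self.pending[m.chaddr] = (m.port, m.vlan)
        return True


def run_exchange() -> Tuple[SnoopingSwitch, List[bool]]:
    """Constructed exchange: real server on Fa0/23 (trusted), rogue server on Fa0/7 (untrusted)."""
    sw = SnoopingSwitch(trusted={"FastEthernet0/23"})
    client = "00aa.0000.0001"
    rogue = "00bb.0000.0bad"
    server = "00cc.0000.0023"
    msgs = [
        DhcpMsg("DISCOVER", "FastEthernet0/5", client, client),
        DhcpMsg("OFFER", "FastEthernet0/7", rogue, client, yiaddr="10.0.10.99"),    # rogue: dropped
        DhcpMsg("OFFER", "FastEthernet0/23", server, client, yiaddr="10.0.10.50"),  # real server
        DhcpMsg("REQUEST", "FastEthernet0/5", client, client),
        DhcpMsg("ACK", "FastEthernet0/23", server, client, yiaddr="10.0.10.50"),
        DhcpMsg("DISCOVER", "FastEthernet0/8", "00dd.0000.0001", "00ee.0000.0002"),  # forged chaddr
        DhcpMsg("RELEASE", "FastEthernet0/9", client, client),                     # wrong port
    ]
    return sw, [sw.ingress(m) for m in msgs]


if __name__ == "__main__":
    sw, results = run_exchange()
    print("forwarded:", results)
    print("bindings:", sw.bindings)
    for port, reason in sw.dropped:
        print(f"dropped on {port}: {reason}")
```

Remove "FastEthernet0/23" from the trusted set and the real server's OFFER and ACK are dropped too, which is the classic symptom of enabling snooping without trusting the server-facing port: nobody gets a lease.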
STP ATTACKS
As you can see in the figure, the topology has a root switch and a backup root switch. The box below them is a new switch that has just been plugged into the network. If that device (or an attacker's host pretending to be a switch) sends BPDUs claiming a better bridge priority than the current root, every switch accepts it as the new root, the tree re-converges around it, and traffic that used to stay on the uplinks now flows through the attacker's device.
To prevent STP attacks, enable BPDU Guard on all PortFast (end-host) ports. An edge port should never receive a BPDU at all; if one arrives, superior or not, BPDU Guard puts the port into err-disabled state, so a rogue switch plugged in there is cut off immediately:
SWITCH_A(config)#interface FastEthernet0/1
SWITCH_A(config-if)#spanning-tree bpduguard enable
Also enable Root Guard on the root switch's designated ports (the ports facing away from the root). Root Guard keeps a port from ever becoming a root port: if a superior BPDU arrives on it, the port goes into root-inconsistent (blocking) state and recovers on its own once the superior BPDUs stop. This ensures that no device connected to Fa0/1 can become the root bridge. (The example reuses Fa0/1 for both commands; in practice BPDU Guard goes on host-facing ports and Root Guard on switch-facing ports where the root must never appear.)
SWITCH_A(config)#interface FastEthernet0/1
SWITCH_A(config-if)#spanning-tree guard root
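To show the difference between the two guards, here is an added example (not code from the original post): a simplified model of a switch receiving a BPDU on three differently protected ports. Bridge IDs are compared the way the root election does it (lowest priority wins, then lowest MAC); the attacker's priority-0 bridge ID and the switch's MAC addresses are constructed values. Timers, port roles and max-age handling are deliberately omitted; the model only decides what each guard does with one incoming BPDU.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: the lower (priority, MAC) pair wins the root election."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    state: str = "forwarding"


class Switch:
    def __init__(self, bridge_id: BridgeId, root_id: BridgeId) -> None:
        self.bridge_id = bridge_id
        self.root_id = root_id    # the root this switch currently believes in

    def receive_bpdu(self, port: Port, claimed_root: BridgeId) -> str:
        """Process one BPDU arriving on a port and return the port's resulting state."""
        if port.bpduguard:
            # Edge ports never expect BPDUs: any BPDU, superior or inferior,
            # err-disables the port (manual or errdisable-recovery brings it back).
            port.state = "err-disabled"
            return port.state
        superior = claimed_root < self.root_id
        if port.rootguard:
            # Root Guard: a superior BPDU blocks the port (root-inconsistent);
            # once superior BPDUs stop arriving the port returns to forwarding.
            port.state = "root-inconsistent" if superior else "forwarding"
            return port.state
        if superior:
            # Unprotected port: the switch accepts the new root and re-converges (the attack).
            self.root_id = claimed_root
        port.state = "forwarding"
        return port.state


def simulate() -> Dict[str, str]:
    """Constructed scenario: an attacker sends priority-0 BPDUs into three guarded/unguarded ports."""
    me = BridgeId(32768, "0000.0c00.0001")            # default priority; this switch is root
    sw = Switch(bridge_id=me, root_id=me)
    attacker = BridgeId(0, "0000.0c00.0bad")          # priority 0 beats any default bridge
    ports = {
        "Fa0/1": Port("Fa0/1", portfast=True, bpduguard=True),   # host-facing edge port
        "Fa0/2": Port("Fa0/2", rootguard=True),                  # switch-facing designated port
        "Fa0/3": Port("Fa0/3"),                                  # unprotected port
    }
    result = {name: sw.receive_bpdu(p, attacker) for name, p in ports.items()}
    result["root_after"] = f"{sw.root_id.priority}/{sw.root_id.mac}"
    return result


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Only the unprotected port lets the attacker take over the root role; the other two ports neutralise the BPDU, but in different ways, which is why BPDU Guard is an err-disable (needs recovery) and Root Guard is self-healing.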