DHCP Snooping , VLAN Hopping And STP Attacks

dhcp snooping

There are many ways that hackers use. So we need to prepare for them. In this article we are gonna shortly talk about DHCP Snooping , VLAN Hopping And STP Attacks. I would love to talk more about these guys but i think these subjects are being deeply examined for CCNP Security certification.


At VLAN hopping method, hacker communicates with trunk port and goes between all VLANs which is really very dangerous.

Trick : To prevent VLAN hopping, switch ports should be configured as “access” or “trunk”. ( Default mode is “dynamic desirable”


dhcp snooping

At DHCP snooping method, hacker wants to distribute IP’s instead of you DHCP server. He can use a DHCP server or sth like a modem to do this. Surely if your clients get the IP of hacker’s DHCP they can’t access anything and hacker can get the whole information of your clients.

Trick : To prevent DHCP snooping, we should use ip dhcp snooping commands below :

SWITCH_A(conf)#int Fa0/23
SWITCH_A(conf-if)#ip dhcp snooping
SWITCH_A(conf-if)#ip dhcp snooping trust


*** Snooping is activated globally first. In this example f0/23 is the port of the DHCP server of US, not HACKER’s.


As you can see in the figure, we have a root and backup root switch in the topology. The box below refers to a new switch just plugged in to network.

To prevent STP attacks, we should enable BPDU – Guard for the portfast ports.

SWITCH_A(conf)#int Fa0/1
SWITCH_A(conf-if)#spanning-tree bpduguard enable

To prevent STP attacks, we should enable rootguard on root switches. That provides any devices connected to f0/1 can’t be root !

SWITCH_A(conf)#int Fa0/1
SWITCH_A(conf-if)#spanning-tree guard root


Leave a Reply

Your email address will not be published. Required fields are marked *