L2 Security Features Part III – Dynamic ARP Inspection

Dynamic ARP Inspection

Dynamic ARP Inspection lets the switch discard ARP packets whose IP-to-MAC bindings are invalid, which stops the common ARP-based man-in-the-middle attack. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by sending unsolicited (gratuitous) ARP replies in which the attacker claims to own someone else's IP address, typically the default gateway's.


To curtail poisoning, Dynamic ARP Inspection (DAI) uses our friend, the DHCP snooping table: an ARP packet arriving on an untrusted port is forwarded only if its sender MAC and IP match a binding learned on that port. There are many options, and you must be careful enabling DAI when not every device on the VLAN obtained its address from DHCP: hosts with static addresses have no binding, so their ARP traffic is dropped unless you permit them explicitly with an ARP access list. The most basic configuration is:


    Switch(config)# ip arp inspection vlan 1

Trunk ports (uplinks to other switches) need to be trusted, so that ARP traffic arriving from behind them is not checked against this switch's binding table:

    Switch(config)# interface range fa1/1 - 4 , fa2/24

    Switch(config-if-range)# ip arp inspection trust

You can view the status with:

    Switch# show ip arp inspection ?


Using the features that leverage knowledge gained from DHCP snooping creates a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area. Testing these features in a production environment is, of course, not recommended: many of them have wicked side effects if configured incorrectly or out of order (DHCP snooping must be running and have learned bindings before IP Source Guard or DAI is switched on).


L2 Security Features Part II – IP Source Guard

IP Source Guard and Port Security

Using just DHCP snooping, you have stopped untrusted devices from acting as a DHCP server, which is important in an environment where people think it's a good idea to bring in their Linksys access point to better cover the office with wireless. Port Security can also stop more than one MAC address from being seen on a port, making it impossible to connect hubs and other network-extending devices.


Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP Source Guard: on an untrusted port it drops IP traffic whose source address does not appear in the DHCP snooping binding for that port. Even better, combined with port security it can also stop clients from forging their MAC address. Limiting the MAC addresses allowed on a port also makes flooding the switch impossible. Flooding is a technique by which an attacker sends frames from so many different source MAC addresses on their port that the switch's MAC (CAM) table overflows. Once the table is full the switch cannot learn any new address, so frames to every destination it does not know are flooded out of all ports in the VLAN, allowing an attacker to see traffic that would otherwise have been switched only to its destination. Some viruses have been known to do this as well.


    Switch(config-if)# ip verify source vlan dhcp-snooping


But be careful! If the binding table has no entry for this port, you've just stopped all IP traffic from it. It is recommended that DHCP snooping be turned on well in advance, at least one full lease period, before enabling IP Source Guard, so that every active client has renewed its lease and therefore appears in the table.


To apply MAC address security, you must turn it on, then configure appropriate options:


    !Set explicit access mode (a port in dynamic DTP mode can't have port security)

    Switch(config-if)# switchport mode access


    !Enable port-security

    Switch(config-if)# switchport port-security


    !Specify how many MAC addresses can be used:

    Switch(config-if)# switchport port-security maximum 1


    !Action to take when a violation happens:

    Switch(config-if)# switchport port-security violation {restrict | shutdown}

Violation restrict will not disable the switch port, but instead causes the switch to drop the offending frames, increment a security violation counter, log a message and send an SNMP trap; shutdown puts the port into the err-disabled state. A third mode, protect, drops the offending frames silently. These options are quite configurable: you can even have an err-disabled port recover automatically after a set interval. An alternative, less dynamic method is to configure the MAC address binding statically (or let the switch learn it once and keep it as a "sticky" address). A static binding stops any other MAC from ever working on that port.
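As an added illustration (not from the article or from Cisco), the following Python model shows why the MAC flooding described above works against a plain switch and what each port security mode does about it: a deliberately small CAM table fills up, a legitimate host can no longer be learned, and its traffic is flooded to the attacker's port; with maximum 1 the second source MAC triggers the violation, shutdown err-disables the port, restrict keeps it up while counting and trapping, and a static binding rejects any other MAC. The table size, port names and MAC addresses are made up.

```python
"""Constructed model of a switch CAM table under MAC flooding, with and without port
security. Added illustration only, not Cisco code; the table size, port names and
MAC addresses are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # two legitimate hosts (made up)

@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"                 # protect | restrict | shutdown
    secure_macs: Set[str] = field(default_factory=set)
    static: bool = False                        # True: only the pre-configured MACs, ever

@dataclass
class Switch:
    cam_size: int
    ports: List[str]
    cam: Dict[str, str] = field(default_factory=dict)            # MAC -> port
    psec: Dict[str, PortSecurity] = field(default_factory=dict)  # port -> policy
    violations: Dict[str, int] = field(default_factory=dict)
    errdisabled: Set[str] = field(default_factory=set)
    traps: List[str] = field(default_factory=list)               # SNMP traps / syslog

    def receive(self, port: str, src: str, dst: str) -> Dict[str, object]:
        """Switch one frame; returns the egress ports and what the switch did."""
        if port in self.errdisabled:
            return {"out": [], "action": "dropped (port err-disabled)"}
        ps = self.psec.get(port)
        if ps is not None and src not in ps.secure_macs:
            if ps.static or len(ps.secure_macs) >= ps.maximum:
                self.violations[port] = self.violations.get(port, 0) + 1
                if ps.violation == "shutdown":
                    self.errdisabled.add(port)
                    self.traps.append(f"{port}: psecure-violation from {src}, err-disabled")
                    return {"out": [], "action": "violation: port shut down"}
                if ps.violation == "restrict":
                    self.traps.append(f"{port}: psecure-violation from {src}, frame dropped")
                return {"out": [], "action": f"violation: frame dropped ({ps.violation})"}
            ps.secure_macs.add(src)                 # learned as a secure address
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = port                    # a full table simply cannot learn src
        if dst == BROADCAST:
            action, out = "flooded (broadcast)", [p for p in self.ports if p != port]
        elif dst in self.cam:
            action, out = "forwarded", [self.cam[dst]]
        else:
            action, out = "flooded (unknown destination)", [p for p in self.ports if p != port]
        return {"out": out, "action": action}

def fresh(policy: Optional[Dict[str, PortSecurity]] = None) -> Switch:
    sw = Switch(cam_size=64, ports=["Fa0/1", "Fa0/2", "Fa0/3"])   # deliberately tiny CAM
    sw.psec.update(policy or {})
    return sw

def flood(sw: Switch, port: str, count: int) -> List[str]:
    """Attacker on `port` sends frames from `count` made-up source MACs."""
    return [sw.receive(port, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST)["action"]
            for i in range(count)]

def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # Baseline: A talks to B, and B's reply is switched to A's port only.
    sw = fresh()
    sw.receive("Fa0/1", A, B)
    out["baseline_reply"] = sw.receive("Fa0/2", B, A)["out"]
    # MAC flooding from Fa0/3 with no port security: the CAM fills, A can no longer be learned
    # (on a real switch the entries of quiet hosts age out), so B's reply floods to the attacker.
    sw = fresh()
    flood(sw, "Fa0/3", 200)
    out["cam_full"] = len(sw.cam) == sw.cam_size
    sw.receive("Fa0/1", A, B)
    r = sw.receive("Fa0/2", B, A)
    out["flooded_reply"], out["attacker_sees_reply"] = r["action"], "Fa0/3" in r["out"]
    # Same attack against 'port-security maximum 1 violation shutdown': the second MAC kills the port.
    sw = fresh({"Fa0/3": PortSecurity(maximum=1, violation="shutdown")})
    actions = flood(sw, "Fa0/3", 3)
    out["shutdown_actions"], out["shutdown_errdisabled"] = actions, "Fa0/3" in sw.errdisabled
    # 'violation restrict': the port stays up, offending frames are dropped, counter and traps grow.
    sw = fresh({"Fa0/3": PortSecurity(maximum=1, violation="restrict")})
    flood(sw, "Fa0/3", 5)
    out["restrict_violations"] = sw.violations["Fa0/3"]
    out["restrict_up"] = "Fa0/3" not in sw.errdisabled
    out["restrict_cam"] = len(sw.cam)
    # Static binding: only the configured MAC works on Fa0/1; any other MAC is a violation.
    sw = fresh({"Fa0/1": PortSecurity(secure_macs={A}, static=True)})
    out["static_ok"] = sw.receive("Fa0/1", A, BROADCAST)["action"]
    out["static_other"] = sw.receive("Fa0/1", B, BROADCAST)["action"]
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The model leaves out MAC aging on purpose; on a real switch the attacker keeps the table full so that aged-out legitimate entries can never be re-learned, which is the same end state the second scenario reaches directly.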

L2 Security Features Part I – DHCP Snooping

Here is a 3-part series written by Charlie Schluting, describing some of the L2 security features available in Cisco switches with smart ports.

Enjoy reading this, as it is covered in the CCIE exams.


DHCP Snooping


DHCP snooping is a security feature that filters untrusted DHCP messages and protects clients on the network from obtaining a lease from an unauthorized DHCP server. When enabled, it builds a binding table of MAC address, IP address, lease time, binding type, VLAN and interface (the switch port the client is connected to).

There is also an important distinction between trusted and untrusted interfaces when talking about DHCP snooping. Switch ports connected to end users should be untrusted (the default): DHCP server messages (OFFER, ACK, NAK) arriving on them are dropped. Trusted interfaces are those connected to your DHCP server or to another switch. Enabling DHCP snooping globally turns the feature on, but the switch only inspects DHCP traffic on the VLANs where snooping is also enabled, so you need both; the switch then acts like a firewall between the untrusted hosts and the DHCP servers of that VLAN.

Here’s how it’s done:

    !Turn on snooping for the entire switch:

    Switch(config)# ip dhcp snooping

    Switch(config)# ip dhcp snooping vlan [number or range]


    !Our DHCP server:

    Switch(config)# interface GigabitEthernet 5/1

    Switch(config-if)# ip dhcp snooping trust


    !An untrusted client port; rate limiting is optional (a port exceeding its limit is err-disabled):

    Switch(config)# interface FastEthernet 2/1

    Switch(config-if)# ip dhcp snooping limit rate 10

A few notes on this:

First, and most importantly, you must realize that as soon as snooping is enabled, DHCP server replies arriving on untrusted ports are dropped, so no client will get a lease until the ports facing your DHCP servers and your uplinks are configured as trusted. Hence, this should be turned on with great care. Second, this isn't as cumbersome as it may seem. You can use the interface range command to configure all trusted ports at once. Here's how to enable trust on all trunk ports and ports that a DHCP server is connected to:

    Switch(config)# interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3

    Switch(config-if-range)# ip dhcp snooping trust

Interface range is a little-known command, introduced in IOS 12.1, that saves a tremendous amount of time.

The last caveat with DHCP snooping concerns downstream snoopers behind a trunk port. A snooping switch inserts the relay agent information option (option 82) into the client requests it forwards but leaves the giaddr field at zero, and a relay upstream that receives such a packet on an interface it does not trust drops it by default, so the downstream switch's clients never get a lease. You must therefore establish a trust relationship on the receiving interface of the upstream relay:

    Switch(config-if)# ip dhcp relay information trusted

Now, you may be thinking “DHCP snooping sounds nice, but what happens when I reboot the switch and the snooper doesn’t have a database of leases anymore? Won’t it require clients to re-obtain their DHCP leases?”

Yes. Cisco thought of this and created a mechanism by which the binding database can be saved. It is possible to keep the database on flash memory, but because of space limitations it's best to use a TFTP server, with the command:

    Switch(config)# ip dhcp snooping database tftp://

The database is written out (after a short write delay) whenever the binding table changes, so it should survive a quick reboot. If some DHCP leases have expired by the time the switch comes back up, those entries are discarded, and the client won't have connectivity through IP Source Guard or DAI until it renews or re-requests its lease.
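To make the binding model concrete, here is a constructed Python simulation, added for this page and not Cisco code or the author's, of the decisions described in this part and consumed by Parts II and III: how the binding table is filled from DHCP exchanges seen on untrusted ports, why a rogue server's OFFER is dropped, how Dynamic ARP Inspection compares an ARP sender against the table, and how IP Source Guard filters source addresses, with the extra MAC check that the port-security keyword of ip verify source adds. Port names, MAC and IP addresses, the lease time and the rate limit are assumed values; the clock is a plain integer.

```python
"""Constructed model of a DHCP snooping binding table and of the two features that
consume it, Dynamic ARP Inspection (Part III) and IP Source Guard (Part II).
Added illustration only; it is not Cisco code. Port names, MACs, addresses, lease
time and rate limit are made up."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str            # the client-facing (untrusted) port
    expires: int         # lease expiry on a constructed integer clock

@dataclass
class Switch:
    trusted: Set[str]                         # ports where DHCP server replies are allowed
    snooping_vlans: Set[int]
    rate_limit: Dict[str, int] = field(default_factory=dict)                 # port -> DHCP pkts/second
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)   # (vlan, mac) -> binding
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)        # (vlan, mac) -> port
    seen: Dict[Tuple[str, int], int] = field(default_factory=dict)           # (port, second) -> count
    errdisabled: Set[str] = field(default_factory=set)

    def dhcp(self, port: str, vlan: int, kind: str, mac: str,
             ip: Optional[str] = None, lease: int = 0, now: int = 0) -> str:
        """kind: DISCOVER/REQUEST (client -> server) or OFFER/ACK (server -> client)."""
        if port in self.errdisabled:
            return "drop (port err-disabled)"
        if vlan not in self.snooping_vlans:
            return "forward (VLAN not snooped)"
        if port not in self.trusted:
            n = self.seen[(port, now)] = self.seen.get((port, now), 0) + 1
            if port in self.rate_limit and n > self.rate_limit[port]:
                self.errdisabled.add(port)
                return "drop (DHCP rate limit exceeded, port err-disabled)"
            if kind in ("OFFER", "ACK"):
                return "drop (server message on untrusted port)"
            self.pending[(vlan, mac)] = port      # remember which port this client lives on
        elif kind == "ACK" and ip and (vlan, mac) in self.pending:
            client_port = self.pending.pop((vlan, mac))
            self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, client_port, now + lease)
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str, now: int) -> str:
        """DAI: on untrusted ports the sender MAC/IP pair must match a live binding for this port."""
        if port in self.trusted:
            return "forward (trusted port, not inspected)"
        b = self.bindings.get((vlan, sender_mac))
        if b and b.port == port and b.ip == sender_ip and b.expires > now:
            return "forward"
        return "drop (DAI: no matching binding)"

    def ip_packet(self, port: str, vlan: int, src_mac: str, src_ip: str,
                  now: int, check_mac: bool = False) -> str:
        """IP Source Guard: the source IP must be bound to this port; with check_mac the
        source MAC must match too (the port-security keyword on the IOS command)."""
        for b in self.bindings.values():
            if b.port == port and b.vlan == vlan and b.ip == src_ip and b.expires > now:
                if not check_mac or b.mac == src_mac:
                    return "forward"
        return "drop (IPSG: source not bound to this port)"

def demo() -> Dict[str, str]:
    """Walk one client through DHCP, then try the attacks the series describes."""
    sw = Switch(trusted={"Gi5/1"}, snooping_vlans={1}, rate_limit={"Fa2/3": 10})
    out: Dict[str, str] = {}
    victim = "aa:aa:aa:aa:aa:01"
    sw.dhcp("Fa2/1", 1, "DISCOVER", victim, now=0)
    sw.dhcp("Gi5/1", 1, "OFFER", victim, ip="10.0.0.11", now=0)
    sw.dhcp("Fa2/1", 1, "REQUEST", victim, now=0)
    out["ack"] = sw.dhcp("Gi5/1", 1, "ACK", victim, ip="10.0.0.11", lease=3600, now=0)
    # a rogue DHCP server (the office Linksys) answering from an untrusted port
    out["rogue_offer"] = sw.dhcp("Fa2/2", 1, "OFFER", victim, ip="10.0.0.99", now=1)
    # ARP: the victim's own reply, and an attacker claiming the gateway's address 10.0.0.1
    out["arp_ok"] = sw.arp("Fa2/1", 1, victim, "10.0.0.11", now=10)
    out["arp_poison"] = sw.arp("Fa2/2", 1, "bb:bb:bb:bb:bb:02", "10.0.0.1", now=10)
    # IPSG: attacker borrows the victim's IP; victim forges its MAC (caught only with check_mac)
    out["ipsg_ok"] = sw.ip_packet("Fa2/1", 1, victim, "10.0.0.11", now=10)
    out["ipsg_spoof_ip"] = sw.ip_packet("Fa2/2", 1, "bb:bb:bb:bb:bb:02", "10.0.0.11", now=10)
    out["ipsg_spoof_mac_unchecked"] = sw.ip_packet("Fa2/1", 1, "cc:cc:cc:cc:cc:03", "10.0.0.11", now=10)
    out["ipsg_spoof_mac_checked"] = sw.ip_packet("Fa2/1", 1, "cc:cc:cc:cc:cc:03", "10.0.0.11",
                                                 now=10, check_mac=True)
    # the lease has expired (switch was down longer than the lease): the entry is no longer valid
    out["arp_expired"] = sw.arp("Fa2/1", 1, victim, "10.0.0.11", now=3700)
    # a DHCP flood on a rate-limited port: the 11th packet in one second err-disables it
    out["rate_limit"] = [sw.dhcp("Fa2/3", 1, "DISCOVER", f"dd:dd:dd:dd:dd:{i:02x}", now=5)
                         for i in range(11)][-1]
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v}")
```

Note the ipsg_spoof_mac_unchecked result: plain IP Source Guard only checks the source IP, which is why the article pairs it with port security when MAC forgery is the concern.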






Spanning Tree – 802.1d

I have read through "Cisco LAN Switching" by Clark, and here are the main points I was able to get out of reading the STP chapter.

STP uses 2 key concepts to create a loop-free topology:

1. Bridge ID 

2. Path Cost

The Bridge ID is an 8-byte field made up of the bridge priority (2 bytes) and the MAC address assigned to the bridge/switch (6 bytes).

Path cost was originally defined as 1000 Mbps divided by the bandwidth of the link in Mbps. For fast links this calculation produces non-integer values, and non-integer path costs are not allowed (e.g. OC-48 gives 1000/2400 = 0.42).

The workaround was a revised table of integer cost values. Some examples are shown below:

10Mbps ethernet link – 100

100 Mbps ethernet link – 19

155 Mbps link – 14

10 Gbps link – 2

Generally, the lower cost is preferred. Also note that the root path cost carried in a BPDU is incremented by the cost of the port on which the BPDU arrives.

STP uses the following four-step sequence for all of its decisions:

1. Lowest Root BID (Bridge ID)

2. Lowest Path Cost to the Root Bridge

3. Lowest Sender BID

4. Lowest Port ID

2 Types of BPDU:

Configuration BPDU – flows downstream from the root bridge to all other bridges

Topology Change Notification BPDU – flows upstream towards the root bridge

Initial STP Convergence:

1. Elect one Root Bridge

2. Elect Root Ports on non-root bridges

3. Elect Designated Ports on every network segment
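The following Python model, added here and not taken from the book, runs the election steps above over a made-up three-switch topology: it picks the root by lowest Bridge ID, computes each bridge's root path cost by adding the receiving port's cost as a BPDU propagates, chooses root ports with the decision sequence (once the root is elected every BPDU carries the same Root BID, so the comparison reduces to root path cost, sender BID, sender port ID, receiver port ID), and elects the designated port on each segment. It uses the revised costs listed above plus the 1 Gbps value of 4 from the same revised table; switch names, priorities and MAC addresses are assumptions.

```python
"""Constructed model of the 802.1D decision sequence: root bridge election, root port
selection and designated port election. Added illustration, not Cisco code or the
book's; the topology, priorities and MAC addresses are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COST = {10: 100, 100: 19, 155: 14, 1000: 4, 10000: 2}   # Mbps -> revised 802.1D port cost
BID = Tuple[int, str]     # (2-byte priority, 6-byte MAC); tuple order matches numeric BID order

@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int

def run_stp(bridges: Dict[str, BID], links: List[Link]) -> Dict[str, object]:
    """Return the root, each bridge's root path cost, each root port and every port's role."""
    # Step 1 of convergence: the lowest Bridge ID becomes the root.
    root = min(bridges, key=bridges.get)
    nbrs: Dict[str, List[Tuple[int, str, int, int]]] = {b: [] for b in bridges}
    for l in links:                       # (own port, neighbour, neighbour port, link cost)
        nbrs[l.a].append((l.a_port, l.b, l.b_port, COST[l.mbps]))
        nbrs[l.b].append((l.b_port, l.a, l.a_port, COST[l.mbps]))
    # Root path cost: a BPDU's cost is incremented on the receiving port, so a bridge's cost
    # is the cheapest neighbour's cost plus the cost of the port the BPDU arrives on.
    rpc = {b: float("inf") for b in bridges}
    rpc[root] = 0
    todo = set(bridges)
    while todo:
        u = min(todo, key=lambda b: rpc[b])
        todo.remove(u)
        for _port, v, _vport, c in nbrs[u]:
            rpc[v] = min(rpc[v], rpc[u] + c)
    # Step 2: the root port is the port that received the best BPDU, compared as
    # (root path cost, sender BID, sender port ID, receiver port ID).
    root_port: Dict[str, int] = {}
    for b in bridges:
        if b == root:
            continue
        best = min(nbrs[b], key=lambda n: (rpc[n[1]] + n[3], bridges[n[1]], n[2], n[0]))
        root_port[b] = best[0]
    # Step 3: the designated port on a segment is the end that would send the better BPDU,
    # compared as (root path cost, own BID, own port ID); everything else blocks.
    roles: Dict[Tuple[str, int], str] = {}
    for l in links:
        ends = [(l.a, l.a_port), (l.b, l.b_port)]
        dp = min(ends, key=lambda e: (rpc[e[0]], bridges[e[0]], e[1]))
        for e in ends:
            roles[e] = ("designated" if e == dp else
                        "root" if root_port.get(e[0]) == e[1] else "blocking")
    return {"root": root, "rpc": rpc, "root_port": root_port, "roles": roles}

def demo() -> Dict[str, object]:
    # SW1 has the lowest MAC at equal priority and becomes root. SW3 reaches it cheaper
    # through SW2 over two Gigabit hops (4 + 4 = 8) than over its own FastEthernet link (19),
    # and its two parallel links to SW2 tie on cost and sender BID, so sender port ID decides.
    bridges = {"SW1": (32768, "00:00:00:00:00:01"),
               "SW2": (32768, "00:00:00:00:00:02"),
               "SW3": (32768, "00:00:00:00:00:03")}
    links = [Link("SW1", 1, "SW2", 1, 1000),
             Link("SW1", 2, "SW3", 1, 100),
             Link("SW2", 2, "SW3", 2, 1000),
             Link("SW2", 3, "SW3", 3, 1000)]
    return run_stp(bridges, links)

if __name__ == "__main__":
    r = demo()
    print("root:", r["root"], "root path costs:", r["rpc"])
    for (bridge, port), role in sorted(r["roles"].items()):
        print(f"{bridge} port {port}: {role}")
```

Lowering SW3's priority in the demo to 4096 flips the whole result, which is the standard way to show that the root election is decided by priority before MAC address.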

Port States in STP

STP 802.1d    RSTP 802.1w    Function
Forwarding    Forwarding     Sends/receives user data
Learning      Learning       Learns MAC addresses
Listening     Discarding     Builds the active topology
Blocking      Discarding     Listens to BPDUs only
Disabled      Discarding     Administratively down

802.1d STP Timers

Hello – 2 sec

Forward Delay (Listening & Learning States) – 15 secs each

Max Age – how long a stored BPDU is kept before it is aged out, i.e. the time within which it must be refreshed – 20 secs

Default STP maximum convergence time = 20 (Max Age) + 15 (Listening) + 15 (Learning) = 50 secs