Cisco Network Academy. All rights reserved. CCNP+ BSMSN v3.0

Minimizing Service Loss and Data Theft in a Campus Network
Protecting Against Spoof Attacks

DHCP Spoof Attacks
- Attacker activates a DHCP server on the VLAN.
- Attacker replies to valid client DHCP requests.
- Attacker assigns IP configuration information that establishes the rogue device as the client default gateway.
- Attacker establishes a "man-in-the-middle" attack.

DHCP Snooping
- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping on uplinks to a DHCP server.
- Do not configure DHCP snooping on client ports.

Securing Against DHCP Snooping Attacks
  Switch(config)# ip dhcp snooping
      Enables DHCP snooping globally
  Switch(config)# ip dhcp snooping vlan number number
      Enables DHCP snooping on your VLANs
  Switch(config)# ip dhcp snooping information option
      Enables DHCP Option 82 data insertion
  Switch(config)# ip dhcp snooping limit rate rate
      Number of packets per second accepted on a port
  Switch(config-if)# ip dhcp snooping trust
      Configures a trusted interface

Verifying DHCP Snooping
  Switch# show ip dhcp snooping
      Verifies the DHCP snooping configuration

  Switch# show ip dhcp snooping
  Switch DHCP snooping is enabled
  DHCP Snooping is configured on the following VLANs:
  10 30-40 100 200-220
  Insertion of option 82 information is enabled.
  Interface          Trusted    Rate limit (pps)
  ------------------ ---------- ----------------
  FastEthernet2/1    yes        none
  FastEthernet2/2    yes        none
  FastEthernet3/1    no         20
  Switch#

IP Source Guard
- IP Source Guard is configured on untrusted L2 interfaces.

Configuring IP Source Guard on a Switch
  Switch(config)# ip dhcp snooping
      Enables DHCP snooping globally
  Switch(config)# ip dhcp snooping vlan number number
      Enables DHCP snooping on a specific VLAN
  Switch(config-if)# ip verify source vlan dhcp-snooping port-security
      Enables IP Source Guard, source IP, and source MAC address filter on a port

ARP Spoofing

Dynamic ARP Inspection
- DAI associates each interface with a trusted state or an untrusted state.
- Trusted interfaces bypass all DAI.
- Untrusted interfaces undergo DAI validation.

Configuring DAI
  Switch(config)# ip arp inspection vlan vlan_id,vlan_id
      Enables DAI on a VLAN or range of VLANs
  Switch(config-if)# ip arp inspection trust
      Enables DAI on an interface and sets the interface as a trusted interface
  Switch(config-if)# ip arp inspection validate src-mac dst-mac ip
      Configures DAI to drop ARP packets when the IP addresses are invalid
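The slides list the three features separately; the following running configuration ties them together on one access switch, using the interface names and the 20 pps rate from the show output above. This is an added example, not configuration from the Cisco Network Academy slides: the VLAN number, port roles and the 48-port range are assumptions, `ip dhcp snooping limit rate` is applied at interface level (where Catalyst IOS accepts it), and the exact `ip verify source` keyword syntax varies by platform.

```cisco
! Added example (not from the slides). Assumed topology: FastEthernet2/1-2 are
! uplinks toward the DHCP server, FastEthernet3/1-48 are client ports in VLAN 10.

! --- DHCP snooping: builds the binding table that IPSG and DAI both rely on ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option

! --- DAI: validate ARP on VLAN 10 against the DHCP snooping bindings ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! Uplinks toward the legitimate DHCP server: trusted for both features, so
! DHCP offers/acks and ARP arriving from the infrastructure side are not inspected.
interface range FastEthernet2/1 - 2
 description Uplink to distribution (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! Client ports stay untrusted (the default): DHCP replies from a host are dropped,
! the DHCP rate is capped so a host cannot flood the switch, and IP Source Guard
! only forwards traffic whose source IP/MAC match the snooping binding for the port.
interface range FastEthernet3/1 - 48
 description Client access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip dhcp snooping limit rate 20
 ip verify source vlan dhcp-snooping port-security

! Verification after the configuration is applied:
!   show ip dhcp snooping            (trust state and rate limit per interface)
!   show ip dhcp snooping binding    (learned IP/MAC/VLAN/port bindings)
!   show ip arp inspection vlan 10   (DAI enabled and validation checks)
!   show ip verify source            (IPSG filter state per port)
```

A client port showing "none" for its rate limit, or "yes" under Trusted, in `show ip dhcp snooping` means a rogue DHCP server on that port would not be blocked and should be treated as a misconfiguration.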