Module 14 Layer 2 Security Considerations

Layer 2 Security Threats


14.1.1 Describe Layer 2 Vulnerabilities

The OSI reference model is divided into seven layers, each of which operates independently of the others. As shown in the figure, each layer performs a specific function and has core elements that can be exploited.

The figure shows the OSI model layers and their functions.

Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7 using VPNs, firewalls, and IPS devices. However, as shown in the figure below, if Layer 2 is compromised, then all of the layers above it are also affected. For example, if an employee or visitor with access to the internal network could capture Layer 2 frames, much of the security implemented at the layers above would be of little use, because those frames carry the upper-layer traffic that the higher-layer controls are meant to protect. The same person could also disrupt the Layer 2 LAN infrastructure itself.

The figure shows that if Layer 2 is compromised, so are all the layers above it.

Lower Levels Affect Higher Levels


14.1.2 Switch Attack Categories

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. This is because traditionally LANs were under the administrative control of a single organization, and all persons and devices connected to the LAN were inherently trusted. Today, with BYOD and more sophisticated attacks, LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 through Layer 7, network security professionals must also mitigate attacks on the Layer 2 LAN infrastructure.

The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats to which the Layer 2 infrastructure is exposed.

Attacks against the Layer 2 LAN infrastructure are highlighted in the table.

Note: The focus of this module is on common Layer 2 attacks.

Type - Description

MAC Table Attacks - Includes MAC table overflow (also called MAC address flooding) attacks.

VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.

DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.

ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.

Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.

STP Attacks - Includes Spanning Tree Protocol manipulation attacks.

The figure below provides an overview of Cisco solutions that help mitigate Layer 2 attacks.

The figure is a pyramid with four levels labeled, from top to bottom, IPSG, DAI, DHCP snooping, and port security.

Topic Title - Topic Objective

Port Security - Port security prevents many types of attacks, including MAC table overflow attacks and DHCP starvation attacks.

DHCP Snooping - DHCP snooping prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers.

Dynamic ARP Inspection (DAI) - DAI prevents ARP spoofing and ARP poisoning attacks.

IP Source Guard (IPSG) - IP Source Guard prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. An example would be a switch that attackers can easily telnet into. Syslog, SNMP, TFTP, Telnet, FTP, and most other common network management protocols are insecure: they send their data, and in several cases their credentials, in cleartext and do not authenticate the peer. Therefore, the following strategies are recommended:

 Always use secure variants of these protocols, such as SSH, SCP, and SSL/TLS.

 Consider using out-of-band (OOB) management.

 Use a dedicated management VLAN where nothing but management traffic resides.

 Use ACLs to filter unwanted access.


MAC Table Attacks

14.2.1 Switch Fundamentals

A switch uses MAC addresses to forward (or discard) frames to other devices on a network. If a switch simply forwarded every frame it received out all ports, the network would be so congested that it would probably come to a complete halt.

A Layer 2 Ethernet switch uses Layer 2 MAC addresses to make forwarding decisions. It is completely unaware of the data (protocol) being carried in the data portion of the frame, such as an IPv4 packet, an ARP message, or an IPv6 ND packet. The switch makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.

An Ethernet switch examines its MAC address table to make a forwarding decision for each frame, unlike legacy Ethernet hubs, which repeat bits out all ports except the incoming port. In the figure, the four-port switch has just been powered on. The table shows the MAC address table, which has not yet learned the MAC addresses of the four attached PCs.

Note: MAC addresses are shortened throughout this topic for demonstration purposes.

Note: The MAC address table is sometimes referred to as a content addressable memory (CAM) table. While the term CAM table is fairly common, for the purposes of this course we will refer to it as a MAC address table.

14.2.2 Switch Learning and Forwarding

The switch dynamically builds the MAC address table by examining the source MAC address of the frames that are received on a port. The switch forwards frames by searching for a match between the destination MAC address in the frame and an entry in the MAC address table.

The learn and forward steps are illustrated and explained below.

Examine the Source MAC Address

Every frame that enters a switch is checked for new information to learn. The switch does this by examining the source MAC address of the frame and the port number where the frame entered the switch. If the source MAC address is not in the table, it is added along with the incoming port number. If the source MAC address is already in the table, the switch resets the refresh timer for that entry. By default, most Ethernet switches keep an entry in the table for 5 minutes.

In the figure, for example, PC-A is sending an Ethernet frame to PC-D. The table shows the switch adding the MAC address for PC-A to the MAC address table.

Note: If the source MAC address is in the table but associated with a different port, the switch treats this as a new entry. The entry is replaced using the same MAC address but with the more current port number. This is also the behavior that a MAC address spoofing attack exploits: a frame with a forged source MAC address moves the victim's table entry to the attacker's port.

Find the Destination MAC Address

If the destination MAC address is a unicast address, the switch looks for a match between the destination MAC address of the frame and an entry in its MAC address table. If the destination MAC address is in the table, the switch forwards the frame out the specified port only. If the destination MAC address is not in the table, the switch forwards the frame out all ports except the incoming port. This is called an unknown unicast.

As shown in the figure, the switch does not have the destination MAC address for PC-D in its table, so it sends the frame out all ports except port 1.

Note: If the destination MAC address is a broadcast or a multicast address, the frame is also flooded out all ports except the incoming port.
14.2.3 Filtering Frames

As a switch receives frames from different devices, it populates its MAC address table by examining the source MAC address of every frame. When the MAC address table of the switch contains the destination MAC address, the switch is able to filter the frame and forward it out a single port.

In the figure, PC-D is replying to PC-A. The switch sees the MAC address of PC-D in the incoming frame on port 4. The switch then puts the MAC address of PC-D into the MAC address table, associated with port 4.

Next, because the switch has the destination MAC address for PC-A in the MAC address table, it sends the frame only out port 1, as shown in the figure.

Next, PC-A sends another frame to PC-D, as shown in the figure. The MAC address table already contains the MAC address for PC-A; therefore, the five-minute refresh timer for that entry is reset. Then, because the switch table contains the destination MAC address for PC-D, it sends the frame only out port 4.
14.2.4 MAC Address Table Flooding

All MAC address tables have a fixed size, and consequently a switch can run out of resources in which to store MAC addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch with frames carrying fake source MAC addresses until the MAC address table is full.

When this occurs, the switch can no longer learn the source addresses of legitimate hosts. Frames destined to those hosts find no entry in the table, so the switch treats them as unknown unicasts and floods them out all ports in the same VLAN. This condition allows a threat actor to capture frames sent from one host to another on the local LAN or local VLAN, which is why the flood is usually a prelude to sniffing rather than an end in itself.

Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local LAN or VLAN to which the threat actor is connected.

The figure shows how a threat actor can easily use the network attack tool macof to overflow a MAC address table.

If the threat actor stops macof from running, or is discovered and stopped, the switch eventually ages out the older MAC address entries from the table and begins to act like a switch again. Because entries age out only after the refresh timer expires (5 minutes by default), an attacker can keep the table full with a steady trickle of frames, so the attack is also visible as an abnormally high rate of new MAC addresses appearing on a single port.
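The learn, forward and flood behavior described in 14.2.2 through 14.2.4 can be exercised in a small model. The following Python is an added example, not part of the Cisco module: it models a single-VLAN switch with a bounded MAC address table and a macof-style flood, with the port numbers, the tiny table size, the 300-second aging time and all MAC addresses constructed for illustration. It shows that hosts already in the table keep being filtered while the flood runs, that a host the switch could not learn has its traffic flooded, including to the attacker's port, and that the table recovers once the bogus entries age out.

```python
"""Bounded MAC address table under a macof-style flood. Added example, not
from the Cisco module; ports, table size (scaled down from the 132,000 of a
Catalyst 6500), aging time and MAC addresses are constructed."""
import os
import time


class Switch:
    """Single-VLAN switch: learns source MACs, filters known unicasts,
    floods broadcasts and unknown unicasts out every port but the ingress."""

    def __init__(self, ports, table_size, age_secs=300):
        self.ports = list(ports)
        self.table_size = table_size
        self.age_secs = age_secs            # default refresh timer: 5 minutes
        self.table = {}                     # mac -> (port, last_seen)
        self.flooded = 0                    # frames sent as unknown unicast/broadcast

    def age_out(self, now):
        """Remove entries whose refresh timer has expired."""
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= self.age_secs:
                del self.table[mac]

    def learn(self, src, in_port, now):
        """Learn or refresh the source MAC; a full table learns nothing new."""
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = (in_port, now)   # also follows a host that moved port

    def forward(self, src, dst, in_port, now=None):
        """Return the list of egress ports for one frame."""
        now = time.monotonic() if now is None else now
        self.age_out(now)
        self.learn(src, in_port, now)
        if dst != "ff:ff:ff:ff:ff:ff" and dst in self.table:
            return [self.table[dst][0]]
        self.flooded += 1
        return [p for p in self.ports if p != in_port]


def random_mac():
    """Locally administered unicast MAC, like the sources macof generates."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def macof_flood(sw, attacker_port, frames, now):
    """Frames with random source and destination MACs fill the table."""
    for _ in range(frames):
        sw.forward(random_mac(), random_mac(), attacker_port, now)


def demo():
    sw = Switch(ports=[1, 2, 3, 4], table_size=8)
    pc_a, pc_d, pc_e = "00:00:00:00:00:0a", "00:00:00:00:00:0d", "00:00:00:00:00:0e"
    t = 0.0
    first = sw.forward(pc_a, pc_d, 1, t)      # PC-D unknown yet: flooded to 2, 3, 4
    sw.forward(pc_d, pc_a, 4, t)              # reply learns PC-D, goes to port 1 only
    before = sw.forward(pc_a, pc_d, 1, t)     # now filtered to port 4
    macof_flood(sw, attacker_port=3, frames=50, now=t)
    during = sw.forward(pc_e, pc_a, 2, t)     # PC-A still known, but PC-E cannot be learned
    back = sw.forward(pc_a, pc_e, 1, t)       # so PC-A -> PC-E is flooded; attacker on 3 sees it
    after_age = sw.forward(pc_e, pc_a, 2, t + 301)  # every entry aged out, PC-E learned
    after = sw.forward(pc_a, pc_e, 1, t + 301)      # filtered again
    return first, before, during, back, after_age, after, len(sw.table)
```

Note that PC-A and PC-D keep being filtered during the flood: macof cannot evict entries that are already in the table, it only prevents new ones from being learned, so the attacker captures conversations involving hosts that the switch had not learned before the table filled (or whose entries aged out while it stayed full).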

14.2.5 MAC Address Table Attack Mitigation

What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow condition very quickly. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a MAC address table overflow in a matter of a few seconds. The example shows sample output of the macof command on a Linux host.

Another reason these attack tools are dangerous is that they affect not only the local switch but also other connected Layer 2 switches. When the MAC address table of a switch is full, it starts flooding out all ports, including those connected to other Layer 2 switches. Because each flooded frame carries a fresh bogus source address, the neighboring switches learn those addresses as well and their tables fill too.

To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security allows only a specified number of source MAC addresses to be learned on a port. Port security is discussed further later in this module.

Mitigate MAC Table Attacks

14.3.1 Secure Unused Ports

Layer 2 devices are considered to be the weakest link in a company's security infrastructure. Layer 2 attacks are some of the easiest for attackers to carry out, but these threats can also be mitigated with some common Layer 2 solutions.

All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is secured depends on its function.

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and only three Fast Ethernet connections are in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be enabled with the no shutdown command.

To configure a range of ports at once, use the interface range command.

For example, to shut down ports Fa0/8 through Fa0/24 on S1, enter interface range fa0/8 - 24 in global configuration mode, followed by shutdown.

14.3.2 Mitigate MAC Address Table Attacks

The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.

Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. When a port that is configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.

By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network, as shown in the figure.

14.3.3 Enable Port Security

Notice in the example that the switchport port-security command was rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto, which means the port will negotiate a trunk if the neighbor asks for one. Therefore, in the example, the port is first configured with the switchport mode access interface configuration command.

Note: Trunk port security is beyond the scope of this course.

Use the show port-security interface command to display the current port security settings for FastEthernet 0/1, as shown in the example below. Notice that port security is enabled, and the port status is Secure-down, which means there are no devices attached and no violation has occurred. Also, the violation mode is Shutdown, and the maximum number of MAC addresses allowed is 1. If a device is connected to the port, the switch port status would display Secure-up and the switch will automatically add the device's MAC address as a secure MAC. In this example, no device is connected to the port.

Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state. This condition is discussed later in this topic.

After port security is enabled, other port security specifics can be configured, as shown in the example.

14.3.4 Limit and Learn MAC Addresses

To set the maximum number of MAC addresses allowed on a port, use the switchport port-security maximum value interface configuration command.

The default port security value is 1. The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS. In this example, the maximum is 8192.

The switch can be configured to learn MAC addresses on a secure port in one of three ways:

1. Manually Configured

The administrator manually configures static MAC addresses by using the switchport port-security mac-address mac-address command once for each secure MAC address on the port.

2. Dynamically Learned

When the switchport port-security command is entered, the current source MAC address of the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.

3. Dynamically Learned - Sticky

The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the switchport port-security mac-address sticky command.

Saving the running configuration will commit the dynamically learned MAC addresses to NVRAM.

The following example demonstrates a complete port security configuration for FastEthernet 0/1 with a host connected to port Fa0/1. The administrator specifies a maximum of 2 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses up to the maximum of 2. Use the show port-security interface and the show port-security address commands to verify the configuration.

The output of the show port-security interface command verifies that port security is enabled, there is a host connected to the port (i.e., Secure-up), a total of 2 MAC addresses will be allowed, and S1 has learned one MAC address statically and one MAC address dynamically (i.e., sticky).

The output of the show port-security address command lists the two learned MAC addresses.

14.3.5 Port Security Aging

Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:

 Absolute - The secure addresses on the port are deleted after the specified aging time.

 Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.

Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses. Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added. Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.

Use the switchport port-security aging command to enable or disable static aging for the secure port, or to set the aging time or type. Its parameters are as follows:

Parameter - Description

static - Enable aging for statically configured secure addresses on this port.

time time - Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute - Set the absolute aging type. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.

type inactivity - Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Note: MAC addresses are shown as 24 bits for simplicity.

The example shows an administrator configuring the aging type to inactivity with an aging time of 10 minutes, and then using the show port-security interface command to verify the configuration.
14.3.6 Port Security Violation Modes

A port security violation occurs when the port has already learned its maximum number of secure MAC addresses and a frame arrives with a source MAC address that is not in the secure address list, or when a MAC address that is secured on one port is seen on another secure port in the same VLAN. By default, the port enters the error-disabled state.

To set the port security violation mode, use the switchport port-security violation {protect | restrict | shutdown} interface configuration command.

The following table describes the different violation modes.

Mode - Description

shutdown (default) - The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.

restrict - The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.

protect - This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent, so the administrator is never told that the violation happened.

The following table shows how a switch reacts based on the configured violation mode.

Violation Mode - Discards Offending Traffic - Sends Syslog Message - Increases Violation Counter - Shuts Down Port

Protect - Yes - No - No - No

Restrict - Yes - Yes - Yes - No

Shutdown - Yes - Yes - Yes - Yes

The following example shows an administrator changing the security violation mode to restrict. The output of the show port-security interface command confirms that the change has been made.

14.3.7 Ports in error-disabled State

What happens when the port security violation mode is shutdown and a port violation occurs? The port is shut down and placed in the error-disabled state, and no traffic is sent or received on that port.

In the example, the port security violation mode is changed back to the default shutdown setting. Then the host with MAC address a41f.7272.676a is disconnected and a new host is plugged into Fa0/1.

Notice that a series of port security related messages are generated on the console.

Note: The port protocol and link status are changed to down and the port LED is turned off.

In the example, the show interface command identifies the port status as err-disabled. The output of the show port-security interface command now shows the port status as Secure-shutdown instead of Secure-up. The Security Violation counter increments by 1.

The administrator should determine what caused the security violation. If an unauthorized device is connected to a secure port, the security threat should be eliminated before re-enabling the port; otherwise the port will simply be error-disabled again.

In the next example, the first host is reconnected to Fa0/1. To re-enable the port, first use the shutdown command, then use the no shutdown command to make the port operational, as shown in the example.
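The port security behavior described in 14.3.4 through 14.3.7 (the maximum count, static, dynamic and sticky learning, the three violation modes, aging, and err-disabled recovery) is modeled below in Python. This is an added example, not the Cisco module's configuration and not IOS code; the SecurePort class, its method names and the MAC addresses are constructed for illustration, and the log strings only approximate the shape of the IOS port-security syslog messages. demo() reproduces the module's Fa0/1 scenario (maximum 2, one static address, sticky learning, then a third device), demo_modes() contrasts protect, restrict and shutdown on the same overflow, and demo_aging() shows inactivity aging letting a replacement device in without a violation.

```python
"""Model of Cisco port security semantics. Added example, not from the Cisco
module and not IOS code; class, names and MACs are constructed, log strings approximate IOS."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # minutes, 0 = aging disabled
    aging_type: str = "absolute"     # absolute | inactivity
    aging_static: bool = False       # switchport port-security aging static
    secure: dict = field(default_factory=dict)   # mac -> {type, learned, seen}
    err_disabled: bool = False
    violation_count: int = 0
    running_config: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def configure_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure[mac] = {"type": "SecureConfigured", "learned": 0, "seen": 0}
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def _age(self, now):
        """Drop secure addresses whose aging timer (minutes) has expired."""
        if self.aging_time == 0:
            return
        for mac, e in list(self.secure.items()):
            if e["type"] == "SecureConfigured" and not self.aging_static:
                continue
            ref = e["seen"] if self.aging_type == "inactivity" else e["learned"]
            if now - ref >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now=0):
        """Process one ingress frame: True if forwarded, False if dropped."""
        if self.err_disabled:
            return False
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac]["seen"] = now
            return True
        if len(self.secure) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.secure[src_mac] = {"type": kind, "learned": now, "seen": now}
            if self.sticky:          # sticky addresses land in the running config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        # Maximum reached and the source is not a secure address: a violation.
        if self.violation == "protect":
            return False             # silent drop: nothing logged or counted
        self.violation_count += 1
        self.log.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                        f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                            f"{self.name}, putting {self.name} in err-disable state")
        return False

    def recover(self):
        """shutdown followed by no shutdown clears the err-disabled state."""
        self.err_disabled = False


def demo():
    p = SecurePort("FastEthernet0/1", maximum=2, sticky=True)
    p.configure_static("a41f.7272.676a")
    ok1 = p.receive("0090.2135.6b8c")      # learned as sticky
    ok2 = p.receive("a41f.7272.676a")      # the static address
    bad = p.receive("dead.beef.0001")      # third MAC: violation, port err-disabled
    down = p.receive("a41f.7272.676a")     # even the secure host is cut off now
    p.recover()
    ok3 = p.receive("a41f.7272.676a")
    return ok1, ok2, bad, down, ok3, p


def demo_modes():
    out = {}   # mode -> (violation count, err-disabled, log lines)
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort("Fa0/5", maximum=1, violation=mode)
        p.receive("0000.0000.0001")
        p.receive("0000.0000.0002")
        out[mode] = (p.violation_count, p.err_disabled, len(p.log))
    return out


def demo_aging():
    p = SecurePort("Fa0/1", maximum=1, aging_time=10, aging_type="inactivity")
    p.receive("0000.0000.0001", now=0)
    p.receive("0000.0000.0001", now=5)    # traffic refreshes the inactivity timer
    still = "0000.0000.0001" in p.secure
    p.receive("0000.0000.0002", now=16)   # idle 11 minutes: aged out, new MAC learned
    return still, list(p.secure), p.violation_count
```

The protect result in demo_modes() is the practical argument against that mode: the unauthorized frame is dropped, but no counter moves and nothing is logged, so a rogue device plugged into a protect-mode port is invisible to monitoring.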
14.3.8 Verify Port Security

After configuring port security on a switch, check each interface to verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.

Port Security for All Interfaces

To display port security settings for the switch, use the show port-security command. The example indicates that only one port is configured with the switchport port-security command.

Port Security for a Specific Interface

Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.

Verify Learned MAC Addresses

To verify that MAC addresses are "sticking" to the configuration, use the show running-config command as shown in the example for FastEthernet 0/19.

Verify Secure MAC Addresses

To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command as shown in the example.

14.3.9 Syntax Checker - Implement Port Security

Implement port security for a switch interface based on the specified requirements.

You are currently logged into S1. Configure FastEthernet 0/5 for port security by using the following requirements:

 Use the interface name fa0/5 to enter interface configuration mode.

 Enable the port for access mode.

 Enable port security.

 Set the maximum number of MAC addresses to 3.

 Statically configure the MAC address aaaa.bbbb.1234.

 Configure the port to dynamically learn additional MAC addresses and dynamically add them to the running configuration.

 Return to privileged EXEC mode.

S1(config)#interface fa0/5
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 3
S1(config-if)#switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#end

Enter the command to verify port security for all interfaces.

S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              3            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

Enter the command to verify port security on FastEthernet 0/5. Use fa0/5 for the interface name.

S1#show port-security interface fa0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0090.2135.6B8C:1
Security Violation Count   : 0

Enter the command that will display all of the addresses to verify that the manually configured and dynamically learned MAC addresses are in the running configuration.

S1#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0090.2135.6b8c    SecureSticky                  Fa0/5        -
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/5        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

You have successfully configured and verified port security for the interface.

14.3.10 SNMP MAC Address Notification

Network managers need a way of monitoring who is using the network and where they are located. For example, if port Fa0/1 is secure on a switch, an SNMP trap is generated when a MAC address entry for that port disappears from the MAC table.

The MAC address notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to, or an old address is deleted from, the forwarding tables. MAC address notifications are generated only for dynamic and secure MAC addresses.

MAC address notification allows the network administrator to monitor MAC addresses that are learned, as well as MAC addresses that age out and are removed from the switch. For example, in the figure, the laptop with MAC C has disconnected from the network. The switch will eventually time out the entry for port Fa0/3 and send an SNMP trap notification to the NMS server.

Use the mac address-table notification global configuration command to enable the MAC address notification feature on a switch. Because the traps travel over SNMP, they are only as trustworthy as the SNMP transport; use SNMPv3 with authentication and privacy, consistent with the management protocol guidance in 14.1.2, so that the notifications cannot be forged or read on the wire.

The figure shows a laptop that has been disconnected from F0/3; as a result, the switch will eventually time out port F0/3 and send an SNMP trap notification to the NMS server.
Mitigate VLAN Attacks

14.4.1 VLAN Hopping Attacks

VLANs are used to create separate broadcast domains on switches. Endpoints that are located in one VLAN are unable to communicate with endpoints on another VLAN unless permitted to do so by a router or Layer 3 switch. VLANs can be used to separate sensitive content from other network traffic. For example, a guest VLAN may be created for visitors to an organization. Those guests should not have access to sensitive corporate content that is carried on other VLANs. VLAN attacks circumvent the intention of a VLAN design by giving unauthorized users access to VLANs that they should not be able to access. Two types of VLAN attacks are VLAN hopping attacks and VLAN double-tagging attacks.

A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch, to take advantage of the automatic trunking feature (dynamic auto) that is enabled by default on most Cisco Catalyst switch ports.

The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to negotiate a trunk with the connecting switch. If successful, the switch establishes a trunk link with the host, as shown in the figure. Now the threat actor can access all the VLANs on the switch. The threat actor can send and receive traffic on any VLAN, effectively hopping between VLANs. No software flaw is exploited; the attack succeeds purely because the port was left able to negotiate a trunk.

14.4.2 VLAN Double-Tagging Attack

In specific situations a threat actor can embed a hidden 802.1Q tag inside a frame that already has an 802.1Q tag. This inner tag allows the frame to go to a VLAN that the outer 802.1Q tag did not specify.

A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. The first switch strips the outer tag because it matches the native VLAN, which is carried untagged over the trunk, and forwards the frame across the trunk with only the inner tag still present; the next switch reads the inner tag and delivers the frame into that VLAN. The idea is that double tagging allows the attacker to send data to hosts or servers on a VLAN that would otherwise be blocked by some type of access control configuration. Presumably the return traffic will also be permitted, giving the attacker the ability to communicate with devices on the normally blocked VLAN.
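The frame handling described above can be made concrete by building the double-tagged frame and modeling the two switches on the path. The following Python is an added example, not from the Cisco module: the MAC addresses, VLAN numbers and the switch behaviors in first_switch() and second_switch() are constructed assumptions that follow the textbook description (an outer tag matching the port's access VLAN is consumed, a frame belonging to the native VLAN crosses the trunk untagged, and a trunk classifies an untagged frame into its native VLAN). double_tag_attack(1, 1, 20) shows the frame landing in VLAN 20 when the attacker sits in the native VLAN, and double_tag_attack(1, 999, 20) shows the same frame staying in VLAN 1 once the native VLAN has been moved, which is the mitigation applied in 14.4.3.

```python
"""802.1Q double tagging: build the attacker's frame and model the two
switches on the path. Added example, not from the Cisco module; MACs, VLAN
numbers and the switch behaviour below are constructed assumptions."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
BCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER = "02:00:00:00:00:01"      # constructed attacker MAC


def mac_bytes(mac):
    return mac if isinstance(mac, bytes) else bytes(int(x, 16) for x in mac.split(":"))


def dot1q_frame(dst, src, vlans, ethertype=ETH_P_IP, payload=b""):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # TPID, then PCP/DEI=0 + VID
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into (dst, src, vlan list, ethertype, payload)."""
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return dst, src, vlans, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def first_switch(frame, access_vlan, native_vlan):
    """Access-port ingress, trunk egress (modelled assumptions): an outer tag
    equal to the port's access VLAN is consumed, any other tag on an access
    port is dropped, and the frame leaves untagged when its VLAN is the
    trunk's native VLAN, tagged with that VLAN otherwise."""
    dst, src, vlans, et, payload = parse_frame(frame)
    if vlans:
        if vlans[0] != access_vlan:
            return None
        vlans = vlans[1:]                     # the inner tag survives untouched
    if access_vlan != native_vlan:
        vlans = [access_vlan] + vlans         # non-native VLANs are tagged on the trunk
    return dot1q_frame(dst, src, vlans, et, payload)


def second_switch(frame, native_vlan):
    """Trunk ingress: untagged means native VLAN, otherwise the outermost tag
    decides. Returns the VLAN the frame is delivered into, or None."""
    if frame is None:
        return None
    vlans = parse_frame(frame)[2]
    return vlans[0] if vlans else native_vlan


def double_tag_attack(attacker_vlan, native_vlan, target_vlan):
    """Attacker in attacker_vlan sends outer tag = own VLAN, inner tag = target."""
    frame = dot1q_frame(BCAST, ATTACKER, [attacker_vlan, target_vlan],
                        payload=b"\x45" + b"\x00" * 19)   # constructed IPv4-like payload
    return second_switch(first_switch(frame, attacker_vlan, native_vlan), native_vlan)
```

The second call also shows why the mitigation works even though the attacker still controls both tags: once the attacker's VLAN is no longer the native VLAN, the first switch re-tags the frame with the attacker's own VLAN on the way out, and that outer tag is what the next switch honors.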

VLAN Attack Mitigation

VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines, as discussed in a previous module:

 Disable trunking on all access ports.

 Disable auto trunking on trunk links so that trunks must be manually enabled.

 Be sure that the native VLAN is only used for trunk links, and that no access port is assigned to it.

14.4.3 Mitigating VLAN Hopping Attacks

Use the following steps to mitigate VLAN hopping attacks:

Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN. In the example it is VLAN 1000.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.

For example, assume the following:

 FastEthernet ports 0/1 through 0/16 are active access ports

 FastEthernet ports 0/17 through 0/20 are not currently in use

 FastEthernet ports 0/21 through 0/24 are trunk ports.

VLAN hopping can be mitigated by implementing the following configuration.

 FastEthernet ports 0/1 to 0/16 are access ports, and therefore trunking is disabled by explicitly making them access ports.

 FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an unused VLAN.

 FastEthernet ports 0/21 to 0/24 are trunk links and are manually en­abled as trunks with DTP disabled. The native VLAN is also changed from the default VLAN 1 to VLAN 999.

14.4.4 Syntax Checker - Mitigate VLAN Hopping Attacks

Mitigate VLAN hopping attacks on the switch based on the specified requirements.

You are currently logged into S1. The status of the ports is as follows:

 FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.

 FastEthernet ports 0/5 through 0/10 are unused.

 FastEthernet ports 0/11 through 0/24 are active ports currently in use.

Use range fa0/1 - 4 to enter interface configuration mode for the trunks.

S1(config)#interface range fa0/1 - 4

Configure the interfaces as nonnegotiating trunks with native VLAN 99.

S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)#exit

Use range fa0/5 - 10 to enter interface configuration mode for the unused ports.

S1(config)#interface range fa0/5 - 10

Configure the unused ports as access ports, assign them to VLAN 86, and shut down the ports.

S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 86
% Access VLAN does not exist. Creating vlan 86
S1(config-if-range)#shutdown
*Mar 1 00:28:48.883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
*Mar 1 00:28:48.900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
*Mar 1 00:28:48.908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
*Mar 1 00:28:48.917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
*Mar 1 00:28:48.942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
*Mar 1 00:28:48.950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
*Mar 1 00:28:49.890: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar 1 00:28:49.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
S1(config-if-range)#exit

Use range fa0/11 - 24 to enter interface configuration mode for the active ports and then configure them to prevent trunking.

S1(config)#interface range fa0/11 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)#end
S1#

You have successfully mitigated VLAN hopping attacks on this switch.

14.4.5 Private VLANs

VLANs are broadcast domains. However, in some situa ons, it may useful to break this rule and allow
only the minimum required L2 connec vity within the VLAN.

Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

• Promiscuous - A promiscuous port can talk to everyone. It can communicate with all interfaces, including the isolated and community ports within a PVLAN.

• Isolated - An isolated port can only talk to promiscuous ports. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

• Community - Community ports can talk to other community and promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

The example in the figure illustrates which ports can interconnect. The security provided by a PVLAN can be bypassed by using the router as a proxy. For example, in the figure below, PC-A and PC-B are isolated from each other. However, PC-A can initiate an attack against PC-B by sending packets that have the source IP address and MAC address of PC-A, the destination IP address of PC-B, but the destination MAC address of R1. S1 will forward the frame to R1 because F0/5 is configured as a promiscuous port. R1 rebuilds the frame with PC-B's MAC address and forwards it to S1. S1 then forwards the frame to PC-B.

Note: PVLANs are used mainly in service provider co-location sites. Another typical application can be found in hotels where each room would be connected on its own isolated port.

The figure is a topology with a router connected to a switch. Two PCs are also connected to the switch. Each PC is on an isolated port. The router is on a promiscuous port. The primary VLAN is 172.16.0.0/24.

PVLAN Proxy Attack

To mitigate this type of attack, configure an ACL that will deny traffic with a source and destination IP address that belongs to the same subnet, as shown in the configuration below.
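As an added illustration of the PVLAN rules above and of the same-subnet ACL that closes the router proxy path (example code written for this page, not part of the course or of Cisco IOS): a small Python model of which port pairs S1 forwards between, and of the check R1 applies before it would relay a packet back into the same VLAN. F0/5 as the promiscuous port and the 172.16.0.0/24 primary VLAN come from the figure; the other port numbers, the community names and the host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Port descriptors are (port_type, community). The community name is only
# meaningful for community ports and is None for the other two types.

def pvlan_can_forward(src, dst):
    """Return True if a frame may pass from PVLAN port `src` to port `dst`."""
    src_type, src_comm = src
    dst_type, dst_comm = dst
    if "promiscuous" in (src_type, dst_type):
        return True                      # promiscuous ports talk to everyone
    if "isolated" in (src_type, dst_type):
        return False                     # isolated ports talk only to promiscuous ports
    return src_comm == dst_comm          # community ports: same community only

# Constructed port map in the shape of the figure. F0/5 (R1, promiscuous) is
# from the text; the remaining port numbers and community names are assumptions.
PORTS = {
    "F0/5": ("promiscuous", None),   # R1
    "F0/6": ("isolated", None),      # PC-A
    "F0/7": ("isolated", None),      # PC-B
    "F0/8": ("community", "eng"),
    "F0/9": ("community", "eng"),
    "F0/10": ("community", "sales"),
}

def switch_forwards(src_port, dst_port):
    return pvlan_can_forward(PORTS[src_port], PORTS[dst_port])

# Mitigation from the text: R1 denies packets whose source and destination both
# belong to the primary VLAN's own subnet, so it never relays traffic between
# two hosts the PVLAN was meant to keep apart.
PRIMARY_VLAN_SUBNET = ip_network("172.16.0.0/24")

def router_acl_permits(src_ip, dst_ip, subnet=PRIMARY_VLAN_SUBNET):
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return not (src in subnet and dst in subnet)

def proxy_path_blocked(src_port, src_ip, dst_ip, router_port="F0/5"):
    """Trace the host -> S1 -> R1 path from the figure and report whether the
    packet is stopped before R1 can rebuild it toward the target host."""
    if not switch_forwards(src_port, router_port):
        return True                      # S1 would not even deliver it to R1
    return not router_acl_permits(src_ip, dst_ip)

if __name__ == "__main__":
    print("PC-A -> PC-B directly:", switch_forwards("F0/6", "F0/7"))   # False
    print("PC-A -> R1:", switch_forwards("F0/6", "F0/5"))              # True
    print("proxy attempt stopped at R1:",
          proxy_path_blocked("F0/6", "172.16.0.10", "172.16.0.20"))    # True
```

The forwarding matrix is what the switch enforces; the ACL is the extra rule the text calls for, and the two together are needed because the switch alone cannot tell a legitimately routed packet from one that merely uses R1 as a turnaround point.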
14.4.6 PVLAN Edge Feature

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor.

In such an environment, the use of the PVLAN Edge feature ensures that there is no exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the switch, as shown in the figure. The PVLAN Edge feature is also called Protected Ports.

The PVLAN Edge feature has the following characteristics:

• A protected port does not forward any traffic, such as unicast, multicast, or broadcast, to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

• Forwarding behavior between a protected port and a non-protected port proceeds as usual.

• The default is to have no protected ports defined.

The figure shows a switch connected to a cloud and two computers. There is a server connected to the other side of the cloud. There is a two-way arrow between one computer and the server. There is a two-way arrow between the two computers with a red circle with a red slash over it. There is a two-way arrow between the other computer and the server. The label near the computer reads "protected ports". The label near the middle of the arrow reads "unprotected ports (default)".

Restricting Layer 2 Traffic between Switch Ports

14.4.7 Configure PVLAN Edge

To configure the PVLAN Edge feature, enter the switchport protected interface configuration mode command.

The PVLAN Edge feature can be configured on a physical interface or an EtherChannel group. When the PVLAN Edge feature is enabled for a port channel, it is enabled for all ports in the port-channel group. To disable a protected port, use the no switchport protected interface configuration mode command.

To verify the configuration of the PVLAN Edge feature, use the show interfaces interface-id switchport global configuration mode command, as shown in the example below.

The PVLAN Edge feature has only local significance to the switch, and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port on the same switch. Traffic cannot be forwarded between protected ports at Layer 2 (L2); all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.

Mitigate DHCP Attacks

14.5.1 DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

DHCP Starvation Attack

The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.

Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

DHCP Spoofing Attack

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:

• Wrong default gateway - The rogue server provides an invalid gateway, or its own IP address, to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network and then forwards it on to the real default gateway.

• Wrong DNS server - The rogue server provides an incorrect DNS server address that points the user to a nefarious website.

• Wrong IP address - The rogue server provides an invalid IP address which effectively creates a DoS attack on the DHCP client.
14.5.2 DHCP Attacks Mitigation

It is easy to mitigate DHCP starvation attacks by using port security. However, mitigating DHCP spoofing attacks requires more protection.

For instance, Gobbler uses a unique MAC address for each DHCP request, and port security could be configured to mitigate this. However, Gobbler can also be configured to use the same interface MAC address with a different hardware address for every request. This would render port security ineffective.

DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate against DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the switch can use to filter DHCP messages from untrusted sources. The DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switchport or interface.

Devices under your administrative control, such as switches, routers, and servers, are trusted sources. Any device beyond the firewall or outside your network is an untrusted source. In addition, all access ports are generally treated as untrusted sources. The figure shows an example of trusted and untrusted ports.

Note: In a large network, the DHCP binding table may take time to build after it is enabled. For example, it could take 2 days for DHCP snooping to complete the table if the DHCP lease time is 4 days.

When DHCP snooping is enabled on an interface or VLAN, and a switch receives a packet on an untrusted port, the switch compares the source packet information with that held in the DHCP snooping binding table. The switch will deny packets containing specific information:

• Unauthorized DHCP server messages from an untrusted port

• Unauthorized DHCP client messages not adhering to the snooping binding table or rate limits

• DHCP relay-agent packets that include option-82 information on an untrusted port

Note: To counter Gobbler using the same MAC address, DHCP snooping also makes the switch check the Client Hardware Address (CHADDR) field in the DHCP request. This ensures that it matches the hardware MAC address in the DHCP snooping binding table and the MAC address in the MAC table. If there is no match, the request is dropped.

Note: Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because IPv6 devices can also receive their addressing information from the router's Router Advertisement (RA) message, there are also mitigation solutions to prevent any rogue RA messages.
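The filtering described in 14.5.2, including the CHADDR check from the note and the per-port rate limit, as an added Python model of a DHCP snooping switch (example code written for this page, not Cisco's implementation). The trusted/untrusted port layout follows 14.5.4 (F0/1 to the DHCP server, F0/5 to a PC); the client MAC, IP address and lease value are borrowed from the show ip dhcp snooping binding output later in this module, while the server MAC, the rogue MAC addresses and the extra ports F0/6 and F0/7 are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMessage:
    """Constructed, simplified view of one DHCP message as the switch sees it."""
    ingress_port: str
    vlan: int
    src_mac: str            # Ethernet source MAC of the frame
    chaddr: str             # Client Hardware Address field in the DHCP payload
    msg_type: str           # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    yiaddr: str = ""        # address handed out by the server (OFFER/ACK)
    lease: int = 0          # lease time in seconds (ACK)
    has_option82: bool = False
    timestamp: float = 0.0  # seconds; drives the per-port rate limit

@dataclass
class DhcpSnooping:
    trusted_ports: set
    snooping_vlans: set
    rate_limit_pps: dict = field(default_factory=dict)   # untrusted port -> pps
    binding_table: dict = field(default_factory=dict)    # (chaddr, vlan) -> entry
    _pending: dict = field(default_factory=dict)         # (chaddr, vlan) -> client port
    _window: dict = field(default_factory=dict)          # port -> deque of timestamps

    def _rate_exceeded(self, msg):
        # Sliding one-second window per port; a simplification of the
        # "ip dhcp snooping limit rate" behaviour described in the text.
        limit = self.rate_limit_pps.get(msg.ingress_port)
        if limit is None:
            return False
        window = self._window.setdefault(msg.ingress_port, deque())
        window.append(msg.timestamp)
        while msg.timestamp - window[0] >= 1.0:
            window.popleft()
        return len(window) > limit

    def process(self, msg):
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        if msg.vlan not in self.snooping_vlans:
            return "forward"                       # snooping not enabled on this VLAN
        key = (msg.chaddr.lower(), msg.vlan)
        if msg.ingress_port in self.trusted_ports:
            # Server replies are only accepted here; a successful ACK creates the
            # binding (client MAC, IP, lease, type, VLAN, interface) from the text.
            if msg.msg_type == "ACK" and key in self._pending:
                self.binding_table[key] = {
                    "ip": msg.yiaddr, "lease": msg.lease, "type": "dhcp-snooping",
                    "vlan": msg.vlan, "interface": self._pending.pop(key)}
            return "forward"
        # Everything below applies to an untrusted port
        if msg.msg_type in SERVER_MSGS:
            return "drop:rogue-server-message"
        if msg.has_option82:
            return "drop:option82-on-untrusted-port"
        if key[0] != msg.src_mac.lower():
            return "drop:chaddr-mismatch"          # the CHADDR check from the note
        if self._rate_exceeded(msg):
            return "drop:rate-limit"
        if msg.msg_type == "RELEASE":
            entry = self.binding_table.get(key)
            if entry is None or entry["interface"] != msg.ingress_port:
                return "drop:no-matching-binding"  # a host may only release its own lease
        if msg.msg_type in ("DISCOVER", "REQUEST"):
            self._pending[key] = msg.ingress_port
        return "forward"

def demo():
    """Constructed exchange on S1: F0/1 trusted (DHCP server), F0/5-F0/7 untrusted."""
    s1 = DhcpSnooping(trusted_ports={"F0/1"}, snooping_vlans={5},
                      rate_limit_pps={"F0/5": 6, "F0/6": 6, "F0/7": 6})
    client, server, rogue = "00:03:47:b5:9f:ad", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    results = [
        s1.process(DhcpMessage("F0/5", 5, client, client, "DISCOVER")),
        s1.process(DhcpMessage("F0/1", 5, server, client, "OFFER", yiaddr="10.0.0.10")),
        s1.process(DhcpMessage("F0/5", 5, client, client, "REQUEST")),
        s1.process(DhcpMessage("F0/1", 5, server, client, "ACK", yiaddr="10.0.0.10", lease=193185)),
        # a server reply arriving on an access port
        s1.process(DhcpMessage("F0/6", 5, rogue, client, "OFFER", yiaddr="10.0.0.99")),
        # a forged CHADDR behind the port's real interface MAC
        s1.process(DhcpMessage("F0/6", 5, rogue, "00:de:ad:be:ef:00", "DISCOVER")),
        # a RELEASE for the lease that belongs to the client on F0/5
        s1.process(DhcpMessage("F0/6", 5, client, client, "RELEASE")),
    ]
    # seven DISCOVERs in under a second against a limit of six per second
    results += [s1.process(DhcpMessage("F0/7", 5, "00:00:00:00:00:07", "00:00:00:00:00:07",
                                       "DISCOVER", timestamp=i * 0.1)) for i in range(7)]
    return results, s1.binding_table
```

The order of the checks matters for what ends up in the log: a server message on an access port is rejected before any rate accounting, so a rogue server cannot push a port into its rate limit, and the CHADDR comparison runs before the binding lookup because a forged hardware address must never create a pending entry.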

14.5.3 Steps to Implement DHCP Snooping

Use the following steps to enable DHCP snooping:

Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.

14.5.4 DHCP Snooping Configuration Example

The reference topology for this DHCP snooping example is shown in the figure. Notice that F0/5 is an untrusted port because it connects to a PC. F0/1 is a trusted port because it connects to the DHCP server.

The following is an example of how to configure DHCP snooping on S1. Notice how DHCP snooping is first enabled. Then the upstream interface to the DHCP server is explicitly trusted. Next, the range of FastEthernet ports from F0/5 to F0/24 are untrusted by default, so a rate limit is set to six packets per second. Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping and show ip dhcp snooping binding to view the clients that have received DHCP information, as shown in the example.

Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI), which is the next topic.

14.5.5 Syntax Checker - Mitigate DHCP Attacks

Implement DHCP snooping for a switch based on the following topology and specified requirements. You are currently logged into S1. Enable DHCP snooping globally for the switch.

S1(config)#ip dhcp snooping

Enter interface configuration mode for g0/1 - 2, trust the interfaces, and return to global configuration mode.

S1(config)#interface range g0/1 - 2

S1(config-if-range)#ip dhcp snooping trust

S1(config-if-range)#exit

Enter interface configuration mode for f0/1 - 24, limit the DHCP messages to no more than 10 per second, and return to global configuration mode.

S1(config)#interface range f0/1 - 24

S1(config-if-range)#ip dhcp snooping limit rate 10

S1(config-if-range)#exit

Enable DHCP snooping for VLANs 10,20,30-49.

S1(config)#ip dhcp snooping vlan 10,20,30-49

S1(config)# exit

Enter the command to verify DHCP snooping.

S1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30-49
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/1            no         no              10
  Custom circuit-ids:

Enter the command to verify the current DHCP bindings logged by DHCP snooping.

S1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.0.0.10        193185      dhcp-snooping  5     FastEthernet0/1

S1#

You have successfully configured and verified DHCP snooping for the switch.
Mitigate ARP Attacks

14.6.1 ARP Attacks

Recall that hosts broadcast ARP Requests to determine the MAC address of a host with a particular IPv4 address. This is typically done to discover the MAC address of the default gateway. All hosts on the subnet receive and process the ARP Request. The host with the matching IPv4 address in the ARP Request sends an ARP Reply.

According to the ARP RFC, a client is allowed to send an unsolicited ARP Request called a "gratuitous ARP." When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their ARP tables.

The problem is that an attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and the switch would update its MAC table accordingly. Therefore, any host can claim to be the owner of any IP and MAC address combination they choose. In a typical attack, a threat actor can send unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the threat actor and the IPv4 address of the default gateway.

There are many tools available on the internet to create ARP man-in-the-middle attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the way IPv6 prevents a spoofed ARP Reply.

ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).
14.6.3 Dynamic ARP Inspection

In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.

Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:

• Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN

• Intercepting all ARP Requests and Replies on untrusted ports

• Verifying each intercepted packet for a valid IP-to-MAC binding

• Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning

• Error-disabling the interface if the configured DAI number of ARP packets is exceeded
14.6.4 DAI Implementation Guidelines

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

• Enable DHCP snooping globally.

• Enable DHCP snooping on selected VLANs.

• Enable DAI on selected VLANs.

• Configure trusted interfaces for DHCP snooping and ARP inspection.

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.

The sample topology in the figure identifies trusted and untrusted ports.

14.6.5 DAI Configuration Example

In the previous topology, S1 is connecting two users on VLAN 10. DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks.

As shown in the example, DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10. The uplink port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP inspection.

DAI can also be configured to check the destination MAC, source MAC, and IP addresses:

• Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP packet body

• Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP packet body

• IP address - Checks the ARP packet body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses

The ip arp inspection validate {src-mac [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid. It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are specified in the Ethernet header. Notice in the following example how only one command can be configured. Therefore, entering multiple ip arp inspection validate commands overwrites the previous command. To include more than one validation method, enter them on the same command line as shown and verified in the following output.
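The DAI checks listed in 14.6.3 together with the three validate options above, as an added Python model (example code written for this page, not Cisco's implementation). The VLAN 10 layout follows 14.6.5, and the two PC addresses reuse the 192.168.10.10 and 192.168.10.11 bindings shown in the IP Source Guard output later in this module; the MAC addresses, the packet-count limit on F0/2 and the choice to apply the dst-mac check only to replies are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ArpPacket:
    """Constructed view of one ARP frame as DAI intercepts it."""
    ingress_port: str
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_mac: str    # ARP body: sender hardware address
    sender_ip: str     # ARP body: sender protocol address
    target_mac: str    # ARP body: target hardware address
    target_ip: str     # ARP body: target protocol address
    opcode: str        # "request" or "reply"

def _invalid_ip(ip):
    # The invalid/unexpected addresses named in the text: 0.0.0.0,
    # 255.255.255.255 and any IP multicast address (224.0.0.0/4).
    if ip in ("0.0.0.0", "255.255.255.255"):
        return True
    return 224 <= int(ip.split(".")[0]) <= 239

class DynamicArpInspection:
    def __init__(self, bindings, trusted_ports, validate=(), port_limit=None):
        self.bindings = {(m.lower(), v): ip for (m, v), ip in bindings.items()}
        self.trusted_ports = set(trusted_ports)
        self.validate = set(validate)          # any of "src-mac", "dst-mac", "ip"
        self.port_limit = port_limit or {}     # port -> max ARP packets (simplified: no timer)
        self.seen = {}                         # port -> packets inspected so far
        self.errdisabled = set()
        self.log = []                          # dropped packets, as a syslog/SIEM would see them

    def inspect(self, pkt):
        """Return 'forward' or 'drop:<reason>'; only untrusted ports are checked."""
        port = pkt.ingress_port
        if port in self.trusted_ports:
            return "forward"
        if port in self.errdisabled:
            return "drop:port-err-disabled"
        self.seen[port] = self.seen.get(port, 0) + 1
        if port in self.port_limit and self.seen[port] > self.port_limit[port]:
            self.errdisabled.add(port)
            return "drop:port-err-disabled"
        reason = self._violation(pkt)
        if reason:
            self.log.append((port, pkt.sender_mac, pkt.sender_ip, reason))
            return "drop:" + reason
        return "forward"

    def _violation(self, pkt):
        # Core check: the sender IP/MAC pair must exist in the DHCP snooping table
        if self.bindings.get((pkt.sender_mac.lower(), pkt.vlan)) != pkt.sender_ip:
            return "invalid-ip-to-mac-binding"
        # Optional checks enabled with "ip arp inspection validate ..."
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "src-mac-mismatch"
        if ("dst-mac" in self.validate and pkt.opcode == "reply"
                and pkt.eth_dst.lower() != pkt.target_mac.lower()):
            return "dst-mac-mismatch"    # replies only; requests carry a broadcast dst (assumed)
        if "ip" in self.validate:
            ips = [pkt.sender_ip] + ([pkt.target_ip] if pkt.opcode == "reply" else [])
            if any(_invalid_ip(ip) for ip in ips):
                return "invalid-ip-address"
        return None

def demo():
    """Constructed VLAN 10 scenario: PCs on F0/1 and F0/2, uplink G0/1 trusted."""
    bindings = {("00:03:47:b5:9f:ad", 10): "192.168.10.10",   # PC on F0/1
                ("00:0c:29:aa:bb:cc", 10): "192.168.10.11"}   # PC on F0/2
    dai = DynamicArpInspection(bindings, trusted_ports={"G0/1"},
                               validate={"src-mac", "dst-mac", "ip"}, port_limit={"F0/2": 2})
    pc1, pc2 = "00:03:47:b5:9f:ad", "00:0c:29:aa:bb:cc"
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    return [
        # legitimate request for the gateway's MAC
        dai.inspect(ArpPacket("F0/1", 10, pc1, bcast, pc1, "192.168.10.10", zero, "192.168.10.1", "request")),
        # the reply from 14.6.1: PC2's MAC paired with the gateway's IP
        dai.inspect(ArpPacket("F0/2", 10, pc2, pc1, pc2, "192.168.10.1", pc1, "192.168.10.10", "reply")),
        # Ethernet source differs from the ARP sender MAC
        dai.inspect(ArpPacket("F0/2", 10, "00:de:ad:be:ef:00", bcast, pc2, "192.168.10.11", zero, "192.168.10.1", "request")),
        # reply whose target address is a multicast address
        dai.inspect(ArpPacket("F0/1", 10, pc1, pc2, pc1, "192.168.10.10", pc2, "224.0.0.1", "reply")),
        # third packet on F0/2 exceeds its limit of two: the port goes err-disabled
        dai.inspect(ArpPacket("F0/2", 10, pc2, bcast, pc2, "192.168.10.11", zero, "192.168.10.1", "request")),
        # the trusted uplink is not inspected at all
        dai.inspect(ArpPacket("G0/1", 10, "00:00:0c:07:ac:01", bcast, "00:00:0c:07:ac:01", "192.168.10.1", zero, "192.168.10.10", "request")),
    ]
```

The binding lookup alone already stops the gateway-impersonation reply; the validate options catch packets whose ARP body is internally consistent with a binding but whose Ethernet header or addresses are not, which is why the text recommends enabling more than one of them on the same command line.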

14.6.6 Syntax Checker - Mitigate ARP Attacks

Implement DAI for a switch based on the following topology and specified requirements.

You are currently logged into S1. Enable DHCP snooping globally for the switch.

S1(config)#ip dhcp snooping

Enter interface configuration mode for g0/1 - 2, trust the interfaces for both DHCP snooping and DAI, and then return to global configuration mode.

S1(config)#interface range g0/1 - 2

S1(config-if-range)#ip dhcp snooping trust

S1(config-if-range)#ip arp inspection trust

S1(config-if-range)#exit

Enable DHCP snooping and DAI for VLANs 10,20,30-49.

S1(config)#ip dhcp snooping vlan 10,20,30-49

S1(config)#ip arp inspection vlan 10,20,30-49

S1(config)#

You have successfully configured DAI for the switch.

Mitigate Address Spoofing Attacks

14.7.1 Address Spoofing Attacks

MAC addresses and IP addresses can be spoofed for a variety of reasons. Spoofing attacks occur when one host poses as another to receive otherwise inaccessible data, or to circumvent security configurations.

The method used by switches to populate the MAC address table leads to a vulnerability known as MAC address spoofing. MAC address spoofing attacks occur when attackers alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly configured MAC address.

The figure shows an attacker and a server connected to a switch. The MAC address of the server is AABBCC. There is an arrow pointing from the attacker to port 2 of the switch with the words "spoofed MAC address AABBCC". There is a MAC address table for the switch with AABBCC in the port 1 cell and nothing in the port 2 cell of the table.

Attacker Spoofs a Server's MAC Address

When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC table entry and assigns the MAC address to the new port, as shown in the figure below.
It

Switch Updates MAC Table with Spoofed Address


When the switch changes the MAC table, the target host does not receive any traffic until it sends traffic. When the target host sends traffic, the switch receives and examines the frame, resulting in the MAC table being rewritten once more, realigning the MAC address to the original port. To stop the switch from returning the spoofed MAC address port assignments to their correct state, the attacking host can create a program or script that will constantly send frames to the switch so that the switch maintains the incorrect or spoofed information. There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC addresses, which is what makes it so vulnerable to spoofing.

IP address spoofing is when a rogue PC hijacks a valid IP address of a neighbor, or uses a random IP address. IP address spoofing is difficult to mitigate, especially when it is used inside a subnet in which the IP belongs.

14.7.2 Address Spoofing Attack Mitigation

To protect against MAC and IP address spoofing, configure the IP Source Guard (IPSG) security feature. IPSG operates just like DAI, but it looks at every packet, not just the ARP packets. Like DAI, IPSG also requires that DHCP snooping be enabled.

Specifically, IPSG is deployed on untrusted Layer 2 access and trunk ports. IPSG dynamically maintains per-port VLAN ACLs (PVACL) based on IP-to-MAC-to-switch-port bindings. Initially, all IP traffic on the port is blocked, except for DHCP packets that are captured by the DHCP snooping process. A PVACL is installed on the port when a client receives a valid IP address from the DHCP server or when a static IP source binding is configured by the user.

This process restricts the client IP traffic to those source IP addresses that are configured in the binding. Any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits the ability of a host to attack the network by claiming the IP address of a neighbor host.

For each untrusted port, there are two possible levels of IP traffic security filtering:

• Source IP address filter - IP traffic is filtered based on its source IP address and only IP traffic with a source IP address that matches the IP source binding entry is permitted. When a new IP source entry binding is created or deleted on the port, the PVACL automatically adjusts itself to reflect the IP source binding change.

• Source IP and MAC address filter - IP traffic is filtered based on its source IP address in addition to its MAC address. Only IP traffic with source IP and MAC addresses that match the IP source binding entry are permitted.
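The two filtering levels and the PVACL behaviour described above (blocked until a binding exists, DHCP always allowed, the ACL adjusting as bindings come and go), as an added Python model (example code written for this page, not the IOS implementation). The bindings mirror the show ip verify source output in 14.7.4, with 192.168.10.10 on F0/1 and 192.168.10.11 on F0/2 in VLAN 10; the MAC addresses, the ip-mac mode on F0/2 and the unguarded port F0/3 are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceBinding:
    """One IP source binding, learned by DHCP snooping or configured statically."""
    port: str
    vlan: int
    ip: str
    mac: str
    origin: str = "dhcp-snooping"   # or "static"

class IpSourceGuard:
    """Per-port filter (the text's PVACL) rebuilt from the current bindings.

    filter_mode maps each guarded port to "ip" (source IP filter) or "ip-mac"
    (source IP and MAC filter), the two levels described in 14.7.2.
    """
    def __init__(self, filter_mode):
        self.filter_mode = dict(filter_mode)
        self.pvacl = {p: set() for p in self.filter_mode}   # port -> {(vlan, ip, mac)}

    def add_binding(self, b):
        # A new binding on a guarded port extends that port's PVACL at once
        if b.port in self.pvacl:
            self.pvacl[b.port].add((b.vlan, b.ip, b.mac.lower()))

    def remove_binding(self, b):
        # Lease expiry or deletion shrinks the PVACL; the address is blocked again
        if b.port in self.pvacl:
            self.pvacl[b.port].discard((b.vlan, b.ip, b.mac.lower()))

    def permits(self, port, vlan, src_ip, src_mac, is_dhcp=False):
        """Decide whether an IP packet entering `port` is allowed through."""
        mode = self.filter_mode.get(port)
        if mode is None:
            return True          # IPSG not enabled on this port
        if is_dhcp:
            return True          # DHCP is always let through so a lease can be obtained
        for b_vlan, b_ip, b_mac in self.pvacl[port]:
            if b_vlan == vlan and b_ip == src_ip and (mode == "ip" or b_mac == src_mac.lower()):
                return True
        return False

    def show(self):
        """Rows in the spirit of show ip verify source:
        (port, filter-type, filter-mode, ip, mac, vlan)."""
        rows = []
        for port, mode in sorted(self.filter_mode.items()):
            entries = sorted(self.pvacl[port])
            if not entries:
                rows.append((port, mode, "active", "deny-all", None, None))
            for vlan, ip, mac in entries:
                rows.append((port, mode, "active", ip, mac if mode == "ip-mac" else None, vlan))
        return rows

def demo():
    """Constructed scenario: F0/1 guarded by source IP, F0/2 by source IP and MAC."""
    ipsg = IpSourceGuard({"F0/1": "ip", "F0/2": "ip-mac"})
    b1 = SourceBinding("F0/1", 10, "192.168.10.10", "00:03:47:b5:9f:ad")
    b2 = SourceBinding("F0/2", 10, "192.168.10.11", "00:0c:29:aa:bb:cc")
    ipsg.add_binding(b1)
    ipsg.add_binding(b2)
    results = {
        "own address": ipsg.permits("F0/1", 10, "192.168.10.10", "00:03:47:b5:9f:ad"),
        "neighbour's address": ipsg.permits("F0/1", 10, "192.168.10.11", "00:03:47:b5:9f:ad"),
        "dhcp before lease": ipsg.permits("F0/1", 10, "0.0.0.0", "00:03:47:b5:9f:ad", is_dhcp=True),
        "unguarded port": ipsg.permits("F0/3", 10, "192.168.10.99", "00:00:00:00:00:99"),
        "ip-mac right ip wrong mac": ipsg.permits("F0/2", 10, "192.168.10.11", "00:de:ad:be:ef:00"),
        "ip-mac right ip right mac": ipsg.permits("F0/2", 10, "192.168.10.11", "00:0C:29:AA:BB:CC"),
    }
    ipsg.remove_binding(b1)    # lease expired: F0/1 falls back to deny-all
    results["after lease expiry"] = ipsg.permits("F0/1", 10, "192.168.10.10", "00:03:47:b5:9f:ad")
    return results
```

The "neighbour's address" case is the attack the section is about: the host on F0/1 sourcing packets from 192.168.10.11 is dropped because that address is bound to F0/2, even though nothing at Layer 2 would otherwise stop the frame.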

14.7.3 Configure IP Source Guard

Examine the IP Source Guard reference topology that is shown in the figure.

IP Source Guard is enabled on untrusted ports using the ip verify source command as shown in the configuration below. Remember that the feature can only be configured on a Layer 2 access or trunk port and that DHCP snooping is required to learn valid IP address and MAC address pairs.

Use the show ip verify source command to verify the IP Source Guard configuration, as shown below. In the example, the F0/1 and F0/2 ports are configured with IP Source Guard. Each interface has one valid DHCP binding.

14.7.4 Syntax Checker - Configure IP Source Guard

Enable IP source guard on untrusted interfaces F0/1 - 2.

S1(config)#interface range F0/1 - 2

S1(config-if-range)#ip verify source

Use the do command from inside global config mode to display the IP source guard settings.

S1(config-if-range)#do show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
F0/1       ip           active       192.168.10.10                       10
F0/2       ip           active       192.168.10.11                       10

S1(config-if-range)#

You have successfully configured IP source guard.

Spanning Tree Protocol

14.8.1 Spanning Tree Protocol

Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology. IEEE 802.1D is the original IEEE MAC Bridging standard for STP.

Click Play in the figure to view an animation of STP in action.

STP Normal Operation

Steps:

PC1 sends a broadcast frame

S2 forwards the broadcast out all ports, except the originating port and blocked port

S1 forwards the broadcast out all ports, except the originating port

S3 receives the frame and forwards it back to S2

S2 drops the frame because it received it on a blocked port

14.8.2 STP Recalculation

Click Play in the next figure to view an animation of STP recalculation when a failure occurs.

STP Compensates for Network Failure

The Trunk link between S2 and S1 has failed

S2 unblocks the port for trunk 2

PC1 sends a broadcast frame to S2

S2 forwards broadcast out all switch ports, except the originating port and the failed link for trunk 1

S3 forwards the broadcast out all available switch ports, except the originating ports

S1 forwards the broadcast only out of F0/3

14.8.3 Layer 2 Loops

Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown unicast frames to loop endlessly. This can bring down a network within a very short amount of time, sometimes in just a few seconds. For example, broadcast frames, such as an ARP Request, are forwarded out all of the switch ports, except the original ingress port. This ensures that all devices in a broadcast domain are able to receive the frame. If there is more than one path for the frame to be forwarded out of, an endless loop can result. When a loop occurs, the MAC address table on a switch will constantly change with the updates from the broadcast frames, which results in MAC database instability. This can cause high CPU utilization, which makes the switch unable to forward frames.

Broadcast frames are not the only type of frames that are affected by loops. Unknown unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device. An unknown unicast frame is when the switch does not have the destination MAC address in its MAC address table and must forward the frame out all ports, except the ingress port.

Click Play in the figure to view the animation. When the animation pauses, read the text describing the action. The animation will continue after the short pause.

The figure is an animation with the same topology as in the previous animation. There are no blocked ports. PC1 sends a broadcast frame. S2 updates the MAC address table. PC1's MAC address is mapped to F0/11. S2 forwards the broadcast out all ports, except the receiving port. S3 and S1 update their MAC address tables with PC1 information. S3 and S1 forward the broadcast out all ports, except the receiving port. S1 and S3 receive a packet from PC1 on a new port. They update their MAC address table accordingly. S1 and S3 forward the broadcast out all ports, except the receiving port. S2 updates its MAC address table for PC1 with the last port on which it received the broadcast frame. S2 forwards the broadcast frame out all ports, except the last received port. The cycle starts again.

14.8.4 STP Port Roles

The spanning tree algorithm designates a single switch as the root bridge and uses it as the reference point for all path calculations. In the figure, the root bridge (switch S1) is chosen through an election process. All switches that participate in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network. The switch with the lowest BID automatically becomes the root bridge for the spanning tree algorithm calculations.

Note: For simplicity, assume until otherwise indicated that all ports on all switches are assigned to VLAN 1. The switches are configured with the default PVST+. Each switch has a unique MAC address associated with VLAN 1.

The figure is the same topology as the previous animations. S1 is labeled root bridge with the ports connected to the other switches labeled designated port. The port on the switch to which each connection goes is labeled root port. The ports between the two other switches are labeled designated port and alternate port. The alternate port has a red circle with a red slash over it.

STP Ports

A BPDU is a messaging frame that is exchanged by switches for STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The BID contains a priority value, the MAC address of the sending switch, and an optional extended system ID. The lowest BID value is determined by the combination of these three fields.

After the root bridge has been determined, the spanning tree algorithm calculates the shortest path to it. Each switch uses the spanning tree algorithm to determine which ports to block. While the spanning tree algorithm determines the best paths to the root bridge for all switch ports in the broadcast domain, traffic is prevented from being forwarded through the network. The spanning tree algorithm considers both path and port costs when determining which ports to block. The path costs are calculated using port cost values associated with port speeds for each switch port along a given path. The sum of the port cost values determines the overall path cost to the root bridge. If there is more than one path to choose from, the spanning tree algorithm chooses the path with the lowest path cost.

When the spanning tree algorithm has determined which paths are most desirable relative to each switch, it assigns port roles to the participating switch ports. The STP port roles are:

• Alternate - Alternate or backup ports are configured to be in a blocking state to prevent loops. Alternate ports are selected only on trunk links where neither end is a root port.

• Root - Root ports are switch ports that are closest to the root bridge.

• Designated - Designated ports are all non-root ports that STP permits to forward traffic on the network. Designated ports are selected on a per-trunk basis. If one end of a trunk is a root port, then the other end is a designated port. All ports on the root bridge are designated ports.

The figure above shows the relationship of the port roles in the network to the root bridge and whether they are allowed to forward traffic. In the figure, only one end of Trunk2 is blocked. This allows for faster transition to a forwarding state when a change in the network makes it necessary.

Note: A port that is administratively shut down is referred to as a disabled port.

14.8.5 STP Root Bridge

As shown in the figure, every spanning tree instance (switched LAN or broadcast domain) has a switch designated as the root bridge. The root bridge serves as a reference point for all spanning tree calculations to determine which redundant paths to block.

An election process determines which switch becomes the root bridge.

The figure below shows the BID fields. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

The figure shows the bridge ID fields. These include priority, the extended system ID, and the MAC address.

Bridge ID (BID) Fields

All switches in the broadcast domain participate in the election process. After a switch boots, it begins to send out BPDU frames every two seconds. These BPDU frames contain the switch BID and the root ID.

As the switches forward their BPDU frames, switches in the broadcast domain read the root ID information from the BPDU frames. If the root ID from a BPDU that has been received is lower than the root ID on the receiving switch, then the receiving switch updates its root ID, which identifies the adjacent switch as the root bridge. The switch then forwards new BPDU frames with the lower root ID to the other switches. Eventually, the switch with the lowest BID ends up being identified as the root bridge for the spanning tree instance.

There is a root bridge elected for each spanning tree instance. It is possible to have multiple distinct root bridges. If all ports on all switches are members of VLAN 1, then there is only one spanning tree instance. The extended system ID plays a role in how spanning tree instances are determined.

14.8.6 STP Path Cost

When the root bridge has been elected for the spanning tree instance, the spanning tree algorithm
starts the process of determining the best paths to the root bridge from all destinations in the
broadcast domain. The path information is determined by summing up the individual port costs
along the path from the destination to the root bridge. Each “destination” is actually a switch port.

The default port costs are defined by the speed at which the port operates. As shown in the table, 10
Gb/s Ethernet ports have a port cost of 2, 1 Gb/s Ethernet ports have a port cost of 4, 100 Mb/s Fast
Ethernet ports have a port cost of 19, and 10 Mb/s Ethernet ports have a port cost of 100.

Link Speed and Name   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gb/s               2                                   1
1 Gb/s                4                                   1
100 Mb/s              19                                  10
10 Mb/s               100                                 100

Note: As newer, faster Ethernet technologies become available, the path cost values may change to
accommodate the new speeds. The non-linear numbers in the table accommodate some
improvements to the older Ethernet standard. The values have changed to accommodate the 10
Gb/s Ethernet standard. To illustrate the continued change associated with high-speed networking,
Catalyst 4500 and 6500 switches support a longer path cost method; for example, 10 Gb/s has a 2000
path cost, 100 Gb/s has a 200 path cost, and 1 Tb/s has a 20 path cost.

Although switch ports have a default port cost associated with them, the port cost is configurable.
The ability to configure individual port costs gives the administrator the flexibility to manually control
the spanning tree paths to the root bridge.

To configure the port cost of an interface, enter the spanning-tree cost value command in interface
configuration mode. The value can be between 1 and 200,000,000.

In the example below, switch port F0/1 has been configured with a port cost of 25 using
the spanning-tree cost 25 interface configuration mode command on the F0/1 interface.

To restore the port cost back to the default value of 19, enter the no spanning-tree cost interface
configuration mode command.

The path cost is equal to the sum of all the port costs along the path to the root bridge. Paths with
the lowest cost become preferred, and all other redundant paths are blocked. In the example below,
the path cost from S2 to the root bridge S1 over Path 1 is 19 (based on the IEEE-specified individual
port cost), while the path cost over Path 2 is two times 19, or 38. Because Path 1 has a lower overall
path cost to the root bridge, it is the preferred path. STP then configures the redundant path to be
blocked, preventing a loop from occurring.

To verify the port and path cost to the root bridge, enter the show spanning-tree command. The
Cost field is the total path cost to the root bridge. This value changes depending on how many switch
ports must be traversed to get to the root bridge. In the output below, each interface is also
identified with an individual port cost of 19.

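
The path cost rule above carried through in Python, as an added example that is not part of the Cisco module: the three-switch triangle (S1 root, every link 100 Mb/s, so S2 reaches S1 directly for 19 or through S3 for 38), the switch and port names and the cost overrides that stand in for the spanning-tree cost command are all constructed. It goes a step beyond the single S2 case in the text by computing the root path cost and the Desg/Root/Altn role of every port for any topology handed to it.

```python
"""Root path cost and port role selection on a small STP topology.

Added example, not part of the Cisco module: the triangle topology,
switch and port names are constructed; port costs come from the
module's table (revised IEEE short method).
"""
import heapq

DEFAULT_COST = {"10G": 2, "1G": 4, "100M": 19, "10M": 100}

# Constructed topology: S1 is the root; every link is 100 Mb/s (cost 19).
# Link = (switch_a, port_a, switch_b, port_b, speed)
LINKS = [
    ("S1", "F0/1", "S2", "F0/1", "100M"),   # Path 1: S2 -> S1 directly
    ("S1", "F0/2", "S3", "F0/1", "100M"),
    ("S2", "F0/2", "S3", "F0/2", "100M"),   # Path 2: S2 -> S3 -> S1
]


def port_costs(links, overrides=None):
    """Cost of every port; overrides model 'spanning-tree cost N' on a port."""
    costs = {}
    for a, pa, b, pb, speed in links:
        costs[(a, pa)] = DEFAULT_COST[speed]
        costs[(b, pb)] = DEFAULT_COST[speed]
    costs.update(overrides or {})
    return costs


def root_path_costs(links, root, overrides=None):
    """Lowest-cost path from every switch to the root (Dijkstra).

    A switch's root path cost is the cost carried in the best BPDU it
    receives plus the cost of the port that BPDU arrived on, so the hop
    a -> b adds the cost of b's port facing a, not of a's port.
    Returns {switch: (cost, root_port, [root, ..., switch])}.
    """
    costs = port_costs(links, overrides)
    nbrs = {}
    for a, pa, b, pb, _ in links:
        nbrs.setdefault(a, []).append((b, pb))   # reach b through b's port pb
        nbrs.setdefault(b, []).append((a, pa))
    best = {root: (0, None, [root])}
    heap = [(0, root)]
    while heap:
        cost, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue
        for nxt, in_port in nbrs.get(sw, []):
            new_cost = cost + costs[(nxt, in_port)]
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, in_port, best[sw][2] + [nxt])
                heapq.heappush(heap, (new_cost, nxt))
    return best


def port_roles(links, root, overrides=None):
    """Role of every port: Desg (forwarding), Root (forwarding) or Altn (blocked)."""
    best = root_path_costs(links, root, overrides)
    roles = {}
    for a, pa, b, pb, _ in links:
        # The designated end of a segment is the switch with the lower root
        # path cost; on a tie the lower bridge ID wins (switch name stands in).
        if (best[a][0], a) <= (best[b][0], b):
            desg, other = (a, pa), (b, pb)
        else:
            desg, other = (b, pb), (a, pa)
        roles[desg] = "Desg"
        sw, port = other
        roles[other] = "Root" if best[sw][1] == port else "Altn"
    return roles


if __name__ == "__main__":
    # Default costs: S2 prefers Path 1 (19) over Path 2 (19 + 19 = 38) and
    # one side of the S2-S3 segment is blocked to break the loop. A cost of
    # 25 on S2 F0/1 keeps Path 1; a cost of 50 makes STP switch to Path 2.
    for over in (None, {("S2", "F0/1"): 25}, {("S2", "F0/1"): 50}):
        cost, rport, path = root_path_costs(LINKS, "S1", over)["S2"]
        print(f"override={over}: S2 cost {cost} via {rport}, path {'->'.join(path)}")
        print("  blocked:", [p for p, r in port_roles(LINKS, "S1", over).items() if r == "Altn"])
```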
14.8.7 Select the Root Bridge

When an administrator wants a specific switch to become a root bridge, the bridge priority value
must be adjusted to ensure it is lower than the bridge priority values of all the other switches on the
network. There are two different methods to configure the bridge priority value on a Cisco Catalyst
switch.

To ensure that the switch has the lowest bridge priority value, use the spanning-tree vlan vlan-id
root primary command in global configuration mode. The priority for the switch is set to the
predefined value of 24,576 or to the highest multiple of 4,096 that is less than the lowest bridge priority
detected on the network.

If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root secondary global
configuration mode command. This command sets the priority for the switch to the predefined value
of 28,672. This ensures that the alternate switch becomes the root bridge if the primary root bridge
fails. This assumes that the rest of the switches in the network have the default 32,768 priority value
defined.

In this example, S1 has been assigned as the primary root bridge using the spanning-tree vlan 1 root
primary command, and S2 has been configured as the secondary root bridge using the spanning-tree
vlan 1 root secondary command.

Another method for configuring the bridge priority value is using the spanning-tree vlan vlan-id
priority value global configuration mode command. This command gives more granular control
over the bridge priority value. The priority value is configured in increments of 4,096 between 0 and
61,440.

In the example, S3 has been assigned a bridge priority value of 24,576 for VLAN 1 using
the spanning-tree vlan 1 priority 24576 command. This is the equivalent value of the root primary
setting.

To verify the bridge priority of a switch, use the show spanning-tree command. In the example in
Method 2, the priority of the switch was set to 24,576. Also notice that the switch is designated as
the root bridge for the spanning tree instance.
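
The election rule and the priority values that the root primary and root secondary macros choose, as an added example in Python that is not Cisco code: the switch names and MAC addresses are constructed (S1's MAC is the one from the show output in this module), and the 4,096-step validation mirrors the CLI check described above.

```python
"""Model of PVST+ root bridge election and of the priority values that the
'spanning-tree vlan N root primary | secondary' macros select.

Added example, not Cisco code: switch names and MAC addresses are
constructed (the S1 MAC is the one in the module's show output).
"""
from dataclasses import dataclass

PRIORITY_STEP = 4096           # granularity of 'spanning-tree vlan N priority'
ROOT_PRIMARY_DEFAULT = 24576   # 'root primary' value when nobody is lower
ROOT_SECONDARY = 28672         # 'root secondary' value
DEFAULT_PRIORITY = 32768


@dataclass
class Bridge:
    name: str
    mac: str                   # dotted Cisco form, e.g. "000A.0033.0033"
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self, vlan):
        """BID priority field = priority + extended system ID (the VLAN):
        priority 24576 in VLAN 1 is displayed as 24577. The MAC breaks ties."""
        return (self.priority + vlan, self.mac.replace(".", "").lower())


def validate_priority(value):
    """Same rule as the CLI: 0..61440 in increments of 4096."""
    if not 0 <= value <= 61440 or value % PRIORITY_STEP:
        raise ValueError(f"{value}: must be a multiple of 4096 between 0 and 61440")
    return value


def elect_root(bridges, vlan):
    """Lowest bridge ID wins: lowest priority first, then lowest MAC."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def root_primary_priority(observed_priorities):
    """Value 'root primary' picks: 24576, or the highest multiple of 4096
    that is still below the lowest priority seen on the network."""
    lowest = min(observed_priorities, default=DEFAULT_PRIORITY)
    if lowest > ROOT_PRIMARY_DEFAULT:
        return ROOT_PRIMARY_DEFAULT
    candidate = ((lowest - 1) // PRIORITY_STEP) * PRIORITY_STEP
    if candidate < 0:
        raise ValueError("another switch already uses priority 0; root primary cannot win")
    return candidate


def apply_root_macros(bridges, vlan, primary, secondary):
    """Set priorities the way the two macros would and return the elected root."""
    by_name = {b.name: b for b in bridges}
    others = [b.priority for b in bridges if b.name != primary]
    by_name[primary].priority = validate_priority(root_primary_priority(others))
    by_name[secondary].priority = validate_priority(ROOT_SECONDARY)
    return elect_root(bridges, vlan)


def demo():
    """Returns (root with defaults, root after the macros, root if S1 fails)."""
    vlan = 1
    s1 = Bridge("S1", "000A.0033.0033")
    s2 = Bridge("S2", "000A.0022.0022")
    s3 = Bridge("S3", "000A.0011.0011")
    fleet = [s1, s2, s3]
    # With every switch at 32768 the lowest MAC decides, so S3 becomes root,
    # which is usually not the switch the administrator would have chosen.
    before = elect_root(fleet, vlan).name
    root = apply_root_macros(fleet, vlan, primary="S1", secondary="S2")
    # If S1 fails, S2 at 28672 beats the remaining default-priority switches.
    fallback = elect_root([s2, s3], vlan).name
    print(f"default: {before}; after macros: {root.name} BID {root.bridge_id(vlan)}; "
          f"if S1 fails: {fallback}")
    return before, root.name, fallback


if __name__ == "__main__":
    demo()
```

The note under Root Guard later in this module (priority 0 does not guarantee the root role) falls out of the same comparison: two bridges at priority 0 are separated only by MAC address.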

14.8.8 Syntax Checker - Configure and Verify the Root Bridge

You are logged into S3:

• Configure the priority for VLAN 1 on S3 to 24576.

• Enter the end command to return to privileged EXEC mode.

S3(config)#spanning-tree vlan 1 priority 24576
S3(config)#end

------------------------

You are now logged into S2:

• Configure S2 to be the secondary root for VLAN 1.

• Enter the end command to return to privileged EXEC mode.

S2(config)#spanning-tree vlan 1 root secondary
S2(config)#end

------------------------

You are now logged into S1:

• Configure S1 to be the primary root for VLAN 1.

• Enter the end command to return to privileged EXEC mode.

S1(config)#spanning-tree vlan 1 root primary
S1(config)#end

Display the current spanning tree status on S1.

S1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000A.0033.0033
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000A.0033.0033
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------
Fa0/1               Desg FWD 4         128.1    P2p
Fa0/2               Desg FWD 4         128.2    P2p

S1#

You have successfully configured and verified the Root Bridge.


Mitigate STP Attacks
14.9.1 STP Attack

Threat actors can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the
root bridge and changing the topology of a network. Attackers can make their hosts appear as root
bridges and therefore capture all traffic for the immediate switched domain.

To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units
(BPDUs) containing configuration and topology changes that will force spanning-tree recalculations,
as shown in the figure. The BPDUs that are sent by the attacking host announce a lower bridge
priority in an attempt to be elected as the root bridge.

Note: These issues can occur when someone adds an Ethernet switch to the network without any
malicious intent.

If successful, the attacking host becomes the root bridge, as shown in the figure below, and can now
capture a variety of frames that would otherwise not be accessible.

This STP attack is mitigated by implementing BPDU Guard on all access ports.

14.9.2 Mitigating STP Attacks

To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms to enhance the overall
performance of the switches and to reduce the time that is lost during topology changes.

These are the STP stability mechanisms:

• PortFast - PortFast immediately brings an interface that is configured as an access or trunk
port to the forwarding state from a blocking state. This bypasses the listening and learning
states. It should be applied to all end-user ports. PortFast should only be configured when
there is a host attached to the port, and not another switch.

• BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU. It is
typically used on PortFast enabled ports. Apply to all end-user ports.

• Root Guard - Root guard prevents an inappropriate switch from becoming the root bridge.
Root guard limits the switch ports out of which the root bridge may be negotiated. Apply to
all ports which should not become root ports.

• Loop Guard - Loop guard prevents alternate or root ports from becoming designated ports
because of a failure that leads to a unidirectional link. Apply to all ports that are or can
become non-designated.

These features enforce the placement of the root bridge in the network and enforce the STP domain
borders.

The figure highlights the ports on which these features should be implemented.

The figure illustrates the ports where the Cisco STP stability features should be implemented. There
is a primary root bridge and a secondary root bridge connected to each other; both of these ports are
labeled Loop Guard. These root bridges are connected to a switch; these ports on the bridges are
labeled Root Guard and the ports on the switch are labeled Loop Guard. The switch connects to
computers; these ports are labeled PortFast and BPDU Guard.

STP Stability Mechanisms


14.9.3 Configure PortFast

PortFast bypasses the STP listening and learning states to minimize the time that access ports must
wait for STP to converge. If PortFast is enabled on a port connecting to another switch, there is a risk
of creating a spanning-tree loop.

PortFast can be enabled on an interface by using the spanning-tree portfast interface configuration
command. Alternatively, PortFast can be configured globally on all access ports by using
the spanning-tree portfast default global configuration command.

To verify whether PortFast is enabled globally, you can use either the show running-config | begin
span command or the show spanning-tree summary command. To verify if PortFast is enabled on an
interface, use the show running-config interface type/number command, as shown in the following
example. The show spanning-tree interface type/number detail command can also be used for
verification.

Notice the warning messages that are displayed when PortFast is enabled.


14.9.4 Configure BPDU Guard

Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected BPDUs might be
accidental, or part of an unauthorized attempt to add a switch to the network.

If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-disabled state.
This means the port is shut down and must be manually re-enabled or automatically recovered
through the errdisable recovery cause bpduguard global command.

BPDU Guard can be enabled on a port by using the spanning-tree bpduguard enable interface
configuration command. Alternatively, use the spanning-tree portfast bpduguard default global
configuration command to globally enable BPDU guard on all PortFast-enabled ports.

To display information about the state of spanning tree, use the show spanning-tree
summary command. In the example, PortFast default and BPDU Guard are both enabled as the
default state for ports that are configured in access mode.

Note: Always enable BPDU Guard on all PortFast-enabled ports.

14.9.5 Syntax Checker - Mitigate STP Attacks

Implement PortFast and BPDU Guard for a switch based on the following topology and specified
requirements.

You are currently logged into S1. Complete the following steps to implement PortFast and BPDU
Guard on all access ports:

• Enter interface configuration mode for fa0/1 - 24.

• Configure the ports for access mode.

• Return to global configuration mode.

• Enable PortFast by default for all access ports.

• Enable BPDU Guard by default for all access ports.

S1(config)#interface range fa0/1 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)#exit
S1(config)#spanning-tree portfast default
S1(config)#spanning-tree portfast bpduguard default
S1(config)#exit

Verify that PortFast and BPDU Guard are enabled by default by viewing STP summary information.

S1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID            is enabled
Portfast Default              is enabled
PortFast BPDU Guard Default   is enabled
Portfast BPDU Filter Default  is disabled
Loopguard Default             is disabled
EtherChannel misconfig guard  is enabled
UplinkFast                    is disabled
BackboneFast                  is disabled
Configured Pathcost method used is short
(output omitted)
S1#

You have successfully configured and verified PortFast and BPDU Guard for the switch.

14.9.6 Configure Root Guard

There are some switches in a network that should never, under any circumstances, become the STP
root bridge. Root Guard provides a way to enforce the placement of root bridges in the network by
limiting which switch can become the root bridge.

Root guard is best deployed on ports that connect to switches that should not be the root bridge. If a
root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is
sending, that port is moved to a root-inconsistent state. This is effectively equal to an STP listening
state, and no data traffic is forwarded across that port. Recovery occurs as soon as the offending
device ceases to send superior BPDUs.

Use the spanning-tree guard root interface configuration command to configure root guard on an
interface.

In the figure, D1 is the root bridge. If D1 fails, only the D2 switch should become the root bridge. To
ensure that S1 never becomes a root bridge, the F0/1 interfaces of D1 and D2 should be enabled for
Root guard.

To view Root Guard ports that have received superior BPDUs and are in a root-inconsistent state, use
the show spanning-tree inconsistentports command.

Note: Root guard may seem unnecessary because an administrator can manually set the bridge
priority of a switch to zero. However, this does not guarantee that this switch will be elected as the
root bridge. Another switch may still become the root if it also has a priority of zero and a lower MAC
address.

14.9.7 Configure Loop Guard

Traffic on bidirectional links flows in both directions. If for some reason traffic flow in one direction
fails, this creates a unidirectional link, which can result in a Layer 2 loop. STP relies on continuous
reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs,
and the non-designated port receives BPDUs. A Layer 2 loop is usually created when an STP port in a
redundant topology stops receiving BPDUs and erroneously transitions to the forwarding state.

The STP Loop Guard feature provides additional protection against Layer 2 loops. If BPDUs are not
received on a non-designated Loop Guard-enabled port, the port transitions to a loop-inconsistent
blocking state, instead of the listening / learning / forwarding state. Without the Loop Guard feature,
the port would assume a designated port role and create a loop.

As shown here, Loop Guard is enabled on all non-Root Guard ports using the spanning-tree guard
loop interface configuration command.

Note: Loop Guard can also be enabled globally using the spanning-tree loopguard default global
configuration command. This enables Loop Guard on all point-to-point links.

14.9.8 Syntax Checker - Configuring Loop Guard

Implement PortFast, BPDU Guard, and Loop guard for a switch.

Configure S1 using the following instructions:

• Configure PortFast globally for all non-trunking ports on the switch.

• Enable BPDU guard globally on all ports with PortFast enabled.

• Enable Loop guard globally on all point-to-point links.

• Exit global configuration mode.

S1(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

S1(config)#spanning-tree portfast bpduguard default
S1(config)#spanning-tree loopguard default
S1(config)#end

Verify that PortFast, BPDU guard, and Loop guard are enabled on switch S1.

S1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID            is enabled
Portfast Default              is enabled
PortFast BPDU Guard Default   is enabled
Portfast BPDU Filter Default  is disabled
Loopguard Default             is enabled
EtherChannel misconfig guard  is enabled
UplinkFast                    is disabled
BackboneFast                  is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      1         0        0          5          6
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        1         0        0          5          6

S1#

You have successfully configured and verified PortFast, BPDU guard, and Loop guard.

Layer 2 Security Considerations Summary
14.10.1 What Did I Learn in this Module?

Layer 2 Security Threats

Security is implemented at all layers of the OSI model. However, if Layer 2 is disrupted by a cyber
attack, all layers above it will be affected. There are a number of attacks that can happen at Layer 2
including MAC table attacks, VLAN attacks, DHCP attacks, ARP attacks, address spoofing attacks, and
STP attacks. It is important to protect Layer 2 by always using secure variants of protocols such as
SSH, SCP, and SSL. Using out-of-band management whenever possible and creating a dedicated VLAN
for management traffic are also means to make successful Layer 2 attacks less likely. In addition, ACLs
should be used to filter unwanted access. Port security, DHCP Snooping, DAI, and IP Source Guard are
available on Cisco switches to directly mitigate Layer 2 attacks.

MAC Table Attacks

Layer 2 switches use MAC addresses to make forwarding decisions. The switch uses a MAC table that
maps MAC addresses to switchports. The switch looks for the destination MAC address in the MAC
table for the frames that it receives. It then forwards the traffic to the corresponding port. If the
switch does not recognize a destination MAC address, it floods the frames for the unknown
destination out of all ports except the port from which the frames originated. These are called
unknown unicast messages. The switch dynamically learns MAC addresses from the source addresses
of the frames that originate on its ports. One type of Layer 2 attack floods the switch with frames
with random MAC source addresses. The switch attempts to add all of these frames to the MAC table
until the table is full. Subsequent frames are then treated as unknown unicast messages and sent out
all but the receiving port. Since these frames are flooded, a threat actor can receive all traffic that is
sent on the network. Threat actor tools such as macof can quickly overwhelm the MAC table of a
switch, causing a MAC table overflow exploit. Because the flooding of unknown unicast addresses can
include trunk ports to other switches, the exploit can cause widespread disruptions.

Mitigate MAC Table Attacks

Layer 2 devices are considered to be the weakest link in a company’s security infrastructure because
Layer 2 attacks are some of the easiest for hackers to deploy. For this reason, Cisco has developed a
number of Layer 2 security measures in the switch IOS. A simple but effective way to prevent Layer 2
attacks is to shut down all unused ports. Port security is a simple way to directly address MAC address
overflow attacks. With port security, the number of MAC addresses that are allowed to be learned on
a port, and the way in which the addresses are learned, can be controlled. Port security aging can be
used to remove secure MAC addresses on a secure port without manually deleting the existing
secure MAC addresses. Aging time limits can also be increased to ensure past secure MAC addresses
remain, even while new MAC addresses are added. When port security violations occur, the
switchport can be configured to shutdown, restrict frames from unknown MAC addresses from
being forwarded and issue a syslog message, or protect to drop frames from the unknown host but
not issue a syslog message. Protect is the least secure option. A port that has been shut down by port
security is placed in the err-disabled state. The port must be manually re-enabled with
the shutdown and no shutdown commands in order to return to the Secure-up state.

Mitigate VLAN Attacks

VLANs may be used to separate sensitive traffic from other traffic. VLAN hopping and VLAN double-
tagging attacks enable threat actors to access VLANs that they are not authorized to access. In VLAN
hopping attacks, a threat actor connects a host computer to a switch and then attempts to negotiate
the switchport to become a trunk using DTP. The threat actor computer attempts to act as another
switch that is connected by a trunk. Trunks carry traffic for all VLANs by default, so if a threat actor
can connect a computer over a trunked link, all VLAN traffic can be intercepted. In VLAN double-
tagging attacks, a threat actor adds a false VLAN tag to malicious traffic in addition to the legitimate
tag. This can allow a threat actor to send unauthorized traffic into other VLANs. VLAN hopping and
double-tagging attacks can be mitigated by disabling trunking and trunk negotiation on all
switchports that are to be accessed by users, and by ensuring that the native VLAN is only used on
trunk links. Private VLAN promiscuous ports can be vulnerable to PVLAN proxy attacks in which a
threat actor can spoof the destination MAC address of the default gateway router. The router will
then permit the unauthorized traffic to enter the target VLANs. PVLAN proxy attacks can be mitigated
through the use of access control lists.

Mitigate DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by
implementing DHCP snooping. The goal of the DHCP starvation attack is DoS for connecting clients.
DHCP starvation attacks require an attack tool such as Gobbler. A DHCP spoofing attack occurs when
a rogue DHCP server is connected to the network and provides false IP configuration parameters to
legitimate clients. It is easy to mitigate DHCP starvation attacks by using port security. DHCP spoofing
attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate
DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted
port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the
switch can use to filter DHCP messages from untrusted sources. DHCP snooping is globally activated.
Ports that are connected to legitimate DHCP servers are then configured as trusted. In addition,
untrusted ports can be configured to rate limit DHCP requests.

Mitigate ARP Attacks

According to the ARP RFC, a client can send gratuitous ARP requests. When other hosts on the
subnet receive a gratuitous ARP request, the hosts store the MAC address and IPv4 address
contained in the gratuitous ARP in their ARP tables. An attacker can send a gratuitous ARP message
containing a spoofed MAC address to a switch, and the switch would update its MAC table
accordingly. Therefore, any host can claim to be the owner of any IP and MAC address. In a typical
attack, a threat actor can send unsolicited ARP Replies to other hosts on the subnet with the MAC
address of the threat actor and the IPv4 address of the default gateway. Address spoofing attacks
occur when threat actors craft packets that contain false IP or MAC addresses. MAC address spoofing
attacks occur when threat actors alter the MAC address of their host to match another known MAC
address of a target host. A spoofed MAC address can cause a switch to send packets that are
intended for another host to the threat actor PC. This can be especially problematic when the
spoofed MAC address is that of the default gateway. DAI can mitigate ARP spoofing by ensuring that
only valid ARP Requests and Replies are sent into the network. DAI requires that DHCP snooping is
globally configured. DAI can be configured on trusted interfaces and VLANs.

Mitigate Address Spoofing Attacks

Spoofing attacks occur when one host poses as another to receive otherwise inaccessible data, or to
circumvent security configurations. MAC address spoofing attacks occur when attackers alter the
MAC address of their host to match another known MAC address of a target host. When a switch
receives the spoofed frames, the switch overwrites the current MAC table entry and assigns the MAC
address to the new port. A threat actor computer can now receive traffic that was intended for the
host with the spoofed address. IP address spoofing is when a rogue PC hijacks a valid IP address of a
neighbor, or uses a random IP address. IP address spoofing is difficult to mitigate, especially when it
is used inside the subnet to which the IP belongs. To protect against MAC and IP address spoofing,
configure IPSG. IPSG operates like DAI, but it looks at every packet, not just the ARP packets. Like DAI,
IPSG also requires that DHCP snooping be enabled. For each untrusted port, a source IP address or
source IP and MAC address filter can be configured.

Spanning Tree Protocol

STP is a loop-prevention network protocol that allows for redundancy while creating a loop-free
Layer 2 topology. Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and
unknown unicast frames to loop endlessly. This can bring down a network within a very short
amount of time, sometimes in just a few seconds. The spanning tree algorithm designates a single
switch as the root bridge and uses it as the reference point for path calculations. The spanning tree
algorithm calculates the shortest path to the root bridge and enables forwarding on trunks that form
the best path. Alternate ports are blocked. Designated ports are all non-root ports that spanning tree
permits to forward traffic. If a path becomes unavailable, spanning tree then enables the alternate
ports to forward traffic. Spanning tree uses bridge protocol data units to communicate between
switches in a spanning tree topology.

Mitigating STP Attacks

Threat actors can manipulate STP to conduct an attack by spoofing the root bridge and changing
the topology of a network. Attackers can make their hosts appear as root bridges and therefore
capture all traffic for the immediate switched domain. Cisco switches have a number of STP stability
mechanisms such as PortFast, BPDU Guard, Root Guard, and Loop Guard. PortFast enables access
ports to go to the spanning-tree forwarding state without going through the transitional spanning-tree
states. BPDU guard immediately error disables a port that receives a BPDU. This is configured on
non-trunking ports that typically have PortFast enabled. Root Guard prevents an inappropriate
switch from becoming the root bridge. Loop guard prevents alternate or root ports from becoming
designated ports because of a failure that leads to a unidirectional link.
