Scribd Logo
Upload

Welcome to Scribd!

  • CCNAv2 Chapter 08 - DHCP Snooping and ARP Inspection

    Uploaded by

    Linux Hamza
    14 views29 pages
    The document discusses Layer 2 security features including DHCP snooping, dynamic ARP inspection, and port security. It describes DHCP snooping as watching for DHCP messages on ports and building bindings based on the source MAC and IP addresses to prevent spoofing. Dynamic ARP inspection uses the DHCP snooping bindings to filter ARP packets and prevent man-in-the-middle attacks by discarding ARP replies from untrusted ports not matching the bindings. The chapter provides examples of configuring these features on switches to protect against common Layer 2 attacks.

    Original Description:

    Original Title

    CCNAv2 Chapter 08- DHCP Snooping and ARP Inspection

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses Layer 2 security features including DHCP snooping, dynamic ARP inspection, and port security. It describes DHCP snooping as watching for DHCP messages on ports and building bindings based on the source MAC and IP addresses to prevent spoofing. Dynamic ARP inspection uses the DHCP snooping bindings to filter ARP packets and prevent man-in-the-middle attacks by discarding ARP replies from untrusted ports not matching the bindings. The chapter provides examples of configuring these features on switches to protect against common Layer 2 attacks.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    14 views29 pages

    CCNAv2 Chapter 08 - DHCP Snooping and ARP Inspection

    Uploaded by

    Linux Hamza
    The document discusses Layer 2 security features including DHCP snooping, dynamic ARP inspection, and port security. It describes DHCP snooping as watching for DHCP messages on ports and building bindings based on the source MAC and IP addresses to prevent spoofing. Dynamic ARP inspection uses the DHCP snooping bindings to filter ARP packets and prevent man-in-the-middle attacks by discarding ARP replies from untrusted ports not matching the bindings. The chapter provides examples of configuring these features on switches to protect against common Layer 2 attacks.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 29

    CCNA 200-301, Volume 2

    Chapter 8
    DHCP Snooping and ARP
    Inspection
    Objectives
    • Configure Layer 2 security features (DHCP
    snooping, dynamic ARP inspection, and port
    security)
    DHCP Snooping
    • Acts like a firewall or an ACL in many ways
    • Watches for incoming messages on either all ports
    or some ports
    • Looks for DHCP messages and ignores all non-
    DHCP messages
    • DHCP snooping logic: allow the message or discard
    the message
    • Acts off the concept of trusted and untrusted ports
    for determining which DHCP messages are allowed
    DHCP Snooping Basics: Client Ports are
    Untrusted
    DHCP Attack Supplies Good IP Address but
    Wrong Default Gateway
    Unfortunate Result: DHCP Attack Leads to
    Man-in-the-Middle
    Summary of Rules for DHCP Snooping
    DHCP Snooping Checks chaddr and Ethernet
    Source MAC
    Legitimate DHCP Client with DHCP Binding
    Entry Built by DHCP Snooping
    DHCP Snooping Defeats a DHCP RELEASE
    from Another Port
    Sample Network Used in DHCP Snooping
    Configuration Examples
    DHCP Snooping Configuration to Match
    Previous Graphic
    SW2 DHCP Snooping Status
    Configuring DHCP Snooping Message Rate
    Limits
    Confirming DHCP Snooping Rate Limits
    Legitimate ARP Tables After PC1 DHCP and
    ARP with Router R2
    A Detailed Look at ARP Request and Reply
    Nefarious Use of ARP Reply Causes Incorrect
    ARP Data on R2
    Man-in-the-Middle Attack Resulting from
    Gratuitous ARP
    DAI Filtering ARP Based on DHCP Snooping
    Binding Table
    DAI Filtering Checks for Source MAC
    Addresses
    Sample Network Used in ARP Inspection
    Configuration Examples
    IP ARP Inspection Configuration to Match
    Previous Graphic
    IP DHCP Snooping Configuration Added to
    Support DAI
    SW2 IP ARP
    Inspection
    Status
    Sample Results from an ARP Attack
    Configuring ARP Inspection Message Rate
    Limits
    Confirming ARP Inspection Rate Limits
    Configuring Optional DAI Message Checks

    You might also like