2. Infrastructure Security

2.1 Configure and verify switch security features

2.1.a DHCP snooping

DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes. When DHCP snooping is enabled, switch ports are categorized as either trusted or un-trusted. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify and configure only those ports that are trusted and connected to DHCP server(s).

You can do this with the following interface configuration command:

Switch( config-if)# ip dhcp snooping trust

IP Source Guard prevents IP spoofing by forwarding only packets that have a source address consistent with the DHCP Snooping table.

2.1.b IP Source Guard:

IPSG helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards a port he's connected to. IPSG is configured at the access layer and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis (these can't be viewed in the running-configuration). Any traffic which doesn't match the binding entries is dropped in hardware. However, the port won't go into the errdisable state, it won't even display a violation message at the console.IPSG is supported on layer two ports and cannot be used on layer 3 ports or SVIs.

2.1.c Dynamic ARP inspection (DAI):

Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. Further, ARP attacks are Layer-2 attacks. Therefore, each switch needs to be configured with DAI for effectively preventing ARP spoofing attacks. Because ARP attacks are limited to a single Layer 2 broadcast domain, separate the VLAN with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the VLAN enabled for DAI. DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.