packets based on user-configurable ACLs for hosts that use statically configured IP addresses. To prevent ARP spoofing or “poisoning,” a switch must ensure that only valid ARP requests and responses are relayed. To do so, DAI takes the following actions:
- Forwards ARP packets received on a trusted interface without any checks
- Intercepts all ARP packets on untrusted ports
- Verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to its destination
- Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings
Generally, all access switch ports should be configured as untrusted and all switch ports connected to other switches as trusted. ARP packets arriving from an upstream distribution or core switch therefore bypass the check: they were already validated at the access switch where the sending host connects, so no further validation is needed. DAI also rate-limits incoming ARP packets on untrusted interfaces (15 packets per second by default) and err-disables an interface that exceeds its limit, which protects the switch CPU from ARP floods.
8.3 Protecting Against Spoof Attacks
8.3.6 Configuring Dynamic ARP Inspection
Figure lists the commands used to configure Dynamic ARP Inspection, and Figure describes the commands. The following example shows how to configure DAI for hosts on VLAN 1, where the client devices connected to switch S2 are located. All client ports are untrusted by default. Only port 3/3, the uplink toward the DHCP server, is trusted, because it is the only port where DHCP replies would be expected.
S2(config)#ip arp inspection vlan 1
S2(config)#interface fastethernet 3/3
S2(config-if)#ip arp inspection trust
8.3.7 Protecting Against ARP Spoofing Attacks
To mitigate the chances of ARP spoofing, the following procedure is recommended:
Step 1 Implement protection against DHCP spoofing (DHCP snooping). DAI validates ARP packets against the DHCP snooping binding table, so this step is a prerequisite.
Step 2 Enable dynamic ARP inspection.
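The following Python model is added here as an illustration; it is not part of the course material and not Cisco's implementation. It walks through the DAI decisions listed above for the S2 configuration: a binding table standing in for the DHCP snooping database (with one static entry playing the role of an ARP ACL for the gateway), a trusted uplink, untrusted access ports, and the per-port ARP rate limit with err-disable. Interface names, addresses and packets are constructed sample data, and the one-second sliding window is a simplification of the switch's own rate counter.

```python
"""Added example (not from the course text): a model of the Dynamic ARP
Inspection decision.  A binding table stands in for the DHCP snooping
database; ARP packets on trusted ports are forwarded unchecked, packets on
untrusted ports are validated against the table, and an untrusted port
that exceeds its ARP rate limit is err-disabled.  All interface names,
bindings and packets are constructed sample data."""

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str
    sender_ip: str
    sender_mac: str
    vlan: int
    ts: float  # arrival time in seconds


@dataclass
class DaiSwitch:
    inspected_vlans: set          # VLANs with 'ip arp inspection vlan'
    trusted_ports: set            # interfaces with 'ip arp inspection trust'
    bindings: dict                # (vlan, ip) -> mac, as DHCP snooping / ARP ACL would supply
    rate_limit_pps: int = 15      # Cisco default limit on untrusted interfaces
    log: list = field(default_factory=list)
    errdisabled: set = field(default_factory=set)
    _window: dict = field(default_factory=lambda: defaultdict(list))

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet, logging violations."""
        if pkt.vlan not in self.inspected_vlans:
            return "forward"                 # DAI not enabled on this VLAN
        if pkt.port in self.errdisabled:
            return "drop"                    # port already shut by the rate limiter
        if pkt.port in self.trusted_ports:
            return "forward"                 # trusted: relayed without any checks
        # Untrusted port: apply the rate limit over a 1-second sliding window
        # (simplification of the switch's per-interface counter).
        recent = [t for t in self._window[pkt.port] if pkt.ts - t < 1.0]
        recent.append(pkt.ts)
        self._window[pkt.port] = recent
        if len(recent) > self.rate_limit_pps:
            self.errdisabled.add(pkt.port)
            self.log.append(f"{pkt.port}: ARP rate {len(recent)} pps exceeds "
                            f"{self.rate_limit_pps}, err-disabled")
            return "drop"
        # Validate the sender IP-to-MAC binding of the intercepted packet.
        expected = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected is None or expected.lower() != pkt.sender_mac.lower():
            self.log.append(f"{pkt.port}: invalid binding {pkt.sender_ip} -> "
                            f"{pkt.sender_mac}, dropped")
            return "drop"
        return "forward"


def run_demo():
    """Exercise the four cases: trusted, valid, poisoning attempt, ARP flood."""
    sw = DaiSwitch(
        inspected_vlans={1},
        trusted_ports={"FastEthernet3/3"},                # uplink, as in the S2 example
        bindings={(1, "10.1.1.10"): "0011.2233.4455",     # learned via DHCP snooping
                  (1, "10.1.1.1"): "00d0.00b8.140a"},     # gateway, static (ARP ACL role)
    )
    results = {}
    # 1. Uplink traffic is relayed without inspection, even if it looks odd.
    results["trusted_unchecked"] = sw.inspect(
        ArpPacket("FastEthernet3/3", "10.1.1.1", "aaaa.bbbb.cccc", 1, 0.0))
    # 2. Legitimate reply from a host on an untrusted access port.
    results["valid_untrusted"] = sw.inspect(
        ArpPacket("FastEthernet3/1", "10.1.1.10", "0011.2233.4455", 1, 1.0))
    # 3. Poisoning attempt: host on Fa3/2 claims the gateway IP with its own MAC.
    results["poison_attempt"] = sw.inspect(
        ArpPacket("FastEthernet3/2", "10.1.1.1", "aaaa.bbbb.cccc", 1, 2.0))
    # 4. ARP flood from an otherwise valid host: 20 packets inside one second.
    verdicts = [sw.inspect(ArpPacket("FastEthernet3/1", "10.1.1.10",
                                     "0011.2233.4455", 1, 10.0 + i * 0.01))
                for i in range(20)]
    results["burst_forwarded"] = verdicts.count("forward")
    results["errdisabled"] = set(sw.errdisabled)
    results["log"] = list(sw.log)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the first 15 packets of the flood are forwarded; the 16th trips the limit, the port is err-disabled and everything after it is dropped, while the poisoning attempt on Fa3/2 is dropped and logged without affecting the port.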
8.4 STP Security Mechanisms
8.4.1 Protecting the Operation of STP
Cisco provides features to protect spanning tree from loops being created on ports where PortFast has been enabled. In a proper configuration, PortFast is enabled only on ports supporting end devices such as servers and workstations, so BPDUs from a switch should never be received on a PortFast interface. Should this happen, BPDU guard and BPDU filtering provide protection. Both BPDU guard and BPDU filtering can be configured globally on all PortFast-configured ports or on individual ports.
BPDU guard protects the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. PortFast BPDU filtering affects how the switch handles BPDUs seen on PortFast-configured ports; its behavior differs depending on whether it is configured globally or per port. Root guard protects against a switch outside the designated part of the network attempting to become the root bridge: a port that receives superior BPDUs is placed in a root-inconsistent (blocking) state until those BPDUs cease.
8.4.2 Configuring BPDU Guard
BPDU guard protects the network from loops that might form if BPDUs are received on a PortFast-enabled switch port.
Note: When the BPDU guard feature is enabled globally, spanning tree applies BPDU guard to all PortFast-configured interfaces.
You can enable BPDU guard on PortFast-enabled ports at the global level. In a valid configuration, PortFast-enabled ports do not receive BPDUs. Receiving a BPDU on a PortFast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in an error-disabled state. You can also enable BPDU guard on any port at the interface level without enabling the PortFast feature. When such a port receives a BPDU, it is put in an error-disabled state. An error-disabled port stays down until an administrator bounces it with shutdown and no shutdown, or until errdisable recovery is configured for the bpduguard cause.
To enable BPDU guard globally on the switch, use this command:
Switch(config)#spanning-tree portfast bpduguard default
The no form of the command disables the feature on the switch.
To enable BPDU guard on a specific switch port, use this interface-level command:
Switch(config-if)#spanning-tree bpduguard enable
The no form of the command disables the feature on the interface.
Use the following command to verify the BPDU guard configuration:
Switch#show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
34 VLANs             0        0         0        36         36
8.4.3 Configuring BPDU Filtering
You can configure BPDU filtering globally or on individual PortFast-enabled ports. Global BPDU filtering has these attributes:
- It affects all operational PortFast ports on a switch that do not have BPDU filtering configured on the individual ports.
- If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and STP sends and receives BPDUs on the port like any other STP port on the switch.
- At startup, the port transmits ten BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.
BPDU filtering has these attributes when enabled on an individual port:
- It ignores all BPDUs received.
- It sends no BPDUs.
CAUTION: Explicit configuration of PortFast BPDU filtering on a port not connected to a host station can result in bridging loops. The port ignores any incoming BPDUs and changes to the forwarding state. This does not occur when PortFast BPDU filtering is enabled globally. Because a per-port filter discards received BPDUs outright, it also prevents BPDU guard from ever triggering on that port, so the two should not be combined on the same interface.
To enable PortFast BPDU filtering globally on the switch, use this command:
Switch(config)#spanning-tree portfast bpdufilter default
To enable PortFast BPDU filtering on a specific switch port, use this command:
Switch(config-if)#spanning-tree bpdufilter enable
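As an added example, not from the course text or any Cisco tool, the Python script below audits a constructed IOS running-config excerpt for the three conditions this section and the previous one describe: a PortFast port with no BPDU guard coverage (neither the global default nor a per-port enable), a per-port BPDU filter on a non-host (trunk) port, which is the CAUTION above, and a per-port BPDU filter on a port that also has BPDU guard, where the filter discards BPDUs before the guard can act. The configuration text, interface names and finding codes are constructed; the parser only understands the handful of commands it checks.

```python
"""Added example (not from the course text): audit an IOS running-config
for the BPDU guard / BPDU filter misconfigurations described in 8.4.2 and
8.4.3.  SAMPLE_CONFIG and the finding codes are constructed for this
example."""

SAMPLE_CONFIG = """\
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

FINDINGS = {
    "no-bpduguard": "PortFast port without BPDU guard (no global default, no per-port enable)",
    "filter-on-nonhost-port": "per-port BPDU filter on a non-access port: BPDUs ignored, loop risk",
    "filter-masks-guard": "per-port BPDU filter discards BPDUs before BPDU guard can act",
}


def parse_ios(config_text):
    """Split a running-config into global commands and per-interface command sets."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_cmds.add(line.strip())
    return global_cmds, interfaces


def audit(config_text):
    """Return [(interface, finding_code), ...] in configuration order."""
    global_cmds, interfaces = parse_ios(config_text)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    portfast_default = "spanning-tree portfast default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        access = "switchport mode access" in cmds
        # 'spanning-tree portfast default' applies to non-trunking ports;
        # access mode is used as the approximation here.
        portfast = "spanning-tree portfast" in cmds or (portfast_default and access)
        guard = "spanning-tree bpduguard enable" in cmds or (guard_default and portfast)
        if "spanning-tree bpduguard disable" in cmds:
            guard = False                       # per-port disable overrides the global default
        port_filter = "spanning-tree bpdufilter enable" in cmds
        if port_filter and not access:
            findings.append((name, "filter-on-nonhost-port"))
        if port_filter and guard:
            findings.append((name, "filter-masks-guard"))
        if portfast and not guard:
            findings.append((name, "no-bpduguard"))
    return findings


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {FINDINGS[code]}")
    print("--- after adding 'spanning-tree portfast bpduguard default' ---")
    fixed = "spanning-tree portfast bpduguard default\n" + SAMPLE_CONFIG
    for name, code in audit(fixed):
        print(f"{name}: {FINDINGS[code]}")
```

Running the audit on the sample config flags FastEthernet0/1 (PortFast without guard), FastEthernet0/3 (filter masking guard) and GigabitEthernet0/1 (filter on a trunk); prepending the global bpduguard default clears the first finding but not the other two, which need the per-port filter removed.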
To verify the configuration on the switch, use this command:
PxD1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     2         0        0          6          8
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       2         0        0          6          8
PxD1#
To verify the configuration on a specific port, use the following command:
Switch#show spanning-tree interface fastEthernet 4/4 detail
Port 196 (FastEthernet4/4) of VLAN0010 is forwarding
   Port path cost 1000, Port priority 160, Port Identifier 160.196.
   Designated root has priority 32768, address 00d0.00b8.140a
   Designated bridge has priority 32768, address 00d0.00b8.140a
   Designated port id is