Four common methods and commands for preventing spoofing attacks on switches

Source: Internet
Author: User

There are four common switch-side methods, with their commands, for preventing spoofing attacks. Switches face many kinds of spoofing attacks; here we mainly cover defending against Dynamic Trunking Protocol (DTP) attacks, preventing VLAN hopping attacks, and defending against DHCP spoofing and ARP spoofing attacks.

Switch anti-spoofing attack: defending against Dynamic Trunking Protocol (DTP) attacks

A switch dynamically negotiates whether a link becomes a trunk, and which encapsulation the trunk uses, by exchanging DTP frames. If a switch port's trunking mode is Auto, it waits for the peer (in Auto or On mode) to bring the trunk up. In that case, if a malicious user connected to the port uses DTP to negotiate a trunk link with the switch, the attacker can capture traffic from any VLAN carried over that trunk.

To prevent this spoofing attack, configure Access mode on every port that connects to a user, so that the port cannot negotiate a trunk through DTP in Auto mode. The command is:
Switch(config-if)# switchport mode access

Switch anti-spoofing attack: preventing VLAN hopping attacks

In this attack, the attacker sits in an ordinary VLAN and sends a double-tagged frame, as if it had arrived over an 802.1Q trunk link. The attacker is, of course, not connected to a trunk; by forging trunk encapsulation, the attacker tricks the switch into forwarding the frame into another VLAN, achieving a VLAN hop. In this way the attacker illegally reaches another VLAN at the data link layer.

The switch's defense: first, change the native VLAN ID and prune the native VLAN from both ends of the trunk link. The commands are as follows:
Switch(config-if)# switchport trunk native vlan 200
Switch(config-if)# switchport trunk allowed vlan remove 200
Then, force all trunk links to tag frames belonging to the native VLAN. The switch's anti-spoofing command is:
Switch(config)# vlan dot1q tag native
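The defense above works because a double-tagged frame only hops VLANs when the switch strips an outer tag that matches the trunk's untagged native VLAN. The following Python parser is an added example, not code from the original article: it decodes stacked 802.1Q/802.1ad tags from a raw Ethernet frame and classifies what a monitoring point should flag. The three sample frames are constructed inline for testing; the function and class names are my own choices.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad, QinQ)


@dataclass
class Frame:
    dst: str
    src: str
    vlan_ids: list   # tags in wire order: outer tag first
    ethertype: int   # EtherType of the payload that follows the last tag


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw):
    """Decode an Ethernet II header and every stacked VLAN tag that follows it."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    offset, vlan_ids = 12, []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)   # PCP/DEI occupy the top 4 bits; VID is the low 12
        offset += 4
    return Frame(dst, src, vlan_ids, ethertype)


def classify(raw, port_is_trunk, native_vlan=1):
    """Classify a received frame from a VLAN-hopping monitoring point of view."""
    frame = parse_frame(raw)
    tags = len(frame.vlan_ids)
    if tags == 0:
        return "untagged"
    if not port_is_trunk:
        # A host on an access port has no business sending tagged frames at all.
        return "alert: tagged frame on access port"
    if tags >= 2 and frame.vlan_ids[0] == native_vlan:
        # Outer tag equal to the untagged native VLAN is the double-tagging pattern:
        # the switch strips it and forwards the still-tagged inner frame onward.
        return "alert: double tag with native VLAN outer tag (possible VLAN hop)"
    if tags >= 2:
        return "double-tagged (QinQ); verify this trunk is meant to carry stacked tags"
    return "tagged"


# Constructed sample frames (not captured traffic).
_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst, src
DOUBLE_TAGGED = _HDR + bytes.fromhex("81000001") + bytes.fromhex("81000014") \
    + bytes.fromhex("0800") + bytes.fromhex("4500")   # VLAN 1 outer, VLAN 20 inner, IPv4
SINGLE_TAGGED = _HDR + bytes.fromhex("8100e064") + bytes.fromhex("0800") \
    + bytes.fromhex("4500")                            # PCP 7, VLAN 100, IPv4
UNTAGGED = _HDR + bytes.fromhex("0806") + bytes.fromhex("0001")   # ARP, no tag

if __name__ == "__main__":
    for name, raw in (("double", DOUBLE_TAGGED), ("single", SINGLE_TAGGED), ("plain", UNTAGGED)):
        print(name, parse_frame(raw).vlan_ids, classify(raw, port_is_trunk=True, native_vlan=1))
```

Note that a double-tagged frame on a trunk whose native VLAN was moved to 200 (and tagged with vlan dot1q tag native) no longer matches the hop pattern, which is exactly what the two commands above achieve; on a trunk that legitimately carries QinQ, the second verdict is informational rather than an alert.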

Switch anti-spoofing attack: preventing DHCP spoofing attacks

The principle of DHCP spoofing can be described briefly: an attacker runs a rogue DHCP server on a computer. When a client broadcasts a DHCP request, the rogue server sends its own DHCP response. Once the client accepts that response and uses the supplied address as its default gateway, packets destined outside the subnet first pass through the false gateway. If the attacker is careful, he forwards these packets on to the correct destination while also capturing them, so the client's information leaks without the client noticing. The defense is to enable DHCP snooping on the switch. First, enable DHCP snooping in the switch's global configuration mode. The command is:
Switch(config)# ip dhcp snooping
Next, specify the VLAN to inspect. The switch's anti-spoofing command is:
Switch(config)# ip dhcp snooping vlan 2
Then, set the port facing the DHCP server as a trusted port:
Switch(config-if)# ip dhcp snooping trust
Finally, limit the DHCP packet rate on the other, untrusted ports (the command takes a packets-per-second value, shown here as a placeholder):
Switch(config-if)# ip dhcp snooping limit rate <packets-per-second>
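To make the trusted/untrusted and rate-limit semantics above concrete, here is an added Python model of the DHCP snooping decision, written for this article rather than taken from it or from any switch vendor's code. It keeps the rules from the text: server-originated messages (OFFER, ACK, NAK) are dropped on untrusted ports, untrusted ports are rate-limited over a one-second window, and a port that exceeds the limit is put into the error-disabled state, which is how Cisco IOS reacts when the limit is exceeded. The binding-table and chaddr checks a real implementation also performs are omitted; the event list and port names are constructed.

```python
from collections import defaultdict, deque

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


class DhcpSnooper:
    """Simplified DHCP snooping: trust, rogue-server filtering and rate limiting."""

    def __init__(self, inspected_vlans, trusted_ports, rate_limit_pps):
        self.inspected_vlans = set(inspected_vlans)
        self.trusted_ports = set(trusted_ports)
        self.rate_limit_pps = rate_limit_pps
        self.err_disabled = set()               # ports shut down after exceeding the rate
        self._window = defaultdict(deque)       # port -> timestamps of recent DHCP packets
        self.log = []

    def handle(self, port, vlan, msg_type, ts):
        """Return 'forward' or 'drop' for one DHCP packet seen on a port at time ts."""
        if vlan not in self.inspected_vlans:
            return "forward"                    # VLAN not under snooping: no inspection
        if port in self.err_disabled:
            return "drop"                       # port stays down until an operator recovers it
        if port in self.trusted_ports:
            return "forward"                    # trusted: server messages allowed, no limit
        window = self._window[port]
        window.append(ts)
        while window and ts - window[0] >= 1.0:
            window.popleft()                    # keep only the last second of packets
        if len(window) > self.rate_limit_pps:
            self.err_disabled.add(port)
            self.log.append(f"{port}: {len(window)} DHCP pps exceeds limit "
                            f"{self.rate_limit_pps}; port err-disabled")
            return "drop"
        if msg_type in SERVER_MESSAGES:
            self.log.append(f"{port}: DHCP {msg_type} from untrusted port dropped (rogue server?)")
            return "drop"
        return "forward"


# Constructed events: (port, vlan, DHCP message type, timestamp in seconds).
SAMPLE_EVENTS = [
    ("Gi0/1", 2, "DISCOVER", 0.00),   # client on an untrusted port
    ("Gi0/24", 2, "OFFER", 0.01),     # real server on the trusted port
    ("Gi0/5", 2, "OFFER", 0.02),      # rogue server on an untrusted port
    ("Gi0/1", 2, "REQUEST", 0.03),
    ("Gi0/24", 2, "ACK", 0.04),
    ("Gi0/7", 3, "OFFER", 0.05),      # VLAN 3 is not inspected
] + [("Gi0/9", 2, "DISCOVER", 1.0 + i * 0.001) for i in range(12)]   # DHCP flood


def run_sample():
    """Run the constructed events through a snooper with a 10 pps limit on untrusted ports."""
    snooper = DhcpSnooper(inspected_vlans={2}, trusted_ports={"Gi0/24"}, rate_limit_pps=10)
    verdicts = [snooper.handle(*event) for event in SAMPLE_EVENTS]
    return verdicts, snooper


if __name__ == "__main__":
    verdicts, snooper = run_sample()
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(event, "->", verdict)
    print("\n".join(snooper.log))
```

The ordering of the checks matters: the rate limit is applied to every DHCP packet on an untrusted port, client messages included, because a flood of DISCOVERs is itself a denial-of-service against the real server; the rogue-server filter then only has to look at message type.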

Switch anti-spoofing attack: defending against ARP spoofing attacks

ARP address spoofing is a special type of virus, generally a trojan. It does not spread actively and does not replicate itself; however, while attacking it sends forged ARP packets to the whole network and disrupts the network's operation, so it can be more harmful than some worms. In fact, binding MAC addresses on the switch is enough to render such ARP viruses useless.

First, enable port security on the switch. The command to prevent spoofing attacks on the switch is:
Switch(config-if)# switchport port-security
Then, specify the permitted MAC address so that only the valid MAC address is accepted. The switch's anti-spoofing command is:
Switch(config-if)# switchport port-security mac-address 000A.E698.84B7
Of course, specifying addresses statically as above is tedious. Alternatively, let the port learn MAC addresses dynamically and limit the maximum number of MAC addresses the port may learn. The command is:
Switch(config-if)# switchport port-security maximum 24
Then, define the action to take when a MAC address violates the rule. The switch's anti-spoofing command is:
Switch(config-if)# switchport port-security violation shutdown
Here, shutdown disables the port; restrict drops the offending frames and logs them, raising an alarm; protect drops them without logging.
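All four sections above translate into lines that should be present (or absent) in a switch's running configuration, so an auditor's first move is to check a saved config against them rather than trust that each port was hardened by hand. The Python audit below is an added example, not part of the original article or of any vendor tool; it assumes Cisco IOS running-config layout (global lines, interface blocks indented by one space, "!" separators), treats a missing "switchport mode" line as DTP-negotiable (the IOS default is dynamic), treats a missing "switchport port-security violation" line as the default shutdown, and treats a trunk with no "switchport trunk allowed vlan" line as allowing all VLANs. The sample configuration is constructed for the demonstration; interface names and the rule names are my own.

```python
def parse_ios_config(text):
    """Split an IOS running-config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # "!" ends the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def allowed_vlans(lines):
    """Resolve 'switchport trunk allowed vlan ...' lines; no line means all VLANs."""
    allowed = None
    for line in lines:
        tokens = line.split()
        if tokens[:4] != ["switchport", "trunk", "allowed", "vlan"]:
            continue
        if tokens[4] == "add":                  # IOS wraps long lists onto 'add' lines
            allowed = (allowed or set()) | expand_vlan_list(tokens[5])
        else:
            allowed = expand_vlan_list(tokens[4])
    return allowed if allowed is not None else set(range(1, 4095))


def audit(text):
    """Return a list of findings against the four anti-spoofing settings."""
    findings = []
    global_lines, interfaces = parse_ios_config(text)
    if "vlan dot1q tag native" not in global_lines:
        findings.append("global: native VLAN frames are not tagged (missing 'vlan dot1q tag native')")
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping is not enabled")
    elif not any(g.startswith("ip dhcp snooping vlan") for g in global_lines):
        findings.append("global: DHCP snooping enabled but no VLAN is inspected")
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            findings.append(f"{name}: DTP negotiation possible (switchport mode is {mode or 'default'})")
        elif mode == "access":
            trusted = "ip dhcp snooping trust" in lines
            if "switchport port-security" not in lines:
                findings.append(f"{name}: port security not enabled")
            violation = next((l.split()[-1] for l in lines
                              if l.startswith("switchport port-security violation ")), "shutdown")
            if violation == "protect":
                findings.append(f"{name}: violation mode 'protect' drops silently; violations are not logged")
            if not trusted and not any(l.startswith("ip dhcp snooping limit rate") for l in lines):
                findings.append(f"{name}: untrusted port has no DHCP rate limit")
        elif mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append(f"{name}: trunk native VLAN left at default 1")
            if native in allowed_vlans(lines):
                findings.append(f"{name}: native VLAN {native} is not pruned from the trunk")
    return findings


# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """!
vlan dot1q tag native
ip dhcp snooping
ip dhcp snooping vlan 2
!
interface GigabitEthernet0/1
 description user port, fully hardened
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 24
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/2
 description user port left negotiable
 switchport mode dynamic auto
 switchport access vlan 2
!
interface GigabitEthernet0/22
 description uplink with default native VLAN
 switchport mode trunk
!
interface GigabitEthernet0/23
 description uplink, native VLAN moved and pruned
 switchport mode trunk
 switchport trunk native vlan 200
 switchport trunk allowed vlan 2,3
!
interface GigabitEthernet0/24
 description DHCP server
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 ip dhcp snooping trust
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the hardened user port and the pruned trunk produce no findings, while the negotiable port, the trunk still on native VLAN 1, and the server port's silent protect mode each do; the running-config shows the result of "switchport trunk allowed vlan remove 200" as the remaining list, which is why the audit checks membership rather than looking for the remove command itself.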

The above are the technical details of the switch's defenses against spoofing attacks. We believe that, combined with appropriate rules and regulations, these switch security settings can keep the network's switches secure.
