CCSP SNRS Exam Self-Study: Mitigating Layer 2 Attacks

Chapter Description

This excerpt from the official Cisco SNRS study guide discusses Layer 2 attacks, mitigations, best practices, and functionality within the scope of the CCSP SNRS exam framework.

Foundation Summary

The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your SNRS exam, a well-prepared candidate should at a minimum know all the details in each "Foundation Summary" before going to take the exam.

The most common types of Layer 2 attacks and mitigation strategies are as follows:

CAM table overflow— In a CAM table overflow attack, an attacker floods the switch from a single port with frames carrying thousands of bogus source MAC addresses, which the switch learns as if they belonged to valid hosts. Once the CAM table is full, the switch can no longer learn new addresses and floods frames for unknown destinations out every port in the VLAN, so the attacker can capture traffic meant for other hosts. You can mitigate CAM table overflow attacks in several ways. The primary one is to configure port security on the switch, which limits the number of MAC addresses a port may learn and defines what happens when that limit is exceeded. Port security accepts MAC addresses in three ways: static secure MAC addresses (configured manually), dynamic secure MAC addresses (learned from traffic and lost on reload), and sticky secure MAC addresses (learned dynamically and written into the running configuration).
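The port security configuration described above, as an added example that is not part of the SNRS text. The interface names, VLAN numbers and the MAC address are assumptions for illustration, and the weak (default) port is shown beside the hardened one:

```cisco
! Added example, not from the SNRS study guide. Interfaces, VLANs and the MAC
! address below are assumptions for illustration.
!
! --- Weak: the default. No port security, so the port learns an unlimited
! number of source MACs and a flood of bogus addresses fills the CAM table.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! --- Hardened: cap the port at the MACs that really belong there.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
! Allow one IP phone plus the PC behind it; the default maximum is 1.
 switchport port-security maximum 2
! restrict: drop offending frames, count the violation and raise a syslog/SNMP
! trap, but keep the port up (shutdown, the default, err-disables the port).
 switchport port-security violation restrict
! Sticky: addresses learned on this port are added to the running config, so
! they survive a reload once the config is saved; dynamic ones would not.
 switchport port-security mac-address sticky
!
! --- A server port whose hardware never changes: pin the address statically
! and err-disable the port on any other source MAC.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! If you keep the shutdown violation mode, let err-disabled ports recover on
! their own after 5 minutes instead of waiting for an operator.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with show port-security interface GigabitEthernet0/1 (the SecurityViolation counter and the current secure-address count) and show port-security address. Pick the violation mode deliberately: restrict keeps a shared phone-and-PC port working while still alerting, whereas shutdown on a flooded port takes the attacker's port down but also anything legitimate behind it.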

VLAN hopping— There are two types of VLAN hopping attacks: switch spoofing, in which the attacker's station negotiates a trunk with the switch (for example by speaking DTP) and thereby gains access to every VLAN carried on that trunk, and double tagging, in which the attacker sends a frame with two 802.1Q tags so that the first switch strips the outer tag (the trunk's native VLAN) and the next switch forwards the frame into the VLAN named by the inner tag. Double tagging only works when the attacker's access VLAN is the native VLAN of the trunk. Mitigating VLAN hopping attacks requires the following configuration modifications:

  • Always use a dedicated, otherwise unused VLAN ID as the native VLAN of all trunk ports.
  • Disable all unused ports and place them in an unused VLAN.
  • Set all user ports to nontrunking mode by disabling DTP. Use the switchport mode access command in interface configuration mode; adding switchport nonegotiate stops the port from sending DTP frames at all.
  • For backbone switch-to-switch connections, explicitly configure trunking (switchport mode trunk) rather than relying on DTP negotiation.
  • Do not use a VLAN that carries user traffic as the native VLAN of a trunk port.
  • Do not use VLAN 1 as the switch management VLAN.
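The six items above applied to one access switch, as an added example that is not part of the SNRS text. The interface ranges and VLAN numbers (10 for users, 999 as a black-hole VLAN, 998 as the trunk native VLAN, 99 for management) and the management address are assumptions:

```cisco
! Added example, not from the SNRS study guide. Interface ranges, VLAN IDs and
! the management address are assumptions for illustration.
!
! User ports: forced access mode. "switchport mode access" refuses to become a
! trunk; "switchport nonegotiate" also stops the port sending DTP frames, so an
! attacker has nothing to negotiate with.
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
!
! Unused ports: park them in a VLAN that carries nothing and shut them down.
vlan 999
 name BLACKHOLE
interface range GigabitEthernet0/21 - 46
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Switch-to-switch link: trunking configured explicitly, never negotiated,
! with a native VLAN no user port belongs to and an explicit allowed list
! instead of the default "all". Because no access port is in VLAN 998, a
! double-tagged frame from a user port no longer has its outer tag stripped.
vlan 998
 name TRUNK-NATIVE
interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,99
!
! Belt and braces on platforms that support it: tag the native VLAN on every
! trunk too, so no frame ever crosses a trunk untagged.
vlan dot1q tag native
!
! Management: not VLAN 1. Shut the VLAN 1 SVI and manage over a dedicated VLAN.
interface Vlan1
 shutdown
vlan 99
 name MGMT
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
```

On platforms that only support 802.1Q (for example the Catalyst 2960) the switchport trunk encapsulation dot1q line is not accepted and should be omitted. Check the result with show interfaces trunk: every trunk should list the dedicated native VLAN and the explicit allowed list, and show interfaces switchport on a user port should report "Negotiation of Trunking: Off".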

STP manipulation— An STP attack involves an attacker spoofing the root bridge in the topology. The attacker's system sends STP configuration or topology change BPDUs in an attempt to force an STP recalculation. The BPDUs announce a lower bridge priority, and therefore a superior bridge ID, than the current root, so the switches elect the attacker's system as root. Traffic between switches is then forwarded across the attacker's system, which can see a variety of frames that would otherwise never have reached it.

To mitigate STP manipulation, use the root guard and BPDU guard features in the Cisco IOS Software. BPDU guard is applied to access (PortFast) ports, where no BPDU should ever arrive; a port that receives one is placed in the err-disabled state. Root guard is applied to ports that face other switches but must never lead toward the root; if a superior BPDU arrives, the port is blocked (root-inconsistent) until the superior BPDUs stop.
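Root guard and BPDU guard configured on a distribution switch that is meant to be root, as an added example that is not part of the SNRS text. Interface numbers are assumptions:

```cisco
! Added example, not from the SNRS study guide. Interfaces are assumptions.
!
! Make the intended root deterministic. A fixed low priority is more
! predictable than "root primary", which only picks a value relative to
! whatever root is currently seen.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
! Access ports: PortFast plus BPDU guard. An end host never sends BPDUs, so a
! BPDU here means a rogue switch or an attack tool; the port goes err-disabled
! instead of taking part in the election. The global command covers every
! PortFast port; the interface command makes it explicit on this range.
spanning-tree portfast bpduguard default
interface range GigabitEthernet0/1 - 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Link toward an access switch that must never become root: root guard. The
! port still participates in STP, but a superior BPDU moves it to the
! root-inconsistent (blocking) state until those BPDUs stop arriving.
interface GigabitEthernet0/47
 switchport mode trunk
 spanning-tree guard root
!
! Let BPDU-guard err-disabled ports recover on their own after 5 minutes.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

show spanning-tree inconsistentports lists ports currently held by root guard, and show spanning-tree summary shows whether BPDU guard is enabled by default. Root guard goes on the designated side of the link (the switch that should stay closer to the root), never on the uplink toward the real root, or that uplink will block.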

MAC address spoofing— MAC address spoofing involves the use of a known MAC address of another host that is authorized to access the network. By sending frames with that source address, the attacker makes the switch relearn the address on its own port, so frames destined for the actual host are forwarded to the attacker instead. A related technique uses ARP: the attacker sends gratuitous ARP replies that map another host's IP address (often the default gateway's) to the attacker's MAC address, poisoning the ARP caches of the victims.

Use the switchport port-security commands described in the "Mitigating CAM Table Overflow Attacks" section to bind MAC addresses to particular ports, so a spoofed address appearing on the wrong port is a violation. DHCP snooping mitigates spoofing indirectly: it builds a binding table of MAC address, IP address, VLAN and port for every lease the switch sees, and drops DHCP server messages on untrusted ports. Dynamic ARP Inspection (DAI) uses that binding table to drop ARP packets on untrusted ports whose sender MAC and IP address do not match a binding, which defeats ARP poisoning.

Private VLAN— Private VLANs restrict Layer 2 communication between ports that share a VLAN and an IP subnet. The three types of private VLAN ports are community (ports that can talk to each other and to promiscuous ports), isolated (ports that can talk only to promiscuous ports), and promiscuous (ports, usually toward the router, that can talk to every port in the private VLAN).

The private VLAN attack bypasses that isolation at Layer 3: the attacker sends a packet addressed to the victim's IP address but to the router's MAC address. The switch forwards it to the promiscuous port, and the router routes it back into the same subnet to the victim. You can configure an ACL on the router interface that denies traffic sourced from the subnet and destined to the same subnet to mitigate private VLAN attacks. You can also use VLAN ACLs (VACLs) on Cisco Catalyst Layer 3 switch platforms to help mitigate the effects of private VLAN attacks.
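A private VLAN with isolated, community and promiscuous ports, and the router ACL that closes the Layer 3 proxy hole, as an added example that is not part of the SNRS text. The VLAN and interface numbers, the 10.1.1.0/24 subnet and the gateway address 10.1.1.1 are assumptions:

```cisco
! Added example, not from the SNRS study guide. VLAN IDs, interfaces, the
! subnet 10.1.1.0/24 and gateway 10.1.1.1 are assumptions for illustration.
!
! --- On the switch. Private VLANs require VTP transparent mode (or VTPv3).
vtp mode transparent
!
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Isolated host: talks only to the promiscuous port (the gateway).
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community hosts: talk to each other and to the promiscuous port.
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Promiscuous port toward the router: mapped to every secondary VLAN.
interface GigabitEthernet0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! --- On the router. An isolated host can still send an IP packet to the
! victim's IP but to the router's MAC; the switch delivers it to the
! promiscuous port and the router routes it straight back into the subnet.
! Drop same-subnet-to-same-subnet traffic arriving from the private VLAN,
! but still allow hosts to talk to the gateway itself.
ip access-list extended PVLAN-NO-PROXY
 permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
interface GigabitEthernet0/0
 description Toward the private VLAN promiscuous port
 ip address 10.1.1.1 255.255.255.0
 ip access-group PVLAN-NO-PROXY in
```

The log keyword on the deny line is what turns an attempted proxy attack into an alert; check it with show access-lists PVLAN-NO-PROXY. The same filter can be written as a VACL applied with vlan filter to VLAN 200 on a Catalyst Layer 3 switch, but a VACL sees all bridged traffic in the VLAN as well, so it must exempt legitimate community-to-community traffic rather than denying the whole subnet to itself.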

DHCP "starvation"— A DHCP starvation attack works by broadcasting DHCP requests with many spoofed MAC addresses, one lease per address, until the DHCP server's pool is exhausted and legitimate clients can no longer obtain an address. It is often the first step toward introducing a rogue DHCP server that hands out the attacker's own gateway and DNS addresses.

The methods used to mitigate MAC address spoofing also help against DHCP starvation. DHCP snooping rate-limits DHCP messages on untrusted ports, checks that the source MAC address of a client message matches the hardware address inside the DHCP packet, and drops server messages that arrive on untrusted ports, which also stops a rogue server. Limiting the number of MAC addresses on a switch port with port security, the mitigation for CAM table flooding, caps how many spoofed addresses a starvation tool can use. IP source guard, which drops IP packets whose source address does not match the DHCP snooping binding for the port, provides additional defense against the follow-on spoofing attacks.
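DHCP snooping, DAI, port security and IP source guard on one access switch, as an added example that is not part of the SNRS text and that serves both the MAC address spoofing and the DHCP starvation mitigations above, since all of them build on the same DHCP snooping binding table. VLAN 10, the interface numbers and the rate limits are assumptions:

```cisco
! Added example, not from the SNRS study guide. VLAN 10, interfaces and the
! rate limits are assumptions for illustration.
!
! 1. DHCP snooping. Every port is untrusted by default: untrusted ports may
!    only carry client messages (DISCOVER/REQUEST); server messages (OFFER/
!    ACK) arriving there are dropped, and each lease seen is recorded as a
!    MAC/IP/VLAN/port binding that DAI and IP source guard consult.
ip dhcp snooping
ip dhcp snooping vlan 10
! On by default, shown for clarity: drop client packets whose Ethernet source
! MAC differs from the DHCP "chaddr" field. A starvation tool that rotates
! chaddr but keeps one real source MAC fails this check even though port
! security would not see anything unusual.
ip dhcp snooping verify mac-address
! The switch inserts option 82 on untrusted ports by default and many DHCP
! servers then discard the request. Turn it off unless the server expects it.
no ip dhcp snooping information option
! Keep bindings across reloads so DAI and IPSG do not cut off hosts after one.
ip dhcp snooping database flash:dhcp-snooping.db
!
! 2. Dynamic ARP inspection: ARP packets on untrusted ports are checked against
!    the bindings; a reply claiming an IP/MAC pair that is not bound to that
!    port is dropped. Also validate the Ethernet and IP headers.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the real DHCP server and other switches: trusted for both.
interface GigabitEthernet0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port: untrusted (default) and rate limited. A real host needs far
! fewer than 10 DHCP packets per second; exceeding it err-disables the port.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
! Port security caps the number of source MACs the port will learn.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
! IP source guard: drop IP packets whose source IP (and, with the
! port-security keyword, source MAC) is not in the binding for this port.
 ip verify source port-security
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Confirm that leases are being learned with show ip dhcp snooping binding before enabling DAI or IP source guard on a VLAN; hosts with static addresses have no binding and must be covered with an ARP access list (arp access-list, applied with ip arp inspection filter) or a static ip source binding entry, or they will be cut off. show ip arp inspection statistics vlan 10 and show ip verify source show what is being dropped.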

IEEE 802.1x attack— IEEE 802.1x is an IEEE standard link layer (Layer 2) protocol that provides port-based network access control: a switch port (or wireless association) passes only EAP over LAN (EAPOL) traffic until the device or user behind it has authenticated, typically against a RADIUS server, using credentials unique to that device or user.

Two types of vulnerabilities are associated with EAP as carried by 802.1x: man-in-the-middle attacks, in which an attacker positioned between supplicant and authenticator can inject unauthenticated messages such as EAP-Success because the base protocol does not authenticate them, and session-hijacking attacks, in which an attacker takes over a client's already-authorized port or association by spoofing its MAC address. Cisco recommends deploying PEAP, which wraps the EAP exchange in a server-authenticated TLS tunnel, for use in a wireless LAN environment, and deploying 802.1x on all access switches to limit physical access to the network.
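The switch (authenticator) side of an 802.1x deployment, as an added example that is not part of the SNRS text. The RADIUS server address, the shared-secret placeholder and the interface are assumptions; PEAP itself is selected on the supplicant and the RADIUS server, not on the switch:

```cisco
! Added example, not from the SNRS study guide. RADIUS address, shared secret
! placeholder and interface are assumptions. Classic IOS 12.2 syntax.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.99.0.10 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET
! Enable 802.1X globally; without this the interface commands do nothing.
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
! This switch is the authenticator. With port-control auto the port passes
! only EAPOL until the RADIUS server returns Access-Accept.
 dot1x pae authenticator
 dot1x port-control auto
! single-host (the default, made explicit): only the authenticated MAC may
! send; a frame from any other source MAC is a security violation, so a
! hijacker cannot quietly share the authorized port.
 dot1x host-mode single-host
! Periodic reauthentication bounds how long a hijacked authorized state can
! be used.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

On IOS releases from 12.2(50)SE onward the interface commands are authentication port-control auto, authentication host-mode single-host, authentication periodic and authentication timer reauthenticate 3600; the global and AAA lines are unchanged. show dot1x interface GigabitEthernet0/1 reports the port status (AUTHORIZED or UNAUTHORIZED) and the authenticated MAC.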