Layer 2 threat mitigation is important, it is defense from an insider who aims to damage the network. There are security devices such as firewall, IDS/IPS, and other systems to protect the network but these technologies do not work at layer 2.
There are many threat that can be initiated by an insider in a local network, such as insider could leak or grab information, he/she can cause a denial of service condition to switch or servers.
It is the attack against switches that feeds too many false MAC addresses to flood the switch and make it unresponsive resulting in a denial of service. Port security is featuring on switches to handle this type of attack.
This is another attack that works on layer 2 and results in a denial of service condition. In this attack the attacker sends too many MAC address to server to get IP addresses and it empties the pool of addresses in result the legitimate user cannot get access to the network resources.
DHCP work on DORA mechanism where this attack only Discovers and gets the Offer, it does not replies with Request and starves the DHCP server.
DHCP snooping is a feature in switches that could handle this type of attack, it is also a layer 2 attack because this protocol works on layer 2 communication.
It is a measure that could be used on ports to allow N number Discover of requests from client and block of limits exceeds and also N number of Offer request from server to clients.
This technology does not only protect you from DHCP starving but it also protects you from Rogue DHCP server.
The configuration is quite simple, turn on the snooping in global configuration, assign VLANs to it, limit the requests from clients to DHCP and allow the port that is connected to DHCP server to assign IP configuration to clients.
The first figure shows that the feature is disabled by default.
Now enable the feature globally.
Assign VLANs to this feature.
Apply rate limit on client ports so they can never exceeds the discovery message limit.
Now each client can make 10 request of DHCP recovery if it exceeds the limit switch blocks the request.
Now we need to assign trust port for DHCP server so the server can Offer the addresses. Notice that this port should be the one on which the DHCP server is directly connected to or the trunk link port.
Notice that all ports have rate limit of 10 and the trust is no which means no other port can offer the DHCP configuration except port fa0/24.
With this simple practice we have mitigated two major threats together one is DHCP starving and other is Rogue DHCP.
DHCP starving threat has been mitigated by limiting the clients to 10 requests of Discovery.
Rogue DHCP threat has been mitigated by only assigning one port to be responsible for DHCP by giving it trust. Now if any other port offers the DHCP configuration it will be blocked.
Prerequisites for 200-301
200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.
The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
Full Version 200-301 Dumps