Today we will discuss two important topics: DHCP Snooping and the non-default Native VLAN. Before you go on to the lesson, we invite you to visit our other YouTube channel, where you can watch a video on how to improve your memory. I recommend subscribing to that channel, because there we post lots of useful self-improvement tips.
This lesson covers sections 1.7b and 1.7c of the ICND2 topics. Before we begin DHCP Snooping, let’s recall a few points from previous lessons. If I’m not mistaken, we studied DHCP in the “Day 6” and “Day 24” lessons. There we discussed the important details of how a DHCP server assigns IP addresses and the corresponding message exchange.
Normally, when an End User device joins the network, it sends a broadcast query that all devices on the network “hear”. If the device is directly connected to the DHCP server, the request reaches the server directly. If there are intermediate devices in the network, routers and switches, the request passes through them on its way to the server. On receiving the request, the DHCP server responds to the user with an offer; the user then sends a request for the offered IP address, and the server assigns that address to the user device. This is the process of obtaining an IP address under normal conditions. In the example diagram, the End User receives the address 192.168.10.10 and the gateway address 192.168.10.1. After that, the user can reach the Internet through this gateway or communicate with other network devices.
Now suppose that, in addition to the real DHCP server, there is a rogue DHCP server in the network: the attacker simply runs a DHCP server on their own computer. In this case the user joining the network still sends the same broadcast message, which the router and switch forward towards the server.
However, the rogue server also “listens” on the network, and on receiving the broadcast it replies to the user with its own offer before the real DHCP server does. After accepting it, the user receives from the attacker the IP address 192.168.10.2 and the gateway address 192.168.10.95.
The process of obtaining an IP address is abbreviated as DORA and consists of 4 stages: Discover, Offer, Request and Acknowledgement. As you can see, the attacker gives the device a perfectly legitimate IP address from the network’s available range, but instead of the real gateway address 192.168.10.1 “slips” it a fake one, 192.168.10.95, which is the address of the attacker’s own computer.
After that, all end-user traffic destined for the Internet passes through the attacker’s computer. The attacker forwards it on, and the user notices no difference, because the Internet is still reachable.
Likewise, return traffic from the Internet is delivered to the user through the attacker’s computer. This is what is called a Man in the Middle (MitM) attack, literally “the man in the middle”. All user traffic passes through the attacker’s computer, and the attacker can read everything the user sends or receives. This is one type of attack that can take place in networks using DHCP.
The second type of attack is called Denial of Service (DoS), or “denial of service”. What happens here? The attacker’s computer no longer acts as a DHCP server; now it is just an attacking client. It genuinely sends the DHCP server a Discover, receives an Offer in response, then sends a Request and receives an IP address. The attacker’s computer repeats this every few milliseconds, obtaining a new IP address each time.
Depending on its settings, the real DHCP server has a pool of hundreds or several hundreds of vacant IP addresses. The attacker’s computer obtains addresses .1, .2, .3 and so on until the address pool is completely exhausted. After that, the DHCP server can no longer provide IP addresses to new clients on the network. If a new user joins the network, it cannot obtain a free IP address. That is the point of a DoS attack on a DHCP server: to deprive it of the ability to issue IP addresses to new users.
To counter such attacks, the concept of DHCP Snooping is used. This is a Layer 2 (OSI) function that acts like an ACL and works only on switches. To understand DHCP Snooping, you need to consider two concepts: trusted ports and untrusted ports.
Trusted ports pass any type of DHCP message. Untrusted ports are the ports connected to clients, and DHCP Snooping filters the DHCP messages received on those ports, dropping the ones a client has no business sending.
If you remember the DORA process, the D message goes from the client to the server, and the O message from the server to the client. Then the client sends the R message to the server, and the server sends the A message to the client.
D and R messages from untrusted ports are accepted, while O and A messages arriving on them are discarded. When you enable DHCP Snooping, all ports of the switch are considered untrusted by default. This function can be enabled for the switch as a whole or for individual VLANs. For example, if a port belongs to VLAN10, it is possible to enable the feature only for VLAN10, and then its ports become untrusted.
As the system administrator, once you enable DHCP Snooping you will have to go into the switch settings and configure the ports so that only ports connected to server-type devices are considered trusted. This applies to any type of server, not just DHCP.
For example, if a port is connected to another switch, a router or the real DHCP server, then that port is configured as trusted. The other switch ports, to which end-user devices or wireless access points are connected, must be configured as untrusted. Therefore any device such as an access point to which users connect is attached to the switch through an untrusted port.
If the attacker’s computer sends O or A type messages to the switch, they are blocked, because such traffic is not allowed in through an untrusted port. This is how DHCP Snooping prevents the attack types described above.
In addition, DHCP Snooping builds a DHCP bindings table. After a client receives an IP address from the server, that address, together with the MAC address of the receiving device, is recorded in the DHCP Snooping table. These two characteristics are bound to the untrusted port to which the client is connected.
This helps, for example, to prevent a DoS attack. If a client with this MAC address has already received an IP address, why would it need a new one? In that case any attempt at such activity is prevented immediately after checking the entries in the table.
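The following is an added configuration example for a Cisco IOS access switch; it is not part of the original lesson. It assumes the clients live in VLAN 10, that GigabitEthernet0/1 is the uplink towards the router and the real DHCP server, and that GigabitEthernet0/2 through 0/24 connect end-user devices and access points (all interface names and VLAN numbers are assumptions). Besides trusting the uplink, it rate-limits DHCP packets on the untrusted client ports, which slows down the pool-exhaustion attack described above.

```cisco
! Added example: DHCP Snooping on an access switch (assumed topology, not the lesson's own config)
! Enable the feature globally, then for the client VLAN; every port is untrusted by default
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
!
! Only the uplink towards the router / real DHCP server is trusted,
! so Offer and Acknowledgement messages are accepted from it
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description Uplink to router and real DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! Client ports stay untrusted: Offer/Ack from them are dropped, and
! Discover/Request are limited to 10 packets per second per port
Switch(config)# interface range GigabitEthernet0/2 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# end
!
! Verification: trusted ports and per-VLAN state, then the bindings table
! (IP address, MAC address, lease, VLAN and the port each client was learned on)
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

A port that exceeds its rate limit is placed in the err-disabled state, so the limit should be set above the legitimate DHCP rate of the devices behind it (an access point with many clients may need a higher value than a single PC). The bindings table shown by the last command is the one the lesson describes: one entry per client IP address, MAC address and untrusted port.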
The next thing we should discuss is the Nondefault, or non-default, Native VLAN. We have raised the topic of VLANs repeatedly, devoting four lessons to these networks. If you have forgotten what they are, I advise you to review those lessons.
We know that on Cisco switches the default Native VLAN is VLAN1. There is an attack called VLAN Hopping. Assume that the computer in the diagram is connected to the first switch in the default native VLAN1, and that the computer connected to the last switch is in VLAN10. Between the switches there is a trunk.
Normally, when traffic from the first computer reaches the switch, the switch knows that the port this computer is connected to belongs to VLAN1. When the traffic is then sent onto the trunk between the two switches, the first switch reasons like this: “this traffic came from the Native VLAN, so I do not need to tag it”, and forwards it untagged across the trunk to the second switch.
Switch 2, on receiving the untagged traffic, reasons like this: “this traffic has no tag, so it belongs to VLAN1, and I cannot send it into VLAN10”. As a result, the traffic sent by the first computer cannot reach the second computer.
That is exactly how it should be: VLAN1 traffic must not enter VLAN10. Now let’s imagine that the first computer is an attacker’s machine, which crafts a frame tagged with VLAN10 and sends it to the switch. If you remember how VLANs work, when tagged traffic reaches the switch, it does nothing to the frame and simply forwards it further down the trunk. The second switch receives traffic carrying a tag that was created by the attacker instead of by the first switch.
Since the second switch does not know who created the VLAN10 tag, it simply delivers the traffic to the second computer. This is how a VLAN Hopping attack works: the attacker gets into a network that was initially not accessible to him.
This is why you should change the Native VLAN to something other than VLAN1.
To prevent such attacks, we create a random, otherwise unused VLAN, for example VLAN999, VLAN666 or VLAN777, which the attacker generally has no way to use. Then we go to the trunk ports of the switches and configure them to use, for example, Native VLAN666. In this case we change the Native VLAN of the trunk ports from VLAN1 to VLAN666, that is, we use as the Native VLAN a network that is different from VLAN1.
The ports on both sides of the trunk must be configured with the same native VLAN, otherwise we get a native VLAN mismatch error.
Once this is configured, if an attacker decides to carry out a VLAN Hopping attack, it does not work, because native VLAN1 is no longer assigned to any trunk port on the switches. This is the method of protecting against the attack by configuring a non-default native VLAN.
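The following is an added configuration example, not part of the original lesson, showing the native VLAN change on a Cisco IOS switch. It assumes GigabitEthernet0/24 is the trunk between Switch 1 and Switch 2 and that VLAN 666 is otherwise unused (both are assumptions); the same commands must be applied on Switch 2 so the native VLAN matches on both ends of the trunk.

```cisco
! Added example: non-default native VLAN on a trunk (assumed topology, not the lesson's own config)
! Create the dedicated VLAN that will carry only untagged trunk traffic; no access port uses it
Switch1(config)# vlan 666
Switch1(config-vlan)# name NATIVE-UNUSED
Switch1(config-vlan)# exit
!
! Configure the trunk and move its native VLAN from the default VLAN1 to VLAN666
Switch1(config)# interface GigabitEthernet0/24
Switch1(config-if)# description Trunk to Switch2
! The encapsulation command is only needed on platforms that also support ISL
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk native vlan 666
Switch1(config-if)# end
!
! Repeat the same commands on Switch2; the "Native vlan" column must read 666 on both switches
Switch1# show interfaces trunk
Switch1# show interfaces GigabitEthernet0/24 switchport
```

If the two ends disagree, CDP reports a native VLAN mismatch on the console (the %CDP-4-NATIVE_VLAN_MISMATCH message), which is the error the lesson refers to. As a further step on the same theme, the global command `vlan dot1q tag native` makes the switch tag native VLAN frames on its trunks as well, so that no untagged frame is forwarded across the trunk at all.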