Cisco 2975 - Catalyst LAN Base Switch Instrukcja Użytkownika Pobierz pdf (Strona 8)

Problem:

– Malicious user pretends to

be the network DHCP

server

– Mis-configured user

starts up a DHCP server

incorrectly

– Malicious user can send

out bogus address,

deplete the address

space or spoof the default

gateway

DHCP Spoofing Attack

Rogue DHCP Offer

IP: 10.1.1.20/24

GW: 10.1.1.1

DNS: 192.168.1.122

DHCP

Discovery

Broadcast

Victim

DHCP

Server

User Ports

Untrusted

DHCP

Server

√

Solution

– Untrust user ports so only

DHCP Requests can be

sent

– Snoop DHCP information

for integrity

DHCP Snooping

DHCP

Client

DHCP

Server

Rogue

Server

Trusted

DHCP Snooping Enabled

√

What It Does:

Switch forwards only DHCP

requests from untrusted

access ports, drops all other

types of DHCP traffic. Allows

only designated DHCP ports or

uplink ports trusted to relay

DHCP Messages

Builds a DHCP binding table

containing client IP address,

client MAC address, port,

VLAN number

Benefit:

Eliminates rogue devices from

behaving as the DHCP server

Untrusted

1 2 3 4 5 6 7 8 9 10 11 12 13 ... 28 29

Komentarze do niniejszej Instrukcji

Brak uwag

Cisco 2975 - Catalyst LAN Base Switch Instrukcja Użytkownika Strona 8

Komentarze do niniejszej Instrukcji

Powiązane produkty i podręczniki dla Networking Cisco 2975 - Catalyst LAN Base Switch