Cisco Switch Security

Below I will go over the different security threats that can occur on our network and a way to mitigate each of them. This is important because these attacks are not hard for an internal employee to carry out, and that is where most security threats come from. I’ve always implemented these if they were not already implemented.


Port Security limits the number of MAC Addresses allowed on a switch interface. It creates its own database, and when a device connects to a port, the MAC Address and port are kept in this database. If a new device comes along and plugs into a port that already has a MAC Address assigned to it, the port will be locked down. This will only happen if you are running Port Security and you are only allowing 1 MAC Address on that port. There are many options to configure when it comes to Port Security.

SW01# show port-security address
          Secure Mac Address Table
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa2/1      15 (I)
   1    0001.0001.0002    SecureDynamic       Fa2/1      15 (I)
Total Addresses in System: 2
Max Addresses limit in System: 128

DHCP Snooping prevents rogue devices from behaving as the DHCP server on your network, which could be used for attacks like Man in the Middle (MITM), blackholing, and DoS. It’s basically used to police the network and keep track of the valid IP Addresses assigned to downstream network devices by a trusted DHCP server. This DHCP server is connected to a Trusted port. DHCP Snooping uses a system based on Trusted and Untrusted ports. PCs, laptops, printers, and any other device that will use DHCP are connected to Untrusted ports. These devices are considered outside your administrative control, so they are not Trusted. DHCP servers and uplink ports are in your administrative control, so they are considered Trusted. Those ports need to be configured as Trusted manually. It is important to know that in order for DHCP Snooping to function properly, all DHCP servers must be connected to the switch through Trusted interfaces. Also, by default, ALL ports in a VLAN are Untrusted.

Just like Port Security, DHCP Snooping builds its own database by inspecting DHCP packets on Untrusted ports. In this database you will see the MAC Address, IP Address, Lease Time, VLAN, and Interface. Entries stay in the table until the DHCP lease expires.

SW01#sh ip dhcp snooping binding 
MacAddress          IpAddress        Lease (sec) Type           VLAN Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:4C:05:85:35:18     337469      dhcp-snooping   10    FastEthernet2/12
67:B3:55:F9:B2:7D     542603      dhcp-snooping   10    FastEthernet3/12

This table is critical for other technologies like Dynamic ARP Inspection (DAI) and IP Source Guard. These will be talked about next.

It’s good to know the process DHCP goes through in order to give a client an IP Address from a Pool:
DHCPDISCOVER (Broadcast) – From Client to Server
NOTE: In this message, there’s a field called “chaddr” which is the client hardware address. This is actually the source MAC Address from the client’s device by default.
DHCPOFFER (Unicast) – From Server to Client
DHCPREQUEST (Broadcast) – From Client to Server
DHCPACK (Unicast) – From Server to Client

The client will now have an IP Address and will be able to use the Address Resolution Protocol (ARP) to prevent IP conflicts caused by overlapping address pools of DHCP servers.

Now how does DHCP Snooping work when it comes to mitigating the attackers?

The switch drops a DHCP packet when one of these situations occurs:

1. If the switch receives any kind of DHCP message that ONLY a DHCP server would send on an Untrusted interface. Those are DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY.

2. DHCP Snooping discards all Untrusted DHCP packets that are not consistent with the information in the binding table. For example, the switch drops a DHCP packet received on an Untrusted interface where the source MAC Address and the DHCP client hardware address do not match. If you look above in the DHCP process, DHCPDISCOVER has the client hardware address field. This should match the actual source MAC Address. If a mismatch is detected, the packet will be blocked.

DHCP Snooping is DHCP based, meaning that it’s only looking at DHCP packet traffic. It’s not focused on IP Addresses, MAC Addresses, or ARP. That’s why there are IP Source Guard and Dynamic ARP Inspection, which both use the same binding table.

IP Source Guard looks at the MAC Address and IP Address fields in the DHCP Snooping Binding Table to check whether the traffic arriving on the interface matches an entry in that table; if it does NOT, the traffic is blocked.

ARP is not used with IPSG. That’s where Dynamic ARP Inspection comes into play.

Dynamic ARP Inspection also uses the DHCP Snooping Binding Table, but it looks at the MAC Address and IP Address fields to check whether the ARP packet arriving on the interface matches an entry in the binding table; if it does NOT, the traffic is blocked. So DAI looks at ARP to see if the IP-to-MAC mapping in the ARP packet matches the mapping in the binding table.


Rogue DHCP Server – In this attack the attacker uses a rogue DHCP server which impersonates a legitimate DHCP server on the LAN. This can cause a DoS or a Man in the Middle attack. An example of a MITM attack would be that this rogue DHCP server gives out a new default gateway and DNS addresses pointing to a laptop running a sniffer. Once the data is sniffed, the laptop can pass it on to the real default gateway without anyone noticing. The information sniffed could be anything, including usernames and passwords sent in plain text.

Mitigation: DHCP Snooping

DHCP Starvation – The goal of this attack is to use up all the IP Addresses in the Pool so that no clients can get an IP. This is a DoS attack. Like I mentioned above in the DHCP process, the DHCPDISCOVER message has a field called “chaddr” that must be the same as the MAC Address on the device. If an attacker keeps changing their MAC Address (spoofed MAC Addresses), then they could drain/empty the Pool, leaving no IP Addresses left for use, because it tricks the DHCP server into giving them IP Addresses. A way to help mitigate this attack would be to use Port Security. Port Security is not 100% effective because a clever attacker could leave their MAC Address the same and only change the “chaddr” field to accomplish the same thing. This would leave the MAC Address of the device the same, preventing a Port Security trigger. The good news is that DHCP Snooping takes care of this problem.

Mitigation: Port Security & DHCP Snooping

IP Address Hijacking – When a client is ready to give up an IP Address, it will send a DHCPRELEASE message. This tells the server to go ahead and add that IP Address back to the DHCP Pool so that it can be reused. An attacker can attempt to send a DHCPRELEASE message on your behalf and take that IP Address. This will alter the DHCP Snooping database, which will cause the ARP requests from the “legitimate” client to be blocked.

To protect against this type of alteration of the DHCP snooping database, configure MAC addresses that are explicitly allowed on the interface. See Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks.

Mitigation: Port Security

ARP Spoofing – First, what is ARP? ARP is basically an IP Address to MAC Address mapping. In an ARP Spoofing attack, the attacker sends out fake ARP messages onto the network, associating its own MAC Address with the IP Address of a network device connected to the switch. Any traffic sent to that IP Address would now be sent to the attacker’s device. From this point, the attacker can sniff all the traffic and implement a Man in the Middle attack.

Mitigation: DHCP Snooping & Dynamic ARP Inspection (DAI)

Port Security: Prevents CAM attacks and DHCP Starvation attacks (Focuses on MAC Addresses)
DHCP Snooping: Prevents Rogue DHCP Server attacks (Focuses on DHCP packets)
Dynamic ARP Inspection: Prevents ARP attacks (Focuses on ARP)
IP Source Guard: Prevents IP/MAC Spoofing (Focuses on IP Addresses and MAC Addresses)
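To tie the four features together, here is an IOS configuration that enforces everything described above on one access port and one uplink. This is an added example, not configuration from the original post; VLAN 10, the interface names and the 5-minute recovery interval are assumptions.

```cisco
! Global: track DHCP on the user VLAN (VLAN 10 is assumed) and inspect ARP against the binding table
ip dhcp snooping
ip dhcp snooping vlan 10
! Keep the binding table across reloads so IPSG and DAI still have state after a reboot
ip dhcp snooping database flash:dhcp-snooping.db
ip arp inspection vlan 10
! Also sanity-check the ARP body (sender/target MAC and IP), not just the binding lookup
ip arp inspection validate src-mac dst-mac ip
! Re-enable ports shut down by a violation after 5 minutes instead of leaving them dead
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Access port: Untrusted by default, so DHCPOFFER/DHCPACK/DHCPNAK from this side are dropped
interface GigabitEthernet1/0/1
 description User access port (example)
 switchport mode access
 switchport access vlan 10
 ! Port Security: one MAC, learned and saved (sticky), port shut on a second MAC
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ! Rate limits: a flood of DHCPDISCOVER or ARP from a single port err-disables it
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard: only traffic whose source IP is in the snooping binding table gets through
 ip verify source
 spanning-tree portfast
!
! Uplink to the DHCP server: the only place server-side DHCP replies and unchecked ARP may enter
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP server (example)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification commands for the state each feature builds
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection interfaces
! show ip verify source
! show port-security interface GigabitEthernet1/0/1
```

After a client on Gi1/0/1 completes DORA, its entry should appear in `show ip dhcp snooping binding`; until then IPSG drops all of its non-DHCP IP traffic, which is expected behaviour rather than a fault.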
