Use the port security interface configuration command to mitigate MAC
spoofing attacks. Port security lets the administrator specify the MAC
address of the system connected to a particular port (or cap the number of
addresses the port may learn) and specify the action the switch takes when a
port security violation occurs. However, as with the mitigation for CAM table
overflow attacks, manually specifying a MAC address on every port is an
unmanageable solution in anything but the smallest network. Hold-down timers
in the interface configuration mode can be used to limit ARP spoofing attacks
by setting the length of time an entry stays in the ARP cache, so that a
spoofed entry is aged out sooner. However, hold-down timers by themselves are
insufficient: the ARP cache expiration time would also have to be changed on
every end system, and static ARP entries would be needed for the hosts that
matter. Even in a small network this approach does not scale well. One
solution is to use private VLANs, which confine host-to-host traffic (and
therefore spoofed ARP replies) to the promiscuous port, to help mitigate
these network attacks.
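The three mitigations described above, shown as an added Catalyst IOS
configuration example (this is not configuration from the lab itself). The
interface names, VLAN numbers, IP addresses and the MAC address are assumed
for illustration; adjust them to the topology you are working on.

```cisco
! Added example, not part of the lab. Interface names, VLAN IDs, addresses
! and the MAC address below are assumed values.

! --- Port security: mitigates MAC spoofing, and limits CAM table overflow
!     and DHCP starvation by capping the source MACs a port may learn ---
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Only one MAC allowed on this port; a second source MAC is a violation
 switchport port-security maximum 1
 ! Option A: pin the MAC statically (does not scale across many ports)
 switchport port-security mac-address 0000.1111.2222
 ! Option B: learn the first MAC seen and keep it (comment out Option A)
 ! switchport port-security mac-address sticky
 ! restrict: drop offending frames and raise a log/SNMP trap, port stays up
 ! (the default, shutdown, err-disables the port)
 switchport port-security violation restrict
 ! Age out dynamically learned secure addresses after 10 min of inactivity
 switchport port-security aging time 10
 switchport port-security aging type inactivity

! Verify: port status, violation count, last source address seen
! show port-security interface FastEthernet0/2
! show port-security address

! --- ARP hold-down timer on the gateway SVI: a spoofed entry is aged out
!     after 120 s instead of the IOS default of 14400 s. This only affects
!     the switch/router cache, not the end systems. ---
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 arp timeout 120

! --- Private VLANs: isolated hosts can talk only to the promiscuous port,
!     so a spoofed ARP reply from one host never reaches another host ---
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
! Host ports in the isolated secondary VLAN
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
! Uplink toward the default gateway
interface FastEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

! Verify the primary/secondary association and port membership
! show vlan private-vlan
```

Two checks worth making after applying this: with violation mode restrict,
the port does not go err-disabled, so watch the violation counter in
show port-security interface rather than the link state; and private VLANs
require the switch to be in VTP transparent mode, otherwise the
private-vlan commands are rejected.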
In this lab activity, students will configure network switches and routers
to mitigate Layer 2 attacks. After completing this activity, students will
be able to mitigate CAM table overflow attacks, MAC spoofing attacks, and
DHCP starvation attacks.