MAC Address, ARP, and DHCP Vulnerabilities
Mitigating MAC spoofing attacks

Use the port security interface configuration command to mitigate MAC spoofing attacks. Port security lets you specify the MAC address of the system connected to a particular port, and it also lets you specify the action the switch takes when a port security violation occurs. However, as with the mitigation for CAM table overflow attacks, specifying a MAC address on every port is an unmanageable solution.

Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry stays in the ARP cache. However, hold-down timers by themselves are insufficient: the ARP cache expiration time would also have to be modified on every end system, along with static ARP entries. Even in a small network this approach does not scale well. One solution is to use private VLANs to help mitigate these network attacks.
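As an added example (not part of the original text), the following Cisco IOS session applies the two mitigations described above to one access port and one routed VLAN interface. The interface names, the violation mode and the timer values are assumptions; sticky learning is used so that the switch records the connected MAC itself instead of an administrator typing one address per port, which is the scaling problem noted above.

```cisco
! Added example: port security on an access port plus an ARP cache timer.
! Interface names, the violation mode and timer values are illustrative.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
! Enable port security and allow only one secure MAC address on the port.
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
! Sticky learning writes the first MAC seen into the running configuration,
! so the address does not have to be entered by hand on every port.
Switch(config-if)# switchport port-security mac-address sticky
! Action on violation: restrict drops frames from any other source MAC and
! increments the violation counter; shutdown would err-disable the port.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! Hold-down timer for the ARP cache on the routed interface: entries expire
! after 300 seconds instead of the IOS default of 14400 seconds (4 hours).
Switch(config)# interface Vlan10
Switch(config-if)# arp timeout 300
Switch(config-if)# end
! Verify the secure address, the violation count and the ARP cache state.
Switch# show port-security interface GigabitEthernet0/1
Switch# show port-security address
Switch# show ip arp
```

A shorter ARP timeout only limits how long a poisoned entry survives on the switch or router; as the text notes, end systems keep their own caches, so this does not stop ARP spoofing on its own.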


Lab Activity

Lab Exercise: Mitigate Layer 2 Attacks

In this lab activity, students configure network switches and routers to mitigate Layer 2 attacks. After completing this activity, students will be able to mitigate CAM table overflow attacks, MAC spoofing attacks, and DHCP starvation attacks.