CCNA 6.2: Describe common access layer threat mitigation techniques

Overview: Common access layer threats include unauthorized clients connecting to a LAN, rogue DHCP servers and VLAN hopping by way of double tagging. 802.1x, DHCP snooping and Nondefault native VLAN are techniques to mitigate access layer types of vulnerabilities.


Study Notes:

6.2.a 802.1x

  • A client-server-based access control and authentication protocol preventing unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated
  • The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN
  • Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected
  • After authentication is successful, normal traffic can pass through the port


6.2.b DHCP snooping

  • Not to be confused with DHCP spoofing (a bad thing)
  • DHCP snooping (a good thing) is a security feature, typically on a switch, that acts like a firewall between untrusted hosts and trusted DHCP servers
  • DHCP snooping is enabled on a per-VLAN basis and is inactive by default
  • Filters out invalid DHCP messages received from untrusted sources
  • Rate-limits DHCP traffic from both trusted and untrusted sources
  • Maintains a bindings database mapping vlan to untrusted hosts with leased IP addresses
  • Uses that database to validate subsequent requests from untrusted hosts


6.2.c Nondefault native VLAN

    • The default native VLAN is VLAN1
    • The nondefault native VLAN means you changed the native VLAN to be something other than VLAN 1
    • There are a lot of things that are defaulted to VLAN 1 and that means a lot of bad things can happen either accidentally or by way of purposeful exploits
    • VLAN hopping by way of double tagging is one such exploit.  It can be easily averted by using a nondefault native vlan
Switch(config-if)# switchport trunk native vlan 999
Leave a Reply
Built by TrailSix