Router IOS Security Techniques Computer Science Essay


Security is frequently neglected at the lower layers. Weak security at these layers can enable attacks on the higher layers during data transfer unless protective measures (permissions) are applied. Many network attacks treat the interface of each device in a network as a potential target. Consider a switch connected to a number of devices (PCs and routers). Several attacks permit users on that switch to divert traffic to themselves; these are called man-in-the-middle attacks.

Standard Protocol Considerations


802.1q is the standard by which switches exchange VLAN (Virtual LAN) data. It inserts a 4-byte tag after the source and destination MAC (Media Access Control) addresses. Adding these 4 bytes raises the maximum Ethernet frame size from 1518 to 1522 bytes. Of the 4 tag bytes, the first 2 act as the Ethernet tag protocol identifier, and the remaining 2 bytes are divided into bit fields: the VLAN identifier uses 12 bits and the priority identifier uses 3 bits. [1]

(Figure: 01 802.1q Packet Header)
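As an added example (not part of the original essay), the following Python assembles and decodes the tag layout just described: the 4-byte tag after the two MAC addresses, its 2-byte TPID, the 3-bit priority and 12-bit VLAN ID, and the growth of a maximum-size frame from 1518 to 1522 bytes. The frame contents and the trunk policy check (`trunk_accepts`, modelled on the recommendations at the end of the essay) are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier: the first 2 bytes of the tag
FCS_LEN = 4           # trailing frame check sequence, counted in the 1518/1522 sizes


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Assemble an Ethernet frame; insert an 802.1Q tag after the MACs when
    vlan_id is given. The FCS is a constructed placeholder, not a real CRC."""
    frame = dst + src
    if vlan_id is not None:
        # Tag Control Information: 3 bits priority, 1 bit CFI, 12 bits VID.
        tci = (priority & 0x7) << 13 | (vlan_id & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload + b"\x00" * FCS_LEN


def parse_frame(frame):
    """Decode the header; returns the tag fields (None when untagged) and the
    EtherType of the encapsulated payload."""
    if len(frame) < 14 + FCS_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "priority": None, "vlan_id": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, priority=tci >> 13, vlan_id=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset - FCS_LEN
    return info


def trunk_accepts(info, allowed_vlans):
    """Policy check: a trunk port should carry only its allowed VLAN IDs and
    never VLAN 1 (constructed rule, following the essay's recommendations)."""
    if not info["tagged"]:
        return False          # untagged frames fall into the native VLAN
    vid = info["vlan_id"]
    return vid != 1 and vid in allowed_vlans


# Constructed sample: maximum 1500-byte IPv4 payload on VLAN 10, priority 5.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"\x00" * 1500)
TAGGED = build_frame(DST, SRC, 0x0800, b"\x00" * 1500, vlan_id=10, priority=5)
```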


Spanning-Tree Protocol (STP)

Another attack against switches blocks traffic by attacking the Spanning-Tree Protocol. STP is used in switched Ethernet topologies to prevent the creation of bridging loops. By default, STP is enabled on Catalyst switches for all VLANs. To build the topology database, STP switches and bridges send BPDUs (Bridge Protocol Data Units) to other switches; the BPDUs are sent out of all ports every two seconds. A BPDU message carries an 8-byte Bridge ID, which contains both the bridge priority and the MAC address, and the bridge with the lowest Bridge ID becomes the Root Bridge. Once the root bridge is elected, the remaining switches calculate their cost to reach it and set their STP port states accordingly. When an attacker fails a link, STP generally takes 30 to 45 seconds to recover from the failure and update the topology database. Cisco switches include features to deal with this delay, called PortFast and UplinkFast. [2]

(Figure: 02 Starting Topology)

In Figure 02, the attacker is connected to two different layer 2 switches via two links. The link in forwarding state is denoted F and the link blocked by STP is denoted B; one of the attacker's links was blocked by STP. The attacker now sends BPDU messages with a low bridge priority in order to become Root Bridge, which causes STP to update the topology.

(Figure: 03 Resulting Topology)


In Figure 03, the attacker has become the Root Bridge of the topology, and all traffic between the switches must flow through the attacker's PC. The attacker can now act as a man-in-the-middle or create a Denial of Service (DoS) condition on the network. The DoS works because the attacker can make his link much slower than the other links between the access switches.

To overcome this problem, disable STP in networks where no loops exist. Where an attacker could create a new loop in the network to attack, filter all ports that take part in the STP process and block those ports to prevent the attack. Some of today's switches have options to do this; the two principal options on Cisco devices are BPDU Guard and Root Guard. [1]

BPDU Guard disables any port that receives a BPDU. It applies to ports configured with the PortFast option, and every user port should have PortFast enabled. The syntax for BPDU Guard is:

CatOS> (enable)set spantree portfast bpdu-guard enable

IOS(config)#spanning-tree portfast bpduguard

Root Guard can be enabled or disabled on any port of the device. It disables a port on which a device attempts to become the Root Bridge, so users can be allowed to plug into the switch at their workplace without taking over the topology. The syntax for Root Guard is:

CatOS> (enable) set spantree guard root 1/1

IOS(config-if)#spanning-tree guard root


802.1x specifies a process for port-based access control in Ethernet networks. A user trying to connect to a port must complete 802.1x authentication before being granted access. Packets are exchanged only between the supplicant and the authentication server. After the authentication process finishes, the user receives a success message from the authentication server; if the user fails authentication, a failure message is received from the authentication server instead. [3]

(Figure: 04 802.1x LAN Structure)


Based on the user's access rights, users can be assigned to a specific VLAN after authentication. In future, 802.1x may be used to perform additional security checks, such as applying Quality of Service (QoS) or an Access Control List (ACL) for the user.

MAC Address Spoofing

The network attacker targets a switch so that it forwards packets destined for a remote host to the attacker, by using the known MAC address of another host.

(Figure: 05 MAC address spoofing)


In Figure 05, the attacker sends a single frame using the other host's MAC address; this overwrites the CAM table entry so that the switch sends packets intended for that host to the attacker's port. The legitimate host receives no traffic until it sends traffic itself. When the host does send traffic, the CAM table entry is reset and reverts to the original port. [4]

(Figure: 06 MAC address spoofing)

MAC Flooding Considerations

Every MAC address connected to a switch requires a mechanism that ensures communication between hosts is delivered without unnecessary traffic. This information is stored in the CAM (Content Addressable Memory) table. As a network architect, a few things must be considered regarding its security. The CAM table is governed by a timing function: whenever a frame from a MAC address is seen, a timestamp is written into the CAM table, which resets the aging timer. [1] [5]


The network attacker tries to overwhelm the CAM table with frames carrying many different source and destination MAC addresses. There are various tools that keep this type of attack running continuously.

Attack Mitigation

Preventing attacks on the CAM table is not a tough job, but it is not trivial either. Port security, available on many switches, can control or limit the maximum number of MAC addresses learned on a port. Port security works on the switch's learning behaviour: it is configured with the number of MAC addresses it allows per port, and it automatically shuts the port down when that limit is exceeded. [1] [5]
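As an added illustration (not from the essay or from any switch vendor's code), this Python model of a switch's CAM table shows the behaviour described in the MAC spoofing, MAC flooding and port security sections: a spoofed source MAC moves an entry to the attacker's port until the real host talks again, idle entries age out, and a port-security limit shuts a port down when too many addresses appear on it. The aging time, the per-port limit and the MAC strings are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CamTable:
    """Toy switch CAM table with aging and a port-security limit.
    aging_secs and max_macs_per_port are assumed values for the example."""
    aging_secs: float = 300.0
    max_macs_per_port: int = 1
    secure_ports: set = field(default_factory=set)    # ports with port security on
    shutdown_ports: set = field(default_factory=set)  # ports disabled by a violation
    entries: dict = field(default_factory=dict)       # mac -> (port, last_seen)

    def _age_out(self, now):
        # A frame from a MAC refreshes its timestamp; silent entries expire.
        self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                        if now - t < self.aging_secs}

    def learn(self, port, src_mac, now):
        """Process the source MAC of a frame arriving on `port`."""
        self._age_out(now)
        if port in self.shutdown_ports:
            return "dropped: port is err-disabled"
        if port in self.secure_ports:
            macs_here = {m for m, (p, _) in self.entries.items() if p == port}
            if src_mac not in macs_here and len(macs_here) >= self.max_macs_per_port:
                # Violation mode 'shutdown': the flooding port is disabled.
                self.shutdown_ports.add(port)
                return "violation: port shut down"
        # Learning simply overwrites: a spoofed source MAC steals the entry.
        self.entries[src_mac] = (port, now)
        return "learned"

    def lookup(self, dst_mac, now):
        """Port a frame for dst_mac is forwarded to; None means flood."""
        self._age_out(now)
        entry = self.entries.get(dst_mac)
        return entry[0] if entry else None


def spoof_and_recover():
    """Replays Figures 05/06: attacker on port 2 spoofs the host on port 1."""
    cam = CamTable()
    cam.learn(1, "00:00:00:00:00:aa", now=0)            # legitimate host
    cam.learn(2, "00:00:00:00:00:aa", now=5)            # attacker reuses host MAC
    hijacked = cam.lookup("00:00:00:00:00:aa", now=6)   # entry now points at port 2
    cam.learn(1, "00:00:00:00:00:aa", now=7)            # host speaks again
    restored = cam.lookup("00:00:00:00:00:aa", now=8)   # entry back on port 1
    return hijacked, restored
```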

ARP Spoofing

The aim of ARP (Address Resolution Protocol) is to map network addresses to the physical addresses of devices. A host sends an ARP request for a network address to find the physical address of a particular device, and receives an ARP reply from that host. Unsolicited ARP replies are called GARP (Gratuitous Address Resolution Protocol). Using GARP, the attacker impersonates a particular host IP address on a LAN segment. When the attacker takes over the network address of a particular host, or of the whole network via the default gateway, this is called a man-in-the-middle attack. [6][7]

(Figure: 07 ARP spoofing attack)



In Figure 07 (ARP spoofing attack), the attacker sends an ARP reply to the host and intercepts the requests meant for the server. The attacker supplies his own physical address for the network address he wants to attack. The false ARP mapping also takes its place in the switch's ARP table.

(Figure: 08 ARP spoofing defence)



In Figure 08 (ARP spoofing defence), the problem is overcome by using DHCP snooping together with ARP security to shield the network from ARP spoofing attacks. To secure the network, check all ARP requests arriving on untrusted ports for IP addresses that do not belong there.

DHCP Server Spoofing

DHCP (Dynamic Host Configuration Protocol) clients send requests for an IP address to all available servers. The DNS server IP address and the default gateway are additional fields that DHCP server spoofing can abuse. There are two types of DHCP server attack:

The nastier one: the attacker introduces a temporary DHCP server into the network. This server answers the DHCP requests with addresses, and the attacker sets the default gateway and DNS server fields to enable MITM and sniffing attacks. The attacker's temporary server will not have its addresses accepted while the main DHCP server answers first. This attack is more difficult to prevent; DHCP Authentication could stop it, but it is not yet implemented.

In the other attack, the attacker repeatedly requests IP addresses from the DHCP server while changing his MAC address, in the same way as in the CAM table flooding attack. Use port security to avoid this attack. [8][1]

DHCP Snooping

The DHCP snooping feature is used to protect the network from temporary DHCP servers. It creates a logical firewall between unauthorized hosts and the DHCP server. This feature can be configured per VLAN and per switch. When it is started, the switch interface acts as a layer 2 bridge.

DHCP snooping is enabled on the switch with the command:

Switch(config)#ip dhcp snooping

For VLANs:

Switch(config)#ip dhcp snooping vlan number

After the VLAN DHCP snooping command is issued, the other ports only resume passing DHCP traffic once the trust command is placed on them, because enabling DHCP snooping for a specific VLAN number stops all the other ports from working.

Switch(config-if)# ip dhcp snooping trust

This kind of snooping is not recommended when multiple systems are engaged on a single switch. [1]
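The following Python model, added here and not taken from the essay or from any switch vendor's code, ties together the ARP spoofing defence (Figure 08) and the DHCP snooping section: DHCP server messages are accepted only from a trusted port, each completed lease becomes an IP-to-MAC-to-port binding, and ARP packets on untrusted ports are checked against those bindings. Port numbers, MACs, IPs and message names are constructed for the example.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}     # only a real DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: int


class DhcpSnooper:
    """DHCP snooping plus ARP inspection: the 'logical firewall' of the text."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks towards the legitimate server
        self.client_port = {}               # (vlan, mac) -> port that sent the request
        self.bindings = {}                  # (vlan, ip)  -> Binding

    def dhcp(self, port, vlan, kind, client_mac, ip=None):
        """Filter one DHCP message and maintain the binding table."""
        if kind in SERVER_MESSAGES and port not in self.trusted:
            return "dropped: server message from untrusted port"
        if kind in CLIENT_MESSAGES:
            self.client_port[(vlan, client_mac)] = port
            return "forwarded"
        if kind == "ACK":
            cport = self.client_port.get((vlan, client_mac))
            if cport is None:
                return "forwarded: no matching request, no binding"
            self.bindings[(vlan, ip)] = Binding(ip, client_mac, vlan, cport)
            return "forwarded: binding added"
        return "forwarded"

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Inspect an ARP request or reply; trusted ports are not checked."""
        if port in self.trusted:
            return "forwarded"
        b = self.bindings.get((vlan, sender_ip))
        if b is None:
            return "dropped: no DHCP binding for sender IP"
        if b.mac != sender_mac or b.port != port:
            return "dropped: sender does not match binding"
        return "forwarded"
```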

Conclusions and Recommendations

Layer 2 security in a network is very weak when it is not fully and securely configured, and attackers attack the network through the local area network. Some of the essential steps to secure layer 2 are as follows:

For all trunk ports, use only dedicated VLAN IDs.

Do not use VLAN 1.

Implement port security on user ports.

Use more than one ARP security measure.

Always use BPDU Guard and Root Guard to avoid STP attacks.

Create an unused VLAN for disabled, unused ports.

Use DHCP snooping where needed.

Use port security mechanisms to avoid MAC address spoofing.

Disable unused protocols and services to stop DoS (Denial of Service) attacks.

Configure port security features to prevent untrusted access to switch ports.