Network Security & Configuration: Routing, VLANs, DHCP, and Attack Mitigation


Router-on-a-Stick Inter-VLAN Routing

A single physical router interface connects to a trunk port on the switch and is divided into 802.1Q sub-interfaces, one per VLAN; each sub-interface carries the VLAN tag and the IP address that make it the default gateway for that VLAN. For example, a host in VLAN 10 sending to a host in VLAN 20 forwards the frame (tagged VLAN 10) to its default gateway, the VLAN 10 sub-interface. The router strips the tag, looks up the destination in its routing table, finds the directly connected VLAN 20 subnet, and sends the packet out the VLAN 20 sub-interface tagged for VLAN 20, where the switch delivers it to the user in VLAN 20. Every inter-VLAN packet crosses the one trunk link twice, which is the design's bandwidth limit.
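The forwarding step described above, as an added example that is not part of the original notes: a frame arrives tagged for VLAN 10 and addressed to that VLAN's gateway MAC, the router decrements the TTL, fixes the IPv4 header checksum, routes on the destination subnet, and re-emits the frame tagged for VLAN 20 with the next hop's MAC. The two sub-interfaces, their MAC addresses and the ARP cache entry are constructed assumptions, not configuration from the page.

```python
import ipaddress
import struct

ETH_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETH_IPV4 = 0x0800

# Constructed topology (assumption, not from the page): one physical router
# port carries a trunk, and each sub-interface owns one VLAN's subnet.
SUBINTERFACES = {
    10: {"gateway": ipaddress.ip_interface("192.168.10.1/24"), "mac": "02:00:00:00:00:0a"},
    20: {"gateway": ipaddress.ip_interface("192.168.20.1/24"), "mac": "02:00:00:00:00:14"},
}
# Constructed ARP cache: hosts the router has already resolved on each VLAN.
NEIGHBOURS = {"192.168.20.50": "02:00:00:00:20:50"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """Ones'-complement sum over 16-bit words; returns 0 for a header whose checksum field is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tagged_frame(dst_mac, src_mac, vlan_id, src_ip, dst_ip, ttl=64):
    """Ethernet II + 802.1Q tag (PCP 0, DEI 0) + minimal IPv4 header with no payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0,
                                ipaddress.ip_address(src_ip).packed,
                                ipaddress.ip_address(dst_ip).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", ETH_8021Q, vlan_id & 0x0FFF, ETH_IPV4) + bytes(hdr))


def frame_summary(frame):
    """Decode the fields a router-on-a-stick actually looks at."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    hdr = frame[18:38]
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "tagged": tpid == ETH_8021Q, "vlan": tci & 0x0FFF, "ethertype": ethertype,
        "ttl": hdr[8], "src_ip": str(ipaddress.ip_address(hdr[12:16])),
        "dst_ip": str(ipaddress.ip_address(hdr[16:20])), "checksum_ok": ipv4_checksum(hdr) == 0,
    }


def route_frame(frame):
    """Receive on the ingress VLAN's sub-interface, route, and re-tag for the egress sub-interface."""
    s = frame_summary(frame)
    if not s["tagged"] or s["ethertype"] != ETH_IPV4:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    ingress = SUBINTERFACES.get(s["vlan"])
    if ingress is None or s["dst_mac"] != ingress["mac"]:
        raise ValueError("frame is not addressed to the gateway MAC of its VLAN's sub-interface")
    if s["ttl"] <= 1:
        raise ValueError("TTL expired (a real router would send ICMP Time Exceeded)")
    dst_ip = ipaddress.ip_address(s["dst_ip"])
    # Route lookup over the connected subnets; the /24s are disjoint, so the first match is the longest match.
    egress_vlan = next((v for v, sub in SUBINTERFACES.items() if dst_ip in sub["gateway"].network), None)
    if egress_vlan is None:
        raise ValueError("no route to destination")
    next_hop_mac = NEIGHBOURS.get(s["dst_ip"])
    if next_hop_mac is None:
        raise ValueError("destination not in ARP cache (a real router would ARP for it)")
    hdr = bytearray(frame[18:38])
    hdr[8] -= 1                               # decrement TTL ...
    struct.pack_into("!H", hdr, 10, 0)        # ... and recompute the header checksum
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    tci = (struct.unpack("!H", frame[14:16])[0] & 0xF000) | egress_vlan   # keep PCP/DEI, swap the VID
    return (mac_bytes(next_hop_mac) + mac_bytes(SUBINTERFACES[egress_vlan]["mac"])
            + struct.pack("!HHH", ETH_8021Q, tci, ETH_IPV4) + bytes(hdr))


if __name__ == "__main__":
    inbound = build_tagged_frame("02:00:00:00:00:0a", "02:00:00:00:10:50", 10,
                                 "192.168.10.50", "192.168.20.50")
    print(frame_summary(inbound))
    print(frame_summary(route_frame(inbound)))
```

The check that the frame is addressed to the gateway MAC of the VLAN it arrived on matters: a frame tagged VLAN 10 but addressed to the VLAN 20 gateway MAC is rejected rather than routed, which is also the behaviour that makes tag/MAC consistency worth validating at the router.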

Why STP Is Needed for Redundant Ethernet LANs

  • Preventing Broadcast Storms: A switch floods broadcasts (and unknown unicasts) out every port except the one they arrived on, so in a physically redundant topology each copy of a frame re-enters the loop and is flooded again; Ethernet frames carry no TTL, so the copies multiply until the links saturate. STP blocks enough redundant ports to leave exactly one active path between any two switches while keeping the blocked links available as backups.
  • Ensuring MAC Address Table Consistency: With a loop, the same source MAC arrives on different ports of a switch, so its MAC table entry flaps between ports and frames are mis-forwarded. In STP's loop-free topology a given source is only ever seen on one port, so the learned entries stay stable.
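The notes explain why a loop-free topology is needed; the added example below goes a step further and computes which port STP would actually block. It is not code from the original page: it implements a simplified 802.1D election (lowest bridge ID becomes root, root path cost decides root and designated ports, ties broken by bridge ID and then port name, which is a simplification of the real port-ID tie-break). The three-switch triangle, its bridge IDs and link costs are constructed.

```python
import heapq

# Constructed topology (assumption): three switches wired in a triangle, so
# every pair has two paths. Bridge ID = (priority, MAC); the lowest wins.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
# (bridge, port, bridge, port, path cost); 4 is the 802.1D-1998 cost of a 1 Gbit/s link.
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/2", 4),
]


def elect_root(bridges):
    """Root bridge election: lowest (priority, MAC)."""
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(root, links):
    """Lowest cumulative cost from each bridge to the root (Dijkstra over link costs)."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def compute_stp(bridges, links):
    """Assign root / designated / blocking roles (simplified 802.1D)."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    roles = {}
    best_root_port = {}
    for a, pa, b, pb, cost in links:
        # On each segment the end with the lower root path cost (then lower bridge ID) is designated.
        if (rpc[a], bridges[a]) <= (rpc[b], bridges[b]):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[(des, des_port)] = "designated"
        # The far end is a root-port candidate for its bridge: cost to the root via this segment.
        candidate = (rpc[des] + cost, bridges[des], other_port)
        if other != root and candidate < best_root_port.get(other, (float("inf"),)):
            best_root_port[other] = candidate
    for bridge, (_, _, port) in best_root_port.items():
        roles[(bridge, port)] = "root"
    for a, pa, b, pb, _ in links:
        for end in ((a, pa), (b, pb)):
            roles.setdefault(end, "blocking")   # neither designated nor root: blocked to break the loop
    return root, roles


def forwarding_links(links, roles):
    """Segments left in the active topology; for N bridges this is N-1 links, i.e. a tree."""
    return [(a, b) for a, pa, b, pb, _ in links
            if roles[(a, pa)] != "blocking" and roles[(b, pb)] != "blocking"]


if __name__ == "__main__":
    root, roles = compute_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
    print("active links:", forwarding_links(LINKS, roles))
```

With equal priorities the lowest MAC (SW1) becomes root, SW2 wins the SW2-SW3 segment on bridge ID, and SW3's port towards SW2 is the one left blocking. Lowering a bridge's priority is how an administrator pins the root, which is also why an unmanaged switch with a low MAC plugged into an access port can hijack the topology unless root guard or BPDU guard is enabled.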

How Users Obtain IP Addresses via DHCP

  1. Discovery: The client, which has no address yet, broadcasts a DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255) carrying its MAC address and a transaction ID.
  2. Offer: Each DHCP server that hears it replies with a DHCPOFFER proposing an IP address, subnet mask, lease time and its own server identifier, sent unicast to the client's MAC or broadcast if the client set the broadcast flag.
  3. Request: The client broadcasts a DHCPREQUEST naming the offered IP and the identifier of the server it chose; because the request is broadcast, the other servers learn that their offers were declined and release them.
  4. Acknowledgement: The chosen server confirms the lease with a DHCPACK (unicast or broadcast, as with the offer), after which the client may use the address; it sends a DHCPNAK instead if the request can no longer be honoured.
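The four-step exchange above, carried out as an added example (not code from the original notes) with real DHCP message layout: a 236-byte BOOTP header, the magic cookie, and TLV options 53 (message type), 50 (requested address), 54 (server identifier), 51 (lease time), 1 (mask) and 3 (router). The server keeps offers and acknowledged bindings separately so the example can also show a second server releasing its offer when the client's REQUEST names a different server. The server addresses, pool and client MACs are constructed; relay agents, renewals and option 55 parameter requests are left out.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MASK, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 50, 51, 53, 54, 255
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(op, xid, client_mac, options, yiaddr="0.0.0.0", flags=0x8000):
    """Pack a DHCP message: fixed BOOTP header, magic cookie, then TLV options. flags 0x8000 = broadcast bit."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, flags, b"\0" * 4,
                         ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    tlvs = b"".join(struct.pack("!BB", code, len(value)) + value for code, value in options)
    return header + MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse_dhcp(packet):
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "flags": fields[6],
            "yiaddr": str(ipaddress.ip_address(fields[8])),
            "chaddr": ":".join(f"{b:02x}" for b in fields[11][:6]), "options": options}


class DhcpServer:
    """Constructed in-memory server; no sockets, the caller hands it packets directly."""
    def __init__(self, server_ip, pool, mask, lease_seconds=3600):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.pool = [ipaddress.ip_address(a) for a in pool]
        self.mask = ipaddress.ip_address(mask)
        self.lease_seconds = lease_seconds
        self.offered = {}    # client MAC -> address offered but not yet acknowledged
        self.bindings = {}   # client MAC -> leased address

    def _reply(self, req, msg_type, ip):
        options = [(OPT_MSG_TYPE, bytes([msg_type])), (OPT_SERVER_ID, self.server_ip.packed),
                   (OPT_LEASE, struct.pack("!I", self.lease_seconds)),
                   (OPT_MASK, self.mask.packed), (OPT_ROUTER, self.server_ip.packed)]
        # The reply is broadcast if the client set the broadcast flag, else unicast to chaddr.
        return build_dhcp(BOOTREPLY, req["xid"], req["chaddr"], options, yiaddr=str(ip), flags=req["flags"])

    def handle(self, packet):
        req = parse_dhcp(packet)
        msg_type = req["options"][OPT_MSG_TYPE][0]
        mac = req["chaddr"]
        if msg_type == DISCOVER:
            ip = self.offered.get(mac) or self.bindings.get(mac)
            if ip is None:
                in_use = set(self.offered.values()) | set(self.bindings.values())
                free = [a for a in self.pool if a not in in_use]
                if not free:
                    return None             # pool exhausted: stay silent
                ip = free[0]
            self.offered[mac] = ip
            return self._reply(req, OFFER, ip)
        if msg_type == REQUEST:
            # The broadcast REQUEST names one server; every other server drops its offer.
            if req["options"].get(OPT_SERVER_ID) != self.server_ip.packed:
                self.offered.pop(mac, None)
                return None
            wanted = ipaddress.ip_address(req["options"][OPT_REQ_IP])
            if self.offered.get(mac) != wanted:
                return self._reply(req, NAK, "0.0.0.0")
            self.bindings[mac] = self.offered.pop(mac)
            return self._reply(req, ACK, wanted)
        return None


def dora(server, client_mac, xid=0x3903F326):
    """Client side of Discover / Offer / Request / Acknowledge against one server."""
    discover = build_dhcp(BOOTREQUEST, xid, client_mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = parse_dhcp(server.handle(discover))
    request = build_dhcp(BOOTREQUEST, xid, client_mac, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQ_IP, ipaddress.ip_address(offer["yiaddr"]).packed),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse_dhcp(server.handle(request))
    return {"ip": ack["yiaddr"],
            "sequence": [DISCOVER, offer["options"][OPT_MSG_TYPE][0], REQUEST, ack["options"][OPT_MSG_TYPE][0]],
            "lease": struct.unpack("!I", ack["options"][OPT_LEASE])[0]}
```

Nothing in the exchange authenticates the server, which is why a rogue DHCP server on the LAN can hand out itself as the router (option 3) and why switches implement DHCP snooping: replies are accepted only from trusted ports, and the acknowledged (MAC, IP, VLAN, port) bindings are recorded for use by Dynamic ARP Inspection.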

Addressing Duplicate GUA (IPv6 SLAAC)

Before a device uses an address formed by SLAAC (or any newly configured IPv6 address), it marks the address tentative and runs Duplicate Address Detection: it multicasts an ICMPv6 Neighbor Solicitation (NS) from the unspecified source :: to the solicited-node multicast address of the tentative GUA (ff02::1:ff followed by the low 24 bits of the address), with the tentative address as the target. A neighbor that already holds that address replies with a Neighbor Advertisement (NA) to the all-nodes address ff02::1. If an NA arrives, the address is a duplicate and must not be used; if none arrives, the address is unique and becomes preferred.
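SLAAC and the DAD probe above, as an added example that is not part of the original notes. It forms the GUA with a modified EUI-64 interface ID (one SLAAC option; many stacks use random identifiers instead), derives the solicited-node group and its 33:33 Ethernet mapping, and models a segment on which a second node with a cloned MAC would produce the same address and therefore receive an NA. The prefix, MACs and node names are constructed.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "")))
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix, mac):
    """GUA = advertised /64 prefix + modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(addr):
    """Ethernet destination for an IPv6 multicast group: 33:33 + the group's low 32 bits."""
    low32 = ipaddress.IPv6Address(addr).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


class Link:
    """Constructed model of one segment: which node currently owns which address."""
    def __init__(self):
        self.owners = {}

    def neighbor_solicitation(self, target):
        """DAD probe: source ::, destination = solicited-node group of the tentative address.
        A node that already owns the target answers with an NA to the all-nodes group ff02::1."""
        target = ipaddress.IPv6Address(target)
        group = solicited_node_multicast(target)
        ns = {"src": "::", "dst": str(group), "dst_mac": multicast_mac(group), "target": str(target)}
        owner = self.owners.get(target)
        na = None if owner is None else {"from": owner, "dst": "ff02::1", "target": str(target)}
        return ns, na


def dad(link, node, prefix, mac):
    """SLAAC + Duplicate Address Detection for one node; the address stays tentative until DAD passes."""
    tentative = slaac_address(prefix, mac)
    ns, na = link.neighbor_solicitation(tentative)
    if na is not None:
        return {"address": str(tentative), "state": "duplicate", "ns": ns, "na": na}
    link.owners[tentative] = node
    return {"address": str(tentative), "state": "preferred", "ns": ns, "na": None}


if __name__ == "__main__":
    link = Link()
    print(dad(link, "hostA", "2001:db8:1::/64", "00:1a:2b:3c:4d:5e"))
    print(dad(link, "hostB", "2001:db8:1::/64", "00:1a:2b:3c:4d:5e"))   # cloned MAC: DAD fails
```

The NS is sent from :: because the sender has no usable address yet, and a node that answers every NS with an NA (the basis of a DAD denial-of-service) can keep a victim from ever configuring an address; RA Guard and ND inspection on the switch are the usual countermeasures.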

How FHRP Improves Gateway Reliability

A First Hop Redundancy Protocol (HSRP or VRRP, for example) lets two or more routers share a virtual IP address and a virtual MAC address that hosts use as their default gateway. One router is active and answers ARP for the virtual address; the others stand by and listen for its periodic hellos. If the active router fails, a standby stops hearing hellos within the hold time and takes over the virtual IP and MAC, so hosts keep their configured gateway and cached ARP entry and need no reconfiguration. Priority decides which router is active, and preemption controls whether a recovered higher-priority router reclaims the role.
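The hello/hold-time failover described above, as an added example (not code from the original notes and not an implementation of any one FHRP): two routers advertise themselves at a fixed interval, R1 stops at t=12, and R2 becomes active once R1's silence exceeds the hold time, while the host's gateway entry never changes. The virtual addresses, priorities and timers are constructed; the tie-break on router name is an assumption.

```python
# Constructed HSRP/VRRP-style group (assumption, not a protocol implementation):
# hosts point at the virtual IP and virtual MAC, never at a physical router.
VIRTUAL_IP = "192.168.10.1"
VIRTUAL_MAC = "00:00:0c:07:ac:01"   # HSRP version 1 virtual MAC for group 1


class FhrpGroup:
    def __init__(self, virtual_ip, virtual_mac, hold_time=10, preempt=True):
        self.virtual_ip, self.virtual_mac = virtual_ip, virtual_mac
        self.hold_time, self.preempt = hold_time, preempt
        self.priority = {}     # router -> configured priority
        self.last_hello = {}   # router -> time its last hello was heard
        self.active = None

    def hello(self, router, priority, now):
        """A router advertises itself; silence for longer than hold_time means it is dead."""
        self.priority[router] = priority
        self.last_hello[router] = now

    def elect(self, now):
        alive = [r for r, t in self.last_hello.items() if now - t <= self.hold_time]
        if not alive:
            self.active = None
            return None
        best = max(alive, key=lambda r: (self.priority[r], r))   # tie-break on name is an assumption
        if self.active not in alive or (self.preempt and best != self.active):
            self.active = best
        return self.active


def failover_demo(hello_interval=3, r1_fails_at=12):
    """R1 (priority 110) is active; it stops sending hellos at t=12 and R2 takes over after the hold time."""
    group = FhrpGroup(VIRTUAL_IP, VIRTUAL_MAC)
    host_arp = {VIRTUAL_IP: VIRTUAL_MAC}   # the host resolved its gateway once and never needs to again
    timeline = []
    for now in range(0, 30, hello_interval):
        if now < r1_fails_at:
            group.hello("R1", 110, now)
        group.hello("R2", 100, now)
        timeline.append((now, group.elect(now)))
    return timeline, host_arp


if __name__ == "__main__":
    for now, active in failover_demo()[0]:
        print(f"t={now:2d}s active={active}")
```

Hellos are unauthenticated by default in HSRP and only weakly authenticated in VRRP, so a rogue device on the segment announcing a higher priority can preempt the real routers and become the gateway; the practical mitigations are MD5 key chains where the protocol supports them and keeping the group's multicast traffic off untrusted ports.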

MAC Flooding Attack

Attackers send a stream of frames with spoofed, constantly changing source MAC addresses, filling the switch's MAC (CAM) table. A full table can no longer learn the addresses of legitimate hosts, so frames to them are treated as unknown unicasts and flooded out every port, effectively turning the switch into a hub and letting the attacker sniff other hosts' traffic. Mitigation: port security limits the number of MAC addresses a port may learn (optionally pinning them statically or as sticky entries) and applies a violation action, such as err-disabling the port, when the limit is exceeded.
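The attack and its mitigation above, as an added example that is not part of the original notes: a learning-switch model with a bounded CAM table is flooded with spoofed sources from one port, after which a unicast between two real hosts is flooded to the attacker's port; with port security limiting that port to two addresses, the third spoofed source err-disables it and the unicast reaches only its destination. The switch, ports, hosts and table size are constructed, and aging is omitted (the attacker fills the table before the hosts are learned, the state a real switch reaches once legitimate entries age out).

```python
import random

HOST1, HOST2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Constructed model of a learning switch with a bounded MAC (CAM) table; no aging."""
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}               # source MAC -> port
        self.port_security = {}     # port -> state dict
        self.flood_count = 0

    def enable_port_security(self, port, max_macs):
        # Violation mode 'shutdown' (err-disable) is assumed; 'protect' and 'restrict' only drop offending frames.
        self.port_security[port] = {"max": max_macs, "learned": set(), "violations": 0, "shutdown": False}

    def receive(self, in_port, src_mac, dst_mac):
        """Learn the source, then forward; returns the list of egress ports."""
        ps = self.port_security.get(in_port)
        if ps is not None:
            if ps["shutdown"]:
                return []
            if src_mac not in ps["learned"]:
                if len(ps["learned"]) >= ps["max"]:
                    ps["violations"] += 1
                    ps["shutdown"] = True
                    return []
                ps["learned"].add(src_mac)
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port          # a full table silently fails to learn new sources
        out_port = self.cam.get(dst_mac)
        if out_port is None:                     # broadcast or unknown unicast: flood
            self.flood_count += 1
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:                  # destination sits on the ingress port: filter
            return []
        return [out_port]


def mac_flood_demo(port_security, attacker_frames=5000):
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=1000)   # small table so the demo fills it quickly
    if port_security:
        sw.enable_port_security("Gi0/3", max_macs=2)
    rng = random.Random(1)
    for _ in range(attacker_frames):             # attacker on Gi0/3 cycles through spoofed source MACs
        spoofed = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.receive("Gi0/3", spoofed, HOST2)
    sw.receive("Gi0/2", HOST2, BROADCAST)        # host 2 announces itself ...
    egress = sw.receive("Gi0/1", HOST1, HOST2)   # ... and host 1 sends it a unicast frame
    ps = sw.port_security.get("Gi0/3", {})
    return {"cam_entries": len(sw.cam), "host1_to_host2_egress": egress,
            "attacker_sees_unicast": "Gi0/3" in egress,
            "violations": ps.get("violations", 0), "attacker_port_shutdown": ps.get("shutdown", False)}


if __name__ == "__main__":
    print("no port security:", mac_flood_demo(port_security=False))
    print("port security:   ", mac_flood_demo(port_security=True))
```

The detection side follows from the same model: a port that learns thousands of distinct source MACs in seconds, or a CAM table that sits at capacity, is the signal to alert on even where port security is not enforced.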

ARP Man-in-the-Middle Attack

Attackers send unsolicited (gratuitous) ARP replies that bind their own MAC address to the IP address of a legitimate device, typically the default gateway. Hosts update their ARP caches from these replies without any check, so traffic for that IP is sent to the attacker, who can read or modify it before forwarding it on. Mitigation: Dynamic ARP Inspection (DAI) intercepts ARP packets on untrusted ports and drops any whose sender IP-to-MAC binding does not match the DHCP snooping binding table (or a configured ARP ACL for statically addressed hosts); ports facing routers and other switches are marked trusted and are not inspected.
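The poisoning and the DAI check above, as an added example that is not part of the original notes: a victim that blindly updates its ARP cache receives two genuine replies and two spoofed ones from the attacker's port; without DAI the cache ends up pointing the gateway and a neighbour at the attacker's MAC, with DAI both spoofed replies are dropped against the snooping bindings. The binding table, ports, addresses and traffic are constructed, and the Ethernet-source consistency check mirrors DAI's optional src-mac validation.

```python
GATEWAY_IP, GATEWAY_MAC = "192.168.10.1", "02:00:00:00:00:0a"
HOST_B_IP, HOST_B_MAC = "192.168.10.20", "02:00:00:00:00:20"
ATTACKER_MAC = "02:00:00:00:00:66"
TRUSTED_PORTS = {"Gi0/24"}     # uplink to the router: DAI does not inspect ARP arriving here

# Constructed DHCP snooping binding table: ip -> (mac, vlan, port), populated from observed DHCP ACKs.
BINDINGS = {
    HOST_B_IP: (HOST_B_MAC, 10, "Gi0/2"),
    "192.168.10.30": ("02:00:00:00:00:30", 10, "Gi0/3"),   # the attacker's own legitimate lease
}


def arp_reply(sender_ip, sender_mac, in_port, vlan=10, eth_src=None):
    """An ARP reply as the switch sees it: Ethernet source plus the ARP sender fields."""
    return {"op": 2, "sender_ip": sender_ip, "sender_mac": sender_mac,
            "eth_src": eth_src or sender_mac, "in_port": in_port, "vlan": vlan}


# Constructed traffic: two genuine replies, then two spoofed ones from the attacker on Gi0/3.
PACKETS = [
    arp_reply(GATEWAY_IP, GATEWAY_MAC, "Gi0/24"),
    arp_reply(HOST_B_IP, HOST_B_MAC, "Gi0/2"),
    arp_reply(GATEWAY_IP, ATTACKER_MAC, "Gi0/3"),    # "I am the gateway"
    arp_reply(HOST_B_IP, ATTACKER_MAC, "Gi0/3"),     # "I am host B"
]


def dai_inspect(pkt, bindings, trusted_ports):
    """Return (forward?, reason) for an ARP packet, following DAI's rules."""
    if pkt["in_port"] in trusted_ports:
        return True, "trusted port"
    if pkt["sender_mac"] != pkt["eth_src"]:          # 'validate src-mac' style check
        return False, "ARP sender MAC differs from Ethernet source"
    binding = bindings.get(pkt["sender_ip"])
    if binding is None:
        return False, "no DHCP snooping binding for sender IP"
    if binding != (pkt["sender_mac"], pkt["vlan"], pkt["in_port"]):
        return False, "sender IP/MAC/VLAN/port does not match binding"
    return True, "matches binding"


def deliver(packets, dai_enabled):
    """Simulate a victim host that blindly updates its ARP cache from any reply it receives."""
    cache, log = {}, []
    for pkt in packets:
        if dai_enabled:
            ok, reason = dai_inspect(pkt, BINDINGS, TRUSTED_PORTS)
            log.append((pkt["sender_ip"], pkt["in_port"], "forward" if ok else "drop", reason))
            if not ok:
                continue
        cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return cache, log


if __name__ == "__main__":
    print("without DAI:", deliver(PACKETS, dai_enabled=False)[0])
    cache, log = deliver(PACKETS, dai_enabled=True)
    print("with DAI:   ", cache)
    for entry in log:
        print(entry)
```

Two practical points fall out of the check: the gateway's own reply passes only because its port is trusted, so a mistakenly trusted access port defeats DAI entirely, and any host with a static address needs an ARP ACL entry or its legitimate replies are dropped as "no binding".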

VLAN Hopping Attack
