CCNP Exam Prep Tips and Must Knows about Switch Security

study154263471

Things You Need to Know about Switch Security

Modularizing Internal Security

  • Use switch port security at the building access layer
  • Use access lists at the building distribution layer
  • Do not implement packet manipulation at the campus core layer
  • Use host- and network-based IPS, private VLANs, ACLs, and secure passwords in the server farm

Switch Attack Categories

MAC address-based attacks

  • MAC address flooding

VLAN attacks

  • VLAN hopping

Spoofing attacks

  • Spoofing DHCP, ARP, and MAC addressing

Attacks on switch devices

  • Cisco Discovery Protocol (CDP)
  • Management protocols

Port Security

  • Limits MAC flooding attacks and locks down the port
  • Sends an SNMP trap on a violation
  • Allowed frames are forwarded
  • New MAC addresses over the limit are not allowed
  • The switch responds to non-allowed frames according to the configured violation mode

Port Security Configuration

  • Switch(config)# interface fa0/2
  • Switch(config-if)# switchport mode access
  • Switch(config-if)# switchport access vlan 2
  • Switch(config-if)# switchport port-security
  • Switch(config-if)# switchport port-security maximum 2
  • Switch(config-if)# switchport port-security mac-address 0000.1111.2222
  • Switch(config-if)# switchport port-security mac-address sticky
  • Switch(config-if)# switchport port-security violation shutdown
  • Switch(config-if)# switchport port-security aging time 60
  • Switch(config-if)# switchport port-security aging type inactivity
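The behaviour those commands configure, as an added illustration in Python (not Cisco IOS code and not part of these notes): a simplified model in which a port holds at most `maximum` secure addresses, static entries come from `mac-address`, dynamic entries age out after `aging time` minutes of inactivity, and an address over the limit triggers the configured violation mode. The class and method names, the action strings and the sample MAC addresses are assumptions of this model.

```python
# Added illustration, not Cisco IOS code: a simplified model of the port-security
# rules listed in these notes (maximum, static mac-address, violation mode, inactivity aging).
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 2               # switchport port-security maximum 2
    violation: str = "shutdown"    # shutdown | restrict | protect
    aging_time: int = 60           # aging time 60 (minutes, inactivity type); 0 = no aging
    static: set = field(default_factory=set)     # configured secure MACs; assumed never aged
    learned: dict = field(default_factory=dict)  # dynamic secure MAC -> minute last seen
    err_disabled: bool = False
    violations: int = 0

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.static.add(mac.lower())

    def receive(self, mac: str, now: int) -> str:
        """Process one frame from `mac` at minute `now` and return the port's action."""
        mac = mac.lower()
        if self.err_disabled:                      # shutdown mode has err-disabled the port
            return "dropped(err-disabled)"
        if self.aging_time:                        # inactivity aging frees idle dynamic entries
            self.learned = {m: t for m, t in self.learned.items() if now - t < self.aging_time}
        if mac in self.static or mac in self.learned:
            if mac in self.learned:
                self.learned[mac] = now            # refresh the inactivity timer
            return "forwarded"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned[mac] = now                # learn a new secure address
            return "forwarded"
        self.violations += 1                       # shutdown/restrict also log and send an SNMP trap
        if self.violation == "shutdown":
            self.err_disabled = True
            return "shutdown"
        return "dropped(violation)"                # restrict/protect drop the frame; port stays up


def demo() -> list:
    """Replay the notes' configuration: maximum 2, one static MAC, violation shutdown."""
    port = SecurePort()
    port.add_static("0000.1111.2222")
    return [port.receive("0000.1111.2222", 0),   # static address: forwarded
            port.receive("aaaa.bbbb.cccc", 1),   # second address learned: forwarded
            port.receive("dddd.eeee.ffff", 2),   # third address exceeds maximum: shutdown
            port.receive("0000.1111.2222", 3)]   # port now err-disabled: dropped
```

Running `demo()` shows why `violation shutdown` is the strictest choice: one extra address err-disables the port for every host behind it, whereas `restrict` only counts and drops the offending frames.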