CCNP Exam Prep Tips and Must Knows about Mitigating VLAN Attacks

Things You Need to Know about Mitigating VLAN Attacks

VLAN Hopping

Unused Ports

  • Shut down all unused ports
  • Configure all unused ports to access mode
  • Configure an access VLAN on all unused ports to an unused VLAN
  • Configure a native trunk VLAN on all unused ports to be an unused VLAN

Trunk Ports

  • Configure a trunk port with trunk mode on and disable trunk negotiation
  • Configure a native trunk VLAN on trunk ports to an unused VLAN
  • Configure the allowed VLANs on the trunk ports, and do not allow the native VLAN
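As an added example that is not part of the original page, the Python script below audits a saved running-config against the unused-port and trunk-port rules above (DTP negotiation off, native VLAN moved to an unused VLAN, native VLAN pruned from the allowed list). The sample config is constructed, and the parser assumes standard IOS `switchport` command syntax.

```python
# Constructed sample running-config (not captured from a real switch): Gi0/1 is a
# hardened trunk, Gi0/2 an unused port at defaults, Gi0/3 a weak trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet0/2
interface GigabitEthernet0/3
 switchport trunk allowed vlan 1,10-20
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or another top-level block ends the interface
    return blocks

def expand_vlans(spec):
    vlans = set()  # '1,10-12' -> {1, 10, 11, 12}
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_interface(lines):
    """Check one port against the VLAN hopping rules above; return findings."""
    def value(prefix, default):  # argument of the first command with this prefix
        return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)
    if "shutdown" in lines:
        return []  # a shut port cannot be negotiated with
    mode = value("switchport mode ", "dynamic").split()[0]
    native = int(value("switchport trunk native vlan ", "1"))
    allowed = expand_vlans(value("switchport trunk allowed vlan ", "all").replace("all", "1-4094"))
    checks = [
        (mode == "dynamic", "DTP enabled: set access or trunk mode, or shut down if unused"),
        (mode == "trunk" and "switchport nonegotiate" not in lines, "trunk still negotiates: add 'switchport nonegotiate'"),
        (mode == "trunk" and native == 1, "native VLAN is 1: move it to an unused VLAN"),
        (mode == "trunk" and native in allowed, "native VLAN allowed on the trunk: prune it from the allowed list"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `audit_interface` over each entry of `parse_interfaces(SAMPLE_CONFIG)`: Gi0/1 comes back clean, Gi0/2 is flagged for DTP, and Gi0/3 gets all three trunk findings.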

VLAN Access Control Lists

  • Switch(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
  • Switch(config)# mac access-list extended BACKUP_SERVER
  • Switch(config-ext-macl)# permit any host 0000.1111.2222
  • Switch(config)# vlan access-map TEST 10
  • Switch(config-access-map)# match ip address 100
  • Switch(config-access-map)# action drop
  • Switch(config)# vlan access-map TEST 20
  • Switch(config-access-map)# match mac address BACKUP_SERVER
  • Switch(config-access-map)# action drop
  • Switch(config)# vlan access-map TEST 30
  • Switch(config-access-map)# action forward
  • Switch(config)# vlan filter TEST vlan-list 10,20

Sequence 30 has no match clause, so it forwards everything that sequences 10 and 20 did not drop; without it, unmatched traffic would be dropped by the access map's implicit deny.


Things You Need to Know about Authentication and Authorization Methods

AAA Network Configuration

  • Authentication – verifies user identity
  • Authorization – specifies permitted tasks for a user
  • Accounting – provides billing, auditing and monitoring

Configuring User AAA Authentication


  • Switch(config)# username admin password Cisco
  • Switch(config)# aaa new-model
  • Switch(config)# radius-server host 10.1.1.50 auth-port 1812 key xyz123
  • Switch(config)# aaa authentication login default group radius local
  • Switch(config)# aaa authentication login NO_AUTH none
  • Switch(config)# line vty 0 15
  • Switch(config-line)# login authentication default
  • Switch(config-line)# password San-Fran
  • Switch(config)# line console 0
  • Switch(config-line)# login authentication NO_AUTH

802.1X Port-Based Authentication


  • Switch(config)# aaa new-model
  • Switch(config)# radius-server host 10.1.1.50 auth-port 1812 key xyz123
  • Switch(config)# aaa authentication dot1x default group radius
  • Switch(config)# dot1x system-auth-control
  • Switch(config)# interface fa0/1
  • Switch(config-if)# switchport mode access
  • Switch(config-if)# dot1x port-control auto