Secured
All switch ports (interfaces) should be _______ before the switch is deployed for production use. How it is done depends on its function.
disable
A simple method that many administrators use to help secure the network from unauthorized access is to _______ all unused ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command.
No shutdown
If a port must be reactivated at a later time, it can be enabled with the __ ________ command.
Interface range
To configure a range of ports, use the _________ _____ command.
port security
The simplest and most effective method to prevent MAC address table overflow attacks is to enable ____ ________.
port security
limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. When a port configured with ____ ________ receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
switchport port-security
Port security is enabled with the __________ ____-________ interface configuration command.
dynamic auto
port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to _______ ____ (trunking on). Therefore, in the example, the port is configured with the switchport mode access interface configuration command.
show port-security interface
Use the ____ ____-________ _________ command to display the current port security settings for FastEthernet 0/1.
error disabled
If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the _____-________ state.
switchport port-security maximum value
To set the maximum number of MAC addresses allowed on a port, use the following command:
1
The default port security value is _
Manually Configured
a way for a switch to learn about MAC addresses. The administrator manually configures one or more static MAC addresses by using the following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
Dynamically Learned
a way for a switch to learn about MAC addresses. When the switchport port-security command is entered, the current source MAC address of the device connected to the port is automatically secured but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
Dynamically Learned - Sticky
a way for a switch to learn about MAC addresses. The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
NVRAM
Saving the running configuration will commit the dynamically learned MAC addresses to _____.
Port security aging
can be used to set the aging time for static and dynamic secure addresses on a port.
Absolute, inactivity
the two types of aging supported per port.
Absolute
type of aging. The secure addresses on the port are deleted after the specified aging time.
Inactivity
type of aging. The secure addresses on the port are deleted if they are inactive for a specified time.
aging
Use _____ to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
switchport port-security aging
Use the __________ ____-________ _____ command to enable or disable static aging for the secure port, or to set the aging time or type.
Switch(config-if)# __________ ____-________ _____ {static | time time | type {absolute | inactivity}}
port violation, error-disabled state
If the MAC address of a device attached to a port differs from the list of secure addresses, then a ____ _________ occurs and the port enters the _____-________ _____.
switchport port-security violation
To set the port security violation mode, use the following command:
Switch(config-if)# __________ ____-________ _________ {shutdown | restrict | protect}
shutdown
violation mode (default). The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict
violation mode. The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
protect
violation mode. This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.
Shutdown, restrict, protect
the 3 violation modes.
Shutdown, no shutdown
To re-enable the port, first use the ________ command, then, use the __ ________ command.
1, shutdown
The example indicates that all 24 interfaces are configured with the switchport port-security command because the maximum allowed is _ and the violation mode is _______.
Show run
To verify that MAC addresses are "sticking" to the configuration, use the ____ ___ command as shown in the example for FastEthernet 0/19.
show port-security address
To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the ____ ____-________ _______ command as shown in the example.
Spoofing DTP
messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
rogue
Introducing a _____ switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from that switch.
Double-tagging
Another type of VLAN hopping attack is a ______-_______ (or double-encapsulated) attack. This attack takes advantage of the way the hardware on most switches operates.
DTP
Step 1 Mitigate VLAN Hopping: Disable ___ (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Unused vlan
Step 2 Mitigate VLAN Hopping: Disable unused ports and put them in an ______ ____.
Switchport mode trunk
Step 3 Mitigate VLAN Hopping: Manually enable the trunk link on a trunking port by using the __________ ____ _____ command.
switchport nonegotiate
Step 4 Mitigate VLAN Hopping: Disable DTP (auto trunking) negotiations on trunking ports by using the __________ ___________ command.
Vlan 1
Step 5 Mitigate VLAN Hopping: Set the native VLAN to a VLAN other than ____ _ by using the switchport trunk native vlan vlan_number command.
DOS
The goal of a DHCP starvation attack, carried out with an attack tool such as Gobbler, is to create a ___ for connecting clients.
DHCP Snooping
DHCP spoofing attacks can be mitigated by using ____ ________ on trusted ports.
DHCP snooping
filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
• Devices under administrative control (e.g., switches, routers, and servers) are trusted sources.
• Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted.
• Devices outside the network and all access ports are generally treated as untrusted sources.
DHCP snooping binding
A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device.
• The MAC address and IP address are bound together.
• Therefore, this table is called the ____ ________ _______ table.
ip dhcp snooping
Step 1 dhcp snooping. Enable DHCP snooping by using the __ ____ ________ global configuration command.
ip dhcp snooping trust
Step 2 dhcp snooping. On trusted ports, use the __ ____ ________ _____ interface configuration command.
ip dhcp snooping limit rate
Step 3 dhcp snooping. On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the __ ____ ________ _____ ____ packets-per-second interface configuration command.
ip dhcp snooping vlan
Step 4 dhcp snooping. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the __ ____ ________ ____ global configuration command.
show ip dhcp snooping
Use the ____ __ ____ ________ privileged EXEC command to verify DHCP snooping settings.
show ip dhcp snooping binding
Use the ____ __ ____ ________ _______ command to view the clients that have received DHCP information.
Unsolicited, valid
In a typical ARP attack, a threat actor can send ___________ ARP replies to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only _____ ARP Requests and Replies are relayed.
Dynamic ARP inspection
(DAI)
DAI
___ requires DHCP snooping and helps prevent ARP attacks by:
• Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
• Intercepting all ARP Requests and Replies on untrusted ports.
• Verifying each intercepted packet for a valid IP-to-MAC binding.
• Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
• Error-disabling the interface if the configured DAI number of ARP packets is exceeded.
Globally, selected, selected, trusted
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
• Enable DHCP snooping ________.
• Enable DHCP snooping on ________ VLANs.
• Enable DAI on ________ VLANs.
• Configure _______ interfaces for DHCP snooping and ARP inspection.
Untrusted, trusted
It is generally advisable to configure all access switch ports as _________ and to configure all uplink ports that are connected to other switches as _______.
ip arp inspection validate
The __ ___ __________ ________ {[src-mac] [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid. It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are specified in the Ethernet header.
Bridge Protocol Data Unit
(BPDU)
Portfast, bpdu
Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network. To mitigate STP attacks, use ________ and ____.
PortFast
immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states. Apply to all end-user access ports.
BPDU Guard
immediately error-disables a port that receives a BPDU.
End
Like PortFast, BPDU guard should only be configured on interfaces attached to ___ devices.
portfast interface
On an interface - Use the spanning-tree ________ _________ configuration command.
portfast default
Globally - Use the spanning-tree ________ _______ global configuration command to enable PortFast on all access ports.
show spanning-tree summary
To verify whether PortFast is enabled globally, you can use the ____ ________-____ _______ command.
error disabled
If a BPDU is received on a BPDU Guard enabled access port, the port is put into _____ ________ state.
errdisable recovery cause psecure_violation
If a BPDU is received on a BPDU Guard enabled access port, the port is shut down and must be manually re-enabled or automatically recovered through the __________ ________ _____ _________________ global command.
spanning-tree bpduguard enable
BPDU Guard can be enabled:
• On an interface - Use the ________-____ _________ ______ interface configuration command.
spanning-tree portfast bpduguard default
BPDU Guard can be enabled:
• Globally - Use the ________-____ ________ _________ _______ global configuration command to enable BPDU Guard on all access ports.