port security
The simplest and most effective method to prevent MAC address table overflow attacks is to enable _____.
limits the number of valid MAC addresses allowed on a port.
It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
By limiting the number of permitted MAC addresses on a port to one, _____ can be used to control unauthorized access to the network.
1
The default port security value is _____.
Manually Configured,
Dynamically Learned,
Dynamically Learned – Sticky
The switch can be configured to learn about MAC addresses on a secure port in one of three ways.
Manually Configured
The administrator _____ a static MAC address(es) by using the following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
Dynamically Learned
When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration.
If the switch is rebooted, the port will have to re-learn the device’s MAC address.
Dynamically Learned – Sticky
The administrator can enable the switch to dynamically learn MAC addresses and “stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
Absolute,
Inactivity
two types of aging
Absolute
The secure addresses on the port are deleted after the specified aging time.
Inactivity
The secure addresses on the port are deleted if they are inactive for a specified time.
aging
Use _____ to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
_____ of statically configured secure addresses can be enabled or disabled on a per-port basis.
shutdown (default),
restrict,
protect
3 security violation modes
shutdown (default)
The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message.
It increments the violation counter.
When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict
The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value.
This mode causes the Security Violation counter to increment and generates a syslog message.
protect
This is the least secure of the security violation modes.
The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value.
No syslog message is sent.
Spoofing DTP messages,
Introducing a rogue switch and enabling trunking,
Double-tagging (or double-encapsulated) attack
A VLAN hopping attack can be launched in one of three ways:
DHCP starvation attack,
Gobbler,
Denial of Service (DoS)
The goal of a _____ is to use an attack tool such as _____ to create a _____ for connecting clients.
port security
DHCP starvation attacks can be effectively mitigated by using _____ because Gobbler uses a unique source MAC address for each DHCP request sent.
However, mitigating DHCP spoofing attacks requires more protection.
DHCP snooping
DHCP spoofing attacks can be mitigated by using _____ on trusted ports.
filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
DHCP table,
DHCP snooping binding table
is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device.
The MAC address and IP address are bound together.
Therefore, this table is called the _____.
ARP attack
a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway.
Dynamic ARP inspection (DAI)
requires DHCP snooping and helps prevent ARP attacks
Enable DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection.
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines (4)
access switch ports - untrusted,
uplink ports - trusted
It is generally advisable to configure all ____ as ____ and to configure all _____ that are connected to other switches as _____.
Destination MAC,
Source MAC,
IP address
DAI can also be configured to check for (3)
Spanning Tree Protocol (STP)
network attackers can manipulate the _____ to conduct an attack by spoofing the root bridge and changing the topology of a network.
PortFast,
Bridge Protocol Data Unit (BPDU) Guard
To mitigate STP attacks, use ____ and ____.
PortFast
immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states.
BPDU Guard
immediately error disables a port that receives a BPDU.