
Things You Need to Know about Switch Security
Modularizing Internal Security
- Use switch port security at the building access layer
- Use access lists at the building distribution layer
- Do not implement packet manipulation at the campus core layer
- Use host- and network-based IPS, private VLANs, ACLs, and secure passwords in the server farm
Switch Attack Categories
MAC address-based attacks
- MAC address flooding
VLAN attacks
- VLAN hopping
Spoofing attacks
- Spoofing DHCP, ARP, and MAC addressing
Attacks on switch devices
- Cisco Discovery Protocol (CDP)
- Management protocols
Port Security
- Limits MAC flooding attacks and locks down the port
- Sets an SNMP trap
- Allowed frames are forwarded
- New MAC addresses beyond the configured limit are not learned
- The switch responds to non-allowed frames with the configured violation action
Port Security Configuration
- Switch(config)# interface fa0/2
- Switch(config-if)# switchport mode access
- Switch(config-if)# switchport access vlan 2
- Switch(config-if)# switchport port-security
- Switch(config-if)# switchport port-security maximum 2
- Switch(config-if)# switchport port-security mac-address 0000.1111.222
- Switch(config-if)# switchport port-security mac-address sticky
- Switch(config-if)# switchport port-security violation shutdown
- Switch(config-if)# switchport port-security aging time 60
- Switch(config-if)# switchport port-security aging type inactivity
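The port-security behaviour and the configuration above, replayed as an added Python model. This is example code written for these notes, not Cisco code: it imitates the rules the notes describe (maximum secure MACs, static and sticky addresses, the violation action, inactivity aging) so they can be exercised offline. The three violation modes modelled (protect, restrict, shutdown) are the standard IOS options; the MAC addresses and the frame sequence are constructed for the example, and time is a plain minute counter.

```python
# Added example: a small model of switch port security (not Cisco code).
# It mimics the behaviour described in the notes: a maximum number of secure
# MAC addresses per port, static and sticky entries, a violation action and
# inactivity aging.  Time is a simple minute counter passed in by the caller.
from dataclasses import dataclass, field

FORWARD, DROP, SHUTDOWN = "forward", "drop", "shutdown"


@dataclass
class SecureEntry:
    kind: str        # "static", "sticky" or "dynamic"
    last_seen: int   # minute at which the MAC was last seen on the port


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"     # "protect" | "restrict" | "shutdown"
    sticky: bool = False
    aging_time: int = 0             # minutes; 0 disables aging
    aging_type: str = "absolute"    # "absolute" | "inactivity"
    table: dict = field(default_factory=dict)   # mac -> SecureEntry
    violations: int = 0
    traps: list = field(default_factory=list)   # stands in for SNMP traps
    err_disabled: bool = False

    def add_static(self, mac: str) -> None:
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        if len(self.table) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.table[mac] = SecureEntry("static", 0)

    def _age(self, now: int) -> None:
        """Inactivity aging removes dynamic entries idle for aging_time minutes.
        Static and sticky entries are kept (they do not age in this model)."""
        if self.aging_time == 0 or self.aging_type != "inactivity":
            return
        for mac, entry in list(self.table.items()):
            if entry.kind == "dynamic" and now - entry.last_seen >= self.aging_time:
                del self.table[mac]

    def receive(self, mac: str, now: int) -> str:
        """Process an ingress frame with source MAC `mac` at minute `now`."""
        if self.err_disabled:
            return DROP                       # err-disabled port drops everything
        self._age(now)
        if mac in self.table:
            self.table[mac].last_seen = now
            return FORWARD                    # allowed frame is forwarded
        if len(self.table) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.table[mac] = SecureEntry(kind, now)
            return FORWARD                    # learned as a new secure MAC
        # Over the limit: apply the configured violation action
        if self.violation == "protect":
            return DROP                       # silent drop, nothing counted
        self.violations += 1
        self.traps.append(f"PSECURE_VIOLATION mac={mac} minute={now}")
        if self.violation == "restrict":
            return DROP                       # drop, count and trap
        self.err_disabled = True              # shutdown: port goes err-disabled
        return SHUTDOWN

    def running_config(self) -> list:
        """Render the port's port-security lines, including sticky-learned MACs."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        if self.aging_time:
            lines.append(f"switchport port-security aging time {self.aging_time}")
            lines.append(f"switchport port-security aging type {self.aging_type}")
        for mac, entry in self.table.items():
            if entry.kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif entry.kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


def demo():
    """Replay the notes' configuration (maximum 2, one static MAC, sticky learning,
    violation shutdown, 60-minute inactivity aging) against a constructed frame
    sequence.  All MAC addresses here are made up for the example."""
    port = PortSecurity(maximum=2, violation="shutdown", sticky=True,
                        aging_time=60, aging_type="inactivity")
    port.add_static("0000.1111.2222")            # constructed static MAC
    results = [
        port.receive("0000.1111.2222", now=0),   # static host: forwarded
        port.receive("aaaa.bbbb.cccc", now=1),   # learned as sticky: forwarded
        port.receive("dddd.eeee.ffff", now=2),   # third MAC exceeds maximum 2
        port.receive("0000.1111.2222", now=3),   # port err-disabled: dropped
    ]
    return port, results


if __name__ == "__main__":
    port, results = demo()
    print(results)
    print("\n".join(port.running_config()))
    print("violations:", port.violations, "traps:", port.traps)
```

The replay shows the operational consequence of `violation shutdown`: once the third MAC appears, even the legitimately configured host is cut off until the port is recovered, so plan for that (err-disable recovery or an operator re-enabling the port) before rolling the setting out widely. The `running_config()` output also shows why sticky learning matters: the learned address is written into the configuration as `mac-address sticky <mac>` rather than being forgotten on reload.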