The document discusses various switch security concepts and configuration including: - Defense in depth with multiple layers of security and controlling network access. - MAC flooding and spoofing attacks and how switches use MAC address tables to forward traffic. - Port security features like limiting MAC addresses, locking ports based on violations, and aging secure addresses. - Storm control to limit broadcast traffic and prevent denial of service attacks. - DHCP snooping to prevent unauthorized DHCP servers and spoofing of client requests. - Dynamic ARP inspection to validate ARP packets match the DHCP snooping database.

1. Switch security
Mohnish Singh
CCNA R&S | CCI+ | Msc.IT

2. Table of content
1. Defense in depth
2. Switch security
3. Mac flooding attack
4. Strom control
5. Private Vlan
6. DHCP snooping
7. IP spoofing
8. DAI
9. AAA
10. Traffic Analysis

3. Defence in depth
• Add security at multiple layers & not rely on perimeter firewall
• Networks cannot be partitioned inside and outside
Defense in depth requires relation between network resource &
network user be a controlled scallable & granular system premission &
access controls that goes beyond simply dropping firewalls between
network segment

4. Defense In Depth

5. MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc 12AbDdSwitch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1
Port 2
MAC
Address:
12AbDd
I have associated Ports 1 and 2 with
the MAC addresses of the devices
attached. Traffic destined for each
device will be forwarded directly.
The switch keeps track of the
endpoints by maintaining a
MAC address table. In MAC
spoofing, the attacker poses
as another host—in this case,
AABBcc

6. MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc
Switch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1 Port 2
AABBcc
1 2I have changed the MAC
address on my computer
to match the server.
The device with MAC
address AABBcc has
changed locations to Port2.
I must adjust my MAC
address table accordingly.

7. MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding
because the MAC address table contains port-to-MAC-address mappings in the
MAC address table for these PCs.

8. MAC Address Table Overflow Attack
A B
C D
VLAN 10 VLAN 10
Intruder runs macof to
begin sending unknown
bogus MAC addresses.
3/25
3/25 MAC X
3/25 MAC Y
3/25 MAC Z
XYZ
flood
MAC Port
X 3/25
Y 3/25
C 3/25
Bogus addresses are
added to the CAM table.
CAM table is full.
Host C
The switch floods the
frames.
Attacker sees traffic to
servers B and D.
VLAN 10
1
2
3
4

9. Port Security Overview
MAC A
MAC A
Port 0/1 allows MAC A
Port 0/2 allows MAC B
Port 0/3 allows MAC C
Attacker 1
Attacker 2
0/1
0/2
0/3
MAC F
Allows an administrator to statically specify MAC
Addresses for a port or to permit the switch to dynamically
learn a limited number of MAC
addresses

10. CLI Commands
switchport mode access
Switch(config-if)#
• Sets the interface mode as access
switchport port-security
Switch(config-if)#
• Enables port security on the interface
switchport port-security maximum value
Switch(config-if)#
• Sets the maximum number of secure MAC addresses for
the interface (optional)

11. Switchport Port-Security Parameters
Parameter Description
mac-address mac-address (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional
secure MAC addresses up to the maximum value configured.
vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native
VLAN is used.
vlan access (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice (Optional) On an access port only, specify the VLAN as a voice VLAN
mac-address sticky
[mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky
learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running
configuration and converts these addresses to sticky secure MAC addresses.
Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords..
maximum value (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure
MAC addresses that you can configure on a switch is set by the maximum number of available MAC
addresses allowed in the system. The active Switch Database Management (SDM) template determines this
number. This number represents the total of available MAC addresses, including those used for other Layer 2
functions and any other secure MAC addresses configured on interfaces.
The default setting is 1.
vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan
keyword is not entered, the default value is used.
n vlan: set a per-VLAN maximum value.
n vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of
VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

12. Port Security Violation Configuration
switchport port-security mac-address sticky
Switch(config-if)#
• Enables sticky learning on the interface (optional)
switchport port-security violation {protect | restrict |
shutdown}
Switch(config-if)#
• Sets the violation mode (optional)
switchport port-security mac-address mac-address
Switch(config-if)#
• Enters a static secure MAC address for the interface
(optional)

13. Switchport Port-Security Violation
Parameters
Parameter Description
protect (Optional) Set the security violation protect mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
restrict (Optional) Set the security violation restrict mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred.
shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security
violation causes the interface to immediately become error-disabled and turns off the
port LED. It also sends an SNMP trap, logs a syslog message, and increments the
violation counter. When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery cause psecure-violation global
configuration command, or you can manually re-enable it by entering the shutdown and
no shut down interface configuration commands.
shutdown
vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on
which the violation occurred is error-disabled.

14. Port Security Aging Configuration
switchport port-security aging {static | time time | type
{absolute | inactivity}}
Switch(config-if)#
• Enables or disables static aging for the secure port or
sets the aging time or type

15. Switchport Port-Security
Aging Parameters
Parameter Description
static Enable aging for statically configured secure
addresses on this port.
time time Specify the aging time for this port. The range is 0 to
1440 minutes. If the time is 0, aging is disabled for
this port.
type absolute Set absolute aging type. All the secure addresses
on this port age out exactly after the time (minutes)
specified and are removed from the secure address
list.
type inactivity Set the inactivity aging type. The secure addresses
on this port age out only if there is no data traffic
from the secure source address for the specified
time period.

16. Typical Configuration
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
Switch(config-if)#
S2
PC B

17. CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0

18. View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

19. Storm Control
Total
number of
broadcast
packets
or bytes

20. LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
•These storms can increase the CPU utilization on a switch to 100%, reducing the
performance of the network.
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast

22. Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of
the port that can be used by the broadcast, multicast, or
unicast traffic
• Traffic rate in packets per second at which broadcast,
multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or
unicast packets are received
• Traffic rate in packets per second and for small frames. This
feature is enabled globally. The threshold for small frames is
configured for each interface.

23. Storm Control Configuration
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the
threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k
1k
Switch(config-if)# storm-control action shutdown

26. Storm Control Parameters
Parameter Description
broadcast This parameter enables broadcast storm control on the interface.
multicast This parameter enables multicast storm control on the interface.
unicast This parameter enables unicast storm control on the interface.
level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port.
• level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of
storm packets when the value specified for level is reached.
• level-low: (Optional) Falling suppression level, up to two decimal places. This
value must be less than or equal to the rising suppression value.
level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which
traffic is received on the port.
• bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for bps is reached.
• bps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at
which traffic is received on the port.
• pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for pps is reached.
• pps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic
and to not send an SNMP trap.
The keywords have these meanings:
• shutdown: Disables the port during a storm
• trap: Sends an SNMP trap when a storm occurs

27. Verify Storm Control Settings
Switch# show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ---------- --------- --------
-Gi0/1 Forwarding 20 pps 10 pps 5 pps
Gi0/2 Forwarding 50.00% 40.00% 0.00%
<output omitted>

38. Understanding DHCP Snooping

43. Scenario
 Config ure SW2-client as a DHCP client
 Config ure SW3-serveras a DHCP serverforVLAN 1:
- Configure the VLAN1 SVI as 192.168.7.3/24
- Scope:192.168.7.100-254/24
- Default gateway:192.168.7.1
- Lease time: 7 days

45. When a client no longer needs its IP address, it sends a
DHCPRELEASE message to the DHCP server
Client Spoofing Attack
DHCPRELEASE messages can be spoofed!
DHCP snooping does not tell you when it blocks a rogue server

46. If the DHCPRELEASE message doesn’t match what’s in the DHCP
snooping binding database, the packet will get dropped
Client Spoofing Attack
Examples:
Source interface doesn’t match port client is connected to
Source MAC doesn’t match client’s MAC address

47. Prevent a malicious device from hijacking an IP address
DHCP Snooping Does Not…
Prevent a device from using an unallocated IP address

48. IP Source Guard
Prevents a device from
using an IP address it’s not
entitled to
DHCP Snooping
Prevents unauthorized DHCP
servers from handing out IP
addresses
DHCP Snooping and IP Source Guard

50. IP Source Guard

52. Configuring IP Source Guard
You must enable DHCP snooping
on the VLANs corresponding to
the ports you want IP source
guard to protect

54. You can’t configure IP source guard on
a layer 3 routed interface

56. 172.31.98.
214
172.31.9
8.1
Who has
172.31.98.1?
Understanding ARP poisoning requires an
in-depth understanding of how ARP works

57. ARP Request
Ben’s laptop
Default
Gateway

58. 172.31.98.
214
172.31.9
8.1
I am 172.31.98.1
My MAC is 9c1c.12c9.7257
Who has 172.31.98.1?

59. ARP Reply
Default
Gateway
Ben’s
laptop

60. Scenario
To: FFFF.FFFF.FFFF I
am 192.168.7.1!
 SW1 is the default gateway for the 192.168.7.0/24 subnet
 A hacker is trying to intercept traffic from SW2-client (192.168.7.2)
destined for SW1 (192.168.7.1)

61. 172.31.98.214
172.31.98.1
To: FFFF.FFFF.FFFF
I am 172.31.98.1
My MAC is
9c1c.12c9.7257
Gratuitous ARP

62. Gratuitous ARP
Attacker
ARP Poisoning Attacks

63. Intercepts ARP requests and replies on untrusted
ports
Dynamic ARP Inspection
Compares contents with the DHCP snooping binding database
Limits the number of incoming ARP packets to 15 per second on an untrusted
interface

64. Does not inspect incoming ARP packets on trusted ports
Dynamic ARP Inspection
Does not inspect outgoing ARP packets on any interface

65. Local Authentication
Requires manually configuring
credentials on each device

66. RADIUS and TACACS+
Provide centralized authentication

69. Configuring AuthenticationMethod Lists

71. Traffic Analysis
 A SPAN port mirrors traffic to another
port where a monitoring device is
connected.
 Without this, it can be difficult to
track hackers after they have entered
the network.
“Intruder
Alert!”
Attacker
IDS
RMON Probe
Protocol Analyzer

72. CLI Commands
monitor session session_number source {interface
interface-id [, | -] [both | rx | tx]} | {vlan vlan-
id [, | -] [both | rx | tx]}| {remote vlan vlan-id}
monitor session session_number destination
{interface interface-id [, | -] [encapsulation
replicate] [ingress {dot1q vlan vlan-id | isl |
untagged vlan vlan-id | vlan vlan-id}]} | {remote
vlan vlan-id}
Switch(config)#
Switch(config)#

73. Verify SPAN Configuration

74. SPAN and IDS
Attacker
IDS
Use SPAN to
mirror traffic in
and out of port
F0/1 to port
F0/2.
F0/1
F0/2

75. Overview of RSPAN
• An RSPAN port mirrors traffic to
another port on another switch
where a probe or IDS sensor is
connected.
• This allows more switches to be
monitored with a single probe or IDS.
“Intruder
Alert!”
Attacker
IDS
RSPAN VLAN
Source VLAN
Source VLAN
Source VLAN

76. Configuring RSPAN
2960-1 2960-2
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100
reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
1. Configure the RPSAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded

77. Verifying RSPAN Configuration
show monitor [session {session_number | all | local
| range list | remote} [detail]] [ | {begin | exclude
| include}expression]
2960-1 2960-2