Switch security
Mohnish Singh
CCNA R&S | CCI+ | Msc.IT
Table of contents
1. Defense in depth
2. Switch security
3. MAC flooding attack
4. Storm control
5. Private VLAN
6. DHCP snooping
7. IP spoofing
8. DAI
9. AAA
10. Traffic analysis
Defence in depth
• Add security at multiple layers rather than relying on a perimeter firewall alone
• Networks can no longer be cleanly partitioned into "inside" and "outside"
Defense in depth requires that the relationship between a network resource and a network user be governed by a controlled, scalable and granular system of permissions and access controls, one that goes beyond simply dropping firewalls between network segments.
MAC Address Spoofing Attack
[Figure: two hosts on switch ports 1 and 2. The host on port 1 has MAC address AABBcc; the attacker on port 2 has MAC address 12AbDd. Switch: "I have associated ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack
[Figure: the attacker on port 2 changes its MAC address to AABBcc. Attacker: "I have changed the MAC address on my computer to match the server." Switch: "The device with MAC address AABBcc has changed locations to port 2. I must adjust my MAC address table accordingly."]
From that moment the switch delivers frames addressed to AABBcc to the attacker's port instead of the server's, until the real server transmits again and the entry flips back; the attacker keeps winning that race simply by sending more often than the server does.
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding
because the MAC address table contains port-to-MAC-address mappings in the
MAC address table for these PCs.
MAC Address Table Overflow Attack
[Figure: hosts A, B, C and D in VLAN 10; the intruder is on host C, attached to port 3/25.]
1. The intruder runs macof to begin sending frames with bogus, never-before-seen source MAC addresses (X, Y, Z, ...).
2. The bogus addresses are added to the CAM table (X on 3/25, Y on 3/25, Z on 3/25, ...) until the CAM table is full and no further address can be learned.
3. Frames to destinations the switch can no longer look up are flooded out every port in the VLAN.
4. The attacker on host C sees traffic destined for servers B and D.
Port Security Overview
[Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C. Attacker 1 and attacker 2 plug into the switch with addresses that are not allowed (MAC F) and are blocked.]
Port security allows an administrator to statically specify the MAC addresses permitted on a port, or to permit the switch to dynamically learn a limited number of MAC addresses. Because the intruder's port can then hold only that many addresses, macof's bogus sources trigger a violation on that port instead of filling the CAM table.
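The attack above and the limit that stops it, modelled in Python as an added example (not code from the slides): a switch with a finite CAM table learns source addresses until it is full, after which a server it can no longer learn gets its traffic flooded to every port, the intruder's included. With a two-address limit and violation mode shutdown on the intruder's port, the third bogus source err-disables that port and the CAM never fills. Port names, MAC addresses, the 64-entry CAM and the address limit are assumptions made for the demo; real CAM tables hold thousands of entries and macof fills them just as easily.

```python
"""CAM table overflow (macof) against a modelled switch, with and without
port security on the intruder's port.  Added example, not from the slides:
the port names, MAC addresses and the CAM capacity of 64 are made up."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

PORT_A, PORT_B, PORT_C, PORT_D = "Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"  # C = intruder
MAC_A, MAC_B = "0000.aaaa.0001", "0000.bbbb.0002"


@dataclass
class PortSecurity:
    maximum: int          # switchport port-security maximum <n>
    violation: str        # protect | restrict | shutdown
    secure: Set[str] = field(default_factory=set)
    violations: int = 0
    errdisabled: bool = False


class Switch:
    def __init__(self, ports: List[str], cam_capacity: int) -> None:
        self.ports = list(ports)
        self.cam_capacity = cam_capacity       # the CAM is finite hardware
        self.cam: Dict[str, str] = {}          # MAC -> port (no aging modelled)
        self.psec: Dict[str, PortSecurity] = {}

    def enable_port_security(self, port: str, maximum: int, violation: str) -> None:
        self.psec[port] = PortSecurity(maximum, violation)

    def _admit(self, port: str, src: str) -> bool:
        """Port-security check. True = frame may be processed, False = dropped."""
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps.errdisabled:
            return False                       # port is down, nothing comes in
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)                 # dynamically learned secure MAC
            return True
        # Limit reached and the source is unknown: a violation.
        if ps.violation in ("restrict", "shutdown"):
            ps.violations += 1                 # protect mode counts nothing
        if ps.violation == "shutdown":
            ps.errdisabled = True              # the whole port goes err-disabled
        return False

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Process one frame and return the ports it is sent out of."""
        if not self._admit(in_port, src):
            return []
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port            # learn / refresh the source
        # otherwise the CAM is full and the source stays unlearned
        if dst in self.cam:
            return [self.cam[dst]]             # known unicast: one port
        return [p for p in self.ports if p != in_port]   # unknown unicast: flood


def macof(sw: Switch, port: str, count: int) -> None:
    """What macof does: frames with bogus, never-before-seen source MACs."""
    for i in range(count):
        sw.receive(port, f"dead.beef.{i:04x}", f"cafe.babe.{i:04x}")


def run_scenario(port_security: bool, cam_capacity: int = 64) -> dict:
    sw = Switch([PORT_A, PORT_B, PORT_C, PORT_D], cam_capacity)
    if port_security:
        sw.enable_port_security(PORT_C, maximum=2, violation="shutdown")
    sw.receive(PORT_A, MAC_A, MAC_B)          # A is learned on Gi0/1
    macof(sw, PORT_C, cam_capacity + 10)      # intruder on Gi0/3 fills the CAM
    sw.receive(PORT_B, MAC_B, MAC_A)          # server B replies: can it be learned?
    egress = sw.receive(PORT_A, MAC_A, MAC_B)  # where does A -> B go now?
    ps = sw.psec.get(PORT_C)
    return {
        "cam_entries": len(sw.cam),
        "b_learned": MAC_B in sw.cam,
        "a_to_b_egress": egress,
        "intruder_sees_traffic": PORT_C in egress,
        "intruder_errdisabled": bool(ps and ps.errdisabled),
        "violations": ps.violations if ps else 0,
    }


if __name__ == "__main__":
    for protected in (False, True):
        print("port-security on Gi0/3:", protected, run_scenario(protected))
```

Without port security the model ends with a full CAM, server B unlearned and the A-to-B frame flooded out Gi0/2, Gi0/3 and Gi0/4; with it, Gi0/3 is err-disabled after one counted violation, B is learned normally and the frame leaves Gi0/2 only.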
CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access (port security can only be configured on a static access or trunk port, not on a port left in dynamic mode)
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional; the default is 1)
Switchport Port-Security Parameters
mac-address mac-address
  (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
  (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
  (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
  (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
  (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords. Sticky addresses live in the running configuration only; save it to the startup configuration or they are lost at the next reload.
maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]
  (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  • vlan: set a per-VLAN maximum value.
  • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switchport Port-Security Violation Parameters
protect
  (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred, which makes this mode a poor choice anywhere you rely on switch logs to detect an intruder.
restrict
  (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred (SNMP trap, syslog message and violation counter) while the port stays up.
shutdown
  (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
shutdown vlan
  Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port, or sets the aging time or type
Switchport Port-Security Aging Parameters
static
  Enable aging for statically configured secure addresses on this port.
time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
  Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
[Figure: switch S2 with PC B attached to the secured port.]
Verify Port Security
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Storm Control
LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Figure: one host's broadcast frames are replicated out of every port in the VLAN; the storm-control graph plots the total number of broadcast packets or bytes against time.]
Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
Storm Control Configuration
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
Storm Control Parameters
broadcast
  Enables broadcast storm control on the interface.
multicast
  Enables multicast storm control on the interface.
unicast
  Enables unicast storm control on the interface.
level level [level-low]
  Rising and falling suppression levels as a percentage of the total bandwidth of the port.
  • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
  • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]
  Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
  • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]
  Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
  • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}
  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap.
  • shutdown: Disables the port during a storm
  • trap: Sends an SNMP trap when a storm occurs
Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper      Lower      Current
---------  -------------  ---------  ---------  --------
Gi0/1      Forwarding     20 pps     10 pps     5 pps
Gi0/2      Forwarding     50.00%     40.00%     0.00%
<output omitted>
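Checking that every access port carries the typical port-security configuration and a storm-control threshold is easier to script than to eyeball across a fleet. The following Python audit is an added example, not part of the slides: it parses a constructed running-config (SAMPLE_CONFIG is made up for the demo, not captured from a real switch) into per-interface command lists and reports access ports with no port security, a silent protect violation mode, or no broadcast storm control. Trunk ports are skipped because uplinks need a different policy.

```python
"""Audit a Catalyst running-config for access ports that lack the port-security
and storm-control settings shown above.  Added example, not from the slides;
SAMPLE_CONFIG is a constructed config, not a capture from a real switch."""

import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 storm-control broadcast level 20.00
 storm-control action trap
!
interface GigabitEthernet0/2
 description printer
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 storm-control multicast level pps 2k 1k
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""

VIOLATION_RE = re.compile(r"switchport port-security violation (\S+)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None            # "!" or a global command ends the block
    return interfaces


def audit_access_ports(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for every access port that is weaker
    than the typical configuration: no port security, a silent violation mode,
    or no broadcast storm control."""
    findings: List[Tuple[str, str]] = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue                  # trunks and uplinks need a different policy
        if "switchport port-security" not in cmds:
            findings.append((name, "port security not enabled"))
        else:
            mode = "shutdown"         # IOS default when no violation mode is set
            for cmd in cmds:
                m = VIOLATION_RE.match(cmd)
                if m:
                    mode = m.group(1)
            if mode == "protect":
                findings.append((name, "violation mode protect drops silently; "
                                       "use restrict or shutdown so you are notified"))
        if not any(c.startswith("storm-control broadcast level") for c in cmds):
            findings.append((name, "no broadcast storm control"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_access_ports(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the sample config the audit flags GigabitEthernet0/2 twice (no port security, no storm control) and GigabitEthernet0/3 twice (protect mode, and multicast storm control only); the fully configured 0/1 and the trunk 0/24 produce nothing. Feed it the output of show running-config from each switch to run the same check fleet-wide.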
Understanding DHCP Snooping
Scenario
• Configure SW2-client as a DHCP client
• Configure SW3-server as a DHCP server for VLAN 1:
  - Configure the VLAN 1 SVI as 192.168.7.3/24
  - Scope: 192.168.7.100-254/24
  - Default gateway: 192.168.7.1
  - Lease time: 7 days
When a client no longer needs its IP address, it sends a DHCPRELEASE message to the DHCP server.
Client Spoofing Attack
DHCPRELEASE messages can be spoofed! A forged release for another host's address takes that address away from its legitimate owner and frees it for the attacker to request. If the DHCPRELEASE message doesn't match what's in the DHCP snooping binding database, the packet gets dropped. Examples of a mismatch:
• Source interface doesn't match the port the client is connected to
• Source MAC doesn't match the client's MAC address
DHCP snooping does not actively alert you when it blocks a rogue server; you have to look for the drops in the switch log.
DHCP snooping does:
• Prevent a malicious device from hijacking an IP address
DHCP snooping does not:
• Prevent a device from using an unallocated IP address
DHCP Snooping and IP Source Guard
DHCP Snooping
• Prevents unauthorized DHCP servers from handing out IP addresses
IP Source Guard
• Prevents a device from using an IP address it's not entitled to, by checking the source IP of traffic on untrusted ports against the DHCP snooping binding database
Configuring IP Source Guard
• You must enable DHCP snooping on the VLANs corresponding to the ports you want IP source guard to protect, since the binding database is where the entitled addresses come from
• You can't configure IP source guard on a layer 3 routed interface
ARP Poisoning Attacks
Understanding ARP poisoning requires an in-depth understanding of how ARP works.
[Figure: ARP request. Ben's laptop (172.31.98.214) broadcasts "Who has 172.31.98.1?" to reach its default gateway.]
[Figure: ARP reply. The default gateway answers Ben's laptop: "I am 172.31.98.1. My MAC is 9c1c.12c9.7257."]
Scenario
• SW1 is the default gateway for the 192.168.7.0/24 subnet
• A hacker is trying to intercept traffic from SW2-client (192.168.7.2) destined for SW1 (192.168.7.1)
[Figure: gratuitous ARP. The attacker broadcasts to FFFF.FFFF.FFFF "I am 192.168.7.1!" (in the 172.31.98.0/24 diagram, "I am 172.31.98.1") with its own MAC as the sender hardware address. Every host that accepts it overwrites its ARP cache entry for the gateway with the attacker's MAC and sends its outbound traffic to the attacker.]
Dynamic ARP Inspection
• Intercepts ARP requests and replies on untrusted ports
• Compares their contents with the DHCP snooping binding database
• Limits the number of incoming ARP packets to 15 per second on an untrusted interface (the default; a port that exceeds its limit is err-disabled)
• Does not inspect incoming ARP packets on trusted ports
• Does not inspect outgoing ARP packets on any interface
Hosts with static addresses have no DHCP snooping binding, so their ARP traffic is dropped on untrusted ports unless you cover them with an ARP ACL.
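DHCP snooping, IP Source Guard and DAI share one source of truth, the DHCP snooping binding database, and the following Python model (an added example, not code from the slides) shows how each consults it: a DHCPRELEASE is honoured only if MAC, IP and ingress port all match the binding; IP Source Guard accepts only source addresses bound to the ingress port; DAI validates sender MAC/IP on untrusted ports, skips trusted ports, and err-disables a port that exceeds 15 ARP packets per second. The bindings, the port names (Fa0/2, Fa0/3, trusted uplink Fa0/24) and the attacker's host are constructed for the demo; the gateway MAC 9c1c.12c9.7257 and the 192.168.7.0/24 scenario are taken from the slides above.

```python
"""DHCP snooping binding database as the source of truth for three checks:
spoofed DHCPRELEASE, IP Source Guard and Dynamic ARP Inspection.  Added example,
not from the slides; bindings, port names and the attacker host are constructed."""

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding database."""
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed: what the switch learned from DHCP exchanges on untrusted ports.
BINDINGS = [
    Binding("0011.2233.4455", "192.168.7.101", 1, "Fa0/2"),   # legitimate client
    Binding("0011.2233.4466", "192.168.7.102", 1, "Fa0/3"),   # attacker's host
]
TRUSTED_PORTS = {"Fa0/24"}      # uplink towards SW1, the real default gateway
ARP_RATE_LIMIT_PPS = 15         # DAI default on untrusted interfaces
Verdict = Tuple[bool, str]      # (accepted?, reason)


class SnoopingGuard:
    def __init__(self, bindings, trusted_ports, arp_rate_limit=ARP_RATE_LIMIT_PPS):
        self.by_mac = {(b.vlan, b.mac): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.arp_rate_limit = arp_rate_limit
        self.arp_seen = {}           # (port, second) -> ARP packets in that second
        self.errdisabled = set()

    def dhcp_release(self, in_port, vlan, src_mac, client_ip) -> Verdict:
        """Client spoofing: honour a DHCPRELEASE only if MAC, IP and port all
        match the binding, so nobody can release a lease from another port."""
        b = self.by_mac.get((vlan, src_mac))
        if b is None or b.ip != client_ip:
            return False, "no binding for this MAC/IP"
        if b.port != in_port:
            return False, "binding belongs to another port"
        return True, "release accepted"

    def ip_source_guard(self, in_port, vlan, src_ip) -> Verdict:
        """IP Source Guard: IP traffic on an untrusted port must use an address
        that DHCP actually handed to a host on that very port."""
        if in_port in self.trusted:
            return True, "trusted port"
        if any(b.vlan == vlan and b.port == in_port and b.ip == src_ip
               for b in self.by_mac.values()):
            return True, "matches binding"
        return False, "source IP not bound to this port"

    def arp_inspection(self, in_port, vlan, sender_mac, sender_ip, now) -> Verdict:
        """Dynamic ARP Inspection of one incoming ARP request or reply."""
        if in_port in self.errdisabled:
            return False, "port err-disabled"
        if in_port in self.trusted:
            return True, "trusted port, not inspected"
        key = (in_port, int(now))
        self.arp_seen[key] = self.arp_seen.get(key, 0) + 1
        if self.arp_seen[key] > self.arp_rate_limit:
            self.errdisabled.add(in_port)             # what IOS does on overrun
            return False, "ARP rate limit exceeded, port err-disabled"
        b = self.by_mac.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != in_port:
            return False, "sender MAC/IP does not match the binding database"
        return True, "ARP accepted"


def demo() -> dict:
    g = SnoopingGuard(BINDINGS, TRUSTED_PORTS)
    out = {
        # legitimate client answering an ARP request from its own port
        "client_arp": g.arp_inspection("Fa0/2", 1, "0011.2233.4455", "192.168.7.101", 0.0)[0],
        # attacker's gratuitous ARP "I am 192.168.7.1" sent from Fa0/3
        "poisoned_arp": g.arp_inspection("Fa0/3", 1, "0011.2233.4466", "192.168.7.1", 0.0)[0],
        # the real gateway's ARP arrives on the trusted uplink
        "gateway_arp": g.arp_inspection("Fa0/24", 1, "9c1c.12c9.7257", "192.168.7.1", 0.0)[0],
        # attacker on Fa0/3 tries to release the client's lease
        "spoofed_release": g.dhcp_release("Fa0/3", 1, "0011.2233.4455", "192.168.7.101")[0],
        # attacker uses an unallocated address instead of its own lease
        "ipsg_unallocated": g.ip_source_guard("Fa0/3", 1, "192.168.7.200")[0],
        "ipsg_leased": g.ip_source_guard("Fa0/3", 1, "192.168.7.102")[0],
    }
    # 16 valid ARPs within one second from the legitimate client: the 16th overruns the limit.
    burst = [g.arp_inspection("Fa0/2", 1, "0011.2233.4455", "192.168.7.101", 100.0)[0]
             for _ in range(16)]
    out["arp_accepted_before_limit"] = burst.count(True)
    out["fa0_2_errdisabled"] = "Fa0/2" in g.errdisabled
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note what the rate limit does to a legitimate host: a burst of valid ARPs still err-disables the port, which is why the limit is raised on ports behind hubs or virtualization hosts. Hosts that never use DHCP have no binding and would fail every check here; on a real switch they need static bindings or an ARP ACL.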
AAA
Local authentication
• Requires manually configuring credentials on each device
RADIUS and TACACS+
• Provide centralized authentication
Configuring Authentication Method Lists
Traffic Analysis
• A SPAN port mirrors traffic to another port where a monitoring device is connected.
• Without this, it can be difficult to track hackers after they have entered the network.
[Figure: an IDS, an RMON probe and a protocol analyzer on the SPAN destination port see the attacker's traffic; the IDS raises "Intruder Alert!".]
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Verify SPAN Configuration
SPAN and IDS
[Figure: the attacker is attached to F0/1 and the IDS to F0/2.] Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
Overview of RSPAN
• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.
[Figure: source VLANs on three switches are carried over the RSPAN VLAN to the switch where the IDS is connected; the IDS raises "Intruder Alert!" on the attacker's traffic.]
Configuring RSPAN
1. Configure the RSPAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded
On 2960-1 (the source switch):
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
On 2960-2 (the switch with the IDS):
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
The RSPAN VLAN (100 here) must be created with remote-span on every switch in the path and allowed on the trunks between them; MAC address learning is disabled in it, so the mirrored frames are flooded through it to the destination switch and must not be carried over trunks you cannot trust.
Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Switch security

  • 2. Table of content
    1. Defense in depth
    2. Switch security
    3. MAC flooding attack
    4. Storm control
    5. Private VLAN
    6. DHCP snooping
    7. IP spoofing
    8. DAI
    9. AAA
    10. Traffic Analysis
  • 3. Defence in depth
    • Add security at multiple layers; do not rely on the perimeter firewall alone
    • Networks cannot simply be partitioned into "inside" and "outside"
    Defense in depth requires that the relationship between network resources and network users be a controlled, scalable and granular system of permissions and access controls, one that goes beyond simply dropping firewalls between network segments.
  • 5. MAC Address Spoofing Attack
    Diagram: the switch has the server (MAC address AABBcc) on Port 1 and the attacker (MAC address 12AbDd) on Port 2.
    Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
    The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
  • 6. MAC Address Spoofing Attack
    Diagram: the attacker on Port 2 now also presents MAC address AABBcc.
    Attacker: "I have changed the MAC address on my computer to match the server."
    Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
  • 7. MAC Address Table Overflow Attack
    The switch can forward frames between PC1 and PC2 without flooding because its MAC address table contains port-to-MAC-address mappings for these PCs.
  • 8. MAC Address Table Overflow Attack
    Diagram: hosts A, B, C and D in VLAN 10; the intruder is host C on port 3/25.
    1. Intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ... all sourced from port 3/25).
    2. Bogus addresses are added to the CAM table (MAC X → 3/25, MAC Y → 3/25, MAC Z → 3/25, ...). CAM table is full.
    3. The switch floods the frames.
    4. Attacker sees traffic to servers B and D.
  • 9. Port Security Overview
    Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 present MAC F, which is not among the allowed addresses.
    Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
  • 10. CLI Commands
    Switch(config-if)# switchport mode access
      • Sets the interface mode as access
    Switch(config-if)# switchport port-security
      • Enables port security on the interface
    Switch(config-if)# switchport port-security maximum value
      • Sets the maximum number of secure MAC addresses for the interface (optional)
  • 11. Switchport Port-Security Parameters
    mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
    vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
    vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
    vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
    mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
    maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
    vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
      • vlan: set a per-VLAN maximum value.
      • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
  • 12. Port Security Violation Configuration
    Switch(config-if)# switchport port-security mac-address sticky
      • Enables sticky learning on the interface (optional)
    Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
      • Sets the violation mode (optional)
    Switch(config-if)# switchport port-security mac-address mac-address
      • Enters a static secure MAC address for the interface (optional)
  • 13. Switchport Port-Security Violation Parameters
    protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
    restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
    shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
    shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
  • 14. Port Security Aging Configuration
    Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
      • Enables or disables static aging for the secure port, or sets the aging time or type
  • 15. Switchport Port-Security Aging Parameters
    static: Enable aging for statically configured secure addresses on this port.
    time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
    type absolute: Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
    type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
  • 16. Typical Configuration (switch S2, port towards PC B)
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 2
    Switch(config-if)# switchport port-security violation shutdown
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security aging time 120
  • 17. CLI Commands
    sw-class# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)        (Count)
    ---------------------------------------------------------------------------
        Fa0/12           2             0              0           Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 1024

    sw-class# show port-security interface f0/12
    Port Security              : Enabled
    Port status                : Secure-down
    Violation mode             : Shutdown
    Maximum MAC Addresses      : 2
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Aging time                 : 120 mins
    Aging type                 : Absolute
    SecureStatic address aging : Disabled
    Security Violation Count   : 0
  • 18. View Secure MAC Addresses
    sw-class# show port-security address
              Secure Mac Address Table
    -------------------------------------------------------------------
    Vlan    Mac Address       Type              Ports    Remaining Age (mins)
    ----    -----------       ----              -----    -------------
       1    0000.ffff.aaaa    SecureConfigured  Fa0/12   -
    -------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 1024
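The overflow attack on slides 7-8 and the port-security controls on slides 9-15 are two sides of one mechanism: a CAM table with finite capacity, and a per-port limit on which source addresses may populate it. The following model is an added example, not code from the slides or from Cisco; the switch, its tiny CAM capacity, the port names and the MAC addresses are all constructed. It replays the slide-8 scenario (attacker on 3/25, servers B and D) once with no protection and once under each violation mode, and reports what an analyst would check afterwards: whether the attacker's port ended up receiving server traffic, how full the table is, and what the violation counter shows.

```python
"""Toy switch with a capacity-limited MAC (CAM) table and per-port port
security.  Added example, not code from the slides or from Cisco; the
switch, capacities, ports and MAC addresses are constructed."""
from dataclasses import dataclass, field

CAM_CAPACITY = 8          # tiny on purpose so the overflow is visible
BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure: set = field(default_factory=set)   # secure (sticky-style) MACs
    err_disabled: bool = False
    violations: int = 0              # the SecurityViolation count
    notifications: int = 0           # syslog/SNMP trap (restrict, shutdown)


class Switch:
    def __init__(self, ports, capacity=CAM_CAPACITY):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = {}                # mac -> port
        self.psec = {}               # port -> PortSecurity

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.psec[port] = PortSecurity(maximum, violation)

    def expire(self, mac):
        """Normal CAM aging removing an idle entry (300 s by default on IOS)."""
        self.cam.pop(mac, None)

    def _admit(self, port, src):
        """Apply port security to the frame's source MAC; True = allowed."""
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False             # err-disabled port drops everything
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)       # learn it as a secure address
            return True
        ps.violations += 1
        if ps.violation in ("restrict", "shutdown"):
            ps.notifications += 1    # protect mode stays silent
        if ps.violation == "shutdown":
            ps.err_disabled = True   # stays down until errdisable recovery
            for mac in ps.secure:
                self.cam.pop(mac, None)
        return False

    def receive(self, port, src, dst):
        """Process one frame; return the list of egress ports."""
        if not self._admit(port, src):
            return []
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = port     # source learning, bounded by capacity
        out = self.cam.get(dst)
        if out is None or dst == BROADCAST:
            return [p for p in self.ports if p != port]   # unknown: flood
        return [out]


def overflow_demo(violation=None):
    """Slide-8 scenario: hosts A, B, D on 3/1, 3/2, 3/4; intruder on 3/25.
    violation=None leaves 3/25 unprotected; otherwise port security with
    maximum 1 and the given mode is applied to it."""
    sw = Switch(["3/1", "3/2", "3/4", "3/25"])
    if violation:
        sw.enable_port_security("3/25", maximum=1, violation=violation)
    sw.receive("3/2", "mac.B", "mac.A")
    sw.receive("3/4", "mac.D", "mac.A")
    flood = (f"bogus.{i:04x}" for i in range(1000))   # macof-style sources
    for _ in range(CAM_CAPACITY):
        sw.receive("3/25", next(flood), "mac.A")
    sw.expire("mac.B")                       # B's entry ages out...
    sw.receive("3/25", next(flood), "mac.A") # ...the flood takes the free slot
    sw.receive("3/2", "mac.B", "mac.A")      # ...so B cannot be re-learned
    egress = sw.receive("3/1", "mac.A", "mac.B")
    ps = sw.psec.get("3/25")
    return {
        "attacker_sees_traffic": "3/25" in egress,
        "cam_entries": len(sw.cam),
        "violations": ps.violations if ps else 0,
        "err_disabled": ps.err_disabled if ps else False,
    }


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        print(mode or "no port security", overflow_demo(mode))
```

Without port security the unicast frame from A to B leaves on every port including 3/25, which is exactly "attacker sees traffic to servers B and D". With protect or restrict the port keeps its one secure address and silently (protect) or noisily (restrict) drops the rest, so the CAM never fills; with shutdown the first offending frame err-disables the port and purges what it had learned.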
  • 20. LAN Storm Attack
    • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
    • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
  • 22. Storm Control Methods
    • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
    • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
    • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
    • Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
  • 23. Storm Control Configuration
    Switch(config-if)# storm-control broadcast level 75.5
    Switch(config-if)# storm-control multicast level pps 2k 1k
    Switch(config-if)# storm-control action shutdown
    • Enables storm control
    • Specifies the level at which it is enabled
    • Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
  • 26. Storm Control Parameters
    broadcast: Enables broadcast storm control on the interface.
    multicast: Enables multicast storm control on the interface.
    unicast: Enables unicast storm control on the interface.
    level level [level-low]: Rising and falling suppression levels as a percentage of the total bandwidth of the port.
      • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
      • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
    level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
      • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
      • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
    level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
      • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
      • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
    action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
      • shutdown: Disables the port during a storm
      • trap: Sends an SNMP trap when a storm occurs
  • 27. Verify Storm Control Settings
    Switch# show storm-control
    Interface  Filter State   Upper      Lower      Current
    ---------  -------------  ---------  ---------  --------
    Gi0/1      Forwarding     20 pps     10 pps     5 pps
    Gi0/2      Forwarding     50.00%     40.00%     0.00%
    <output omitted>
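What the rising and falling levels of slides 23 and 26 actually buy you is hysteresis: once a storm is detected the port stays in the Filter State until the rate drops below the lower level, instead of flapping between blocked and forwarding around a single threshold. The state machine below is an added example, not Cisco code; the per-interval multicast rates it consumes are constructed, and the slides' storm-control multicast level pps 2k 1k is modelled as rising 2000 / falling 1000 packets per second.

```python
"""Storm-control threshold logic with rising and falling levels.  Added
example, not Cisco code; the rate samples are constructed."""
from dataclasses import dataclass


@dataclass
class StormControl:
    rising: float                  # level / bps / pps: block when reached
    falling: float = None          # level-low: resume only once below this
    action: str = "filter"         # filter (default) | shutdown | trap
    blocking: bool = False         # Filter State shown by show storm-control
    err_disabled: bool = False
    traps: int = 0                 # SNMP traps sent (action trap)

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising   # no falling level given: same as rising
        if self.falling > self.rising:
            raise ValueError("falling level must be <= rising level")

    def sample(self, rate):
        """Feed the rate measured in one interval; return what the port did
        with that interval's traffic: forward, filter or shutdown."""
        if self.err_disabled:
            return "shutdown"
        if not self.blocking and rate >= self.rising:
            self.blocking = True             # storm detected
            if self.action == "trap":
                self.traps += 1
            elif self.action == "shutdown":
                self.err_disabled = True     # port disabled for the storm
                return "shutdown"
        elif self.blocking and rate < self.falling:
            self.blocking = False            # storm subsided
        return "filter" if self.blocking else "forward"


# Constructed multicast rates (packets/second) for seven consecutive intervals
SAMPLES = [500, 1500, 2500, 1800, 1200, 900, 3000]


def run(samples=SAMPLES, **config):
    """Return the per-interval decisions and the final controller state."""
    sc = StormControl(**config)
    return [sc.sample(r) for r in samples], sc


if __name__ == "__main__":
    print("pps 2k 1k :", run(rising=2000, falling=1000)[0])
    print("pps 2k    :", run(rising=2000)[0])
    print("shutdown  :", run(rising=2000, falling=1000, action="shutdown")[0])
```

Compare the two first runs: with only a rising level the port resumes forwarding as soon as the rate dips to 1800, i.e. while the storm is still in progress; with the 1k falling level it keeps filtering until the rate falls to 900.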
  • 43. Scenario
    • Configure SW2-client as a DHCP client
    • Configure SW3-server as a DHCP server for VLAN 1:
      - Configure the VLAN 1 SVI as 192.168.7.3/24
      - Scope: 192.168.7.100-254/24
      - Default gateway: 192.168.7.1
      - Lease time: 7 days
  • 45. Client Spoofing Attack
    When a client no longer needs its IP address, it sends a DHCPRELEASE message to the DHCP server.
    DHCPRELEASE messages can be spoofed!
    DHCP snooping does not tell you when it blocks a rogue server.
  • 46. Client Spoofing Attack
    If the DHCPRELEASE message doesn't match what's in the DHCP snooping binding database, the packet will get dropped. Examples:
    • Source interface doesn't match the port the client is connected to
    • Source MAC doesn't match the client's MAC address
  • 47. DHCP Snooping Does Not…
    • Prevent a malicious device from hijacking an IP address
    • Prevent a device from using an unallocated IP address
  • 48. DHCP Snooping and IP Source Guard
    • DHCP Snooping prevents unauthorized DHCP servers from handing out IP addresses
    • IP Source Guard prevents a device from using an IP address it's not entitled to
  • 52. Configuring IP Source Guard
    You must enable DHCP snooping on the VLANs corresponding to the ports you want IP Source Guard to protect.
  • 54. You can’t configure IP source guard on a layer 3 routed interface
  • 56. Diagram: host 172.31.98.214 broadcasts "Who has 172.31.98.1?"
    Understanding ARP poisoning requires an in-depth understanding of how ARP works.
  • 58. Diagram: host 172.31.98.214 asks "Who has 172.31.98.1?"; 172.31.98.1 replies "I am 172.31.98.1. My MAC is 9c1c.12c9.7257".
  • 60. Scenario
    • SW1 is the default gateway for the 192.168.7.0/24 subnet
    • A hacker is trying to intercept traffic from SW2-client (192.168.7.2) destined for SW1 (192.168.7.1)
    Diagram: the attacker broadcasts (To: FFFF.FFFF.FFFF) "I am 192.168.7.1!"
  • 61. Gratuitous ARP
    Diagram: a broadcast (To: FFFF.FFFF.FFFF) "I am 172.31.98.1. My MAC is 9c1c.12c9.7257" is sent towards 172.31.98.214.
  • 63. Dynamic ARP Inspection
    • Intercepts ARP requests and replies on untrusted ports
    • Compares contents with the DHCP snooping binding database
    • Limits the number of incoming ARP packets to 15 per second on an untrusted interface
  • 64. Dynamic ARP Inspection
    • Does not inspect incoming ARP packets on trusted ports
    • Does not inspect outgoing ARP packets on any interface
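Slides 45-64 describe three checks that all consume the same DHCP snooping binding database: DHCPRELEASE validation, IP Source Guard and Dynamic ARP Inspection. The model below is an added example, not code from the slides or from Cisco, and it assumes a constructed topology for the slides' 192.168.7.0/24 scenario: uplink Gi0/1 (towards SW3-server and the SW1 gateway) is the only trusted port, the client sits on Fa0/2 and the attacker on Fa0/3; the MAC addresses and the assigned lease 192.168.7.100 are constructed as well. It walks one of each case the slides mention (rogue server offer, mismatched RELEASE, stolen and unallocated IP, poisoned gratuitous ARP, ARP flood against the 15 pps limit) through the checks and returns the switch's decision for each.

```python
"""DHCP snooping binding database with DHCPRELEASE validation, IP Source
Guard and Dynamic ARP Inspection.  Added example, not Cisco code; the
ports, MAC addresses and lease are constructed for the slides' scenario."""
from dataclasses import dataclass
from collections import defaultdict

ARP_RATE_LIMIT = 15          # DAI default on untrusted ports (packets/second)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str                # the client's port, learned from its request


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink towards DHCP server / gateway
        self.pending = {}                   # (vlan, mac) -> client port awaiting ACK
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.arp_count = defaultdict(int)   # (port, second) -> ARPs seen
        self.err_disabled = set()

    # ---- DHCP snooping: build the binding database ----
    def dhcp_request(self, port, vlan, mac):
        self.pending[(vlan, mac)] = port

    def dhcp_ack(self, port, vlan, mac, ip):
        """Server reply; only a trusted port may source one (rogue-server block)."""
        if port not in self.trusted:
            return "drop: DHCP server message on untrusted port"
        client_port = self.pending.pop((vlan, mac), None)
        if client_port is None:
            return "drop: no matching request"
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, client_port)
        return "forward"

    def dhcp_release(self, port, vlan, mac, ip):
        """Slide 46: a RELEASE must match the binding's port, MAC and IP."""
        b = self.bindings.get((vlan, mac))
        if b is None or b.port != port or b.ip != ip:
            return "drop: RELEASE does not match binding"
        del self.bindings[(vlan, mac)]
        return "forward"

    # ---- IP Source Guard: IP traffic must match a binding on that port ----
    def ip_packet(self, port, vlan, src_mac, src_ip):
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.port != port or b.ip != src_ip:
            return "drop: IP source guard"
        return "forward"

    # ---- Dynamic ARP Inspection ----
    def arp(self, port, vlan, sender_mac, sender_ip, second=0):
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            return "forward"                # trusted ports are not inspected
        self.arp_count[(port, second)] += 1
        if self.arp_count[(port, second)] > ARP_RATE_LIMIT:
            self.err_disabled.add(port)
            return "drop: ARP rate limit exceeded, port err-disabled"
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            return "drop: DAI, sender IP/MAC not in binding database"
        return "forward"


def scenario():
    """Run the slides' scenario through the model; names are constructed."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    client, attacker = "Fa0/2", "Fa0/3"
    cmac, amac, gwmac = "aaaa.bbbb.0002", "dead.beef.0003", "1111.2222.0001"
    r = {}
    sw.dhcp_request(client, 1, cmac)
    r["rogue_offer"] = sw.dhcp_ack(attacker, 1, cmac, "192.168.7.200")
    r["real_ack"] = sw.dhcp_ack("Gi0/1", 1, cmac, "192.168.7.100")
    r["release_wrong_port"] = sw.dhcp_release(attacker, 1, cmac, "192.168.7.100")
    r["release_wrong_mac"] = sw.dhcp_release(client, 1, amac, "192.168.7.100")
    r["client_ip_ok"] = sw.ip_packet(client, 1, cmac, "192.168.7.100")
    r["attacker_steals_ip"] = sw.ip_packet(attacker, 1, amac, "192.168.7.100")
    r["attacker_unallocated_ip"] = sw.ip_packet(attacker, 1, amac, "192.168.7.50")
    r["gateway_arp_trusted"] = sw.arp("Gi0/1", 1, gwmac, "192.168.7.1")
    r["poisoned_garp"] = sw.arp(attacker, 1, amac, "192.168.7.1")
    r["client_arp"] = sw.arp(client, 1, cmac, "192.168.7.100")
    flood = [sw.arp(attacker, 1, amac, "192.168.7.50", second=5) for _ in range(20)]
    r["arp_flood_drops"] = sum(x.startswith("drop") for x in flood)
    r["arp_err_disabled_at_packet"] = 1 + flood.index(
        "drop: ARP rate limit exceeded, port err-disabled")
    r["release_ok"] = sw.dhcp_release(client, 1, cmac, "192.168.7.100")
    return r


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:28} {outcome}")
```

Two points from slide 47 and 48 show up directly in the results: the unallocated 192.168.7.50 is stopped by IP Source Guard (no binding exists for it), not by DHCP snooping itself, and the gratuitous ARP claiming the gateway is dropped on the untrusted port while the same claim on trusted Gi0/1 is never inspected, which is why trust must be limited to the uplinks.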
  • 65. Local Authentication Requires manually configuring credentials on each device
  • 66. RADIUS and TACACS+ Provide centralized authentication
  • 71. Traffic Analysis
    • A SPAN port mirrors traffic to another port where a monitoring device (IDS, RMON probe, protocol analyzer) is connected.
    • Without this, it can be difficult to track hackers after they have entered the network.
  • 72. CLI Commands
    Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
    Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
  • 74. SPAN and IDS
    Diagram: attacker on F0/1, IDS on F0/2.
    Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
  • 75. Overview of RSPAN
    • An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
    • This allows more switches to be monitored with a single probe or IDS.
    Diagram: source VLANs on several switches are carried over the RSPAN VLAN to the switch where the IDS is attached.
  • 76. Configuring RSPAN
    1. Configure the RSPAN VLAN
    2. Configure the RSPAN source ports and VLANs
    3. Configure the RSPAN traffic to be forwarded
    2960-1(config)# vlan 100
    2960-1(config-vlan)# remote-span
    2960-1(config-vlan)# exit
    2960-1(config)# monitor session 1 source interface FastEthernet 0/1
    2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
    2960-1(config)# interface FastEthernet 0/2
    2960-1(config-if)# switchport mode trunk

    2960-2(config)# monitor session 2 source remote vlan 100
    2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
    2960-2(config)# interface FastEthernet 0/2
    2960-2(config-if)# switchport mode trunk
  • 77. Verifying RSPAN Configuration (on 2960-1 and 2960-2)
    show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]