Network Authentication Chapter 6 Part 1
Types of Layer 2 attacks (5)
•MAC address spoofing
•MAC address table overflows
•STP manipulation
•LAN storms
•VLAN attacks
Port security can either: (2)
–Statically specify the MAC addresses on a particular switch port.
–Allow the switch to dynamically learn a fixed number of MAC addresses for a switch port.
Enable Port Security
(config-if)# switchport mode access
(config-if)# switchport port-security
Set max number of secure MAC addresses for the interface
(config-if)# switchport port-security max (1-132)
default is 1
Config a static secure MAC address for the interface
(config-if)# switchport port-security mac-address mac-address
Enable sticky learning on the interface
(config-if)# switchport port-security mac-address sticky
Port security violations (4)
protect
- number of MAC addresses has reached the limit
restrict
- same as protect but sends out an SNMP trap
shutdown
- port shuts down because of a violation
shutdown vlan
- only the VLAN is error-disabled
re-enable an error-disabled port (2)
1) (config)# errdisable recovery cause psecure-violation
2) (config-if)# shut, then no shut
Types of port aging (2)
absolute
inactivity
absolute port aging
the secure addresses on the port are deleted after the specified aging time
Inactivity port aging
The secure addresses on the port are only deleted if they are inactive for the specified aging time
Config port aging
(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
Configure violation response
(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
PortFast
Bypasses listening and learning states
configure portfast
(config-if)# spanning-tree portfast
globally enable the PortFast feature on all nontrunking ports
(config)# spanning-tree portfast default
Determine if PortFast has been configured
show running-config interface type slot/port
BPDU Guard
prevents ports from receiving BPDUs when they are not supposed to
What happens when an interface configured with PortFast and BPDU Guard receives a BPDU?
The switch will put the port into the disabled state
Enable BPDU Guard on all PortFast enabled ports
(config)# spanning-tree portfast bpduguard default
Display STP state info
sh spanning-tree summary totals
What happens when an interface with PortFast and BPDU Filtering receives a BPDU packet?
PortFast and BPDU Filtering are disabled
Config BPDU Filtering (2)
1) (config)# spanning-tree portfast bpdufilter default
2) (config-if)# spanning-tree bpdufilter enable
Verify bpdu filtering
sh spanning-tree summary
Root Guard
Limits the switch ports out of which the root bridge can be negotiated.
If a root-guard-enabled port receives BPDUs that are superior to those the current root bridge is sending, what happens?
The port is moved to the root-inconsistent state
Config Root Guard
(config-if)# spanning-tree guard root
verify root guard
sh spanning-tree inconsistentports
With Storm Control, what happens when the traffic threshold is reached?
The port blocks traffic until the traffic rate drops back below the threshold.
config Storm Control
(config-if)# storm-control {{broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low]}} | {action {shutdown | trap}}
verify storm control
sh storm-control [int]
prevent the generation of DTP frames
(config-if)# switchport nonegotiate
Set the native VLAN on the trunk to an unused VLAN
(config-if)# switchport trunk native vlan vlan-id
Layer 2 Best Practices
Use SSH, ACLs, etc
Set all user ports to non-trunking ports
Use port security when able
Use CDP only where necessary
Config PortFast on non-trunking ports
Config BPDU guard on all non-trunking ports
Configure Root Guard on STP root ports
Disable auto-trunking on user facing ports (DTP off)
config trunking on infrastructure ports
Disable unused ports and put them in an unused VLAN
Use distinct VLAN assignments
Do not use VLAN 1 for anything other than Layer 2 protocol control traffic
Author
jal128
ID
299592
Card Set
Network Authentication Chapter 6 Part 1
Description
Network Authentication Chapter 6 Part 1
Updated
2015-03-31T12:36:31Z