Network Authentication Chapter 6 Part 1

  1. Types of Layer 2 attacks (5)
    • MAC address spoofing
    • MAC address table overflows
    • STP manipulation
    • LAN storms
    • VLAN attacks
  2. Port security can either: (2)
    • Statically specify the MAC addresses on a particular switch port.
    • Allow the switch to dynamically learn a fixed number of MAC addresses for a switch port.
  3. Enable Port Security
    • (config-if)# switchport mode access
    • (config-if)# switchport port-security
  4. Set max number of secure MAC addresses for the interface
    • (config-if)# switchport port-security max (1-132)
    • default is 1
  5. Config a static secure MAC address for the int
    (config-if)# switchport port-security mac-address mac-address
  6. Enable sticky learning on the interface
    (config-if)# switchport port-security mac-address sticky
  7. Port security violations (4)
    • protect - number of MAC addresses has reached the limit
    • restrict - same as protect but sends out an SNMP trap
    • shutdown - port shuts down because of a violation
    • shutdown vlan - only the VLAN is error-disabled
  8. Re-enable an error-disabled port (2)
    1) (config)# errdisable recovery cause psecure-violation
    2) (config-if)# shutdown
       (config-if)# no shutdown
  9. Types of port aging (2)
    • absolute
    • inactivity
  10. Absolute port aging
    the secure addresses on the port are deleted after the specified aging time
  11. Inactivity port aging
    The secure addresses on the port are only deleted if they are inactive for the specified aging time
  12. Config port aging
    (config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
  13. Configure violation response
    (config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
  14. PortFast
    Bypasses listening and learning states
  15. configure portfast
    (config-if)# spanning-tree portfast
  16. globally enable the PortFast feature on all nontrunking ports
    (config)# spanning-tree portfast default
  17. Determine if PortFast has been configured
    show running-config interface type slot/port
  18. BPDU Guard
    prevents ports from receiving BPDUs when they are not supposed to
  19. What happens when an interface configured with PortFast and BPDU Guard receives a BPDU?
    The switch will put the port into the disabled state
  20. Enable BPDU Guard on all PortFast enabled ports
    (config)# spanning-tree portfast bpduguard default
  21. Display STP state info
    sh spanning-tree summary totals
  22. What happens when an interface with PortFast and BPDU Filtering receives a BPDU packet?
    PortFast and BPDU Filtering are disabled
  23. Config BPDU Filtering (2)
    1) (config)# spanning-tree portfast bpdufilter default

    2) (config-if)# spanning-tree bpdufilter enable
  24. Verify bpdu filtering
    sh spanning-tree summary
  25. Root Guard
    Limits the switch ports out of which the root bridge can be negotiated.
  26. If a root-guard-enabled port receives BPDUs that are superior to those the current root bridge is sending, what happens?
    The port is moved to the root-inconsistent state
  27. Config Root Guard
    (config-if)# spanning-tree guard root
  28. verify root guard
    sh spanning-tree inconsistentports
  29. With Storm Control, what happens when the traffic threshold is reached?
    The port blocks traffic until the traffic rate drops back below the threshold.
  30. Config Storm Control
    (config-if)# storm-control {{broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low]} | action {shutdown | trap}}
  31. verify storm control
    sh storm-control [int]
  32. prevent the generation of DTP frames
    (config-if)# switchport nonegotiate
  33. Set the native VLAN on the trunk to an unused VLAN
    (config-if)# switchport trunk native vlan #
  34. Layer 2 Best Practices
    • Use SSH, ACLs, etc
    • Set all user ports to non-trunking ports
    • Use port security when able
    • Use CDP only where necessary
    • Config PortFast on non-trunking ports
    • Config BPDU guard on all non-trunking ports
    • Configure Root Guard on STP root ports
    • Disable auto-trunking on user facing ports (DTP off)
    • config trunking on infrastructure ports
    • Disable unused ports and put them in an unused VLAN
    • Use distinct VLAN assignments
    • Do not use VLAN 1 for anything other than Layer 2 protocol control traffic