(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1            [1 is the default]
(config-if)# switchport port-security violation shutdown   [shutdown is the default]
The violation options are:

shutdown (default) – The interface is placed in the err-disabled state, which blocks all traffic on it. A syslog message and SNMP trap are generated and the port stays down until an administrator bounces it (shutdown / no shutdown) or errdisable recovery is configured for the psecure-violation cause.
protect – Once the maximum has been reached, frames from source MAC addresses other than the permitted ones are silently dropped; traffic from allowed addresses passes normally. Nothing is logged and no counter is incremented, so violations in this mode are invisible to monitoring.
restrict – The same as protect, but additionally generates a syslog message and SNMP trap and increments the violation counter, so the port stays usable for the legitimate host while the event is still recorded.

Sticky MAC learning lets the port dynamically learn up to the configured maximum number of source MAC addresses and then lock them in; any further MAC address is treated as a violation. Learnt addresses are written into the running configuration much as if you had explicitly defined the allowed address with the port-security command, such as:
(config-if)# switchport port-security mac-address [mac]
To enable sticky learning the following command is used (the learnt entries then appear in the configuration as switchport port-security mac-address sticky followed by the address; they survive a reload only if the running configuration is saved):

(config-if)# switchport port-security mac-address sticky
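Putting the pieces above together, here is a complete port-security configuration for a single user port. This is an added example and not configuration from the original post; the interface name, VLAN number and the MAC address shown in the comment are assumptions chosen for illustration.

```cisco
! Added example: a user-facing access port with port security and sticky
! learning. Interface name, VLAN and the sample MAC address are assumptions.
!
! Port security is refused on a port left in dynamic (DTP) mode, so the port
! must be a static access (or trunk) port before it is enabled.
interface FastEthernet0/8
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! One host per port; raise to 2 where a phone and a PC share the port.
 switchport port-security maximum 1
 ! Learn the first source MAC seen and pin it; any other MAC is a violation.
 switchport port-security mac-address sticky
 ! restrict keeps the port up for the allowed host but logs and counts every
 ! violation, so the event is visible without a dead port and a helpdesk call.
 switchport port-security violation restrict
!
! After the first frame arrives the running configuration gains a line like
!   switchport port-security mac-address sticky 0011.2233.4455
! (constructed address). Save it, or the learnt address is lost on reload:
!   copy running-config startup-config
!
! If violation shutdown is used instead, let err-disabled ports recover on
! their own after 5 minutes rather than waiting for manual intervention.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with show port-security interface FastEthernet0/8 (port status, violation mode, violation count and the learnt address) and show port-security address for the secure address table across all ports.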
Below are the main show commands:

show port-security interface fastethernet 0/8
show port-security

7. SPANNING TREE SECURITY

An intruder can attempt to take over the root bridge role by sending superior BPDUs from a switch (or a host running STP software) plugged into an access port. Winning the root election forces traffic over an alternative STP path, which may be slower, and places the attacker's switch in the middle of that path, where it can mirror (span) the traffic that now crosses it.
To guard against this you can use the root guard feature on ports that should never receive a superior BPDU (access ports and the downstream-facing ports of the intended root). If someone plugs a switch into such a port and tries to make it the root bridge, the switch places the port into the root-inconsistent state, which blocks it and logs the event; the port recovers automatically once the superior BPDUs stop arriving.
(config-if)# spanning-tree guard root
BPDU guard protects access ports: if a BPDU is received on a port with BPDU guard enabled, the port is immediately placed in the err-disabled state. End hosts never send BPDUs, so receiving one on an access port indicates an unauthorised switch or an STP attack. It is normally combined with PortFast, which should itself only be enabled on ports connected to end devices:
(config-if)# spanning-tree bpduguard enable
(config-if)# spanning-tree portfast
You can also enable BPDU guard globally on every port that has PortFast enabled by running the following command:

(config)# spanning-tree portfast bpduguard default
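The two guards complement each other: BPDU guard on the edge, root guard facing the rest of the tree. The following added example (not configuration from the original post) shows both on one switch that is meant to be the root; the interface names, VLAN range and priority value are assumptions.

```cisco
! Added example: BPDU guard on end-host ports, root guard on the ports that
! face other switches, on the switch intended to be root. Interface names,
! VLAN range and priority are assumptions.
!
! Make this switch the intended root; "superior BPDU" only has a meaning
! once the intended topology is pinned down.
spanning-tree vlan 1-100 priority 4096
! Every PortFast port is err-disabled the moment it receives a BPDU.
spanning-tree portfast bpduguard default
! Optional: bring err-disabled ports back after 5 minutes so a single
! mis-plugged cable does not need a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range FastEthernet0/1 - 24
 description End-host access ports
 switchport mode access
 spanning-tree portfast
 ! Not required with the global default, but it makes the intent visible
 ! in the running configuration of each port.
 spanning-tree bpduguard enable
!
! Ports towards downstream switches: they may legitimately send BPDUs,
! but must never win the root election. Root guard blocks the port
! (root-inconsistent) for as long as a superior BPDU keeps arriving.
interface GigabitEthernet0/1
 description Downlink to access switch
 switchport mode trunk
 spanning-tree guard root
```

show spanning-tree inconsistentports lists ports currently held in root-inconsistent state, and show interfaces status err-disabled lists ports that BPDU guard has shut down.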
8. DHCP

DHCP attacks can cause network outages (a rogue server handing out bogus or conflicting addresses, or an attacker exhausting the real server's address pool) and can also be the catalyst for a man-in-the-middle attack. In that case a rogue DHCP server answers client requests and hands out its own address as the default gateway (or DNS server). The attacker then receives the clients' traffic, sniffs it, and forwards it on to the real gateway so that the victims notice nothing.
DHCP Snooping – DHCP snooping is intended to prevent a malicious host from pretending to be the network's DHCP server. Once it is enabled globally and for a VLAN, every port in that VLAN is untrusted by default, and the protection works by:

- Telling the switch which port(s) the legitimate DHCP server, or the uplink towards it, is connected to with the ip dhcp snooping trust command. DHCP server messages (OFFER, ACK, NAK) arriving on any untrusted port are dropped and logged.
- Inspecting the DHCP exchanges on untrusted ports and building a binding table (MAC address, IP address, lease time, VLAN and interface) from completed leases. This table is what the switch, and other features built on top of it, use to tell legitimate hosts from spoofed ones.
Note: DHCP snooping on its own does not inspect ARP, but its binding table is the prerequisite for Dynamic ARP Inspection (DAI). With DAI enabled on the VLAN, an ARP packet received on an untrusted port whose sender MAC/IP pair does not match a snooping binding (or a configured ARP ACL) is dropped and logged, which is what actually stops ARP spoofing. Also note that DHCP snooping is off by default and must be switched on globally as well as per VLAN; the VLAN command on its own does nothing.

Below we enable DHCP snooping on the following VLANs; DHCP server replies on those VLANs are then only accepted on trusted ports.
(config)# ip dhcp snooping vlan 1,4,3
As our DHCP server is on port 24 we mark that port as trusted so its replies are accepted:

(config)# interface fastethernet 0/24
(config-if)# ip dhcp snooping trust
DHCP rate limiting protects the DHCP server (and the switch's own snooping process) against flooding and pool-exhaustion attacks, such as a client spraying DISCOVER messages with random source MAC addresses. The limit applies to all DHCP packets received on the interface per second, not just replies, and a port that exceeds it is placed in the err-disabled state. It belongs on untrusted access ports, where a single client never needs more than a handful of DHCP packets per second; do not put a low limit on a trusted uplink that carries DHCP traffic for many clients. The example below allows 3 DHCP packets per second:

(config-if)# ip dhcp snooping limit rate 3
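The commands in this section only work as a whole, so here is the complete configuration as an added example (not configuration from the original post): the global enable that the VLAN command depends on, the trusted server port and uplink, rate limiting on the untrusted client ports, and Dynamic ARP Inspection consuming the binding table. Interface names, VLAN numbers and the database file name are assumptions.

```cisco
! Added example: DHCP snooping plus Dynamic ARP Inspection. Interface names,
! VLAN numbers and the database file name are assumptions.
!
! Global enable first; "ip dhcp snooping vlan" has no effect without it.
ip dhcp snooping
ip dhcp snooping vlan 1,3,4
! Snooping inserts DHCP option 82 into relayed requests by default; some
! servers drop such requests when they arrive without a relay (giaddr 0),
! so disable the insertion unless your relay setup relies on it.
no ip dhcp snooping information option
! Persist the binding table so DAI still has bindings right after a reload
ip dhcp snooping database flash:dhcp-snooping.db
! DAI validates ARP on untrusted ports against the snooping bindings
ip arp inspection vlan 1,3,4
! Let ports disabled by either rate limit recover after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
interface FastEthernet0/24
 description DHCP server
 switchport mode access
 switchport access vlan 1
 ! server replies are only accepted here (and on the uplink below)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description Uplink to core / remote DHCP relay
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 23
 description Untrusted client ports
 switchport mode access
 ! a single client never needs more than a few DHCP packets per second;
 ! exceeding the limit err-disables the port
 ip dhcp snooping limit rate 3
 ! an ARP flood from a client is just as suspicious as a DHCP flood
 ip arp inspection limit rate 15
```

After a few clients have obtained leases, show ip dhcp snooping binding shows the MAC/IP/VLAN/interface entries, show ip dhcp snooping confirms the trusted ports and rate limits, and show ip arp inspection statistics shows how many ARP packets DAI has dropped per VLAN. A common mistake is forgetting to trust the uplink on an access switch whose DHCP server lives elsewhere: clients then stop getting addresses and the drop counter in show ip dhcp snooping statistics climbs.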