Secure Switching Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.

Secure Switching

*** Theory ***

  • Port Security – Secures a port by MAC address. Configured at the interface level. Does not work with trunk / dynamic desirable mode ports, EtherChannels, SPAN ports or 802.1X ports.
    • Maximum – Number of MAC addresses allowed on this port.
    • MAC addresses – Which MAC addresses are allowed, in conjunction with the maximum value. Can be static or sticky.
      • Sticky – Static MAC based on the device currently on the port.
    • Violation – What happens if port security is violated. Default is shutdown: the port is put into err-disable state and an admin will need to manually re-open it. It also sends an SNMP trap. Protect mode drops the frames; restrict drops the frames and generates SNMP and syslog.
    • Err-disable recovery – Lets you state how long the port stays in err-disable before it is restored.
    • Catch – If you statically assign MACs and set the maximum higher than that, the port will allow the statics plus dynamics = no security!
  • Dot1x Port-Based Authentication – Auth with RADIUS. The PC/host needs to be configured too, for 802.1X EAPOL. Until the user has authenticated, only EAPOL, STP and CDP can travel through the port. Configure globally and then on the port.
  • SPAN – Mirror traffic. The destination port is known as the monitor port, which is the port the network analyzer is connected to. Enable with "monitor session". The source ports are the ports you want to capture data from; verify with "show monitor". The destination port can't be part of an EtherChannel but source ports can. Dst ports do not participate in STP, CDP, VTP, link aggregation or DTP.
  • VSPAN – Like SPAN, but monitors VLAN traffic.
  • RSPAN – Remote SPAN, if you want to monitor a port not on the local switch. Can use VTP. All switches including and between Src and Dst need to be RSPAN enabled. MAC address learning is disabled.
  • VACL – Can't use normal access lists between hosts within a VLAN, so we need a VACL.
  • Private VLAN – Hosts share a common subnet. VTP needs to be in transparent mode.
    • Community – A host can speak to other hosts in its secondary VLAN and to the primary VLAN, but not with hosts in other secondary VLANs.
    • Isolated – Can communicate with the primary VLAN, but with no other hosts, even in its own VLAN.
    • Promiscuous – Connects to the gateway device; can talk to all primary and secondary VLANs.
  • DHCP Snooping – Rogue DHCP servers can send DHCP offers. DHCP snooping lets you set the switch interface that connects to the valid DHCP server as trusted. Offers from DHCP servers not on this interface are dropped and the port is placed in err-disabled mode. All ports are untrusted by default when DHCP snooping is enabled.
  • Dynamic ARP Inspection (DAI) – Prevents ARP man-in-the-middle attacks. Listens to the IP-to-MAC mapping and checks ARP on receive, not on send. Issues running this on trunks and EtherChannels. DHCP snooping must be enabled.
  • IP Source Guard – Prevents a host on the network from using another host's IP address. Works with the DHCP snooping database.
  • MAC address flooding – Send many frames from different MACs. Overwhelms the CAM table so that the switch starts broadcasting rather than unicasting, then Wireshark etc. can be used to sniff.
  • VLAN Hopping –
    • Double tagging – The host must be attached to an access port on the native VLAN. The PC tags the frame as e.g. VLAN 100, so the packet carries VLAN 1 (native) and VLAN 100. The switch removes the native VLAN tag and the packet is seen as VLAN 100. To combat this, set the native VLAN to an unused VLAN number (black hole).
    • Switch spoofing – Cisco by default sends dynamic desirable DTP. A host can form a trunk and access all VLANs, as trunks are members of all VLANs. Combat this by putting ports in access mode except for legitimate trunk ports.


*** Commands ***

show port-security – Shows violations, port states, etc.

Config# ip arp inspection vlan 75 // Enables DAI on VLAN 75

Config# vlan access-map <map-name> <seq> // Defines a VACL entry (match ... / action forward|drop)

Config# vlan filter <map-name> vlan-list <vlans> // Applies the VACL to the listed VLANs
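As an added example (not from the original notes), here is one IOS configuration that ties the features above together: port security with a sticky MAC and restrict, err-disable recovery, DHCP snooping with a single trusted uplink, DAI, IP Source Guard, a black-hole native VLAN with DTP disabled, and a VACL. VLAN 75 as the user VLAN, subnet 10.75.0.0/24 with gateway 10.75.0.1, VLAN 999 as the unused native VLAN, Gi0/1 as the uplink and Gi0/2 as the user port are all assumed values.

```cisco
! Assumed topology: VLAN 75 = user VLAN (10.75.0.0/24, gateway 10.75.0.1),
! VLAN 999 = unused black-hole native VLAN, Gi0/1 = trusted uplink, Gi0/2 = user port.
!
! --- Global: DHCP snooping, DAI on VLAN 75, automatic err-disable recovery ---
ip dhcp snooping
ip dhcp snooping vlan 75
ip arp inspection vlan 75
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
vlan 999
 name BLACKHOLE-NATIVE
!
! --- Trusted uplink: the only port allowed to deliver DHCP server replies / unchecked ARP
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User port: access mode (no DTP), one sticky MAC, restrict on violation,
!     IP Source Guard bound to the DHCP snooping binding table
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 75
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source
!
! --- VACL: let hosts reach the gateway, drop host-to-host traffic inside VLAN 75
ip access-list extended TO-GATEWAY
 permit ip any host 10.75.0.1
 permit ip host 10.75.0.1 any
ip access-list extended INTRA-SUBNET
 permit ip 10.75.0.0 0.0.0.255 10.75.0.0 0.0.0.255
vlan access-map VLAN75-FILTER 10
 match ip address TO-GATEWAY
 action forward
vlan access-map VLAN75-FILTER 20
 match ip address INTRA-SUBNET
 action drop
vlan access-map VLAN75-FILTER 30
 action forward
vlan filter VLAN75-FILTER vlan-list 75
```

Verify with show port-security, show ip dhcp snooping binding and show ip arp inspection vlan 75; the maximum of 1 with sticky avoids the static-plus-dynamic catch noted above.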