The first day back at work so not much as time to focus on learning CCNA commands so the goal this week is to follow the Study plan for week four which is 1 to 2 hours a night. It will be a little tough but anything worthwhile is worth spending time on completing.
Section 27: Swtich Security
- DHCP Snooping
- Drops DHCP Server responses if they don’t arrive on a trusted port.
- Command Example
- (config)#ip dhcp snooping
- (config)#IP dhcp snooping vlan 10
- (config)#int f0/1
- (config-if)#ip dhcp snooping trust
- DAI: Dynamic ARP Inspection
- Protect against Man in the Middle ARP Spoofing
- Must have DHCP Snooping
- The switch inspects the DHCP traqffic and keeps track of which IP addresses were assigned to which MAC addresses
- If invalid ARP traffic tries to pass through the swtich, the switch drops the traffic.
- Command example:
- Trust ports that are not assigned through DHCP
- (config)#int f0/1
- (config-if)#ip arp inspection trust
- Enable ARP inspection at the VLAN level
- (config)#ip arp inspection vlan 10
- Trust ports that are not assigned through DHCP
- 802.1S Identity Based networking
- Only authentication traffic is allowed on port, until host and user are authenticated
- AFter a valid username and password are entered the switch port switches to a normal access port in the correct VLAN.
- Steps taken in 802.1X
- Supplicant (end user) sends username and password to Authenticator Switch
- Authenticator Switch confirms the username and password with Authentication server
- Port on the switch then transition the port to a regular switch port and allows the supplicant to transverse the network.
- Preventing Unauthorised Device with Port Security
- Shut Donw Unused Interfaces when not in use
- (config)#int f0/2
- (config-if)#shutdown
- Port Security
- Enable an admin to specify which MAC address or addresses can send traffic on a individual switch port.
- This can be used to lock a port down to specific host(s)
- You can specify a certain number of MACs to be able to connect to a port
- You can set the port to learn MAC addresses automatically
- MAC address can easily be spoofed, so this is used more for keeping from adding Wireless Access Points or other shared devices to the network on these protected ports
- Command Example, this is set at the interface level
- This allows a single MAC address at a time but doesn’t specify or care what the MAC address is and devices can be swapped out allowing only one device at a time. If two MACs are connected the port will shutdown
- Must be set on access ports
- (config)#int f0/2
- (config-if)#switchport port-security
- Verification Commands
- show port-security interface [interface]
- Security Violation Actions – 3 options
- Shutdown (Default):
- Interface is placed into an error-disabled state
- Will block traffic
- Command – Restore an error-disabled interface back to service
- Remove offending MAC address
- Perform a shutdown and no shutdown command.
- Command – Auto-Recovery, set at global level
- (config)#errdisable recovery cause psecurity-violation
- (config)#errdisable recovery interval 600
- Protect:
- Unauthorised address(es) traffice will be dropped.
- Only authorised traffic will be forwarded
- Restrict:
- Same as Protected
- Also Unauthorised addresses will be logged and the violation counter is incremented.
- Command set at the interface level
- (config)#int f0/2
- (config-if)#swtichport-sectuity violation [protect | restrict]
- Shutdown (Default):
- Locking Ports to Hosts with Port Security
- Maximum MAC Address
- Default to 1 MAC address per port, this can be changed to whatever number needed
- Example Command at interface level
- (config)# interface f0/2
- (config-if)#swtichport port-security maximum 2
- Verification command
- #show port-security int f0/2
- Maximum MAC Address
- manually adding MAC Addresses
- Statically added MAC addresses to a specified port
- Example Command – Set at the interface level
- (config)#int f0/10
- (config-if)#switchport port-security
- (config-if)#switchport port-security mac-address [MAC address]
- (config-if)#switchport port-security maximum 1
- MAC Adress Learning
- Used when you have a large number of ports that you need to be locked down and Manually configuring each port is not a scalable solution
- Sticky MAC address add learned MAC addresses to the running-config (Save to startup-config to make permanent)
- Example Command – Set at the interface level
- (config)#interface f0/2
- (config-if)#swtichport port-security
- (config-if)#swtichport port-security mac-address sticky
- Verification command
- #show port-security address
- Shows how the MAC addresses were assigned to the port [DyanmicConfigured | SecureConfigured]
- Also shows how many MAC addresses have been assigned and how many MAX it can have.
- #show port-security
- Show a summary of the number of Max Secured addresses, Current address, Security Violation, and Security Action.
- #show port-security address
- Shut Donw Unused Interfaces when not in use