Switch Port Protection Flashcards
Loop protection
• Connect two switches to each other over more than one link (or plug a cable from a switch back into itself)
- Broadcasts and unknown-destination frames will circulate back and forth forever
- There's no “counting” mechanism at the MAC layer; an Ethernet frame has no TTL to expire
• This is an easy way to bring down a network
- And somewhat difficult to troubleshoot
- Relatively easy to resolve once found
• IEEE standard 802.1D, Spanning Tree Protocol (STP), prevents loops in bridged (switched) networks (1990)
- Created by Radia Perlman
- Blocks redundant ports so only one active path exists between any two switches
- Used practically everywhere
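As an added illustration (a Python simulation written for these notes, not code from the original flashcards or from any switch vendor): two switches joined by two cables flood a single broadcast. Because nothing in the frame counts hops, the flood never drains; blocking one end of one redundant link, which is what spanning tree does, ends it after three forwarding decisions. Switch names, port names and the 10,000-forward cutoff are constructed for the demonstration.

```python
from collections import deque

# Constructed topology: SW1 and SW2 joined by two cables (the "a" ports and the
# "b" ports), plus one host port each. There is no STP unless a port is blocked.
LINKS = {
    ("SW1", "a"): ("SW2", "a"),
    ("SW1", "b"): ("SW2", "b"),
    ("SW2", "a"): ("SW1", "a"),
    ("SW2", "b"): ("SW1", "b"),
}
PORTS = {"SW1": ["host", "a", "b"], "SW2": ["host", "a", "b"]}


def flood_broadcast(blocked=(), max_forwards=10_000):
    """Flood one broadcast frame injected on SW1's host port.

    A switch forwards a broadcast out every port except the one it came in
    on. `blocked` holds (switch, port) pairs in the STP blocking state; a
    blocking port neither forwards nor accepts frames. Returns
    (forwarding decisions made, still_looping). A live loop never drains
    the queue, so counting stops at max_forwards.
    """
    blocked = set(blocked)
    queue = deque([("SW1", "host")])      # (switch, ingress port) of frames in flight
    forwards = 0
    while queue and forwards < max_forwards:
        sw, ingress = queue.popleft()
        if (sw, ingress) in blocked:
            continue                       # arrived on a blocking port: discarded
        for port in PORTS[sw]:
            if port == ingress or (sw, port) in blocked:
                continue
            forwards += 1                  # the frame is copied out this port
            peer = LINKS.get((sw, port))   # host ports have no peer switch
            if peer is not None:
                queue.append(peer)         # and it shows up on the other switch
    return forwards, bool(queue)


if __name__ == "__main__":
    print("no STP:", flood_broadcast())                        # (10000, True): never stops
    print("STP   :", flood_broadcast(blocked=[("SW2", "b")]))  # (3, False): flood dies out
```

Blocking either end of either redundant link gives the same three forwards; the point is that a single blocked port is all it takes, which is why STP can afford to leave the physical redundancy in place.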
BPDU guard
• Spanning tree takes time to determine if a switch port should forward frames
- A newly connected port sits in the listening and learning states before it forwards
• Bypass the listening and learning states on ports that connect to end devices
- Cisco calls this PortFast
• BPDU (Bridge Protocol Data Unit)
- The spanning tree control protocol; switches exchange BPDUs to elect the root and detect loops
• If a BPDU frame is seen on a PortFast-configured interface (i.e., one facing a workstation), shut down the interface
- Cisco puts the port into the err-disabled state
• This shouldn't happen: workstations don't send BPDUs, so a BPDU on that port means someone plugged in a switch (or a host pretending to be one)
Root guard
• Spanning tree determines the root bridge
- The lowest bridge ID wins: priority first, then the MAC address as the tie-breaker
• You can set the root bridge priority to 0, but that doesn't always guarantee the root
- A rogue switch with the same priority and a lower MAC address still wins the election
- Root guard lets you enforce which ports may lead toward the root
- Cisco feature
- Prevents a rogue root bridge
• If a switch receives a superior STP BPDU on a root guard port, root guard changes the interface status to “root-inconsistent” (equivalent to listening)
• This effectively disables the interface to the rogue root
- The port recovers on its own once the superior BPDUs stop arriving
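The following Python model covers both the BPDU guard and the root guard sections above. It is an added example written for these notes, not Cisco code: bridge IDs compare as (priority, MAC) the way 802.1D specifies, a PortFast port with BPDU guard err-disables on any BPDU, and a root guard port goes root-inconsistent on a superior BPDU and recovers when the superior BPDUs stop. Port names, MAC addresses and the rogue switch are constructed for the demonstration; real STP also walks listening and learning with timers, which the model collapses into a single state change.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge ID. Lower wins: priority first, then the MAC as tie-breaker."""
    priority: int
    mac: str           # 'xx:xx:xx:xx:xx:xx'; fixed-width hex sorts correctly as text


@dataclass(frozen=True)
class Bpdu:
    """The configuration-BPDU fields that decide who the root is."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId

    def is_superior_to(self, other):
        """True if this BPDU advertises a better root (or a better path to the same root)."""
        mine = (self.root_id, self.root_path_cost, self.sender_id)
        theirs = (other.root_id, other.root_path_cost, other.sender_id)
        return mine < theirs


def elect_root(bridge_ids):
    """Root election: the lowest bridge ID wins, whatever priority you hoped for."""
    return min(bridge_ids)


@dataclass
class Port:
    name: str
    state: str = "forwarding"
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    log: list = field(default_factory=list)

    def receive_bpdu(self, bpdu, best_known):
        """React to a BPDU arriving on this port; returns the new port state.

        best_known is the best BPDU this switch currently holds (its own
        if it believes it is the root).
        """
        if self.portfast and self.bpdu_guard:
            # A workstation port should never see a BPDU at all: err-disable it.
            self.state = "err-disabled"
            self.log.append(f"{self.name}: BPDU from {bpdu.sender_id.mac}, err-disabled")
        elif self.root_guard and bpdu.is_superior_to(best_known):
            # Something beyond this port claims a better root: refuse to follow it.
            self.state = "root-inconsistent"
            self.log.append(f"{self.name}: superior BPDU from {bpdu.sender_id.mac}, root-inconsistent")
        elif self.root_guard and self.state == "root-inconsistent":
            # Superior BPDUs stopped: root guard recovers on its own and the
            # port re-enters the normal STP states, starting with listening.
            self.state = "listening"
            self.log.append(f"{self.name}: recovered, listening")
        return self.state


# Constructed bridge IDs. Priority 0 on our root does not help when a rogue
# switch also uses priority 0 and happens to have a lower MAC address.
OUR_ROOT = BridgeId(0, "00:00:0c:aa:aa:aa")
ROGUE = BridgeId(0, "00:00:0c:00:00:01")
OUR_BEST = Bpdu(root_id=OUR_ROOT, root_path_cost=0, sender_id=OUR_ROOT)
ROGUE_BPDU = Bpdu(root_id=ROGUE, root_path_cost=0, sender_id=ROGUE)


def demo():
    """Plug the rogue switch into a PortFast port and into a root guard port."""
    access = Port("Gi0/1", portfast=True, bpdu_guard=True)
    downlink = Port("Gi0/2", root_guard=True)
    after_access = access.receive_bpdu(ROGUE_BPDU, OUR_BEST)
    after_downlink = downlink.receive_bpdu(ROGUE_BPDU, OUR_BEST)
    # The rogue is unplugged; an ordinary downstream switch now reports our root.
    normal = Bpdu(root_id=OUR_ROOT, root_path_cost=4,
                  sender_id=BridgeId(32768, "00:00:0c:bb:bb:bb"))
    recovered = downlink.receive_bpdu(normal, OUR_BEST)
    return {
        "elected_without_guard": elect_root([OUR_ROOT, ROGUE]),
        "access_port": after_access,
        "downlink_port": after_downlink,
        "downlink_after_recovery": recovered,
    }
```

Without either guard, `elect_root` hands the root role to the rogue because its MAC is lower, which is exactly the case the priority-0 flashcard warns about; with the guards, the rogue's BPDU either err-disables the access port or parks the downlink in root-inconsistent until the rogue goes away.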
Flood guard
• Cisco calls this port security
- Protects against MAC flooding, where an attacker fills the switch's MAC address table so that it starts flooding unknown traffic out every port
• Configure a maximum number of source MAC addresses on an interface
- You decide how many is too many
• You can also configure specific MAC addresses that are allowed on the port
• The switch monitors the number of unique MAC addresses
- Maintains a list of every source MAC address seen on the port
• Once you exceed the maximum, port security activates
- The interface is usually disabled (err-disabled) by default; other violation modes keep the port up and drop the offending frames instead
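An added Python model of the port security logic above (written for these notes, not Cisco code): a per-port limit, an optional list of configured addresses, dynamic learning up to the limit, and the three violation modes Cisco uses by name (shutdown, restrict, protect). The MAC addresses and the flooding routine are constructed for the demonstration; the shutdown behaviour follows the default described in the flashcard.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Port security (flood guard) state for one access port."""
    maximum: int = 1                             # allowed number of source MACs
    violation: str = "shutdown"                  # Cisco modes: shutdown (default), restrict, protect
    static: set = field(default_factory=set)     # MAC addresses you configured by hand
    learned: set = field(default_factory=set)    # MAC addresses the port picked up itself
    violations: int = 0
    state: str = "up"

    def allowed(self):
        """Every source MAC the port currently accepts."""
        return self.static | self.learned

    def ingress(self, src_mac):
        """Decide the fate of a frame from src_mac: 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.state == "err-disabled":
            return "drop"                        # an earlier violation took the port down
        if src_mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.maximum:
            self.learned.add(src_mac)            # still under the limit: learn it
            return "forward"
        # One source address too many: this is the violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"          # default: the whole port goes down
        return "drop"                            # restrict and protect just drop the frame


def mac_flood(port, count):
    """Push frames from `count` distinct bogus source MACs through the port.

    Returns (frames forwarded, frames dropped, violations counted, port state).
    """
    results = [port.ingress(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(count)]
    return results.count("forward"), results.count("drop"), port.violations, port.state


def demo():
    """A workstation port with room for the PC and its IP phone, then a third device."""
    port = PortSecurity(maximum=2, static={"00:11:22:33:44:55"})
    decisions = [
        port.ingress("00:11:22:33:44:55"),   # the configured workstation
        port.ingress("00:11:22:33:44:66"),   # an IP phone: learned, still within the limit
        port.ingress("00:11:22:33:44:77"),   # a third device: violation, port shut down
        port.ingress("00:11:22:33:44:55"),   # even the legitimate workstation is now cut off
    ]
    return decisions, port.state, port.violations


if __name__ == "__main__":
    print(demo())
    print("shutdown:", mac_flood(PortSecurity(maximum=1), 1000))
    print("restrict:", mac_flood(PortSecurity(maximum=1, violation="restrict"), 1000))
```

The two flood runs show the trade-off between the modes: shutdown records one violation and then drops everything, including the legitimate host, until an administrator clears the port; restrict keeps the port up and counts every offending frame, which is the mode to pick when you want an alert without an outage.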
DHCP snooping
• IP tracking on a layer 2 device (switch)
• The switch is a DHCP firewall
• Trusted: Routers, switches, DHCP servers (the ports you explicitly mark as trusted)
• Untrusted: Other computers, unofficial DHCP servers (every other port, by default)
- Switch watches for DHCP conversations
- Records each lease handed to an untrusted port (MAC address, IP address, VLAN, port) in the snooping binding table
- Filters invalid IP and DHCP information
- Static IP addresses (a companion feature, IP Source Guard on Cisco, compares source addresses against the binding table)
- Devices acting as DHCP servers (server replies such as OFFER and ACK are dropped on untrusted ports)
- Other invalid traffic patterns (for example, a release or decline for a lease that belongs to a different port)
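An added Python model of the DHCP snooping behaviour above, written for these notes rather than taken from any switch vendor. It walks a full DISCOVER/OFFER/REQUEST/ACK exchange with both a real server on a trusted uplink and a rogue server on an access port, builds the binding table from the ACK, rejects a spoofed RELEASE from the wrong port, and then applies the static-IP check (IP Source Guard in Cisco terms) against that table. Port names, MAC and IP addresses and the message order are constructed for the demonstration; the model keys bindings on client MAC only and ignores VLANs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dhcp:
    """Just the DHCP fields this model looks at."""
    kind: str            # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    client_mac: str      # chaddr: the client the message is about
    ip: str = ""         # yiaddr on OFFER/ACK, requested address on REQUEST


class DhcpSnooping:
    """Per-switch DHCP snooping state: trusted ports plus the binding table."""

    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports toward real DHCP servers / uplinks
        self.pending = {}                   # client_mac -> untrusted port awaiting an ACK
        self.bindings = {}                  # client_mac -> (ip, port): the binding table

    def dhcp_ingress(self, port, src_mac, msg):
        """Return 'forward' or 'drop' for a DHCP message arriving on port."""
        if port in self.trusted:
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                # Lease confirmed: remember who got which address on which port.
                self.bindings[msg.client_mac] = (msg.ip, self.pending.pop(msg.client_mac))
            return "forward"
        # Everything below applies to untrusted (access) ports.
        if msg.kind in self.SERVER_MESSAGES:
            return "drop"                   # a rogue DHCP server answering clients
        if src_mac != msg.client_mac:
            return "drop"                   # chaddr does not match the frame's source MAC
        if msg.kind in {"RELEASE", "DECLINE"}:
            bound = self.bindings.get(msg.client_mac)
            if bound is None or bound[1] != port:
                return "drop"               # releasing a lease that lives on another port
            del self.bindings[msg.client_mac]
            return "forward"
        if msg.kind in {"DISCOVER", "REQUEST"}:
            self.pending[msg.client_mac] = port
        return "forward"

    def ip_ingress(self, port, src_mac, src_ip):
        """IP Source Guard check: an untrusted port may only source what it leased."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get(src_mac) == (src_ip, port) else "drop"


# Constructed scenario: the real server sits behind uplink Gi0/24, the client is
# on Gi0/1, a rogue DHCP server on Gi0/2 and an attacker on Gi0/3.
CLIENT = "00:11:22:33:44:55"
SERVER = "00:50:56:00:00:01"
ROGUE = "00:de:ad:be:ef:02"
ATTACKER = "00:de:ad:be:ef:03"


def demo():
    sw = DhcpSnooping(trusted_ports={"Gi0/24"})
    exchange = [
        ("Gi0/1", CLIENT, Dhcp("DISCOVER", CLIENT)),
        ("Gi0/2", ROGUE, Dhcp("OFFER", CLIENT, "10.0.0.99")),     # rogue offer: dropped
        ("Gi0/24", SERVER, Dhcp("OFFER", CLIENT, "10.0.0.50")),   # real offer: forwarded
        ("Gi0/1", CLIENT, Dhcp("REQUEST", CLIENT, "10.0.0.50")),
        ("Gi0/24", SERVER, Dhcp("ACK", CLIENT, "10.0.0.50")),     # binding created here
        ("Gi0/3", CLIENT, Dhcp("RELEASE", CLIENT)),               # attacker spoofing the client MAC
    ]
    dhcp_decisions = [sw.dhcp_ingress(port, mac, msg) for port, mac, msg in exchange]
    ip_decisions = [
        sw.ip_ingress("Gi0/1", CLIENT, "10.0.0.50"),      # the leased address: forward
        sw.ip_ingress("Gi0/3", ATTACKER, "10.0.0.200"),   # static IP never leased: drop
        sw.ip_ingress("Gi0/3", CLIENT, "10.0.0.50"),      # client's address from the wrong port: drop
    ]
    return dhcp_decisions, ip_decisions, dict(sw.bindings)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The one binding left at the end ties the client's MAC and leased address to Gi0/1, which is what makes the last two IP checks fail: a host with a hand-configured address has no entry, and a host reusing the client's address from another port matches the address but not the port.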