Switch Security Flashcards
DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 10
interface f0/1
ip dhcp snooping trust
Must configure the ports connected to the DHCP server as trusted, otherwise DHCP server responses are dropped
Command: Configure DAI to trust port F0/1
interface f0/1
ip arp inspection trust
Need to configure the switch to trust the ports associated with non-DHCP hosts
Command: Enable DAI on VLAN 10
ip arp inspection vlan 10
Port Security Overview
Enables an admin to specify which MAC address(es) can send traffic into an individual switch port
This can be used to lock a port down to a particular host or hosts
- It’s easy to spoof a MAC, so this isn’t port security’s main role
Can also configure individual switch ports to allow only a specified number of source MACs to send traffic into the port
- It can learn connected MAC addresses
Prevents users from adding WAPs or other shared devices
Port Security Default Behavior
If you configure Port Security with no additional parameters then only one MAC is allowed to transmit on the port
The current MAC can be disconnected & replaced
- The port is not locked down to a particular MAC
If a shared device is connected & multiple hosts try to transmit, the port will be shut down
Command: Configure port security on interface F0/2
interface f0/2
switchport port-security
Configured at interface level, typically implemented on all interfaces
Command: Verify port security information on interface F0/2
show port-security interface f0/2
Port Security: Violation Actions
Shutdown (Default)
-Interface is placed into the error-disabled state, blocking all traffic
Protect
- Traffic from unauthorized addresses is dropped
- Traffic from allowed addresses is forwarded
Restrict
- Traffic from unauthorized addresses is dropped, logged, and the violation counter incremented
- Traffic from allowed addresses is forwarded
Command: Configure interface F0/2 violation action as restrict
interface f0/2
switchport port-security violation restrict
Command: Configure interface F0/2 violation action as protect
interface f0/2
switchport port-security violation protect
Error-Disabled Interfaces
If the Violation Action is set to Shutdown & a violation occurs, the port will move to an error-disabled state
To bring an error-disabled interface back into service:
- Physically remove the host with the offending MAC
- Manually shutdown then no shutdown the interface
Error-Disabled Interfaces: Auto-Recovery (with commands)
You can bring error-disabled ports back into service automatically after they have been disabled for a configurable period of time (in seconds)
errdisable recovery cause psecure-violation
errdisable recovery interval 600
Port Security: Configure Maximum Addresses (with command)
Max MAC addresses in port security by default is one for an interface
This can be increased if multiple hosts share the port
Ex: IP phone with PC plugged into the back of it
interface f0/2
switchport port-security maximum 2
Command: Configure Static MAC on interface F0/10
interface f0/10
switchport port-security
switchport port-security mac-address 111.222.333
switchport port-security maximum 1
MAC Address Learning
Scenario: You have 1000 authorized hosts connected to the network. You want to lock the ports down to these particular hosts
- Manually adding the MACs is not a scalable solution
Sticky MAC addresses add the learned MAC to the running config. Save to the startup config to make permanent