
L2 security

08 September 2011 PM 10:15

L2 SECURITY TECH - NOTE

LAYER 2 ATTACK MITIGATION AND OTHER SECURITY:


INDEX:

Console protection, Vty protection, Enable/secret password, Encrypt all passwords, Minimum length, Telnet, SSH, ACL for telnet/ssh/http, Port security, CDP, Banner, Logging, SNMP, Time stamps, MAC based blocking, STP protection, Storm control, Password recovery, DHCP snooping, IPSG, DAI, VACL, MACL, Best practices, VLAN hopping, SPAN/RSPAN, PVLAN, Port block, Protected port, Etherchannel guard, DoS & DDoS protection

1. Console protection
   1. By password:
      line console 0
       password <password>
       login
   2. By exec-timeout:
       exec-timeout <0-35791 min> [<0-2147483 sec>]
   3. By baud rate (transmit and receive speeds; it is plain-text in the configuration):
       speed <0-4294967295>


2. Enable password
   enable password <password>
security Page 1

3. Enable secret password
   enable secret <password>
   //uses the MD5 algorithm

4. Minimum length for all passwords
   security passwords min-length <0-16>
   % Password too short - must be at least 5 characters. Password configuration failed

5. Encrypt all passwords at once
   service password-encryption
   //uses Cisco's own algorithm - weak

6. Telnet
   // plain text - port no 23
   Step 1: Configure an IP for the VLAN
      interface vlan <VLAN-ID>
       ip address x.x.x.x x.x.x.x
       no shut
   Step 2: Enable vty users
      line vty 0 4
       password <password>
       login          OR        login local
   Step 3: Enable password
      enable password <password>     // global mode

   An attacker can use the victim's IP address to obtain a copy of all data sent from the victim's PC.

7. SSH - SECURE SHELL
   // encrypted using AES - port 22
   Encrypts the data flow between the switch and the admin PC.
   Steps:
   1. Configure hostname
   2. Configure domain name
   3. Create username and password
   4. Create enable secret or enable password
   5. Enable crypto key with 1024 bits
   6. Disable vty 0 15
   7. Decide the range of VTY lines
   8. Enable ssh only for that range

   switch(config)#username admin password admin
   switch(config)#crypto key generate rsa        <----- RIVEST SHAMIR ADLEMAN
   % Please define a hostname other than switch
   switch(config)#hostname SW1
   SW1(config)#ip domain-name cisco.com
   SW1(config)#crypto key generate rsa : 1024
   The name for the keys will be: SW1.cisco.com
   SW1(config)#interface vlan 1
   SW1(config-if)#ip address x.x.x.x x.x.x.x
   SW1(config-if)#no shut
   SW1(config)#line vty 0 15
   SW1(config-line)#transport input none
   SW1(config-line)#line vty 0 15
   SW1(config-line)#transport input ssh
   SW1(config-line)#login local
   SW1(config)#ip ssh authentication-retries <0-5>   //optional
   SW1(config)#ip ssh time-out <0-120 sec>           //optional

   Verification (in SecureCRT type the following):
   show user
   show ssh

8. Protect telnet
   access-list <1-99> permit <ip.add> <wildcard.mask>
   line vty <0-15>
    access-class <1-99> in
   //any named or numbered ACL is supported
   Verification:
   show ip access-list
   sh run | be line

9. HTTP access with ACL
   1. For accessing switches via HTTP:
      IP address for the VLAN:
      interface vlan 1
       ip address 10.1.1.100 255.255.255.0
       no shut
      username <username> privilege 15 password <password>
      ip http server                  // enables HTTP services
      ip http authentication local
      Verification:

   2. After ACL:
      access-list <1-99> permit <ip.add> <wildcard.mask>
      ip http access-class <ACL-NO>   //supports only standard numbered ACLs

10. PORT-SECURITY
   Used to protect a port from unauthorized access
   Default: not enabled
   Default violation: SHUTDOWN
   Applied only on ACCESS ports
   Default maximum 1; up to 1024 MACs allowed on a port [depends on model; in 3550 switches the total MAC capacity is 5120]
   Sticky MACs have no aging; aging can be set if a system is silent for some time
   If a maximum number is given but not all MACs are specified, the remaining MACs will be learned dynamically

   SW1(config-if)#switchport port-security
   Command rejected: Fa0/10 is not an access or trunk or tunnel port.
   SW1(config-if)#no switchport
   SW1(config-if)#switchport port-security
   //should be enabled only on access ports

   SW1(config-if)#switchport port-security
                  ^
   % Invalid input detected at '^' marker.
   OR
   SW1(config-if)#no switchport
   SW1(config-if)#switchport port-security
   Command rejected: Fa0/7 not a switching port.
   SW1(config-if)#channel-protocol lacp
   SW1(config-if)#switchport por?
   % Unrecognized command

   VIOLATION METHODS (example: 0023.32b9.ad97 - trusted, 0023.32b9.ad96 - untrusted):
   PROTECT
     Drops frames from unauthorized users
     Forwards frames from authorized users
     No trap message for the admin
   RESTRICT
     Drops frames from unauthorized users
     Forwards frames from authorized users
     Trap message for the admin via console and SNMP if it is configured
     The violation count is increased whenever a violation happens
     03:05:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.32b9.ad96 on port FastEthernet0/2.
   SHUTDOWN
     The port is moved to err-disable state if a violation happens
     The admin has to type shutdown to bring the err-disabled port to administratively down
     Steps to recover:
       shutdown - so it comes to admin down from err-disable
       no shutdown - from admin down to up state
       Or use the recovery mechanism for auto recovery
     03:07:54: %PM-4-ERR_DISABLE: psecure-violation error detected on FastEthernet0/24, putting FastEthernet0/24 in err-disable state
     SW1#sh inter f0/2 | in err
     FastEthernet0/2 is down, line protocol is down (err-disabled)

   To recover from err-disable state manually:
   SW1(config-if)#shutdown
   SW1(config-if)#no shutdown
   To recover from err-disable state automatically:
   SW1(config)#errdisable recovery cause psecure-violation
   SW1(config)#errdisable recovery interval <30-86400 sec>
   *Mar 1 00:57:28.227: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
   Verification:
   show port-security interface <int-name>
   show port-security
   show interfaces status err-disabled
   To clear a MAC in restrict or protect mode so that another host can communicate:
   Sw#clear port-security dynamic [address mac-addr | interface type mod/num]

11. CDP - CISCO DISCOVERY PROTOCOL
   Disable CDP services if they are not necessary
   no cdp run        <------ config mode
   no cdp enable     <------ config-if mode
   SW1#sh cdp
   % CDP is not enabled
   SW1(config)#no cdp run
   SW1(config)#inter fa0/24
   SW1(config-if)#cdp enable
   % Cannot enable CDP on this interface, since CDP is not running

   Verification:
   sh cdp
   sh cdp neighbor
   sh cdp neighbor detail


12. Banners - MOTD - LOGIN
   banner motd # You are connected to $(hostname) on line $(line) on domain $(domain) and your ip $(peer-ip) #
   ip domain-name cisco.com
   hostname SW1

13. Time-stamps for log and debug
   service timestamps {log | debug} {datetime | uptime} [show-timezone] [localtime] [msec]
   SW1#sh clock
   10:17:26.283 Fri Oct 14 2011
   SW1(config)#service timestamps log datetime
   Oct 14 10:17:26: %LINK-5-CHANGED: Interf..
   SW1(config)#clock timezone IST 5 30
   SW1#sh clock
   15:45:26.283 Fri Oct 14 2011
   SW1(config)#service timestamps log datetime localtime
   Oct 14 3:45:51: %LINK-5-CHANGED: Interf..
   SW1(config)#service timestamps log uptime
   01:10:17: %LINK-5-CHANGED: Interf..
   SW1(config)#service timestamps log datetime localtime show-timezone
   Oct 14 15:51:14 IST: %LINK-5-CHANGED: Interf..

14. Logging via CONSOLE, TERMINAL (TELNET) WINDOW, SYSLOG, BUFFER, SNMP

   Logging severity levels:
   Name            Description                          Level
   emergencies     System is unusable                   severity=0
   alerts          Immediate action needed              severity=1
   critical        Critical conditions                  severity=2
   errors          Error conditions                     severity=3
   warnings        Warning conditions                   severity=4
   notifications   Normal but significant conditions    severity=5
   informational   Informational messages               severity=6
   debugging       Debugging messages                   severity=7

   terminal monitor                      // used to see debug messages in the telnet window
   logging console                       // used to see console messages in the console window
   logging buffered                      // for storing logs locally on the switch
   logging buffered <4096-2147483647>    // memory allocation for logging
   logging buffered <severity level>
   logging host x.x.x.x                  // x.x.x.x - PC with the syslog server installed
   logging trap <severity level>         // 0-7; usually set to level 5, which logs 0-5 (0 = highest, 7 = lowest)
                                         // "logging trap" alone enables all severity levels to be logged
   *Oct 14 10:52:01.443: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated

   Kiwi Syslog, Splunk - downloads for syslog software

   To change the port number for syslog communication (default is UDP port 514):
   SW1(config)#logging host <host-ip> transport {tcp | udp} port <port-no>
   Verification:
   sh logging history
   sh logging
   sh logging xml

15. MAC address based traffic blocking
   mac-address-table static <mac-address> vlan <VLAN-ID> drop
   Verification:
   show mac address-table
   1    b8ac.6f5a.6650    STATIC    Drop

STP ATTACKS:
   Sending raw Configuration BPDU
   Sending raw TCN BPDU
   Denial of Service (DoS) sending raw Configuration BPDU
   DoS sending raw TCN BPDU
   Claiming Root Role
   Claiming Other Role
   Claiming Root Role Dual-Home (MITM)

16. BPDU guard
   Moves a port to err-disable state whenever it receives any BPDU
   spanning-tree bpduguard enable     //interface mode
   Oct 14 16:40:04 IST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/23 with BPDU Guard enabled. Disabling port.
   Oct 14 16:40:04 IST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
   SW1(config)#errdisable recovery cause bpduguard
   Oct 14 16:42:56 IST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/23

17. BPDU filter
   Stops sending and stops processing any BPDU
   spanning-tree bpdufilter enable    //interface mode

18. ROOT guard
   Prevents other switches from becoming ROOT
   spanning-tree guard root           //interface mode
   *Mar 1 00:12:05.231: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/23.
   *Mar 1 00:12:48.791: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/23 on VLAN0001.
   If inferior BPDUs start being received on the root-guard-enabled port, the port comes out of the root-inconsistent state:
   *Mar 1 00:14:52.791: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/23 on VLAN0001.
   If Root Guard is disabled on the port:
   *Mar 1 00:39:53.151: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/23.
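Added example (Python, not from this note or from Cisco): it parses the syslog headers in the timestamp styles of section 13, applies the "logging trap" threshold of section 14, and tracks which ports are currently err-disabled from the %PM-4-ERR_DISABLE / %PM-4-ERR_RECOVER messages shown for port-security and BPDU guard. The sample log lines are constructed from the message formats quoted in this note.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity names from the logging table in section 14
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Header = optional timestamp in any 'service timestamps' style shown in section 13
# ("Oct 14 10:17:26:", "01:10:17:", "Oct 14 15:51:14 IST:", "*Mar 1 00:57:28.227:"),
# then %FACILITY-SEVERITY-MNEMONIC: message text
HEADER_RE = re.compile(
    r"^\*?(?P<ts>[^%]*?)\s*%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")
ERR_DISABLE_RE = re.compile(r"^(?P<cause>[\w-]+) error detected on (?P<intf>\S+),")
ERR_RECOVER_RE = re.compile(r"recover from (?P<cause>[\w-]+) err-disable state on (?P<intf>\S+)")
_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


@dataclass
class SyslogMsg:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def short_name(intf: str) -> str:
    """IOS prints both FastEthernet0/2 and Fa0/2; normalise to the short form."""
    for long, short in _ABBREV.items():
        if intf.startswith(long):
            return short + intf[len(long):]
    return intf


def parse_line(line: str) -> Optional[SyslogMsg]:
    """Return a SyslogMsg, or None for CLI echo / debug output without a %FAC-N-MNEM header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return SyslogMsg(m["ts"].strip(" :"), m["fac"], int(m["sev"]), m["mnem"], m["text"])


def forwarded_to_syslog(lines: List[str], trap_level: int = 5) -> List[str]:
    """'logging trap <level>' sends every message whose severity is <= level
    (0 = emergencies, most severe; 7 = debugging). Returns the forwarded mnemonics."""
    msgs = (parse_line(l) for l in lines)
    return [m.mnemonic for m in msgs if m is not None and m.severity <= trap_level]


def errdisable_state(lines: List[str]) -> Dict[str, Optional[str]]:
    """Track %PM-4-ERR_DISABLE / %PM-4-ERR_RECOVER per interface.
    Maps interface -> cause while err-disabled, or None once recovery was attempted.
    Causes in this note: psecure-violation, bpduguard, storm-control, dhcp-rate-limit, channel-misconfig."""
    state: Dict[str, Optional[str]] = {}
    for line in lines:
        msg = parse_line(line)
        if msg is None or msg.facility != "PM":
            continue
        if msg.mnemonic == "ERR_DISABLE":
            m = ERR_DISABLE_RE.match(msg.text)
            if m:
                state[short_name(m["intf"])] = m["cause"]
        elif msg.mnemonic == "ERR_RECOVER":
            m = ERR_RECOVER_RE.search(msg.text)
            if m:
                state[short_name(m["intf"])] = None
    return state


# Constructed sample log, assembled from the message formats quoted in this note
SAMPLE_LOG = """\
SW1#sh cdp
Oct 14 10:17:26: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Oct 14 10:52:01.443: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated
03:05:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.32b9.ad96 on port FastEthernet0/2.
03:07:54: %PM-4-ERR_DISABLE: psecure-violation error detected on FastEthernet0/2, putting FastEthernet0/2 in err-disable state
Oct 14 16:40:04 IST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/23 with BPDU Guard enabled. Disabling port.
Oct 14 16:40:04 IST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
*Mar 1 00:45:04.755: storm_update_receive_stats:I/F: Fa0/1, Accumulated - Bytes: 0x46140, packets: 0x140
*Mar 1 00:57:28.227: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
""".splitlines()

if __name__ == "__main__":
    print("forwarded at trap 5:", forwarded_to_syslog(SAMPLE_LOG))
    print("err-disabled ports:", errdisable_state(SAMPLE_LOG))
```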
19. STORM CONTROL
   interface f0/10
    storm-control {unicast | broadcast | multicast} level <threshold level> | pps <pps>
    storm-control action {shutdown | trap}
   Without an action defined:
   01:55:36: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/9. A packet filter action has been applied on the interface.
   With action shutdown defined:
   01:50:37: %PM-4-ERR_DISABLE: storm-control error detected on Fa0/9, putting Fa0/9 in err-disable state
   01:50:37: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa0/9. The interface has been disabled.
   01:50:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to down
   Verification:
   debug storm-control statistics
   *Mar 1 00:45:04.755: storm_update_receive_stats:I/F: Fa0/1, Accumulated - Bytes: 0x46140, packets: 0x140 time elapsed 1012
   debug storm-control detection
   *Mar 1 00:45:48.287: storm_detect_and_control:I/F: Fa0/1, elapsed time = 1016, bytes = 285246, packets = 318, normalized rate = 2246

20. SWITCH PASSWORD RECOVERY
   Password recovery scenarios:
   Scenario 1: Lost console password; know vty and enable/secret password -> no password recovery required
   Scenario 2: Lost vty password; know console and enable/secret password -> no password recovery required
   Scenario 3: Lost enable/secret password; know console and vty password -> password recovery required
   Scenario 4: Lost console and vty password; know enable/secret password -> password recovery required
   Scenario 5: Lost console, vty and enable/secret password -> password recovery required

   Procedure if the password recovery mechanism is disabled:
   Base ethernet MAC Address: 00:0b:be:a2:ad:00
   Xmodem file system is available.
   The password-recovery mechanism is disabled.
   Initializing Flash...
   flashfs[0]: 12 files, 3 directories
   flashfs[0]: 0 orphaned files, 0 orphaned directories
   flashfs[0]: Total bytes: 15998976
   flashfs[0]: Bytes used: 10037248
   flashfs[0]: Bytes available: 5961728
   flashfs[0]: flashfs fsck took 33 seconds.
   ...done Initializing Flash.
   Boot Sector Filesystem (bs:) installed, fsid: 3
   //press mode button now
   The password-recovery mechanism has been triggered, but is currently disabled.
   Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point.
   However, if you agree to let the system be reset back to the default system configuration,
   access to the boot loader prompt can still be allowed.
   Would you like to reset the system back to the default configuration (y/n)?
   The system has been interrupted, and the config file has been deleted.
   The following command will finish loading the operating system software:
   boot
   switch:        <<<< rescue mode

   Step 1: Unplug the cable and plug it in again
   Step 2: Hold the mode button within 5 sec (depends on MODEL)
   Step 3: switch: flash_init                 // to access the flash directory
   Step 4: switch: dir flash:                 // it shows all files in flash; note the config.text file
   Step 5: switch: load_helper                // to be able to use rename commands
   Step 6: switch: rename flash:config.text flash:config.old
   Step 7: switch: boot
   Step 8: System configuration dialog: press ctrl+c to skip OR type no
   Step 9: switch>en
           switch#rename flash:config.old flash:config.text
           switch#sh startup-config
           If it is not showing, then do: switch#copy flash:config.text running-config
   Step 10: Reset or read the password
   Step 11: Save the configuration: switch#copy runn start

21. DHCP snooping
   DORA - DISCOVER - OFFER - REQUEST - REJECT - ACKNOWLEDGE
   The server uses PING and the client uses gratuitous ARP to detect address conflicts:

   03:10:19: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 172.16.1.1.
   DHCP snooping is a prevention method for DHCP spoofing attacks. It creates a table that maps IP address to MAC address on a per-interface basis, and then drops DHCP messages that do not appear in the DHCP snooping table.
   ip dhcp snooping
   ip dhcp snooping vlan 10
   int Fa0/3
    ip dhcp snooping trust                 // DHCP server port
    ip dhcp snooping limit rate <1-2048>   // to limit the DHCP message rate
   int Fa0/24
    ip dhcp snooping trust                 // allow DHCP on the port leading to the switch with the DHCP server

   If DHCP snooping is not available, VLAN ACLs can be used to block DHCP replies from all sources except the DHCP server.

   Verification:
   Sw#sh ip dhcp snooping
   DHCP snooping trust/rate is configured on the following Interfaces:
   Interface                  Trusted    Allow option    Rate limit (pps)
   -----------------------    -------    ------------    ----------------
   FastEthernet0/2            yes        yes             unlimited

   If the DHCP rate limit is exceeded the port moves into err-disable state:
   errdisable recovery cause dhcp-rate-limit

22. IP Source Guard (IPSG)
   For preventing IP, MAC, VLAN and INTERFACE spoofing
   The attacker impersonates the victim's MAC address. "ip source guard" consults the DHCP snooping table and, if the entry is not there, blocks the traffic.

   Switch(config)#ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <name>
   Switch(config-if)#ip verify source [port-security]
   Verification:
   SW2#sh ip verify source interface <>
   SW2#sh ip source binding
   MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
   ------------------  ---------------  ----------  -------------  ----  --------------------
   11:11:11:11:11:11   1.1.1.1          infinite    static         1     FastEthernet0/4
   Total number of bindings: 1

23. DAI - Dynamic ARP Inspection
   *Mar 1 00:06:13.519: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 10.([b8ac.6f6a.b36f/10.1.1.10/0000.0000.0000/10.1.1.1/00:06:13 UTC Mon Mar 1 1993])
   ATTACKING TOOLS: Dsniff, Ettercap, Cain
   Prevents ARP spoofing: when the victim sends an ARP Request asking for the MAC of IP 1.2.3.4, the attacker replies "I'm 1.2.3.4 and my MAC is a.b.c.d", pretending to have the requested IP address. Gratuitous ARP is a feature that sends an ARP request or reply without being asked for it, so an attacker can send a gratuitous ARP and all hosts will store that information.

   Mitigation: clear cache, DHCP snooping, Dynamic ARP Inspection

   Verification:
   sh ip arp inspection
   sh ip arp inspection vlan 10

   ADVANCED ARP INSPECTION:
   ip arp inspection log-buffer entries 1024
   ip arp inspection log-buffer logs 100 interval 10
   interface Fa1/1
    ip arp inspection limit rate 100 burst interval 1
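Added example (Python, not from this note or from Cisco) of how the DHCP snooping binding table of sections 21-23 is consulted: server-side DHCP messages are accepted only on trusted ports, IP Source Guard matches source IP (and with the port-security keyword also source MAC) per port/VLAN, and DAI validates the sender MAC/IP pair of ARP packets on untrusted ports. The trusted ports and the static binding come from the note; the DHCP lease and the packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# DHCP message types that only a server sends; snooping drops them on untrusted ports
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def norm_mac(mac: str) -> str:
    """Accept 0023.32b9.ad96, 00:23:32:b9:ad:96 or 00-23-32-b9-ad-96; return the IOS dotted form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class Binding:
    """One row of the snooping table / 'show ip source binding': MAC, IP, VLAN, interface."""
    mac: str
    ip: str
    vlan: int
    interface: str


class SnoopingTable:
    def __init__(self, trusted: Set[str]):
        self.trusted = trusted                 # interfaces with 'ip dhcp snooping trust'
        self.bindings: List[Binding] = []

    def add_binding(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """Static 'ip source binding ...' entry or a lease learned from a DHCP ACK."""
        self.bindings.append(Binding(norm_mac(mac), ip, vlan, interface))

    def dhcp_permit(self, interface: str, msg_type: str) -> bool:
        """DHCP snooping: server replies are accepted only from trusted ports;
        client messages (DISCOVER, REQUEST, ...) are allowed on every port."""
        return msg_type not in SERVER_MESSAGES or interface in self.trusted

    def ipsg_permit(self, interface: str, vlan: int, src_ip: str, src_mac: Optional[str] = None) -> bool:
        """'ip verify source' filters by source IP per port/VLAN; with the
        'port-security' keyword the source MAC must match the binding as well."""
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) == (interface, vlan, src_ip):
                return src_mac is None or b.mac == norm_mac(src_mac)
        return False

    def dai_check(self, interface: str, vlan: int, op: str, sender_mac: str, sender_ip: str,
                  target_mac: str, target_ip: str, when: str) -> Optional[str]:
        """Dynamic ARP Inspection: validate the sender MAC/IP pair of an ARP packet
        received on an untrusted port against the bindings of that VLAN.
        Returns None when permitted, otherwise a deny message in the
        %SW_DAI-4-DHCP_SNOOPING_DENY format quoted in section 23."""
        if interface in self.trusted:
            return None                        # trusted ports are not inspected
        smac = norm_mac(sender_mac)
        if any(b.mac == smac and b.ip == sender_ip and b.vlan == vlan for b in self.bindings):
            return None
        return (f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({op}) on {interface}, vlan {vlan}."
                f"([{smac}/{sender_ip}/{norm_mac(target_mac)}/{target_ip}/{when}])")


def build_table() -> SnoopingTable:
    """Constructed table: trusted ports and the static binding from sections 21-22 plus one constructed lease."""
    t = SnoopingTable(trusted={"Fa0/3", "Fa0/24"})
    t.add_binding("11:11:11:11:11:11", "1.1.1.1", 1, "FastEthernet0/4")   # static binding, section 22
    t.add_binding("b8ac.6f6a.b36f", "10.1.1.20", 10, "Fa0/2")              # constructed DHCP lease
    return t


if __name__ == "__main__":
    t = build_table()
    # Host on Fa0/2 claims 10.1.1.10 in an ARP request instead of its leased 10.1.1.20
    print(t.dai_check("Fa0/2", 10, "Req", "b8ac.6f6a.b36f", "10.1.1.10",
                      "0000.0000.0000", "10.1.1.1", "00:06:13 UTC Mon Mar 1 1993"))
    print(t.ipsg_permit("Fa0/2", 10, "10.1.1.10"))   # False: spoofed source IP is dropped by IPSG
```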

24. VACL - VLAN access-control list

   TOPOLOGY:

   CONFIGURATION:

   Verification:
   SW1#sh vlan access-map
   Vlan access-map "VMAP"  10
     Match clauses:
       ip address: deny-10
     Action:
       drop
   Vlan access-map "VMAP"  20
     Match clauses:
     Action:
       forward

25. MACL - MAC access-control list
   mac access-list extended <macl-name>
    permit {host <source mac> | <source mac> <source mac mask>} {host <destination mac> | <destination mac> <dest mac mask>} [<protocol>]
   To apply the MACL:
   interface <inter name>
    mac access-group <macl-name> in
   Verification:
   sh mac access-group
   <output omitted>
   Interface FastEthernet0/3:
    Inbound access-list is MACL
   <output omitted>

26. Best practice in SWITCH
   Unused ports should be shut down
   Unused ports should be in access mode and in an unused VLAN (unused VLAN means NO VLAN MEMBER in that particular VLAN)
   interface f0/10
    shutdown
    switchport mode access
    switchport access vlan 200
    description **** unused port - access port - unused vlan 200 - shutdown state ****

27. VLAN HOPPING - double tagging - VLAN spoofing
   Scenario 1: The attacker plugs into the network with a rogue switch and configures it to establish a trunk with the other network switches. Once the trunk is up, the attacker is able to gain access to any VLAN available on the trunk port.
   Scenario 2: The attacker sends 802.1Q frames with multiple VLAN tags. The outer VLAN tag is for padding, and the inner tag is the victim's VLAN.
   Mitigation: avoid using VLAN 1; explicitly configure "access" mode on all of the non-trunk ports.
   Native VLAN is the VLAN to which all untagged frames are matched. On trunks the native VLAN does not get encapsulated with ISL or dot1q. "vlan dot1q tag native" is a feature that tags all outgoing frames with the native VLAN ID, while all incoming frames without a tag are dropped.

   1. Move unused ports into an unused VLAN, aka bogus VLAN
      interface range f0/10-23
       switchport access vlan 10         <<<<<< VLAN 10 is an unused VLAN, i.e. no active member on that VLAN
   2. On the trunk configure an unused VLAN as the native VLAN
      interface f0/24                     <<<<< trunk port
       switchport mode trunk
       switchport trunk native vlan 10
   3. On the trunk do not allow the native VLAN to pass through
      interface f0/24                     <<<<< trunk port
       switchport trunk allowed vlan remove 10

   VLAN HOPPING BY ROGUE TRUNK

28. Analyzer
   1. SPAN - SWITCHPORT ANALYZER
   2. RSPAN - REMOTE SWITCHPORT ANALYZER

   Source port:
   - Also called monitored port
   - Can be a switchport
   - Can be any number of ports
   - Can be in multiple sessions
   - Ingress or egress or both can be monitored
   - Can be an access, voice VLAN, trunk or routed port
   - Can be from any VLAN

   Source VLAN:
   - Also called VSPAN - VLAN SPAN
   - All active ports in the VLAN are monitored
   - Either or both directions
   - If the destination belongs to the same VLAN it is excluded from monitoring
   - Maximum 64 ports

   Destination port:
   - Cannot be a secure port
   - Cannot be a source port
   - The destination port is unique in each session
   - Cannot be another session's destination port
   - Cannot be an EtherChannel port    //it will be removed from the EtherChannel
   - Cannot be a routed port           //it will become an L2 port
   - Cannot be a PVLAN port
   - Can be an 802.1x port
   - Participates in only one session
   - Incoming traffic is disabled by default
   - STP, VTP, CDP, DTP, PAgP are disabled
   - For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN ID. Therefore, all packets appear on the destination port as untagged

   Reflector port:
   - Mechanism that copies packets onto an RSPAN VLAN
   - Forwards only traffic from the RSPAN source session with which it is affiliated
   - Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled
   - Cannot be an EtherChannel group
   - Does not trunk

   The destination port of one session cannot be used as destination in another session:
   % Interface(s) Fa0/25 already configured as monitor destinations in other monitor sessions
   A destination port cannot be a source port for the same or another session:
   % Interface(s) Fa0/25 already configured as monitor destinations
Criteria for SPAN, VSPAN, RSPAN:

1. The source of one session cannot be the destination of the same/another session
2. The destination of one session cannot be a source/destination of the same/another session
3. The source of one session can be a source of another session
4. Multiple sources can be in the same/another session
5. Only a single destination is allowed in each session
6. Source interfaces can be in any VLAN
7. Source interface & destination interface can be in the same/another VLAN
8. In VSPAN the source VLAN and the destination port's VLAN should not be the same VLAN
9. Session IDs are local to the switches
10. If the source direction is not mentioned, both directions are monitored
11. By default incoming traffic on the destination is not allowed; it can be allowed with the ingress command
12. In the ingress command the untagged VLAN has to be given
13. The RSPAN VLAN should not have any active member; that VLAN only carries the monitored interfaces' traffic
14. RSPAN reflects a copy of the data on only one port
15. On the reflector port return traffic is not allowed
16. The reflector port cannot be a source or destination of any session
17. Once a port is declared as reflector port, the port LED goes OFF
18. A separate port is used to carry other VLAN traffic from one switch to the other switch
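Added example (Python, not from this note or from Cisco): a checker for the statically verifiable criteria above (1, 2, 5, 8, 13 and 16) over a list of "monitor session" definitions. The two "% Interface(s) ... already configured as monitor destinations" messages are quoted from this note; the other messages, the port/VLAN state and the misconfigured sessions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """One 'monitor session <sid>' as configured on a single switch."""
    sid: int
    source_ports: Set[str] = field(default_factory=set)      # monitor session N source interface ...
    source_vlans: Set[int] = field(default_factory=set)      # monitor session N source vlan ... (VSPAN)
    dest_port: Optional[str] = None                          # monitor session N destination interface ...
    dest_remote_vlan: Optional[int] = None                   # monitor session N destination remote vlan ...
    reflector_port: Optional[str] = None                     # ... reflector-port ...


def validate(sessions: List[Session], port_vlan: Dict[str, int],
             vlan_members: Dict[int, Set[str]]) -> List[str]:
    """Return the violations of criteria 1, 2, 5, 8, 13 and 16.
    port_vlan maps access ports to their VLAN; vlan_members maps a VLAN to its active ports."""
    errors: List[str] = []
    src_of: Dict[str, List[int]] = {}      # port -> sessions using it as a source
    dst_of: Dict[str, List[int]] = {}      # port -> sessions using it as the destination
    for s in sessions:
        for p in s.source_ports:
            src_of.setdefault(p, []).append(s.sid)
        if s.dest_port:
            dst_of.setdefault(s.dest_port, []).append(s.sid)
    for s in sessions:
        if (s.dest_port is not None) + (s.dest_remote_vlan is not None) != 1:   # criterion 5
            errors.append(f"session {s.sid}: exactly one destination is required")
        if s.dest_port:
            if dst_of[s.dest_port][0] != s.sid:                                   # criterion 2
                errors.append(f"% Interface(s) {s.dest_port} already configured as "
                              "monitor destinations in other monitor sessions")
            elif s.dest_port in src_of:                                           # criteria 1, 2
                errors.append(f"% Interface(s) {s.dest_port} already configured as monitor destinations")
            for v in s.source_vlans:                                              # criterion 8
                if port_vlan.get(s.dest_port) == v:
                    errors.append(f"session {s.sid}: destination {s.dest_port} is in monitored VLAN {v}")
        if s.dest_remote_vlan is not None and vlan_members.get(s.dest_remote_vlan):   # criterion 13
            errors.append(f"session {s.sid}: RSPAN VLAN {s.dest_remote_vlan} has active members "
                          f"{sorted(vlan_members[s.dest_remote_vlan])}")
        if s.reflector_port and (s.reflector_port in src_of or s.reflector_port in dst_of):   # criterion 16
            errors.append(f"session {s.sid}: reflector port {s.reflector_port} is already a source or destination")
    return errors


# Constructed switch state: access VLAN per port and active members per VLAN
PORT_VLAN = {"Fa0/2": 10, "Fa0/13": 10, "Fa0/14": 20, "Fa0/23": 1, "Fa0/25": 1}
VLAN_MEMBERS = {10: {"Fa0/2", "Fa0/13"}, 20: {"Fa0/14"}, 100: set()}     # VLAN 100 = RSPAN VLAN, no members

# The SPAN session and the RSPAN source session from this note's configuration (valid)
GOOD = [
    Session(1, source_ports={"Fa0/13"}, dest_port="Fa0/2"),
    Session(2, source_ports={"Fa0/14"}, dest_remote_vlan=100, reflector_port="Fa0/23"),
]
# Constructed misconfigurations, one per checked criterion
BAD = [
    Session(1, source_ports={"Fa0/13"}, dest_port="Fa0/25"),
    Session(2, source_ports={"Fa0/14"}, dest_port="Fa0/25"),                     # duplicate destination
    Session(3, source_ports={"Fa0/25"}, source_vlans={10}, dest_port="Fa0/2"),   # destination used as source; dest in VSPAN VLAN
    Session(4, source_ports={"Fa0/13"}, dest_remote_vlan=100, reflector_port="Fa0/13"),  # reflector is a source
]
BAD_VLAN_MEMBERS = {**VLAN_MEMBERS, 100: {"Fa0/3"}}                             # RSPAN VLAN with an active host

if __name__ == "__main__":
    for e in validate(BAD, PORT_VLAN, BAD_VLAN_MEMBERS):
        print(e)
```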

CONFIGURATION:

SPAN (in sw1):
   monitor session 1 source interface Fa0/13
   monitor session 1 destination interface Fa0/2 ingress vlan 10

VSPAN (in sw1):
   monitor session 1 source vlan <vlan-id>
   monitor session 1 destination interface Fa0/2 ingress vlan <id>

RSPAN (in sw1 & sw2):
   vlan 100
    remote-span
   In sw1:
   monitor session 1 source interface Fa0/13
   monitor session 1 destination remote vlan 100 reflector-port Fa0/23
   In sw2:
   monitor session 1 source remote vlan 100
   monitor session 1 destination interface Fa0/2 encapsulation dot1q ingress vlan 10   <<< analyzer PC; allow incoming traffic
   monitor session 1 filter vlan <>     //to limit the VLANs monitored on a trunk source
   Verification:
   sh monitor session 1

Example: filtering RSPAN traffic with a VACL
   vlan 100
    remote-span
   !
   interface F0/1
    description Monitor Port
   !
   interface Vlan10
    ip address 10.10.10.1 255.255.255.0
   !
   interface Vlan20
    ip address 10.20.20.1 255.255.255.0
   !
   ! VACLs require that a corresponding SVI (L3 interface) exists
   ! It can remain unconfigured and administratively shutdown
   interface Vlan100
    description RSPAN VLAN - Must exist for VACL on RSPAN VLAN
    shutdown
   !
   ! The IP extended ACL that matches TCP traffic destined to ports 5000 6000
   ip access-list extended TCP-TRAFFIC
    permit tcp any any range 5000 6000
   !
   ! Defines the VLAN access-map (VACL)
   vlan access-map RSPAN-VACL 10
    match ip address TCP-TRAFFIC
    action forward
   !
   ! Maps the VACL to the RSPAN VLAN
   vlan filter RSPAN-VACL vlan-list 100
   !
   ! Monitor session 1 captures bidirectional traffic from
   ! VLANs 10 and 20 to RSPAN VLAN 100
   monitor session 1 source vlan 10 , 20
   monitor session 1 destination remote vlan 100
   !
   ! Monitor session 2 captures bidirectional traffic from
   ! RSPAN VLAN 100 to interface gig4/5
   monitor session 2 source remote vlan 100
   monitor session 2 destination interface Gi4/5

29. PVLAN

   c3560-ipservicesk9-mz.122-53.SE2.bin

   Promiscuous port: only one promiscuous port is allowed per PVLAN
   Primary VLAN: carries traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN; isolated and community VLANs are associated to it; not more than one isolated VLAN is allowed
   Isolated VLAN: carries traffic from isolated ports to promiscuous ports; one per primary VLAN
   Community VLAN: carries traffic to and from the same community
   Secondary VLANs: the isolated and community VLANs
   A PVLAN can be extended to other switches via a trunk by configuring the same primary, isolated and community VLANs on the other switches

   Communication between ports:
   VLAN             VLAN             Communication
   Isolated         Isolated         NO
   Isolated         Any community    NO
   A community      B community      NO
   Isolated         Promiscuous      YES
   A community      A community      YES
   Any community    Promiscuous      YES

   PVLAN works only in VTP mode TRANSPARENT
   Step 1. Create primary & secondary PVLANs
   Hostname(config)# vlan 101
   Hostname(config-vlan)# private-vlan primary
   Hostname(config)# vlan 201
   Hostname(config-vlan)# private-vlan community
   Hostname(config)# vlan 202
   Hostname(config-vlan)# private-vlan community
   Hostname(config)# vlan 301
   Hostname(config-vlan)# private-vlan isolated
   Step 2. Associate the secondary VLANs to the primary PVLAN
   Hostname(config)# vlan 101
   Hostname(config-vlan)# private-vlan association 201-202,301
   Step 3. Map the secondary VLANs to the SVI (L3 VLAN interface) of the primary VLAN
   Hostname(config)# interface vlan 101
   Hostname(config-if)# private-vlan mapping add 201-202,301
   Step 4. Configure an L2 interface as an isolated or community port, and associate the port to the primary VLAN and the selected secondary VLAN pair
   Hostname(config)# interface Fastethernet 1/1
   Hostname(config-if)# switchport mode private-vlan host
   Hostname(config-if)# switchport private-vlan host-association 101 201
   Hostname(config)# interface Fastethernet 1/2
   Hostname(config-if)# switchport mode private-vlan host
   Hostname(config-if)# switchport private-vlan host-association 101 301
   Step 5. Configure an L2 interface as a PVLAN promiscuous port and map the port to the primary VLAN and the selected secondary VLAN pair
   Hostname(config)# interface Fastethernet 1/10
   Hostname(config-if)# switchport mode private-vlan promiscuous
   Hostname(config-if)# switchport private-vlan mapping 101 201-202,301
   Verification:
   show interface private-vlan mapping
   show interface [interface-id] switchport

30. Port block
   Unknown unicast and multicast frames will not be flooded out of the port
   Sw(config-if)#switchport block multicast
   Sw(config-if)#switchport block unicast
   If the block command is enabled on any interface in an EtherChannel, it is enabled on all ports of the EtherChannel

31. switchport protected
   If the protected command is enabled on any interface in an EtherChannel, it is enabled on all ports of the EtherChannel
   A private-VLAN port cannot be a protected port
   Two protected ports cannot communicate with each other
   Protected to non-protected port works normally
   Switch(config-if)#switchport protected

32. Etherchannel guard
   If a misconfiguration happens in an EtherChannel, the port will be error disabled
   Misconfiguration can happen:
     When one side is configured for EtherChannel and the other side is not
     When the EtherChannel protocol mismatches between the switches
   Switch(config)#spanning-tree etherchannel guard misconfig
   To recover from errdisable:
   Switch(config)#errdisable recovery cause channel-misconfig

33. DOS & DDOS attack
   Control plane protection
     Control plane: controls switch operation; any data destined to the switch, e.g. DTP, STP, VTP
   Data plane protection
     Data plane: responsible for forwarding user data
   Management plane protection
     Management plane: any management traffic is handled here: SSH, telnet, SNMP, HTTP, FTP, TFTP, syslog
