
Minimizing Service Loss and Data Theft in a Campus Network

Understanding Switch Security Issues


Overview of Switch Security
Rogue Access Points

• Rogue network devices can be:
  – Wireless hubs
  – Wireless routers
  – Access switches
  – Hubs
• These devices are typically connected at access level switches.
Switch Attack Categories

• VLAN Hopping
• MAC layer attacks
• VLAN attacks
• Spoofing attacks
• Attacks on switch devices
Explaining VLAN Hopping
VLAN Hopping with Double Tagging
Mitigating VLAN Hopping
MAC Flooding Attack
Port Security

Port security restricts port access by MAC address.


Configuring Port Security on a Switch

• Enable port security
• Set MAC address limit
• Specify allowable MAC addresses
• Define violation actions

Switch(config-if)#switchport port-security [maximum value] violation {protect | restrict | shutdown}

• Enables port security and specifies the maximum number of MAC addresses that can be supported by this port. The maximum and violation keywords are each entered as their own switchport port-security command.
Auto recovery from err-disable state

• If the port-security feature has shut down a port, the port can be restored to an operational state using the error-disable recovery procedure.
• Enable the recovery cause port-security:

Switch(config)#errdisable recovery cause psecure-violation

• Set a global recovery timeout by using the command:

Switch(config)#errdisable recovery interval seconds
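
The following is an added example, not part of the original slides: a small model of one access port that traces what the maximum, the three violation modes and the errdisable recovery timer do to each incoming frame. The MAC addresses, the time values and the class itself are constructed for illustration.

```python
# Added example (not from the slides): a model of one access port's
# port-security behaviour, so the effect of 'maximum', the three violation
# modes and 'errdisable recovery' can be traced frame by frame.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class SecurePort:
    maximum: int = 1                  # switchport port-security maximum <value>
    violation: str = "shutdown"       # switchport port-security violation {protect|restrict|shutdown}
    recovery_interval: int = 300      # errdisable recovery interval <seconds>; 0 disables recovery
    secure_macs: Set[str] = field(default_factory=set)   # dynamically learned secure MAC table
    violations: int = 0               # SecurityViolation (Count) column of 'show port-security'
    err_disabled_at: Optional[int] = None

    def receive(self, src_mac: str, now: int) -> str:
        """Handle one ingress frame seen at time `now` (seconds) and report the outcome."""
        if self.err_disabled_at is not None:
            if self.recovery_interval and now - self.err_disabled_at >= self.recovery_interval:
                # errdisable recovery cause psecure-violation: the port comes back up
                # and the dynamically learned addresses have to be relearned.
                self.err_disabled_at = None
                self.secure_macs.clear()
            else:
                return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)            # learn a new secure address
            return "forwarded (learned)"
        # An address beyond the limit is a violation; the mode decides the response.
        if self.violation == "protect":
            return "dropped silently"                # no counter increment, no notification
        self.violations += 1                         # restrict and shutdown both count it
        if self.violation == "restrict":
            return "dropped, syslog/SNMP trap sent"
        self.err_disabled_at = now                   # shutdown: the whole port is err-disabled
        return "port err-disabled"
```

Because protect mode neither counts nor reports, a port in that mode shows nothing unusual in `show port-security` even while it is discarding frames; restrict is the mode that leaves evidence.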


Verifying Port Security

Switch#show port-security

• Displays security information for all interfaces

Switch#show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
              (Count)         (Count)       (Count)
---------------------------------------------------------------------------
Fa5/1         11              11            0                   Shutdown
Fa5/5         15              5             0                   Restrict
Fa5/11        5               4             0                   Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
Verifying Port Security (Cont.)

Switch#show port-security interface type mod/port

• Displays security information for a specific interface

Switch#show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
Verifying Port Security (Cont.)

Switch#show port-security address

• Displays MAC address table security information

Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports      Remaining Age
                                                         (mins)
----    -----------       ----                -----      -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1      15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1      15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1      16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1      -
   1    0001.0001.1113    SecureConfigured    Fa5/1      -
   1    0005.0005.0001    SecureConfigured    Fa5/5      23
   1    0005.0005.0002    SecureConfigured    Fa5/5      23
   1    0005.0005.0003    SecureConfigured    Fa5/5      23
   1    0011.0011.0001    SecureConfigured    Fa5/11     25 (I)
   1    0011.0011.0002    SecureConfigured    Fa5/11     25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
Port Security with Sticky MAC Addresses

Sticky MAC stores dynamically learned MAC addresses.



Storm Control
LAN Storm

• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Storm Control

Switch(config-if)#storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Switch(config-if)#storm-control action {shutdown | trap}

• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
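
The following is an added example, not part of the original slides: it models the rising and falling thresholds of the storm-control level command and the two actions, using the values from the commands above (the 2k/1k shorthand is taken as 2000 and 1000 pps; the class and the per-interval load samples are constructed for illustration).

```python
# Added example (not from the slides): the rising/falling threshold logic behind
# 'storm-control <type> level ...' and 'storm-control action {shutdown | trap}',
# evaluated once per measurement interval the way the switch does.
from typing import List, Optional


class StormControl:
    def __init__(self, rising: float, falling: Optional[float] = None, action: str = "trap"):
        self.rising = rising                                   # level / bps / pps (rising threshold)
        self.falling = rising if falling is None else falling  # level-low / bps-low / pps-low; defaults to rising
        self.action = action                                   # done in addition to filtering the traffic
        self.suppressing = False                               # True while this traffic type is being dropped
        self.err_disabled = False
        self.events: List[str] = []                            # notifications a NOC would see

    def sample(self, load: float) -> str:
        """Evaluate one interval's measured load of the controlled traffic type."""
        if self.err_disabled:
            return "err-disabled"
        if not self.suppressing and load > self.rising:
            self.suppressing = True                            # storm detected: start filtering
            if self.action == "shutdown":
                self.err_disabled = True                       # port goes to the err-disabled state
                self.events.append("port err-disabled")
                return "err-disabled"
            self.events.append("SNMP trap sent")
        elif self.suppressing and load < self.falling:
            self.suppressing = False                           # back below the low-water mark
        return "suppressed" if self.suppressing else "forwarded"
```

The gap between the two thresholds is the point: with `pps 2k 1k` a port that drops to 1500 pps stays filtered, which keeps a storm hovering around the limit from flapping the port on and off.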

Protecting Against Spoof Attacks

DHCP Spoof Attacks

• Attacker activates DHCP server on VLAN.
• Attacker replies to valid client DHCP requests.
• Attacker assigns IP configuration information that establishes rogue device as client default gateway.
• Attacker establishes "man-in-the-middle" attack.
DHCP Snooping

• DHCP snooping allows the configuration of ports as trusted or untrusted.
• Untrusted ports cannot process DHCP replies.
• Configure DHCP snooping on uplinks to a DHCP server.
• Do not configure DHCP snooping on client ports.
Securing Against DHCP Snooping Attacks

Switch(config)# ip dhcp snooping

• Enables DHCP snooping globally

Switch(config)# ip dhcp snooping information option

• Enables DHCP Option 82 data insertion

Switch(config-if)# ip dhcp snooping trust

• Configures a trusted interface

Switch(config-if)# ip dhcp snooping limit rate [rate]

• Number of DHCP packets per second accepted on a port

Switch(config)# ip dhcp snooping vlan number [number]

• Enables DHCP snooping on your VLANs
Verifying DHCP Snooping

Switch# show ip dhcp snooping

• Verifies the DHCP snooping configuration

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface           Trusted    Rate limit (pps)
---------           -------    ----------------
FastEthernet2/1     yes        none
FastEthernet2/2     yes        none
FastEthernet3/1     no         20
Switch#
IP Source Guard

IP source guard is configured on untrusted L2 interfaces.

Configuring IP Source Guard on a Switch

Switch(config)# ip dhcp snooping

• Enables DHCP snooping globally

Switch(config)# ip dhcp snooping vlan number [number]

• Enables DHCP snooping on a specific VLAN

Switch(config-if)# ip verify source vlan dhcp-snooping port-security

• Enables IP Source Guard, source IP, and source MAC address filter on a port
ARP Spoofing
Dynamic ARP Inspection

• DAI associates each interface with a trusted state or an untrusted state.
• Trusted interfaces bypass all DAI.
• Untrusted interfaces undergo DAI validation.

Configuring DAI

Switch(config)#ip arp inspection vlan vlan_id[,vlan_id]

• Enables DAI on a VLAN or range of VLANs

Switch(config-if)#ip arp inspection trust

• Sets the interface as a trusted interface, so ARP packets arriving on it bypass DAI validation

Switch(config-if)#ip arp inspection validate {[src-mac] [dst-mac] [ip]}

• Configures DAI to drop ARP packets when the IP addresses are invalid
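
The following is an added example, not part of the original slides, covering the DHCP snooping, IP Source Guard and DAI slides together: it shows how the binding table that DHCP snooping builds from server replies on trusted ports is what both IP Source Guard and DAI consult on untrusted ports. The class, port names and addresses are constructed for illustration; the messages are plain Python values, no real network is involved.

```python
# Added example (not from the slides): how the DHCP snooping binding table,
# built from server replies seen on trusted ports, feeds IP Source Guard and
# Dynamic ARP Inspection on the untrusted access ports.
from typing import Dict, Optional, Set, Tuple

Binding = Tuple[str, str]   # (MAC, IP) pair recorded for a client port


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = trusted_ports                  # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.bindings: Dict[str, Set[Binding]] = {}   # client port -> bindings learned from DHCP ACKs

    def dhcp(self, port: str, msg: str, mac: str, ip: str, client_port: Optional[str] = None) -> str:
        """DHCP snooping: server messages (OFFER/ACK) are accepted only from trusted ports."""
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return "dropped: DHCP server reply on untrusted port"   # rogue server never reaches clients
        if msg == "ACK" and client_port is not None:
            # The lease the real server handed out becomes a binding table entry.
            self.bindings.setdefault(client_port, set()).add((mac, ip))
        return "forwarded"

    def _bound(self, port: str, mac: str, ip: str) -> bool:
        return (mac, ip) in self.bindings.get(port, set())

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: an untrusted port may only claim (MAC, IP) pairs the table knows."""
        if port in self.trusted or self._bound(port, sender_mac, sender_ip):
            return "forwarded"
        return "dropped: invalid ARP binding (DAI)"

    def ip(self, port: str, src_mac: str, src_ip: str) -> str:
        """IP Source Guard ('ip verify source ... port-security'): source IP and MAC must match."""
        if port in self.trusted or self._bound(port, src_mac, src_ip):
            return "forwarded"
        return "dropped: source not in binding table (IP source guard)"
```

A client whose address was assigned before snooping was enabled has no binding, so enabling IP Source Guard on its port drops all of its traffic until it renews its lease; that is the usual cause of "everything broke" reports after a rollout.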
Protection from ARP Spoofing

• Configure to protect against rogue DHCP servers.
• Configure for dynamic ARP inspection.
