Sikandar Shaik CCIEx3 (RS/SP/SEC)
Whatsapp - +91 9985048840, +91 7036826345

Table of Contents

About the Author
LAYER 2 SECURITY
  VLAN HOPPING ATTACKS (NATIVE VLAN, DTP CONCEPTS)
    LAB: VERIFYING DTP
    LAB: Native VLAN - VLAN Hopping Attacks
  CISCO DISCOVERY PROTOCOL
    LAB: VERIFY CDP
  SPANNING TREE PORTFAST
    LAB: STP PORTFAST
  BPDU GUARD & BPDU FILTER
    LAB: BPDU Guard
    LAB: BPDU filter (interface level)
  MAC FLOODING & MAC SPOOFING ATTACKS - PORT SECURITY
    LAB: PORT-SECURITY
  DHCP SPOOFING - DHCP SNOOPING
    LAB: DHCP Snooping
    LAB: Dynamic ARP Inspection
  PROTECTED PORTS - PRIVATE VLAN EDGE
  PRIVATE VLAN
    LAB: PRIVATE VLAN

About the Author

Sikandar Shaik, a Triple CCIE (RS/SP/SEC # 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 15 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scale, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments. Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad in countries such as China, Kenya and UAE.
He has also worked as a Freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you.

Secondly I would like to thank my family for understanding my long nights at the computer. I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement.

I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 3 (RS/SP/SEC)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions at info@noasolutions.com

LAYER 2 SECURITY

Overview of Switch Security
[Figure: switch security zones - Edge and DMZ, Core and Distribution, Access submodule]

Rogue Network Devices
» Wireless hubs
» Wireless routers
» Access switches
» Hubs
» These devices are typically connected at access-level switches, which is why most of the Layer 2 controls in this workbook are applied on access ports.

Disable Unused Ports
» By default all ports of a switch are in the no shutdown state.
» Disable all unused ports on a switch with the shutdown command.

Switch(config)# interface range fa0/11 - 15 , fa0/18
Switch(config-if-range)# shutdown

Verify with the running configuration:

S1# show run
Building configuration...
version 15.0
hostname S1
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 description web server
!
interface FastEthernet0/7

Dynamic Trunking Protocol - Overview
» Trunking can be negotiated automatically between two switches using DTP (Dynamic Trunking Protocol).
» DTP is enabled by default, but can be disabled.

Switch# show dtp
Global DTP information
        Sending DTP Hello packets every 30 seconds
        Dynamic Trunk timeout is 300 seconds
        0 interfaces using DTP

DTP Modes

TRUNK (switchport mode trunk)
» Trunk configured manually.
» The port still sends DTP messages and negotiates trunking with the port on the other end of the link.
» Used for links connecting to a switch, router or server.

ACCESS (switchport mode access)
» Access configured manually (never becomes a trunk).
» Used for links connecting to end devices (single VLAN).

NO-NEGOTIATE (switchport nonegotiate)
» Turns off DTP messages (disables DTP). Only accepted on a port whose mode is statically set to access or trunk.

DESIRABLE (switchport mode dynamic desirable)
» Actively attempts to become a trunk (sends and receives DTP messages).
» Becomes a trunk if the other end is set to trunk, desirable or auto.
» Default mode on older switches (2950, 3550 series).

AUTO (switchport mode dynamic auto)
» Only replies to DTP messages received from the other side.
» Becomes a trunk if the other end is set to trunk or desirable.
» Default mode on most modern switches.

DTP Modes - Summary (result of the link between Switch A and Switch B):

Switch A \ Switch B   Access     Dynamic auto   Dynamic desirable   Trunk
Access                Access     Access         Access              Limited connectivity (mismatch)
Dynamic auto          Access     Access         Trunk formed        Trunk formed
Dynamic desirable     Access     Trunk formed   Trunk formed        Trunk formed
Trunk                 Limited connectivity (mismatch)   Trunk formed   Trunk formed   Trunk formed
DTP - Vulnerabilities
» A port left in its default dynamic auto (or dynamic desirable) mode will form a trunk with anything that speaks DTP. An attacker on such a port can send DTP messages (e.g. announcing dynamic desirable), turn the port into a trunk and then send and receive traffic for every VLAN carried on it.

DTP - Possible Attack Mitigation
» Host-facing interfaces should be configured as access ports (switchport mode access).
» Disable DTP using switchport nonegotiate (always use manually configured access/trunk ports).

LAB: VERIFYING DTP

Topology: SW1 f0/20 -- f0/20 SW2, SW1 f0/21 -- f0/21 SW2

TASK:
» Configure f0/20 of SW1 to actively negotiate DTP (dynamic desirable); the SW2 f0/20 port should only reply to DTP messages (dynamic auto).
» Configure f0/21 of SW1 and SW2 so that they do not send any DTP messages.

Initial state of SW1 f0/20 (not trunking; "native" operational encapsulation means the port is operating as an access port):

SW1# sh interfaces fa0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native

On SW1:
SW1(config)# int f0/20
SW1(config-if)# switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW1(config-if)# switchport mode dynamic desirable

SW1# sh interfaces fa0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Trunking Encapsulation: dot1q

SW1# sh interfaces trunk
Port    Mode       Encapsulation  Status    Native vlan
Fa0/20  desirable  n-802.1q       trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005

On SW2 nothing has to be configured: dynamic auto is the default mode on this switch, and it answers SW1's DTP messages, so the trunk forms ("n-802.1q" = negotiated 802.1Q):

SW2# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  auto  n-802.1q       trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005

Port    Vlans allowed and active in management domain
Fa0/20  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1

TASK: Configure f0/21 on SW1 and SW2 as a manual trunk and disable the DTP negotiation process.
On SW1 / SW2:
SWx(config)# int f0/21
SWx(config-if)# switchport trunk encapsulation dot1q
SWx(config-if)# switchport mode trunk
SWx(config-if)# switchport nonegotiate

Note: on switches that support both ISL and 802.1Q (e.g. 3550/3560) the encapsulation must be set before switchport mode trunk, otherwise the mode command is rejected; on 802.1Q-only switches (2950/2960) the encapsulation command does not exist and is skipped. switchport nonegotiate is only accepted once the mode is statically access or trunk.

SW1# sh interfaces trunk
Port    Mode       Encapsulation  Status    Native vlan
Fa0/20  desirable  n-802.1q       trunking  1
Fa0/21  on         802.1q         trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005
Fa0/21  1-1005

Port    Vlans allowed and active in management domain
Fa0/20  1
Fa0/21  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1
Fa0/21  1

SW2# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  auto  n-802.1q       trunking  1
Fa0/21  on    802.1q         trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005
Fa0/21  1-1005

Port    Vlans allowed and active in management domain
Fa0/20  1
Fa0/21  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1
Fa0/21  none

The "none" on SW2 Fa0/21 is expected: the two parallel links form a loop, and spanning tree has put SW2's f0/21 into blocking for VLAN 1. The trunk itself is up ("on" mode, no negotiation).

Native VLAN - Overview
» If a frame received on a dot1q trunk link carries no VLAN tag, it is assumed to belong to the native VLAN.
» The default native VLAN is VLAN 1.
[Figure: three switches connected by trunk links, each trunk with its native VLAN]

VLAN Hopping Attacks
An attacker connected to an access port tries to gain access to traffic of other VLANs by sending 802.1Q/ISL tagged frames:
1) Switch spoofing: the attacker uses DTP negotiation to turn the access port into a trunk (the port is left in dynamic auto/desirable, the attacker sends DTP, a trunk is formed) and can then tag frames for any VLAN.
2) Double tagging: the attacker sends frames carrying two 802.1Q tags. The outer tag matches the native VLAN of the trunk (VLAN 1 by default) and is stripped by the first switch when it forwards the frame untagged over the trunk; the second switch reads the inner tag and delivers the frame into the victim VLAN. This only works when the attacker's access VLAN is the trunk's native VLAN, and it is one-way: replies are not delivered back to the attacker.
[Figure: attacker on an access port in VLAN 1, trunk with native VLAN 1 between two switches, double-tagged frame reaching another VLAN]

VLAN Hopping Attacks - Mitigation
» Host-facing interfaces should be access ports (switchport mode access).
» Disable DTP using switchport nonegotiate (always use manual access/trunk ports).
» Do not use VLAN 1 (the default native VLAN) for user or management traffic.
» Unused ports should be shut down and placed in an unused VLAN.
» Configure the native VLAN ID on trunks to a dedicated VLAN (e.g. VLAN 666, or VLAN 999 as in the lab below) and ensure that this VLAN is not used anywhere else in the network.
» An attacker who attempts the VLAN hopping attack then ends up in a dead VLAN that has no hosts to leverage.
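The double-tagging attack and the native-VLAN mitigation above, as an added example that is not part of the workbook. The script is a simplified model of how a Cisco-style switch handles 802.1Q tags on access and trunk ports (the MAC addresses, payload and the assumption that an access port accepts a tagged frame whose tag equals its own VLAN are this example's own); it builds a real double-tagged Ethernet frame and traces which VLAN the second switch finally places it in.

```python
"""Model of 802.1Q double tagging (VLAN hopping) and the native-VLAN mitigation.

Added example, not from the workbook. Simplified model of a Cisco-style switch:
- access port: untagged frames join the access VLAN; a tagged frame is accepted
  only if its outer tag equals the access VLAN (assumption of this model), and
  any further inner tags are just payload to this switch.
- trunk egress: frames in the native VLAN leave untagged (unless native tagging
  is on); every other VLAN gets a tag pushed.
- trunk ingress: outer tag selects the VLAN; untagged frames go to the native VLAN.
"""
import struct

DOT1Q = 0x8100        # 802.1Q TPID
VICTIM_VLAN = 20      # VLAN the attacker wants to reach (sample value)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"ATTACK"):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:                                   # TPID, then PCP/DEI=0 + 12-bit VID
        frame += struct.pack("!HH", DOT1Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the list of VIDs of the stacked tags (outermost first)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == DOT1Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Strip the outermost 802.1Q tag (4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag with the given VID as the new outermost tag."""
    return frame[:12] + struct.pack("!HH", DOT1Q, vid) + frame[12:]


def ingress_access(frame, access_vlan):
    """Access-port ingress: returns (vlan, frame) or (None, None) if dropped."""
    vids = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, pop_tag(frame)             # inner tags pass through untouched
    return None, None


def egress_trunk(vlan, frame, native_vlan, tag_native=False):
    """Trunk egress: native VLAN leaves untagged unless native tagging is enabled."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def ingress_trunk(frame, native_vlan):
    """Trunk ingress on the far switch: outer tag wins, untagged = native VLAN."""
    vids = parse_tags(frame)
    if vids:
        return vids[0], pop_tag(frame)
    return native_vlan, frame


def hop(attacker_vlan, native_vlan, tag_native=False):
    """Send a double-tagged frame from an access port on switch A over the trunk to
    switch B. Returns the VLAN switch B places the frame in (None = dropped on A)."""
    # outer tag = the attacker's own VLAN, inner tag = the victim VLAN
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        [attacker_vlan, VICTIM_VLAN])
    vlan_a, frame = ingress_access(frame, attacker_vlan)
    if vlan_a is None:
        return None
    on_wire = egress_trunk(vlan_a, frame, native_vlan, tag_native)
    vlan_b, _ = ingress_trunk(on_wire, native_vlan)
    return vlan_b


if __name__ == "__main__":
    print("attacker in VLAN 1, native VLAN 1   ->", hop(1, 1))      # 20: hopped
    print("attacker in VLAN 1, native VLAN 999 ->", hop(1, 999))    # 1: stays put
    print("attacker in VLAN 1, native tagged   ->", hop(1, 1, True))  # 1: stays put
```

With the default native VLAN 1 and the attacker sitting in VLAN 1, the outer tag is stripped on switch A and the inner tag 20 is honoured on switch B. Moving the native VLAN to an unused VLAN (999) means switch A pushes a VLAN 1 tag on the way out, so switch B keeps the frame in VLAN 1; tagging the native VLAN on the trunk has the same effect.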
[Figure: attacker on an access port, trunk link with native VLAN 1, DTP messages exchanged with a port in switchport mode dynamic desirable]

Native VLAN Configuration
For Cisco switches the native VLAN ID must match on both ends of the trunk.

SWx(config)# vlan 999
SWx(config-vlan)# exit
SWx(config)# int f0/20
SWx(config-if)# switchport mode trunk
SWx(config-if)# switchport trunk native vlan 999

This message appears when the native VLAN is mismatched between two Cisco switches (CDP carries the native VLAN, so the check works only while CDP is enabled on the link):
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/20 (1), with SW1 FastEthernet0/20 (999).

SW1# sh interfaces f0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
Voice VLAN: none

SW1# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  on    802.1q         trunking  999

LAB: Native VLAN

Topology: PC (192.168.1.1) -- SW1 f0/20 -- f0/20 SW2 -- PC (192.168.1.2)

TASK:
» Connect the devices and assign the IP addressing as per the diagram.
» Create VLAN 999 on both switches.
» Configure the f0/20 ports as trunk links.
» Ensure that VLAN 999 is the native VLAN on both trunks.
» Verify the connectivity between the PCs (192.168.1.1 and 192.168.1.2).

PC> ipconfig
FastEthernet0 Connection:(default port)
  IP Address......: 192.168.1.1
  Subnet Mask.....: 255.255.255.0
  Default Gateway.: 0.0.0.0

PC> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=12ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128

On SW1 / SW2:
SWx(config)# vlan 999
SWx(config-vlan)# end
SWx(config)# int f0/20
SWx(config-if)# switchport trunk encapsulation dot1q
SWx(config-if)# switchport mode trunk

SW2# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  on    802.1q         trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005

Port    Vlans allowed and active in management domain
Fa0/20  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1

PC> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=1ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128

TASK: Change the native VLAN to 999 on SW1 only and verify connectivity.

SW1(config)# int f0/20
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# end
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/20 (999), with SW2 FastEthernet0/20 (1).

PC> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

The ping fails because the PCs are in VLAN 1: SW2 still sends VLAN 1 frames untagged (its native VLAN), and SW1 now assigns untagged frames to VLAN 999, so the two halves of VLAN 1 no longer meet across the trunk. This is exactly the tag-stripping behaviour the double-tagging attack relies on.

SW1# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  on    802.1q         trunking  999

Port    Vlans allowed on trunk
Fa0/20  1-1005
Port    Vlans allowed and active in management domain
Fa0/20  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1

SW1# sh interfaces f0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
Voice VLAN: none

SW2# sh interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Fa0/20  on    802.1q         trunking  1

Port    Vlans allowed on trunk
Fa0/20  1-1005

Port    Vlans allowed and active in management domain
Fa0/20  1

Port    Vlans in spanning tree forwarding state and not pruned
Fa0/20  1

Now set the same native VLAN on SW2 so both ends of the trunk agree:

SW2(config)# int f0/20
SW2(config-if)# switchport trunk native vlan 999
SW2(config-if)# end

PC> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=1ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128

CISCO DISCOVERY PROTOCOL

Cisco Discovery Protocol
» Proprietary protocol developed by Cisco Systems.
» Enabled by default.
» Used to share information about directly connected Cisco equipment, such as the connected ports, operating system version and IP address.
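To show what an attacker with a packet analyser learns from the CDP advertisements described above, here is an added example that is not part of the workbook: it builds a constructed CDP frame (the device name, IP address and version string are made-up sample data modelled on the lab) and decodes the TLVs in it. The frame layout (CDP multicast MAC, LLC/SNAP with Cisco OUI and PID 0x2000, 4-byte CDP header, then type/length/value records) is the standard CDP v2 encoding; the checksum is left at zero and ignored by the parser.

```python
"""Decode the information a CDP advertisement leaks on the wire.

Added example, not from the workbook. build_cdp_frame() constructs a sample
CDP v2 frame (device name, address and version are made-up sample values);
parse_cdp_frame() is what an attacker's analyser effectively does with it.
"""
import ipaddress
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")                 # CDP/VTP multicast destination
SNAP_HDR = bytes.fromhex("aaaa03" "00000c" "2000")      # LLC AA/AA/03 + SNAP OUI 00:00:0c, PID 0x2000

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "software_version",
             0x0006: "platform", 0x000a: "native_vlan", 0x000b: "duplex"}
CAP_BITS = [(0x01, "Router"), (0x02, "Trans-Bridge"), (0x04, "Source-Route-Bridge"),
            (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def tlv(t, value):
    """TLV header: 2-byte type, 2-byte length that includes the 4-byte header."""
    return struct.pack("!HH", t, 4 + len(value)) + value


def build_cdp_frame(device_id, ip, port_id, caps, version, platform, native_vlan):
    """Constructed CDP v2 advertisement; checksum field left as zero."""
    # Address TLV: count, then per address: proto type 1 (NLPID), proto len 1,
    # proto 0xCC (IPv4), 2-byte address length, address bytes.
    addr = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4)
    addr += ipaddress.IPv4Address(ip).packed
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0002, addr)
            + tlv(0x0003, port_id.encode()) + tlv(0x0004, struct.pack("!I", caps))
            + tlv(0x0005, version.encode()) + tlv(0x0006, platform.encode())
            + tlv(0x000a, struct.pack("!H", native_vlan)) + tlv(0x000b, b"\x01"))
    cdp = bytes([2, 180]) + struct.pack("!H", 0) + body   # version 2, TTL 180 s, checksum
    length = len(SNAP_HDR) + len(cdp)                    # 802.3 length field
    return CDP_MAC + bytes.fromhex("0019aabbccdd") + struct.pack("!H", length) + SNAP_HDR + cdp


def parse_cdp_frame(frame):
    """Return a dict of the interesting TLVs, or None if the frame is not CDP."""
    if frame[:6] != CDP_MAC or frame[14:22] != SNAP_HDR:
        return None
    info = {"ttl": frame[23]}                            # byte 22 = version, 23 = TTL
    off = 22 + 4                                         # skip version, TTL, checksum
    while off + 4 <= len(frame):
        t, length = struct.unpack_from("!HH", frame, off)
        if length < 4:
            break                                        # malformed TLV: stop, don't loop
        value = frame[off + 4: off + length]
        off += length
        name = TLV_NAMES.get(t)
        if name in ("device_id", "port_id", "software_version", "platform"):
            info[name] = value.decode(errors="replace")
        elif name == "capabilities":
            bits = struct.unpack("!I", value)[0]
            info[name] = [n for b, n in CAP_BITS if bits & b]
        elif name == "native_vlan":
            info[name] = struct.unpack("!H", value)[0]
        elif name == "duplex":
            info[name] = "full" if value[0] == 1 else "half"
        elif name == "addresses":
            count = struct.unpack_from("!I", value)[0]
            p, addrs = 4, []
            for _ in range(count):
                ptype, plen = value[p], value[p + 1]
                proto = value[p + 2: p + 2 + plen]
                alen = struct.unpack_from("!H", value, p + 2 + plen)[0]
                raw = value[p + 4 + plen: p + 4 + plen + alen]
                p += 4 + plen + alen
                if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
                    addrs.append(str(ipaddress.IPv4Address(raw)))
            info[name] = addrs
    return info


# Constructed sample: what SW2 would hear from R1 on its uplink.
SAMPLE = build_cdp_frame("R1", "192.168.1.100", "FastEthernet0/0", 0x01,
                         "Cisco Internetwork Operating System Software, Version 12.2(28)",
                         "cisco 2600", 1)

if __name__ == "__main__":
    for k, v in parse_cdp_frame(SAMPLE).items():
        print(f"{k:17} {v}")
```

Everything the parser prints (hostname, management IP, platform, exact IOS version, native VLAN of the link) is sent in clear text every 60 seconds to a multicast address with no authentication, which is why the mitigation below disables CDP/LLDP on untrusted ports.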
Switch# sh cdp neighbors
Switch# sh cdp neighbors detail
Switch# sh cdp interface

SW2# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID
R1         Fas 0/1        134      R           2600      Fas 0/0
SW3        Fas 0/22       175      S           2950      Fas 0/22
R2         Fas 0/2        133      R           C1841     Fas 0/0
R3         Fas 0/3        160      R           C2800     Fas 0/0
SW1        Fas 0/20       168      S           3560      Fas 0/20

SW2# sh cdp neighbors detail (entry for SW3 shown)
-------------------------
Device ID: SW3
Entry address(es):
Platform: cisco 2950, Capabilities: Switch
Interface: FastEthernet0/22, Port ID (outgoing port): FastEthernet0/22
Holdtime: 46
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
advertisement version: 2
Duplex: full

CDP & LLDP
» By default, CDP announcements are sent every 60 seconds on all interfaces.
» CDP can be used by Network Management Systems (NMS) or during troubleshooting.
» From a troubleshooting perspective CDP can be used to confirm or fix the documentation shown in a network diagram, or even to discover the devices and interfaces used in a network.
» LLDP is the standard equivalent of CDP (IEEE 802.1AB, 2005).
» LLDP is disabled by default on Cisco devices.

Configuring CDP
» CDP is enabled by default.
» The no cdp run command disables CDP globally.
» The no cdp enable command disables CDP on an interface.

Configuring LLDP
» LLDP is disabled by default.
» The command lldp run enables LLDP globally.
» The command lldp enable enables LLDP on an interface.

CDP/LLDP Vulnerabilities - Network Device Reconnaissance Attacks
» CDP/LLDP reveal device information that can be used to prepare attacks: native VLAN, VTP information, router IP addresses and the IOS version (and therefore its known vulnerabilities).
» The attacker may be directly connected to the victim's interface (router or switch).
» The system administrator uses CDP to view neighbor information; the attacker uses a packet analyzer to intercept the same CDP traffic, which is sent in clear text to a multicast MAC address with no authentication.
» The attacker analyzes the information in the CDP packets to learn network addresses and device details, then formulates attacks based on known vulnerabilities of those network platforms.
[Figure: attacker running a protocol analyzer on the same segment as the switch and router]

CDP/LLDP Vulnerabilities - Mitigation
» Disable CDP/LLDP on untrusted interfaces, for example external interfaces such as those at the Internet edge (and user-facing access ports).
» If all interfaces are untrusted, disable CDP/LLDP globally.
» Caveat: disabling CDP on a trunk also removes the native VLAN mismatch warning shown in the Native VLAN section, so keep CDP on trusted infrastructure links if you rely on it.

Disable CDP globally:
Router(config)# no cdp run

Disable CDP on selected interfaces:
Router(config)# interface <interface>
Router(config-if)# no cdp enable

Enable / disable LLDP globally:
Router(config)# [no] lldp run

Disable LLDP on selected interfaces:
Router(config)# interface <interface>
Router(config-if)# no lldp transmit
Router(config-if)# no lldp receive

LAB: VERIFY CDP

Topology: R1 f0/0, R2 f0/0, R3 f0/0 and SW1 f0/20 connected to SW2; attacker running a protocol analyser on the LAN.

TASK: Configure R1, R2, R3 and SW1 with IP addresses as per the diagram.

R1(config)# int f0/0
R1(config-if)# ip address 192.168.1.100 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit

R2(config)# int f0/0
R2(config-if)# ip address 192.168.2.100 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit

R3(config)# int f0/0
R3(config-if)# ip address 192.168.3.100 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit

SW1(config)# int vlan 1
SW1(config-if)# ip address 172.16.1.1 255.255.255.0
SW1(config-if)# no sh
SW1(config-if)# exit

SW2# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID
R1         Fas 0/1        134      R           2600      Fas 0/0
SW3        Fas 0/22       175      S           2950      Fas 0/22
R2         Fas 0/2        133      R           C1841     Fas 0/0
R3         Fas 0/3        160      R           C2800     Fas 0/0
SW1        Fas 0/20       168      S           3560      Fas 0/20

SW2# sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

SW2# sh cdp interface
FastEthernet0/1 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/2 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/4 is down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
(FastEthernet0/5 to FastEthernet0/19 are down, line protocol down, and print the same two timer lines)
FastEthernet0/20 is up, line protocol is up
  Sending CDP packets
  every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/21 is down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/22 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
(FastEthernet0/23, FastEthernet0/24, GigabitEthernet1/1 and GigabitEthernet1/2 are down, line protocol down, and print the same two timer lines)

Note that CDP is enabled on every interface, whether it is up or not: any port an attacker plugs into will start advertising after it comes up.

SW2# sh cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
  IP address: 192.168.1.100
Platform: cisco 2600, Capabilities: Router
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/0
Holdtime: 125
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(28), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 27-Apr-04 19:01 by miwang
advertisement version: 2
Duplex: full
-------------------------
Device ID: SW3
Entry address(es):
Platform: cisco 2950, Capabilities: Switch
Interface: FastEthernet0/22, Port ID (outgoing port): FastEthernet0/22
Holdtime: 46
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
advertisement version: 2
Duplex: full
-------------------------
Device ID: R2
Entry address(es):
  IP address: 192.168.2.100
Platform: cisco 1841, Capabilities: Router
Interface: FastEthernet0/2, Port ID (outgoing port): FastEthernet0/0
Holdtime: 129
Version :
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
advertisement version: 2
Duplex: full
-------------------------
Device ID: R3
Entry address(es):
  IP address: 192.168.3.100
Platform: cisco 2800, Capabilities: Router
Interface: FastEthernet0/3, Port ID (outgoing port): FastEthernet0/0
Holdtime: 150
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
advertisement version: 2
Duplex: full
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 172.16.1.1
Platform: cisco 3560, Capabilities: Switch
Interface: FastEthernet0/20, Port ID (outgoing port): FastEthernet0/20
Holdtime: 159
Version :
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(37)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 05-Jul-07 22:22 by pt_team
advertisement version: 2
Duplex: full

Every entry hands an attacker the exact platform and IOS release of a neighbor, which is all that is needed to look up known vulnerabilities for it.

TASK: Configure SW2 to disable CDP.

SW2(config)# no cdp run
SW2# sh cdp
% CDP is not enabled

TASK: Configure SW2 to enable CDP again.

SW2(config)# cdp run
SW2(config)# end
SW2# sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

TASK: Disable CDP only on the f0/20 interface of SW2 (towards SW1).

SW2(config)# int f0/20
SW2(config-if)# no cdp enable

SW2# sh cdp interface f0/20
(no output: CDP is disabled on this interface)

SW2# sh cdp interface f0/1
FastEthernet0/1 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

Once the holdtime (180 seconds) of the last advertisement received from SW1 expires, SW1 drops out of the neighbor table while the routers and SW3 remain:

SW2# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge,
                  B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID
R1         Fas 0/1        136      R           2600      Fas 0/0
R2         Fas 0/2        140      R           C1841     Fas 0/0
R3         Fas 0/3        161      R           C2800     Fas 0/0
SW3        Fas 0/22       177      S           2950      Fas 0/22

SPANNING TREE PORTFAST

Spanning-Tree PortFast
» Cisco-proprietary enhancement to Spanning Tree.
» Helps speed up network convergence for end devices (PCs, printers, servers).
» PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states (2 x 15 seconds of forward delay by default). This matters for hosts that need the link quickly after link-up, e.g. a PXE client that loads its OS from a remote boot server via DHCP/TFTP.
[Figure: PXE client on a Catalyst switch loading its OS from a PXE remote boot server (DHCP/TFTP)]

Spanning-Tree PortFast - Configuration

PortFast on specific ports:
Switch(config)# interface range fa0/1 - 10
Switch(config-if-range)# spanning-tree portfast

PortFast on all access ports globally:
Switch(config)# spanning-tree portfast default

NOTE:
» PortFast should be used only when connecting a single end station to a switch port.
» If you enable PortFast on a port connected to another networking device, such as a switch, you can create network loops.
» A PortFast-enabled interface still sends BPDUs; if it receives a BPDU it loses its PortFast status and goes through the normal STP states (BPDU Guard, covered next, is what turns that event into a protective action).

LAB: STP PORTFAST

Topology: PC1, PC2, PC3 and PC4 connected to f0/1 - f0/4 of the switch.

TASK:
» Connect four PCs to the LAN as per the diagram.
» Shut down the ports on the switch, then reconfigure no shutdown and observe the ports going through the LSN (listening) and LRN (learning) stages of the STP process before they come to FWD (forwarding).

Switch(config)# int range f0/1 - 4
Switch(config-if-range)# shutdown
Switch(config-if-range)# no shutdown

Switch# sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID
    Priority    32769
    Address     0001.6336.1BA3
    This bridge is the root
    Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Fa0/1      Desg LIS 19    128.1    P2p
Fa0/2      Desg LIS 19    128.2    P2p
Fa0/4      Desg LIS 19    128.4    P2p
Fa0/3      Desg LIS 19    128.3    P2p

Switch# sh spanning-tree (about 15 seconds later; Root ID and Bridge ID blocks unchanged)
Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Fa0/1      Desg LRN 19    128.1    P2p
Fa0/2      Desg LRN 19    128.2    P2p
Fa0/4      Desg LRN 19    128.4    P2p
Fa0/3      Desg LRN 19    128.3    P2p

Switch# sh spanning-tree (another 15 seconds later; Root ID and Bridge ID blocks unchanged)
Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Fa0/1      Desg FWD 19    128.1    P2p
Fa0/2      Desg FWD 19    128.2    P2p
Fa0/4      Desg FWD 19    128.4    P2p
Fa0/3      Desg FWD 19    128.3
P2p

» All the ports connecting to end devices go through the listening and learning states by default (15 seconds each) before they come to the forwarding state.
» This is the default STP loop-prevention mechanism on switches.
» Here we want these access ports to bypass the LSN and LRN stages and transition to FWD immediately, so we configure PortFast on these ports (used only on access ports).

Switch(config)# int range f0/1 - 4
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# end

To verify:
Switch(config)# interface range f0/1 - 4
Switch(config-if-range)# shutdown
Switch(config-if-range)# no shutdown

Switch# sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Fa0/1      Desg FWD 19    128.1    P2p
Fa0/2      Desg FWD 19    128.2    P2p
Fa0/4      Desg FWD 19    128.4    P2p
Fa0/3      Desg FWD 19    128.3    P2p

Once PortFast is configured on the interfaces, all the ports transition to forwarding immediately, without passing through the LSN and LRN states.

TASK: Configure the switch so that all current and future access ports bypass the LSN and LRN states, using a single command.

Switch(config)# spanning-tree portfast default
Switch(config)# end

Note: the global command applies only to ports that are operationally access (non-trunking) ports; trunk ports are not affected.

Switch# sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Fa0/1      Desg FWD 19    128.1    P2p
Fa0/2      Desg FWD 19    128.2    P2p
Fa0/4      Desg FWD 19    128.4    P2p
Fa0/3      Desg FWD 19    128.3    P2p

BPDU GUARD & BPDU FILTER

BPDU Guard
» BPDU Guard prevents loops if another switch is attached to a PortFast port.
» It puts the port into the error-disabled state (basically shut down) if a BPDU is received on the interface.

BPDU Guard on a specific interface:
Switch(config)# interface f0/1
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable

BPDU Guard on all PortFast ports globally, using one command:
Switch(config)# spanning-tree portfast bpduguard default

The interface-level command works on any port, PortFast or not; the global default only protects ports that have PortFast enabled.

Messages logged when a device that sends BPDUs (a switch, or a laptop running bridging software) is plugged into f0/2:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state

Switch# show interfaces status err-disabled
Port   Name  Status        Reason     Err-disabled Vlans
Fa0/2        err-disabled  bpduguard

The err-disabled port has to be re-enabled manually with shutdown / no shutdown (or automatically with errdisable recovery, configured later in this lab).

BPDU Filtering

Global:
Switch(config)# spanning-tree portfast bpdufilter default
» Applies to PortFast ports. The interface still sends a few BPDUs at link-up and then stops sending.
» If the PortFast interface receives any BPDU, it loses its PortFast status (and with it the filter) and behaves as a normal STP port.

Interface level:
Switch(config)# interface f0/2
Switch(config-if)# spanning-tree bpdufilter enable
» The interface does not send any BPDU and ignores the received ones.
» The port is not shut down; this effectively disables spanning tree on the interface, so a loop through such a port is never detected. Prefer BPDU Guard on host-facing ports.

LAB: BPDU Guard

Topology: SW1 f0/19 -- f0/19 SW2

TASK:
» Connect a link between SW1 and SW2 on f0/19 and shut down all remaining ports.
» Configure SW2 f0/19 as a Layer 3 (routed) port to test the BPDU Guard feature: a routed port does not participate in spanning tree and sends no BPDUs, so the SW1 port stays up.
» Enable BPDU Guard and the PortFast feature on SW1 f0/19.

SW2(config)# int f0/19
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.0.0.1 255.0.0.0
SW2(config-if)# exit

SW1(config)# vlan 10
SW1(config-vlan)# exit
SW1(config)# int f0/19
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# exit

SW1# show spanning-tree interface f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

TASK: Reconfigure f0/19 on SW2 back to a Layer 2 port (switchport). SW2 now sends BPDUs on the link, so BPDU Guard on SW1 err-disables SW1's f0/19.

SW2(config)# int f0/19
SW2(config-if)# switchport
SW2(config-if)# exit

SW1# sh interfaces status err-disabled
Port    Name  Status        Reason     Err-disabled Vlans
Fa0/19        err-disabled  bpduguard

SW1# sh interfaces status
Port    Name  Status        Vlan  Duplex  Speed  Type
Fa0/1         connected     1     a-full  a-100  10/100BaseTX
(remaining ports shut down)
Fa0/19        err-disabled  10    auto    auto   10/100BaseTX

TASK: Configure the f0/19 port on SW2 back to a Layer 3 port and ensure that the port comes back up.

SW2(config)# int f0/19
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.0.0.1 255.0.0.0
SW2(config-if)# exit
SW2(config)# do sh ip int br
Interface  IP-Address  OK?  Method  Status  Protocol

SW2(config)# int f0/19
SW2(config-if)# shutdown
SW2(config-if)# no shutdown
SW2(config-if)# end
SW2# sh ip int brief
Interface  IP-Address  OK?  Method  Status  Protocol
SW2# sh interfaces status

Note: the err-disabled state is held by SW1, not SW2. Removing the cause on SW2 is necessary but not sufficient: on real hardware SW1's f0/19 stays err-disabled until shutdown / no shutdown is entered on SW1 f0/19, or until errdisable recovery (configured next) re-enables it.

TASK: Configure errdisable recovery for BPDU Guard so that the port comes up automatically 60 seconds after entering the err-disabled state.

SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW1(config)# errdisable recovery interval 60
SW1(config)# exit

SW1# sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violation   Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

The recovery interval is global: it applies to every cause that is enabled, not only to bpduguard.

TASK: Test by changing the Layer 3 interface f0/19 on SW2 to switchport and then back to Layer 3.

SW2(config)# int f0/19
SW2(config-if)# switchport
SW2(config-if)# exit

SW1# sh interfaces f0/19 status
Port    Name  Status        Vlan  Duplex  Speed  Type
Fa0/19        err-disabled  10    auto    auto   10/100BaseTX

SW2(config)# int f0/19
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.0.0.1 255.0.0.0
SW2(config-if)# end

SW1# sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violation   Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control__ Disabled arp-inspection Disabled loopback Disabled Timer intervak 60 seconds Interfaces that will be enabled at the next timeout: Interface Erraisable reason Time left(sec) SW1#sh errdisable recovery EnDisable Reason Timer Status udid Disabled bpduguard Enabled secutity-violatio Disabled channelmisconfig Disabled vmps Disabled pagp-flap Disabled dip-flop Disabled link-flap Disabled lptguard Disabled psecure-violation Disabled gbic-invalid Disabled dhep-rate-limit Disabled unicastficod Disabled sform-control_ Disabled arp-inspection Disabled loopback Disabled Timer intervat 60 seconds Interfaces that will be enabled at the next timeout: Interface Errdisable reason Time left(sec) ‘SW1#sh interfaces f0/19 status Port Name Status Vian er aie TASK: Reconfigure and verify the same task by removing on interface mode and enabling BPDU guard on global configuration mode: SWI (config) #int 0/19 SW1 (config:f}#no spanning-hree porttast SW1 (config: #no_ spanning-free bpduguard enable SWI {config} texit SW1 (config) #no errdisable recovery cause bpduguard SW! 
(contig) #no endisable recovery interval 60 SWlitsh errdisable recovery EnDisable Reason Timer Status Udi Disabled bpduguara Disabled security-violatio Disabled channel-misconfig Disabled vmps Disabled pagp-flap Disabled dip-flop Disabled link-flap Disabled l2ptguard Disabled psecure-violation Disabled gbic-invalid Disabled dhcp-rate-limit Disabled unicastflood Disabled storm-control_ Disabled arp-inspection Disabled loopback Disabled Timer interval: 300 seconds Interfaces that will be enabled at the next fimeout: ‘SWIsh interfaces f0/19 status Port Name Status Vian pipes speee es SW 1 (contig) #spanning-tree portfast bpduguard default SWI (config) #errdisable recovery cause bpduguard SWI (config) #errdisable recovery interval 60 ‘SW2(config) Hint f0/19 ‘SW2{config-if #switchport SW2(configri #exit ‘SW2tsh interfaces f0/19 status Port Name Status Vian eas SW1#sh interfaces (0/19 status Port Name Status Vian iia ‘SW2{config) Hint 10/19 SW2{configrif) tno switchport SW2{contigrf)#ip address 10.0.0.1 255.0.0.0 Sw2{configui tend SWI#sh errdisable recovery EnDisable Reason Timer Status udid Disabled security-violatio Disabled channelmisconfig Disabled vmps Disabled pagp-flap Disabled dip-flop Disabled link-flap Disabled lptguard Disabled psecure-violation Disabled gbic-invalid Disabled dhep-ate-limit Disabled unicasHficod Disabled storm-control_ Disabled arp-inspection Disabled loopback Disabled Timer intervat 60 seconds Interfaces that will be enabled at the next fimeout: Interface Errdisable reason Time left(sec) ‘SW1#sh interfaces f0/19 status Port Name Status Vian __ Duplex Speed Type LAB: BPDU filter (interface level) BPDU Filfer is used fo terminate the STP domain, but it has a different functionality: it can also be configured globally or at the interface level. However, behavior is different based on this; this was not the case For BPDU Guard, this had the same functionality regardless of how it was enabled. 
When configured at the interface level, BPDU Filter silently drops all inbound BPDUs received on the port and does not send any outbound BPDUs. There is no violation option for BPDU Filter, so the port never goes into the err-disabled state. BPDU Filter must be enabled carefully at the port level, because it can cause a permanent loop: if a switch is connected at the other end of the link and the network is physically looped, STP cannot detect the loop and the network becomes unusable within seconds.

[Diagram: SW1 f0/19 connected to SW2 f0/19]

TASK:
* Connect the link between SW1 and SW2 on f0/19 and shut down all remaining ports.
* Configure SW2 f0/19 as a layer 3 port to test the BPDU guard feature.
* Enable BPDU Guard and the portfast feature on SW1.

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#exit

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#int f0/19
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#spanning-tree portfast
SW1(config-if)#spanning-tree bpdufilter enable
SW1(config-if)#exit

SW1#sh spanning-tree interface f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 9, received 0

TASK: Configure SW2 f0/19 as a layer 2 port so that it can start sending BPDUs.

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#end

SW1#sh interfaces f0/19 status
Port      Name    Status        Vlan    Duplex   Speed   Type

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

SW1#sh interfaces f0/19 status
Port      Name    Status        Vlan    Duplex   Speed   Type

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bee2.fa00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

TASK: BPDU filter in global configuration mode:
* Remove the BPDU filter on the interface and enable it globally.
* Configure portfast on f0/19 on SW1 for verification.
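The two BPDU labs above exercise four configurations: BPDU Guard per interface with errdisable recovery, BPDU Guard enabled globally (which only applies to PortFast ports), BPDU Filter per interface (silent drop, never err-disabled) and BPDU Filter enabled globally. The following model, added here for illustration and not code from the workbook or a real switch, replays those four cases so the differences can be checked side by side. The interface-level rules follow the text above; the global-filter rule that a PortFast port which receives a BPDU loses PortFast and the filter (which is what the SW1 detail output shows once SW2 starts sending BPDUs) is the standard Cisco behaviour and an assumption of the model.

```python
"""Model of how an access port reacts to a received BPDU under PortFast with
BPDU Guard or BPDU Filter, and how errdisable recovery brings it back.

Added illustration; not code from the workbook and not a switch.  The global
bpdufilter rule (a PortFast port that receives a BPDU drops PortFast and the
filter) is the documented Cisco behaviour, assumed here."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False      # "spanning-tree bpduguard enable" on the interface
    bpdufilter: bool = False     # "spanning-tree bpdufilter enable" on the interface
    err_disabled: bool = False
    err_disabled_at: Optional[int] = None
    events: list = field(default_factory=list)


@dataclass
class Switch:
    """Global knobs used in the labs, with their IOS defaults."""
    bpduguard_default: bool = False   # "spanning-tree portfast bpduguard default"
    bpdufilter_default: bool = False  # "spanning-tree portfast bpdufilter default"
    recovery_bpduguard: bool = False  # "errdisable recovery cause bpduguard"
    recovery_interval: int = 300      # "errdisable recovery interval" (default 300 s)
    ports: dict = field(default_factory=dict)

    def add_port(self, port: Port) -> Port:
        self.ports[port.name] = port
        return port

    def receive_bpdu(self, name: str, now: int) -> str:
        """What the switch does with a BPDU arriving on port `name` at time `now`."""
        p = self.ports[name]
        if p.err_disabled:
            return "dropped: port is err-disabled"
        # Interface-level filter: silent drop, no violation, port never err-disabled.
        if p.bpdufilter:
            return "dropped: bpdufilter (interface)"
        # Guard applies per interface, or globally to every PortFast port.
        if p.bpduguard or (self.bpduguard_default and p.portfast):
            p.err_disabled, p.err_disabled_at = True, now
            p.events.append(f"{now}: {name} err-disabled (bpduguard)")
            return "err-disabled: bpduguard"
        # Global filter: the PortFast port loses PortFast (and the filter) and
        # takes part in STP normally from now on (assumed Cisco behaviour).
        if self.bpdufilter_default and p.portfast:
            p.portfast = False
            p.events.append(f"{now}: {name} lost portfast (global bpdufilter)")
            return "processed: port lost portfast and global bpdufilter"
        return "processed: normal STP"

    def errdisable_recovery(self, now: int) -> list:
        """Re-enable ports whose recovery timer expired; returns their names."""
        recovered = []
        if not self.recovery_bpduguard:
            return recovered
        for p in self.ports.values():
            if p.err_disabled and now - p.err_disabled_at >= self.recovery_interval:
                p.err_disabled, p.err_disabled_at = False, None
                p.events.append(f"{now}: {p.name} recovered from err-disable")
                recovered.append(p.name)
        return recovered


def run_scenarios() -> dict:
    """Replay the four lab configurations; results keyed by configuration."""
    out = {}
    # Interface-level guard with "errdisable recovery interval 60".
    sw = Switch(recovery_bpduguard=True, recovery_interval=60)
    sw.add_port(Port("Fa0/19", portfast=True, bpduguard=True))
    out["guard_if"] = (sw.receive_bpdu("Fa0/19", now=0),
                       sw.errdisable_recovery(now=59), sw.errdisable_recovery(now=60))
    # Global guard ("bpduguard default") only bites PortFast ports.
    sw = Switch(bpduguard_default=True)
    sw.add_port(Port("Fa0/19", portfast=True))
    sw.add_port(Port("Fa0/20", portfast=False))
    out["guard_global"] = (sw.receive_bpdu("Fa0/19", 0), sw.receive_bpdu("Fa0/20", 0))
    # Interface-level filter: BPDUs dropped, port stays up.
    sw = Switch()
    p = sw.add_port(Port("Fa0/19", portfast=True, bpdufilter=True))
    out["filter_if"] = (sw.receive_bpdu("Fa0/19", 0), p.err_disabled)
    # Global filter: the first BPDU strips PortFast, later ones are normal STP.
    sw = Switch(bpdufilter_default=True)
    p = sw.add_port(Port("Fa0/19", portfast=True))
    out["filter_global"] = (sw.receive_bpdu("Fa0/19", 0),
                            sw.receive_bpdu("Fa0/19", 2), p.portfast)
    return out
```

The `guard_global` case is the reason the lab reconfigures SW1 with `no spanning-tree portfast` before testing the global form: without PortFast on the port, `spanning-tree portfast bpduguard default` does nothing for it.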
SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#end

SW1(config)#int f0/19
SW1(config-if)#spanning-tree portfast
SW1(config-if)#no spanning-tree bpdufilter enable
SW1(config-if)#exit
SW1(config)#spanning-tree portfast bpdufilter default
SW1(config)#end

SW1#sh interfaces f0/19 status
Port      Name    Status        Vlan    Duplex   Speed   Type

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bee2.fa00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#end

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32769, address 000b.be78.8300
   Designated bridge has priority 32769, address 000b.be78.8300
   Designated port id is 128.19, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

SW1#show spanning-tree interface fastEthernet0/19 portfast

SW2(config)#int f0/19
SW2(config-if)#no switchport

SW1#show spanning-tree interface fastEthernet0/19 portfast

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 1, received 0

MAC FLOODING & MAC SPOOFING ATTACKS - PORT SECURITY

MAC Flooding Attack
» An attacker connected to a switch port floods a large number of Ethernet frames with different fake source MAC addresses.
» Also known as a CAM table overflow attack.
» Within a very short time, the switch's MAC address table is full of fake MAC address/port mappings.
» The switch's MAC address table has only a limited amount of memory.
» The switch cannot save any more MAC addresses in its MAC address table.
» The switch behaves like a hub: frames are flooded to all ports, similar to broadcast communication.
» The attacker's machine receives all the frames between the victim and the other machines.
» The attacker is able to capture sensitive data from the network.

MAC Flooding Attack
1. The attacker floods the CAM table with frames carrying numerous invalid source MACs. Valid hosts cannot create CAM entries.
2. Normal traffic is flooded out all ports because no CAM entries exist for the valid hosts.

Port Security - MAC Flooding Attack Mitigation
» Can protect the switch from MAC flooding attacks.
» We can specify a maximum number of MAC addresses allowed on an interface.
» If the port learns MAC addresses in excess of that limit, we can tell the switch to shut down the port (err-disable state).
» The port security feature is for access ports; it does not work on trunk ports, EtherChannel ports or SPAN (Switch Port Analyzer) ports.

Port Security - Configuration
(config)# interface fa0/1
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security maximum value
(config-if)# switchport port-security violation {protect | restrict | shutdown}

NOTE:
» The default violation action is "shutdown".
» The default maximum number of MAC addresses is 1.
» Port security works only on ports configured as static access or static trunks (it does not work on dynamic ports).

Port-Security - Violation Parameters
(config-if)# switchport port-security violation {protect | restrict | shutdown}

SHUTDOWN
» The port is immediately put into the err-disable state.
» Generates SNMP or syslog messages.

PROTECT
» Drops traffic from MAC addresses learned in excess of the limit (violating MACs above the limit).
» Valid entries can still forward traffic on the port.

RESTRICT
» Drops traffic from MAC addresses learned in excess of the limit (violating MACs above the limit).
» Valid entries can still forward traffic on the port.
» Generates SNMP or syslog messages.

MAC Address Spoofing Attack
[Diagram: attacker host imitating another device's MAC address on the LAN]
» A technique for changing the factory-assigned MAC address of a network interface on a networked device.
» Hides a computer on a network or allows it to imitate another network device.
» Allows bypassing of access control lists on servers or routers.

Port Security - Binding MAC with Ports
[Diagram: Catalyst switch; port security restricts port access by MAC address]
» Allows the switch to bind MAC addresses to specific ports.
» Binding can be done by either static or dynamic methods.
» Static binding: the administrator manually binds the MAC address on every single interface.
» Dynamic binding: dynamically learned MAC addresses are bound as static using the sticky option.

Port Security - Binding MAC with Ports - Configuration
Port security restricts port access by MAC address.
(config)# interface FastEthernet 0/10
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security maximum value
(config-if)# switchport port-security violation {protect | restrict | shutdown}

Manual binding (static MAC address):
(config-if)# switchport port-security mac-address mac-address

OR dynamic binding of learned MAC addresses:
(config-if)# switchport port-security mac-address sticky

LAB: PORT-SECURITY

[Diagram: switch ports f0/1 - f0/4 connected to PCs 192.168.1.1, 192.168.1.2, 192.168.1.3 and 192.168.1.4]

Configure port security on f0/1 with a maximum MAC address limit of 2 and the mac-address sticky option to bind the MACs on port f0/1; if the limit is exceeded, the default violation rule (shutdown) must apply.

Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#end

Switch#sh running-config
Building configuration...
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!

Switch#clear mac-address-table
Switch#sh mac-address-table
          Mac Address Table
Vlan    Mac Address       Type        Ports

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)

TASK:
* Configure the f0/1 port to use portfast to ensure that it comes to forwarding immediately.
* Connect the PC (192.168.1.1) on f0/1 and generate traffic by pinging other devices in the LAN.
* Try connecting another device and generate traffic to test the port security violation rule.
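The three violation modes and the sticky binding described on the slides above are easiest to compare when the whole lab is replayed in one place. The following model, added here for illustration and not code from the workbook or a Catalyst switch, applies the lab's configuration (maximum 2, sticky, default shutdown action) to a sequence of frames and reports what `show port-security` and the running configuration would reflect. PC1 and PC2 use the two sticky MAC addresses that appear in the lab's running configuration; PC3's MAC address is a constructed value.

```python
"""Model of port-security violation modes (protect / restrict / shutdown)
with sticky MAC binding, replaying the port-security lab.

Added illustration; not code from the workbook and not a switch.  The two
bound MACs are the lab's sticky entries; PC3's MAC is constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # IOS default maximum
    violation: str = "shutdown"      # IOS default action
    sticky: bool = False
    secure_macs: list = field(default_factory=list)   # static + sticky bindings
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame with source MAC `src_mac` on this port."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Learned as a secure address; with sticky it is also written to running-config.
            self.secure_macs.append(src_mac)
            return "forwarded: learned"
        # Limit exceeded: the configured violation action decides.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.syslog.append(f"{self.name}: violation by {src_mac}, port err-disabled")
            return "dropped: port err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"{self.name}: violation by {src_mac}, frame dropped")
        # protect: drop silently, no counter, no message
        return "dropped: violation"

    def shut_no_shut(self) -> None:
        """'shutdown' / 'no shutdown' clears err-disable; the bindings stay."""
        self.err_disabled = False

    def running_config(self) -> list:
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}"]
        if self.violation != "shutdown":       # the default action is not displayed
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m.upper()}"
                      for m in self.secure_macs]
        else:
            lines += [f" switchport port-security mac-address {m}" for m in self.secure_macs]
        return lines

    def show_port_security(self) -> tuple:
        """(MaxSecureAddr, CurrentAddr, SecurityViolation count, Security Action)."""
        return (self.maximum, len(self.secure_macs), self.violation_count,
                self.violation.capitalize())


PC1, PC2 = "0005.5e88.800b", "00e0.a325.1980"   # sticky MACs from the lab
PC3 = "000c.cfe2.3946"                           # constructed third host


def run_lab() -> dict:
    port = SecurePort("FastEthernet0/1", maximum=2, sticky=True)
    r = {}
    r["pc1"] = port.ingress(PC1)                   # learned, 1 of 2
    r["pc2"] = port.ingress(PC2)                   # learned, 2 of 2
    r["pc3_shutdown"] = port.ingress(PC3)          # violation: port err-disabled
    r["status_after"] = port.show_port_security()  # (2, 2, 1, "Shutdown")
    port.shut_no_shut()
    r["pc1_again"] = port.ingress(PC1)             # binding survived the recovery
    port.violation = "protect"                     # "switchport port-security violation protect"
    r["pc3_protect"] = port.ingress(PC3)           # dropped silently
    r["pc1_protect"] = port.ingress(PC1)           # valid host still forwards
    r["count_protect"] = port.show_port_security()[2]
    r["config"] = port.running_config()
    return r
```

The protect case is the one that surprises people in the lab: the third PC gets no traffic through, `show port-security` does not count a violation and no syslog message is produced, so the port looks healthy while the host is silently cut off.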
Switch(config)#int f0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#end

NOTE: Portfast is used here only to speed up access port convergence while testing and verifying; it is not mandatory for port security.

PC>ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........:
   IP Address......................: 192.168.1.1
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32
Reply from 192.168.1.2: bytes=32
Reply from 192.168.1.2: bytes=32
Reply from 192.168.1.2: bytes=32
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Switch#sh mac-address-table
          Mac Address Table
Vlan    Mac Address       Type        Ports
1       0001.974d.5308    DYNAMIC     Fa0/2
1       0005.5e88.800b    STATIC      Fa0/1

Switch#sh run
Building configuration...
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 spanning-tree portfast

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)

Sticky automatically binds the MAC address learned on the f0/1 port. The maximum mac-address option will not let the port learn more MAC addresses than the configured maximum.

TASK:
* Remove the PC connected on f0/1, connect another PC (here 192.168.1.3) and generate traffic from the newly connected PC.
Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)

TASK:
* Connect PC4 (192.168.1.4) to the f0/1 port, removing 192.168.1.3.
* Verify that, as per the configuration, the f0/1 port goes into the err-disable state.

PC>ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........: FE80::20C:CFFF:FEE2:3946
   IP Address......................: 192.168.1.4
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Switch#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol

TASK:
* Reconnect PC1 (192.168.1.1) back on the f0/1 port.
* Ensure that the port comes back to the up state and can reach the other devices in the LAN.

Switch#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol

Switch(config)#int f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end

Switch#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol

Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast

Switch#sh mac-address-table
          Mac Address Table
Vlan    Mac Address       Type        Ports
1       0001.974d.5308    DYNAMIC     Fa0/2

On f0/1 the MAC binding is done with the PC1 and PC2 MAC addresses. If any other device is connected on f0/1, the port is put into the shutdown state.

TASK: Configure the violation rule to protect mode instead of shutdown.

Switch(config)#int f0/1
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#end

Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 switchport port-security mac-address sticky 00E0.A325.1980
 spanning-tree portfast
!

To test, connect PC3 to f0/1 and generate traffic to the other devices in the LAN.

Switch#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)

PC>ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........: FE80::20C:CFFF:FEE2:3946
   IP Address......................: 192.168.1.4
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

DHCP SPOOFING - DHCP SNOOPING

What is DHCP?
Allows a server to dynamically distribute IP addressing and configuration information to clients:
» IP address
» Subnet mask
» Default gateway
» DNS server

Advantages:
» Centralized network client configuration
» Easier IP address management
» Reduced network administration
» Large network support

Assigning a Static IPv4 Address to a Host
[Screenshot: LAN interface properties dialog for configuring a static IPv4 address and preferred/alternate DNS servers]

Assigning a Dynamic IPv4 Address to a Host
[Screenshot: LAN interface properties dialog with "Obtain an IP address automatically" selected]
» DHCP is the preferred method of "leasing" IPv4 addresses to hosts on large networks.
» Reduces the burden on network support staff and ...

DHCP Process
[Diagram: DHCP client sends an IP address request to the DHCP server; the server performs IP address selection and returns an IP address acknowledgment]

DHCP Spoofing Attack
[Diagram: a rogue DHCP server on the LAN answers client requests and offers valid IP addresses alongside the legitimate DHCP server]
» The attacker activates a DHCP server on the VLAN.
» The attacker replies to valid client DHCP requests.
» The attacker provides wrong network information (which leads to a DoS attack).
» The attacker assigns IP configuration information that establishes the rogue device as the client's default gateway.
» The attacker establishes a "man-in-the-middle" attack.

DHCP Snooping
» DHCP snooping allows the configuration of ports as trusted or untrusted on switches.
» Trusted ports connect to DHCP servers or trunk links (they may send DHCP offer messages).
» Untrusted ports do not send any DHCP replies/offers (ports connecting to end devices).
» Once DHCP snooping is enabled, all ports automatically become untrusted.
» We need to configure the ports facing DHCP servers or trunk links as trusted ports.
[Diagram: DHCP server behind a trusted port, clients on untrusted ports, rogue DHCP offers dropped]

DHCP Snooping - Configuration
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan number [number]
Switch(config)# interface fa0/1
Switch(config-if)# ip dhcp snooping trust
[Diagram: DHCP server on a DHCP-snooping trusted port; client-facing ports are untrusted by default]

Verifying DHCP Snooping
Switch# show ip dhcp snooping
Verifies the DHCP snooping configuration.

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface          Trusted   Rate limit (pps)
FastEthernet2/1    yes       none
FastEthernet2/2    yes       none
FastEthernet3/1    no        20

DHCP Starvation Attack
[Diagram: a large number of DHCP requests with different fake source MAC addresses sent to the DHCP server]
» The DHCP server has a finite IP address scope.
» The attacker floods DHCP requests using spoofed MAC addresses.
» The DHCP server offers one IP per MAC until the pool is depleted.
» Other valid hosts in the LAN will not get an IP, as the DHCP server has no addresses left to assign.

DHCP Starvation Attack Mitigation - Port Security
» Port security limits the number of MAC addresses learned on a single interface.

LAB: DHCP Snooping
[Diagram: SW1 (vlan 10, 192.168.1.50) with the DHCP server on f0/1, a rogue DHCP server on f0/2 and the client on f0/3]
* Create vlan 10 and assign the IP address 192.168.1.50 on the vlan 10 interface.
* Connect the devices as per the diagram and configure ports f0/1 - 4 in vlan 10.
* Enable portfast on these ports for faster convergence (not mandatory for the test).

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#int vlan 10
SW1(config-if)#ip address 192.168.1.50 255.255.255.0
SW1(config-if)#exit
SW1(config)#int range f0/1 - 4
SW1(config-if-range)#switchport access vlan 10
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#spanning-tree portfast
SW1(config-if-range)#no shutdown
SW1(config-if-range)#end

TASK:
* Configure R1 to be the DHCP server and verify on R3 (as the DHCP client).
* Use the network range 192.168.1.0/24; R1 should be the default gateway (192.168.1.100).

R-1(config)#int f0/0
R-1(config-if)#ip address 192.168.1.100 255.255.255.0
R-1(config-if)#no shutdown
R-1(config-if)#exit
R-1(config)#ip dhcp pool CCIE
R-1(dhcp-config)#network 192.168.1.0 255.255.255.0
R-1(dhcp-config)#default-router 192.168.1.100
R-1(dhcp-config)#exit

R-1#sh ip dhcp pool
Pool CCIE :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses

R3-DCHPClient(config)#int f0/0
R3-DCHPClient(config-if)#ip address dhcp
R3-DCHPClient(config-if)#no shutdown
R3-DCHPClient(config-if)#end

DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/1  unassigned      YES NVRAM  up       down

R-1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address   Client-ID/Hardware address/User name   Lease expiration   Type

TASK:
* Enable DHCP snooping on SW1 for vlan 10.
* SW1 should store the binding database in flash with the filename DHCP.txt.

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#ip dhcp snooping database flash:DHCP.txt
SW1(config)#end

SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface          Trusted   Rate limit (pps)

SW1#debug ip dhcp snooping agent
SW1#debug ip dhcp snooping packet

TASK: Release the IP address on the R3 client and verify whether the client can get an IP address from the DHCP server.

DCHPClient#release dhcp f0/0
DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  unassigned      YES DHCP   up       up
FastEthernet0/1  unassigned      YES NVRAM  up       down

DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient(config-if)#end

00:51:19: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
00:51:19: DHCPSN: DHCP packet being sent to PI snooping process
00:51:19: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
00:51:19: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 001c.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
00:51:19: DHCP_SNOOPING: add relay information option.
00:51:19: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x0 0x2 0x2 0x8 0x0 0x6 0x0 0xB 0xBE 0xE2 0xFA 0x0
00:51:19: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
00:51:19: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
00:51:20: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
00:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
00:51:23: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
00:51:23: DHCPSN: DHCP packet being sent to PI snooping process

DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/1  unassigned      YES NVRAM  up       down

The client is not able to get an IP address from DHCP because, by default, once DHCP snooping is enabled all ports are treated as untrusted, and the switch does not allow DHCP offer messages on untrusted ports. We need to configure the port connecting to the DHCP server as trusted so that it can forward DHCP offer messages.

SW1(config)#int f0/1
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#exit

One more issue with IOS DHCP servers is that the switch inserts the option but leaves the "giaddr" field at zero. A DHCP server may therefore assume that the option has been formatted incorrectly, because a DHCP relay is supposed to set the "giaddr" field to its own IP address. An IOS DHCP server rejects such DHCP messages by default. To overcome this issue, you may use one of the following methods:
* Instruct the IOS DHCP server to accept DHCP messages with a zero "giaddr" by using the global command ip dhcp relay information trust-all or the interface-level command ip dhcp relay information trusted.
* Configure the DHCP snooping feature in the switch not to insert option 82. This is accomplished with the command no ip dhcp snooping information option.
* Trust the port where you receive the original DHCP message. The DHCP snooping feature does not insert any information option into packets received on trusted ports.

SW1(config)#no ip dhcp snooping information option

DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  192.168.1.1     YES DHCP   up       up
FastEthernet0/1  unassigned      YES NVRAM  up       down

SW1#
01:00:18: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.1.10)
01:00:37: DHCP_SNOOPING: checking expired snoop binding entries
01:00:38: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
01:00:38: DHCPSN: DHCP packet being sent to PI snooping process
01:00:38: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
01:00:38: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 001c.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:38: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:38: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:38: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:38: DHCPSN: Found ingress pkt on Fa0/1 VLAN 10
01:00:38: DHCPSN: DHCP packet being sent to PI snooping process
01:00:38: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
01:00:38: DHCP_SNOOPING: process new DHCP packet, input interface: Fa0/1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
01:00:42: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa0/1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/3.
01:00:42: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
01:00:42: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 001c.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:42: DHCPSN: Found ingress pkt on Fa0/1 VLAN 10
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: process new DHCP packet, input interface: Fa0/1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING: add binding on port FastEthernet0/3.
01:00:42: DHCP_SNOOPING: added entry to table (index 82)
01:00:42: DHCP_SNOOPING: dump binding entry: Mac=00:1C:58:08:FF:8E Ip=192.168.1.1 Lease=86400 Id Type=dhcp-snooping Vlan=10 If=FastEthernet0/3
01:00:42: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/3.

SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface          Trusted   Rate limit (pps)
FastEthernet0/1    yes       unlimited

SW1#sh ip dhcp snooping binding
MacAddress          IpAddress      Lease(sec)  Type           VLAN  Interface
00:1C:58:08:FF:8E   192.168.1.1    86338       dhcp-snooping  10    FastEthernet0/3
Total number of bindings: 1

SW1#sh ip dhc snooping database
Agent URL : flash:DHCP.txt
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 112 (00:01:52)
Abort Timer Expiry : Not Running

Last Succeded Time : 00:30:24 UTC Mon Mar 1 1993
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        1   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        1   Failed Writes    :        0
Media Failures       :        0

SW1#sh flash:
Directory of flash:/
    2  -rwx         322   Jan 1 1970 00:05:09 +00:00  system_env_vars
    3  -rwx         984   Mar 1 1993 00:01:19 +00:00  vlan.dat
    5  -rwx     6917476   Mar 1 1993 00:22:16 +00:00  c3550-ipservicesk9-mz.122-25.SEE2.bin
    7  drwx         128   Mar 1 1993 00:12:36 +00:00  c3550-i9q3l2-mz.121-11.EA1
   20  -rwx        2795   Mar 1 1993 00:50:20 +00:00  config.text
   22  -rwx          13   Jan 1 1970 00:05:09 +00:00  env_vars
   26  -rwx          24   Mar 1 1993 00:50:21 +00:00  private-config.text
15998976 bytes total (7676416 bytes free)

SW1#more flash:DHCP.txt
2691605
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.1.1 10 001c.5808.ff8e 2B92B1BA Fa0/3
END

TASK:
* Configure a rogue DHCP server on R2 (connected on f0/2).
* SW1 f0/2 is an untrusted port by default, and the client should not get an IP address from the rogue DHCP server.

R2-RougeDHCP(config)#int f0/0
R2-RougeDHCP(config-if)#ip address 192.168.1.200 255.255.255.0
R2-RougeDHCP(config-if)#no shutdown
R2-RougeDHCP(config-if)#end
R2-RougeDHCP(config)#ip dhcp pool ROUGE
R2-RougeDHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
R2-RougeDHCP(dhcp-config)#default-router 192.168.1.200
R2-RougeDHCP(dhcp-config)#exit

DCHPClient#release dhcp f0/0
DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/1  unassigned      YES NVRAM  up       down

DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient(config-if)#end

TASK:
* Shut down the interface f0/1 connecting to the DHCP server.
* Verify again by releasing the IP address on the client.

SW1(config)#int f0/1
SW1(config-if)#shutdown
SW1(config-if)#exit

DCHPClient#release dhcp f0/0
DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  unassigned      YES DHCP   up       up
FastEthernet0/1  unassigned      YES NVRAM  up       down

DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown

DCHPClient#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  unassigned      YES DHCP   up       up
FastEthernet0/1  unassigned      YES NVRAM  up       down

TASK: Remove the DHCP snooping configuration from the switch and verify the client.
SW1(config)#no ip dhcp snooping
SW1(config)#no ip dhcp snooping vlan 10
SW1(config)#no ip dhcp snooping database flash:DHCP.txt
SW1(config)#int f0/1
SW1(config-if)#no ip dhcp snooping trust
SW1(config-if)#end

DCHPClient#release dhcp f0/0
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient#sh ip int brief
Interface          IP-Address     OK? Method  Status  Protocol
FastEthernet0/0    192.168.1.1    YES DHCP    up      up
FastEthernet0/1    unassigned     YES NVRAM   up      down

Now the client gets its IP address from the rogue DHCP server, because the valid DHCP server is down and DHCP snooping is no longer configured. The rogue server hands out 192.168.1.200 (its own address) as the default gateway, so the client's traffic would be steered through the attacker. To test this, disable IP routing on the client and trace:

DCHPClient(config)#no ip routing
DCHPClient(config)#exit
DCHPClient#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1

TASK: Reconfigure DHCP snooping so that the client cannot obtain an IP address and gateway from the rogue DHCP server, and ensure the client can reach the valid DHCP server.

SW1(config)#int f0/1
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#ip dhcp snooping database flash:DHCP.txt
SW1(config)#no ip dhcp snooping information option
SW1(config)#int f0/1
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#end

The "no ip dhcp snooping information option" line matters in this lab: by default the switch inserts option 82 into client requests, and a Cisco IOS DHCP server (here the valid server behind f0/1) drops requests carrying option 82 with giaddr 0.0.0.0 unless it is told to trust them, so leaving the default on would break legitimate address assignment.

DCHPClient#release dhcp f0/0
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient(config-if)#end
DCHPClient#sh ip int brief
Interface          IP-Address   OK? Method  Status  Protocol
FastEthernet0/1    unassigned   YES NVRAM   up      down
DCHPClient#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
  1 192.168.1.100 !H  *  !H

SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited

ARP SPOOFING - DYNAMIC ARP INSPECTION

ARP Spoofing Attack
» The attacker sends fake Address Resolution Protocol (ARP) messages inside a Local Area Network (LAN).
» The aim is to redirect and intercept network traffic (man-in-the-middle attack).
» ARP has no authentication: a host updates its ARP cache from any gratuitous reply, so the attacker only needs to claim the gateway's IP address with its own MAC.

(Diagram: normal traffic pattern between the target computer and the switch, versus the same traffic with a poisoned ARP cache)

Dynamic ARP Inspection
» Prevents ARP spoofing attacks by validating ARP packets.
» Uses an IP-to-MAC binding table in the switch. This table is built dynamically from the DHCP snooping database; static entries can be added for hosts with fixed addresses using ARP inspection access lists.
» Once DAI is enabled, every ARP packet received on an untrusted interface is validated against the IP-MAC database and dropped if it does not match.

(Diagram: DAI uses the DHCP snooping binding table information to validate ARP replies)

Dynamic ARP Inspection Configuration
SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa14.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
SW1(config-arp-nacl)#exit
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#exit
SW1(config)#ip arp inspection vlan 10
SW1(config)#ip arp inspection filter ARP_VLAN10 vlan 10

(Diagram: SW1 192.168.1.50 with R1 192.168.1.1, R2 192.168.1.2 and the PC 192.168.1.10 in VLAN 10)

Dynamic ARP Inspection — Trusted ports
» DAI associates each interface with a trusted state or an untrusted state.
» By default all interfaces are untrusted, and ARP packets received on them must be validated against the IP-MAC binding database.
» Untrusted interfaces undergo DAI validation; trusted interfaces bypass all DAI checks.

SW1(config)#int f0/5
SW1(config-if)#ip arp inspection trust
SW1(config-if)#end

Dynamic ARP Inspection — Verification
SW1#sh ip arp inspection vlan 10

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active      ARP_VLAN10         No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny

TASK:
* Configure f0/1 - 2 connecting to R1/R2 as access ports in VLAN 10.
* Connect the topology and assign IP addressing as per the diagram.
* Create VLAN 10 and assign all connected ports to VLAN 10.

SW1(config)#vlan 10
SW1(config)#int vlan 10
SW1(config-if)#ip address 192.168.1.50 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#end
SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10
SW1(config-if-range)#spanning-tree portfast
SW1(config-if-range)#exit

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit

R2(config)#int f0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#exit

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TASK:
* Configure SW1 to prevent ARP poisoning attacks on VLAN 10.
* Without configuring trusted ports on SW1, ensure it enforces ARP inspection for R1, R2 and the PC on f0/5.
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#exit

SW1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SW1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SW1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.50             -  000b.bee2.fa00  ARPA   Vlan10
Internet  192.168.1.10             0  a4ba.dbbe.d185  ARPA   Vlan10

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa14.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
SW1(config-arp-nacl)# permit ip host 192.168.1.10 mac host a4ba.dbbe.d185 log
SW1(config-arp-nacl)#exit

NOTE:
* Here port f0/5 connects to my PC, from which I am accessing the routers via telnet.
* To keep this port from failing DAI inspection, we can either configure the port as trusted,
* or add an entry binding the PC's MAC (a4ba.dbbe.d185) to its IP address 192.168.1.10 in the ARP access-list, which is what was done above.

R1, R2 and the PC all use static IP addresses, so DHCP snooping never creates bindings for them; without the ARP access-list entries, DAI would drop every ARP packet they send on the untrusted ports.

Note that implementing ARP inspection may break some services, such as Proxy ARP. To resolve these issues, ARP inspection allows you to configure some ports as trusted. On trusted ports the switch does not inspect any ARP message. It is common to trust ARP messages on switch uplink ports pointing toward the network core, and never on ports facing end hosts.

SW1(config)#int f0/5
SW1(config-if)#
SW1(config-if)#end

When the switch receives an ARP packet on an ARP-untrusted port (the default state), it inspects the packet contents. Based on the IP-to-MAC binding information in the packet, the switch permits the packet only if it matches an entry in the ARP inspection table. This prevents ARP poisoning attacks.
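The two mechanisms described so far fit together: DHCP snooping decides which DHCP packets are forwarded and records the resulting leases, and DAI reuses those bindings (plus any ARP ACL entries) to judge ARP packets on untrusted ports. The following Python model is an added example and not part of this workbook or of Cisco IOS; it replays the lab topology (server behind the trusted port Fa0/1, client on Fa0/3, rogue server on Fa0/2, PC on Fa0/5 covered by an ARP ACL entry). The server MAC addresses, the rogue offer and the log strings are constructed for the model.

```python
"""Added example, not from the workbook: a small model of how DHCP snooping
builds its binding table and how Dynamic ARP Inspection (DAI) then decides
whether an ARP packet is forwarded. Port names, MAC and IP addresses follow
the lab above; the rogue server on Fa0/2, the server MACs, the PC on Fa0/5
and the log strings are constructed for this model and are not IOS output."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from a trusted port


@dataclass
class L2Switch:
    trusted: set = field(default_factory=set)      # snooping/DAI trusted ports
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> (mac, port)
    arp_acl: set = field(default_factory=set)      # static (ip, mac) permits
    pending: dict = field(default_factory=dict)    # chaddr -> port of the requesting client
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """Return True if snooping forwards the DHCP packet, False if it drops it."""
        if port not in self.trusted:
            if msg in SERVER_MSGS:                  # server reply on an untrusted port: rogue
                self.log.append(f"DHCP_SNOOPING: dropped {msg} on untrusted {port}")
                return False
            if src_mac != chaddr:                   # 'Verification of hwaddr field is enabled'
                self.log.append(f"DHCP_SNOOPING: chaddr {chaddr} != source MAC {src_mac} on {port}")
                return False
            self.pending[chaddr] = port             # remember where the client sits
        elif msg == "ACK" and chaddr in self.pending:
            self.bindings[(vlan, yiaddr)] = (chaddr, self.pending.pop(chaddr))
            self.log.append(f"DHCP_SNOOPING: add binding {yiaddr} {chaddr} vlan {vlan}")
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """DAI check. Trusted ports bypass inspection. On untrusted ports the
        sender IP/MAC must match an ARP ACL permit; with a non-static filter a
        packet the ACL does not permit is then checked against the snooping
        bindings, which is why a statically addressed host with a wrong ACL
        entry is logged as a DHCP_SNOOPING_DENY."""
        if port in self.trusted:
            return True
        if (sender_ip, sender_mac) in self.arp_acl:
            return True
        binding = self.bindings.get((vlan, sender_ip))
        if binding and binding[0] == sender_mac:
            return True
        self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: invalid ARP "
                        f"({sender_mac}/{sender_ip}) on {port}, vlan {vlan}")
        return False


def run_lab():
    """Replay the lab: DHCP server behind Fa0/1 (trusted), client on Fa0/3,
    rogue server on Fa0/2, PC 192.168.1.10 on Fa0/5 covered by the ARP ACL."""
    sw = L2Switch(trusted={"Fa0/1"})
    sw.arp_acl.add(("192.168.1.10", "a4ba.dbbe.d185"))
    client = "001c.5808.ff8e"
    r = {}
    r["discover"] = sw.dhcp("Fa0/3", 10, "DISCOVER", client, client)
    r["bad_chaddr"] = sw.dhcp("Fa0/3", 10, "DISCOVER", "1111.2222.3333", client)
    r["rogue_offer"] = sw.dhcp("Fa0/2", 10, "OFFER", "0000.0c00.0002", client, "192.168.1.77")
    r["server_ack"] = sw.dhcp("Fa0/1", 10, "ACK", "0000.0c00.0001", client, "192.168.1.1")
    r["binding"] = sw.bindings.get((10, "192.168.1.1"))
    r["arp_ok"] = sw.arp("Fa0/3", 10, "192.168.1.1", client)
    r["arp_spoofed"] = sw.arp("Fa0/3", 10, "192.168.1.1", "aaaa.aaaa.aaaa")
    r["arp_pc_acl"] = sw.arp("Fa0/5", 10, "192.168.1.10", "a4ba.dbbe.d185")
    r["arp_trusted"] = sw.arp("Fa0/1", 10, "192.168.1.99", "dead.beef.0000")
    r["log"] = sw.log
    return r


if __name__ == "__main__":
    results = run_lab()
    for key, value in results.items():
        if key != "log":
            print(f"{key:12} {value}")
    print("\n".join(results["log"]))
```

Two points the model makes visible: a trusted port is trusted for everything (the last ARP check passes with an address the switch has never seen), so trust belongs only on uplinks and the DHCP server port; and a host that never went through DHCP has no binding, so it is protected only as far as the ARP ACL describes it.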
SW1(config)#ip arp inspection vlan 10
SW1(config)#ip arp inspection filter ARP_VLAN10 vlan 10

SW1#sh ip arp inspection vlan 10

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active      ARP_VLAN10         No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------

SW1#clear arp-cache

R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Now change the MAC address in the ARP access-list entry for R1 and observe how the switch denies the violating ARP packets. Because the filter is not configured with the "static" keyword, an ARP packet that matches no permit entry is then compared against the DHCP snooping bindings. R1 has a static address, so there is no binding for 192.168.1.1 either, and the ARP packets are dropped by the switch.

SW1#sh arp access-list
ARP access list ARP_VLAN10
    permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
    permit ip host 192.168.1.10 mac host a4ba.dbbe.d185 log

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)#no permit ip host 192.168.1.1 mac host 0019.aa14.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host aaaa.aaaa.aaaa log
SW1(config-arp-nacl)#end

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

02:23:46: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0019.aa14.8596/192.168.1.1/000b.bee2.fa00/192.168.1.50/02:23:46 UTC Mon Mar 1 1993])

The log message shows the sender MAC/IP pair that failed validation (0019.aa14.8596/192.168.1.1) on port Fa0/1: this is exactly what a host spoofing 192.168.1.1 with its own MAC would look like to the switch.

TASK:
* Reconfigure the ARP access-list back to its previous state.
* Configure port f0/5 as a trusted port so that it does not go through DAI inspection.

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)#no permit ip host 192.168.1.1 mac host aaaa.aaaa.aaaa log
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa14.8596 log
SW1(config-arp-nacl)#exit

PROTECTED PORTS - PRIVATE VLAN EDGE

Protected Ports - Private VLAN Edge
» Used to prevent interfaces on the same switch from communicating with each other.
» Example: a small ISP providing Internet access wants to isolate its users from one another (and some applications need the same isolation).
» Utilized to protect hosts from malware and abuse spreading between neighbours on the same segment.
» By default all switchports are unprotected.
» Protected ports are unable to communicate with each other.

(Diagram: Computer A, Computer B, a mail server and a web server connected to one switch)

Protected Ports - Private VLAN Edge
» By default all switchports are unprotected.
» Protected ports must be manually configured.
» Protected ports cannot communicate with each other only within the same switch; the feature does not work across different switches, because traffic between two protected ports on different switches is forwarded normally over the uplink.
» Traffic between a protected port and an unprotected port is still permitted.

(Diagram: data traffic permitted between a protected and an unprotected port, not permitted between two protected ports)

Protected ports - Configuration
Switch(config)#interface range fa0/1, fa0/3
Switch(config-if-range)#switchport protected

Switch#show interface fa0/1 switchport | inc Protected
Protected: true

(Diagram: Computer A 192.168.1.1/24, Computer B 192.168.1.2/24 and Computer C 192.168.1.3/24 on the switch)

PRIVATE VLAN

Private VLAN
» Port isolation within the same VLAN. Same idea as protected-port isolation, but it works across multiple switches and adds further features.
» Uses the concept of sub-VLANs for Layer 2 isolation (primary and secondary VLANs).
» Example: a small ISP providing Internet access wants to isolate its users (and some applications need the same isolation).
» Provides scalability and IP address management benefits for service providers and Layer 2 security for customers.
» Utilized to protect hosts from malware and abuse.
Private VLAN — Port Types

Isolated VLANs:
» Ports within an isolated VLAN cannot communicate with each other at Layer 2.

Community VLANs:
» Ports within a community VLAN can communicate with each other,
» but cannot communicate with ports in other communities or in the isolated VLAN at Layer 2.

Promiscuous:
» A port attached to a router, firewall, etc.; it can communicate with all hosts (including isolated and community ports).

(Diagram: isolated and promiscuous ports; primary, community and isolated VLANs)

Private VLAN — Advantages
» Reduces VLAN and IP subnet consumption.
» You can prevent traffic between end stations even though they are in the same VLAN and IP subnet.

Private VLAN Configuration
SW1(config)#vtp mode transparent
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan isolated

NOTE:
» There can be only one isolated VLAN per primary VLAN.
» There can be many community VLANs.
» VTP must be in transparent mode (VTP version 1 and 2 do not propagate private VLAN configuration).

SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
SW1(config-vlan)#private-vlan association add 100,200,500

SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      100       community
10      200       community
10      500       isolated

Configuring Promiscuous Port
SW1(config)#int f0/20
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 10 100,200,500
SW1(config-if)#end

Configuring Isolated Secondary VLAN
SW1(config)#int range f0/3 , f0/22
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 500

Configuring Community Secondary VLAN
SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 100
SW1(config)#int range f0/5 , f0/24
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 200

Private VLAN Verification
SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      100       community         Fa0/1, Fa0/2, Fa0/20
10      200       community         Fa0/5, Fa0/20, Fa0/24
10      500       isolated          Fa0/3, Fa0/20, Fa0/22

SW1#sh interfaces status | in connected
Fa0/1     connected    10,100       full   a-100 10/100BaseTX
Fa0/2     connected    10,100       full   a-100 10/100BaseTX
Fa0/3     connected    10,500       full   a-100 10/100BaseTX
Fa0/5     connected    10,200       full   a-100 10/100BaseTX
Fa0/20    connected    10           full   a-100 10/100BaseTX
Fa0/22    connected    10,500       full   a-100 10/100BaseTX
Fa0/24    connected    10,200       full   a-100 10/100BaseTX

Host ports show both the primary and their secondary VLAN; the promiscuous port shows only the primary VLAN.

LAB: PRIVATE VLAN

(Diagram: lab topology; the host 192.168.1.10 is in community VLAN 200)

TASK:
* Configure VTP mode as transparent and put all ports connecting to end devices in VLAN 10 (the primary VLAN).
* Create VLANs 100, 200 and 500; configure VLANs 100 and 200 as community type and VLAN 500 as isolated type.
* VLANs 100, 200 and 500 will act as secondary VLANs; associate them with primary VLAN 10.

SW1(config)#interface range f0/1 - 3 , f0/5 , f0/20 , f0/22 , f0/24
SW1(config-if-range)#no shutdown
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10

SW1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/21, Fa0/22
                                                Fa0/23
                                                Gi0/1, Gi0/2

SW3(config)#int f0/20
SW3(config-if)#no switchport
SW3(config-if)#ip add 192.168.1.10 255.255.255.0
SW3(config-if)#end

SW2(config)#int f0/24
SW2(config-if)#no switchport
SW2(config-if)#ip add 192.168.1.6 255.255.255.0
SW2(config-if)#no sh
SW2(config-if)#end

(config)#int g0/0
(config-if)#ip add 192.168.1.1 255.255.255.0
(config-if)#no sh
(config-if)#end

(config)#int g0/0
(config-if)#ip add 192.168.1.2 255.255.255.0
(config-if)#no sh
(config-if)#end

(config)#int g0/0
(config-if)#ip add 192.168.1.3 255.255.255.0
(config-if)#no sh
(config-if)#end

SW4(config)#int f0/22
SW4(config-if)#no switchport
SW4(config-if)#ip add 192.168.1.4 255.255.255.0
SW4(config-if)#no sh
SW4(config-if)#end

R-5(config)#int g0/0
R-5(config-if)#ip add 192.168.1.5 255.255.255.0
R-5(config-if)#no sh
R-5(config-if)#end

Before the private VLAN configuration is applied, every device in VLAN 10 can reach every other one (the first lost packet in some of the pings is the initial ARP resolution):

R-5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R-5#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R-5#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R-5#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms

R-5#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R-5#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R-5#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

R-5#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R-5#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

SW1(config)#vtp mode transparent
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#end

Note:
* There can be only one isolated VLAN and many community VLANs per primary VLAN.
* Here VLAN 10 is the primary VLAN and VLANs 100, 200 and 500 act as secondary VLANs, associated with the primary VLAN (VLAN 10) with the following command:

SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
SW1(config-vlan)#private-vlan association add 100,200,500
SW1(config-vlan)#end

SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

TASK: Configure port fa0/20 as promiscuous, as it needs to be reachable from all secondary VLANs.

SW1(config)#int f0/20
SW1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan ?
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping
SW1(config-if)#switchport private-vlan mapping 10 100,200,500
SW1(config-if)#end

The mapping command assigns the port to primary VLAN 10 and maps secondary VLANs 100, 200 and 500 to it, so hosts in any of the three secondary VLANs can reach the device on fa0/20 (and it can reach them).

TASK:
* Configure ports fa0/1 and fa0/2 in a community so that they can talk to each other and to the promiscuous port.

SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 100
SW1(config-if-range)#end

The host-association command places fa0/1 and fa0/2 in community VLAN 100: these two ports can communicate with each other and with fa0/20 (the promiscuous port), but not with ports in community 200 or in the isolated VLAN 500.

TASK:
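To check the isolation rules of this section against the lab's port assignments before configuring them, the following Python model is useful. It is an added example, not part of the workbook or of IOS: it encodes the forwarding rules for protected ports (isolation only between two protected ports on the same switch) and for private VLANs (community, isolated and promiscuous ports) and computes the expected ping matrix for the lab ports. The Port class, its "switch" field and the function names are this model's own.

```python
"""Added example, not from the workbook: a layer-2 forwarding model for
protected ports (private VLAN edge) and private VLANs. Port roles follow the
lab above (community 100: Fa0/1-2, community 200: Fa0/5 and Fa0/24, isolated
500: Fa0/3 and Fa0/22, promiscuous: Fa0/20). The Port class, the 'switch'
field and the function names are this model's own, not IOS output."""
from dataclasses import dataclass

COMMUNITY_VLANS = {100, 200}   # lab secondary VLANs of type community
ISOLATED_VLAN = 500            # the single isolated secondary VLAN


@dataclass(frozen=True)
class Port:
    name: str
    mode: str = "access"              # access | host | promiscuous
    secondary: int = 0                # secondary VLAN of a private-vlan host port
    mapping: frozenset = frozenset()  # secondaries mapped on a promiscuous port
    protected: bool = False           # 'switchport protected' on an access port
    switch: str = "SW1"


def can_forward(a: Port, b: Port) -> bool:
    """True if a frame from port a may be switched to port b at layer 2.
    Ports are assumed to be in the same VLAN design (all plain access ports,
    or all private-vlan ports of one primary VLAN)."""
    if a is b:
        return False
    if a.mode == "access" or b.mode == "access":
        # Protected ports only isolate two protected ports on the SAME switch;
        # a protected port still talks to unprotected ports, and two protected
        # ports on different switches reach each other through the uplink.
        return not (a.protected and b.protected and a.switch == b.switch)
    if "promiscuous" in (a.mode, b.mode):
        if a.mode == b.mode:
            return True                      # promiscuous ports see each other
        host, prom = (a, b) if b.mode == "promiscuous" else (b, a)
        return host.secondary in prom.mapping
    # two host ports: same community talks, anything else is isolated
    if a.secondary != b.secondary:
        return False
    return a.secondary in COMMUNITY_VLANS     # isolated ports never talk to each other


def lab_ports() -> dict:
    """Port roles from the private VLAN lab."""
    return {
        "Fa0/1": Port("Fa0/1", "host", 100),
        "Fa0/2": Port("Fa0/2", "host", 100),
        "Fa0/5": Port("Fa0/5", "host", 200),
        "Fa0/24": Port("Fa0/24", "host", 200),
        "Fa0/3": Port("Fa0/3", "host", ISOLATED_VLAN),
        "Fa0/22": Port("Fa0/22", "host", ISOLATED_VLAN),
        "Fa0/20": Port("Fa0/20", "promiscuous", mapping=frozenset({100, 200, 500})),
    }


def reachability(ports: dict) -> dict:
    """Which ports each port can reach, i.e. the expected ping matrix."""
    return {name: sorted(other for other in ports if can_forward(p, ports[other]))
            for name, p in ports.items()}


if __name__ == "__main__":
    for name, reach in reachability(lab_ports()).items():
        print(f"{name:7} -> {', '.join(reach)}")
```

The model also shows why the workbook moves from protected ports to private VLANs: two protected ports on different switches (try Port("Fa0/1", protected=True) against Port("Fa0/3", switch="SW2", protected=True)) are not isolated at all, whereas two isolated host ports stay isolated regardless of which switch carries them.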
