Implementing Switched Data Plane Security Solutions
[Figure: CAM table diagram. Switch port 3/25 has learned MAC X, MAC Y and MAC Z in VLAN 10; hosts with MAC A through MAC F are attached; an attacker is connected to the switch.]
Port security secure MAC address types:
1. Static
2. Dynamic
3. Sticky
Port security default settings:

Feature                   Default setting
Port security             Disabled
Maximum MAC addresses     1
Violation mode            Shutdown
Sticky address learning   Disabled
Port security aging       Disabled. Aging time is 0. When enabled, the default type is absolute.
Port security configuration commands:

switch(config-if)# switchport mode access
    Set the interface mode as access
switch(config-if)# switchport port-security
    Enable port security on the interface
switch(config-if)# switchport port-security maximum value
    Set the maximum number of secure MAC addresses for the interface (optional)
switch(config-if)# switchport port-security mac-address mac-address
    Enter a static secure MAC address for the interface (optional)
switch(config-if)# switchport port-security mac-address sticky
    Enable sticky learning on the interface (optional)
VLAN hopping attacks:
1. Switch spoofing
2. Double tagging
• Switch spoofing
[Figure: switch spoofing. The attacker's port negotiates an 802.1Q trunk with the switch, giving the attacker access to VLAN 10 and VLAN 20, where the server sits.]
• Double tagging
Guidelines
1. Disable all unused ports and place them in an unused VLAN.
2. Set all user ports to nontrunking mode by disabling DTP. (It is not a bad idea to set all ports by default to access mode and then reconfigure the trunking ports as needed.)
3. For backbone switch-to-switch connections, explicitly configure trunking and disable DTP.
4. Do not use VLAN 1 as the switch management VLAN.
[Figure: spanning-tree topology with the root bridge, forwarding (F) and blocking (B) ports, and STP BPDUs exchanged between switches.]
STP protection commands:

switch(config)# spanning-tree portfast bpduguard default
    Globally enable BPDU guard on all ports
switch(config-if)# spanning-tree guard root
    Enable root guard on an interface
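The port security commands, the four guidelines and the STP guard commands above, combined into one Cisco IOS configuration fragment. This is an added example, not from the original course slides; interface names, VLAN numbers and the IP address are assumptions, and switchport nonegotiate, switchport access vlan, switchport trunk native vlan, switchport trunk allowed vlan, switchport port-security violation, spanning-tree portfast and spanning-tree bpduguard enable are standard IOS commands not listed on the page. Setting an unused native VLAN on the trunk goes beyond the listed guidelines and addresses the double tagging attack named above.

```cisco
! Added example configuration (not from the original course material).
! Assumed names: VLAN 999 = unused/blackhole VLAN, VLAN 100 = management VLAN,
! Gi0/1 = user port, Gi0/24 = unused port, Gi0/48 = backbone trunk to a
! downstream switch (this switch is meant to remain the STP root).
!
! Guideline 4: management VLAN is not VLAN 1.
interface Vlan100
 description Management
 ip address 10.0.100.2 255.255.255.0
!
! Guideline 1: unused port shut down and parked in an unused VLAN.
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Guideline 2 plus port security: user port forced to access mode, DTP off,
! one sticky-learned secure MAC, shutdown on violation, BPDU guard on the edge.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Guideline 3: backbone trunk explicitly configured with DTP disabled.
! The unused native VLAN keeps untagged (double-tagged) frames out of user
! VLANs; root guard stops a downstream switch from claiming the root role.
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100
 spanning-tree guard root
!
! BPDU guard as the global default for every PortFast port.
spanning-tree portfast bpduguard default
```

The switchport trunk encapsulation dot1q line is required only on platforms that also support ISL and is rejected on platforms that support 802.1Q alone; omit it there.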
[Figure: switch with hosts A, B and C on Port 1, Port 2 and Port 3, and an attacker attached to the switch; MAC A shown in the switch table.]
© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—1-23
PVLAN
All devices using the private VLAN feature must be configured as VTP transparent.
Private VLAN port types:
• Promiscuous ports
• Community ports
• Isolated ports
[Figure: private VLAN on 172.30.1.0/24 with a promiscuous port and an isolated port. A frame from host A (source IP A, source MAC A) is addressed to destination IP C but destination MAC B.]