Layer 2 Security-NEW
BSCI v3.0—2-1
Types of Attacks
• VLAN hopping
• Spanning Tree manipulation
• MAC address spoofing
• DHCP attacks
CAM Table Overflow Attack
[Figure: CAM table overflow. An attacker on port 3/25 floods the switch with frames from bogus source MAC addresses (MAC X, MAC Y, MAC Z, ...) in VLAN 10 until the CAM table is full and traffic for legitimate hosts is flooded out all ports.]
Port Security
[Figure: Port security. The port connected to PC A accepts only the secure address MAC A; frames from the attacker's addresses (MAC D, MAC E, MAC F) are dropped.]
Port security allows you to configure Layer 2 interfaces that allow inbound traffic
from only a restricted set of MAC addresses.
The MAC addresses in the restricted set are called secure MAC addresses.
Secure MAC Addresses
• Static
– Manually configure secure MAC addresses for an interface
– Stored in the address table & added to running configuration
• Dynamic (default)
– Dynamically learned and configured as secure MAC addresses, using the MAC addresses of the connected devices
– Stored only in the address table & removed when the switch
restarts (or when the aging time expires)
• Sticky
– Dynamically learned
– Stored in the address table & added to running configuration
– If these addresses are saved in the configuration file, the
interface does not need to dynamically relearn them when
the switch restarts
Port Security Violation Modes
Enable or disable static aging for the secure port, or set the aging time or type:
• static: enable aging for statically configured secure addresses on this port
• time time: specify the aging time, in minutes
• type absolute: age out exactly after the specified time period
• type inactivity: age out only if there is no data traffic for the specified time period
Verifying Port Security
• If the port-security feature has shut down a port, the port can be restored to an operational state using the error-disable recovery procedure.
802.1Q VLAN
[Figure: VLAN hopping over an 802.1Q trunk. VLAN 10 and VLAN 20 share the trunk; the attacker sees traffic destined for the servers in the other VLAN.]
Mitigating VLAN Hopping
[Figure: Spanning tree manipulation. Two topologies with the root bridge and per-port states (F = forwarding, B = blocking); an attacker who injects superior BPDUs can change which bridge is root.]
Implementing BPDUGuard to Mitigate
Spanning Tree Manipulation
• If the BPDU guard feature has shut down a port, the port can be restored to an operational state using the error-disable recovery procedure.
[Figure: DHCP attack. The attacker sends DHCP requests with spoofed MAC addresses to the DHCP server.]
[Figure: 802.1X access control. An unauthorized external wireless user with invalid or no credentials is denied access to corporate network resources from an untrusted network.]
802.1x and Port Security
[Figure: 802.1X with port security and identity. A = attacker, B = legitimate user, both behind a hub. The switch, authenticating against Cisco Secure ACS/RADIUS, reports "I don't know A, I know B"; the port stays unauthorized for A.]
Local Authentication, SSH
Telnet vs SSH Access
• Telnet
- Most common access method
- Insecure (credentials and session sent in cleartext)
- TCP, port 23
• SSH (Secure Shell Protocol)
- More secure (encrypted, authenticated session)
- TCP, port 22
Enhanced Username Password Security
router(config)#
username name password {[0] password | 7 hidden-password}
• Traditional user configuration with plaintext password
router(config)#
username name secret {[0] password | 5 encrypted-secret}
• Uses MD5 hashing for strong password protection
• Better than the type 7 encryption used by the service password-encryption command
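The following IOS configuration ties together the features covered above (sticky port security with aging and a violation mode, error-disable recovery, BPDU guard, trunk hardening against VLAN hopping, and local username secrets over SSH). It is an added example, not part of the original course material; the hostname, domain name, interface numbers, VLAN numbers, username and password are constructed values.

```cisco
! Constructed example: interface names, VLANs and credentials are placeholders.
! Access port: limit secure MACs, learn them sticky, shut the port on violation.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Age out idle secure addresses after 10 minutes of no traffic;
 ! "aging static" also applies the timer to statically configured entries.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security aging static
 ! Edge port: no BPDUs expected; a received BPDU err-disables the port.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Error-disable recovery: bring ports back after 300 s once the cause clears.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Trunk: unused native VLAN, explicit allowed list, no DTP negotiation.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Management: MD5-hashed local secret, SSH version 2 only on the VTY lines.
hostname SW1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret Str0ngLocalSecret
line vty 0 4
 login local
 transport input ssh
!
! Verification
show port-security interface GigabitEthernet1/0/5
show port-security address
show errdisable recovery
show ip ssh
```

A sticky-learned address appears in the running configuration as a static `switchport port-security mac-address sticky <mac>` line, so it survives a reload only after the configuration is saved.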