Module 11: Switch Security Configuration
Instructor Materials
Switching, Routing and Wireless Essentials v7.0 (SRWE)
Cisco Networking Academy Program
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Instructor Materials – Module 11 Planning Guide
•This PowerPoint deck is divided in two parts:
 •Instructor Planning Guide
  •Information to help you become familiar with the module
  •Teaching aids
 •Instructor Class Presentation
  •Optional slides that you can use in the classroom
  •Begins on slide # 9
•Note: Remove the Planning Guide from this presentation before sharing with anyone.
•For additional help and resources go to the Instructor Home Page and Course Resources for this course. You also can visit the professional development site on netacad.com, the official Cisco Networking Academy Facebook page, or the Instructor Only FB group.

What to Expect in this Module
•To facilitate learning, the following features within the GUI may be included in this module (feature: description):
 •Animations: Expose learners to new skills and concepts.
 •Videos: Expose learners to new skills and concepts.
 •Check Your Understanding (CYU): Per-topic online quiz to help learners gauge content understanding.
 •Interactive Activities: A variety of formats to help learners gauge content understanding.
 •Syntax Checker: Small simulations that expose learners to the Cisco command line to practice configuration skills.
 •PT Activity: Simulation and modeling activities designed to explore, acquire, reinforce, and expand skills.

What to Expect in this Module (Cont.)
•To facilitate learning, the following features may be included in this module (feature: description):
 •Hands-On Labs: Labs designed for working with physical equipment.
 •Class Activities: These are found on the Instructor Resources page. Class Activities are designed to facilitate learning, class discussion, and collaboration.
 •Module Quizzes: Self-assessments that integrate concepts and skills learned throughout the series of topics presented in the module.
 •Module Summary: Briefly recaps module content.

Check Your Understanding
•Check Your Understanding activities are designed to let students quickly determine if they understand the content and can proceed, or if they need to review.
•Check Your Understanding activities do not affect student grades.
•There are no separate slides for these activities in the PPT. They are listed in the notes area of the slide that appears before these activities.

Module 11: Activities
•What activities are associated with this module?

Page #    Activity Type     Activity Name                          Optional?
11.1.9    Syntax Checker    Implement Port Security                Recommended
11.1.10   Packet Tracer     Implement Port Security                Recommended
11.2.3    Syntax Checker    Mitigate VLAN Hopping Attacks          Recommended
11.3.5    Syntax Checker    Mitigate DHCP Attacks                  Recommended
11.4.4    Syntax Checker    Mitigate ARP Attacks                   Recommended
11.5.4    Syntax Checker    Mitigate STP Attacks                   Recommended
11.6.1    Packet Tracer     Switch Security Configuration          Recommended
11.6.2    Lab               Switch Security Configuration          Recommended

Module 11: Best Practices
•Prior to teaching Module 11, the instructor should:
 •Review the activities and assessments for this module.
 •Try to include as many questions as possible to keep students engaged during classroom presentation.
•Topic 11.1
 •Ask the students or have a class discussion
  •How might port security cause problems for legitimate users?
  •What port security violation mode seems to be the most effective for general deployment and why?
•Topic 11.2
 •Ask the students or have a class discussion
  •Is there a downside to configuring ports as static access or static trunk?
  •What benefit do you think is provided by designating an organization-wide native VLAN?

Module 11: Best Practices (Cont.)
•Topic 11.3
 •Ask the students or have a class discussion
  •How could DHCP Snooping negatively impact a user who is authorized to connect to the LAN?
  •What is it about the data that DHCP Snooping collects that is so foundational to other LAN security mechanisms?
•Topic 11.4
 •Ask the students or have a class discussion
  •What could happen if another device pretends to be the default gateway in a LAN?
  •Why do you think ports facing upstream are typically configured as trusted for Dynamic ARP Inspection?
•Topic 11.5
 •Ask the students or have a class discussion
  •What benefit does PortFast provide to the ordinary connected user?
  •Why does PortFast not error-disable an interface where it receives a spanning-tree BPDU?

Module 11: Switch Security Configuration
Switching, Routing and Wireless Essentials v7.0 (SRWE)
Cisco Networking Academy Program

Module Objectives
•Module Title: Switch Security Configuration
•Module Objective: Configure switch security to mitigate LAN attacks
•Topics and their objectives (topic title: topic objective):
 •Implement Port Security: Implement port security to mitigate MAC address table attacks.
 •Mitigate VLAN Attacks: Explain how to configure DTP and native VLAN to mitigate VLAN attacks.
 •Mitigate DHCP Attacks: Explain how to configure DHCP snooping to mitigate DHCP attacks.
 •Mitigate ARP Attacks: Explain how to configure ARP inspection to mitigate ARP attacks.
 •Mitigate STP Attacks: Explain how to configure PortFast and BPDU Guard to mitigate STP attacks.

11.1 Implement Port Security

11.1.1 – Secure Unused Ports
•Layer 2 attacks are some of the easiest for hackers to deploy, but these threats can also be mitigated with some common Layer 2 solutions.
•All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is secured depends on its function.
•A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be enabled with the no shutdown command.
•To configure a range of ports, use the interface range command:
  Switch(config)# interface range type module/first-number – last-number

11.1.2 – Mitigate MAC Address Table Attacks
•The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
•Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
•When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
•By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network.

11.1.3 – Enable Port Security
•Port security is enabled with the switchport port-security interface configuration command.
•Notice in the example, the switchport port-security command was rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is configured with the switchport mode access interface configuration command.
•Note: Trunk port security is beyond the scope of this course.

11.1.3 – Enable Port Security (Cont.)
•Use the show port-security interface command to display the current port security settings for FastEthernet 0/1.
•Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of MAC addresses is 1.
•If a device is connected to the port, the switch will automatically add the device's MAC address as a secure MAC. In this example, no device is connected to the port.
•Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state.
11.1.3 – Enable Port Security (Cont.)
•After port security is enabled, other port security specifics can be configured, as shown in the example.

11.1.4 – Limit and Learn MAC Addresses
•To set the maximum number of MAC addresses allowed on a port, use the following command:
  Switch(config-if)# switchport port-security maximum value
•The default port security value is 1.
•The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS.
•In this example, the maximum is 8192.

11.1.4 – Limit and Learn MAC Addresses (Cont.)
•The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
 1. Manually Configured: The administrator manually configures a static MAC address (or addresses) by using the following command for each secure MAC address on the port:
  Switch(config-if)# switchport port-security mac-address mac-address
 2. Dynamically Learned: When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
 3. Dynamically Learned – Sticky: The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the following command:
  Switch(config-if)# switchport port-security mac-address sticky
  Saving the running configuration will commit the dynamically learned MAC addresses to NVRAM.

11.1.4 – Limit and Learn MAC Addresses (Cont.)
•The example demonstrates a complete port security configuration for FastEthernet 0/1.
•The administrator specifies a maximum of 4 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses up to the 4 secure MAC address maximum.
•Use the show port-security interface and the show port-security address commands to verify the configuration.

11.1.5 – Port Security Aging
•Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
 •Absolute - The secure addresses on the port are deleted after the specified aging time.
 •Inactivity - The secure addresses on the port are deleted if they are inactive for a specified time.
•Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
•Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.
•Use the switchport port-security aging command to enable or disable static aging for the secure port, or to set the aging time or type.
  Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

11.1.5 – Port Security Aging (Cont.)
•The example shows an administrator configuring the aging type to 10 minutes of inactivity.
•The show port-security interface command confirms the changes.

11.1.6 – Port Security Violation Modes
•If the MAC address of a device attached to a port differs from the list of secure addresses, then a port violation occurs and, by default, the port enters the error-disabled state.
•To set the port security violation mode, use the following command:
  Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
•The following table shows how a switch reacts based on the configured violation mode (mode: description).
 •shutdown (default): The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
 •restrict: The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
 •protect: This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.

11.1.6 – Port Security Violation Modes (Cont.)
•The example shows an administrator changing the security violation mode to "restrict".
•The output of the show port-security interface command confirms that the change has been made.

11.1.7 – Ports in error-disabled State
•When a port is shut down and placed in the error-disabled state, no traffic is sent or received on that port.
•A series of port security related messages display on the console, as shown in the following example.
•Note: The port protocol and link status are changed to down and the port LED is turned off.

11.1.7 – Ports in error-disabled State (Cont.)
•In the example, the show interface command identifies the port status as err-disabled. The output of the show port-security interface command now shows the port status as secure-shutdown. The Security Violation counter increments by 1.
•The administrator should determine what caused the security violation. If an unauthorized device is connected to a secure port, the security threat is eliminated before re-enabling the port.
•To re-enable the port, first use the shutdown command, then use the no shutdown command.
11.1.8 – Verify Port Security
•After configuring port security on a switch, check each interface to verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
•To display port security settings for the switch, use the show port-security command.
•The example indicates that all 24 interfaces are configured with the switchport port-security command because the maximum allowed is 1 and the violation mode is shutdown.
•No devices are connected; therefore, the CurrentAddr (Count) is 0 for each interface.

11.1.8 – Verify Port Security (Cont.)
•Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.
•To verify that MAC addresses are "sticking" to the configuration, use the show run command as shown in the example for FastEthernet 0/19.
•To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command as shown in the example.

11.1.9 – Syntax Checker – Implement Port Security
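The port security behaviour described in 11.1.2 through 11.1.8 (the secure MAC limit, static versus dynamic versus sticky entries and how they appear in the running configuration, the three violation modes, aging, and err-disabled recovery) as a small Python model. This is an added example, not Cisco's or the course's code: the SecurePort class and its method names are invented for illustration, the MAC addresses used with it are made up, and the syslog text is a placeholder rather than the exact IOS message.

```python
"""Behavioural model of Cisco IOS port security as described in 11.1 (added example,
not Cisco material: names are invented, behaviours follow the slide text)."""
from dataclasses import dataclass, field

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecurePort:
    name: str
    mode: str = "dynamic auto"       # IOS default; port security is rejected in this mode
    enabled: bool = False
    maximum: int = 1                 # default maximum secure MACs
    violation: str = SHUTDOWN        # default violation mode
    sticky: bool = False
    aging_time: int = 0              # minutes; 0 = aging disabled
    aging_type: str = "absolute"     # "absolute" or "inactivity"
    aging_static: bool = False       # switchport port-security aging static
    secure: dict = field(default_factory=dict)  # mac -> {"kind", "learned", "seen"}
    err_disabled: bool = False
    violations: int = 0              # the Security Violation counter
    syslog: list = field(default_factory=list)

    def port_security(self):
        """switchport port-security: rejected unless the port is a static access port."""
        if self.mode != "access":
            raise ValueError("Command rejected: port is not a manually configured access port")
        self.enabled = True

    def mac_address(self, mac, now=0):
        """switchport port-security mac-address <mac>: a static secure MAC."""
        if len(self.secure) >= self.maximum:
            raise ValueError("maximum secure MAC count reached")
        self.secure[mac] = {"kind": "static", "learned": now, "seen": now}

    def receive(self, src_mac, now=0):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                      # no traffic in the error-disabled state
        if not self.enabled:
            return "forward"
        entry = self.secure.get(src_mac)
        if entry:
            entry["seen"] = now
            return "forward"
        if len(self.secure) < self.maximum:    # learn while below the maximum
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[src_mac] = {"kind": kind, "learned": now, "seen": now}
            return "forward"
        # Unknown source MAC with the secure table full: a security violation.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(f"{self.name}: psecure-violation, port err-disabled")
        elif self.violation == RESTRICT:
            self.violations += 1               # counter and syslog, port stays up
            self.syslog.append(f"{self.name}: security violation by {src_mac}")
        # PROTECT drops silently: no counter, no syslog
        return "drop"

    def expire(self, now):
        """Apply the aging type; static entries age only when aging_static is set."""
        if self.aging_time == 0:
            return
        for mac, e in list(self.secure.items()):
            if e["kind"] == "static" and not self.aging_static:
                continue
            ref = e["learned"] if self.aging_type == "absolute" else e["seen"]
            if now - ref >= self.aging_time:
                del self.secure[mac]

    def recover(self):
        """shutdown / no shutdown, issued after the cause of the violation is removed."""
        self.err_disabled = False

    def running_config(self):
        """Lines 'show run' would list: static and sticky MACs persist, dynamic ones do not."""
        lines = [f"interface {self.name}", f" switchport mode {self.mode}"]
        if self.enabled:
            lines.append(" switchport port-security")
            if self.maximum != 1:
                lines.append(f" switchport port-security maximum {self.maximum}")
            if self.violation != SHUTDOWN:
                lines.append(f" switchport port-security violation {self.violation}")
            if self.sticky:
                lines.append(" switchport port-security mac-address sticky")
            for mac, e in self.secure.items():
                if e["kind"] == "static":
                    lines.append(f" switchport port-security mac-address {mac}")
                elif e["kind"] == "sticky":
                    lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines
```

To walk through the slides' sequence, create a SecurePort, call port_security() (it raises while the port is still in dynamic auto mode), set mode to "access", call it again, then feed frames with receive(). With maximum 2, one static MAC, sticky learning and the restrict mode, the second unknown MAC is learned and shows up in running_config() as a sticky line, the third is dropped with the counter incremented and the port still up; in the default shutdown mode the same frame err-disables the port and every later frame is dropped until recover() is called.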
11.1.10 – Packet Tracer – Implement Port Security
•In this Packet Tracer, you will complete the following objectives:
 •Part 1: Configure Port Security
 •Part 2: Verify Port Security

11.2 Mitigate VLAN Attacks

11.2.1 – VLAN Attacks Review
•A VLAN hopping attack can be launched in one of three ways:
 •Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
 •Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.
 •Another type of VLAN hopping attack is a double-tagging (or double-encapsulated) attack. This attack takes advantage of the way hardware on most switches operates.

11.2.2 – Steps to Mitigate VLAN Hopping Attacks
•Use the following steps to mitigate VLAN hopping attacks:
 •Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
 •Step 2: Disable unused ports and put them in an unused VLAN.
 •Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
 •Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
 •Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.

11.2.3 – Syntax Checker – Mitigate VLAN Hopping Attacks

11.3 Mitigate DHCP Attacks

11.3.1 – DHCP Attack Review
•The goal of a DHCP starvation attack is to use an attack tool such as Gobbler to create a Denial of Service (DoS) for connecting clients.
•Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler uses a unique source MAC address for each DHCP request sent. However, mitigating DHCP spoofing attacks requires more protection.
•Gobbler could be configured to use the actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the DHCP payload. This would render port security ineffective because the source MAC address would be legitimate.
•DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.

11.3.2 – DHCP Snooping
•DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
•Devices under administrative control (e.g., switches, routers, and servers) are trusted sources.
•Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted.
•Devices outside the network and all access ports are generally treated as untrusted sources.
•A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device.
•The MAC address and IP address are bound together.
•Therefore, this table is called the DHCP snooping binding table.

11.3.3 – Steps to Implement DHCP Snooping
•Use the following steps to enable DHCP snooping:
 •Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
 •Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
 •Step 3. On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the ip dhcp snooping limit rate packets-per-second interface configuration command.
 •Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.

11.3.4 – DHCP Snooping Configuration Example
•Refer to the DHCP snooping sample topology with trusted and untrusted ports.
•DHCP snooping is first enabled on S1.
•The upstream interface to the DHCP server is explicitly trusted.
•F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second.
•Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

11.3.4 – DHCP Snooping Configuration Example (Cont.)
•Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping settings.
•Use the show ip dhcp snooping binding command to view the clients that have received DHCP information.
•Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI).

11.3.5 – Syntax Checker – Mitigate DHCP Attacks

11.4 Mitigate ARP Attacks

11.4.1 – Dynamic ARP Inspection
•In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
•Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
 •Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
 •Intercepting all ARP Requests and Replies on untrusted ports.
 •Verifying each intercepted packet for a valid IP-to-MAC binding.
 •Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
 •Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

11.4.2 – DAI Implementation Guidelines
•To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
 •Enable DHCP snooping globally.
 •Enable DHCP snooping on selected VLANs.
 •Enable DAI on selected VLANs.
 •Configure trusted interfaces for DHCP snooping and ARP inspection.
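The DHCP snooping binding table of 11.3.2 and the DAI checks listed in 11.4.1, together with the src-mac, dst-mac and ip validation options that 11.4.3 describes, modelled in Python so the interaction between the two features can be traced packet by packet. This is an added example, not Cisco material: the Switch class and its method names are invented, the port names, VLAN, MAC and IP addresses are constructed, and DHCP and ARP messages are reduced to the fields the checks need.

```python
"""DHCP snooping binding table (11.3) feeding Dynamic ARP Inspection (11.4).
Added example, not Cisco material: names, ports and addresses are constructed."""
from collections import defaultdict

INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


def is_multicast(ip):
    return 224 <= int(ip.split(".")[0]) <= 239


class Switch:
    def __init__(self, snooping_vlans, dai_vlans, trusted_ports,
                 dhcp_rate=None, arp_rate=15, validate=()):
        self.snooping_vlans = set(snooping_vlans)   # ip dhcp snooping vlan ...
        self.dai_vlans = set(dai_vlans)             # ip arp inspection vlan ...
        self.trusted = set(trusted_ports)           # ports trusted for snooping and DAI
        self.dhcp_rate = dhcp_rate                  # ip dhcp snooping limit rate <pps>
        self.arp_rate = arp_rate                    # DAI untrusted-port limit, 15 pps by default
        self.validate = set(validate)               # ip arp inspection validate {src-mac dst-mac ip}
        self.bindings = {}                          # (vlan, ip) -> (mac, port): the binding table
        self.client_port = {}                       # (vlan, client mac) -> untrusted port
        self.err_disabled = set()
        self.log = []
        self.counters = defaultdict(int)            # (kind, port, second) -> packets seen

    def _over_rate(self, kind, port, second, limit):
        """Count packets per second on untrusted ports; err-disable above the limit."""
        if limit is None or port in self.trusted:
            return False
        self.counters[(kind, port, second)] += 1
        if self.counters[(kind, port, second)] > limit:
            self.err_disabled.add(port)
            self.log.append(f"{port} err-disabled: {kind} rate limit exceeded")
            return True
        return False

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, second=0):
        """Filter one DHCP message (DISCOVER/REQUEST/OFFER/ACK); 'forward' or 'drop'."""
        if port in self.err_disabled:
            return "drop"
        if vlan not in self.snooping_vlans:
            return "forward"
        if self._over_rate("dhcp", port, second, self.dhcp_rate):
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):          # client messages: remember the port
            if port not in self.trusted:
                self.client_port[(vlan, client_mac)] = port
            return "forward"
        if port not in self.trusted:                # server messages from an untrusted port
            self.log.append(f"dropped DHCP {msg} from untrusted {port}")
            return "drop"
        if msg == "ACK" and yiaddr:                 # lease granted: record the binding
            cport = self.client_port.get((vlan, client_mac))
            if cport:
                self.bindings[(vlan, yiaddr)] = (client_mac, cport)
        return "forward"

    def arp(self, port, vlan, eth_src, eth_dst, sender_mac, sender_ip,
            target_mac, target_ip, reply=False, second=0):
        """Inspect one ARP packet on the given port; 'forward' or 'drop'."""
        if port in self.err_disabled:
            return "drop"
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"                        # trusted uplinks are not inspected
        if self._over_rate("arp", port, second, self.arp_rate):
            return "drop"
        if "src-mac" in self.validate and eth_src != sender_mac:
            return self._drop(port, "Ethernet source != ARP sender MAC")
        if "dst-mac" in self.validate and reply and eth_dst != target_mac:
            return self._drop(port, "Ethernet destination != ARP target MAC")
        if "ip" in self.validate:
            ips = [sender_ip] + ([target_ip] if reply else [])
            if any(ip in INVALID_IPS or is_multicast(ip) for ip in ips):
                return self._drop(port, "invalid IP address in ARP body")
        # The core DAI check: sender IP/MAC must match a binding learned on this port
        if self.bindings.get((vlan, sender_ip)) != (sender_mac, port):
            return self._drop(port, f"no binding for {sender_ip} -> {sender_mac}")
        return "forward"

    def _drop(self, port, why):
        self.log.append(f"DAI dropped ARP on {port}: {why}")
        return "drop"


def scenario():
    """Constructed topology: G0/1 uplink to the router/DHCP server is trusted; PC-A on
    Fa0/5 and another host on Fa0/6 sit on untrusted access ports in VLAN 10."""
    s = Switch(snooping_vlans={10}, dai_vlans={10}, trusted_ports={"G0/1"},
               dhcp_rate=6, validate={"src-mac", "dst-mac", "ip"})
    pc_a, host_b, gw = "aaaa.0000.0001", "bbbb.0000.0002", "cccc.0000.00ff"
    s.dhcp("Fa0/5", 10, "DISCOVER", pc_a)
    s.dhcp("G0/1", 10, "OFFER", pc_a, "10.0.10.11")
    s.dhcp("Fa0/5", 10, "REQUEST", pc_a)
    s.dhcp("G0/1", 10, "ACK", pc_a, "10.0.10.11")      # creates the binding
    legit = s.arp("Fa0/5", 10, pc_a, gw, pc_a, "10.0.10.11", gw, "10.0.10.1", reply=True)
    # A reply from Fa0/6 claiming the gateway address (the 11.4.1 scenario): no binding
    spoof = s.arp("Fa0/6", 10, host_b, pc_a, host_b, "10.0.10.1", pc_a, "10.0.10.11", reply=True)
    rogue = s.dhcp("Fa0/6", 10, "OFFER", pc_a, "10.0.10.99")   # server reply from an access port
    return s, legit, spoof, rogue
```

Running scenario() shows why the two features are paired: the ACK relayed through the trusted uplink is what creates the (VLAN, IP) to (MAC, port) binding, the legitimate reply from PC-A matches it and is forwarded, the reply from Fa0/6 asserting the gateway address is dropped and logged because no binding exists for it, and a DHCP server message arriving on an access port is dropped outright. The rate limits reproduce the err-disable behaviour from 11.3.3 and 11.4.1: a seventh DISCOVER within one second on a port limited to six packets per second takes that port down.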
•It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.

11.4.3 – DAI Configuration Example
•In the previous topology, S1 is connecting two users on VLAN 10.
•DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks.
•DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate.
•Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10.
•The uplink port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP inspection.

11.4.3 – DAI Configuration Example (Cont.)
•DAI can also be configured to check destination MAC, source MAC, and IP addresses:
 •Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
 •Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
 •IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

11.4.3 – DAI Configuration Example (Cont.)
•The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid.
•It can also be used to drop ARP packets when the MAC addresses in the body of the ARP packet do not match the addresses that are specified in the Ethernet header.
•Notice in the following example how only one command can be configured. Therefore, entering multiple ip arp inspection validate commands overwrites the previous command.
•To include more than one validation method, enter them on the same command line as shown in the output.

11.4.4 – Syntax Checker – Mitigate ARP Attacks

11.5 Mitigate STP Attacks

11.5.1 – PortFast and BPDU Guard
•Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network.
•To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:
 •PortFast
  •PortFast immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states.
  •Apply to all end-user access ports.
 •BPDU Guard
  •BPDU Guard immediately error-disables a port that receives a BPDU.
  •Like PortFast, BPDU Guard should only be configured on interfaces attached to end devices.

11.5.2 – Configure PortFast
•PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for STP to converge.
•Only enable PortFast on access ports.
•PortFast on inter-switch links can create a spanning-tree loop.
•PortFast can be enabled:
 •On an interface – Use the spanning-tree portfast interface configuration command.
 •Globally – Use the spanning-tree portfast default global configuration command to enable PortFast on all access ports.

11.5.2 – Configure PortFast (Cont.)
•To verify whether PortFast is enabled globally, you can use either the:
 •show running-config | begin span command
 •show spanning-tree summary command
•To verify if PortFast is enabled on an interface, use the show running-config interface type/number command.
•The show spanning-tree interface type/number detail command can also be used for verification.

11.5.3 – Configure BPDU Guard
•An access port could receive unexpected BPDUs accidentally or because a user connected an unauthorized switch to the access port.
•If a BPDU is received on a BPDU Guard enabled access port, the port is put into the error-disabled state.
•This means the port is shut down and must be manually re-enabled or automatically recovered through the errdisable recovery cause psecure_violation global command.
•BPDU Guard can be enabled:
 •On an interface – Use the spanning-tree bpduguard enable interface configuration command.
 •Globally – Use the spanning-tree portfast bpduguard default global configuration command to enable BPDU Guard on all access ports.

11.5.4 – Syntax Checker – Mitigate STP Attacks
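A small running-config audit that checks interface stanzas against the VLAN hopping mitigation steps in 11.2.2 (static access or trunk mode, switchport nonegotiate, a native VLAN other than 1, unused ports shut down and parked outside VLAN 1) and the PortFast and BPDU Guard commands in 11.5.2 and 11.5.3, honouring the global spanning-tree portfast default and spanning-tree portfast bpduguard default settings; it also flags access ports without the switchport port-security command from 11.1. This is added example code, not Cisco's or the course's. SAMPLE_CONFIG is a constructed show running-config excerpt with invented interface names and VLAN numbers.

```python
"""Audit a Cisco IOS running-config against the hardening steps in 11.2 and 11.5.
Added example, not Cisco material; the sample configuration is constructed."""

# Constructed running-config excerpt: interface names and VLAN numbers are invented.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 1
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return (set of global lines, {interface name: [stanza lines]})."""
    globals_, stanzas, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        elif line == "!":
            current = None
        elif line and current is None:
            globals_.add(line)
    return globals_, stanzas


def _value(lines, prefix, default):
    """Last word of the first stanza line starting with prefix, else default."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit(config):
    """Return {interface name: [findings]}; an empty list means the port passed."""
    g, stanzas = parse_interfaces(config)
    pf_default = "spanning-tree portfast default" in g
    bg_default = "spanning-tree portfast bpduguard default" in g
    report = {}
    for name, lines in stanzas.items():
        s, findings = set(lines), []
        mode = _value(lines, "switchport mode ", None)
        if "shutdown" in s:
            # Step 2: unused ports are disabled and moved to an unused VLAN
            if _value(lines, "switchport access vlan ", "1") == "1":
                findings.append("unused port left in VLAN 1")
        elif mode == "trunk":
            # Steps 3 to 5: static trunk, no DTP, native VLAN not 1
            if "switchport nonegotiate" not in s:
                findings.append("DTP still negotiating on trunk (missing switchport nonegotiate)")
            if _value(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append("native VLAN is 1")
        elif mode == "access":
            # Step 1 satisfied; end-user ports also want 11.1 and 11.5 protections
            if "switchport port-security" not in s:
                findings.append("port security not enabled")
            if not (pf_default or "spanning-tree portfast" in s):
                findings.append("PortFast not enabled")
            if not (bg_default or "spanning-tree bpduguard enable" in s):
                findings.append("BPDU Guard not enabled")
        else:
            findings.append("no static access/trunk mode: port is in DTP dynamic auto (Step 1)")
        report[name] = findings
    return report
```

On the sample, FastEthernet0/1 and GigabitEthernet0/1 pass (BPDU Guard on Fa0/1 comes from the global default), FastEthernet0/2 is flagged for still negotiating DTP, FastEthernet0/3 is shut down but left in VLAN 1, and GigabitEthernet0/2 is missing both switchport nonegotiate and a non-default native VLAN. The same parser can be pointed at a saved show running-config from a real switch; the checks only read the commands the module teaches.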
11.6 Module Practice and Quiz

Module Practice and Quiz: Packet Tracer – Switch Security Configuration
•In this Packet Tracer activity, you will:
•Secure unused ports
•Implement port security
•Mitigate VLAN hopping attacks
•Mitigate DHCP attacks
•Mitigate ARP attacks
•Mitigate STP attacks
•Verify the switch security configuration
11.6.1 – Packet Tracer – Switch Security Configuration

Module Practice and Quiz: Lab – Switch Security Configuration
•In this lab, you will:
•Secure unused ports
•Implement port security
•Mitigate VLAN hopping attacks
•Mitigate DHCP attacks
•Mitigate ARP attacks
•Mitigate STP attacks
•Verify the switch security configuration
11.6.2 – Lab – Switch Security Configuration

Module Practice and Quiz: What Did I Learn In This Module?
•All switch ports (interfaces) should be secured before the switch is deployed for production use.
•By default, Layer 2 switch ports are set to dynamic auto (trunking on).
•The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
•The switch can be configured to learn about MAC addresses on a secure port in one of three ways: manually configured, dynamically learned, and dynamically learned – sticky.
•If the MAC address of a device attached to the port differs from the list of secure addresses, then a port violation occurs. By default, the port enters the error-disabled state. When a port is placed in the error-disabled state, no traffic is sent or received on that port.
•Mitigate VLAN hopping attacks by disabling DTP negotiations, disabling unused ports, manually setting trunking where required, and using a native VLAN other than VLAN 1.
11.6.3 – What Did I Learn In This Module?

Module Practice and Quiz: What Did I Learn In This Module? (Cont.)
•The goal of a DHCP starvation attack is to create a Denial of Service (DoS) for connecting clients. DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.
•DHCP snooping determines whether DHCP messages are from an administratively configured trusted or untrusted source. It then filters DHCP messages and rate-limits DHCP traffic from untrusted sources.
•Dynamic ARP Inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by verifying ARP traffic.
•Implement Dynamic ARP Inspection to mitigate ARP spoofing and ARP poisoning.
•To mitigate Spanning Tree Protocol (STP) manipulation attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard.
11.6.3 – What Did I Learn In This Module? (Cont.)
11.6.4 – Module Quiz
Module 11: LAN Security Concepts – New Terms and Commands
•interface range
•switchport port-security
•switchport port-security interface
•switchport port-security maximum
•switchport port-security mac-address
•switchport port-security mac-address sticky
•switchport port-security aging time #
•switchport port-security aging type
•switchport port-security violation
•show port-security
•switchport mode access|trunk
•switchport nonegotiate
•switchport trunk native vlan #
•ip dhcp snooping
•ip dhcp snooping vlan #
•ip dhcp snooping limit rate
•show ip dhcp snooping
•ip arp inspection vlan #
•ip dhcp snooping trust
•ip arp inspection trust
•ip arp inspection validate
•spanning-tree portfast {default}
•spanning-tree bpduguard enable
•spanning-tree portfast bpduguard default