Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
21 Cards in this Set
- Front
- Back
|
Some best Practices in VLAN security
|
VLAN configuration: Consider the following recommendations when configuring switch VLANs:
— Configure ports that do not need to form a trunk to a trunk setting of “off,” as opposed to “auto.” — Do not send user data over an IEEE 802.1Q trunk’s native VLAN. — Use private VLANs to prevent an attacker from compromising one host in a VLAN and then using that host as a jumping-off point to attack other hosts within the VLAN. |
|
|
VLAN Hopping
|
A VLAN hopping attack allows traffic from one VLAN to pass into another VLAN, without
first being routed |
|
|
Switch Spoofing
|
By default, Ethernet trunks on Cisco Catalyst switches carry traffic for all VLANs.
Therefore, if an attacker can persuade a switch to go into trunking mode, the attacker could then see traffic for all VLANs |
|
|
Disabling Trunking
|
At the interface:
switchport mode access |
|
|
Preventing the use of DTP (Dynamic Trunking Protocol)
|
At the interface:
switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate |
|
|
How to avoid Double Tagging
|
Create a VLAN that does not have any port and it is assigned like Native VLAN
|
|
|
Setting the Native VLAN
|
at the interface:
switchport trunk native vlan 400 |
|
|
Two approcaches for portecting a network from STP attacks:
|
Protecting with Root Guard
Protecting with BPDU Guard |
|
|
Root Guard
|
If a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across
at the interface: spanning-tree guard root |
|
|
BPDU Guard
|
It reduces the amount of time required for the port to go into forwarding state after being connected.
Because these PortFast ports are connected to end-user devices, they should never receive a BPDU. Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled At the interface: spanning-tree portfast bpduguard |
|
|
Enable proteccion agains dhcp snooping
|
At global config:
ip dhcp snooping At the interface: ip dhcp snooping limit trust Limit the dhcp messages: ip dhcp snooping limit rate 3 |
|
|
Dynamic ARP Inspection
|
Bulid the MAC address associate with ip address obtaining from dhcp
at the interface: ip arp inspection trust |
|
|
Configuring a SPAN Port
|
At global config:
monitor session 1 source interface (name-interface) monitor session 1 destination interface (name-interface) |
|
|
Cisco Catalyst switches support two categories of secondary VLANs
|
Isolated VLANs
Community VLANs |
|
|
When a switch port security violation occurs, you can configure the switch port to respond in one of three ways:
|
Protect
Restrict Shutdown |
|
|
Ports support one of three types of secure MAC addresses:
|
Static secure MAC address
Sticky secure MAC address Dynamic secure MAC address: |
|
|
Static secure MAC address
|
switchport port-security mac-address
|
|
|
Sticky secure MAC address
|
store MAC address-to-port
associations in their switch’s running configuration and CAM table. |
|
|
Dynamic secure MAC address
|
dynamic secure MAC addresses are stored only in a switch’s CAM table, not in a switch’s running configuration.
|
|
|
Enable port security
|
switchport port-security
|
|
|
Cisco Network Admission
Control (NAC) |
To ensure that every endpoint complies with network security policies before being granted access to the network,
Noncompliant is set in qurantine or given restricted access to resources |
