Layer 2 Security

作者:admin发表时间:2010-10-12 评论:0 点击 2,728+

Topology Diagram

Objectives

Assign the Central switch as the root bridge.

Secure spanning-tree parameters to prevent STP manipulation attacks.

Enable storm control to prevent broadcast storms.

Enable port security to prevent MAC address table overflow attacks.

Introduction

There have been a number of attacks on the network recently. For this reason, the

network administrator has assigned you the task of configuring Layer 2 security.

For optimum performance and security, the administrator would like to ensure that the

root bridge is the 3560

Central switch. To prevent against spanning-tree manipulation attacks, the administrator

wants to ensure that the STP parameters are secure. In addition, the network

administrator would like to enable storm control to prevent broadcast storms. Finally,

to prevent against MAC address table overflow attacks, the network administrator has

decided to configure port security to limit the number of MAC addresses that can be

learned

per switch port. If the number of MAC addresses exceeds the set limit, the administrator

would like for the port to be shutdown.

All switch devices have been preconfigured with the following:

Enable password: ciscoenpa55

Console password: ciscoconpa55

VTY line password: ciscovtypa55

Task 1: Configure Root Bridge

S tep 1. Determin e the c u rrent ro o t bridge.

From Central, issue the show spanning-tree command to determine the current root bridge

and to see the ports in use and their status.

Which switch is the current root-bridge? Current root is SW-1

Based on the current root-bridge, what is the resulting spanning-tree? (Draw the

spanning-tree topology.)

S tep 2. A s s ign C entra l as the prima r y ro o t bridge.

Using the spanning-tree vlan 1 root primary command, assign the 3560 Central switch as

the root bridge.

Central(config)# spanning-tree vlan 1 root primary

S tep 3. A ss ign SW -1 a s a s ec o nda r y ro o t bridge.

Assign SW-1 as the secondary root bridge using the spanning-tree vlan 1 root secondary

command.

SW-1(config)# spanning-tree vlan 1 root secondary

S tep 4. V er ify the s pa nning-tree c o nfigu ra tio n .

Issue the show spanning-tree command to verify that 3560 Central switch is the root

bridge. Which switch is the current root-bridge? Current root is Central

Based on the new root-bridge, what is the resulting spanning-tree? (Draw the spanning-

tree topology.)

Task 2: Protect Against STP Attacks

Secure the STP parameters to prevent STP manipulation attacks.

S tep 1. E na ble P o rtF a s t o n a ll a c c es s po rts .

PortFast is configured on access ports that connect to a single workstation or server to

enable them to become active more quickly. On the connected access ports of the SW-A and

SW-B switches, use the spanning-tree portfast command.

SW-A(config)# interface range fastethernet 0/1 – 4

SW-A(config-if-range)# spanning-tree portfast

SW-B(config)# interface range fastethernet 0/1 – 4

SW-B(config-if-range)# spanning-tree portfast

S tep 2. E nable B P D U gu ard o n all ac c es s po rts .

BPDU guard is a feature that can help prevent rogue switches and spoofing on access

ports. Enable BPDU

guard on SW-A and SW-B access ports.

SW-A(config)# interface range fastethernet 0/1 – 4

SW-A(config-if-range)# spanning-tree bpduguard enable

SW-B(config)# interface range fastethernet 0/1 – 4

SW-B(config-if-range)# spanning-tree bpduguard enable

Note: Spanning-tree bpduguard can be enabled on each individual port using the command

spanning-tree bpduguard enable, or in global configuration mode with the command

spanning-tree portfast bpduguard default. For grading purposes, in this activity please

use the spanning-tree bpduguard enable command.

S tep 3. E na ble ro o t gu a rd.

Root guard can be enabled on all ports on a switch that are not root ports. It is best

deployed on ports that connect to other non-root switches. Use the show spanning-tree

command to determine the location of the root port on each switch.

On switch SW-1, enable root guard on ports Fa0/23 and Fa0/24. On switch SW-2, enable

root guard on ports

Fa0/23 and Fa0/24.

SW-1(config)# interface fa0/23

SW-1(config-if)# spanning-tree guard root

SW-1(config-if)# interface fa0/24

SW-1(config-if)# spanning-tree guard root

SW-2(config)# interface fa0/23

SW-2(config-if)# spanning-tree guard root

SW-2(config-if)# interface fa0/24

SW-2(config-if)# spanning-tree guard root

Task 3: Enable Storm Control

S tep 1. E na ble s to rm c o ntro l fo r bro a dc a s ts .

Enable storm control for broadcasts on all ports connecting switches (trunk ports). Set

a 50 percent rising suppression level using the storm-control broadcast command. Enable

storm-control on interfaces connecting Central, SW-1, and SW-2.

Example:

SW-1(config)# interface gi1/1

SW-1(config-if)# storm-control broadcast level 50

SW-1(config-if)# interface fa0/1

SW-1(config-if)# storm-control broadcast level 50

SW-1(config-if)# interface fa0/23

SW-1(config-if)# storm-control broadcast level 50

SW-1(config-if)# interface fa0/24

SW-1(config-if)# storm-control broadcast level 50

**Repeat on SW-2 (gig1/1, fa0/1, fa0/23, and fa0/24) and Central (gig0/1, gig0/2, fa0/1)

connection to other switches

S tep 2. V er ify s to rm c o ntro l c o nfigu ra tio n .

Verify your configuration with the show storm-control broadcast command and the show run

command.

Task 4: Configure Port Security and Disable Unused Ports

S tep 1. C o nfigu re ba s ic po rt s ec u rity o n a ll po rts c o nn ec ted to ho s t

dev ic es .

This procedure should be performed on all access ports on SW-A and SW-B. Set the maximum

number of learned MAC address to 2, allow the MAC address to be learned dynamically, and

set the violation to shut- down.

Keep in mind that a switch port must be configured as an access port to enable port

security.

Example:

SW-A(config)# interface FastEthernet 0/1

SW-A(config-if)# switchport mode access

SW-A(config-if)# switchport port-security

SW-A(config-if)# switchport port-security maximum 2

SW-A(config-if)# switchport port-security violation shutdown

SW-A(config-if)# switchport port-security mac-address sticky

**Repeat on other ports in SW-A and SW-B

Why would you not want to enable port-security on ports connected to other switches or

routers?

Ports connected to other switch devices and routers can, and should, have a multitude of

MAC addresses learned for that single port. Limiting the number of MAC addresses that

can be learned on these ports can significantly impact network functionality.

S tep 2. V er ify po rt s ec u rity .

On SW-A, issue the show port-security interface fa0/1 command to verify that port

security has been configured.

S tep 3. Dis a ble u nu s ed po rts .

Disable all ports that are currently unused. For efficiency purposes, the Activity

Wizard will only grade Fa0/5 and Fa0/6 on SW-A and SW-B.

Example:

SW-A(config)# interface FastEthernet 0/5

SW-A(config-if)# shutdown

**Repeat on other ports on SW-A and SW-B

S tep 4. C hec k res u lts .

Your completion percentage should be 100%. Click Check Results to see feedback and

verification of which required components have been completed.

顶一下 0 踩一下 0

你可能对以下内容感兴趣!

  1. Configure a Network for S...
  2. Configure and Verify a Si...
  3. Layer 2 VLAN Security
  4. Configure IOS Intrusion P...
  5. Configuring Context-Based...
  6. Configure IP ACLs to Miti...
  7. Configure AAA Authenticat...
  8. Configure Cisco Routers f...

发表评论

*

w_0002.gif w_0009.gif w_0007.gif w_0011.gif w_0005.gif w_0008.gif w_0010.gif w_0003.gif w_0012.gif w_0001.gif w_0006.gif