# Switch Security Configuration

## Secure Unused Ports

- A simple way to help secure the network from unauthorized access is to disable all unused ports on a switch.

```
Switch(config)# interface range type module/first-number – last-number
```

```
S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
```

## Mitigate MAC Address Table Attacks

- The most effective way to prevent a MAC address table overflow attack is to enable port security, which controls which devices are authorized to connect to a port.

## Enable Port Security

- By default, Layer 2 switch ports are set to dynamic auto (trunking on), meaning the port negotiates whether it becomes an access or a trunk port. Port security is rejected on such a port, so first use `switchport mode access` to make it an access port; the port then belongs to a single VLAN and, with the default maximum of 1, accepts a single device.

```
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#
```

```
S1# show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
```

## Limit and Learn MAC Addresses

```
S1(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
```

- `switchport port-security maximum value` => the maximum number of MAC addresses allowed on a port.
- `switchport port-security mac-address mac-address` => manually configure a secure MAC address for a port.
- `switchport port-security` => secure MAC addresses are dynamically learned (and lost when the switch restarts).
- `switchport port-security mac-address sticky` => secure MAC addresses are dynamically learned and "stuck" to the running configuration.
## Port Security Aging

```
Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}
```

![image](https://hackmd.io/_uploads/B1cwxVyVC.png)

```
S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : a41f.7272.676a:1
Security Violation Count   : 0
```

## Port Security Violation Modes

```
Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}
```

![image](https://hackmd.io/_uploads/HyLabVkER.png)

![image](https://hackmd.io/_uploads/rJaW7Vk4R.png)

# Mitigate VLAN Attacks

![image](https://hackmd.io/_uploads/B1Uzu4kVR.png)

## Steps to Mitigate VLAN Hopping Attacks

![image](https://hackmd.io/_uploads/B1zNuEk40.png)

![image](https://hackmd.io/_uploads/rk5VuNkEA.png)

![image](https://hackmd.io/_uploads/rJso_NJN0.png)

# Mitigate DHCP Attacks

![image](https://hackmd.io/_uploads/HyzsQS1NR.png)

## DHCP Snooping

![image](https://hackmd.io/_uploads/SkgRQSy4R.png)

## Steps to Implement DHCP Snooping

![image](https://hackmd.io/_uploads/rkRrESyER.png)

## Example

![image](https://hackmd.io/_uploads/BJMOVSkNC.png)

```
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
```

![image](https://hackmd.io/_uploads/rk01rByV0.png)

# Mitigate ARP Attacks

## Dynamic ARP Inspection

![image](https://hackmd.io/_uploads/ByVE8SyE0.png)

## DAI Implementation Guidelines

![image](https://hackmd.io/_uploads/H1PoYSkVA.png)

```
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
```

# Mitigate STP Attacks

![image](https://hackmd.io/_uploads/BkQrsry4C.png)

![image](https://hackmd.io/_uploads/r1kJhBJE0.png)

## Configure PortFast

- Enabling PortFast on a port that leads to another switch, bridge, or hub creates **a risk of creating a spanning-tree loop**, so it should only be enabled on ports connected to a single host.
- PortFast can be enabled on an interface by using the `spanning-tree portfast` interface configuration command. Alternatively, PortFast can be configured globally on all access ports by using the `spanning-tree portfast default` global configuration command.

```
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#
```

## Configure BPDU Guard

- Even though PortFast is enabled, the interface will still listen for BPDUs.
  Unexpected BPDUs might be accidental, or part of an unauthorized attempt to add a switch to the network.
- If any BPDUs are received on a BPDU Guard enabled port, that port is put into the error-disabled state. This means the port is shut down and must be manually re-enabled, or automatically recovered through the `errdisable recovery cause bpduguard` global command.
- BPDU Guard can be enabled on a port by using the `spanning-tree bpduguard enable` interface configuration command. Alternatively, use the `spanning-tree portfast bpduguard default` global configuration command to globally enable BPDU Guard on all PortFast-enabled ports.

```
S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
(output omitted)
```

# Some Questions

![image](https://hackmd.io/_uploads/SknlBL14C.png)

![image](https://hackmd.io/_uploads/ryquSIkEC.png)

![image](https://hackmd.io/_uploads/H1zcHUJVC.png)

![image](https://hackmd.io/_uploads/SkA9rLJ40.png)
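Pulling together the DHCP snooping, DAI and PortFast/BPDU Guard sections above, the following added audit script (not part of the original notes) reads a running-config and reports two misconfigurations those sections warn about: a VLAN with `ip arp inspection` but no `ip dhcp snooping` (DAI has no binding table to validate ARP against), and a port where PortFast is in effect, explicitly or through `spanning-tree portfast default`, without BPDU Guard in effect. The sample config is constructed from the commands on this page; the `audit_config` report format is an assumption of this example.

```python
# Constructed sample running-config built from this page's commands (not a real capture).
SAMPLE_CONFIG = """\
spanning-tree portfast default
ip dhcp snooping vlan 5,10,50-52
ip arp inspection vlan 10,20
!
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
"""

def expand_vlans(spec):  # IOS VLAN list "5,10,50-52" -> {5, 10, 50, 51, 52}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):  # -> (global commands, {interface name: [its commands]})
    globals_, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line and not line.startswith("!"):  # a global command ends the stanza
            current = None
            globals_.append(line)
    return globals_, interfaces

def audit_config(text):  # findings keyed by "global" or interface name; {} means clean
    globals_, interfaces = parse_config(text)
    report = {}
    def vlans(prefix):  # union of the VLAN lists on every global line with this prefix
        return {v for g in globals_ if g.startswith(prefix) for v in expand_vlans(g.split()[-1])}
    missing = vlans("ip arp inspection vlan ") - vlans("ip dhcp snooping vlan ")
    if missing:  # DAI validates ARP against the DHCP snooping binding table
        report["global"] = [f"DAI on VLAN(s) {sorted(missing)} without DHCP snooping"]
    portfast_default = "spanning-tree portfast default" in globals_
    bpduguard_default = "spanning-tree portfast bpduguard default" in globals_
    for name, cmds in interfaces.items():
        access = "switchport mode access" in cmds  # the global default only covers non-trunk ports
        portfast = "spanning-tree portfast" in cmds or (access and portfast_default)
        if portfast and not ("spanning-tree bpduguard enable" in cmds or bpduguard_default):
            report[name] = ["PortFast without BPDU Guard"]
    return report
```

Run `audit_config(SAMPLE_CONFIG)` to see both findings; adding `spanning-tree portfast bpduguard default` and `ip dhcp snooping vlan 20` to the sample clears them.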