8/22 Securing Layer 2 Technologies (CCNA Security 640-554 Exam Cram)


8.1 Memory Tables

8.1.2 Tool Kit for L2 Security

Tool > Description
Port security > Limits the number (and optionally the identity) of MAC addresses learned on an access port, defeating MAC address table flooding (CAM table overflow).
BPDU guard > Err-disables a port the moment a BPDU arrives on it, so a rogue or accidentally connected switch cannot join the spanning tree through an access port.
Root guard > Keeps a port from ever becoming a root port: a superior BPDU received on it puts the port into root-inconsistent (blocking) state, so no switch behind that port can take over as root bridge.
Dynamic ARP inspection > Checks ARP packets arriving on untrusted ports against the DHCP snooping binding table (or ARP ACLs) and drops those that do not match, stopping ARP spoofing and poisoning by hosts.
IP source guard > Filters IP traffic on untrusted ports to the source IP address (optionally also the MAC) recorded in the DHCP snooping binding table, stopping IP address spoofing by hosts.
802.1x > Authenticates the connecting user or device (normally against a RADIUS server) before the port forwards its data frames.
DHCP snooping > Drops DHCP server messages that arrive on untrusted ports, so a rogue DHCP server cannot answer clients, and builds the IP/MAC/VLAN/port binding table that DAI and IP source guard rely on.
Storm control > Rate-limits broadcast, multicast or unknown unicast traffic on a port; above the threshold the excess is dropped, or the port is err-disabled if configured to shut down.
Access control lists > Traffic control to enforce policy. Access control is covered in another chapter.
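Four of the tools in this table (DHCP snooping, Dynamic ARP inspection, IP source guard and storm control) get no command example elsewhere on this page, so one is added here; it is not taken from the Exam Cram. It assumes a single user VLAN 10, a DHCP server reached through uplink fa0/24, and a user port fa0/2; all three are made-up values. Order matters: DHCP snooping comes first because DAI and IP source guard consult the binding table it builds, and the uplink must be marked trusted before DAI is turned on, otherwise legitimate ARP replies from the gateway and the rest of the network are dropped.

```text
! Assumed topology: VLAN 10 = users, fa0/24 = uplink toward the DHCP server,
! fa0/2 = user port. None of this comes from the original page.

! --- DHCP snooping: build the IP/MAC/VLAN/port binding table ---
SW2 (config)# ip dhcp snooping
SW2 (config)# ip dhcp snooping vlan 10
! On by default; keep it so a starvation tool that varies only the DHCP
! chaddr field (not the frame source MAC) is dropped on untrusted ports
SW2 (config)# ip dhcp snooping verify mac-address
SW2 (config)# interface fa0/24
SW2 (config-if)# ip dhcp snooping trust
SW2 (config-if)# interface fa0/2
! User ports stay untrusted (the default); cap DHCP messages per second
SW2 (config-if)# ip dhcp snooping limit rate 10
SW2 (config-if)# exit

! --- Dynamic ARP inspection: drop ARP that contradicts the binding table ---
SW2 (config)# ip arp inspection vlan 10
SW2 (config)# ip arp inspection validate src-mac dst-mac ip
SW2 (config)# interface fa0/24
SW2 (config-if)# ip arp inspection trust
SW2 (config-if)# exit

! --- IP source guard: only the source IP bound to fa0/2 may send on it ---
SW2 (config)# interface fa0/2
SW2 (config-if)# ip verify source
! --- Storm control: cap broadcast and multicast at 20% of port bandwidth,
! drop the excess and send an SNMP trap ---
SW2 (config-if)# storm-control broadcast level 20.00
SW2 (config-if)# storm-control multicast level 20.00
SW2 (config-if)# storm-control action trap
SW2 (config-if)# end

! --- Verification ---
SW2# show ip dhcp snooping
SW2# show ip dhcp snooping binding
SW2# show ip arp inspection vlan 10
SW2# show ip arp inspection statistics vlan 10
SW2# show ip verify source
SW2# show storm-control fa0/2
```

Two caveats a lab run will surface: a host with a static IP address is never in the binding table, so DAI and IP source guard drop its traffic until a static entry is added (ip source binding <mac> vlan 10 <ip> interface fa0/2) or an ARP ACL is written for it; and if the upstream DHCP relay or server rejects the option 82 data the switch inserts, clients stop getting leases, which is fixed with no ip dhcp snooping information option. Adding the port-security keyword to ip verify source also checks the source MAC, but requires switchport port-security on the port.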

8.2 Things to Remember

Command > Description
switchport mode access > Make the port a static access port that does not negotiate a trunk
switchport access vlan 10 > Place the device connected to this access port in VLAN 10
show interfaces fa0/1 switchport > Verify the configured and operational mode of a switch port (access or trunk, VLAN, negotiation state)
switchport trunk encapsulation dot1q > Select 802.1Q as the trunking encapsulation, on platforms that also support ISL
switchport mode trunk > Make this port a permanent trunk
switchport trunk native vlan 3 > Set the native (untagged) VLAN of the trunk to 3 instead of the default VLAN 1
switchport nonegotiate > Stop the switch from sending DTP frames on this port, so the connected device cannot negotiate a trunk; only valid on a port already set to access or trunk mode
spanning-tree bpduguard enable > Err-disable this port if any BPDU is received on it, which blocks a rogue or mis-plugged switch
spanning-tree guard root > Put this port into root-inconsistent (blocking) state if it receives a superior BPDU, so the root bridge cannot be claimed through it
switchport port-security > Limit the MAC addresses learned on this port, defeating MAC address table flooding (CAM table overflow); it also blunts a DHCP starvation attack whose requests arrive from varying source MAC addresses (a tool that varies only the DHCP chaddr field is caught by DHCP snooping's MAC address verification instead)

8.3 Command Examples

Creating a New VLAN and Placing Switch Ports into That VLAN
SW1 (config)# vlan 10
SW1 (config-vlan)# interface fa0/1
SW1 (config-if)# switchport mode access
SW1 (config-if)# switchport access vlan 10
SW1 (config-if)# do show vlan brief
SW1# show vlan id 10
SW1# show interfaces fa0/1 switchport

Configure Interfaces as Trunk Ports
SW2 (config)# interface range fa0/23-24
SW2 (config-if-range)# switchport trunk encapsulation dot1q
SW2 (config-if-range)# switchport mode trunk
SW2 (config-if-range)# do show interface trunk
SW2# show interface fa0/23 switchport

Using Virtual “Sub” Interfaces
Configuring Router on a Stick and Switch Support for the Router
SW1 (config)# int fa 0/3
SW1 (config-if)# switchport trunk encapsulation dot1q
SW1 (config-if)# switchport mode trunk
R3 (config)# int fa 0/0
R3 (config-if)# no shutdown
Create a logical subinterface, using any number following the dot (conventionally the VLAN ID), then tie it to VLAN 10 with the dot1q encapsulation
R3 (config-if)# int fa 0/0.1
R3 (config-subif)# encapsulation dot1q 10
R3 (config-subif)# ip address 10.0.0.1 255.255.255.0
R3 (config-subif)# do ping 10.0.0.11
R3 (config-subif)# do ping 10.0.0.22

STP Verification and Annotations
SW1# show spanning-tree vlan 10
SW2# show spanning-tree vlan 10
SW2# show interfaces trunk

Configure PortFast, Then Rapid Spanning Tree
SW2 (config)# interface fa0/2
SW2 (config-if)# spanning-tree portfast
SW2 (config-if)# exit
SW2 (config)# spanning-tree portfast default
SW2 (config)# spanning-tree mode rapid-pvst
SW2# show spanning-tree vlan 10

Administratively Locking Down Switch Ports
SW2 (config)# int fa0/2
SW2 (config-if)# switchport mode access
SW2 (config-if)# switchport access vlan 10
SW2 (config-if)# switchport nonegotiate
SW2 (config-if)# int fa0/23
SW2 (config-if)# switchport trunk encapsulation dot1q
SW2 (config-if)# switchport mode trunk
SW2 (config-if)# switchport trunk native vlan 3
SW2 (config-if)# switchport nonegotiate
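The lockdown above turns DTP off but gives no picture of the weak state it replaces, nor of how far a trunk should be pruned. The following configuration is an added example, not from the original page. It assumes fa0/2 is a user port, fa0/23 the uplink trunk, VLANs 10 and 20 the user VLANs, VLAN 999 an otherwise unused VLAN reserved for the native VLAN, VLAN 998 a parking VLAN, and fa0/10-20 unused ports; all of these are hypothetical.

```text
! Assumed: fa0/2 user port, fa0/23 uplink trunk, VLANs 10/20 users,
! VLAN 999 native-only, VLAN 998 parking, fa0/10-20 unused (all hypothetical).

! Weak state (shown only for contrast): a port in a dynamic mode answers DTP,
! so a host that sends crafted DTP frames can turn its access port into a
! trunk and reach every VLAN. Catalyst defaults are dynamic auto or dynamic
! desirable depending on model, so this is often the out-of-the-box state.
SW2 (config)# interface fa0/2
SW2 (config-if)# switchport mode dynamic desirable

! Hardened user port: static access, fixed VLAN, no DTP at all
SW2 (config-if)# switchport mode access
SW2 (config-if)# switchport access vlan 10
SW2 (config-if)# switchport nonegotiate
SW2 (config-if)# exit

! Hardened trunk: carry only the VLANs it must, move the native VLAN off
! VLAN 1 to a VLAN no access port uses, and (platform permitting) tag the
! native VLAN so a double-tagged frame is not forwarded untagged
SW2 (config)# vlan 999
SW2 (config-vlan)# name native-unused
SW2 (config-vlan)# vlan 998
SW2 (config-vlan)# name parking
SW2 (config-vlan)# interface fa0/23
SW2 (config-if)# switchport trunk encapsulation dot1q
SW2 (config-if)# switchport mode trunk
SW2 (config-if)# switchport trunk native vlan 999
SW2 (config-if)# switchport trunk allowed vlan 10,20
SW2 (config-if)# switchport nonegotiate
SW2 (config-if)# exit
SW2 (config)# vlan dot1q tag native

! Park unused ports: access mode, parking VLAN, shut down
SW2 (config)# interface range fa0/10-20
SW2 (config-if-range)# switchport mode access
SW2 (config-if-range)# switchport access vlan 998
SW2 (config-if-range)# shutdown
SW2 (config-if-range)# end

! Verify: on fa0/2 expect Administrative Mode "static access" and
! Negotiation of Trunking "Off"; on fa0/23 expect native VLAN 999 and
! only VLANs 10,20 allowed
SW2# show interfaces fa0/2 switchport
SW2# show dtp interface fa0/2
SW2# show interfaces trunk
```

The weak dynamic desirable line is there to make the contrast visible; in production it is simply never typed. IOS refuses switchport nonegotiate on a port still in a dynamic mode, which is why switchport mode access or switchport mode trunk precedes it in both places.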

Implementing BPDU Guard on a Switch Port
SW2 (config-if)# int fa 0/2
SW2 (config-if)# spanning-tree bpduguard enable
SW2# show int fa0/2 status

Configuring the Switch to Automatically Restore Err-Disabled Ports
SW2 (config)# errdisable recovery cause bpduguard
SW2 (config)# errdisable recovery interval 30
SW2# show errdisable recovery

Controlling Which Ports Face the Root of the Spanning Tree
SW1 (config)# int fa 0/24
SW1 (config-if)# spanning-tree guard root

Implementing Port Security
SW2 (config-if)# switchport port-security
SW2 (config-if)# switchport port-security maximum 5
SW2 (config-if)# switchport port-security violation protect
SW2 (config-if)# switchport port-security mac-address sticky
SW2# show port-security
SW2# show port-security interface fa0/2
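The example above uses violation protect, which drops frames from excess MAC addresses silently and leaves nothing in the logs. The following is an added example, not from the original page, showing the three violation modes side by side on hypothetical ports fa0/2 through fa0/4, together with automatic recovery so a port that went err-disabled does not need an operator to bring it back.

```text
! Assumed: fa0/2-4 are user ports in VLAN 10 (hypothetical).
! Port security is only accepted on a static access or trunk port, never on
! a port in a dynamic mode, so the mode is set first.
SW2 (config)# interface range fa0/2-4
SW2 (config-if-range)# switchport mode access
SW2 (config-if-range)# switchport access vlan 10
SW2 (config-if-range)# switchport port-security
SW2 (config-if-range)# switchport port-security maximum 2
SW2 (config-if-range)# switchport port-security mac-address sticky
SW2 (config-if-range)# exit

! protect: excess MACs dropped silently, no syslog, violation counter does
! not increment. Cheapest to run, hardest to detect.
SW2 (config)# interface fa0/2
SW2 (config-if)# switchport port-security violation protect
! restrict: excess MACs dropped, SecurityViolation counter increments and a
! syslog message / SNMP trap is generated. Port stays up.
SW2 (config-if)# interface fa0/3
SW2 (config-if)# switchport port-security violation restrict
! shutdown (the default): the first violation err-disables the port.
SW2 (config-if)# interface fa0/4
SW2 (config-if)# switchport port-security violation shutdown
SW2 (config-if)# exit

! Bring err-disabled ports back on their own after 5 minutes; without this
! a flooding attempt turns into a denial of service until someone clears it
SW2 (config)# errdisable recovery cause psecure-violation
SW2 (config)# errdisable recovery interval 300
SW2 (config)# end

! Verify: Violation Mode, Maximum/Total/Sticky MAC Addresses and
! Security Violation Count per port, plus which MACs were learned
SW2# show port-security
SW2# show port-security interface fa0/3
SW2# show port-security address
SW2# show errdisable recovery
```

Restrict is usually the right choice on user ports: it keeps the legitimate host working, and the incrementing counter plus syslog is what a detection rule can key on, whereas protect gives the SOC nothing to see. Sticky learning writes the learned MACs into the running configuration, so a copy running-config startup-config after the real hosts have been seen is what makes them survive a reboot.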
