© 2015 Mohamed Samir YouTube channel. All rights reserved.
CCNP SWITCHING
Mohamed Samir YouTube channel, Double CCIE #27042 (R/S and SP)
Part VII: Securing Switched Networks
Securing Switch Access
Port Security

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
  (range 1-1024; by default, port security allows only one MAC address on the port)

To make the learned addresses persistent across a switch reboot (sticky):
Switch(config-if)# switchport port-security mac-address sticky

To configure a static secure address:
Switch(config-if)# switchport port-security mac-address b02.a841

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
  Protect: all packets from violating MAC addresses are dropped
  Restrict: same as protect, but a syslog message is sent as an alert of the violation
Port Security (example)

interface GigabitEthernet1/0/11
 switchport access vlan 991
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast

Syslog message generated by the restrict action on a violation:
Jun 3 17:18: EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address e on port GigabitEthernet1/0/11.

Before this action, you need to clear the secure addresses:
Switch# clear port-security {all | configured | dynamic | sticky} [address mac-addr | interface type member/mod/num]
Port-Based Authentication (802.1X)

The switch port will not pass any traffic until a user has authenticated with the switch. Both the switch and the end user's PC must support the 802.1X standard, using the Extensible Authentication Protocol over LANs (EAPOL).

Switch(config)# aaa new-model
Switch(config)# radius-server host key BigSecret
Switch(config)# radius-server host key AnotherBigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range gigabitethernet1/0/
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
  (options: force-authorized | force-unauthorized | auto)
Switch(config-if)# dot1x host-mode multi-host
Storm Control

Limits flooding of:
  Broadcast frames
  Multicast frames
  Unknown unicast frames

Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
  level: percentage of interface bandwidth
  bps: bits per second
  pps: packets per second

Switch(config-if)# storm-control action {shutdown | trap}
  The default action is to drop the excessive frames.

Switch# show storm-control [interface-id] [broadcast | multicast | unicast]
Best Practices for Securing Switches

Configure secure passwords: use enable secret.
Use system banners.
Secure the web interface: if you do not need it, disable it:
  Switch(config)# no ip http server
  Otherwise, use HTTPS and restrict access with an ACL:
  Switch(config)# ip http secure-server
  Switch(config)# access-list 1 permit
  Switch(config)# ip http access-class 1
Secure the switch console.
Secure virtual terminal access:
  Switch(config)# access-list 10 permit
  Switch(config)# access-list 10 permit
  Switch(config)# line vty 0 15
  Switch(config-line)# access-class 10 in
Best Practices for Securing Switches (continued)

Use SSH whenever possible: SSH uses strong encryption to secure session data. You should use the highest SSH version that is available on the switch.
Secure SNMP access: use the secure features of SNMPv3.
Secure unused switch ports.
Secure STP operation.
Secure the use of CDP and LLDP (Link Layer Discovery Protocol).
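Added example, not from the slides or the presenter's material: a small Python audit that applies the checks this deck describes (port security and storm control on access ports, 802.1X enabled globally, no plaintext HTTP server, an access-class on the vty lines) to a constructed running-config excerpt. The interface names, the ACL address and the sample config are assumed values for illustration.

```python
# Constructed sample running-config excerpt (assumed values, not a real switch).
SAMPLE_CONFIG = """\
no ip http server
ip http secure-server
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 15
 access-class 10 in
interface GigabitEthernet1/0/11
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20
interface GigabitEthernet1/0/12
 switchport mode access
"""

def parse_blocks(config):
    # Group indented lines under the unindented header line above them.
    blocks, header = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            blocks[header].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            header = raw.strip()
            blocks[header] = []
        else:
            header = None
    return blocks

def audit(config):
    # Return (scope, finding) pairs; an empty list means every check passed.
    blocks = parse_blocks(config)
    findings = []
    if "ip http server" in blocks:
        findings.append(("global", "plaintext HTTP server enabled"))
    if "dot1x system-auth-control" not in blocks:
        findings.append(("global", "802.1X not enabled globally"))
    for header, lines in blocks.items():
        if header.startswith("line vty") and not any(l.startswith("access-class ") for l in lines):
            findings.append((header, "no access-class on vty lines"))
        elif header.startswith("interface ") and "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                findings.append((header, "no port security"))
            if not any(l.startswith("storm-control ") for l in lines):
                findings.append((header, "no storm control"))
    return findings

if __name__ == "__main__":
    for scope, issue in audit(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```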
Any questions?
Thank you for your time! Thank you, and may God reward you well.