© 2015 Mohamed Samir YouTube channel. All rights reserved. www.mohamedsamir.com
Mohamed Samir: CCNP-SWITCHING 300-115 (Mohamed Samir YouTube channel)
1  CCNP-SWITCHING 300-115
Mohamed Samir YouTube channel
Double CCIEs #27042 (R/S & SP)

2  Part VII: Securing Switched Networks

3  Securing Switch Access

4  Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2        (range: 1-1024)
By default, port security allows only one MAC address on the port.
To make the learned addresses persistent across a switch reboot (sticky):
Switch(config-if)# switchport port-security mac-address sticky
To configure a static secure address:
Switch(config-if)# switchport port-security mac-address 0006.5b02.a841
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Protect: all packets from violating MAC addresses are dropped
Restrict: same as protect, but a syslog message is sent as an alert of the violation
Shutdown (default): the port is placed in the err-disabled state

5  Port Security
interface GigabitEthernet1/0/11
 switchport access vlan 991
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast

Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.

The learned secure addresses need to be cleared before this action:
Switch# clear port-security {all | configured | dynamic | sticky} [address mac-addr | interface type member/mod/num]
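With "violation restrict" the port stays up and every offending frame produces a PSECURE_VIOLATION message, so the log is the detection signal. The following added example (not from the slides) parses those messages and flags ports whose (port, MAC) pair repeats; the log lines are constructed, patterned on the message above, and the threshold is an assumption.

```python
import re
from collections import Counter

# Matches the %PORT_SECURITY-2-PSECURE_VIOLATION message format shown on the slide.
VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \w+): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

def parse_violation(line):
    """Return {'ts', 'mac', 'port'} for a PSECURE_VIOLATION line, else None."""
    m = VIOLATION_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """Count violations per (port, mac) and list ports at or over the threshold.

    A repeating (port, mac) pair means the same unexpected device keeps
    sending on a restrict-mode port; that port deserves a physical check.
    """
    counts = Counter()
    for line in lines:
        ev = parse_violation(line)
        if ev:
            counts[(ev["port"], ev["mac"])] += 1
    noisy = sorted({port for (port, _), n in counts.items() if n >= threshold})
    return counts, noisy

# Constructed sample log (not a real capture), patterned on the slide's message.
SAMPLE_LOG = """\
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.
Jun 3 17:18:42.101 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.
Jun 3 17:18:42.455 EDT: %SYS-5-CONFIG_I: Configured from console by admin
Jun 3 17:18:43.002 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.
Jun 3 17:19:10.330 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/12.
""".splitlines()

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for (port, mac), n in sorted(counts.items()):
        print(f"{port} {mac} violations={n}")
    print("ports needing attention:", noisy)
```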


7  Port-Based Authentication
The switch port will not pass any traffic until a user has authenticated with the switch.
Both the switch and the end user's PC must support the 802.1X standard, using the Extensible Authentication Protocol over LANs (EAPOL).
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.1 key BigSecret
Switch(config)# radius-server host 10.1.1.2 key AnotherBigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range gigabitethernet1/0/1 - 40
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
Syntax: dot1x port-control {force-authorized | force-unauthorized | auto}

8  Storm Control
Storm control limits the rate of:
 Broadcast frames
 Multicast frames
 Unknown unicast frames
Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
 level: percentage of the interface bandwidth
 bps: bits per second
 pps: packets per second
Switch(config-if)# storm-control action {shutdown | trap}
The default action is simply to drop the excessive frames.
Switch# show storm-control [interface-id] [broadcast | multicast | unicast]

9  Best Practices for Securing Switches
Configure secure passwords: use enable secret
Use system banners
Secure the web interface: if you do not need it, disable it:
Switch(config)# no ip http server
Otherwise, use HTTPS and restrict who can reach it:
Switch(config)# ip http secure-server
Switch(config)# access-list 1 permit 10.100.50.0 0.0.0.255
Switch(config)# ip http access-class 1
Secure the switch console
Secure virtual terminal access:
Switch(config)# access-list 10 permit 192.168.199.10
Switch(config)# access-list 10 permit 192.168.201.100
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in

10  Best Practices for Securing Switches (continued)
Use SSH whenever possible: SSH uses strong encryption to secure session data; use the highest SSH version available on the switch.
Secure SNMP access: use the secure features of SNMPv3.
Secure unused switch ports
Secure STP operation
Secure the use of CDP and the Link Layer Discovery Protocol (LLDP)
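The port-security, storm-control and best-practice slides above describe settings that are easy to check mechanically in a saved running-config. The following added example (not from the slides or any Cisco tool) parses IOS-style config text into global lines and interface/line sections and reports access ports without port-security or broadcast storm-control, an HTTP server without an access-class, and vty lines without an inbound access-class; the sample config is constructed and the checks are a hypothetical subset of the slides' advice.

```python
def parse_ios_config(text):
    """Split IOS-style config into global lines and {section: [indented lines]}."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            current = None                      # '!' or blank line ends a section
        elif raw[0] in " \t" and current:
            sections[current].append(stripped)  # indented line belongs to the section
        elif stripped.startswith(("interface ", "line ")):
            current = stripped                  # new interface or line section
            sections[current] = []
        else:
            current = None
            globals_.append(stripped)           # any other top-level command
    return globals_, sections

def audit(text):
    """Return findings against the hardening practices on the slides (hypothetical checks)."""
    g, sections = parse_ios_config(text)
    findings = []
    if "ip http server" in g and not any(l.startswith("ip http access-class") for l in g):
        findings.append("global: ip http server enabled without an access-class")
    for name, lines in sections.items():
        if name.startswith("interface ") and "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port-security")
            if not any(l.startswith("storm-control broadcast") for l in lines):
                findings.append(f"{name}: access port without broadcast storm-control")
        if name.startswith("line vty") and not any(l.startswith("access-class") for l in lines):
            findings.append(f"{name}: vty lines without an inbound access-class")
    return findings

# Constructed sample config (not from the slides): one hardened and one weak access port.
SAMPLE_CONFIG = """\
ip http server
interface GigabitEthernet1/0/11
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20
interface GigabitEthernet1/0/12
 switchport mode access
line vty 0 15
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```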

11  Any questions?

12  Thank you for your time! Thank you, and may God reward you with good.
