Cisco® CCNA Exam Cram Notes : Layer2 security features

VIII. Security Fundamentals

4. Layer2 security features

1. Switch ports and port security: Each port on a Cisco switch can be configured as either an access or a trunk port. The port type determines how the switch decides which VLAN an incoming frame belongs to. Here is a description of these two port types:

Access port – a port that can be assigned to a single VLAN. The frames that arrive on an access port are assumed to be part of the access VLAN. This port type is configured on switch ports that are connected to devices with a normal network card, for example a host on a network.

  • Frames sent through this port belong to a single VLAN

  • Typically uses a straight-through cable to connect a host

  • Connects an end-user host to a switch

Trunk port – a port that is connected to another switch. This port type can carry traffic of multiple VLANs, thus allowing you to extend VLANs across your entire network. Frames are tagged by assigning a VLAN ID to each frame as it traverses the link between switches.

  • Frames sent through this port belong to multiple VLANs

  • Facilitates inter-VLAN communication when connected to a Layer 3 device

  • Uses tags to identify traffic from different VLANs

Port Security: You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

There are three different main violation types: shutdown, protect, and restrict.

Shutdown - When a violation occurs in this mode, the switchport will be taken out of service and placed in the err-disabled state. The switchport will remain in this state until an administrator manually re-enables it; this is the default switchport security violation mode.

Protect - When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. When using this mode, no notification message is sent when this violation occurs.

Restrict - When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.

The default behavior for a security violation is to shut down that port (err-disable it) until it is manually re-enabled. To find out which interface is associated with a given MAC address, use the "show mac-address-table" command. It shows the learned MAC addresses and their associated interfaces.

Port security is configured on Layer 2 interfaces to allow a specified number of MAC addresses on each interface.

The command "switchport port-security" only enables port security; before you enable it, you must specify whether the port is an access or a trunk port by issuing one of the following commands:

switchport mode access
switchport mode trunk

To configure the maximum number of MAC addresses allowed, issue the following command:

switchport port-security maximum 3 (replace 3 with the maximum number of addresses you want to allow).

And finally, for the case of a violation, you can set the action to protect, restrict, or shutdown by issuing the following command:

switchport port-security violation shutdown/restrict/protect

The "switchport mode access" command typically precedes the "switchport port-security" command as the port must be configured as an access or trunk port before configuring switchport port security.

The command "switchport mode access" configures the port as a static access port. The port operates as a non-trunking, single-VLAN interface that transmits and receives non-encapsulated frames. An access port can be assigned to only one VLAN. On the other hand, a switchport configured as a "trunk" port transmits and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router.

The command "switchport access vlan 1" is also typically configured before the "switchport port-security" command.

The command "switchport port-security maximum 1" sets the maximum number of secure MAC addresses (hosts) that can be associated with the interface. The default value is 1; skip this command to use the default. This command typically follows the "switchport port-security" command.

The command "switchport port-security violation shutdown" sets the security violation mode. The default mode is shutdown. This command typically follows the "switchport port-security" command.
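As an added example that is not part of the cram notes, the Python model below shows how a port with port security treats incoming frames under each of the three violation modes described above. The class and method names are ours, and for simplicity the model keeps dynamically learned addresses across an err-disable recovery.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of one access port with port security enabled."""
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown (default) | restrict | protect
    secure_macs: set = field(default_factory=set)   # static or learned secure MACs
    err_disabled: bool = False
    violation_count: int = 0         # counted only in restrict mode
    log: list = field(default_factory=list)         # stands in for syslog / SNMP trap

    def receive(self, src_mac: str) -> bool:
        """Handle a frame arriving on the port. True = forwarded, False = dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False             # err-disabled: nothing passes until cleared
        if src_mac in self.secure_macs:
            return True              # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # room left: learn it as a secure MAC
            return True
        # Unknown source MAC beyond the configured maximum: a security violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"err-disabled: violation from {src_mac}")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"violation from {src_mac}")   # notification is sent
        # protect: drop silently, no counter, no message
        return False

    def clear_errdisable(self) -> None:
        """Operator issues 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
```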

2. DHCP snooping: DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or to another switch. When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN that has DHCP snooping enabled, the switch compares the source MAC address with the DHCP client hardware address. If the addresses match (this MAC address verification is enabled by default), the switch forwards the packet. If the addresses do not match, the switch drops the packet. The switch drops a DHCP packet when one of these situations occurs:

3. Dynamic ARP Inspection (DAI): Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed.
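As an added example that is not part of the cram notes, the Python model below combines the two checks from sections 2 and 3: DHCP snooping builds an IP-to-MAC binding table from server replies seen on trusted ports and drops DHCP packets on untrusted ports whose source MAC does not match the client hardware address, and DAI validates ARP packets on untrusted ports against that binding table (which is what DAI on Cisco switches uses by default). Port names, MAC and IP values, and the dict-based packet layout are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Constructed model of DHCP snooping and DAI state for one VLAN."""
    trusted_ports: set                              # ports facing the DHCP server / uplink
    pending: dict = field(default_factory=dict)     # client chaddr -> port it requested on
    bindings: dict = field(default_factory=dict)    # ip -> (mac, port): snooping binding table
    log: list = field(default_factory=list)         # stands in for syslog

    def dhcp_in(self, port: str, src_mac: str, msg: dict) -> bool:
        """DHCP snooping check on one DHCP packet. True = forward, False = drop."""
        if port in self.trusted_ports:
            # Server reply on a trusted port: a DHCPACK creates a binding entry
            if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
                self.bindings[msg["yiaddr"]] = (msg["chaddr"], self.pending.pop(msg["chaddr"]))
            return True
        if msg["type"] in ("OFFER", "ACK", "NAK"):
            self.log.append(f"{port}: DHCP server message on untrusted port")
            return False                            # rogue DHCP server
        # Untrusted port: frame source MAC must equal the DHCP client hardware address
        if src_mac != msg["chaddr"]:
            self.log.append(f"{port}: chaddr {msg['chaddr']} != source MAC {src_mac}")
            return False
        self.pending[msg["chaddr"]] = port          # DISCOVER/REQUEST from a real client
        return True

    def arp_in(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI check: sender IP/MAC must match a binding learned on this port."""
        if port in self.trusted_ports:
            return True                             # DAI does not inspect trusted ports
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"{port}: invalid ARP binding {sender_ip} -> {sender_mac}")
            return False                            # intercepted, logged, discarded
        return True
```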
