Cisco Switches Layer 2 Security

fgdfg

　　■ Disable unneeded dynamic protocols like CDP and DTP.
　　example:
　　int fa0/0
　　no cdp enable
　　switchport nonegotiate
　　■ Disable trunking by configuring these ports as access ports.
　　example:
　　int fa0/0
　　switchport mode access
　　■ Enable BPDU Guard and Root Guard to prevent STP attacks and keep a stable STP topology, normal on access-layer switches
　　example:
　　int fa0/0
　　spanning-tree guard root
　　spanning-tree bpduguard enable
　　■ Enable port security to at least limit the number of allowed MAC addresses, and possibly restrict the port to use only specific MAC addresses.
　　example:
　　interface FastEthernet0/1
　　switchport mode access
　　switchport port-security
　　switchport port-security mac-address 0200.1111.1111
　　■ Use 802.1X user authentication.
　　example:
　　aaa new-model
　　aaa authentication dot1x default group radius
　　dot1x system auth-control
　　radius-server host 10.1.1.1 key cisco
　　! The server ports (fa0/1 and fa0/2), inside a secure datacenter, do not require 802.1x authentication.
　　int fa0/1
　　dot1x port-control force-authorized
　　int fa0/2
　　dot1x port-control force-authorized
　　! The client ports (fa0/3 and fa0/4) require 802.1x authentication.
　　int fa0/3
　　dot1x port-control auto
　　int fa0/4
　　dot1x port-control auto
　　! The unused port (fa0/5) is configured to be in a permanently unauthorized
　　! state until the dot1x port-controlcommand is reconfigured for this port. As such, the port will only allow CDP, STP, and EAPoL frames.
　　int fa0/5
　　dot1x port-control force-unauthorized
　　Note:
　　· Using 802.1X (auto)
　　· Not using 802.1X, but the interface is automatically authorized (force-authorized) (default)
　　· Not using 802.1X, but the interface is automatically unauthorized (force-unauthorized)
　　■ Using storm-control to imply rate limit on Layer 2 interfaces
　　example:
　　Cat3560(config)# interface FastEthernet0/10
　　Cat3560(config-if)# storm-control broadcast level pps 100 50
　　Cat3560(config-if)# storm-control multicast level 0.50 0.40
　　Cat3560(config-if)# storm-control unicast level 80.00
　　Cat3560(config-if)# storm-control action trap
　　■ Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle attacks.
　　example:
　　建议在接入层交换机上设置
　　Switch(config)# ip dhcp snooping   开启dhcp snooping
　　Switch(config)# ip dhcp snooping vlan 104  开启vlan 104 dhcp snooping
　　Switch(config)# ip dhcp snooping database tftp://192.168.1.1/dhcp-snooping.db      将绑定表保存在flash中
　　Switch(config)# interface range fastethernet 0/35 – 36  nontrust端口设置
　　Switch(config-if)# ip dhcp snooping limit rate 3
　　Switch(config-if)# ip dhcp snooping verify mac-address   --optional
　　Switch(config-if)# ip verify source   只需在nontrust端口上设置
　　IP Source Guard针对静态地址的机器：
　　Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
　　例如：Switch(config)# ip source binding 0016.d49f.4866 vlan 104 192.168.10.3 interface fa0/2
　　Switch(config-if)# interface gigabitethernet 0/1  trust端口，连接DHCP服务器或者上联端口
　　Switch(config-if)# ip dhcp snooping trust
　　■ Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing.
　　example:
　　Switch(config)# ip arp inspection vlan 104  开启arp inspect
　　Switch(config)# ip arp inspection limit rate 15
　　Switch(config)# ip arp inspection validate src-mac dst-mac ip
　　Switch(config)# ip arp inspection log-buffer entries 1024
　　Switch(config)# ip arp inspection log-buffer logs 1024 interval 300
　　Switch(config)# errdisable recovery cause arp-inspection
　　Switch(config)# errdisable recovery interval 30
　　Switch(config)# arp access-list StaticARP   针对静态地址的机器配置arp inspect
　　Switch(config-acl)# permit ip host 192.168.1.10 mac host 0006.5b02.a841
　　Switch(config)# ip arp inspection filter StaticARP vlan 104
　　Switch(config)# interface gigabitethernet 0/1   对于上联端口开启trust
　　Switch(config-if)# ip arp inspection trust
　　■ For any port (including trusted ports), consider the general use of private VLANs to further protect the network from sniffing, including preventing routers or L3 switches from routing packets between devices in the private VLAN. If private VLANs are used, Cisco also recommends additional protection against a trick by which an attacker can use the default gateway to overcome the protections provided by private VLANs.
　　To solve such a problem, the router simply needs an inbound ACL on its LAN interface that denies traffic whose source and destination IP addresses are in the same local connected subnet. For example, an access-list 101 deny ip 10.1.1.0. 0.0.0.255 10.1.1.0 0.0.0.255 command would prevent this attack.
　　■ Configure VTP authentication globally on each switch to prevent DoS attacks.
　　■ Disable unused switch ports and place them in an unused VLAN.
　　■ Avoid using VLAN 1.
　　■ For trunks, do not use the native VLAN, suggest using a different native VLAN for each trunk