Using Port Security to Mitigate Layer 2 Attacks. Get rid of MAC flooding attacks on your switch, and the other Layer 2 attacks that undermine your network security, by implementing switch port security.
What does port security prevent?
Port Security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits: You can limit the number of MAC addresses on a given port.
Which of the following attacks can be avoided by port security features?
The port security feature can protect the switch from MAC flooding attacks. It can also protect the switch from DHCP starvation attacks, in which a client floods the network with a very large number of DHCP requests, each using a different source MAC address.
What are three types of action that can be set for port security violation?
You can configure the port for one of three violation modes: protect, restrict, or shutdown. To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
Which two methods are used to mitigate VLAN attacks?
There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors can be mitigated with proper switch port configuration.
Why should you disable unused ports?
Disabling unused ports can stop an attacker from plugging a malicious device into an unused port and getting unauthorized access to the network. … It can also help train users—especially those in remote offices—to call IT before moving things around.
How do I enable port security?
1) Make the switch port a Layer 2 access interface with the “switchport” command (on a Layer 3 switch, “switchport” converts a routed port into a switched port; “switchport mode access” then fixes it in access mode, which port security requires). 2) Enable port security on it with the “switchport port-security” command. Both commands can be applied to an individual interface or to a range of interfaces on the switch.
What is Switchport port security?
The switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit what addresses will be allowed to send traffic on individual switchports within the switched network.
How does port security identify a device?
Port security uses the MAC address to identify allowed and denied devices. By default, port security allows only a single device to connect through a switch port. You can, however, modify the maximum number of allowed devices.
What is the command in disabling unused switch ports?
Disable Unused Ports
Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later on needs to be reactivated, it can be enabled with the no shutdown command.
What is aging time in port security?
The inactivity aging feature prevents the unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.
Can we configure port security on trunk ports?
Port security supports trunks. On a trunk, you can configure the maximum number of secure MAC addresses both for the trunk as a whole and for all the VLANs on the trunk. You can also configure the maximum number of secure MAC addresses on a single VLAN or on a range of VLANs.
What are VLAN attacks?
VLAN hopping (virtual local area network hopping) is a method of attacking a network by sending packets to a port that is not normally accessible from a given end system. … VLAN hopping can be used to steal passwords and other sensitive information from specific network subscribers.
Can a VLAN be hacked?
A MAC flooding attack is one of the common attacks on a VLAN. In a MAC flooding attack, the attacker floods the switch with frames carrying many different source MAC addresses, filling the switch's MAC address table and consuming its memory. … The best way to secure a VLAN from a MAC flooding attack is with static secure MAC addresses.
How do I stop VLAN hopping?
To prevent VLAN hopping from being exploited, apply the following mitigations:
▪ Ensure that ports do not negotiate trunks automatically, by disabling DTP.
▪ Never use VLAN 1 at all.
▪ Disable unused ports and put them in an unused VLAN.
▪ Always use a dedicated VLAN ID for all trunk ports.
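As an added example (not taken from the original page), the Cisco IOS configuration below puts together the steps from the port-security answers and the VLAN-hopping mitigations above: a fixed workstation port with one sticky MAC, a hot-desk port that uses inactivity aging, an uplink trunk with DTP disabled and the native VLAN moved off VLAN 1, and unused ports parked in an unused VLAN and shut down. Interface names, VLAN numbers and descriptions are assumed placeholders.

```cisco
! --- Global: let a port shut by a security violation recover after 5 minutes
! --- so a one-off violation does not need a manual "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
vlan 999
 name PARKING-UNUSED
!
! --- Fixed workstation port: one sticky MAC, port disabled on violation.
interface GigabitEthernet1/0/10
 description USER-ACCESS-STICKY (placeholder name)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! --- Hot-desk port: learn up to 2 MACs dynamically and drop them after
! --- 10 minutes of inactivity so a stale address cannot block a new user.
interface GigabitEthernet1/0/11
 description HOTDESK-ACCESS (placeholder name)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
! --- Uplink: explicit trunk, DTP off, native VLAN moved off VLAN 1,
! --- only the VLANs that must cross it are allowed.
interface GigabitEthernet1/0/48
 description UPLINK (placeholder name)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! --- Unused ports: parked in VLAN 999 and shut down.
interface range GigabitEthernet1/0/12 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

On platforms that still support ISL, `switchport trunk encapsulation dot1q` must precede `switchport mode trunk`, and on a Layer 3 switch a routed port first needs the `switchport` command. Verify the result with `show port-security interface GigabitEthernet1/0/10`, `show port-security address` and `show interfaces trunk`.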