Network Administrators (Persian)

Important network tips for specialists

Switch configuration to raise security at Layer 2

Configure Your Catalyst for a More Secure Layer 2

 IP Source Guard and Port Security

 Using just DHCP snooping, you have stopped untrusted devices from acting as a DHCP server, which matters in an environment where people think it is a good idea to bring in their Linksys access point to better cover the office with wireless. Port Security can also stop more than one MAC from being seen on a port, making it impossible to connect hubs and other network-extending devices.

 Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP source guard. Even better, we can also stop clients from forging their MAC address. MAC address filtering makes flooding the switch impossible. Flooding is a technique by which an attacker sends so many MAC addresses from their port that the switch's MAC table overflows. Then the switch has no choice but to flood all Ethernet frames out of every single port, since it doesn't know what MAC is connected where, allowing an attacker to see all the traffic across the switch. Some viruses have been known to do this as well.


Switch(config-if)# ip verify source vlan dhcp-snooping

 But be careful! If the DHCP table doesn't have an association for this port, you've just stopped all IP traffic from it. It is recommended that DHCP snooping be turned on a day before enabling IP source guard to allow it to gather information.

 To apply MAC address security, you must turn it on, then configure appropriate options:

 !Set explicit access mode (dynamic or trunk ports can't have security)

 Switch(config-if)# switchport mode access

 

 !Enable port-security

 Switch(config-if)# switchport port-security

 

 !Specify how many MAC addresses can be used:

 Switch(config-if)# switchport port-security maximum 1

 

 !Action to take when a violation happens:

 Switch(config-if)# switchport port-security violation {restrict | shutdown}

 Violation restrict does not disable the switch port; instead the switch increments a security-violation counter and sends an SNMP trap. These options are quite configurable: you can even specify how long to keep the port shut down after a violation occurs. A less dynamic alternative is to program the MAC address binding statically, which stops any other MAC from ever working on that port.

 Dynamic ARP Inspection

 ARP inspection allows the switch to discard ARP packets with invalid IP to MAC address bindings, effectively stopping common man-in-the-middle attacks. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses where the attacker claims to be someone else.

 To curtail poisoning, Dynamic ARP Inspection (DAI) uses our friend, the DHCP snooping table. There are many options, and you must be careful enabling DAI if all network devices don't support it. The most basic configuration is:

 Switch(config)# ip arp inspection vlan 1

 Trunk ports need to be trusted:

 Switch(config)# int range f1/1 - 4 , f2/24

 Switch(config-if-range)# ip arp inspection trust

 You can view the status with:

 Switch# show ip arp inspection ?

 Using the features that leverage knowledge gained from DHCP snooping creates a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area. Testing these features in a production environment is, of course, not recommended: many of them have wicked side effects if configured incorrectly or out of order.
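 As an added example (not part of the original post), here are the pieces above assembled into one access-switch configuration in dependency order: DHCP snooping first, so the binding table exists before IP Source Guard and DAI consult it, then port security, then DAI. Assumptions: user VLAN 10, Gi1/0/1-24 as access ports, Gi1/0/48 as the uplink toward the DHCP server, and the 3560/3750-family keyword `ip verify source port-security` in place of the post's `ip verify source vlan dhcp-snooping` (the command's keywords differ by Catalyst platform).

```cisco
! Added example; assumes user VLAN 10, Gi1/0/1-24 access ports, Gi1/0/48 uplink.
!
! 1. DHCP snooping first: it builds the binding table that IPSG and DAI rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Uplink: the only port allowed to source DHCP server replies, and exempt from DAI checks.
interface GigabitEthernet1/0/48
 description uplink toward distribution and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. Access ports: explicit access mode, one MAC, restrict on violation,
!    DHCP rate limit, and IP+MAC filtering from the snooping binding.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
 ip verify source port-security
!
! 4. Dynamic ARP Inspection for the user VLAN, with header sanity checks.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 5. Only needed if you choose 'violation shutdown': recover err-disabled ports after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify (exec mode) before relying on it:
! show ip dhcp snooping binding
! show ip verify source
! show port-security interface GigabitEthernet1/0/1
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

 Apply it on a switch where DHCP snooping has already been running long enough to populate the binding table; otherwise `ip verify source` blocks every host that has not renewed its lease since snooping was enabled.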
