By default there is no limit to the number of MAC addresses a switch can learn on an interface and all MAC addresses are allowed. If we want we can change this behavior with port-security. Let’s take a look at the following situation:
When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example why you might want this for your switches:
In this blog we will take a look how to configure a Cisco Catalyst Switch to use AAA and 802.1X for port based authentication. If you have no idea what AAA (Authentication, Authorization and Accounting) or 802.1X are about then you should look at AAA and 802.1X Introduction first. Having said that, let’s look at the configuration. We will use the following topology:
VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:
One security issue that has to do with flooding is called a broadcast storm. When we have an excessive amount of broadcast traffic on the network then all devices within the broadcast domain will suffer. The switch has to flood all broadcast frames to interfaces in the same VLAN, hosts within the VLAN might have to process these frames (ARP requests for example).
VLAN Hopping is an attack where the attacker is able to send traffic from one VLAN into another. There are two different methods to accomplish this:
DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and stop any malicious DHCP packets. This is best explained with an example so take a look at the picture below:
The ARP (Address Resolution Protocol) is used to find the MAC address of any IP address that you are trying to reach on your local network, it’s a simple protocol and vulnerable to an attack called ARP poisoning (or ARP spoofing).
Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack ike ARP poisoning.
DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t matter, it will be dropped. In this blog I’ll show you how to configure DAI. Here’s the topology we will use: