AAA Configuration on Cisco Switch

In this blog we will take a look at how to configure a Cisco Catalyst switch to use AAA and 802.1X for port-based authentication. If you have no idea what AAA (Authentication, Authorization and Accounting) or 802.1X are about then you should look at AAA and 802.1X Introduction first. Having said that, let's look at the configuration. We will use the following topology:
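As an added example (not the configuration from the original post), here is a minimal AAA and 802.1X setup for a Catalyst access switch. The RADIUS server address 192.0.2.10, the shared secrets, the local username and the interface names are assumptions; the switch acts as the 802.1X authenticator and the RADIUS server does the actual authentication.

```cisco
! Added example (not from the original post). RADIUS address, secrets and
! interface names are assumptions.
aaa new-model
! 802.1X authentication, authorization (VLAN/ACL push) and accounting all use RADIUS
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! "aaa new-model" also changes line login; keep a local fallback so a dead
! RADIUS server cannot lock you out of the switch
aaa authentication login default group radius local
username admin privilege 15 secret ChangeMe-LocalPassword
!
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ChangeMe-RadiusSecret
!
! 802.1X is off globally until this line is present, even with per-port config
dot1x system-auth-control
!
interface GigabitEthernet0/1
 description Access port for a supplicant host
 switchport mode access
 switchport access vlan 10
 ! Authenticator role; the port forwards nothing (except EAPOL) until the host authenticates
 dot1x pae authenticator
 authentication port-control auto
 ! Fail closed: no "authentication open" and no guest VLAN on this port
!
! Never enable 802.1X on the uplink that carries the RADIUS traffic itself
interface GigabitEthernet0/24
 description Uplink
 switchport mode trunk
```

After a host connects, `show authentication sessions interface GigabitEthernet0/1` shows whether it was authorized and by which method, and `show dot1x interface GigabitEthernet0/1 details` shows the EAP state machine. Check `show aaa servers` if every session ends up unauthorized; a wrong shared secret looks exactly like a failed user login from the switch's point of view.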


Cisco Storm-Control Configuration

One security issue that has to do with flooding is called a broadcast storm. When there is an excessive amount of broadcast traffic on the network, every device within the broadcast domain suffers: the switch has to flood every broadcast frame out of all interfaces in the same VLAN, and every host in that VLAN has to receive and process these frames (ARP requests, for example).
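Storm control on a Catalyst switch rate-limits broadcast, multicast and unknown-unicast traffic per interface. The following is an added example, not the configuration from the original post; the thresholds and interface names are assumptions picked for a 1 Gbit/s edge port and should be tuned to the traffic you actually see on your network.

```cisco
! Added example (not from the original post). Thresholds and interface
! names are assumptions.
interface GigabitEthernet0/1
 description Access port
 switchport mode access
 ! Suppress broadcast when it exceeds 1% of link bandwidth and resume
 ! forwarding once it drops below 0.5% (rising and falling thresholds)
 storm-control broadcast level 1.00 0.50
 ! Multicast can be limited in packets per second instead of a percentage
 storm-control multicast level pps 5000 2000
 ! Unknown-unicast flooding is a storm vector too (e.g. a MAC flooding attack)
 storm-control unicast level 2.00
 ! Without an action the switch only drops the excess traffic.
 ! "shutdown" err-disables the port, "trap" sends an SNMP notification;
 ! both can be configured together.
 storm-control action shutdown
 storm-control action trap
!
! Let an err-disabled port recover by itself after 300 seconds so a single
! storm does not need a manual "shutdown / no shutdown"
errdisable recovery cause storm-control
errdisable recovery interval 300
```

`show storm-control GigabitEthernet0/1` lists the configured levels and the current measured rate per traffic type. Apply these low percentages only to end-host ports: a 1% broadcast threshold on a trunk that legitimately carries many VLANs' broadcast traffic will err-disable your uplink.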


VLAN Hopping

VLAN hopping is an attack where the attacker is able to send traffic from one VLAN into another, bypassing the segmentation the VLANs are supposed to enforce. There are two different methods to accomplish this:
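The two well-known methods are switch spoofing (the attacker speaks DTP and negotiates a trunk with the switch) and double tagging (a frame with two 802.1Q tags crosses a trunk whose native VLAN is the attacker's VLAN; the outer tag is stripped and the inner tag delivers the frame into another VLAN). As an added example, not from the original post, this is how both are closed off on a Catalyst switch; VLAN numbers and interface names are assumptions.

```cisco
! Added example (not from the original post). VLAN numbers and interface
! names are assumptions.
!
! 1) Switch spoofing: make every end-host port a static access port and
!    disable DTP on it so no trunk can ever be negotiated.
interface range GigabitEthernet0/1 - 19
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! 2) Double tagging: use a dedicated, otherwise unused native VLAN on the
!    trunk, tag it, and prune the allowed VLAN list.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/24
 description Trunk to core
 ! Omit the encapsulation line on platforms that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Tag the native VLAN on all trunks; an untagged inner frame is then no longer
! accepted as native-VLAN traffic
vlan dot1q tag native
!
! Park unused ports in a blackhole VLAN and shut them down
vlan 666
 name BLACKHOLE
interface range GigabitEthernet0/20 - 23
 switchport mode access
 switchport access vlan 666
 shutdown
```

Verify with `show interfaces trunk` (native VLAN 999, allowed list pruned) and `show interfaces GigabitEthernet0/1 switchport` (Operational Mode: static access, Negotiation of Trunking: Off). Native VLAN tagging must match on both ends of every trunk, otherwise the native VLAN stops working.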


DHCP Snooping

DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and drop any malicious DHCP packets, such as replies from a rogue DHCP server. This is best explained with an example, so take a look at the picture below:
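As an added example (not the configuration from the original post), here is DHCP snooping on an access switch where the real DHCP server is reachable only through the uplink. VLAN numbers, interface names, the rate limit and the database location are assumptions.

```cisco
! Added example (not from the original post). VLANs, interfaces, rate limit
! and database path are assumptions.
!
! Enable snooping globally and then per VLAN; the global command alone
! inspects nothing
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default; leave it off unless your relay/server
! expects it, otherwise upstream devices may drop the client requests
no ip dhcp snooping information option
! Persist the binding table so DAI and IP Source Guard do not reject every
! existing host after a reload
ip dhcp snooping database flash:dhcp-snooping.db
!
! Only the uplink toward the DHCP server is trusted. DHCPOFFER/DHCPACK
! arriving on any untrusted port (a rogue server) are dropped, and client
! messages on untrusted ports are checked and recorded in the binding table.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! End-host ports stay untrusted; rate-limit DISCOVER/REQUEST so one client
! cannot exhaust the pool or the switch CPU. Exceeding it err-disables the port.
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
```

`show ip dhcp snooping` confirms the VLANs and trusted ports, and `show ip dhcp snooping binding` shows the MAC/IP/VLAN/port bindings the switch has learned. Every inter-switch link between a client and the server has to be trusted; forgetting one makes all clients behind it lose DHCP.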


ARP Poisoning

ARP (Address Resolution Protocol) is used to find the MAC address of any IP address that you are trying to reach on your local network. It is a simple protocol with no authentication at all, which makes it vulnerable to an attack called ARP poisoning (or ARP spoofing).


DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol), which is vulnerable to attacks like ARP poisoning.

DAI checks all ARP packets on untrusted interfaces and compares the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn't match, it is dropped. In this blog I'll show you how to configure DAI. Here's the topology we will use:
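The following is an added example, not the configuration from the original post, and serves both the ARP poisoning section above (as its defense) and this one: DAI on VLAN 10 validating against the DHCP snooping binding table, with an ARP ACL for a statically addressed host that has no DHCP binding. The addresses, MAC address, VLAN and interface names are assumptions.

```cisco
! Added example (not from the original post). Addresses, MACs, VLAN and
! interface names are assumptions.
!
! DAI relies on the binding table that DHCP snooping builds for the same VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Turn on inspection for the VLAN; every port is untrusted by default
ip arp inspection vlan 10
! Additionally check that the Ethernet header MACs match the ARP body and that
! the IPs are not 0.0.0.0, 255.255.255.255 or multicast
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP binding, so whitelist them explicitly
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.5 mac host 0011.2233.4455
! Without the "static" keyword, ARP packets that the ACL does not match are
! still checked against the snooping database instead of being dropped
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Trust only the uplink. A trusted port bypasses inspection entirely, so an
! end-host port must never be trusted.
interface GigabitEthernet0/24
 description Uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description Access port
 ! 15 pps is the default on untrusted ports; exceeding it err-disables the port
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
```

`show ip arp inspection vlan 10` shows the validation settings and the ACL in use, and `show ip arp inspection statistics vlan 10` counts forwarded and dropped ARP packets, which is also where a poisoning attempt shows up: a host sending gratuitous ARP replies for the gateway address ends up in the "DHCP Drops" or "ACL Drops" column rather than in its neighbours' ARP caches.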
