
Leaderboard

Popular Content

Showing content with the highest reputation on 07/27/18 in all areas

  1. https://www.happysocks.com They are new, unused, for any country.
    2 points
  2. Cisco switch security features cheatsheet
     Published July 20, 2018 by Shahriar

     Cisco switches (running IOS) have plenty of features that are critical to modern networks. Some are Cisco security features that eliminate several important attack vectors on layer 2. This is arguably the most important defense mechanism, because ACLs and security mechanisms in software (layer 7) will sometimes fall short of protecting the network because of the extreme complexity of communication up in this layer. So the earlier you close the holes, the better! As an example, security features like protected ports can effectively harden lateral movement in Windows networks (Active Directory domains), while also being so dead simple compared to more advanced methods implemented on top of Active Directory itself.

     In this post I will give you the commands needed to implement some security features in a Cisco switch in a cheatsheet-like manner. It is important to fully understand what each feature will do, as failing to do so and running the commands blindly may cause disruption in your network. Just look up each one and read about it. 🙂 Reading official Cisco CCNP books is super recommended!

     Port Security

       int INTERFACE
        switchport mode access
        switchport access vlan 123
        ! port security configuration starts here:
        switchport port-security
        ! (the bare command above enables the feature; the sub-commands alone do not)
        switchport port-security maximum N
        switchport port-security aging type inactive
        switchport port-security aging time 5
        switchport port-security violation restrict
        switchport port-security mac-address MAC
        switchport port-security mac-address sticky

     These two commands show you port-security stats and make troubleshooting easier:

       show port-sec address
       show port-sec interface INTERFACE

     DHCP Snooping

       ! global configuration
       ip dhcp snooping
       ip dhcp snooping vlan N
       ! INTERFACE is the uplink toward the legitimate DHCP server
       interface INTERFACE
        ip dhcp snooping trust
       int USER-INTERFACE
        ip dhcp snooping limit rate N   ! packets per second

     Related show command:

       show ip dhcp snooping

     Dynamic ARP Inspection

       ! relies on the DHCP snooping binding table (or static ip/mac bindings)
       ip arp inspection vlan 123
       interface INTERFACE
        ip arp inspection trust
       interface USER-INTERFACE
        ip arp inspection limit rate N   ! packets per second

     Related show command:

       show ip arp inspection vlan 123

     IP Source Guard

     It requires DHCP snooping (or static ip/mac bindings).

     Port based:

       interface INTERFACE
        ip verify source                   ! filters on source IP only
        ip verify source port-security     ! filters on source IP and MAC

     Creating manual entries:

       ip source binding MAC vlan N IP_ADDRESS interface INTERFACE

     Related show command:

       show ip source binding

     Protected ports

     Ports that cannot communicate with each other directly.

       ! private vlan edge aka protected ports: no direct traffic between those ports
       interface INTERFACE
        switchport protected

     Spanning Tree root guard

       int INTERFACE
        ! port is put in root-inconsistent state if it receives a superior BPDU
        spanning-tree guard root

     STP BPDU Guard (used together with spanning-tree portfast):

       interface USER-INTERFACE
        spanning-tree bpduguard enable

     Storm Control

       interface INTERFACE
        ! (do not clip anymore: all specified traffic is dropped until end of duration [1s])
        ! rising and falling thresholds, in bps, pps or percent of bandwidth
        storm-control broadcast level (bps | pps | %) N N
        storm-control action ACTION

     Related show command:

       show storm-control b|m|u

     I hope you like this post. I am looking forward to improving this post using your contributions in a wiki-like manner. So if you think of any other feature which would be nice to be included in this post, please comment or email me and I will add it here. Thanks 🙂

     Source: https://rayanfam.com/topics/cisco-switch-sec-cheatsheet/
    1 point
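The cheatsheet above lists the commands for each feature but not how to verify afterwards that every user-facing port actually got them. The following audit script is an added example, not part of the original post or of rayanfam.com: it parses a `show running-config` excerpt and reports which access ports are missing port-security, BPDU guard, storm control or the DHCP snooping / ARP inspection rate limits, and whether DHCP snooping and DAI are enabled globally. The config text is constructed for the example (no real switch), the interface names are made up, and the regexes assume the canonical spelling IOS writes into the running-config (not operator abbreviations such as `port-sec`).

```python
"""Audit a Cisco IOS running-config for the layer-2 hardening features in the
cheatsheet. Added example; the config below is constructed, not real output."""

import re
import sys

# Constructed sample config: Gi1/0/1 is fully hardened, Gi1/0/2 is an
# unhardened access port, Gi1/0/24 is the trusted uplink (trunk, skipped).
SAMPLE_CONFIG = """\
!
ip dhcp snooping vlan 10
ip dhcp snooping
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport protected
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""

# Per-port checks: feature name -> regex that must match one line of the block.
# Note that "switchport port-security maximum N" alone does NOT enable the
# feature; the bare "switchport port-security" line must be present.
PORT_CHECKS = {
    "port-security": re.compile(r"^switchport port-security$"),
    "bpduguard": re.compile(r"^spanning-tree bpduguard enable$"),
    "storm-control": re.compile(r"^storm-control (broadcast|multicast|unicast) level "),
    "dhcp-snooping-rate-limit": re.compile(r"^ip dhcp snooping limit rate \d+$"),
    "arp-inspection-rate-limit": re.compile(r"^ip arp inspection limit rate \d+$"),
}

# Global checks: feature name -> regex that must match one top-level line.
GLOBAL_CHECKS = {
    "dhcp-snooping": re.compile(r"^ip dhcp snooping$"),
    "dhcp-snooping-vlan": re.compile(r"^ip dhcp snooping vlan "),
    "arp-inspection-vlan": re.compile(r"^ip arp inspection vlan "),
}


def parse_interfaces(config):
    """Split a running-config into (global_lines, {interface: [sub-commands]}).
    Indented lines belong to the preceding 'interface' block; '!' or any
    non-indented line closes the block."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(config):
    """Return a sorted list of findings: 'global: <feature>' for a missing
    global feature, '<interface>: <feature>' for an access port lacking one.
    Trunk and routed ports are skipped: these features target user ports."""
    global_lines, interfaces = parse_interfaces(config)
    findings = []
    for feature, pattern in GLOBAL_CHECKS.items():
        if not any(pattern.match(line) for line in global_lines):
            findings.append(f"global: {feature}")
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        for feature, pattern in PORT_CHECKS.items():
            if not any(pattern.match(line) for line in lines):
                findings.append(f"{name}: {feature}")
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py running-config.txt  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

On the sample it reports nothing for the hardened port and the uplink, and five findings for GigabitEthernet1/0/2, including `port-security`, because that port has only the `maximum` sub-command and never the enabling `switchport port-security` line, which is exactly the kind of half-applied config a manual review tends to miss.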
  3. Very strange, about two weeks ago a woman was asking here how she could find out the Facebook password for an account. I think her post was deleted from the forum. Give us the link to her profile and we'll see what we can do.
    1 point
  4. I read The Da Vinci Code, great book. And I also read The Book with No Name, 480 pages in one day.
    1 point