Cisco switch security features cheatsheet

Published July 20, 2018 by Shahriar

Cisco switches running IOS have plenty of features that modern networks depend on. Some of them are security features that close off several important attack vectors at layer 2. This is arguably the most important line of defense: ACLs and application-layer (layer 7) controls sometimes fall short because communication at that layer is so complex, while a layer 2 control stops the attack before it ever reaches them. The earlier you close the hole, the better!

For example, a feature as simple as protected ports effectively hinders lateral movement in Windows networks (Active Directory domains), because hosts on the same access switch can no longer talk to each other directly. It is dead simple compared to the more advanced controls implemented on top of Active Directory itself.

In this post I will give you the commands needed to implement some security features on a Cisco switch, in a cheat-sheet-like manner.

It is important to fully understand what each feature will do, as failing to do so and running the commands blindly may cause disruption in your network. Just look up each one and read about it. 🙂

Reading the official Cisco CCNP books is highly recommended!

Port Security

 

int INTERFACE
switchport mode access
switchport access vlan 123
!
! port security configuration starts here
! the first line enables the feature; the options below do nothing without it
switchport port-security
switchport port-security maximum NUMBER
switchport port-security aging type inactivity
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security mac-address MAC
switchport port-security mac-address sticky

These two commands show you port-security stats and make troubleshooting easier:

show port-security address
show port-security interface INTERFACE

 

DHCP Snooping

 

! global configuration
ip dhcp snooping
ip dhcp snooping vlan VLAN
!
! uplink towards the legitimate DHCP server (all ports are untrusted by default)
interface INTERFACE
ip dhcp snooping trust
!
! user-facing access port: cap the rate of DHCP messages
int USER-INTERFACE
ip dhcp snooping limit rate PPS

Related show commands:

show ip dhcp snooping
show ip dhcp snooping binding

By default the switch inserts DHCP option 82 into the requests it forwards. If your DHCP server or relay drops such requests, add no ip dhcp snooping information option in global configuration.

 

Dynamic ARP Inspection

 

! DAI validates ARP packets against the DHCP snooping binding table (or ARP ACLs),
! so enable DHCP snooping on the same VLANs first
ip arp inspection vlan 123
ip arp inspection validate src-mac dst-mac ip
!
! uplink towards other switches / the gateway
interface INTERFACE
ip arp inspection trust
!
! user-facing access port: cap the ARP rate (default is 15 pps on untrusted ports)
interface USER-INTERFACE
ip arp inspection limit rate PPS

Related show commands:

show ip arp inspection vlan 123
show ip arp inspection interfaces

 

IP Source Guard

  • Requires DHCP snooping (or static IP/MAC bindings) to build the binding table it filters against.

Port based. ip verify source filters on the source IP only; ip verify source port-security also checks the source MAC and requires port security to be enabled on the same port. Use one of the two:

interface INTERFACE
ip verify source
ip verify source port-security

Creating manual entries:

ip source binding MAC vlan VLAN IP_ADDRESS interface INTERFACE

Related show command:

show ip source binding
show ip verify source

 

Protected ports

Ports that cannot communicate with each other directly. The switch drops unicast, broadcast and multicast frames between two protected ports, while traffic between a protected and an unprotected port (the uplink, for example) is forwarded normally. The feature is local to one switch, so protected ports on different switches can still reach each other.

! private VLAN edge, aka protected ports: no direct traffic between protected ports
interface INTERFACE
switchport protected

 

Spanning Tree root guard

Root guard keeps the current root bridge in place: if a superior BPDU arrives on a guarded port, the port goes into the root-inconsistent (blocking) state until those BPDUs stop. Apply it on ports that should never lead towards the root.

int INTERFACE
spanning-tree guard root

 

STP BPDU Guard:

  • Use together with Spanning Tree PortFast on access ports: an end host should never send BPDUs, so a BPDU arriving on such a port puts it into err-disabled state.

int INTERFACE
spanning-tree bpduguard enable

The global command spanning-tree portfast bpduguard default enables it on every PortFast port at once.

 

Storm Control

Storm control does not shape or clip traffic. Once the rising threshold is crossed, all traffic of the specified type (broadcast, multicast or unicast) is dropped until the end of the one-second interval; storm-control action additionally err-disables the port (shutdown) or sends an SNMP trap (trap).

interface INTERFACE
! thresholds in percent of bandwidth (no keyword) or absolute bps / pps; the falling threshold is optional
storm-control broadcast level RISING [FALLING]
storm-control broadcast level (bps | pps) RISING [FALLING]
storm-control action (shutdown | trap)
!
show storm-control INTERFACE (broadcast | multicast | unicast)
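The features above only help on the ports where somebody actually configured them, and a few of them silently do nothing when a dependency is missing (port-security options without the enabling command, a DHCP snooping VLAN list without the global ip dhcp snooping, DAI on a VLAN that snooping does not cover). The script below is an added example, not part of the original post: it parses a saved show running-config offline and reports access ports that miss one of the features in this cheat sheet. The configuration it audits is constructed for the demo; the interface names, VLAN numbers and thresholds in it are made up.

```python
"""Audit a Cisco IOS running-config for the layer 2 features in this cheat sheet.
Added example, not from the original post; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,30-31
ip arp inspection vlan 10,30-31
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport protected
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport port-security maximum 2
 spanning-tree portfast
!
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,40' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Split a running-config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.startswith("!"):
            current = None  # '!' separates configuration sections
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (interface, finding) pairs for access ports that miss a feature."""
    global_cmds, interfaces = parse_config(text)
    snoop_vlans, dai_vlans, findings = set(), set(), []
    for cmd in global_cmds:
        m = re.fullmatch(r"ip (dhcp snooping|arp inspection) vlan (.+)", cmd)
        if m:
            target = snoop_vlans if m.group(1) == "dhcp snooping" else dai_vlans
            target.update(parse_vlan_list(m.group(2)))
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_cmds
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are out of scope for these checks
        flag = lambda msg: findings.append((name, msg))
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(cmds), re.M)
        vlan = int(m.group(1)) if m else 1  # IOS default access VLAN
        has_psec = "switchport port-security" in cmds
        if not has_psec:  # options alone do nothing: the enabling command is required
            opts = any(c.startswith("switchport port-security ") for c in cmds)
            flag("port-security not enabled" + (" (options set, feature still off)" if opts else ""))
        portfast = any(c.startswith("spanning-tree portfast") for c in cmds)
        if "spanning-tree bpduguard enable" not in cmds and not (portfast and bpduguard_default):
            flag("BPDU guard not active")
        if "ip dhcp snooping" not in global_cmds or vlan not in snoop_vlans:
            flag(f"VLAN {vlan} not covered by DHCP snooping")
        if vlan not in dai_vlans:
            flag(f"VLAN {vlan} not covered by dynamic ARP inspection")
        if not any(c.startswith("ip verify source") for c in cmds):
            flag("IP source guard not enabled")
        if not any(c.startswith("storm-control ") for c in cmds):
            flag("no storm-control threshold")
        if "switchport protected" not in cmds:
            flag("not a protected port (hosts on this switch can reach each other)")
    return findings


if __name__ == "__main__":
    print(*(f"{iface}: {msg}" for iface, msg in audit(SAMPLE_CONFIG)), sep="\n")
```

Run it against the output of show running-config saved to a file (replace SAMPLE_CONFIG with the file contents). In the constructed sample, GigabitEthernet1/0/3 is the only port reported: its port-security options are set but the feature is off, VLAN 20 is covered by neither DHCP snooping nor DAI, and it lacks IP source guard, storm control and the protected flag; BPDU guard is not flagged because the global portfast bpduguard default covers its PortFast port.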

 


I hope you like this post.

I am looking forward to improving this post using your contributions in a wiki-like manner, so if you think of any other feature that would be nice to include in this post, please comment or email me and I will add it here. Thanks 🙂

 

Source: https://rayanfam.com/topics/cisco-switch-sec-cheatsheet/
