Wednesday 17 February 2016

STP BPDU GUARD

BPDU Guard - Layer 2 security feature used to terminate the STP domain at the edge of the switched network.

A port with BPDU Guard enabled shuts down (err-disable) if it receives an incoming STP packet (BPDU).

This feature can be enabled globally or per interface.

Global level:

spanning-tree portfast bpduguard default

Interface level:

spanning-tree bpduguard enable

To view if BPDU Guard is enabled:

show spanning-tree interface <interface-number> detail

The output shows one of the following:

Bpdu guard is enabled by default - enabled at global level

Bpdu guard is enabled - enabled at interface level

Tuesday 16 February 2016

Switchport Protected & Switchport Block

switchport protected is used on Layer 2 ports - this command stops direct traffic inside a VLAN between two or more protected ports on the same switch.

switchport block is used on Layer 2 ports - this command protects a port from unknown unicast/multicast traffic being flooded out of it.

STORM Control

To limit received unicast, broadcast or multicast traffic on a Layer 2 port, use the storm-control command.

The most common use of this command is to prevent broadcast storms, but it can also be used to limit all received traffic on a Layer 2 port.

Syntax:

interface faX/X
storm-control unicast/broadcast/multicast xxxxx

When the threshold is reached, one of three actions is taken:

Syslog - default; the switch generates a syslog message.

Trap - the switch generates a syslog message and also sends an SNMP trap (SNMP traps need additional configuration).

Shutdown - the switch generates a syslog message and shuts down the switch port (err-disable).

Syntax:

storm-control action trap/shutdown
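To make the threshold and action behaviour concrete, here is an added example (not code from the original post and not IOS code) that models a storm-control policy over constructed per-second broadcast counters. It uses the rising/falling threshold pair that IOS accepts on the storm-control level keyword; the policy class, its method names and the sample counters are assumptions for illustration only.

```python
"""Added example: model of Cisco storm-control rising/falling thresholds and the
syslog / trap / shutdown actions, applied to constructed broadcast counters."""
from dataclasses import dataclass, field


@dataclass
class StormControl:
    rising_pps: int              # suppression starts when the rate exceeds this
    falling_pps: int             # suppression stops once the rate drops below this
    action: str = "syslog"       # "syslog" (default), "trap" or "shutdown"
    suppressed: bool = False
    err_disabled: bool = False
    events: list = field(default_factory=list)

    def observe(self, second: int, pps: int) -> str:
        """Evaluate one second of broadcast counters.

        Returns 'forward', 'drop' (storm suppressed) or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if not self.suppressed and pps > self.rising_pps:
            self.suppressed = True
            self.events.append(f"t={second}s syslog: broadcast {pps} pps exceeded "
                               f"{self.rising_pps} pps, suppressing")
            if self.action == "trap":
                # trap action = syslog plus an SNMP trap (trap target configured separately)
                self.events.append(f"t={second}s snmp-trap: storm detected on port")
            elif self.action == "shutdown":
                self.err_disabled = True
                self.events.append(f"t={second}s port placed in err-disable state")
                return "err-disabled"
        elif self.suppressed and pps < self.falling_pps:
            self.suppressed = False
            self.events.append(f"t={second}s syslog: broadcast {pps} pps below "
                               f"{self.falling_pps} pps, forwarding resumed")
        return "drop" if self.suppressed else "forward"


# Constructed sample: broadcast packets per second seen on one access port.
SAMPLE_PPS = [50, 80, 1200, 3000, 900, 400, 60, 40]


def run(action: str) -> list:
    """Apply a 1000 pps rising / 500 pps falling policy to the sample and return
    the per-second verdicts."""
    sc = StormControl(rising_pps=1000, falling_pps=500, action=action)
    return [sc.observe(t, pps) for t, pps in enumerate(SAMPLE_PPS)]


if __name__ == "__main__":
    for act in ("syslog", "trap", "shutdown"):
        print(act, run(act))
```

With the syslog action the port drops broadcasts only while the storm lasts and resumes forwarding once the rate falls below the falling threshold; with shutdown the port stays err-disabled for the rest of the sample, which is why the shutdown action is usually paired with errdisable recovery.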

Monday 15 February 2016

Switch Dynamic Trunking Protocol

Cisco Catalyst Layer 2 ports are configured with Dynamic Trunking Protocol (DTP) enabled by default.

Two options:

Dynamic Desirable (DTP active) - the switch port sends DTP messages to initiate a trunk with the connected switch.
Dynamic Auto (DTP passive) - the switch port waits for DTP messages before forming a trunk.

Two ports connected together in DTP passive mode will never form a trunk, as both only passively wait for DTP messages from a DTP active switch.

As DTP behaviour is not always desirable, DTP can be switched off with the following commands:

switchport nonegotiate - trunk port
switchport mode access - access port (switchport nonegotiate can also be used on an access port to make it visible in the config)
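The BPDU Guard, storm-control and DTP notes above all boil down to a handful of lines that should or should not appear under each switchport. The following added example (not code from the original post) audits a saved running-config for them. The sample configuration is constructed, the interface names and VLANs are made up, and the checks assume the exact command strings quoted in the notes plus the global-default rule that bpduguard default only applies to PortFast ports.

```python
"""Added example: audit a Cisco IOS running-config text for the Layer 2 hardening
described in the notes (BPDU Guard, DTP disabled, broadcast storm-control)."""

# Constructed sample running-config (interface names and VLANs are made up).
SAMPLE_CONFIG = """\
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 storm-control broadcast level 20.00 10.00
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} for every 'interface' block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None      # '!' or a global line ends the block
    return interfaces


def audit(config: str) -> dict:
    """Return {interface: [findings]} for ports missing one of the hardening steps."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        # Default (no mode) and 'dynamic auto/desirable' both leave DTP negotiation on.
        if mode is None or mode.startswith("switchport mode dynamic"):
            issues.append("DTP negotiation enabled: set 'switchport mode access' "
                          "or 'switchport mode trunk'")
        if mode == "switchport mode trunk" and "switchport nonegotiate" not in lines:
            issues.append("trunk still sends DTP: add 'switchport nonegotiate'")
        if mode == "switchport mode access":
            # The global default only covers PortFast ports, and a per-port
            # 'bpduguard disable' overrides it.
            guarded = ("spanning-tree bpduguard enable" in lines or
                       (global_bpduguard and "spanning-tree portfast" in lines
                        and "spanning-tree bpduguard disable" not in lines))
            if not guarded:
                issues.append("BPDU Guard not active: add 'spanning-tree bpduguard enable'")
            if not any(l.startswith("storm-control broadcast") for l in lines):
                issues.append("no broadcast storm-control threshold configured")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port)
        for issue in issues:
            print("  -", issue)
```

Running it against the sample flags Fa0/2 (still dynamic desirable), Fa0/3 (BPDU Guard explicitly disabled and no storm-control) and the Gi0/1 trunk (no switchport nonegotiate), while Fa0/1 passes. Feeding it the output of show running-config from a real switch only requires replacing SAMPLE_CONFIG with that text.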

no IP unreachables

This command is used under interface configuration to stop the device from sending ICMP unreachable messages back to the source when a packet is dropped by the router.

This is desirable to protect the router CPU, as router-generated traffic is process switched by the CPU rather than CEF switched.


BGP - Security Hack


iBGP sends packets with a TTL of 255.

eBGP sends packets with a TTL of 1.

However:

BGP will accept a packet with any TTL value equal to 1 or larger.

The session can be protected with an ACL or by using MD5 authentication for the BGP session.

Or by using RFC 3682 (GTSM):

neighbor X.X.X.X ttl-security hops 5

(this accepts only packets with a TTL value of 250 or higher)
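To show what the ttl-security check actually does, here is an added example (not code from the original post) that implements the RFC 3682 acceptance rule, TTL >= 255 - hops, next to the default "any TTL of 1 or more" rule, and applies both to a set of constructed arriving-TTL values. The function names and the sample packets are assumptions for illustration.

```python
"""Added example: RFC 3682 (GTSM) TTL check as applied by
'neighbor X.X.X.X ttl-security hops N', compared with the default BGP behaviour."""

MAX_TTL = 255


def gtsm_accept(ttl: int, hops: int) -> bool:
    """Accept only packets that could have come from a peer at most `hops`
    routers away that sent them with TTL 255 (each router decrements by one)."""
    return ttl >= MAX_TTL - hops


def default_accept(ttl: int) -> bool:
    """Behaviour without ttl-security: any TTL of 1 or more is accepted."""
    return ttl >= 1


# Constructed sample: (description, TTL of the packet on arrival).
# A directly connected peer sends with TTL 255 and arrives with 254.
SAMPLE_PACKETS = [
    ("directly connected peer", 254),
    ("peer 5 hops away", 250),
    ("router 6 hops away", 249),
    ("distant host, TTL 64 on arrival", 64),
    ("distant host, TTL 1 on arrival", 1),
]


def filter_packets(hops: int) -> dict:
    """Return {description: (accepted by default, accepted by GTSM)} for the sample."""
    return {desc: (default_accept(ttl), gtsm_accept(ttl, hops))
            for desc, ttl in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, (dflt, gtsm) in filter_packets(5).items():
        print(f"{desc:35} default={dflt!s:5} ttl-security hops 5={gtsm}")
```

With hops 5 every sample packet passes the default check, while GTSM rejects everything that arrives with a TTL below 250, which is exactly the "minimum 250" the note states. Because TTL cannot be increased in transit, a packet from further away than the configured hop count cannot satisfy the check regardless of its source address.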

More on:

Protecting Border Gateway Protocol for the Enterprise
