Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1455
Views
0
Helpful
4
Replies

Switch Port Security Options

avilt
Level 3
Level 3

‎02-18-2015 08:04 AM - edited ‎03-07-2019 10:43 PM

I need to implement Switch port security to one of my customers.
So I suggested the following,
a) bind the MAC address to ports (switch port security, sticky MAC)
b) shutdown unused ports, assign them to unused vlan which is in shutdown state.

Customer doesn't like mac address binding and asking me to explore other steps to protect against DOS attack and MAC spoofing. I do not have DHCP environment, all systems are assigned static IP's.

So what are the other steps needed in order to achieve port security & protection against DOS, MAC spoofing?

Labels:
0 Helpful
4 Replies 4

Aaron Castro Sanchez
Level 1
Level 1

‎02-18-2015 08:26 AM

Hi,

Port-Security is one feature you can use among others to start securing the access layer of the network. If MAC binding with sticky mac addresses is not good for your environment you should start thinking in deploying Dot1X.

I don't recall if DAI will work without DHCP in the network. If the network is not too big and endpoint don't use to move across locations or switchports then sticky should do the job.

You should also check in the security section of the DocCD and look for L2 security to start knowing what measures to deploy in order to fit your requirements.

 

Cheers,

0 Helpful

avilt
Level 3
Level 3
In response to Aaron Castro Sanchez

‎02-18-2015 08:51 AM

In what way sticky mac is different from manual MAC binding?

Manual binding always remain active, drawback is MAC management during the device move.

Sticky will learn dynamically, does it retain the MAC after reboot? How the protection mechanism work in terms of learning the MAC, flexibility (movement of devices).

 

Also I don't see any reference to DOS attacks against L2 ports.

0 Helpful

Seth Bjorn
Level 1
Level 1
In response to avilt

‎02-18-2015 02:22 PM

A DOS attack to a layer 2 port is when a rogue host floods the interface with mac addresses. The switch will learn as many as it can until it fills it's mac address table. Once the mac address table is full, the switch will essentially turn into a hub and will begin flooding packets to all ports as it cannot do it's normal forwarding based on the mac address table.

Different switches have different capacities, but in general every host port should be protected from this flood attack by limiting the amount of mac addresses it will learn on each port.

 

http://en.wikipedia.org/wiki/MAC_flooding

0 Helpful

Seth Bjorn
Level 1
Level 1

‎02-18-2015 02:15 PM

You can protect against DOS by using port security. This should be done on every non trunk port.

interface gig0/1

 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict

This will allow only 3 active mac addresses on port gig0/1.

 

In order to protect against MAC spoofing you would need either dot1x security or dynamic arp inspection (which requires DHCP snooping and you are using static ips).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card