I need to implement Switch port security to one of my customers.
So I suggested the following,
a) bind the MAC address to ports (switch port security, sticky MAC)
b) shutdown unused ports, assign them to unused vlan which is in shutdown state.
Customer doesn't like mac address binding and asking me to explore other steps to protect against DOS attack and MAC spoofing. I do not have DHCP environment, all systems are assigned static IP's.
So what are the other steps needed in order to achieve port security & protection against DOS, MAC spoofing?
Port-Security is one feature you can use among others to start securing the access layer of the network. If MAC binding with sticky mac addresses is not good for your environment you should start thinking in deploying Dot1X.
I don't recall if DAI will work without DHCP in the network. If the network is not too big and endpoint don't use to move across locations or switchports then sticky should do the job.
You should also check in the security section of the DocCD and look for L2 security to start knowing what measures to deploy in order to fit your requirements.
In what way sticky mac is different from manual MAC binding?
Manual binding always remain active, drawback is MAC management during the device move.
Sticky will learn dynamically, does it retain the MAC after reboot? How the protection mechanism work in terms of learning the MAC, flexibility (movement of devices).
Also I don't see any reference to DOS attacks against L2 ports.
A DOS attack to a layer 2 port is when a rogue host floods the interface with mac addresses. The switch will learn as many as it can until it fills it's mac address table. Once the mac address table is full, the switch will essentially turn into a hub and will begin flooding packets to all ports as it cannot do it's normal forwarding based on the mac address table.
Different switches have different capacities, but in general every host port should be protected from this flood attack by limiting the amount of mac addresses it will learn on each port.
You can protect against DOS by using port security. This should be done on every non trunk port.
switchport port-security maximum 3
switchport port-security violation restrict
This will allow only 3 active mac addresses on port gig0/1.
In order to protect against MAC spoofing you would need either dot1x security or dynamic arp inspection (which requires DHCP snooping and you are using static ips).