CCNASecurityChapter6:SecuringtheLocalAreaNetworkLessonPlanningThislessonshouldtake3-4hourstopresentThelessonshouldincludelecture,demonstrations,discussionsandassessmentsThelessoncanbetaughtinpersonorusingremoteinstructionMajorConceptsDescribeendpointvulnerabilitiesandprotectionmethodsDescribebasicCatalystswitchvulnerabilitiesConfigureandverifyswitchsecurityfeatures,includingportsecurityandstormcontrolDescribethefundamentalsecurityconsiderationsofWireless,VoIP,andSANs.Contents6.1EndpointSecurity6.2Layer2SecurityConsiderations6.3ConfiguringLayer2Security6.4Wireless,VoIP,andSANSecurity6.1EndpointSecurityEndpointSecurityConsiderationsIntroducingEndpointSecurityEndpointSecuritywithIronPortEndpointSecuritywithNetworkAdmissionControlEndpointSecuritywithCiscoSecurityAgent6.1.1IntroducingEndpointSecuritySecuringtheLANAddressingEndpointSecurityOperatingSystemsBasicSecurityServicesTypesofApplicationAttacksCiscoSystemsEndpointSecuritySolutionsSecuringtheedgedevicebecauseofitsWANconnection?SecuringtheinternalLAN?Both!SecuringtheinternalLANisjustasimportantassecuringtheperimeterofanetwork.InternalLANsconsistsof:EndpointsNon-endpointLANdevicesLANinfrastructureWhichshouldbeprotected?SecuringtheLANIPSMARSVPNACSIronPortFirewallWeb

ServerEmailServerDNSLANHostsPerimeterInternetAreasofconcentration:SecuringendpointsSecuringnetwork

infrastructureALANconnectsmanynetworkendpointdevicesthatactasanetworkclients.Endpointdevicesinclude:LaptopsDesktopsIPphonesPersonaldigitalassistants(PDAs)ServersPrintersSecuringEndpointDevicesALANalsorequiresmanyintermediarydevicestointerconnectendpointdevices.Non-endpointLANdevices:SwitchesWirelessdevicesIPtelephonydevicesStorageareanetworking(SAN)devicesSecuringNon-EndpointDevicesAnetworkmustalsobeabletomitigatespecificLANattacksincluding:MACaddressspoofingattacksSTPmanipulationattacksMACaddresstableoverflowattacksLANstormattacksVLANattacksSecuringtheLANInfrastructureOperatingSystemsBasicSecurityServicesTrustedcodeandtrustedpath–ensuresthattheintegrityoftheoperatingsystemisnotviolatedPrivilegedcontextofexecution–providesidentity

authenticationandcertainprivilegesbasedontheidentityProcessmemoryprotectionandisolation–providesseparationfromotherusersandtheirdataAccesscontroltoresources–ensuresconfidentialityandintegrityofdataTypesofApplicationAttacksIhavegaineddirectaccesstothisapplication’sprivilegesIhavegainedaccesstothissystemwhichistrustedbytheothersystem,allowingmetoaccessit.IndirectDirectCiscoSystemsEndpointSecuritySolutionsCiscoNACIronPortCiscoSecurityAgentIronPortisaleadingproviderofanti-spam,anti-virus,andanti-spywareappliances.CiscoacquiredIronPortSystemsin2007.ItusesSenderBase,theworld'slargestthreatdetectiondatabase,tohelpprovidepreventiveandreactivesecuritymeasures.IronPort6.1.2EndpointSecuritywithIronPortCiscoIronPortProductsIronPortC-Series:Iron-PortS-SeriesCiscoIronPortProductsIronPortproductsinclude:E-mailsecurityappliancesforvirusandspamcontrolWebsecurityapplianceforspywarefiltering,URLfiltering,andanti-malwareSecuritymanagementapplianceIronPortC-SeriesInternetInternetAntispamAntivirusPolicyEnforcementMailRoutingBeforeIronPortIronPortE-mailSecurityApplianceFirewallGroupwareUsersAfterIronPortUsersGroupwareFirewallEncryptionPlatformMTADLPScannerDLPPolicyManagerIronPortS-SeriesWebProxyAntispywareAntivirusAntiphishingURLFilteringPolicyManagementFirewallUsersUsersFirewallIronPortS-SeriesBeforeIronPortAfterIronPortInternetInternet6.1.3EndpointSecuritywithNetworkAdmissionControlCiscoNACTheNACFrameworkNACComponentsCiscoNACApplianceProcessAccessWindowsCiscoNACNACFrameworkSoftwaremoduleembeddedwithinNAC-enabledproductsIntegratedframeworkleveragingmultipleCiscoandNAC-awarevendorproductsIn-bandCiscoNACAppliancesolutioncanbeusedonanyswitchorrouterplatformSelf-contained,turnkeysolution

ThepurposeofNAC:AllowonlyauthorizedandcompliantsystemstoaccessthenetworkToenforcenetworksecuritypolicyCiscoNACApplianceReferto

fourimportantfeaturesofNACTheNACFrameworkAAA

ServerCredentialsCredentialsEAP/UDP,EAP/802.1xRADIUSCredentialsHTTPSAccessRightsNotificationCiscoTrustAgentComply?VendorServersHostsAttemptingNetworkAccessNetworkAccessDevicesPolicyServerDecisionPointsandRemediationEnforcementNAC的示意圖當運行NAC時，首先由網絡接入設備發出消息，從主機請求委托書。然后，AAA服務器CiscoTrustAgent(CTA)與主機上的CiscoTrustAgent(CTA)建立安全的EAP對話。此時，CTA對AAA服務器執行檢查。委托書可以通過主機應用、CTA或網絡設備傳遞，由思科ACS接收后進行認證和授權。某些情況下，ACS可以作為防病毒策略服務器的代理，直接將防病毒軟件應用委托書傳送到廠商的AV服務器接收檢查。委托書通過審查后，ACS將為網絡設備選擇相應的實施策略。例如，ACS可以向路由器發送準入控制表，對此主機實施特殊策略。對于非響應性設備，可以對主動運行CTA(網絡或ACS)的設備實施默認策略。在以后的各階段，還將通過掃描或其它機制對主機系統執行進一步檢查，以便收集其他端點安全信息。NACComponentsCiscoNAS(CiscoNACApplianceServer)Servesasanin-bandorout-of-banddevicefornetworkaccesscontrolCiscoNAM(CiscoNACApplianceManager)Centralizesmanagementforadministrators,supportpersonnel,andoperatorsCiscoNAA(CiscoNACApplianceAgent)Optionallightweightclientfordevice-basedregistryscansinunmanagedenvironmentsRule-setupdatesScheduledautomaticupdatesforantivirus,criticalhotfixes,andotherapplicationsMGRCiscoNACApplianceProcessTHEGOALIntranet/

Network2.Hostis

redirectedtoaloginpage.CiscoNACAppliancevalidatesusernameandpassword,alsoperformsdeviceandnetworkscanstoassessvulnerabilitiesondevice.Deviceisnoncompliant

orloginisincorrect.Hostisdeniedaccessandassigned

toaquarantinerolewithaccesstoonlineremediationresources.3a.3b.Deviceis“clean”.Machinegetson“certifieddeviceslist”andisgrantedaccesstonetwork.CiscoNASCiscoNAM1.Hostattemptstoaccessawebpageorusesanoptionalclient.Networkaccessisblockeduntilwiredorwirelesshostprovideslogininformation.AuthenticationServerMGRQuarantineRole3.Thehostisauthenticatedandoptionally

scannedforposturecomplianceAccessWindows4.LoginScreenScanisperformed(typesofchecksdependonuserrole)ScanfailsRemediate6.1.4EndpointSecuritywithCiscoSecurityAgentCSAArchitectureModelCSAOverviewCSAFunctionalityAttackPhasesCSALogMessagesCSAArchitectureManagementCenterforCiscoSecurityAgent

withInternalorExternalDatabaseSecurity

PolicyServerProtectedbyCiscoSecurityAgentAdministration

WorkstationSSLEventsAlertsCSAOverviewStateRulesandPoliciesRules

EngineCorrelation

EngineFileSystemInterceptorNetwork

InterceptorConfiguration

InterceptorExecutionSpaceInterceptorApplicationAllowedRequestBlockedRequestCSAFunctionalitySecurityApplicationNetwork

InterceptorFileSystemInterceptorConfiguration

InterceptorExecution

Space

InterceptorDistributedFirewallX―――HostIntrusionPreventionX――XApplication

Sandbox―XXXNetworkWormPreventionX――XFileIntegrityMonitor―XX―AttackPhasesFilesysteminterceptorNetworkinterceptorConfigurationinterceptorExecutionspaceinterceptorServerProtectedbyCiscoSecurityAgentProbephasePingscansPortscansPenetratephaseTransferexploitcodetotargetPersistphaseInstallnewcodeModifyconfigurationPropagatephaseAttackothertargetsParalyzephaseErasefilesCrashsystemStealdataCSAstoppedtheseattacksbyidentifyingtheirmaliciousbehaviorwithoutanyupdatesCSALogMessages6.2Layer2SecurityConsiderationsLayer2SecurityConsiderationsIntroductiontoLayer2SecurityMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksLANStormAttacksVLANAttacks6.2.1IntroductiontoLayer2SecurityLayer2SecurityOverviewofOSIModelIPSMARSVPNACSIronPortFirewallWeb

ServerEmailServerDNSHostsPerimeterInternetLayer2SecurityOSIModelMACAddressesWhenitcomestonetworking,Layer2isoftenaveryweaklink.PhysicalLinksIPAddressesProtocolsandPortsApplicationStreamApplicationPresentationSessionTransportNetworkDataLinkPhysicalCompromisedApplicationPresentationSessionTransportNetworkDataLinkPhysicalInitialCompromiseLayer2VulnerabilitiesMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksStormAttacksVLANAttacksMACAddressSpoofingAttackMACAddress:AABBccAABBcc12AbDdSwitchPort12MACAddress:AABBccAttackerPort1Port2MACAddress:12AbDdIhaveassociatedPorts1and2withtheMACaddressesofthedevicesattached.Trafficdestinedforeachdevicewillbeforwardeddirectly.Theswitchkeepstrackofthe

endpointsbymaintainingaMACaddresstable.InMAC

spoofing,theattackerposes

asanotherhost—inthiscase,

AABBcc6.2.2MACAddressSpoofingAttackMACAddress:AABBccAABBccSwitchPort12MACAddress:AABBccAttackerPort1Port2AABBcc12IhavechangedtheMAC

addressonmycomputer

tomatchtheserver.ThedevicewithMACaddressAABBcchaschangedlocationstoPort2.ImustadjustmyMACaddresstableaccordingly.MACAddressTableOverflowAttackABCDVLAN10VLAN10IntruderrunsmacoftobeginsendingunknownbogusMACaddresses.3/253/25MACX3/25MACY3/25MACZXYZfloodMACPortX3/25Y3/25C3/25BogusaddressesareaddedtotheCAMtable.CAMtableisfull.HostCTheswitchfloodstheframes.AttackerseestraffictoserversBandD.VLAN101234BothMACspoofingandMACaddresstableoverflowattackscanbemitigatedbyconfiguringportsecurityontheswitch.Portsecuritycaneither:StaticallyspecifytheMACaddressesonaparticularswitchport.AllowtheswitchtodynamicallylearnafixednumberofMACaddressesforaswitchport.StaticallyspecifyingtheMACaddressesisnotamanageablesolutionforaproductionenvironment.AllowingtheswitchtodynamicallylearnafixednumberofMACaddressesisanadministrativelyscalablesolution.MACAddressMitigationTechniquesAnSTPattacktypicallyinvolvesthecreationofabogusRootbridge.ThiscanbeaccomplishedusingavailablesoftwarefromtheInternetsuchasbrconfigorstp-packet.TheseprogramscanbeusedtosimulateabogusswitchwhichcanforwardSTPBPDUs.STPAttackMitigationtechniquesincludeenablingPortFast,rootguardandBPDUguard.6.2.4STPManipulationAttackSpanningtreeprotocoloperatesbyelectingarootbridgeSTPbuildsatreetopologySTPmanipulationchangesthetopologyofanetwork—theattackinghostappearstobetherootbridgeFFFFFBRootBridge

Priority=8192

MACAddress=0000.00C0.1234STPManipulationAttackRootBridge

Priority=8192RootBridgeFFFFFBSTPBPDU

Priority=0STPBPDU

Priority=0FBFFFFAttackerTheattackinghostbroadcastsoutSTP

configurationandtopologychangeBPDUs.Thisisanattempttoforcespanningtree

recalculations.6.2.5LANStormAttackBroadcast,multicast,orunicastpacketsarefloodedonallportsinthesameVLAN.ThesestormscanincreasetheCPUutilizationonaswitchto100%,reducingtheperformanceofthenetwork.BroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastALANstormoccurswhenpacketsfloodtheLAN,creatingexcessivetrafficanddegradingnetworkperformance.Possiblecauses:ErrorsintheprotocolstackimplementationMis-configurationsUsersissuingaDoSattackBroadcaststormscanalsooccuronnetworks.Rememberthatswitchesalwaysforwardbroadcastsoutallports.Somenecessaryprotocols,suchasARPandDHCPusebroadcasts;therefore,switchesmustbeabletoforwardbroadcasttraffic.LANStormAttacksMitigationtechniquesincludeconfiguringstormcontrol.StormControlTotal

numberof

broadcastpacketsorbytes6.2.6VLANAttacksVLAN=BroadcastDomain=LogicalNetwork(Subnet)SegmentationFlexibilitySecurityTrunkportspasstrafficforallVLANsusingeitherIEEE802.1Qorinter-switchlink(ISL)VLANencapsulation.AVLANhoppingattackcanbelaunchedinoneoftwoways:IntroducingarogueswitchonanetworkwithDTPenabled.DTPenablestrunkingtoaccessalltheVLANsonthetargetswitch.Double-taggingVLANattackbyspoofingDTPmessagesfromtheattackinghosttocausetheswitchtoentertrunkingmode.TheattackercanthensendtraffictaggedwiththetargetVLAN,andtheswitchthendeliversthepacketstothedestination.VLANAttacksBydefaultmostswitchessupportDynamicTrunkProtocol(DTP)whichautomaticallytrytonegotiatetrunklinks.AnattackercouldconfigureahosttospoofaswitchandadvertiseitselfasbeingcapableofusingeitherISLor802.1q.Ifsuccessful,theattackingsystemthenbecomesamemberofallVLANs.VLANHoppingAttack-RogueSwitchThesecondswitchreceivesthepacket,onthenativeVLANDouble-TaggingVLANAttackAttackeron

VLAN10,butputsa20taginthepacketVictim

(VLAN20)Note:ThisattackworksonlyifthetrunkhasthesamenativeVLANastheattacker.Thefirstswitchstripsoffthefirsttaganddoesnotretagit(nativetrafficisnotretagged).Itthenforwardsthepackettoswitch2.20,1020Trunk

(NativeVLAN=10)802.1Q,802.1Qtrunk802.1Q,FrameFrame1234Thesecondswitchexaminesthepacket,seestheVLAN20tagandforwardsitaccordingly.Involvestaggingtransmittedframeswithtwo802.1qheadersinordertoforwardtheframestothewrongVLAN.Thefirstswitchstripsthefirsttagofftheframeandforwardstheframe.ThesecondswitchthenforwardsthepackettothedestinationbasedontheVLANidentifierinthesecond802.1qheader.UseadedicatednativeVLANforalltrunkports.SetthenativeVLANonthetrunkportstoanunusedVLAN.Disabletrunknegotiationonallportsconnectingtoworkstations.VLANHoppingAttack-Double-TaggingMitigationtechniquesincludeensuringthatthenativeVLANofthetrunkportsisdifferentfromthenativeVLANoftheuserports.6.3ConfiguringLayer2SecurityConfiguringSwitchSecurityConfiguringPortSecurityVerifyingPortSecurityBPDUGuardandRootGuardStormControlVLANConfigurationCiscoSwitchedPortAnalyzerCiscoRemoteSwitchedPortAnalyzerBestPracticesforLayer26.3.1ConfiguringPortSecurityPortSecurityOverviewPortSecurityConfigurationSwitchportPort-SecurityParametersPort-SecurityViolationConfigurationSwitchportPort-SecurityViolationParametersPortSecurityAgingConfigurationSwitchportPort-SecurityAgingParametersTypicalConfigurationPortSecurityOverviewMACAMACAPort0/1allowsMACA

Port0/2allowsMACB

Port0/3allowsMACCAttacker1Attacker20/10/20/3MACFAllowsanadministratortostaticallyspecifyMACAddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddressesConfiguringPortSecurityTopreventMACspoofingandMACtableoverflows,enableportsecurity.PortSecuritycanbeusedtostaticallyspecifyMACaddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddresses.BylimitingthenumberofpermittedMACaddressesonaporttoone,portsecuritycanbeusedtocontrolunauthorizedexpansionofthenetwork.OnceMACaddressesareassignedtoasecureport,theportdoesnotforwardframeswithsourceMACaddressesoutsidethegroupofdefinedaddresses.Securesourceaddressescanbe:ManuallyconfiguredAutoconfigured(learned)PortSecurityWhenaMACaddressdiffersfromthelistofsecureaddresses,theporteither:Shutsdownuntilitisadministrativelyenabled(defaultmode).Dropsincomingframesfromtheinsecurehost(restrictoption).Theportbehaviordependsonhowitisconfiguredtorespondtoasecurityviolation.Shutdownistherecommendedsecurityviolation.PortSecurityCLICommandsswitchportmodeaccess

Switch(config-if)#Setstheinterfacemodeasaccessswitchportport-security

Switch(config-if)#Enablesportsecurityontheinterfaceswitchportport-securitymaximumvalue

Switch(config-if)#SetsthemaximumnumberofsecureMACaddressesfortheinterface(optional)SwitchportPort-SecurityParametersParameterDescriptionmac-address

mac-address(Optional)SpecifyasecureMACaddressfortheportbyenteringa48-bitMACaaddress.YoucanaddadditionalsecureMACaddressesuptothemaximumvalueconfigured.vlanvlan-id(Optional)Onatrunkportonly,specifytheVLANIDandtheMACaddress.IfnoVLANIDisspecified,thenativeVLANisused.vlanaccess(Optional)Onanaccessportonly,specifytheVLANasanaccessVLAN.vlanvoice(Optional)Onanaccessportonly,specifytheVLANasavoiceVLANmac-addresssticky

[mac-address](Optional)Enabletheinterfaceforstickylearningbyenteringonlythemac-addressstickykeywords.Whenstickylearningisenabled,theinterfaceaddsallsecureMACaddressesthataredynamicallylearnedtotherunningconfigurationandconvertstheseaddressestostickysecureMACaddresses.SpecifyastickysecureMACaddressbyenteringthemac-addressstickymac-addresskeywords..maximum

value(Optional)SetthemaximumnumberofsecureMACaddressesfortheinterface.ThemaximumnumberofsecureMACaddressesthatyoucanconfigureonaswitchissetbythemaximumnumberofavailableMACaddressesallowedinthesystem.TheactiveSwitchDatabaseManagement(SDM)templatedeterminesthisnumber.ThisnumberrepresentsthetotalofavailableMACaddresses,includingthoseusedforotherLayer2functionsandanyothersecureMACaddressesconfiguredoninterfaces.Thedefaultsettingis1.vlan[vlan-list](Optional)Fortrunkports,youcansetthemaximumnumberofsecureMACaddressesonaVLAN.Ifthevlankeywordisnotentered,thedefaultvalueisused.vlan:setaper-VLANmaximumvalue.vlanvlan-list:setaper-VLANmaximumvalueonarangeofVLANsseparatedbyahyphenoraseriesofVLANsseparatedbycommas.FornonspecifiedVLANs,theper-VLANmaximumvalueisused.PortSecurityViolationConfigurationswitchportport-securitymac-addresssticky

Switch(config-if)#Enablesstickylearningontheinterface(optional)switchportport-securityviolation{protect|restrict|shutdown}

Switch(config-if)#Setstheviolationmode(optional)switchportport-securitymac-addressmac-address

Switch(config-if)#EntersastaticsecureMACaddressfortheinterface(optional)SwitchportPort-SecurityViolationParametersParameterDescriptionprotect(Optional)Setthesecurityviolationprotectmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Youarenotnotifiedthatasecurityviolationhasoccurred.restrict(Optional)Setthesecurityviolationrestrictmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Inthismode,youarenotifiedthatasecurityviolationhasoccurred.shutdown(Optional)Setthesecurityviolationshutdownmode.Inthismode,aportsecurityviolationcausestheinterfacetoimmediatelybecomeerror-disabledandturnsofftheportLED.ItalsosendsanSNMPtrap,logsasyslogmessage,andincrementstheviolationcounter.Whenasecureportisintheerror-disabledstate,youcanbringitoutofthisstatebyenteringtheerrdisablerecoverycause

psecure-violation

globalconfigurationcommand,oryoucanmanuallyre-enableitbyenteringtheshutdownandnoshutdowninterfaceconfigurationcommands.shutdown

vlanSetthesecurityviolationmodetoper-VLANshutdown.Inthismode,onlytheVLANonwhichtheviolationoccurrediserror-disabled.PortSecurityAgingConfigurationswitchportport-securityaging{static|timetime|type{absolute|inactivity}}

Switch(config-if)#EnablesordisablesstaticagingforthesecureportorsetstheagingtimeortypePortsecurityagingcanbeusedtosettheagingtimeforstaticanddynamicsecureaddressesonaport.Twotypesofagingaresupportedperport:absolute-Thesecureaddressesontheportaredeletedafterthespecifiedagingtime.inactivity-Thesecureaddressesontheportaredeletedonlyiftheyareinactiveforthespecifiedagingtime.SwitchportPort-SecurityAgingParametersParameterDescriptionstaticEnableagingforstaticallyconfiguredsecureaddressesonthisport.timetimeSpecifytheagingtimeforthisport.Therangeis0to1440minutes.Ifthetimeis0,agingisdisabledforthisport.typeabsoluteSetabsoluteagingtype.Allthesecureaddressesonthisportageoutexactlyafterthetime(minutes)specifiedandareremovedfromthesecureaddresslist.typeinactivitySettheinactivityagingtype.Thesecureaddressesonthisportageoutonlyifthereisnodatatrafficfromthesecuresourceaddressforthespecifiedtimeperiod.TypicalConfigurationswitchportmodeaccessswitchportport-securityswitchportport-securitymaximum2

switchportport-securityviolationshutdown switchportport-securitymac-addressstickyswitchportport-securityagingtime120Switch(config-if)#S2PCB(config)#errdisablerecoverycausepsecure-violation(config)#Errdiablerecoveryintervla1006.3.2VerifyingPortSecurityCLICommandsViewSecureMACAddressesMACAddressNotificationsw-class#showport-securitySecurePortMaxSecureAddrCurrentAddrSecurityViolationSecurityAction(Count)(Count)(Count)Fa0/12200ShutdownTotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024CLICommandssw-class#showport-securityinterfacef0/12PortSecurity:EnabledPortstatus:Secure-downViolationmode:ShutdownMaximumMACAddresses:2TotalMACAddresses:1ConfiguredMACAddresses:0Agingtime:120minsAgingtype:AbsoluteSecureStaticaddressaging:DisabledSecurityViolationCount:0ViewSecureMACAddressessw-class#showport-securityaddressSecureMacAddressTableVlanMacAddressTypePortsRemainingAge(mins)

10000.ffff.aaaaSecureConfiguredFa0/12-TotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024MACAddressNotification

MACaddressnotificationallowsmonitoringoftheMACaddresses,atthemoduleandportlevel,addedbytheswitchorremovedfromtheCAMtableforsecureports.NMSMACAMACBF1/1=MACAF1/2=MACBF2/1=MACD

(addressagesout)SwitchCAMTableSNMPtrapssenttoNMSwhennewMACaddressesappearorwhenoldonestimeout.MACDisaway

fromthenetwork.F1/2F1/1F2/1TheMACAddressNotificationfeaturesendsSNMPtrapstothenetworkmanagementstation(NMS)wheneveranewMACaddressisaddedtooranoldaddressisdeletedfromtheforwardingtables.MACAddressNotificationSwitch(config)#macaddress-tablenotificationSwitch(config-if)#snmptrapmac-notificationSwitch(config)#snmp-serverenabletrapsmac-notification6.3.3ConfiguringBPDUGuardandRootGuardConfigurePortfastBPDUGuardDisplaytheStateofSpanningTreeRootGuardVerifyRootGuardCausesaLayer2interfacetotransitionfromtheblockingtotheforwardingstateimmediately,bypassingthelisteningandlearningstates.UsedonLayer2accessportsthatconnecttoasingleworkstationorserver.Itallowsthosedevicestoconnecttothenetworkimmediately,insteadofwaitingforSTPtoconverge.Configuredusingthespanning-treeportfastcommand.PortFastConfigurePortfastCommand

DescriptionSwitch(config-if)#spanning-treeportfast

EnablesPortFastonaLayer2accessportandforcesittoentertheforwardingstateimmediately.Switch(config-if)#nospanning-treeportfast

DisablesPortFastonaLayer2accessport.PortFastisdisabledbydefault.Switch(config)#spanning-treeportfastdefaultGloballyenablesthePortFastfeatureonallnontrunkingports.Switch#showrunning-configinterfacetype

slot/portIndicateswhetherPortFasthasbeenconfiguredonaport.ServerWorkstationThefeaturekeepstheactivenetworktopologypredictable.ItprotectsaswitchednetworkfromreceivingBPDUsonportsthatshouldnotbereceivingthem.ReceivedBPDUsmightbeaccidentalorpartofanattack.IfaportconfiguredwithPortFastandBPDUGuardreceivesaBPDU,theswitchwillputtheportintothedisabledstate.BPDUguardisbestdeployedtowarduser-facingportstopreventrogueswitchnetworkextensionsbyanattackinghost.BPDUGuardBPDUGuardSwitch(config)#spanning-treeportfastbpduguarddefaultGloballyenablesBPDUguardonallportswithPortFastenabledFFFFFBRootBridgeBPDUGuardEnabledAttackerSTPBPDUDisplaytheStateofSpanningTreeSwitch#showspanning-treesummarytotals

Rootbridgefor:none.PortFastBPDUGuardisenabledUplinkFastisdisabledBackboneFastisdisabledSpanningtreedefaultpathcostmethodusedisshortNameBlockingListeningLearningForwardingSTPActive

1VLAN00011<outputomitted>ThefeaturepreventsinterfacesthatareinaPortFast-operationalstatefromsendingorreceivingBPDUs.TheinterfacesstillsendafewBPDUsatlink-upbeforetheswitchbeginstofilteroutboundBPDUs.Thefeaturecanbeconfiguredgloballyorattheinterfacelevel.GloballyenableBPDUfilteringonaswitchsothathostsconnectedtotheseinterfacesdonotreceiveBPDUs.IfaBPDUisreceivedonaPortFast-enabledinterfacebecauseitisconnectedtoaswitch,theinterfacelosesitsPortFast-operationalstatus,andBPDUfilteringisdisabled.Attheinterfacelevel,thefeaturepreventstheinterface