
Amity Institute of Information Technology

CSIT242 – Switched Networks

Module 1: Introduction to Switched Networks and Basic Switching Concepts and Configuration
Introduction, LAN Design, Switched Networks, Switch Features, The Switched
Environment, Switching Domains, Basic Switch Configuration, Switch
Security: Management and Implementation, Security Concerns in LANs,
Security Best Practices, Switch Port Security

Dr. Partha Sarathi Chakraborty


AIIT, Amity University Uttar Pradesh Noida

The slides are used for education purposes only and are not supported or used for commercial purposes.
Slides are prepared from different Cisco course slides.

Switched Networks


Sections & Objectives


LAN Design
• Explain how switched networks support small to medium-sized businesses.
• Explain how data, voice, and video are converged in a switched network.
• Describe a switched network in a small to medium-sized business.

The Switched Environment


• Explain how Layer 2 switches forward data in a small to medium-sized LAN.
• Explain how frames are forwarded in a switched network.
• Compare a collision domain to a broadcast domain.


Introduction
▪ LAN
▪ A switched network consists of a series of interlinked nodes, called switches. Switches are devices capable of creating temporary connections between two or more devices attached to the switch.
▪ In a switched network, some of these nodes are connected to end systems (computers or telephones, for example). Others are used only for routing.
▪ Switches are designed to interconnect multiple devices on a common network. In a properly designed network, LAN switches are responsible for directing and controlling the flow of data at the access layer to networked resources.
▪ LAN Topology Design: Three different network topology models are the hierarchical model, the redundant model, and the secure model.

Hardware for LAN Design


▪ The following hardware technologies can be applied to LAN design:
• Repeaters
• Hubs
• Bridges
• Switches
• Routers
• Layer 3 switches
• Combining hubs, switches, and routers

OSI Model


LAN Design


Converged Networks
Growing Complexity of Networks

▪ Our digital world is changing.
▪ Information must be accessed from anywhere in the world.

Converged Networks
Elements of a Converged Network
▪ To support collaboration, networks employ
converged solutions.
▪ Data services include voice systems, IP
phones, voice gateways, video support, and
video conferencing.
▪ Call control, voice messaging, mobility, and
automated attendant are also common features.
▪ Multiple types of traffic; only one network to
manage.
▪ Substantial savings over installation and
management of separate voice, video, and data
networks.
▪ Integrates IT management.

Converged Networks
Cisco Borderless Networks
▪ A network architecture that allows organizations to connect anyone, anywhere, anytime, and on any device securely, reliably, and seamlessly.
▪ Designed to address IT and business challenges, such as supporting the converged network and changing work patterns.

Converged Networks
Hierarchy in the Borderless Switched Network
Borderless switched network design guidelines are built upon the following principles:
▪ Hierarchical
▪ Modularity
▪ Resiliency
▪ Flexibility

Converged Networks
Access, Distribution, and Core Layers


Switched Networks
Role of Switched Networks
▪ Switching technologies are crucial to network design.
▪ Switching allows traffic to be sent only where it is needed in most cases, using fast methods.
▪ A switched LAN:
▪ Allows more flexibility
▪ Allows more traffic management
▪ Supports quality of service, additional security, wireless, IP telephony, and mobility services

Switched Networks
Form Factors

Fixed Configuration Switches

Switched Networks
Form Factors

Modular Platform

Switched Networks
Form Factors

Stackable Configuration Switches

The Switched Environment


Frame Forwarding
Switching as a General Concept in Networking and Telecommunications
▪ A switch makes a decision based on ingress and a destination port.
▪ A LAN switch keeps a table that it uses to determine how to forward traffic through the switch.
▪ Cisco LAN switches forward Ethernet frames based on the destination MAC address of the frames.

Frame Forwarding
Dynamically Populating a Switch MAC Address Table
▪ A switch must first learn which devices exist on each port before it
can transmit a frame.
▪ As a switch learns the relationship of ports to devices, it builds a table
called a MAC address or content addressable memory (CAM) table.
▪ CAM is a special type of memory used in high-speed searching
applications.
▪ The information in the MAC address table is used to send frames.
▪ When a switch receives an incoming frame with a MAC address that
is not found in the CAM table, it floods it to all ports, except the one
that received the frame.
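The following Python model is an added example (not code from the course slides or from Cisco) of the learning and forwarding rules just described: it learns the source MAC of each frame on its ingress port, forwards a known unicast frame out of a single port, floods unknown unicast and broadcast frames out of every port except the ingress port, and stops learning once its fixed-size table is full. The port numbers, MAC addresses and table capacity are constructed values.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    ingress: int  # switch port the frame arrived on


class LanSwitch:
    """Toy Layer 2 switch with a fixed-size MAC address (CAM) table.

    Ports are numbered 0..ports-1. 'capacity' models the fixed size of a
    real CAM table: once it is full, new source addresses are not learned.
    """

    def __init__(self, ports: int, capacity: int = 8) -> None:
        self.ports = list(range(ports))
        self.capacity = capacity
        # mac -> port, insertion ordered so the oldest entry comes first
        self.mac_table: "OrderedDict[str, int]" = OrderedDict()

    def learn(self, frame: Frame) -> None:
        """Record (or refresh) the port on which the source MAC was seen."""
        if frame.src in self.mac_table:
            self.mac_table[frame.src] = frame.ingress   # host may have moved
            self.mac_table.move_to_end(frame.src)       # refresh its position
        elif len(self.mac_table) < self.capacity:
            self.mac_table[frame.src] = frame.ingress
        # else: the table is full and the address is not learned

    def forward(self, frame: Frame) -> List[int]:
        """Learn from the frame, then return the list of egress ports."""
        self.learn(frame)
        if frame.dst == BROADCAST:
            return self._flood(frame.ingress)
        port: Optional[int] = self.mac_table.get(frame.dst)
        if port is None:
            return self._flood(frame.ingress)           # unknown unicast
        if port == frame.ingress:
            return []                                    # same segment: filter
        return [port]

    def _flood(self, ingress: int) -> List[int]:
        """Every port except the one the frame came in on."""
        return [p for p in self.ports if p != ingress]


def demo() -> Dict[str, List[int]]:
    """Replay a short, constructed sequence of frames on a 4-port switch."""
    sw = LanSwitch(ports=4)
    # constructed addresses from the IANA documentation range
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    return {
        # A's first frame: B is unknown, so it is flooded to ports 1, 2 and 3
        "a_to_b_unknown": sw.forward(Frame(host_a, host_b, ingress=0)),
        # B replies from port 2: A is already known, so only port 0 is used
        "b_to_a": sw.forward(Frame(host_b, host_a, ingress=2)),
        # A's second frame: B has now been learned on port 2
        "a_to_b_known": sw.forward(Frame(host_a, host_b, ingress=0)),
        # broadcasts always go out every port but the ingress port
        "a_broadcast": sw.forward(Frame(host_a, BROADCAST, ingress=0)),
    }


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name:16s} -> egress ports {egress}")
```

Running the script shows the first frame to an unknown destination being flooded and the same destination being forwarded to a single port once the reply has been learned; the `capacity` argument is what a table-flooding attack exhausts, which is why port security limits how many addresses a port may contribute.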


Frame Forwarding
Switch Forwarding Methods


Frame Forwarding
Store-and-Forward Switching
▪ Allows the switch to:
▪ Check for errors (via FCS check)
▪ Perform automatic buffering
▪ Slower forwarding process

Frame Forwarding
Cut-Through Switching

▪ Allows the switch to start forwarding in about 10 microseconds
▪ No FCS check
▪ No automatic buffering

Switching Domains
Collision Domains
Collision domain - Segment where devices compete to communicate.
Ethernet switch port:
▪ Operating in half duplex, each segment is in its own collision domain.
▪ Operating in full duplex eliminates collisions.
▪ By default, will auto-negotiate full duplex when the adjacent device can also operate in full duplex.

Switching Domains
Broadcast Domains
A broadcast domain is the extent of the network where a broadcast
frame can be heard.
▪ Switches forward broadcast frames to all ports; therefore, switches
do not break broadcast domains.
▪ All ports of a switch, with its default configuration, belong to the same
broadcast domain.
▪ If two or more switches are connected, broadcasts are forwarded to
all ports of all switches, except for the port that originally received the
broadcast.
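As an added example (not part of the slides), the Python function below counts collision and broadcast domains in a small topology using the rules from the two slides above: a hub merges all of its links into one collision domain, every switch or router port is its own collision domain, and only a router separates broadcast domains. The device names and links in example_topology() are constructed; the function goes slightly beyond the slides by handling mixed hub-and-switch topologies.

```python
from typing import Dict, List, Tuple

Link = Tuple[str, str]   # one physical segment between two device names


class DisjointSet:
    """Minimal union-find over arbitrary hashable items."""

    def __init__(self) -> None:
        self.parent: Dict = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b) -> None:
        self.parent[self.find(a)] = self.find(b)

    def groups(self, items) -> int:
        return len({self.find(i) for i in items})


def count_domains(devices: Dict[str, str], links: List[Link]) -> Dict[str, int]:
    """Count collision and broadcast domains in a LAN topology.

    devices maps a name to its kind: "hub", "switch", "router" or "host".
    Rules applied:
      * a hub repeats bits onto every link, so all links on a hub share one
        collision domain; every other link (a switch or router port) is its
        own collision domain;
      * hubs, switches and hosts pass broadcasts between their links, so
        only a router separates broadcast domains.
    """
    collision, broadcast = DisjointSet(), DisjointSet()
    by_device: Dict[str, List[Link]] = {}
    for link in links:
        for end in link:
            by_device.setdefault(end, []).append(link)
    for name, attached in by_device.items():
        kind = devices[name]
        for other in attached[1:]:
            if kind == "hub":
                collision.union(attached[0], other)
            if kind != "router":
                broadcast.union(attached[0], other)
    return {
        "collision_domains": collision.groups(links),
        "broadcast_domains": broadcast.groups(links),
    }


def example_topology() -> Dict[str, int]:
    """Constructed topology: a router feeding two switches, with a hub below S1."""
    devices = {"R1": "router", "S1": "switch", "S2": "switch", "H1": "hub",
               "PC1": "host", "PC2": "host", "PC3": "host", "PC4": "host"}
    links = [("R1", "S1"), ("S1", "PC1"), ("S1", "H1"), ("H1", "PC2"),
             ("H1", "PC3"), ("R1", "S2"), ("S2", "PC4")]
    return count_domains(devices, links)


if __name__ == "__main__":
    print(example_topology())   # 5 collision domains, 2 broadcast domains
```

In the constructed topology the three links on the hub collapse into one collision domain while each of the four switch and router links stays separate, giving five; the router is the only device that stops broadcasts, so the seven links fall into two broadcast domains. Swapping S1 for a hub merges its three links into the hub's collision domain without changing the broadcast count, which is the point of the slide.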


Switching Domains
Alleviating Network Congestion
Switches help alleviate network congestion by:
▪ Facilitating the segmentation of a LAN into separate collision
domains.
▪ Providing full-duplex communication between devices.
▪ Taking advantage of their high-port density.
▪ Buffering large frames.
▪ Employing high-speed ports.
▪ Taking advantage of their fast internal switching process.
▪ Having a low, per-port cost.


Summary
▪ The trend in networks is towards convergence using a single set of wires and devices to
handle voice, video, and data transmission.
▪ There has been a dramatic shift in the way businesses operate.
▪ There are no physical offices or geographic boundaries constraints. Resources must now
be seamlessly available anytime and anywhere.
▪ The Cisco Borderless Network architecture enables different elements, from access
switches to wireless access points, to work together and allow users to access resources
from any place, at any time.
▪ The traditional, three-layer hierarchical design model divides the network into core,
distribution, and access layers, and allows each portion of the network to be optimized for
specific functionality.
▪ It provides modularity, resiliency, and flexibility, which provides a foundation that allows
network designers to overlay security, mobility, and unified communication features.
▪ Switches use either store-and-forward or cut-through switching.
▪ Every port on a switch forms a separate collision domain allowing for extremely high-speed, full-duplex communication.
▪ Switch ports do not block broadcasts and connecting switches can extend the size of the broadcast domain, often resulting in degraded network performance.

Sections & Objectives


Basic Switch Configuration
• Configure initial settings on a Cisco switch.
• Configure switch ports to meet network requirements.

Switch Security: Management and Implementation


• Configure the management virtual interface on a switch.
• Configure the port security feature to restrict network access.


Basic Switch Configuration


Configure a Switch with Initial Settings


Switch Boot Sequence
1. Power-on self test (POST).
2. Run boot loader software.
3. Boot loader performs low-level CPU initialization.
4. Boot loader initializes the flash file system.
5. Boot loader locates and loads a default IOS operating system software
image into memory and passes control of the switch over to the IOS.


Configure a Switch with Initial Settings


Switch Boot Sequence (cont.)
To find a suitable Cisco IOS image, the switch goes through the following steps:
Step 1. It attempts to automatically boot by using information in the BOOT environment
variable.
Step 2. If this variable is not set, the switch performs a top-to-bottom search through the flash
file system. It loads and executes the first executable file, if it can.
Step 3. The IOS software then initializes the interfaces using the Cisco IOS commands found
in the configuration file and startup configuration, which is stored in NVRAM.
Note: The boot system command can be used to set the BOOT environment variable. Use the show boot command to see what the current IOS boot file is set to.

Configure a Switch with Initial Settings


Recovering From a System Crash
▪ The boot loader can also be used to manage the switch if the IOS cannot
be loaded.
▪ The boot loader can be accessed through a console connection by:
1. Connecting a PC by console cable to the switch console port and unplugging the switch power cord.
2. Reconnecting the power cord to the switch while pressing and holding the Mode button.
3. Releasing the Mode button once the System LED turns briefly amber and then solid green.
▪ The boot loader "switch:" prompt appears in the terminal emulation software on the PC.

Configure a Switch with Initial Settings


Switch LED Indicators
▪ Each port on Cisco Catalyst switches has a status LED indicator light.
▪ By default, these LED lights reflect port activity, but they can also provide other information about the switch through the Mode button.
▪ The following modes are available on Cisco Catalyst 2960 switches:
• System LED
• Redundant Power System (RPS) LED
• Port Status LED
• Port Duplex LED
• Port Speed LED
• Power over Ethernet (PoE) Mode LED

Configure a Switch with Initial Settings


Preparing for Basic Switch Management
To remotely manage a Cisco switch, it must be configured to access the
network.
▪ A console cable is used to connect a PC to the console port of a switch for configuration.
▪ The IP information (address, subnet mask, gateway) is to be assigned to a switch virtual
interface (SVI).
▪ If managing the switch from a remote network, a default gateway must also be configured.
▪ Although these IP settings allow remote management and remote access to the switch,
they do not allow the switch to route Layer 3 packets.


Configure a Switch with Initial Settings


Configuring Switch Management Access


Configure a Switch with Initial Settings


Configuring Switch Management Access (cont.)

Configure a Switch with Initial Settings


Configuring Switch Management Access (cont.)

Configure Switch Ports


Duplex Communication


Configure Switch Ports


Configure Switch Ports at the Physical Layer


Configure Switch Ports


Auto-MDIX
▪ Certain cable types (straight-through or crossover) were historically required when
connecting devices.
▪ The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates
this problem.
▪ When auto-MDIX is enabled, the interface automatically detects and appropriately
configures the connection.
▪ When using auto-MDIX on an interface, the interface speed and duplex must be set to
auto.


Configure Switch Ports


Auto-MDIX (cont.)


Configure Switch Ports


Auto-MDIX (cont.)


Configure Switch Ports


Verifying Switch Port Configuration


Configure Switch Ports


Network Access Layer Issue


Configure Switch Ports


Network Access Layer Issue (cont.)


Configure Switch Ports


Troubleshooting Network Access Layer Issues

Switch Security: Management and Implementation

Secure Remote Access


SSH Operation
▪ Secure Shell (SSH) is a protocol that provides a secure (encrypted),
command-line based connection to a remote device.
▪ Because of strong encryption features, SSH should replace Telnet for
management connections.
▪ SSH uses TCP port 22, by default.
▪ Telnet uses TCP port 23.
▪ A version of the IOS software, including cryptographic (encrypted)
features and capabilities, is required to enable SSH on Catalyst 2960
switches.


Secure Remote Access


Configuring SSH
1. Verify SSH support – show ip ssh
2. Configure the IP domain.
3. Generate RSA key pairs.
4. Configure user authentication.
5. Configure the vty lines.
6. Enable SSH version 2.

Secure Remote Access


Verifying SSH


Secure Remote Access


Verifying SSH (cont.)


Switch Port Security


Secure Unused Ports


Switch Port Security


Port Security: Operation
▪ The MAC addresses of legitimate devices are allowed access, while
other MAC addresses are denied.
▪ Any additional attempts to connect by unknown MAC addresses
generate a security violation.
▪ Secure MAC addresses can be configured in a number of ways:
▪ Static secure MAC addresses – manually configured and added to running configuration - switchport port-security mac-address mac-address
▪ Dynamic secure MAC addresses – removed when switch restarts
▪ Sticky secure MAC addresses – added to running configuration and learned dynamically - switchport port-security mac-address sticky interface configuration mode command

Switch Port Security


Port Security: Violation Modes
▪ IOS considers a security violation when:
▪ The maximum number of secure MAC addresses for that interface have
been added to the CAM, and a station whose MAC address is not in the
address table attempts to access the interface.
▪ There are three possible actions to take when a violation is detected:
▪ Protect – no notification received
▪ Restrict – notification received of security violation
▪ Shutdown
▪ switchport port-security violation {protect | restrict | shutdown} interface configuration mode command
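The Python class below is an added example (not from the slides or from Cisco IOS) that models the port security behaviour described on the last two slides: a limited number of secure addresses per port, static and sticky addresses that survive a restart while dynamic ones do not, and the three violation modes (protect drops silently, restrict drops and counts the violation, shutdown additionally err-disables the port until an operator re-enables it). The log message text, the method names and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class SecurePort:
    """Model of port security on one access port (constructed example)."""
    max_addresses: int = 1
    violation: str = "shutdown"                 # protect | restrict | shutdown
    sticky: bool = False                        # learned addresses survive a restart
    static: Iterable[str] = ()                  # addresses configured by hand
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> static|sticky|dynamic
    violation_count: int = 0
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        for mac in self.static:
            self.secure[mac] = "static"

    def ingress(self, src_mac: str) -> str:
        """Apply port security to a frame with this source MAC; return the action taken."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.max_addresses:
            # room left: learn the address (sticky or dynamic, per configuration)
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded"
        # The secure address table is full and this MAC is not in it: a violation.
        if self.violation == "protect":
            return "dropped"                    # no counter, no notification
        self.violation_count += 1
        # constructed message, not the IOS syslog format
        self.log.append(f"port-security violation: unexpected source {src_mac}")
        if self.violation == "restrict":
            return "dropped: violation logged"
        self.err_disabled = True                # shutdown mode
        return "dropped: port err-disabled"

    def restart(self) -> None:
        """Simulate a switch reload: dynamic entries vanish, static and sticky stay."""
        self.secure = {m: kind for m, kind in self.secure.items() if kind != "dynamic"}

    def recover(self) -> None:
        """Operator issues shutdown / no shutdown on the interface to re-enable it."""
        self.err_disabled = False


if __name__ == "__main__":
    port = SecurePort(max_addresses=1, violation="shutdown", sticky=True)
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:01"):
        print(mac, "->", port.ingress(mac))
    print("err-disabled:", port.err_disabled, "violations:", port.violation_count)
```

The `__main__` block shows the shutdown mode: the second, unexpected address err-disables the port, after which even the legitimate host is cut off until `recover()` is called, which is why restrict is often preferred on ports where a brief outage is worse than a logged violation.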


Switch Port Security


Port Security: Violation Modes (cont.)


Switch Port Security


Port Security: Configuring


Switch Port Security


Port Security: Verifying


Switch Port Security


Port Security: Verifying (cont.)


Switch Port Security


Ports in Error Disabled State
▪ A port security violation can put a switch port in the error-disabled state.
▪ A port in the error-disabled state is effectively shut down.
▪ The switch communicates these events through console messages.

Switch Port Security


Ports in Error Disabled State (cont.)

The show interface command also reveals a switch port in the error-disabled state.

The shutdown and no shutdown interface configuration mode commands must be issued to re-enable the port.

Summary
▪ Cisco LAN switch boot sequence.
▪ Cisco LAN switch LED modes.
▪ How to remotely access and manage a Cisco LAN switch through a secure connection.
▪ Cisco LAN switch port duplex modes.
▪ Cisco LAN switch port security, violation modes, and actions.
▪ Best practices for switched networks.


Summary
▪ When a Cisco LAN switch is first powered on it goes through the following boot sequence:
1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST
checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash
device that makes up the flash file system.
2. Next, the switch loads the boot loader software. The boot loader is a small program
stored in ROM and is run immediately after POST successfully completes.
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers,
which control where physical memory is mapped, the quantity of memory, and its
speed.
4. The boot loader initializes the flash file system on the system board.
5. Finally, the boot loader locates and loads a default IOS operating system software
image into memory and gives control of the switch over to the IOS.
▪ If the Cisco IOS files are missing or damaged, the boot loader program can be used to
reload or recover from the problem.
▪ The operational status of the switch is displayed by a series of LEDs on the front panel.
These LEDs display such things as port status, duplex, and speed.


Summary

▪ An IP address is configured on the SVI of the management VLAN to allow for remote
configuration of the device. A default gateway belonging to the management VLAN must be
configured on the switch using the ip default-gateway command. If the default gateway is
not properly configured, remote management is not possible.
▪ It is recommended that Secure Shell (SSH) be used to provide a secure (encrypted)
management connection to a remote device to prevent the sniffing of unencrypted user
names and passwords, which is possible when using protocols such as Telnet.
▪ One of the advantages of a switch is that it allows full-duplex communication between
devices, effectively doubling the communication rate. Although it is possible to specify the
speed and duplex settings of a switch interface, it is recommended that the switch be
allowed to set these parameters automatically to avoid errors.
▪ Port security is only one defense against network compromise.


Security Concern in LANs


Endpoint Security
Network Attacks Today

The news media commonly covers attacks on enterprise networks. Simply search the
internet for “latest network attacks” to find up-to-date information on current attacks. Most
likely, these attacks will involve one or more of the following:
• Distributed Denial of Service (DDoS) – This is a coordinated attack from many
devices, called zombies, with the intention of degrading or halting public access to an
organization’s website and resources.
• Data Breach – This is an attack in which an organization’s data servers or hosts are
compromised to steal confidential information.
• Malware – This is an attack in which an organization’s hosts are infected with
malicious software that cause a variety of problems. For example, ransomware such
as WannaCry encrypts the data on a host and locks access to it until a ransom is
paid.


Endpoint Security
Network Security Devices
Various network security devices are required to protect the network perimeter from
outside access. These devices could include the following:
• Virtual Private Network (VPN) enabled router - provides a secure connection to remote
users across a public network and into the enterprise network. VPN services can be
integrated into the firewall.
• Next-Generation Firewall (NGFW) - provides stateful packet inspection, application
visibility and control, a next-generation intrusion prevention system (NGIPS), advanced
malware protection (AMP), and URL filtering.
• Network Access Control (NAC) - includes authentication, authorization, and accounting
(AAA) services. In larger enterprises, these services might be incorporated into an
appliance that can manage access policies across a wide variety of users and device
types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.


Endpoint Security
Endpoint Protection

• Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices. Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing.
• Endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs).
• Endpoints today are best protected by a combination of NAC, AMP software, an email security appliance (ESA), and a web security appliance (WSA).

Endpoint Security
Cisco Email Security Appliance
The Cisco ESA device is designed to monitor Simple Mail Transfer Protocol (SMTP). The
Cisco ESA is constantly updated by real-time feeds from the Cisco Talos, which detects
and correlates threats and solutions by using a worldwide database monitoring system.
This threat intelligence data is pulled by the Cisco ESA every three to five minutes.

These are some of the functions of the Cisco ESA:
• Block known threats.
• Remediate against stealth malware that evaded initial detection.
• Discard emails with bad links.
• Block access to newly infected sites.
• Encrypt content in outgoing email to prevent data loss.

Endpoint Security
Cisco Web Security Appliance
• The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based
threats. It helps organizations address the challenges of securing and controlling web
traffic.
• The Cisco WSA combines advanced malware protection, application visibility and
control, acceptable use policy controls, and reporting.
• Cisco WSA provides complete control over how users access the internet. Certain
features and applications, such as chat, messaging, video and audio, can be allowed,
restricted with time and bandwidth limits, or blocked, according to the organization’s
requirements.
• The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL
categorization, Web application filtering, and encryption and decryption of web traffic.


Access Control
Authentication with a Local Password
Many types of authentication can be performed on networking devices, and each method offers varying levels of security.
The simplest method of remote access authentication is to configure a login and password combination on console, vty lines, and aux ports.

SSH is a more secure form of remote access:
• It requires a username and a password.
• The username and password can be authenticated locally.

The local database method has some limitations:
• User accounts must be configured locally on each device, which is not scalable.
• The method provides no fallback authentication method.

Access Control
AAA Components

AAA stands for Authentication, Authorization, and Accounting, and provides the primary
framework to set up access control on a network device.

AAA is a way to control who is permitted to access a network (authenticate), what they
can do while they are there (authorize), and to audit what actions they performed while
accessing the network (accounting).


Access Control
Authentication
Local and server-based are two common methods of implementing AAA authentication.

Local AAA Authentication:
• Method stores usernames and passwords locally in a network device (e.g., Cisco router).
• Users authenticate against the local database.
• Local AAA is ideal for small networks.

Server-Based AAA Authentication:
• With the server-based method, the router accesses a central AAA server.
• The AAA server contains the usernames and passwords for all users.
• The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocol to communicate with the AAA server.
• When there are multiple routers and switches, server-based AAA is more appropriate.

Access Control
Authorization

• AAA authorization is automatic and does not require users to perform additional
steps after authentication.

• Authorization governs what users can and cannot do on the network after they
are authenticated.

• Authorization uses a set of attributes that describes the user’s access to the
network. These attributes are used by the AAA server to determine privileges and
restrictions for that user.


Access Control
Accounting
AAA accounting collects and reports usage data. This data can be used for such
purposes as auditing or billing. The collected data might include the start and stop
connection times, executed commands, number of packets, and number of bytes.

A primary use of accounting is to combine it with AAA authentication.
• The AAA server keeps a detailed log of exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and configuration commands issued by the user.
• The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides evidence for when individuals perform malicious acts.

Access Control
802.1X
The IEEE 802.1X standard is a port-based access control and authentication protocol. This
protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible
switch ports. The authentication server authenticates each workstation that is connected to a
switch port before making available any services offered by the switch or the LAN.

With 802.1X port-based authentication, the devices in the network have specific roles:
• Client (Supplicant) - This is a device running 802.1X-compliant client software, which is available for wired
or wireless devices.
• Switch (Authenticator) –The switch acts as an intermediary between the client and the authentication
server. It requests identifying information from the client, verifies that information with the authentication
server, and relays a response to the client. Another device that could act as authenticator is a wireless
access point.
• Authentication server –The server validates the identity of the client and notifies the switch or wireless
access point that the client is or is not authorized to access the LAN and switch services.


Layer 2 Security Threats


Layer 2 Vulnerabilities
Recall that the OSI reference model is divided into seven layers which work independently of each other. The figure shows the function of each layer and the core elements that can be exploited.

Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.

Layer 2 Security Threats


Switch Attack Categories
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak
link. This is because LANs were traditionally under the administrative control of a single organization.
We inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more
sophisticated attacks, our LANs have become more vulnerable to penetration.

Category: Examples
• MAC table attacks: MAC address flooding attacks.
• VLAN attacks: VLAN hopping and VLAN double-tagging attacks; also attacks between devices on a common VLAN.
• DHCP attacks: DHCP starvation and DHCP spoofing attacks.
• ARP attacks: ARP spoofing and ARP poisoning attacks.
• Address spoofing attacks: MAC address and IP address spoofing attacks.
• STP attacks: Spanning Tree Protocol manipulation attacks.

Layer 2 Security Threats


Switch Attack Mitigation Techniques
Solution: Description
• Port Security: Prevents many types of attacks, including MAC address flooding attacks and DHCP starvation attacks.
• DHCP Snooping: Prevents DHCP starvation and DHCP spoofing attacks, and builds the binding table that DAI and IPSG rely on.
• Dynamic ARP Inspection (DAI): Prevents ARP spoofing and ARP poisoning attacks.
• IP Source Guard (IPSG): Prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. The
following strategies are recommended:
• Always use secure variants of management protocols such as SSH, Secure Copy Protocol
(SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
• Consider using out-of-band management network to manage devices.
• Use a dedicated management VLAN where nothing but management traffic resides.
• Use ACLs to filter unwanted access.
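The four recommendations above, applied to a switch, as an added example that is not part of the original slides. The hostname S1, the domain name, VLAN 99, the 10.0.99.0/24 management subnet, the username and the ACL name are assumptions chosen for illustration.

```cisco
! Added example, not from the slides. Hostname, domain, VLAN 99, the
! 10.0.99.0/24 management subnet, the username and the ACL name are assumptions.
! Hostname and domain name must exist before the RSA key pair can be generated.
Switch(config)# hostname S1
S1(config)# ip domain-name example.com
S1(config)# crypto key generate rsa modulus 2048
S1(config)# ip ssh version 2
S1(config)# username admin privilege 15 secret <strong-password>
!
! Dedicated management VLAN carrying nothing but management traffic
S1(config)# vlan 99
S1(config-vlan)# name MANAGEMENT
S1(config-vlan)# exit
S1(config)# interface vlan 99
S1(config-if)# ip address 10.0.99.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 10.0.99.1
!
! Only hosts on the management subnet may reach the vty lines; log the rest
S1(config)# ip access-list standard MGMT-ACCESS
S1(config-std-nacl)# permit 10.0.99.0 0.0.0.255
S1(config-std-nacl)# deny any log
S1(config-std-nacl)# exit
!
! SSH only (no Telnet), local authentication, ACL on the lines, idle timeout
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# access-class MGMT-ACCESS in
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit
!
! Replace the plaintext HTTP server with HTTPS if web management is needed
S1(config)# no ip http server
S1(config)# ip http secure-server
S1(config)# end
S1# show ip ssh
```

Apply this from a console session or keep the current session open until an SSH login from the management subnet has been tested; transport input ssh and the access-class together will lock out any session that does not meet both conditions, including the one you are configuring from if it arrived over Telnet.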


MAC Address Table Attack


Switch Operation Review
Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table based on
the source MAC addresses in received frames. This is called a MAC address table. MAC
address tables are stored in memory and are used to more efficiently switch frames.


MAC Address Table Attack


MAC Address Table Flooding
All MAC tables have a fixed size and consequently, a switch can run out of resources in
which to store MAC addresses. MAC address flooding attacks take advantage of this
limitation by bombarding the switch with fake source MAC addresses until the switch MAC
address table is full.
When this occurs, the switch can no longer learn new source addresses. Frames destined for a MAC address that is not in the table are treated as unknown unicasts and flooded out all ports in the same VLAN without a lookup. This allows a threat actor connected to that VLAN to capture frames sent from one host to another on the local LAN or VLAN.
Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local LAN or VLAN to which the threat actor is connected, and only for as long as the table is kept full, which is why flooding tools send continuously.


MAC Address Table Attack


MAC Address Table Attack Mitigation

What makes tools such as macof so dangerous is that an attacker can create a MAC
table overflow attack very quickly. For instance, a Catalyst 6500 switch can store 132,000
MAC addresses in its MAC address table. A tool such as macof can flood a switch with
up to 8,000 bogus frames per second; creating a MAC address table overflow attack in a
matter of a few seconds.

Another reason why these attack tools are dangerous is because they not only affect the
local switch, they can also affect other connected Layer 2 switches. When the MAC
address table of a switch is full, it starts flooding out all ports including those connected to
other Layer 2 switches.

To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security only allows a specified number of source MAC addresses to be learned on a port, so a flood of bogus source addresses triggers a violation on that port instead of filling the table. Port security is configured and verified in the Switch Port Security section that follows.


Switch Port Security


Implement Port Security


Secure Unused Ports

Layer 2 attacks are some of the easiest for hackers to deploy but these threats can also
be mitigated with some common Layer 2 solutions.
• All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
• A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. Navigate to each
unused port and issue the Cisco IOS shutdown command. If a port must be
reactivated at a later time, it can be enabled with the no shutdown command.
• To configure a range of ports, use the interface range command.

Switch(config)# interface range type module/first-number – last-number
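Securing the unused ports of a 24-port switch, as an added example that is not part of the original slides. The hostname S1, the assumption that only Fa0/1 to Fa0/4 are in use, the description text and the show output (representative and abbreviated) are all assumptions.

```cisco
! Added example, not from the slides. Hostname, port ranges and descriptions
! are assumptions; the show output is representative and abbreviated.
S1(config)# interface range fastethernet 0/5 - 24
S1(config-if-range)# description UNUSED - disabled by policy
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Check: unused ports must report "disabled", not "notconnect".
! "notconnect" means administratively up with nothing plugged in, i.e. an open port.
S1# show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5     UNUSED - disabled  disabled     1            auto   auto 10/100BaseTX
Fa0/24    UNUSED - disabled  disabled     1            auto   auto 10/100BaseTX
! Re-enable a single port later, only when a device is approved for it
S1(config)# interface fastethernet 0/7
S1(config-if)# description Printer - 2nd floor
S1(config-if)# no shutdown
```

The description is what makes the later audit cheap: a port that is up but carries a description saying it should be disabled is an immediate finding in show interfaces status.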


Implement Port Security


Mitigate MAC Address Table Attacks

The simplest and most effective method to prevent MAC address table overflow attacks is
to enable port security.
• Port security limits the number of valid MAC addresses allowed on a port. It allows an
administrator to manually configure MAC addresses for a port or to permit the switch
to dynamically learn a limited number of MAC addresses. When a port configured with
port security receives a frame, the source MAC address of the frame is compared to
the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
• By limiting the number of permitted MAC addresses on a port to one, port security can
be used to control unauthorized access to the network.


Implement Port Security


Enable Port Security
Port security is enabled with the switchport port-security interface configuration
command.

If the command is entered on a switch port that is still in its default mode, it is rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto, meaning they negotiate trunking with DTP rather than being statically access or trunk ports. Therefore, the port must first be configured with the switchport mode access interface configuration command, after which switchport port-security is accepted.

Note: Trunk port security is beyond the scope of this course.


Implement Port Security


Enable Port Security (Cont.)
Use the show port-security interface command to display the current port security settings for FastEthernet 0/1.
• With no further configuration, the output shows the defaults: port security is enabled, the violation mode is shutdown, and the maximum number of MAC addresses is 1.
• If a device is connected to the port, the switch will automatically add the device's MAC address as a secure MAC. In this example, no device is connected to the port.

Note: If an active port is configured with the switchport port-security command while more than one device is connected to it (for example, a port that feeds a small unmanaged switch), the second source MAC address exceeds the default maximum of 1 and, in the default shutdown violation mode, the port transitions to the error-disabled state.


Implement Port Security


Enable Port Security (Cont.)
After port security is enabled, other port security specifics can be configured, as shown in
the example.


Implement Port Security


Limit and Learn MAC Addresses

To set the maximum number of MAC addresses allowed on a port, use the following
command:
Switch(config-if)# switchport port-security maximum value

• The default maximum is 1.
• The maximum number of secure MAC addresses that can be configured depends on the switch model and the IOS version; on the switch used in the example, the system-wide limit is 8192.
• Choose the maximum deliberately: it should match the number of devices legitimately behind the port, because every additional allowed address is one more that an attacker on that port could use.


Implement Port Security


Limit and Learn MAC Addresses (Cont.)
The switch can be configured to learn MAC addresses on a secure port in one of three ways:
1. Manually configured: The administrator configures each static secure MAC address with the following command, once per secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
2. Dynamically learned: Once switchport port-security is enabled, the source MAC address of the first frame received from the device connected to the port is automatically secured, but it is held only in the MAC address table and is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
3. Dynamically learned - sticky: The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
Sticky addresses appear in the running configuration as switchport port-security mac-address sticky entries under the interface. Saving the running configuration commits the dynamically learned MAC addresses to NVRAM so they survive a reload.


Implement Port Security


Limit and Learn MAC Addresses (Cont.)

The example demonstrates a complete port security configuration for FastEthernet 0/1.
• The administrator specifies a maximum of 4 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional sticky secure MAC addresses, up to the maximum of 4 (the statically configured address counts toward that maximum).
• Use the show port-security interface and the show port-security address commands to verify the configuration.


Implement Port Security


Port Security Aging

Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
• Absolute - The secure addresses on the port are deleted after the specified aging time.
• Inactivity - The secure addresses on the port are deleted if they are inactive for the specified time.

Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses, for example on a shared desk or lab port where the attached device changes regularly.
• Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Use the switchport port-security aging command to enable or disable static aging for the secure port, or to set the aging time (in minutes) or the aging type.


Implement Port Security


Port Security Aging (Cont.)
The example shows an administrator configuring the aging type to inactivity with an aging time of 10 minutes.

The show port-security interface command confirms the changes.


Implement Port Security


Port Security Violation Modes

A port security violation occurs when a frame arrives on a secure port from a source MAC address that is not in the port's secure address list after the maximum number of secure addresses has already been reached, or when a MAC address that is secure on one port appears on another secure port in the same VLAN. What the switch does next depends on the configured violation mode; with the default mode, the port enters the error-disabled state.
• To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

The following describes how a switch reacts based on the configured violation mode.

• shutdown (default): The port transitions to the error-disabled state immediately, turns off the port LED, sends a syslog message, and increments the violation counter. While a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and then no shutdown commands (unless errdisable recovery has been configured for port security violations).
• restrict: The port stays up but drops frames with unknown source MAC addresses until enough secure MAC addresses are removed to drop below the maximum value, or the maximum value is increased. Each violating frame increments the Security Violation counter and generates a syslog message.
• protect: The least secure of the violation modes. The port stays up and drops frames with unknown source MAC addresses, as in restrict mode, but no syslog message is sent and the violation counter is not incremented, so an attack leaves no trace in the logs or in show port-security output.


Implement Port Security


Port Security Violation Modes (Cont.)

The example shows an administrator changing the security violation mode to restrict.

The output of the show port-security interface command confirms that the change has been made.
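The whole procedure from the preceding slides (enabling port security, setting the maximum, static and sticky learning, aging and the violation mode) on one port, as an added example that is not part of the original slides. The hostname S1, the MAC addresses aaaa.bbbb.1234 and aaaa.bbbb.5678 and the show output are assumptions; the output is representative of Catalyst IOS and assumes a host with MAC aaaa.bbbb.5678 is connected and has sent traffic.

```cisco
! Added example, not from the slides. Hostname and MAC addresses are constructed;
! the show output is representative and assumes one host (aaaa.bbbb.5678) is active.
S1(config)# interface fastethernet 0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
! The port is still in the default dynamic auto mode: make it a static access port first
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Allow 4 secure MACs: one configured statically, the rest learned and made sticky
S1(config-if)# switchport port-security maximum 4
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
! Age out dynamically learned addresses after 10 minutes without traffic
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
! Weak setting would be "violation protect": frames dropped silently, no log, no counter.
! "restrict" keeps the port up but logs and counts every violation.
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1# show port-security interface fastethernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : aaaa.bbbb.5678:1
Security Violation Count   : 0
! Sticky addresses are written into the running configuration as they are learned;
! save it so they survive a reload
S1# show running-config interface fastethernet 0/1 | include sticky
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.bbbb.5678
S1# copy running-config startup-config
```

Two points worth checking on your own platform: the static address counts toward the maximum of 4, so only three more addresses can be learned; and on many Catalyst platforms sticky secure addresses are not subject to aging, so the 10-minute inactivity timer above only affects non-sticky dynamic entries. Consult the configuration guide for the switch in use before relying on aging to recycle a port.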


Implement Port Security


Ports in error-disabled State
When a port is shutdown and placed in the error-disabled state, no traffic is sent or
received on that port.
A series of port security related messages display on the console, as shown in the
following example.

Note: The port protocol and link status are changed to down and the port LED is turned off.


Implement Port Security


Ports in error-disabled State (Cont.)

• In the example, the show interface command identifies the port status as err-disabled. The output of the show port-security interface command now shows the port status as secure-shutdown, and the Security Violation counter has incremented by 1.
• The administrator should determine what caused the security violation. If an unauthorized device is connected to the secure port, the security threat must be eliminated before the port is re-enabled; otherwise the port will simply be disabled again.
• To re-enable the port, first use the shutdown command, then use the no shutdown command.
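What the console, the interface status and the recovery look like when a port in the default shutdown mode trips, as an added example that is not part of the original slides. The hostname S1, the timestamps and the MAC address aaaa.bbbb.9999 are constructed; the message lines follow the IOS syslog format for these events but are representative, not captured output. The errdisable recovery commands at the end are an optional addition the slides do not cover.

```cisco
! Added example, not from the slides. Timestamps and the MAC address are
! constructed; messages are representative of the IOS console output format.
! A second, unauthorized device starts sending on Fa0/1 (maximum 1, mode shutdown):
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.9999 on port FastEthernet0/1.
Sep 20 06:44:55.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
! Confirm the state and the offending address before touching the port
S1# show interfaces fastethernet 0/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 1            auto   auto 10/100BaseTX
S1# show port-security interface fastethernet 0/1 | include Status|Violation|Last Source
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address:Vlan   : aaaa.bbbb.9999:1
Security Violation Count   : 1
! Remove the unauthorized device, then bounce the port
S1(config)# interface fastethernet 0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
! Optional: automatic recovery after 5 minutes. An attacker who stays plugged in
! simply trips the port again, so this saves an on-site visit, not the investigation.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
S1# show errdisable recovery
```

The Last Source Address field is the first thing to record in the incident note: it identifies the device that caused the violation, which is the evidence needed before the port is brought back up.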


Implement Port Security


Verify Port Security
After configuring port security on a switch, check each interface to verify that the port
security is set correctly, and check to ensure that the static MAC addresses have been
configured correctly.

To display port security settings for the switch, use the show port-security command.
• The example indicates that all 24 interfaces are configured with the switchport port-security command, because each shows a maximum allowed of 1 and a violation mode of shutdown.
• No devices are connected, therefore the CurrentAddr (Count) is 0 for each interface.


Implement Port Security


Verify Port Security (Cont.)

Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.


Implement Port Security


Verify Port Security (Cont.)

To verify that MAC addresses are "sticking" to the configuration, use the show running-config command, as shown in the example for FastEthernet 0/19: each learned address appears as a switchport port-security mac-address sticky line under the interface.


Implement Port Security


Verify Port Security (Cont.)

To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command, as shown in the example.
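Switch-wide verification of the port security configuration, as an added example that is not part of the original slides. The hostname S1, the MAC addresses and the per-port states are assumptions: Fa0/1 is configured with a maximum of 4, one static and one sticky address and restrict mode, and the remaining ports have port security enabled with the defaults. The output is representative Catalyst IOS output, abbreviated to a few ports.

```cisco
! Added example, not from the slides. Hostname, MAC addresses and port states are
! assumptions; output is representative and abbreviated.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              4            2                  0         Restrict
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

! Per-address view: Type tells you how each entry was learned
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/1        -
   1    aaaa.bbbb.5678    SecureSticky                  Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

! Sticky entries must also be in the running configuration, and the saved one
S1# show running-config interface fastethernet 0/1 | include sticky
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.bbbb.5678
S1# show startup-config | include sticky aaaa.bbbb.5678
 switchport port-security mac-address sticky aaaa.bbbb.5678
```

Three checks fall out of this output: any port whose Security Action is Protect is a port where violations are invisible; a SecurityViolation count that is non-zero on a Restrict port is an event to investigate even though the port is still up; and a sticky address present in the running configuration but absent from the startup configuration will be lost at the next reload.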
