Port & Network security
Securing switchports and avoiding spoofing attacks (ARP / DHCP) on a Cisco device.
Port security
Restricting VLAN access
Restricting access to VLANs is covered in the VLANs and trunking chapter.
Restrict MACs
Limits which and how many source MAC addresses a port accepts, which stops MAC flooding and unauthorized devices on an access port.
config-if#
! Port security is only accepted on a port in access (or static trunk) mode, not on a dynamic port
! Enable port-security (default: maximum 1 address, violation mode shutdown)
switchport port-security
! Maximum number of secure MAC addresses on the port (static + learned)
switchport port-security maximum 5
! Manually configure a static secure MAC address
switchport port-security mac-address 0123.4567.89ab
! Dynamically learn addresses until the maximum is reached and keep them in the running config
switchport port-security mac-address sticky
! Remove dynamically learned addresses that have been inactive for 10 minutes
switchport port-security aging time 10
switchport port-security aging type inactivity
Security violations
A violation occurs when a frame arrives from a MAC address that is not secure while the maximum has already been reached.
config-if#
! shutdown (default): err-disable the port; restrict: drop the frame, count it and send a syslog/SNMP trap; protect: drop silently
switchport port-security violation shutdown
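The decision a port-security-enabled port makes per frame, as an added Python model (illustration only, not switch code; the port settings, MAC addresses and minute counter are constructed, and the `SecurePort` class and its methods are inventions for this example). It mirrors the maximum, sticky, aging and violation-mode behaviour configured above, including the fact that an err-disabled port passes nothing until it is recovered.

```python
"""Model of how a port-security-enabled switchport forwards or drops a frame.

Constructed example: the port, its settings and the MAC addresses are made up.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Violation(Enum):
    PROTECT = "protect"    # drop frames from unknown MACs silently, no counter
    RESTRICT = "restrict"  # drop, increment the violation counter, syslog/SNMP trap
    SHUTDOWN = "shutdown"  # err-disable the whole port (IOS default)


@dataclass
class SecurePort:
    maximum: int = 1                          # switchport port-security maximum N
    violation: Violation = Violation.SHUTDOWN
    sticky: bool = False                      # switchport port-security mac-address sticky
    aging_time: int = 0                       # minutes; 0 = aging disabled (inactivity type)
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> static|sticky|dynamic
    last_seen: Dict[str, int] = field(default_factory=dict)    # mac -> minute of last frame
    violations: int = 0
    err_disabled: bool = False
    last_violator: Optional[str] = None

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: counts against the maximum."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure_macs[mac] = "static"

    def frame_from(self, mac: str, minute: int = 0) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        if self.err_disabled:
            return False                      # an err-disabled port passes nothing
        if mac in self.secure_macs:
            self.last_seen[mac] = minute
            return True
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address (sticky entries survive in the running config)
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            self.last_seen[mac] = minute
            return True
        # Table is full and this MAC is not in it: a security violation
        self.last_violator = mac
        if self.violation is Violation.PROTECT:
            return False                      # silently dropped, nothing counted
        self.violations += 1
        if self.violation is Violation.SHUTDOWN:
            self.err_disabled = True          # recover with shutdown / no shutdown
        return False

    def expire(self, minute: int) -> None:
        """aging type inactivity: drop dynamic addresses idle for aging_time minutes.
        Static and sticky entries are not aged (that needs 'aging static' as well)."""
        if self.aging_time <= 0:
            return
        for mac in list(self.secure_macs):
            if (self.secure_macs[mac] == "dynamic"
                    and minute - self.last_seen[mac] >= self.aging_time):
                del self.secure_macs[mac]
                del self.last_seen[mac]

    def sticky_config_lines(self) -> List[str]:
        """What 'show running-config' would list for sticky-learned addresses."""
        return [f"switchport port-security mac-address sticky {m}"
                for m, kind in self.secure_macs.items() if kind == "sticky"]
```

With `violation shutdown` one unknown MAC takes the whole port down, so a port that serves a phone plus a PC needs `maximum 2` (or more) before sticky learning is turned on, otherwise the second device is the "violation".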
Evaluation
#
show port-security
show port-security address
show port-security interface fa0/1
DHCP snooping
Stops rogue DHCP servers: DHCP server messages (OFFER, ACK, NAK) are only accepted on trusted ports, and the leases seen on untrusted ports populate the DHCP snooping binding table that ARP inspection relies on.
config#
! Enable globally
ip dhcp snooping
! Enable on specific VLANs; nothing is inspected until a VLAN is listed here
ip dhcp snooping vlan 5,10,40-42
! Trust only the interfaces behind which the legitimate DHCP server sits; every other port is untrusted by default
interface gi0/1
ip dhcp snooping trust
! Rate-limit DHCP packets on untrusted (client-facing) interfaces
interface fa0/1
! ip dhcp snooping limit rate <packets per second>; exceeding the rate err-disables the port
ip dhcp snooping limit rate 5
ARP inspection
Dynamic ARP Inspection (DAI) drops ARP packets on untrusted ports whose sender MAC/IP pair does not match an entry in the DHCP snooping binding table, which defeats ARP spoofing. Requires DHCP snooping to be active on the same VLANs!
config#
! Enable per VLAN
ip arp inspection vlan 5,10,40-42
! Trust the uplink interfaces; ARP arriving on access ports is validated
interface gi0/1
ip arp inspection trust
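How DHCP snooping and Dynamic ARP Inspection work together, as an added Python model covering both sections above (illustration only, not switch code; the `Switch` class, its methods, the port names, VLAN numbers, MAC and IP addresses are all constructed for this example). Snooping builds the binding table from leases it sees on untrusted ports, drops server messages arriving on untrusted ports and enforces the per-port rate limit; DAI then checks each ARP packet on an untrusted port against that table.

```python
"""Model of DHCP snooping + Dynamic ARP Inspection on one switch.

Constructed example: trust states, VLANs, packets and addresses are made up inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only legitimate from trusted ports


@dataclass(frozen=True)
class Binding:
    """One entry of the binding table ('show ip dhcp snooping binding')."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    snooping_vlans: Set[int]                  # ip dhcp snooping vlan ...
    dai_vlans: Set[int]                       # ip arp inspection vlan ...
    trusted_ports: Set[str]                   # ip dhcp snooping trust / ip arp inspection trust
    rate_limit: Dict[str, int] = field(default_factory=dict)  # port -> pps limit
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, client mac) -> port
    err_disabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _pps: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (port, second) -> count

    def dhcp(self, port: str, vlan: int, src_mac: str, chaddr: str, msg: str,
             second: int = 0, yiaddr: Optional[str] = None) -> bool:
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if port in self.err_disabled:
            return False
        if vlan not in self.snooping_vlans:
            return True                       # snooping not enabled on this VLAN: nothing inspected
        key = (vlan, chaddr)
        if port in self.trusted_ports:
            # Server side: an ACK completes a lease -> binding on the client's ingress port
            if msg == "ACK" and yiaddr and key in self.pending:
                self.bindings[key] = Binding(chaddr, yiaddr, vlan, self.pending.pop(key))
            return True
        # Untrusted (client-facing) port from here on
        limit = self.rate_limit.get(port)
        if limit is not None:
            seen = self._pps.get((port, second), 0) + 1
            self._pps[(port, second)] = seen
            if seen > limit:
                self.err_disabled.add(port)
                self.log.append(f"{port}: DHCP rate limit {limit} pps exceeded, err-disabled")
                return False
        if msg in SERVER_MESSAGES:
            self.log.append(f"{port}: dropped {msg} from untrusted port (rogue DHCP server)")
            return False
        if src_mac != chaddr:                 # MAC address verification (on by default)
            self.log.append(f"{port}: dropped {msg}, source MAC {src_mac} != chaddr {chaddr}")
            return False
        self.pending[key] = port              # remember where the client asked from
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: forward ARP only if sender MAC/IP/VLAN/port match a binding."""
        if port in self.err_disabled:
            return False
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            self.log.append(f"{port}: DAI dropped ARP {sender_mac}/{sender_ip}, no matching binding")
            return False
        return True


def demo() -> Switch:
    """A legitimate lease: client on Fa0/1 asks, the real server behind Gi0/1 answers."""
    sw = Switch(snooping_vlans={10}, dai_vlans={10}, trusted_ports={"Gi0/1"},
                rate_limit={"Fa0/1": 5, "Fa0/2": 5})
    sw.dhcp("Fa0/1", 10, "0011.2233.4455", "0011.2233.4455", "DISCOVER")
    sw.dhcp("Gi0/1", 10, "aaaa.bbbb.cccc", "0011.2233.4455", "OFFER", yiaddr="10.0.10.50")
    sw.dhcp("Fa0/1", 10, "0011.2233.4455", "0011.2233.4455", "REQUEST")
    sw.dhcp("Gi0/1", 10, "aaaa.bbbb.cccc", "0011.2233.4455", "ACK", yiaddr="10.0.10.50")
    return sw
```

The model shows why the two features are configured together: with DAI enabled on a VLAN where DHCP snooping is off, no bindings ever exist and every ARP packet from an access port is dropped, which is the usual cause of "DAI broke the network" reports. Hosts with static addresses need an ARP ACL or a static binding for the same reason.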
BPDU Guard (STP)
Err-disables a port as soon as it receives a BPDU. A port facing an end device should never see one, so a BPDU there means an unexpected switch (or a host sending STP frames) is attached.
config#
! Per interface, on ports attached to end devices
interface fa0/1
spanning-tree portfast
spanning-tree bpduguard enable
! Or globally: enable BPDU guard on all PortFast ports by default
spanning-tree portfast bpduguard default