Task 4Configure Miami User Switches and Router to Mitigate Layer 2 Attacks

The steps taken to secure the Miami's router and switches are as follows:

Step 1. Configure port security.

Configure the switch ports on the user switches as access ports and set dynamic port security with the maximum number of addresses learned to 1. The violation mode is to shut down the interface, sticky learning is enabled, and no static MAC addresses are configured:

Switch#configure terminal

Miami-Switch1(config)#interface range fastethernet0/1 - 48

Miami-Switch1(config-if)#switchport mode access Miami-Switch1(config-if)#switchport access VLAN 100 Miami-Switch1(config-if)#switchport port-security Miami-Switch1(config-if)#switchport port-security maximum 1 Miami-Switch1(config-if)#switchport port-security mac-address sticky

Step 2. Explicitly configure trunk ports.

For backbone switch-to-switch connections on the Gigabit Ethernet ports, explicitly configure trunking. Allow user VLANs 100 through 104 to pass via the trunk. Use the dedicated VLAN ID of 200 for the native VLAN of the trunk port:

Miami-Switch1(config)#interface GigabitEthernet0/1

Miami-Switch1(config-if)#switchport mode trunk

Miami-Switch1(config-if)#switchport trunk allowed vlan 100-104 Miami-Switch1(config-if)#switchport trunk native vlan 200


Step 3. Configure STP parameters.

Enable bridge protocol data unit (BPDU) guard to disable ports using portfast upon detection of a BPDU message and disable ports that would become the root bridge based on their BPDU advertisement:

Miami-Switch1#configure terminal

Miami-Switch1(config)#spanning-tree portfast bpduguard default Miami-Switch1(config)#interface GigabitEthernet0/1 Miami-Switch1(config)#spanning-tree guard root

Step 4. Configure DHCP snooping.

Enable DHCP snooping for VLANs 100 through 104. Then configure a rate limit of 70

packets per second on all user ports:

Miami-Switch1#configure terminal Miami-Switch1(config)#ip dhcp snooping Miami-Switch1(config)#ip dhcp snooping vlan 100-104 Miami-Switch1(config)#ip dhcp snooping information option Miami-Switch1(config)#interface range fastethernet 0/1 - 48 Miami-Switch1(config-if)#ip dhcp snooping limit rate 70

Step 5. Disable CDP on user ports.

Disable Cisco Discovery Protocol (CDP) on user ports with the following command:

Miami-Switch1#configure terminal

Miami-Switch1(config)#interface range fastethernet 0/1 - 48

Miami-Switch1(config-if)#no cdp enable

Step 6. Set the VTP password.

Configure a Virtual Terminal Protocol (VTP) domain password for all Miami LAN switches. All these switches must share the same password. Switches without a password or with the wrong password reject VTP advertisements:

Miami-Switch1#configure terminal

Miami-Switch1(config)#vtp password MiamiVTPPass


0 0

Post a comment