Data link layer network security protection

Source: Internet
Author: User
Tags: cisco switch


When we talk about security attacks, we usually think of attacks from outside the LAN: attacks that come from the Internet and target the enterprise's network devices and servers. Security problems inside the enterprise LAN are often ignored. Common data link layer attacks include:

> MAC address flooding

> ARP attacks and spoofing

> DHCP server spoofing and DHCP address depletion

> IP address spoofing

1. Port Security

Cisco switches provide a security mechanism that controls access to a port based on MAC addresses. Port Security restricts traffic by MAC address: you can set the number of hosts allowed on a port (that is, the number of active MAC addresses the port accepts), or manually bind MAC addresses to the port so that only traffic from the bound MAC addresses is forwarded.

Port Security is essentially a form of network access verification: a client can access the LAN only if it meets the configured rules, which prevents unauthorized clients from joining the network. Port Security provides the following functions:

> Restrict user-side traffic based on MAC address

> Prevent MAC address flooding attacks

> Prevent MAC address spoofing attacks

2. Configure switch port security

Enable the port security feature on the switch interface:

Switch(config-if)# switchport port-security

Note: Port security cannot be enabled on a port in dynamic negotiation (DTP) mode; the port must first be statically configured in access or trunk mode.

Configure the maximum number of MAC addresses allowed to access the network through the port:

Switch(config-if)# switchport port-security maximum {max-addresses}

Configure statically bound MAC addresses. The number of statically configured MAC addresses must not exceed the maximum number of MAC addresses allowed on the port.

Switch(config-if)# switchport port-security mac-address {H.H.H}

3. Configure the aging time. By default, the switch does not delete MAC addresses it has learned on an interface. If the hosts connected to a port change frequently, stale MAC addresses remain in the table, and a new client on that port may be unable to communicate. To solve this problem, configure an aging time on the switch interface so that the switch deletes MAC addresses that have had no traffic for a period of time.

Switch(config-if)# switchport port-security aging time {time}

The switch automatically deletes dynamically learned MAC addresses when the aging time expires. The aging type decides how the timer is applied:

Switch(config-if)# switchport port-security aging type {absolute | inactivity}

With the absolute parameter, all secure MAC addresses on the port are deleted when the aging time expires and must be re-learned. With the inactivity parameter, a MAC address is deleted from the address table when the client connected to the port has sent no traffic for the aging time. Note that statically bound MAC addresses can still access the network normally and are not affected by the aging time.

The Cisco switch can also age out statically bound MAC addresses. The configuration command is:

Switch(config-if)# switchport port-security aging static

4. Configure the policy for MAC address violations

A security violation occurs in either of the following cases:

> A new MAC address appears on the port after the maximum number of secure addresses in the MAC address table has already been reached.

> A MAC address configured as secure on another port tries to access this port.

When a violation occurs, one of the following three actions can be configured:

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

Protect: frames from the offending MAC address are discarded, but the port stays up.

Restrict: frames from the offending MAC address are discarded, the port stays up, and the switch logs the violation.

Shutdown: the port is placed in the err-disabled state, which is equivalent to shutting the port down.

When a port is in the err-disabled state, it is not restored automatically by default. There are two ways to restore it:

~ Manual recovery: enter the interface that is in the err-disabled state, shut the port with shutdown, then bring it back with no shutdown; the port returns to the normal state.

~ Automatic recovery: set the err-disable recovery timer. When the port enters the err-disabled state the timer starts, and when it expires the port is restored automatically. These are global configuration commands:

Switch(config)# errdisable recovery cause psecure-violation

Switch(config)# errdisable recovery interval {time}

5. Configure the sticky feature of Port Security

When port security is enabled on every port of the enterprise intranet, configuring statically bound MAC addresses for each port takes a lot of effort. The sticky feature solves this: the MAC addresses dynamically learned on the switch port are converted to sticky MAC addresses and added to the running configuration, which automatically forms static port-security MAC address entries. After the configuration is saved, the switch does not need to re-learn them when it restarts.

Switch(config-if)# switchport port-security mac-address sticky

View the port security status:

Switch# show port-security interface fastEthernet 0/1

View a summary of ports in the err-disabled state:

Switch# show interfaces status err-disabled

To clear the dynamically learned secure MAC addresses for an address or an interface, run:

Switch# clear port-security dynamic {address mac-addr | interface type mod/num}
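The following is an added example, not part of the original article, that ties sections 2 to 5 together into one complete port-security configuration for an access port. The interface name, VLAN number and timer values are assumed for illustration.

```cisco
! Added example (not from the original article): full port-security
! configuration for one access port. Interface, VLAN and timers are assumed.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security requires a static access or trunk mode (no DTP negotiation)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
! Allow at most two hosts on this port (e.g. an IP phone plus a PC)
Switch(config-if)# switchport port-security maximum 2
! Learn the first two MAC addresses and keep them as sticky (static) entries
Switch(config-if)# switchport port-security mac-address sticky
! A third MAC address, or one secured on another port, err-disables the port
Switch(config-if)# switchport port-security violation shutdown
! Age out dynamically learned addresses idle for 10 minutes; sticky/static
! entries are unaffected unless "aging static" is also configured
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit
! Automatically recover a port err-disabled by a violation after 300 seconds
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify the port state, then save so sticky addresses survive a reboot
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
Switch# copy running-config startup-config
```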

DHCP Snooping

DHCP Snooping is a security mechanism that protects the DHCP service. It filters untrusted DHCP packets from hosts or other devices in the network so that clients obtain IP addresses only from the legitimate DHCP server. DHCP snooping prevents DHCP server spoofing and DHCP address depletion, and it can also rate-limit the DHCP requests sent through a port, which reduces DHCP resource exhaustion attacks. Cisco switches support enabling DHCP snooping per VLAN.

DHCP snooping divides switch ports into two types:

Untrusted port: a port connecting to end hosts. A client on an untrusted port may only send DHCP request packets; DHCP server packets (replies) received on an untrusted port are discarded.

Trusted port: a port connecting to the legitimate DHCP server or an aggregation (uplink) port.
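As an added example (not from the original article), here is a DHCP snooping configuration that applies the trusted/untrusted port split and the request rate limit described above. The VLAN number, interface names and rate value are assumed for illustration.

```cisco
! Added example (not from the original article): DHCP snooping on VLAN 10.
! VLAN, interface names and the rate limit are assumed values.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Uplink toward the legitimate DHCP server (or aggregation switch): trusted,
! so DHCP offers/acks arriving here are forwarded to clients
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Client-facing ports stay untrusted (the default): server replies received
! on them are dropped, and client requests are limited to 15 per second
! to blunt address-depletion floods
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
Switch(config)# end
! Verify which VLANs and trusted ports are active, and the learned bindings
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```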
