CCNP SWITCH/Securing the Campus Infrastructure
Revision as of 10:54, 2 September 2011
This article is under development....
Securing the Campus Infrastructure
Security Infrastructure Services
Rogue Devices
Company employees sometimes plug inexpensive APs into company network devices to extend the network, but securing those wireless APs is not always a priority. Wired rogue devices can also be a problem, because a device attached to an unused switch port is hard to distinguish from a legitimate host.
Layer 2 Attack Categories
MAC Layer Attacks
MAC address flooding
Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space, disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Mitigation:
Port security. MAC address VLAN access maps.
VLAN Attacks
VLAN Hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
Mitigation:
Tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN.
Attacks between devices on a common VLAN
Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
Mitigation:
Implement private VLANs (PVLAN).
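The three mitigations above (port security, trunk hardening, private VLANs) as an added Cisco IOS configuration example; this is not from the original article, and the interface names, VLAN numbers and the MAC-address limit are assumed values chosen for illustration.

```cisco
! Added example (not part of the original article). Interface names,
! VLAN numbers and the MAC count below are assumed values.
!
! --- MAC address flooding: port security on an access port ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- VLAN hopping: no DTP negotiation, an unused native VLAN on the
!     trunk, and unused access ports parked in a dead-end VLAN ---
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet0/10 - 23
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! --- Attacks between hosts on a common VLAN: private VLANs ---
! PVLANs require VTP transparent mode (VTP version 1/2).
vtp mode transparent
vlan 201
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Isolated host port: can talk only to the promiscuous port
interface GigabitEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Promiscuous port (e.g. toward the default gateway)
interface GigabitEthernet0/6
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
```

Verify the result with `show port-security interface GigabitEthernet0/1`, `show interfaces trunk` and `show vlan private-vlan`.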