Computer Network Security – Week 3 – Lab 4
Layer 2 Security
In this lab you will configure basic layer 2 security features that mitigate layer 2 attacks. Unfortunately you will not be able to test most of these features, but you should still become familiar with their configuration, testing, and debugging. All configuration should be done on the 3550 POD switch (use pods 1-8).
Step 1: Mitigate
1. Enable port security (hint: a port must be set to access mode before port security can be enabled on it).
2. Configure the maximum number of MAC addresses that can be learned on each port to 3, except port 1, which should be set to 1.
3. Configure the ports to shut down (go into err-disabled state) if more MAC addresses than the configured maximum try to be learned.
4. Set the ARP timeout to 60 seconds (what is the default?).
5. Configure a static MAC address of 0000.ffff.1111 on port 1.
6. Issue ‘show port-security’ and ‘show port-security interface fastethernet0/1’ and examine the output (note the violation mode, maximum and current address counts, and the violation count).
7. Issue ‘show port-security address’ and examine the output (the static entry for port 1 should appear here).
8. Issue ‘show interfaces status err-disabled’ (a port that port security has shut down after a violation is listed here).
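The following IOS configuration is an added worked example for Step 1; it is not part of the lab handout. It assumes the pod ports are FastEthernet0/1 to 0/5 and that the switch's Layer 3 interface is Vlan1 (the arp timeout command applies to Layer 3 interfaces such as an SVI, not to a Layer 2 access port; the IOS default is 14400 seconds, i.e. 4 hours). Adjust interface names to your pod.

```cisco
! Added example, not from the lab handout. Assumes ports fa0/1-0/5 and SVI Vlan1.
configure terminal
!
! Ports 2-5: access mode, port security, at most 3 learned MACs,
! violation mode shutdown (a 4th source MAC puts the port in err-disabled)
interface range fastethernet0/2 - 5
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
exit
!
! Port 1: only one MAC allowed, and that MAC is configured statically,
! so any other source MAC on this port is a violation
interface fastethernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.ffff.1111
exit
!
! ARP timeout is a Layer 3 interface setting (assumed SVI Vlan1).
! Default is 14400 seconds; the lab asks for 60.
interface vlan 1
 arp timeout 60
exit
!
! Optional: let the switch recover err-disabled ports automatically
! instead of requiring a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! Verification
show port-security
show port-security interface fastethernet0/1
show port-security address
show interfaces status err-disabled
show ip interface vlan 1 | include ARP
```

In shutdown violation mode the port stays err-disabled until you issue shutdown followed by no shutdown on it, or until errdisable recovery re-enables it; the Security Violation Count and Last Source Address fields of show port-security interface tell you which MAC triggered the violation.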
Step 2: Mitigate DHCP Starvation Attacks.
1. Configure VLAN 10 on the switch and put ports 1-5 in VLAN 10.
2. Configure DHCP snooping on VLAN 10, trusting interface fastethernet0/1 so that DHCP server responses are allowed through it, and limiting the interface to 100 DHCP packets per second.
3. Issue the ‘show ip dhcp snooping’ command and examine the output (check that snooping is enabled on VLAN 10 and that fastethernet0/1 is the only trusted port).
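The following IOS configuration is an added worked example for Step 2; it is not part of the lab handout. It assumes the DHCP server is reached through FastEthernet0/1 and that the clients sit on FastEthernet0/2 to 0/5. The rate limit on the untrusted client ports goes beyond what the handout asks for, but it is where a limit actually blunts a starvation flood, since the attacker's DISCOVER storm arrives on a client port.

```cisco
! Added example, not from the lab handout. Assumes server side on fa0/1, clients on fa0/2-0/5.
configure terminal
!
vlan 10
 name LAB-SNOOP
exit
!
interface range fastethernet0/1 - 5
 switchport mode access
 switchport access vlan 10
exit
!
! DHCP snooping must be enabled globally AND per VLAN; with neither, nothing is filtered.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! fa0/1 faces the DHCP server: trusted, so OFFER/ACK from the server are forwarded.
! Rate limit of 100 pps as the lab requires.
interface fastethernet0/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
exit
!
! Client ports stay untrusted (server messages arriving here are dropped, which
! also stops a rogue server). The rate limit here is beyond the handout's step:
! exceeding it err-disables the port, which is what stops a starvation flood.
interface range fastethernet0/2 - 5
 ip dhcp snooping limit rate 100
exit
!
! Caveat: snooping inserts DHCP option 82 by default. A server that rejects
! option 82 from a non-relay will then drop client requests; disable it if so.
no ip dhcp snooping information option
end
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show interfaces status err-disabled
```

If clients stop getting leases after you enable snooping, the usual causes are a missing trust on the server-facing port, the per-VLAN enable left out, or the option 82 behaviour noted above.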
Step 3: Mitigate Spanning Tree Attacks.
1. Configure ports 1-5 to reject BPDUs claiming to be the spanning tree root (root guard), so that a rogue switch cannot take over the root role.
2. Configure ports 3-5 to reject any BPDUs at all (BPDU guard), since end hosts should never send BPDUs.
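The following IOS configuration is an added worked example for Step 3; it is not part of the lab handout. It assumes FastEthernet0/1 to 0/5 are the pod ports and that ports 3-5 connect end hosts, which is why they are also set to PortFast (BPDU guard is normally paired with PortFast on edge ports).

```cisco
! Added example, not from the lab handout. Assumes fa0/1-0/5, with hosts on fa0/3-0/5.
configure terminal
!
! Ports 1-5: root guard. A superior BPDU (one that would make the neighbour root)
! moves the port to root-inconsistent (blocking) instead of re-electing the root.
! The port recovers by itself once the superior BPDUs stop.
interface range fastethernet0/1 - 5
 spanning-tree guard root
exit
!
! Ports 3-5: BPDU guard. Any BPDU at all err-disables the port.
! These are edge ports, so PortFast is enabled as well.
interface range fastethernet0/3 - 5
 spanning-tree portfast
 spanning-tree bpduguard enable
exit
!
! Optional: automatic recovery from a BPDU guard shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
! Verification
show spanning-tree inconsistentports
show spanning-tree interface fastethernet0/3 detail
show interfaces status err-disabled
```

Root guard and BPDU guard differ in what they react to and how they recover: root guard only acts on superior BPDUs and un-blocks the port automatically, while BPDU guard acts on every BPDU and leaves the port err-disabled until it is bounced or errdisable recovery fires. On ports 3-5, where both are configured, BPDU guard wins because it fires on the first BPDU regardless of its contents.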