

This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow attacks, and disallowing MAC address spoofing. Other switch-related security topics include port security, Switch Port Analyzer (SPAN), Remote SPAN (RSPAN), VLAN access control lists (VACL), private VLANs, rate limiting, and MAC address notification.

Shared media hubs have largely been eliminated from today's corporate networks, with Ethernet switches taking their place. An Ethernet switch learns the source MAC addresses of the frames arriving on each of its ports and stores them in its CAM table (also known as a MAC address table). Then, when a frame enters the switch, the switch forwards the frame based on the frame's destination MAC address. However, if the switch does not have the frame's destination MAC address stored in its CAM table, or if the frame's destination MAC address is the broadcast address of all Fs (that is, FFFF.FFFF.FFFF), the frame is forwarded out all ports other than the port it was received on. Many Ethernet switches can also logically group ports to form a Virtual LAN (VLAN), where each VLAN is its own broadcast domain. Traffic must be routed to travel from one VLAN to another VLAN.

Cisco Catalyst switches operate at Layer 2 of the OSI model (the Data Link Layer), as illustrated in Figure 6-1. If an attacker were to gain control of an Ethernet switch operating at Layer 2, all the upper layers could be compromised. As a result, Layer 2 switches, such as the Cisco Catalyst series, might appear to be an attractive target of attacks.

Basic Approaches to Protecting Layer 2 Switches

Although this chapter explores several advanced approaches to securing Ethernet switches, for now, consider the following basic approaches to Layer 2 protection, which should be applied to switches throughout the network:

Physical

Telnet access: Administrators can connect to a Cisco Catalyst switch using Telnet. Unfortunately, Telnet is not a secure protocol: the whole session, including the login credentials, crosses the network in cleartext. If an attacker intercepted the Telnet packets, he might be able to glean the password credentials necessary to gain administrative access to the switch. Therefore, Secure Shell (SSH) is preferred as an alternative to Telnet, because it offers confidentiality and data integrity. Administrators alternatively can configure the switch via the switch's console port.

During problem analysis it was found that traffic in vlan 950 on the switch "ekb_s9312_dmz2" was coming in on interface eth-trunk2, but there was no outgoing traffic in vlan 950 on interface eth-trunk5, as the interface statistics showed.

After this it was found that in the mac-address table all MACs were learned on interface eth-trunk2:

Total matching items on slot 5 displayed = 63

In the case of mirroring both incoming and outgoing traffic (from the SGSN and the GGSN) such a mac-address table on the switch ekb_s9312_dmz2 is normal, but at the same time none of the mirrored Ethernet frames were switched and sent out through the outgoing interface eth-trunk5, because the switch drops Ethernet frames that arrive on the interface on which it has learned the frame's destination MAC address. For example, A is a source MAC address and B is a destination MAC address, and the switch has learned A's MAC address on the incoming interface; when B sends packets to A and the intermediate switch receives these packets from the mirrored traffic on that same interface, the switch will drop them. In this situation (if there is only one incoming interface and one outgoing interface in the VLAN) we can disable the MAC address learning function in vlan 950, and RSPAN will work.
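The following is an added example, not code from the page or from any switch vendor: a small model of Layer 2 forwarding with per-VLAN MAC learning, written to reproduce the RSPAN failure described in the case above and, more generally, the learn/forward/flood behaviour of the CAM table described earlier. Assumptions: the port names eth-trunk2 / eth-trunk5 and vlan 950 come from the case; the MAC addresses are documentation addresses invented here; every port is a member of every VLAN; and the `learning_disabled_vlans` parameter stands in for the per-VLAN "disable MAC address learning" setting the case mentions.

```python
"""
Added example (not from the original page): a model of Layer 2 forwarding with
per-VLAN MAC learning that reproduces the RSPAN symptom described above.
Assumptions: the port names eth-trunk2 / eth-trunk5 and vlan 950 are taken
from the case, the MAC addresses are documentation addresses invented here,
every port is a member of every VLAN, and `learning_disabled_vlans` stands in
for the per-VLAN "disable MAC address learning" setting the case mentions.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Transparent bridge with one CAM table keyed by (vlan, mac)."""

    def __init__(self, ports, learning_disabled_vlans=()):
        self.ports = list(ports)                      # assumed: all ports in all VLANs
        self.learning_disabled = set(learning_disabled_vlans)
        self.cam = {}                                 # (vlan, mac) -> port it was learned on

    def forward(self, vlan, src, dst, in_port):
        """Switch one frame; return its egress ports (an empty list means dropped)."""
        if vlan not in self.learning_disabled:
            self.cam[(vlan, src)] = in_port           # learn/refresh source MAC on ingress port
        learned = self.cam.get((vlan, dst))
        if dst == BROADCAST or learned is None:
            # Broadcast or unknown unicast: flood out every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        if learned == in_port:
            # Destination was learned on the ingress port: nothing to forward, frame dropped.
            return []
        return [learned]                              # known unicast: forward to one port


# Documentation MAC addresses (00:00:5e:00:53:xx), standing in for the SGSN and GGSN.
SGSN, GGSN = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
H1, H2 = "00:00:5e:00:53:11", "00:00:5e:00:53:12"


def rspan_scenario(disable_learning):
    """Both directions of SGSN<->GGSN traffic are mirrored and arrive on eth-trunk2 in vlan 950.

    Returns the egress list for each mirrored frame in order; the analyzer sits on eth-trunk5.
    """
    sw = Switch(["eth-trunk2", "eth-trunk5"],
                learning_disabled_vlans=[950] if disable_learning else [])
    frames = [(SGSN, GGSN), (GGSN, SGSN), (SGSN, GGSN), (GGSN, SGSN)]
    return [sw.forward(950, src, dst, "eth-trunk2") for src, dst in frames]


def normal_lan():
    """Ordinary case: two hosts on different ports, learning enabled."""
    sw = Switch(["g1", "g2", "g3"])
    return [
        sw.forward(10, H1, H2, "g1"),         # H2 unknown yet: flooded to g2 and g3
        sw.forward(10, H2, H1, "g2"),         # H1 already learned on g1: sent only there
        sw.forward(10, H1, H2, "g1"),         # now H2 is known on g2
        sw.forward(10, H1, BROADCAST, "g1"),  # broadcast always floods
    ]


if __name__ == "__main__":
    print("normal LAN:", normal_lan())
    print("RSPAN, learning enabled:", rspan_scenario(False))
    print("RSPAN, learning disabled:", rspan_scenario(True))
```

With learning enabled in the RSPAN VLAN, only the very first mirrored frame (sent while the table is still empty) floods to eth-trunk5; once both MACs have been learned on eth-trunk2, every later frame is addressed to a MAC the switch believes lives behind the ingress port and is dropped, which is the steady state of "nothing leaves eth-trunk5" the case observed. With learning disabled for the VLAN every mirrored frame is an unknown unicast and floods to the analyzer port, so the fix only works cleanly when the VLAN really has just the one source port and one analyzer port.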
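As an added example for the Telnet point in the basic approaches above, and not code from the page or from Cisco: a sniffer-style decoder that recovers switch login credentials from a captured Telnet session. Telnet carries everything in cleartext; the only protocol framing on the wire is IAC option negotiation, which the decoder skips. The `CAPTURE` list is a hand-constructed reassembly of what a Cisco-style login exchange looks like on the wire; the prompts, username and passwords are invented for the example.

```python
"""
Added example (not from the original page): recovering login credentials from
a captured Telnet session to a switch. Telnet is cleartext; the only protocol
framing is IAC option negotiation, which a sniffer simply skips. CAPTURE is a
hand-constructed reassembly of a Cisco-style login exchange; the prompts,
username and passwords are invented for the example.
"""
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Server-side prompts that announce which credential the next client line is.
PROMPTS = {"Username:": "Username", "login:": "Username", "Password:": "Password"}


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC negotiation sequences, keeping only the bytes the user typed or saw."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):                # truncated command at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                        # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-byte option negotiation
            i += 3
        elif cmd == SB:                       # subnegotiation: IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                 # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def harvest_credentials(capture):
    """Walk server/client segments in capture order and pair prompts with typed lines."""
    creds = []
    pending = None     # credential type announced by the last server prompt
    typed = ""         # client text not yet terminated by an NVT line end
    for direction, raw in capture:
        text = strip_telnet_commands(raw).decode("ascii", errors="replace")
        if direction == "server":
            tail = text.rstrip()
            for prompt, kind in PROMPTS.items():
                if tail.endswith(prompt):
                    pending = kind
            continue
        typed += text
        # Telnet NVT ends a line with CR LF (or CR NUL); tolerate a bare LF too.
        while (m := re.search(r"\r\n|\r\x00|\n", typed)):
            line, typed = typed[:m.start()], typed[m.end():]
            if pending is not None:
                creds.append((pending, line))
                pending = None
    return creds


# Constructed capture: (direction, bytes) in the order the packets were seen on the wire.
CAPTURE = [
    ("server", bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24])
               + b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("client", bytes([IAC, DO, 1, IAC, DO, 3, IAC, WILL, 24])),
    ("client", b"ad"),                    # username typed across two packets
    ("client", b"min\r\n"),
    ("server", b"admin\r\nPassword: "),   # server echoes the username, never the password
    ("client", b"Sw1tch-P@ss\r\n"),
    ("server", b"\r\nSwitch>"),
    ("client", b"enable\r\n"),
    ("server", b"enable\r\nPassword: "),
    ("client", b"En4ble!\r\n"),
    ("server", b"\r\nSwitch#"),
]

if __name__ == "__main__":
    for kind, value in harvest_credentials(CAPTURE):
        print(f"{kind}: {value}")
```

The password is never echoed by the server, but it is still present byte for byte in the client-to-server stream, which is all a passive listener on the path needs. The same decoder applied to an SSH session yields only the version banner and key-exchange material, which is the practical meaning of SSH's confidentiality.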
