CCNA Security – Routers and Switches

Port Security

Violation mode can be protect, restrict or shutdown. On a violation, protect does not increment the Security Violation Counter; restrict and shutdown do. Protect and restrict drop the offending frames, whereas shutdown puts the interface into err-disabled state and sends an SNMP notification. Port security also protects against DHCP starvation attacks, since those rely on flooding requests from many spoofed source MAC addresses on one port.


configure terminal
interface f0/1
! change port mode to access
switchport mode access
! associate the port with a VLAN
switchport access vlan 123
! enable port security
switchport port-security
! set the violation mode, default is shutdown
switchport port-security violation restrict
! limit the number of MAC addresses, default is 1
switchport port-security maximum 5
! set the aging type, default is absolute
switchport port-security aging type inactivity
! set the aging time to 5 minutes
switchport port-security aging time 5
! configure a static MAC address
switchport port-security mac-address aaaa.bbbb.cccc
! dynamically learned MAC addresses are written into the running-config as sticky entries
! save them to startup-config with 'copy run start'
switchport port-security mac-address sticky


! on a trunk port, turn off DTP; port security cannot be enabled on a port in dynamic (DTP negotiation) mode
switchport mode trunk
switchport nonegotiate


! err-disable recovery configuration (interval is in seconds)
errdisable recovery cause psecure-violation
errdisable recovery interval 30


! check port-security configuration
show port-security
show port-security address
show port-security interface f0/1
show interfaces status err-disabled


DHCP snooping

DHCP snooping drops server-type DHCP packets (OFFER, ACK, NAK) arriving on untrusted ports and records the client MAC, IP, VLAN and port of every completed lease in a binding table. It protects against DHCP starvation attacks and rogue DHCP servers. A rate limit can be configured to cap the number of DHCP packets per second on a port.


configure terminal
! enable DHCP snooping (per VLAN)
ip dhcp snooping
ip dhcp snooping vlan 100

! set a port trusted (by default it is untrusted)
interface f0/1
ip dhcp snooping trust

! configure rate limit
interface f0/2
ip dhcp snooping limit rate 10

! check configuration
show ip dhcp snooping
show ip dhcp snooping binding


Private VLAN

A PVLAN groups several VLANs together in the same IP subnet. It consists of one primary VLAN and one or more secondary VLANs associated with that primary VLAN. A secondary VLAN can be isolated or community. Only one isolated VLAN can exist per primary VLAN, but there can be more than one community VLAN. Port types are promiscuous, isolated and community. A promiscuous port is associated with the primary VLAN and usually connects to a router. Isolated ports are associated with the isolated secondary VLAN and can communicate only with the promiscuous port. Community ports are associated with a community secondary VLAN and can communicate only with the promiscuous port and the other community ports in the same secondary VLAN.


configure terminal
! VTP mode should be transparent if the version is v1 or v2
vtp mode transparent

! create isolated and community VLANs
vlan 200
private-vlan isolated
vlan 300
private-vlan community
vlan 400
private-vlan community

! create primary VLAN
vlan 100
private-vlan primary
! associate secondary VLANs to primary
private-vlan association 200,300,400

! create promiscuous port
interface f0/1
switchport mode private-vlan promiscuous
! map the primary and secondary VLANs to this port
switchport private-vlan mapping 100 200,300,400

! add ports to secondary VLANs
interface range f0/2-4
switchport mode private-vlan host
switchport private-vlan host-association 100 200

! check configuration
show vlan private-vlan
show interface f0/1 switchport


Hairpin routing: if a host in a secondary VLAN sends a packet to the router connected to the promiscuous port, the router can route it back to a host in another secondary VLAN, bypassing the separation. An ACL on the router prevents this (drop the packet if the source and destination are in the same subnet).
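The router-side ACL described above, as an added example that is not part of the original notes. It assumes the PVLAN subnet is 192.168.10.0/24, the router's address in it is 192.168.10.1 and the interface facing the promiscuous port is GigabitEthernet0/0 (all three are assumed values):

```cisco
configure terminal
! 192.168.10.0/24 and 192.168.10.1 are assumed example values
ip access-list extended NO-HAIRPIN
 ! hosts must still reach the router itself (default gateway, DHCP relay)
 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
 ! drop anything sourced from the subnet and destined back into the same subnet
 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 ! everything else (off-subnet traffic) is routed normally
 permit ip any any
! apply inbound on the interface connected to the promiscuous port
interface GigabitEthernet0/0
 ip access-group NO-HAIRPIN in
 ! defence in depth: do not answer ARP on behalf of other hosts in the subnet
 no ip proxy-arp
end
! the deny entry's hit counter shows attempted hairpin traffic
show ip access-lists NO-HAIRPIN
```

The permit for the router's own address has to come before the deny, because the router's IP is inside the PVLAN subnet and would otherwise be blocked too. Disabling proxy ARP removes the easy path, but the ACL is the actual control, since an attacker can address frames to the router's MAC directly.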


DAI (Dynamic ARP Inspection)

DAI validates the ARP traffic on ports and protects against ARP spoofing (ARP poisoning). DAI learns the MAC-to-IP bindings of the ports through DHCP snooping (which is a prerequisite), or static bindings can be configured with an ARP ACL. If a port sends spoofed ARP packets, the switch puts the port into err-disabled state.


configure terminal
! enable DAI
ip arp inspection vlan 100

! set an interface trusted
interface f0/1
ip arp inspection trust

! set rate limit on an untrusted port
interface f0/2
ip arp inspection limit rate 10

! create an ARP ACL for hosts with static addresses (no DHCP snooping binding)
arp access-list NAME-OF-ACL
! 10.0.0.10 is a placeholder host IP
permit ip host 10.0.0.10 mac host 0000.1111.1111
! apply the ACL to the VLAN; it is checked before the DHCP snooping binding table
ip arp inspection filter NAME-OF-ACL vlan 100

! check configuration
show ip arp inspection vlan 100
show arp access-list NAME-OF-ACL

! check err-disabled state
show interfaces status err-disabled

! configure auto recovery
errdisable recovery cause arp-inspection
errdisable recovery interval 30


VLAN hopping

An attacker can force the switch port into trunking mode by pretending to be another switch (DTP negotiation), after which traffic for all VLANs is sent on that port. Unused ports should be shut down. VLAN 1 should never be used. Ports should be configured explicitly as access or trunk, and DTP negotiation should be switched off where possible.
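The hardening steps listed above, put together as an added example (not from the original notes). Interface numbers, VLAN 10 for users and VLAN 999 as the unused native/parking VLAN are assumed values:

```cisco
configure terminal
! user-facing ports: fixed access mode, DTP off, not in VLAN 1
interface range f0/2-12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! uplink: explicit trunk, DTP off, unused native VLAN, restricted allowed list
interface f0/1
 ! encapsulation line is only needed (and only accepted) on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
! unused ports: parked in a VLAN that goes nowhere and shut down
interface range f0/13-24
 switchport mode access
 switchport access vlan 999
 shutdown
end
! verify no port is left in dynamic mode and which ports actually trunk
show interfaces switchport
show interfaces trunk
show dtp interface f0/1
```

Setting the native VLAN to an unused one defeats double-tagging, because a frame whose outer tag matches the native VLAN would otherwise be forwarded untagged onto the trunk with its inner tag intact. The `show interfaces switchport` output should report "Negotiation of Trunking: Off" on every port after this.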


BPDU guard and Root guard

If two switches are connected, an attacker can plug a rogue switch into both of them; if it becomes the root bridge, the link between the two legitimate switches is blocked. The rogue switch then sits between the two switches and a MITM attack is possible. BPDU guard shuts the port down if it detects a BPDU. Root guard does not allow a port to become a root port; if it detects a BPDU, the port goes into blocked mode.


! enable BPDU guard on an interface
interface f0/1
spanning-tree portfast
spanning-tree bpduguard enable

! check configuration
show spanning-tree summary
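Root guard configuration and the global form of BPDU guard, as an added example that is not part of the original notes. Interface numbers and the 60-second recovery interval are assumed values:

```cisco
configure terminal
! enable PortFast and BPDU guard on every non-trunk port at once
! (equivalent to the per-interface commands above, but applied globally)
spanning-tree portfast default
spanning-tree portfast bpduguard default
! root guard on the ports that must never lead toward the root:
! a superior BPDU received here puts the port into root-inconsistent (blocked)
! state instead of moving the root bridge, and it recovers by itself
! once the superior BPDUs stop
interface range f0/1-2
 spanning-tree guard root
! ports err-disabled by BPDU guard do not recover on their own; opt in if wanted
errdisable recovery cause bpduguard
errdisable recovery interval 60
end
! verify
show spanning-tree summary
show spanning-tree inconsistentports
show interfaces status err-disabled
```

The two guards are used on different ports: BPDU guard on edge ports where no switch should ever appear, root guard on links toward other switches where BPDUs are expected but a claim to be root is not.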