4, Ch2- Switch Security
Ali Nezhad
Routing and Switching, CNET 311
Centennial College
Basic Switch Concepts and Configuration: Switch Security
Week #4, Ch2 (Wayne Lewis)
Outline
- Password Protection
- Securing Remote Access
- Security Risks
- Security Tools
- Configuring Port Security

Password Protection

Configuring Password Options
- Protection from unauthorized access
- Passwords for
  - Console line
  - vty lines
  - Privileged EXEC mode
- Encrypt passwords
- Recover passwords
Securing Console Access
- Requires direct, local physical access to the device.
- Removing password protection: (config-line)# no password and (config-line)# no login.
  Only do this on lab equipment; a console without a password hands the switch to anyone who can reach it physically.

Securing Virtual Terminal Access
- vty lines allow remote access, so no local access is needed.
- That is exactly why they must be secured.
- All vty lines must be protected: the Catalyst 2960 has 16 vty lines (0 through 15), so a password on vty 0-4 alone leaves lines 5-15 open.
- Removing the password: same commands as for the console line.
Securing Privileged EXEC Access
- This mode allows viewing and configuring all options.
- It also shows the unencrypted passwords in the configuration, so it must be secured.
- Commands:
  - enable password
    - Stores the password in startup-config and running-config as cleartext.
  - enable secret
    - Stores the password as a salted MD5 hash (type 5), which cannot be reversed.
    - If both are configured, the enable secret is used and the enable password is ignored.
    - Cannot be the same as the enable password (IOS rejects it).

Encrypting Switch Passwords
- service password-encryption command
  - Obfuscates the cleartext passwords already in the configuration (line passwords, enable password) and any set afterwards.
  - Uses the type 7 scheme: a reversible XOR against a fixed, public key. This is obfuscation, not encryption; anyone who can read the configuration can recover the passwords, so it only protects against a glance over the shoulder.
  - Type 5 is a one-way hash and much stronger, but it is only produced for the enable secret and for username ... secret; line passwords remain type 7. Newer IOS releases also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt) for secrets; prefer them where available.
- Disable with the keyword no:
  - Only stops obfuscating new passwords.
  - Previously obfuscated passwords stay in type 7 form in the configuration.
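As an added example that is not part of the original slides, the following Python script reverses type 7 strings to make the point above concrete: service password-encryption hides passwords from a glance, not from anyone who can read the configuration. TYPE7_KEY is the well-known fixed key of the scheme (nothing secret), and SAMPLE_CONFIG is a constructed snippet, not a real device's configuration; the enable secret line in it is shown only to contrast a type 5 hash, which this script cannot reverse.

```python
"""Reverse Cisco IOS type 7 passwords to show why 'service password-encryption'
is obfuscation rather than encryption.  Added example, not from the slides."""

# The fixed, publicly known key the type 7 scheme XORs against.  Nothing secret here.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config snippet (not from a real device).  The type 5 line is a
# salted MD5 hash and is NOT reversible; only the 'password 7' lines fall to this script.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash omitted>
enable password 7 0822455D0A16
line con 0
 password 7 03085E1F0B0A2842
 login
"""


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'.

    Layout: two decimal digits giving the starting offset into TYPE7_KEY, then one
    two-digit hex byte per plaintext character, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    if seed > 15:  # IOS only emits seeds 0..15
        raise ValueError("implausible type 7 seed")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce the type 7 form IOS would store; the seed is fixed by the caller for determinism."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_passwords(config: str) -> dict:
    """Map every 'password 7 <hex>' config line to its recovered plaintext."""
    recovered = {}
    for raw in config.splitlines():
        parts = raw.split()
        # matches both 'enable password 7 X' and the line-mode 'password 7 X'
        if len(parts) >= 3 and parts[-3] == "password" and parts[-2] == "7":
            recovered[raw.strip()] = type7_decode(parts[-1])
    return recovered


if __name__ == "__main__":
    for line, plain in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{line!r:45} -> {plain!r}")
```

Run it as-is and both type 7 lines come back as plaintext in well under a millisecond; the type 5 line is untouched because there is nothing to reverse. That asymmetry is the whole argument for enable secret and for local usernames with secrets instead of line passwords.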
Password Recovery
- The procedure differs from device to device.
- Requires physical (console) access, which is one more reason physical security of the switch matters.
- Hashed (type 5) passwords cannot be read back, but they can be reset to a new value.
- Will practice in the lab.

Login Banners and MOTD
- Messages shown to anyone who connects to the device.
- Login banner: (config)# banner login "Authorized ..."
  - Appears before the username/password prompts.
- MOTD banner: (config)# banner motd "Device Maintenance!"
  - Appears before the login banner.
- Remove either with the no form of the command.
- A banner is a legal notice, not a control: keep device names, roles and contact details an attacker could use out of it.
Secure Remote Access

Telnet and SSH
- Telnet sends everything, including passwords, in cleartext.
- SSH is newer and encrypts the whole session, so it should be used instead.

Configuring Telnet
- Telnet is the default vty transport on Cisco switches.
- If the transport has been restricted to SSH only, Telnet can be restored with:
  (config-line)# transport input telnet
  or
  (config-line)# transport input all
- Do not do this on a production device; note that transport input all also re-enables Telnet.
15Ali Nezhad
Routing and SwitchingCNET 311
SSH Characteristics
� Switch supports SSHv1 or SSHv2 for server.
� Switch supports only SSHv1 for client.
� Supports DES & 3DES encryption algorithms.
� Supports password-based authentication.
� Uses public key cryptography based on RSA.
![Page 16: 4, Ch2- Switch Security](https://reader034.fdocuments.us/reader034/viewer/2022051300/577cceb81a28ab9e788e31c8/html5/thumbnails/16.jpg)
16Ali Nezhad
Routing and SwitchingCNET 311
Configuring SSH
1. Configure a host domain for the switch.
(config)# ip domain-name mydomain.com
2. Generate an encrypted RSA key pair
(config)# crypto key generate rsa
� A modulus size of 1024 is recommended.
� Enables SSH server for local and remote access.
� To delete the keys, use crypto key zeroize rsa
� After deletion, SSH server is automatically disabled.
Configuring SSH - Fine Tuning
The next steps only fine-tune the SSH configuration.
1. Choose the SSH version (optional, but pin it to 2):
   (config)# ip ssh version [1|2]
2. Configure SSH control parameters
   A. Timeout value in seconds
      - Default is 120 s; range is 0-120 s.
      - Applies only to the SSH negotiation phases (TCP connection, protocol negotiation, parameter negotiation, authentication), not to an idle established session. Idle sessions are closed by exec-timeout on the vty line.
   B. Number of authentication retries
      - Default is 3; range is 0-5.
      - For example, with the default a client that supplies a wrong password three times in a row is disconnected and must reconnect.
   (config)# ip ssh {time-out seconds | authentication-retries number}
3. To prevent non-SSH connections:
   (config-line)# transport input ssh
   Telnet sessions will be refused.
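The password and remote-access slides above amount to a checklist; the following Python script is an added example (not part of the slides) that runs that checklist against a running-config: no enable secret, a leftover enable password, SSH not pinned to version 2, Telnet still accepted on a vty, a vty without a login check, and cleartext line passwords. WEAK_CONFIG and HARDENED_CONFIG are constructed snippets, not real devices; the "<hash omitted>" placeholders stand in for type 5 hashes. It assumes that a vty block with no transport input line behaves as transport input all, which is the default on these switches.

```python
"""Audit a Cisco IOS configuration for the remote-access weaknesses covered in this
section.  Added example, not from the slides; both configs are constructed snippets.
Assumption: a vty with no 'transport input' line is treated as 'transport input all'."""
import re

WEAK_CONFIG = """\
hostname S1
ip domain-name mydomain.com
enable password Cisco123
service password-encryption
ip ssh version 1
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 no login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname S1
ip domain-name mydomain.com
enable secret 5 <hash omitted>
username admin secret 5 <hash omitted>
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config: str):
    """Split an IOS config into global commands and {line name: [sub-commands]}."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented: belongs to the open 'line' block
            if current is not None:
                line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(config: str) -> list:
    """Return a sorted list of findings; an empty list means this checklist found nothing."""
    global_cmds, line_blocks = parse_sections(config)
    findings = []
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no 'enable secret': privileged EXEC relies on a reversible enable password")
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("'enable password' present: remove it once 'enable secret' is configured")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH not pinned to v2: add 'ip ssh version 2'")
    for name, cmds in line_blocks.items():
        if not name.startswith("vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
        allowed = set(transport.split()[2:])
        if allowed not in ({"ssh"}, {"none"}):
            findings.append(f"line {name}: '{transport}' allows Telnet; use 'transport input ssh'")
        if "no login" in cmds or not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: no login check, anyone reaching the vty gets a prompt")
        # 'password <word>' or 'password 0 <word>' is type 0 (cleartext); 'password 7 X' is not matched
        if any(re.fullmatch(r"password (0 )?\S+", c) for c in cmds):
            findings.append(f"line {name}: cleartext (type 0) line password")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG) or ["no findings"]:
        print(finding)
```

The script reports seven findings for WEAK_CONFIG and none for HARDENED_CONFIG. It only inspects what the slides cover; in practice you would extend it with exec-timeout, access-class on the vty lines and the RSA modulus size.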
SSH Configuration Example
(example configuration was shown as a figure on this slide)

Security Risks: Common L2 Security Attacks
MAC Address Flooding Attack
- Aims to overflow the switch's MAC address (CAM) table.
- The attacker floods the switch with frames carrying thousands of bogus source MAC addresses.
- Once the table is full the switch can no longer learn legitimate addresses, so frames for those destinations are flooded out every port in the VLAN (fail-open); the switch behaves like a hub.
- The attacker's port receives copies of that traffic. The attacker must keep flooding, because table entries age out.
- Prevention: port security (limit the number of MAC addresses per port).
(attack diagram was shown as a figure)
DHCP Spoofing Attack
- The attacker runs a rogue DHCP server on the segment.
- Because it is on the same segment as the clients, its responses to DHCP requests often reach a client before those from the legitimate server.
- The client then uses the rogue device as its default gateway and DNS server, which lets the attacker intercept or redirect the client's traffic.
- Prevention: port security and DHCP snooping.

DHCP Snooping Technique
(diagram was shown as a figure)
- Determines which ports may answer DHCP requests.
- Ports are classified as trusted or untrusted.
- Trusted ports
  - May send all kinds of DHCP messages.
  - Are the ports that host a DHCP server or lead toward one (uplinks).
- Untrusted ports
  - May only send client messages (DISCOVER, REQUEST, DECLINE, RELEASE, INFORM).
- A port is untrusted unless explicitly configured as trusted.
- If a DHCP server message (OFFER, ACK, NAK) arrives on an untrusted port, the switch drops it and logs the event; a port that exceeds its configured DHCP rate limit is put into the error-disabled state.

Configuring DHCP Snooping
1. Enable snooping globally.
   (config)# ip dhcp snooping
2. Enable DHCP snooping for a VLAN.
   (config)# ip dhcp snooping vlan <vlan-id>
3. Define a port as trusted.
   (config-if)# ip dhcp snooping trust
4. Rate-limit DHCP on untrusted ports (optional; see next slide).
DHCP Starvation Attack
- The attacker bombards the DHCP server with DISCOVER/REQUEST messages, each with a different spoofed source MAC address.
- The server hands out a lease for each one until the pool is exhausted, so legitimate clients get no address (DoS).
- It is often the first stage of DHCP spoofing: with the real server out of leases, the rogue server has no competition.
- Prevention: rate limiting of DHCP packets from untrusted ports (port security also helps, since each bogus request uses a new source MAC).
  (config-if)# ip dhcp snooping limit rate <pps>
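To show the trusted/untrusted rule and the rate limit from the last three slides working together, here is an added Python model (not part of the slides, and not Cisco's implementation): a rogue OFFER on an access port is dropped while the same message on the trusted uplink passes, and a burst of DISCOVERs above the per-second limit error-disables the port. Message type numbers are the DHCP option 53 values from RFC 2132; the port names and MAC addresses are constructed (the 00:00:5e:00:53:xx range is reserved for documentation), and the rate limit is modelled per whole second rather than with IOS's exact token bucket.

```python
"""Toy model of DHCP snooping: trusted vs. untrusted ports and per-port rate limiting.
Added example, not from the slides.  Message types follow DHCP option 53 (RFC 2132);
the rate limit is approximated as packets per whole second."""
from collections import defaultdict

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
CLIENT_MESSAGES = {DISCOVER, REQUEST, DECLINE, RELEASE, INFORM}  # what an untrusted port may send
SERVER_MESSAGES = {OFFER, ACK, NAK}                              # only acceptable from trusted ports


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit_pps=None):
        self.trusted = set(trusted_ports)      # every other port is untrusted (the IOS default)
        self.rate_limit_pps = rate_limit_pps   # 'ip dhcp snooping limit rate <pps>' on untrusted ports
        self.err_disabled = set()
        self.log = []
        self._per_second = defaultdict(int)    # (port, int(second)) -> DHCP packets seen

    def receive(self, port, msg_type, src_mac, t):
        """Decide 'forward' or 'drop' for one DHCP packet arriving on `port` at time t (seconds)."""
        if port in self.err_disabled:
            return "drop"                      # an err-disabled port passes nothing
        if port in self.trusted:
            return "forward"                   # trusted: any DHCP message, no rate limit
        if self.rate_limit_pps is not None:
            key = (port, int(t))
            self._per_second[key] += 1
            if self._per_second[key] > self.rate_limit_pps:
                self.err_disabled.add(port)    # IOS err-disables the port when the limit is exceeded
                self.log.append(f"{port}: DHCP rate limit {self.rate_limit_pps} pps exceeded, port err-disabled")
                return "drop"
        if msg_type in SERVER_MESSAGES:
            self.log.append(f"{port}: DHCP server message type {msg_type} from {src_mac} on untrusted port dropped")
            return "drop"
        return "forward"                       # ordinary client message


def rogue_server_scenario():
    """Spoofing: the real server sits behind trusted Gi0/1, a rogue answers first from access port Fa0/7."""
    sw = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limit_pps=10)
    verdicts = [
        sw.receive("Fa0/5", DISCOVER, "00:00:5e:00:53:05", 0.00),  # client broadcast: allowed
        sw.receive("Fa0/7", OFFER, "00:00:5e:00:53:07", 0.01),     # rogue OFFER from access port: dropped
        sw.receive("Gi0/1", OFFER, "00:00:5e:00:53:01", 0.02),     # legitimate OFFER via uplink: allowed
    ]
    return verdicts, sw.log


def starvation_scenario(attempts=15):
    """Starvation: one access port sends many DISCOVERs with different source MACs within one second."""
    sw = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limit_pps=10)
    verdicts = [
        sw.receive("Fa0/9", DISCOVER, f"02:00:00:00:00:{i:02x}", 0.05 * i)
        for i in range(attempts)
    ]
    return verdicts.count("forward"), sorted(sw.err_disabled), sw.log


if __name__ == "__main__":
    print(rogue_server_scenario())
    print(starvation_scenario())
```

The two scenarios map directly onto the slides: the rogue server loses the race because its OFFER never leaves the untrusted port, and the starvation burst is cut off after ten packets with the port error-disabled (in IOS, errdisable recovery cause dhcp-rate-limit can bring it back automatically).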
CDP Attack
- Targets the Cisco Discovery Protocol.
- CDP is a Cisco proprietary Layer 2 protocol that discovers directly connected Cisco devices and simplifies network configuration.
- CDP messages are unauthenticated and unencrypted, and are sent periodically (every 60 s by default) to a well-known multicast address, so anyone on the segment can read them.
- They contain information such as the IOS version, IP addresses, platform and capabilities.
- An attacker can use this information to select known exploits for that platform and IOS version or to mount DoS attacks.
- Prevention
  - Disable CDP on devices that do not use it (no cdp run), and on user-facing interfaces that do not need it (no cdp enable); keep it only where it is required, e.g. for IP phones.
Telnet Attacks
- Password attacks
  - A vty password alone is not enough: it can be guessed by brute force.
  - Prevention: strong, regularly changed passwords; ACLs applied to the vty lines (access-class) so only management hosts may connect; SSH instead of Telnet.
  - Even then, because Telnet is cleartext, an attacker who gets onto the path (for example with MAC address flooding) can capture the session and read the password directly. Only SSH removes this risk.
- DoS attacks
  - Exploiting flaws in the Telnet server software to make the device's management interface unavailable.
Security Tools

Network Security Tools
- Help verify security configurations.
- Test the network for weaknesses.
- Mimic attacks.
- Also test for application-level vulnerabilities: e-mail clients, browsers, missing patches, ...

Network Security Tools: Basic Functions
- Security audit
  - Reveals what kind of information an attacker can gather by monitoring traffic.
  - Example: flooding a switch's MAC table during an audit shows which traffic it leaks (floods) when its table is overloaded.
- Penetration tests
  - Identify weaknesses in the configuration of networking devices.

Network Security Tools: Common Features
- Service identification
  - Identify services running on a host, including services on non-standard transport-layer ports, e.g. FTP on port 210 instead of 21.
- Support for SSL/TLS services
  - Testing services that use SSL/TLS, such as HTTPS, SMTPS, ...
- Destructive testing
  - Stress testing that may disrupt the target; done occasionally and only with agreement.
- Non-destructive testing
  - Done routinely; little impact on network performance.
- Up-to-date database of vulnerabilities.
Port Security

Configuring Port Security
- Limits the number of valid MAC addresses allowed on a port.
- A secure port forwards only frames whose source MAC address is among its assigned secure MAC addresses.
- The limit can be one: if the port is tied to a single MAC address, only that host can use the port.
- Any attempt by another host results in a violation.
- Caveat: a MAC address can be spoofed, so port security stops MAC flooding and casual plug-in attacks; it does not authenticate the host behind a permitted address.

Implementing Port Security
- Do it on all access ports (not on trunks or uplinks).
- Specify a group of valid MAC addresses for each port (the secure MAC address table).
- Allow only one MAC address to access the port at a time.
- Specify that the port automatically shuts down if a violation is detected.
Secure MAC Address Types
- Static: configured manually, stored in the address table and added to the running config.
  (config-if)# switchport port-security mac-address <mac>
- Dynamic: learned dynamically and added to the address table only.
  - Removed when the switch restarts.
- Sticky: learned dynamically, added to the address table and saved to the running config (so it survives a reload once the config is saved).

Sticky Secure MAC Addresses: Characteristics
- (config-if)# switchport port-security mac-address sticky
  - Enables sticky learning on an interface.
  - The port converts all dynamic secure MAC addresses, including those learned before the command was entered, to sticky and adds all of them to the running config.
  - If port security is disabled on the port, the sticky addresses remain in the running config but are removed from the address table.
  - Addresses removed from the table can be learned again dynamically.
- (config-if)# switchport port-security mac-address sticky <mac>
  - Configures a specific sticky secure MAC address.
  - The address is added to the address table and the running config.
  - If port security is disabled, the sticky MAC addresses remain in the running config.
- If the sticky addresses are saved to the startup config, the port does not need to relearn them after a reload or a shutdown/no shutdown.
  - If they are not saved, they are lost on reload.
- If sticky learning is disabled, sticky addresses are converted to dynamic addresses and removed from the running config.
- If you disable sticky learning and then issue:
  (config-if)# switchport port-security mac-address sticky <mac>
  - An error message appears and the sticky MAC address is not added to the running config.
Security Violations
A violation occurs when the maximum number of secure MAC addresses has been added to the address table and:
- A station whose address is not in the table attempts to access the interface, or
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Violation Modes
- The action a port is configured to take when a violation occurs.
- 3 modes: Protect, Restrict, Shutdown.

Violation Modes: Protect
- When the number of secure addresses reaches the limit allowed on the port:
  - Frames with unknown source addresses are dropped until enough secure MACs are removed or the limit is increased.
  - No violation notification is generated, which makes an ongoing attack invisible; prefer restrict or shutdown.

Violation Modes: Restrict
- Same dropping behaviour as protect, but a violation notification is generated:
  - An SNMP trap is sent, a syslog message is logged and the violation counter is incremented.

Violation Modes: Shutdown
- Default mode on Cisco switches.
- A violation immediately shuts the port down: it enters the err-disabled state and the port LED turns off.
- Notification and logging as in restrict.
- To recover: find and remove the offending host, then shutdown followed by no shutdown on the interface (or configure errdisable recovery cause psecure-violation to re-enable the port automatically after an interval).
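The MAC address flooding slides and the violation-mode slides describe behaviour that is easiest to see in a small model. The following Python is an added example (not from the slides, not Cisco's code): a toy switch with a bounded MAC table and per-port port security. It shows a flood of bogus sources turning a victim/server exchange into hub-like flooding that reaches the attacker's port, the same flood being stopped by a max-1 shutdown port, and the three violation modes differing exactly as described (silent drop; drop plus counter and log; drop plus err-disable). Port names, MAC addresses (00:00:5e:00:53:xx is the documentation range) and the log text are constructed; MAC ageing and the "same address on two secure ports" violation are left out for brevity.

```python
"""Toy Layer 2 switch with a bounded MAC table and per-port port security.
Added example, not from the slides.  Equivalent IOS per access port:
  switchport mode access / switchport port-security /
  switchport port-security maximum <n> / switchport port-security violation {protect|restrict|shutdown}
MAC ageing and the 'same MAC on two secure ports' violation are omitted."""

BCAST = "ff:ff:ff:ff:ff:ff"
VICTIM, SERVER, ATTACKER = "Fa0/1", "Fa0/2", "Fa0/3"
VICTIM_MAC, SERVER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # RFC 7042 documentation MACs


class Switch:
    def __init__(self, ports, table_size=8):
        self.ports = list(ports)
        self.table_size = table_size          # CAM capacity; tiny here so a flood fills it quickly
        self.mac_table = {}                   # mac -> port
        self.port_security = {}               # port -> state dict (only for secured ports)
        self.syslog = []

    def enable_port_security(self, port, maximum=1, mode="shutdown"):
        if mode not in ("protect", "restrict", "shutdown"):
            raise ValueError(mode)
        self.port_security[port] = {"max": maximum, "mode": mode, "secure": set(),
                                    "violations": 0, "err_disabled": False}

    def _active_ports(self):
        return [p for p in self.ports
                if not self.port_security.get(p, {}).get("err_disabled", False)]

    def _port_security_allows(self, port, src):
        """Apply the port's violation mode; True means the frame may be switched."""
        ps = self.port_security.get(port)
        if ps is None:
            return True                                    # unsecured port
        if ps["err_disabled"]:
            return False                                   # port is down
        if src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["max"]:
            ps["secure"].add(src)                          # learn a dynamic secure address
            return True
        if ps["mode"] == "protect":
            return False                                   # silent drop: no counter, no log
        ps["violations"] += 1                              # restrict and shutdown both notify
        self.syslog.append(f"PSECURE_VIOLATION on {port}: unexpected source {src}")
        if ps["mode"] == "shutdown":
            ps["err_disabled"] = True
            self.syslog.append(f"ERR_DISABLE: psecure-violation on {port}, port err-disabled")
        return False

    def forward(self, in_port, src, dst):
        """Switch one frame; return the list of egress ports (empty if dropped or filtered)."""
        if not self._port_security_allows(in_port, src):
            return []
        if src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src] = in_port                  # learn/refresh; a full table stops learning
        out = self.mac_table.get(dst)
        if out is None:                                    # unknown unicast or broadcast: flood the VLAN
            return [p for p in self._active_ports() if p != in_port]
        return [] if out == in_port else [out]


def mac_flood(sw, count):
    """Attacker sends `count` broadcasts, each with a fresh bogus source MAC (as tools like macof do)."""
    for i in range(count):
        sw.forward(ATTACKER, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BCAST)


def flooding_demo(with_port_security):
    """Return what the attacker observes of a victim<->server exchange after a MAC flood."""
    sw = Switch([VICTIM, SERVER, ATTACKER], table_size=4)
    if with_port_security:
        sw.enable_port_security(ATTACKER, maximum=1, mode="shutdown")
    mac_flood(sw, 10)
    sw.forward(VICTIM, VICTIM_MAC, SERVER_MAC)                   # victim -> server
    reply = sw.forward(SERVER, SERVER_MAC, VICTIM_MAC)           # server -> victim
    return {"attacker_sees_reply": ATTACKER in reply,
            "attacker_err_disabled": ATTACKER not in sw._active_ports(),
            "table_entries": len(sw.mac_table)}


def violation_demo(mode):
    """Three frames from three sources on a max-1 port; return (violations, err_disabled, log lines)."""
    sw = Switch(["Fa0/1", "Fa0/2"])
    sw.enable_port_security("Fa0/1", maximum=1, mode=mode)
    for i in range(3):
        sw.forward("Fa0/1", f"02:00:00:00:00:{i:02x}", BCAST)
    ps = sw.port_security["Fa0/1"]
    return ps["violations"], ps["err_disabled"], len(sw.syslog)


if __name__ == "__main__":
    print("no port security:", flooding_demo(False))
    print("port security:   ", flooding_demo(True))
    for m in ("protect", "restrict", "shutdown"):
        print(m, violation_demo(m))
```

Without port security the four bogus entries fill the table, the victim and server are never learned, and the server's reply is flooded to the attacker. With maximum 1 and shutdown on the attacker's port, the second bogus source trips the violation, the port goes err-disabled, and the reply is delivered only to the victim. The violation_demo results also make the protect trade-off visible: it drops the frames but leaves nothing in the log.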
Violation Modes
(comparison table was shown as a figure)

Default Port Security Config, Catalyst Switches
(table was shown as a figure: port security disabled on the port, maximum of 1 secure address, violation mode shutdown, sticky learning disabled)

Configuring Port Security
(configuration was shown as a figure)
Note: the violation mode is not specified in the example, so it defaults to shutdown.

Enabling Sticky Port Security
(configuration was shown as a figure)
Note: the violation mode is not specified here either; it defaults to shutdown.

Verifying Port Security
- Check all interfaces (show port-security, and show port-security interface <id> for one port).
- Check that any static MAC addresses are set correctly.

Verify Secure MAC Addresses
- Display all secure addresses on all ports or on a specific one (show port-security address).

Securing Unused Ports
- Disable them!
  (config-if)# shutdown
- Use the range option to do many at once:
  (config)# interface range fa0/3 - 24
  (config-if-range)# shutdown
- Also make them members of an unused "black hole" VLAN, so that a port re-enabled by mistake does not land in a production VLAN.

Questions?