© 2006 Cisco Systems, Inc. All rights reserved.Presentation_ID 1Cisco Public
Layer 2 Security
Eric Vyncke
Distinguished Consulting Engineer
Caveats
All attacks and mitigation techniques assume a switched Ethernet network running IPv4
All testing was done on Cisco Ethernet switches; Ethernet switching attack resilience varies widely from vendor to vendor
This is not a comprehensive talk on configuring Ethernet switches for security or NAC or IEEE 802.1x:
the focus is mostly access L2 attacks and their mitigation
Agenda
• Layer 2 Attack Landscape
• Attacks and Counter Measures: MAC Attacks, DHCP Attacks, ARP Attacks, Spoofing Attacks, General Attacks
• Summary
Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without the knowledge of each other
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on Host A and Host B, with the application stream at the top, protocols/ports at Transport, IP addresses at Network, MAC addresses at Data Link and the physical links at the bottom]
Lower Levels Affect Higher Levels
Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem
Security is only as strong as the weakest link
When it comes to networking, layer 2 can be a very weak link
[Figure: the same two OSI stacks; an initial compromise at the Data Link layer (MAC addresses, physical links) leaves every layer above it compromised, including application protocols such as POP3, IMAP, IM, SSL and SSH]
NetOPS/SecOPS, Whose Problem Is It?
Questions:
• What is your stance on L2 security issues?
• Do you use VLANs often?
• Do you ever put different security levels on the same switch using VLANs?
• What is the process for allocating addresses for segments?
Most SecOPS:
• I handle security issues at L3 and above
• I have no idea if we are using VLANs
• Why would I care what the network guy does with the switch?
• I ask NetOPs for a segment, they give me ports and addresses
Most NetOPS:
• There are L2 security issues?
• I use VLANs all the time
• Routing in and out of the same switch is OK by me! That’s what VLANs are for
• The security guy asks me for a new segment, I create a VLAN and assign him an address space
CAM Table Review
CAM table stands for Content Addressable Memory
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters
CAM tables have a fixed size
Normal CAM Behavior 1/3
[Figure: MAC A on port 1, MAC B on port 2, MAC C on port 3; the CAM table holds A → port 1 and C → port 3. A sends an ARP for B; B is unknown, so the switch floods the frame out every port]
Normal CAM Behavior 2/3
[Figure: B answers “I am MAC B”; the switch learns that A is on port 1 and B is on port 2, and the CAM table now holds A → 1, B → 2, C → 3]
Normal CAM Behavior 3/3
[Figure: traffic from A to B is now switched only to port 2 because the CAM table holds B → 2; MAC C on port 3 does not see the traffic to B]
CAM Overflow 1/2
Macof tool since 1999: about 100 lines of Perl, included in “dsniff”
Attack successful by exploiting the size limit on CAM tables
Yersinia: flavor of the month attack tool
CAM Overflow 2/2
[Figure: the attacker on port 3 announces “I am MAC Y”, “I am MAC Z”, ... until the CAM table is full (A → 1, B → 2, C → 3, Y → 3, Z → 3, ...). Traffic from A to B can no longer be switched to a single port and is flooded, so the attacker on port 3 sees the traffic to B]
CAM Table Full
Once the CAM table is full, traffic without a CAM entry is flooded out every port on that VLAN,
but NOT traffic with an existing CAM entry
This will turn a VLAN on a switch basically into a hub
This attack will also fill the CAM tables of adjacent switches
BTW: Cisco switches never overwrite an existing entry; idle entries are removed
Sniffer capture taken while the table is full; the two ICMP packets marked OOPS are unicast traffic between other hosts that is now flooded to the sniffer:
    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
    10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) OOPS
    10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) OOPS
Countermeasures for MAC Attacks
Port security limits the amount of MACs on an interface
Port security limits MAC flooding attack and locks down port and sends an SNMP trap
[Figure: an attacker sends 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...) into a port; only one MAC address is allowed on the port, so the solution is to shut the port down]
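As an added example (Python, not from the deck), a small model of the CAM behaviour described in these slides: a fixed-size table that never overwrites an entry, flooding for unknown destinations, and a port-security limit that err-disables a port on the first extra MAC. Port numbers, MAC labels and the table size are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Single-VLAN switch model: fixed-size CAM table that never overwrites an entry."""
    cam_size: int
    ports: tuple = (1, 2, 3)
    max_macs: dict = field(default_factory=dict)   # port -> port-security limit
    cam: dict = field(default_factory=dict)        # MAC -> port
    err_disabled: set = field(default_factory=set)

    def learn(self, src_mac, in_port):
        """Source-MAC learning with the port-security check done first."""
        if in_port in self.err_disabled:
            return "dropped"
        if src_mac in self.cam:
            return "known"
        limit = self.max_macs.get(in_port)
        if limit is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= limit:
                # violation mode "shutdown": port goes err-disabled, SNMP trap sent
                self.err_disabled.add(in_port)
                return "port-security violation"
        if len(self.cam) >= self.cam_size:
            return "cam full"          # nothing learned, existing entries are kept
        self.cam[src_mac] = in_port
        return "learned"

    def forward(self, src_mac, dst_mac, in_port):
        """Egress ports for a frame: the CAM entry, or a flood to every other port."""
        if self.learn(src_mac, in_port) == "dropped":
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return {p for p in self.ports if p != in_port and p not in self.err_disabled}


def run_flood(limit_on_attacker_port=None, bogus=132000):
    """A on port 1, B on port 2, attacker C on port 3 announcing bogus MACs.
    Returns (ports that receive A->B after B's idle entry aged out, err-disabled ports)."""
    limits = {3: limit_on_attacker_port} if limit_on_attacker_port else {}
    sw = Switch(cam_size=4, max_macs=limits)
    for mac, port in (("A", 1), ("B", 2), ("C", 3)):
        sw.learn(mac, port)
    for i in range(bogus):                      # macof-style flood of source MACs
        if sw.learn(f"bogus-{i:06x}", 3) == "port-security violation":
            break
    del sw.cam["B"]                             # B's idle entry is removed by the switch
    sw.learn("bogus-refill", 3)                 # attacker keeps flooding and takes the slot
    sw.learn("B", 2)                            # B talks again; can it be re-learned?
    return sw.forward("A", "B", 1), sw.err_disabled
```

Without port security the flood leaves no room for B, so A's traffic to B is flooded to the attacker's port as well; with a one-MAC limit on port 3 the first bogus MAC err-disables that port and B is learned normally.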
Building the Layers
Port security prevents CAM attacks and DHCP starvation attacks
[Figure: the first layer of the stack, Port Security]
DHCP: quick overview
DHCP defined by RFC 2131
[Figure: exchange between the client and the DHCP server]
• DHCP Discover (broadcast) from the client
• DHCP Offer (unicast) from the server: IP Address: 10.10.10.101, Default Routers: 10.10.10.1, DNS Servers: 192.168.10.4, 192.168.10.5
• DHCP Request (broadcast) from the client
• DHCP Ack (unicast) from the server
DHCP Attack Types: DHCP Starvation Attack
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
This is a Denial of Service (DoS) attack using DHCP leases
[Figure: Gobbler, client and DHCP server; each of DHCP Discover, Offer, Request and Ack is repeated (size of scope) times, leaving no lease for the client: denial of service]
Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security
Gobbler uses a new MAC address to request a new DHCP lease
Restrict the number of MAC addresses on a port with port security
Else use option 82 of DHCP: the DHCP server can track which port has already got one IP address
[Figure: Gobbler, client and DHCP server]
DHCP Attack Types: Rogue DHCP Server Attack
[Figure: client, rogue server and genuine DHCP server; two of the segments are labelled VLAN 5 and one VLAN 165]
• DHCP Discovery (broadcast)
• 2 DHCP Offers (unicast) (1 from rogue, 1 genuine)
• DHCP Request (broadcast) to 1st offer
• DHCP Ack (unicast) from rogue server
DHCP Attack Types: Rogue DHCP Server Attack
What can the attacker do if he is the DHCP server?
“Here is your configuration”: IP Address: 10.10.10.101, Subnet Mask: 255.255.255.0, Default Routers: 10.10.10.1, DNS Servers: 192.168.10.4, 192.168.10.5, Lease Time: 10 days
What do you see as a potential problem with incorrect information?
• Wrong default gateway: attacker is the gateway
• Wrong DNS server: attacker is DNS server
• Wrong IP address: attacker does DoS with incorrect IP
Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
By default all ports in the VLAN are untrusted
[Figure: DHCP snooping enabled; the DHCP server/uplink port is trusted, the client and rogue server ports are untrusted. OK DHCP responses (offer, ack, nak) are accepted from the trusted port; BAD DHCP responses (offer, ack, nak) from the untrusted rogue server port are dropped]
IOS global commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
DHCP snooping untrusted client, interface commands:
    no ip dhcp snooping trust (default)
    ip dhcp snooping limit rate 10 (pps)
DHCP snooping trusted server or uplink, interface commands:
    ip dhcp snooping trust
Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
Table is built by “snooping” the DHCP reply to the client
Entries stay in table until DHCP lease time expires
[Figure: same topology as the previous slide, DHCP snooping enabled; BAD responses from the rogue server are dropped, OK responses from the trusted server are accepted]
DHCP Snooping Binding Table:
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
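As an added example (Python, not from the deck), a model of the DHCP snooping behaviour on these two slides: server messages (offer, ack, nak) are dropped on untrusted ports, untrusted ports are rate limited at 10 pps, and a binding is learned from the ACK the trusted server sends each client. The port names, timings and the rogue server's address are constructed.

```python
from collections import defaultdict

SERVER_MESSAGES = {"offer", "ack", "nak"}


class DhcpSnooping:
    """DHCP snooping for one VLAN: server messages only from trusted ports, a
    per-port rate limit on untrusted ports, and a binding (IP, port, lease expiry)
    learned for each client from the ACK that the trusted server sends it."""

    def __init__(self, trusted_ports, rate_limit_pps=10):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.bindings = {}                  # client MAC -> (ip, port, lease_expiry)
        self.err_disabled = set()
        self._client_port = {}              # client MAC -> untrusted port it spoke on
        self._recent = defaultdict(list)    # port -> DHCP packet timestamps, last second

    def process(self, pkt):
        """pkt keys: msg, port, time, client_mac (+ ip and lease on offers/acks).
        Returns 'forward', 'drop' or 'err-disable'."""
        port, now = pkt["port"], pkt["time"]
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            recent = [t for t in self._recent[port] if now - t < 1.0] + [now]
            self._recent[port] = recent
            if len(recent) > self.rate_limit:          # ip dhcp snooping limit rate 10
                self.err_disabled.add(port)
                return "err-disable"
            if pkt["msg"] in SERVER_MESSAGES:         # rogue server on an untrusted port
                return "drop"
            self._client_port[pkt["client_mac"]] = port
            return "forward"
        if pkt["msg"] == "ack":                        # snoop the reply to the client
            client_port = self._client_port.get(pkt["client_mac"])
            if client_port is not None:
                self.bindings[pkt["client_mac"]] = (pkt["ip"], client_port, now + pkt["lease"])
        return "forward"

    def expire(self, now):
        """Entries stay in the table until the DHCP lease time expires."""
        self.bindings = {m: b for m, b in self.bindings.items() if b[2] > now}
        return self.bindings


def rogue_server_scenario():
    """Constructed exchange: client on Fa3/18, rogue server on Fa3/20, real server via trusted Gi1/1."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/1"})
    mac = "00:03:47:b5:9f:ad"
    events = [
        dict(msg="discover", port="Fa3/18", time=0.0, client_mac=mac),
        dict(msg="offer", port="Fa3/20", time=0.1, client_mac=mac, ip="10.120.4.99", lease=864000),
        dict(msg="offer", port="Gi1/1", time=0.2, client_mac=mac, ip="10.120.4.10", lease=193185),
        dict(msg="request", port="Fa3/18", time=0.3, client_mac=mac),
        dict(msg="ack", port="Gi1/1", time=0.4, client_mac=mac, ip="10.120.4.10", lease=193185),
    ]
    return [snoop.process(e) for e in events], snoop.bindings


def starvation_scenario():
    """Constructed flood: 11 discovers in half a second from Fa3/21 exceed the 10 pps limit."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/1"})
    verdicts = [snoop.process(dict(msg="discover", port="Fa3/21", time=i / 20,
                                   client_mac=f"00:0e:00:00:00:{i:02x}")) for i in range(11)]
    return verdicts[-1], snoop.err_disabled
```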
Building the Layers
Port security prevents CAM attacks and DHCP starvation attacks
DHCP snooping prevents rogue DHCP server attacks
[Figure: DHCP Snooping layered on top of Port Security]
ARP Function Review
Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address
All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply
[Figure: a station broadcasts “Who is 10.1.1.4?”; the owner answers “I am 10.1.1.4, MAC A”]
ARP Function Review
According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
Anyone can claim to be the owner of any IP/MAC address they like
ARP attacks use this to redirect traffic
[Figure: a station announces “I am 10.1.1.1, MAC A” and every other host on the subnet records “10.1.1.1 is MAC A”]
ARP Attack in Action
Attacker “poisons” the ARP tables
[Figure: hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker sends an ARP to 10.1.1.1 saying 10.1.1.2 is MAC C, and an ARP to 10.1.1.2 saying 10.1.1.1 is MAC C; now 10.1.1.1’s table says 10.1.1.2 is MAC C and 10.1.1.2’s table says 10.1.1.1 is MAC C]
ARP Attack in Action
All traffic flows through the attacker
[Figure: with both poisoned entries in place, 10.1.1.1 transmits and receives traffic for 10.1.1.2 via MAC C and 10.1.1.2 transmits and receives traffic for 10.1.1.1 via MAC C, so every frame between them passes through the attacker]
Countermeasures to ARP Attacks: Dynamic ARP Inspection
Dynamic ARP Inspection uses the DHCP snooping binding table information
All ARP packets must match the IP/MAC binding table entries
If the entries do not match, throw them in the bit bucket
[Figure: the same three hosts with DHCP snooping and Dynamic ARP Inspection enabled. The attacker’s ARP to 10.1.1.1 saying 10.1.1.2 is MAC C and ARP to 10.1.1.2 saying 10.1.1.1 is MAC C are checked against the binding table (“Is this in my binding table? NO!”) and dropped; none of the poisoned ARPs reach the hosts]
Countermeasures to ARP Attacks: Dynamic ARP Inspection
Uses the information from the DHCP snooping binding table
Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding table; if not, traffic is blocked
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
Building the Layers
Port security prevents CAM attacks and DHCP starvation attacks
DHCP snooping prevents rogue DHCP server attacks
Dynamic ARP inspection prevents current ARP attacks
[Figure: Dynamic ARP Inspection layered on top of DHCP Snooping and Port Security]
Spoofing Attacks
MAC spoofing
• If MACs are used for network access an attacker can gain access to the network
• Also can be used to take over someone’s identity already on the network
IP spoofing
• Ping of death
• ICMP unreachable storm
• SYN flood
• Trusted IP addresses can be spoofed
Countermeasures to Spoofing Attacks: IP Source Guard
Uses the DHCP snooping binding table information
IP source guard operates just like dynamic ARP inspection, but looks at every packet, not just ARP packets
[Figure: hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), 10.1.1.3 (MAC C) with DHCP snooping, Dynamic ARP Inspection and IP Source Guard enabled. Traffic sent with IP 10.1.1.3 from MAC B and traffic sent with IP 10.1.1.2 from MAC C are checked against the binding table (“Is this in my binding table? NO!”) and dropped as non-matching traffic; traffic received with source IP 10.1.1.2 from MAC B is accepted]
Countermeasures to Spoofing Attacks: IP Source Guard
Uses the information from the DHCP snooping binding table
Looks at the MacAddress and IpAddress fields to see if the traffic from the interface is in the binding table; if not, traffic is blocked
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
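This added example (Python, not from the deck) serves both the Dynamic ARP Inspection slide above and this IP Source Guard slide: it parses the binding table output shown on both and applies the same binding check to ARP packets (DAI) and to every IP packet (IPSG), so the difference between the two features is visible. The packet layout and the spoofed packets are constructed.

```python
import re

# Copy of the "sh ip dhcp snooping binding" output shown on the slides (constructed input)
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
"""

_ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_bindings(text):
    """Map (vlan, interface) -> set of (mac, ip) pairs; header and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            mac, ip, _lease, _type, vlan, iface = m.groups()
            table.setdefault((int(vlan), iface), set()).add((mac.lower(), ip))
    return table


def verdict(table, pkt, dai=True, ipsg=False):
    """Decision for a packet arriving on an untrusted port.
    pkt keys: kind ('arp' or 'ip'), vlan, iface, mac, ip (ARP sender or IP source fields).
    DAI checks only ARP packets; IP Source Guard applies the same test to every packet."""
    bound = (pkt["mac"].lower(), pkt["ip"]) in table.get((pkt["vlan"], pkt["iface"]), set())
    if pkt["kind"] == "arp" and dai and not bound:
        return "drop"      # ARP sender pair is not in the binding table for this port
    if pkt["kind"] == "ip" and ipsg and not bound:
        return "drop"      # source IP/MAC pair is not bound to this port
    return "permit"


# Constructed packets: a legitimate ARP, a poisoned ARP and a spoofed IP packet from the second port
LEGIT_ARP = dict(kind="arp", vlan=4, iface="FastEthernet3/18", mac="00:03:47:B5:9F:AD", ip="10.120.4.10")
POISON_ARP = dict(kind="arp", vlan=4, iface="FastEthernet3/21", mac="00:03:47:c4:6f:83", ip="10.120.4.10")
SPOOFED_IP = dict(kind="ip", vlan=4, iface="FastEthernet3/21", mac="00:03:47:c4:6f:83", ip="10.120.4.10")


def run():
    """Show that DAI alone stops the poisoned ARP but not the spoofed IP packet; IPSG stops both."""
    table = parse_bindings(BINDING_OUTPUT)
    return {
        "legit_arp": verdict(table, LEGIT_ARP),
        "poison_arp": verdict(table, POISON_ARP),
        "spoofed_ip_dai_only": verdict(table, SPOOFED_IP),
        "spoofed_ip_with_ipsg": verdict(table, SPOOFED_IP, ipsg=True),
    }
```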
Building the Layers
Port security prevents CAM attacks and DHCP starvation attacks
DHCP snooping prevents rogue DHCP server attacks
Dynamic ARP inspection prevents current ARP attacks
IP source guard prevents IP/MAC spoofing
[Figure: IP Source Guard layered on top of Dynamic ARP Inspection, DHCP Snooping and Port Security]
Spanning Tree Basics
STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure
STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include: configuration, topology change notification/acknowledgment (TCN/TCA); most have no “payload”
Avoiding loops ensures broadcast traffic does not become storms
A switch is elected as root; root selection is based on the lowest configured priority of any switch (0–65535)
A ‘tree-like’ loop-free topology is established from the perspective of the root bridge
[Figure: several switches, one elected Root, with one redundant link marked X (blocked)]
Spanning Tree Attack Example
Send BPDU messages to become root bridge
[Figure: a redundant topology of access switches with an elected Root; the attacker, connected to two access switches, sends STP BPDUs claiming to be Root, and one of the existing links becomes blocked (X)]
Spanning Tree Attack Example
Send BPDU messages to become root bridge
The attacker then sees frames he shouldn’t
MITM, DoS, etc. all possible
Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half-duplex 10 Mb was verified
Requires attacker is dual homed to two different switches
[Figure: the attacker has become Root; the former backbone link is now blocked (X) and traffic between the access switches flows through the attacker]
STP Attack Mitigation
Try to design loop-free topologies wherever possible, so you do not need STP
Don’t disable STP; introducing a loop would become another attack
Except in loop-free topologies (like layer 3 at access switch)
BPDU guard
• Should be run on all user facing ports and infrastructure facing ports
• Disables ports using portfast upon detection of a BPDU message on the port
Cisco Discovery Protocol
Useful protocol but could lead to information leakage
Enabled: in the core
Disabled: on host facing interfaces (except phones)
There was a DoS attack against CDP but it has been fixed for years
Basic Trunk Port Defined
Trunk ports have access to all VLANs by default
Used to route traffic for multiple VLANs across the same physical link (generally between switches or phones)
Encapsulation can be 802.1q or ISL
[Figure: two switches joined by a trunk carrying VLAN 10 and VLAN 20 with a native VLAN; access ports on each switch belong to VLAN 10 or VLAN 20]
Dynamic Trunk Protocol (DTP)
What is DTP?
• Automates 802.1q/ISL trunk configuration
• Operates between switches (Cisco IP phone is a switch)
• Does not operate on routers
• Support varies, check your device
DTP synchronizes the trunking mode on end links
DTP state on 802.1q/ISL trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non-Negotiate”
[Figure: Dynamic Trunk Protocol negotiation between two switches]
Basic VLAN Hopping Attack
An end station can spoof as a switch with ISL or 802.1q
The station is then a member of all VLANs
[Figure: the attacker’s station negotiates a trunk (native VLAN, VLAN 10, VLAN 20) with the access switch and so receives traffic from both VLAN 10 and VLAN 20, just like the real trunk between the switches]
Double 802.1q Encapsulation VLAN Hopping Attack
Send 802.1q double encapsulated frames
Switch performs only one level of decapsulation
Unidirectional traffic only
Works even if trunk ports are set to off
[Figure: a frame with two 802.1q tags enters the first switch, which strips off the first tag and sends the frame back out on the trunk with the second tag still attached]
Note: only works if trunk has the same VLAN as the attacker
Security Best Practices for VLANs and Trunking
• Always use a dedicated VLAN ID for all trunk ports
• Disable unused ports and put them in an unused VLAN
• Be paranoid: do not use VLAN 1 for anything
• Disable auto-trunking on user facing ports (DTP off)
• Explicitly configure trunking on infrastructure ports
• Use all tagged mode for the native VLAN on trunks
• Use PC voice VLAN access on phones that support it
VLAN Hopping
Attacker sends frames to another VLAN, but is unable to receive back traffic
Counter measures:
• Disable trunking on all host ports (except phones)
• Never use VLAN 1 anywhere
• Specific VLAN for trunk native VLAN
• Disable VLAN tag on access ports
• Enforce VLAN tag on trunk ports
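As an added example (Python, not from the deck) for the double-encapsulation slide and the “disable VLAN tag on access ports” countermeasure above: a parser that walks the whole 802.1q tag stack of a frame, rather than the single level a switch decapsulates, and an access-port policy that drops any tagged frame. The frames below are constructed test input, not captures.

```python
import struct

TPID_8021Q = 0x8100

# Constructed frames: destination MAC, source MAC, zero or more 802.1q tags, EtherType, payload
DOUBLE_TAGGED = bytes.fromhex("ffffffffffff" "0003470a0b0c" "8100000a" "81000014" "0800" "00000000")
UNTAGGED = bytes.fromhex("ffffffffffff" "0003470a0b0c" "0800" "00000000")


def parse_vlan_tags(frame):
    """Walk the 802.1q tag stack that follows the MAC header.
    Returns (VLAN IDs outermost first, EtherType of the payload)."""
    offset = 12                                  # destination + source MAC
    tags = []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)                # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags, struct.unpack("!H", frame[offset:offset + 2])[0]


def access_port_verdict(frame, access_vlan):
    """Policy for a user-facing access port with tags disabled: any 802.1q tag, single
    or stacked, is dropped; untagged frames are placed in the port's access VLAN."""
    tags, _ = parse_vlan_tags(frame)
    if tags:
        return "drop", tags
    return "forward", [access_vlan]
```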
Control Plane Protection
Even on HW switches, some frames always go to main CPU: ARP, packets addressed to the switch (OSPF, ICMP, BPDU)
DoS happens when too many packets go to the CPU: 100% of CPU => loss of adjacencies, no more ARP, ...
Use control plane policing: rate limit those packets, done in HW and transparently in most switches
Switch Management
Management can be your weakest link: all the great mitigation techniques we talked about aren’t worth much if the attacker telnets into your switch and disables them
Most of the network management protocols we know and love are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.)
Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP etc.); where impossible, consider Out-of-Band (OOB) management
Put the management VLAN into a dedicated non-standard VLAN where nothing but management traffic resides
Consider physically back-hauling this interface to your management network
When OOB management is not possible, at least limit access to the management protocols using the “set ip permit” lists on the management protocols
SSH is available on Catalyst 6K with Catalyst OS 6.1 and Catalyst 4K/29XXG with Catalyst OS 6.3; 3550 in 12.1(11)EA1; 2950 in 12.1(12c)EA1; Cisco IOS 6K 12.1(5c)E12; IOS 4K in 12.1(13)EW
Matrix for Security Features 1 of 3 (for your reference)
Feature / Platform    | 6500/Catalyst OS | 6500/Cisco IOS | 4500/Cisco IOS | 4500/Catalyst OS
Dynamic Port Security | 7.6(1)           | 12.1(13)E      | 12.1(13)EW     | 5.1(1)
DHCP Snooping         | 8.3(1)           | 12.2(18)SXE*   | 12.1(12c)EW**  | N/A
DAI                   | 8.3(1)           | 12.2(18)SXE*   | 12.1(19)EW**   | N/A
IP Source Guard       | 8.3(1)*          | 12.2(18)SXD2   | 12.1(19)EW**   | N/A
* Requires Sup720; support for Sup32 DHCP Snooping and DAI Q3CY05
** For the Catalyst 4500/IOS-based platforms, this requires Sup2+, Sup3, Sup4, Sup 5. These Sups are supported on the Catalyst 4006, 4503, 4506, and 4507R chassis
NOTE: There are no plans to support these features for any Catalyst 4000/4500 platform running CatOS, or any 2900 platform
Matrix for Security Features 2 of 3 (for your reference)
Feature / Platform    | 2950 SI       | 2950 EI       | 2970 EI       | 3550 EMI     | 3750/3560 EMI
Dynamic Port Security | 12.0(5.2)WC1  | 12.0(5.2)WC1  | 12.1(11)AX    | 12.2(25)SEA  | 12.1(25)SE
DHCP Snooping         | N/A           | 12.1(19)EA1   | 12.1(19)EA1   | 12.2(25)SEA  | 12.1(25)SE
DAI                   | N/A           | N/A           | N/A           | 12.2(25)SEA  | 12.2(25)SE
IP Source Guard       | N/A           | N/A           | N/A           | 12.2(25)SEA  | 12.2(25)SE
Note: old names of the Cisco IOS for the 3000 series switches; Cisco IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Matrix for Security Features 3 of 3 (for your reference)
Feature / Platform    | 3550 IP Base  | 3750/3560 IP Base | 3550 Advanced IP | 3750/3560 Advanced IP
Dynamic Port Security | 12.2(25)SEA   | 12.1(25)SE        | 12.2(25)SEA      | 12.1(25)SE
DHCP Snooping         | 12.2(25)SEA   | 12.1(25)SE        | 12.2(25)SEA      | 12.1(25)SE
DAI                   | 12.2(25)SEA   | 12.1(25)SE        | 12.2(25)SEA      | 12.2(25)SE
IP Source Guard       | 12.2(25)SEA   | 12.1(25)SE        | 12.2(25)SEA      | 12.2(25)SE
Note: old names of the Cisco IOS for the 3000 series switches; Cisco IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Conclusion
Layer 2 is not only dumb pipes
You need to secure those pipes
Easy and free: port security, DHCP snooping, ARP inspection, source guard, BPDU guard
[Figure: the full stack of layers: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard]