Summary 330
Review Questions 331
Chapter 6 Securing the Campus Infrastructure 333
Switch Security Fundamentals 334
Security Infrastructure Services 334
Unauthorized Access by Rogue Devices 336
Layer 2 Attack Categories 337
Understanding and Protecting Against MAC Layer Attack 339
Suggested Mitigation for MAC Flooding Attacks 341
Port Security 341
Port Security Scenario 1 341
Port Security Scenario 2 342
Configuring Port Security 343
Caveats to Port Security Configuration Steps 344
Verifying Port Security 345
Port Security with Sticky MAC Addresses 347
Blocking Unicast Flooding on Desired Ports 348
Understanding and Protecting Against VLAN Attacks 349
VLAN Hopping 349
VLAN Hopping with Double Tagging 350
Mitigating VLAN Hopping 351
VLAN Access Control Lists 352
Configuring VACL 353
Understanding and Protecting Against Spoofing Attacks 355
Catalyst Integrated Security Features 355
DHCP Spoofing Attack 356
DHCP Snooping 358
ARP Spoofing Attack 361
Preventing ARP Spoofing Through Dynamic ARP Inspection 362
IP Spoofing and IP Source Guard 368
Configuring IPSG 370
Securing Network Switches 372
Neighbor Discovery Protocols 372
Cisco Discovery Protocol 373
Configuring CDP 373
Configuring LLDP 375
CDP Vulnerabilities 375
Securing Switch Access 376
Telnet Vulnerabilities 377
Secure Shell 377
VTY ACLs 378
HTTP Secure Server 379
Authentication Authorization Accounting (AAA) 380
Security Using IEEE 802.1X Port-Based Authentication 387
Configuring 802.1X 389
Switch Security Considerations 390
Organizational Security Policies 391
Securing Switch Devices and Protocols 391
Configuring Strong System Passwords 392
Restricting Management Access Using ACLs 392
Securing Physical Access to the Console 393
Securing Access to vty Lines 393
Configuring System Warning Banners 393
Disabling Unneeded or Unused Services 394
Trimming and Minimizing Use of CDP/LLDP 395
Disabling the Integrated HTTP Daemon 395
Configuring Basic System Logging 396
Securing SNMP 396
Limiting Trunking Connections and Propagated VLANs 396
Securing the Spanning-Tree Topology 396
Mitigating Compromises Launched Through a Switch 397
Troubleshooting Performance and Connectivity 398
Techniques to Enhance Performance 398
Monitoring Performance with SPAN and VSPAN 400
Using SPAN to Monitor the CPU Interface of Switches 403
Monitoring Performance with RSPAN 404
Monitoring Performance with ERSPAN 408
Monitoring Performance Using VACLs with the Capture Option 410
Troubleshooting Using L2 Traceroute 412
Enhancing Troubleshooting and Recovery Using Cisco IOS Embedded Event Manager 413
Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches 414
Summary 415
Review Questions 416