Summary 330

　　Review Questions 331

　　Chapter 6 Securing the Campus Infrastructure 333

　　Switch Security Fundamentals 334

　　Security Infrastructure Services 334

　　Unauthorized Access by Rogue Devices 336

　　Layer 2 Attack Categories 337

　　Understanding and Protecting Against MAC Layer Attack 339

　　Suggested Mitigation for MAC Flooding Attacks 341

　　Port Security 341

　　Port Security Scenario 1 341

　　Port Security Scenario 2 342

　　Configuring Port Security 343

　　Caveats to Port Security Configuration Steps 344

　　Verifying Port Security 345

　　Port Security with Sticky MAC Addresses 347

　　Blocking Unicast Flooding on Desired Ports 348

　　Understanding and Protecting Against VLAN Attacks 349

　　VLAN Hopping 349

　　VLAN Hopping with Double Tagging 350

　　Mitigating VLAN Hopping 351

　　VLAN Access Control Lists 352

　　Configuring VACL 353

　　Understanding and Protecting Against Spoofing Attacks 355

　　Catalyst Integrated Security Features 355

　　DHCP Spoofing Attack 356

　　DHCP Snooping 358

　　ARP Spoofing Attack 361

　　Preventing ARP Spoofing Through Dynamic

　　ARP Inspection 362

　　IP Spoofing and IP Source Guard 368

　　Configuring IPSG 370

　　Securing Network Switches 372

　　Neighbor Discovery Protocols 372

　　Cisco Discovery Protocol 373

　　Configuring CDP 373

　　Configuring LLDP 375

　　CDP Vulnerabilities 375

　　Securing Switch Access 376

　　Telnet Vulnerabilities 377

　　Secure Shell 377

　　VTY ACLs 378

　　HTTP Secure Server 379

　　Authentication Authorization Accounting (AAA) 380

　　Security Using IEEE 802.1X Port-Based Authentication 387

　　Configuring 802.1X 389

　　Switch Security Considerations 390

　　Organizational Security Policies 391

　　Securing Switch Devices and Protocols 391

　　Configuring Strong System Passwords 392

　　Restricting Management Access Using ACLs 392

　　Securing Physical Access to the Console 393

　　Securing Access to vty Lines 393

　　Configuring System Warning Banners 393

　　Disabling Unneeded or Unused Services 394

　　Trimming and Minimizing Use of CDP/LLDP 395

　　Disabling the Integrated HTTP Daemon 395

　　Configuring Basic System Logging 396

　　Securing SNMP 396

　　Limiting Trunking Connections and Propagated VLANs 396

　　Securing the Spanning-Tree Topology 396

　　Mitigating Compromises Launched Through a Switch 397

　　Troubleshooting Performance and Connectivity 398

　　Techniques to Enhance Performance 398

　　Monitoring Performance with SPAN and VSPAN 400

　　Using SPAN to Monitor the CPU Interface of Switches 403

　　Monitoring Performance with RSPAN 404

　　Monitoring Performance with ERSPAN 408

　　Monitoring Performance Using VACLs with the Capture Option 410

　　Troubleshooting Using L2 Traceroute 412

　　Enhancing Troubleshooting and Recovery Using Cisco IOS Embedded Event Manager 413

　　Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches 414

　　Summary 415

　　Review Questions 416