
CCIE Security

Advanced Technologies Class

Layer 2 Security

http://www.InternetworkExpert.com

Port Security

Used to limit access to a port based on the source MAC addresses seen on it
(a maximum number of addresses, learned dynamically, configured statically,
or learned "sticky" into the running config)
Violation modes (what happens when an address beyond the maximum shows up):
Shutdown (default): sends the port to err-disable; SNMP trap and syslog
message generated, violation counter incremented
Protect: violators cannot send traffic in (frames from the offending MAC are
silently dropped); no trap, no syslog, counter not incremented
Restrict: violators cannot send traffic in; generates SNMP trap / syslog
message and increments the violation counter
Copyright 2007 Internetwork Expert, Inc
www.InternetworkExpert.com

Port Security

Once a port goes into err-disable it does not come out unless:
shut / no shut is issued on the interface, or
err-disable recovery is configured for that cause, in which case the switch
re-enables the port automatically when the interval expires:
errdisable recovery cause {bpduguard | psecure-violation | all | ...}
errdisable recovery interval seconds
Recovery only re-enables the port; if the offending MAC is still sending,
the port goes straight back to err-disable.
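The two slides above put together, as an added IOS configuration example (not from the original deck): one access port in restrict mode with sticky learning, one in the default shutdown mode, and automatic recovery from the psecure-violation cause. Interface names, VLAN and the 5-minute interval are assumptions for the example.

```cisco
! Access port limited to two sticky-learned MACs; restrict mode logs the
! violation (trap + syslog + counter) but does not take the port down
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Port in the default shutdown mode: one unknown MAC and it goes to
! err-disable (default maximum of 1 address)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation shutdown
!
! Without these two lines Fa0/2 stays down until someone does shut / no shut;
! with them it is re-enabled 300 s after the violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (privileged EXEC):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show errdisable recovery
!   show interfaces status err-disabled
```

Sticky addresses are written into the running config, so save it (`copy running-config startup-config`) or they are relearned, and possibly by a different host, after a reload.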

Static CAM Entries

Layer 2 switching table (CAM / MAC address table)
Associates a destination MAC address with an outgoing port and VLAN
Static entries are configured by hand, never age out, and take precedence
over dynamic learning for that address
A static entry with the drop keyword can be used to null route (black-hole)
a MAC address: unicast frames with that source or destination address in
the VLAN are dropped
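Both uses of a static CAM entry, as an added example that is not part of the original deck: pinning a server's MAC to its port, and black-holing a known-bad host. MAC addresses, VLAN and interface are made up for the example; older IOS trains spell the command `mac-address-table static`.

```cisco
! Pin the server's MAC to Gi0/1 in VLAN 10: the entry never ages out and a
! frame with this source MAC arriving on another port does not move it
mac address-table static 0011.2233.4455 vlan 10 interface GigabitEthernet0/1
!
! Null route a known-bad host: unicast frames to OR from this MAC in
! VLAN 10 are dropped in hardware, whatever port they arrive on
mac address-table static 00de.adbe.ef01 vlan 10 drop
!
! Verification:
!   show mac address-table static
!   show mac address-table address 00de.adbe.ef01
!   show mac address-table vlan 10
```

The drop entry is per VLAN, so a host that is moved to another VLAN is no longer matched; port security or a VACL is the right tool if the goal is to keep the host off the network altogether.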

Storm Control

Limits the amount of unicast / broadcast / multicast traffic accepted on a port
When the broadcast or unicast threshold is exceeded only that traffic type is
suppressed; when the multicast threshold is exceeded, all traffic (unicast,
broadcast and multicast) except control traffic such as BPDUs is suppressed
storm-control {broadcast | multicast | unicast} level {level [level-low] |
pps pps [pps-low]}
level is a % of interface bandwidth; traffic is blocked above level and
resumes once it falls below level-low (defaults to level)
10/100/1000 issue: a percentage is relative to the negotiated port speed, so
the same level means a tenfold different absolute rate on a 10, 100 or
1000 Mb/s port; use pps thresholds when a fixed rate is wanted
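The percentage form beside the packets-per-second form, as an added configuration example (not from the original deck) showing why the 10/100/1000 issue matters. Interface names and the threshold values are assumptions.

```cisco
! Percentage thresholds: 5% of port speed is 500 kb/s on a 10 Mb/s port but
! 50 Mb/s on a 1000 Mb/s port, so this one line behaves very differently
! depending on what the port negotiates
interface FastEthernet0/1
 storm-control broadcast level 5.00 2.00
!
! Packets-per-second thresholds give the same absolute limit whatever the
! negotiated speed: block above the first value, resume below the second.
! Remember that exceeding the multicast threshold suppresses ALL traffic on
! the port, so set it with more headroom than broadcast
interface GigabitEthernet0/1
 storm-control broadcast level pps 1000 500
 storm-control multicast level pps 5000 4000
 storm-control unicast level pps 20000 15000
 ! Instead of silently dropping: err-disable the port (recoverable with
 ! errdisable recovery cause storm-control) and send an SNMP trap
 storm-control action shutdown
 storm-control action trap
!
! Verification:
!   show storm-control GigabitEthernet0/1
!   show storm-control GigabitEthernet0/1 broadcast
```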

Port Protection

Used to prevent devices on the same VLAN and the same switch from
communicating directly at layer 2: a protected port forwards no unicast,
broadcast or multicast traffic to another protected port, so traffic between
them has to pass through a layer 3 device (where it can be filtered)
Unprotected ports talk to protected and unprotected ports as normal
Example:
Prevent a compromised WWW server from launching a DoS at the other servers
on the same VLAN
Circumvention via unknown unicast / multicast flooding: the switch still
floods frames with an unknown destination MAC to every port in the VLAN,
protected ports included; switchport block unicast / switchport block
multicast on the protected ports closes that hole
Isolation is local to one switch; across switches use private VLANs
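The server-VLAN scenario from the slide as an added configuration example (not from the original deck), including the port-blocking commands that close the unknown-unicast / multicast flooding hole. Interface ranges and VLAN number are assumptions.

```cisco
! Server VLAN: every server port is protected, so a compromised WWW server
! cannot reach the other servers at layer 2; it can only reach the gateway
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 20
 switchport protected
 ! Close the flooding hole: frames with an unknown destination MAC (unicast
 ! or multicast) are no longer flooded out this port
 switchport block unicast
 switchport block multicast
!
! Uplink to the default gateway stays unprotected so every server can still
! reach it; server-to-server traffic now goes through the router, where a
! normal ACL can filter it
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
!
! Verification (look for "Protected: true", "Unknown unicast blocked: enabled",
! "Unknown multicast blocked: enabled"):
!   show interfaces FastEthernet0/1 switchport
```

Blocking unknown multicast on a port also stops any legitimate multicast that the switch has not learned a group entry for, so check IGMP snooping state before applying it to ports that host multicast receivers.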

VLAN Access Lists (VACLs)

Used to apply a layer 3 (or layer 2) filter to a layer 2 transit network:
traffic bridged within a VLAN never touches a router ACL, but a VLAN access
map applied to the VLAN filters it in hardware, in both directions
Uses route-map logic: numbered sequences, each matching an IP or MAC ACL,
permit (forward) or deny (drop) traffic; first match wins, and a sequence
with no match clause matches everything
Never end in implicit deny: traffic that the map tests but that matches no
sequence is dropped, which silently breaks protocols you were not thinking
about, such as
ARP (IP address resolution)
CLNS (IS-IS)
so finish every map with an explicit action forward sequence
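A VLAN access map that restricts which host may reach a database server inside the VLAN, as an added example that is not part of the original deck. It ends with the catch-all forward sequence the slide calls for. Addresses, names and the TCP port are made up for the example.

```cisco
! Goal: inside VLAN 10 only the application server (10.1.10.20) may reach
! the database server (10.1.10.50) on TCP/3306; nothing else in the VLAN
! is touched. Remember "permit" in the ACL means "match" in the map.
ip access-list extended DB-ALLOWED
 permit tcp host 10.1.10.20 host 10.1.10.50 eq 3306
ip access-list extended DB-PORT
 permit tcp any host 10.1.10.50 eq 3306
!
! Route-map logic: first matching sequence decides
vlan access-map PROTECT-DB 10
 match ip address DB-ALLOWED
 action forward
vlan access-map PROTECT-DB 20
 match ip address DB-PORT
 action drop
! Catch-all: no match clause, so ARP, CLNS, other IP traffic and so on all
! match here and are forwarded instead of falling off the end into a drop
vlan access-map PROTECT-DB 30
 action forward
!
vlan filter PROTECT-DB vlan-list 10
!
! Verification:
!   show vlan access-map PROTECT-DB
!   show vlan filter
```

Test from the VLAN itself: a router ACL on the SVI would never see the application-to-database flow, because it is switched within VLAN 10 and never routed.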


CCIE Security
Advanced Technologies Class

IOS Passwords & Privileges

Local Authorization

Privilege levels are used to control access to EXEC commands
Default privilege levels:
0: only disable, enable, exit, help and logout
1: user EXEC mode (the level a login lands in by default)
15: privileged (enable) mode, every command
User-defined privilege levels:
Levels 2 through 14 are available for assignment; a command placed at
level N is usable from level N and from every higher level
A user reaches a level through username ... privilege N, enable N with a
matching enable secret level N, or privilege level N on the line


Local Authorization

Moving a command's privilege down (privilege exec level 1 ...)
Allow privilege 1 to
Run extended ping (ping with no arguments, which is privileged by default)
Show the running config (show running-config)
Only see what you can configure: show running-config at a level below 15
displays only the commands that level is allowed to configure

Moving a command's privilege up (privilege exec level 15 ...)
Revoke privilege 1's ability to
Run show commands (moving show moves every show subcommand with it)
Use the enable command (users then need a username or line that lands
them at privilege 15 directly, or they are locked out of enable mode)

Local Authorization

The privilege command takes a mode keyword: exec | configure | interface |
router | etc.
The configuration mode the command lives in determines which form of the
privilege command to use; the parent commands needed to reach that mode
must be available at the same level as well
Example:
EXEC command (router#): privilege exec level N ...
Configure command (router(config)#): privilege configure level N ...
Interface command (router(config-if)#): privilege interface level N ...
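The three Local Authorization slides carried through in one added configuration example (not from the original deck): commands moved down to a custom level 5 for a helpdesk user, spanning exec, configure and interface modes, and the enable command moved up to 15. Usernames, secrets and the level number are assumptions; replace the placeholders before use.

```cisco
! Level 5: a helpdesk operator who may run extended ping, view the running
! config, and shut/no shut or describe interfaces, and nothing else
enable secret level 5 <level5-secret>
username helpdesk privilege 5 secret <helpdesk-password>
username admin privilege 15 secret <admin-password>
line vty 0 4
 login local
!
! Moving commands DOWN: EXEC-mode commands use the exec form
privilege exec level 5 ping
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
! Commands entered in config mode use the configure form, interface
! sub-commands the interface form; each parent is granted at the same level
! so the mode is reachable from level 5
privilege configure level 5 interface
privilege interface level 5 description
privilege interface level 5 shutdown
!
! Moving commands UP: level 1 (and 5) can no longer use enable, so the only
! way to level 15 is a username or line that lands there directly.
! privilege exec level 15 show would likewise revoke every show command from
! level 1; it is omitted here so the level-5 show running-config keeps working.
privilege exec level 15 enable
!
! Verification, logged in as helpdesk (lands at level 5 via login local):
!   Router# show privilege              -> Current privilege level is 5
!   Router# show running-config         -> only the commands level 5 may configure
!   Router# configure terminal
!   Router(config)# interface FastEthernet0/0
!   Router(config-if)# description changed by helpdesk
!   Router(config-if)# ip address ...   -> not available at this level
```

Keep a console session open at level 15 while moving enable up: if the admin username or login local on the vty lines is wrong, there is no other path back to privileged mode.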
