Chapter 11 - Switch Security Configuration

Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.

PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.

Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.

In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.

VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.

To mitigate the chances of ARP spoofing, these procedures are recommended:

Implement protection against DHCP spoofing by enabling DHCP snooping globally.

Enable DHCP snooping on selected VLANs.

Enable DAI on selected VLANs.

Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.​

DHCP snooping recognizes two types of ports on Cisco switches:

Trusted DHCP ports – switch ports connecting to upstream DHCP servers

Untrusted ports – switch ports connecting to hosts that should not be providing DHCP server messages