Router & Switch Device Security

– to encrypt the plaintext passwords stored in the configuration, use #service password-encryption
– “#no service password-encryption” does not automatically decrypt existing passwords; they stay type 7 until a new password is configured
– #enable secret – stores the enable password as an MD5 hash (type 5)
– #enable password – stores the enable password in clear text, or as a reversible type 7 string when service password-encryption is on
– #username <name> secret <pass> – stores the user password as an MD5 hash; #username <name> password <pass> stores it as type 7 at best, so prefer secret


AAA – Authentication, Authorization and Accounting

RADIUS vs TACACS+

Feature                          RADIUS           TACACS+
Scope of encryption              Password only    Entire payload
Layer 4 protocol                 UDP              TCP
Well-known ports                 1812/1645        49/49
Standard or Cisco proprietary    Standard         Cisco

AAA authentication methods
1. Enable AAA with “aaa new-model”
2. Define the RADIUS or TACACS+ servers: IP address and shared key
3. Define the default set of authentication methods used for all CLI access with “#aaa authentication login default”
4. Define the default set of authentication methods for enable mode with “#aaa authentication enable default”
– there is no limit to the number of RADIUS/TACACS+ servers; IOS tries the first one, then the next, and so on
– you can create server groups and specify the order in which the servers are tried


PPP Security

– PPP can use PAP or CHAP
– the default authentication is against the local #username / password database
Steps
1. Enable AAA with “aaa new-model”
2. Configure RADIUS/TACACS+
3. Define the set of authentication methods using #aaa authentication ppp default
4. Create server groups with #aaa group server {radius | tacacs+} <name>
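The two procedures above (AAA for CLI login/enable and AAA for PPP) share the same server definitions, so here is one combined configuration as an added example. It is not taken from the notes; the server names, addresses, keys, usernames and the Serial0/0/0 interface are placeholders.

```cisco
! Added example (not from the notes): AAA for CLI access and PPP CHAP.
! Server addresses, shared keys and the local username are placeholders.
aaa new-model
!
! Local fallback account and enable secret, both stored as MD5 hashes
username admin privilege 15 secret StrongLocalFallback1
enable secret StrongEnableSecret1
!
! Step 2: TACACS+ servers for CLI access, tried in the order listed in the group
tacacs server TAC1
 address ipv4 10.1.1.10
 key TacacsSharedKey
tacacs server TAC2
 address ipv4 10.1.1.11
 key TacacsSharedKey
aaa group server tacacs+ TAC-GROUP
 server name TAC1
 server name TAC2
!
! Step 2 (PPP): RADIUS server used for CHAP on WAN links
radius server RAD1
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key RadiusSharedKey
aaa group server radius RAD-GROUP
 server name RAD1
!
! Steps 3 and 4: default method lists; each method is tried only if the
! previous one is unreachable, not if it rejects the credentials
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa accounting exec default start-stop group TAC-GROUP
!
! PPP: CHAP against RADIUS first, local usernames if RADIUS is down
aaa authentication ppp default group RAD-GROUP local
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
!
line vty 0 4
 transport input ssh
 login authentication default
```

The ordering matters: `local` and `enable` in a method list are only consulted when the whole server group is unreachable, so a valid account rejected by TACACS+ is not silently accepted from the local database. Keep one session open while testing and check reachability with `show aaa servers` before relying on the server group.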


Layer2 Security

1. Disable unneeded dynamic protocols like CDP and DTP
2. Disable trunking by configuring these ports as access ports
3. Enable BPDU Guard and Root Guard to prevent STP attacks
4. Use DAI or private VLANs to prevent frame sniffing
5. Enable port security
6. Use 802.1x user authentication
7. Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle attacks
8. Use private VLANs to protect from sniffing
9. Configure VTP authentication
10. Disable unused switch ports and place them in an unused VLAN (e.g. VLAN 999)
11. Avoid using VLAN 1
12. For trunks, do not use the native VLAN for user traffic
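A baseline access-switch configuration covering items 1, 2, 3, 9, 10, 11 and 12 of the list above, as an added example (not from the notes). VLAN numbers, interface ranges, the VTP domain and password are placeholders; port security, DAI, DHCP snooping and 802.1x are configured in their own sections later.

```cisco
! Added example (not from the notes): Layer 2 hardening baseline.
! VLANs, interface ranges and the VTP domain/password are placeholders.
!
! Item 1: stop advertising the switch to neighbours
no cdp run
!
! Item 9: VTP updates must carry the password hash
vtp domain LAB
vtp password VtpSecret123
!
! Items 1, 2, 3, 11: user ports are static access ports with DTP off,
! never in VLAN 1, and err-disable on any received BPDU
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Item 10: unused ports parked in a dead VLAN and shut down
interface range GigabitEthernet1/0/21 - 23
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Items 3 and 12: trunk toward a downstream switch; native VLAN is a
! dead VLAN, only needed VLANs are allowed, and this port may never
! become the root port
interface GigabitEthernet1/0/24
 description TRUNK-TO-DOWNSTREAM-SWITCH
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
! Let a BPDU-guard err-disabled port recover on its own after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Two caveats: `no cdp run` also breaks power negotiation and voice-VLAN discovery for Cisco IP phones, so on phone ports use `no cdp enable` selectively instead; and root guard belongs on ports facing switches that must never become root (downstream), not on the uplink toward the real root bridge. `show interfaces status err-disabled` shows which ports tripped a guard.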


Port Security

– requires that a port is statically set as either access or trunk (not dynamic/DTP)
#switchport port-security [aging ...] [violation {protect | restrict | shutdown}]
protect – silently drops frames from MAC addresses beyond the allowed set, with no log message or SNMP trap
restrict – drops those frames and also sends SNMP traps and a log message about the violation
shutdown – puts the port in the err-disabled state
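The three violation modes side by side on realistic ports, as an added example (not from the notes). Interface names and VLAN numbers are placeholders.

```cisco
! Added example (not from the notes): port security with each violation mode.
! Interface names and VLANs are placeholders.
!
! Single workstation port: learn the first MAC, keep it in the config
! (sticky), and silently drop anything else (protect)
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation protect
!
! Hot-desk port: up to 2 dynamic MACs, age out after 10 minutes idle,
! and log/trap on violation while keeping the port up (restrict)
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security violation restrict
!
! Phone + PC port: one MAC for the PC, one for the phone, err-disable
! on violation (shutdown, the default action)
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Bring err-disabled ports back automatically instead of needing
! a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`protect` gives no visibility at all, so it is the weakest choice from a detection standpoint; `restrict` keeps the port up but increments the violation counter shown by `show port-security interface GigabitEthernet1/0/5`. Sticky addresses are written into the running configuration and are lost on reload unless you save it.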


Dynamic ARP Inspection (DAI)

– the ARP spoofing attack works by sending a gratuitous ARP (GARP)
– DAI is used to defeat ARP attacks
DAI determines whether an ARP message is inappropriate by using the following logic:
1. If an ARP reply lists a sender IP/MAC address that was not assigned by DHCP to a device on that port, DAI filters the ARP reply
2. It also uses a list of statically defined IP/MAC addresses (an ARP ACL)
3. For a received ARP reply, DAI compares the source MAC in the Ethernet header to the sender MAC in the ARP message; if they are not equal, the reply is filtered
4. DAI compares the destination MAC in the Ethernet header to the target MAC listed in the ARP body
5. DAI checks for unexpected IP addresses like “” or “”
DHCP snooping must be enabled for DAI to work


Dynamic ARP Inspection commands

ip arp inspection vlan <vlan-range>   Global command to enable DAI on the switch for specific VLANs
ip arp inspection trust   Interface subcommand that marks the port as trusted, so ARP received on it is not inspected; by default ports are untrusted and DAI inspects them
ip arp inspection filter <arp-acl-name> vlan <vlan-range> [static]   Global command to refer to an ARP ACL that defines static IP/MAC addresses to be checked by DAI
ip arp inspection validate {[src-mac] [dst-mac] [ip]}   Enables additional optional checking of ARP messages
* ip arp inspection limit {rate <pps> [burst interval <seconds>] | none}   Interface subcommand that limits the ARP message rate, to prevent DoS attacks carried out by sending a large number of ARPs

* by default DAI applies a limit of 15 ARP messages per second on each untrusted port to mitigate that risk; the setting can be changed with “ip arp inspection limit”


DHCP Snooping

– builds a table of IP address, MAC address, VLAN and port mappings, called the DHCP snooping binding table
– the table is used by DAI and IP Source Guard
– used to prevent DHCP attacks
– DHCP attack: a man-in-the-middle attack using a bogus DHCP server that hands out the attacker's address as the default gateway
To avoid depleting the IP pool, DHCP snooping uses the following logic to filter packets:
1. On untrusted ports, it filters messages sent exclusively by DHCP servers
2. The switch checks DHCP release and decline messages against the DHCP snooping binding table; if the IP address in those messages is not listed with the port in the DHCP snooping binding table, the messages are
3. Optionally, it compares the DHCP request's client hardware address (chaddr) with the source MAC address in the Ethernet frame

ip dhcp snooping vlan <vlan-range>   Global command to enable DHCP snooping on the listed VLANs
ip dhcp snooping trust   Interface subcommand that marks the port as trusted, so DHCP server messages are accepted on it
ip dhcp snooping binding <mac-addr> vlan <id> <ip-address> interface <id> expiry <seconds>   Adds a static entry to the DHCP snooping binding database
ip dhcp snooping limit rate <rate>   Interface subcommand that sets the maximum number of DHCP messages per second, to mitigate DoS attacks



IP source Guard

– if enabled together with DHCP snooping, IP Source Guard checks the source IP address of each received packet against the DHCP snooping binding database
– it is enabled per interface
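DHCP snooping, DAI and IP Source Guard all depend on the same binding table, so the three sections above are best shown as one configuration. This is an added example, not from the notes; VLANs, interfaces, the MAC/IP of the static host and the ACL name are placeholders.

```cisco
! Added example (not from the notes): DHCP snooping as the foundation,
! then DAI and IP Source Guard consuming its binding table.
! VLANs, interfaces, addresses and the ACL name are placeholders.
!
! 1. DHCP snooping: global enable plus the VLANs to watch. Option 82 is
!    turned off because a server that is not the relay drops requests
!    carrying it with giaddr 0.0.0.0.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! Only the port toward the DHCP server and the router is trusted; server
! messages (OFFER/ACK) arriving anywhere else are dropped
interface GigabitEthernet1/0/24
 description UPLINK-TO-DHCP-SERVER
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted user ports: cap DHCP and ARP rates, and verify the source IP
! of every packet against the binding table (IP Source Guard)
interface range GigabitEthernet1/0/1 - 20
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 20 burst interval 1
 ip verify source
!
! A statically addressed host (printer) has no DHCP lease, so give it a
! static binding for IP Source Guard and an ARP ACL entry for DAI
ip source binding 0011.2233.aaaa vlan 10 10.10.10.5 interface GigabitEthernet1/0/7
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0011.2233.aaaa
!
! 2. DAI: the ACL is consulted first, then the DHCP snooping bindings.
!    "validate ip" additionally drops sender/target IPs such as 0.0.0.0,
!    255.255.255.255 and multicast addresses.
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Ports that exceed the ARP rate are err-disabled; recover them automatically
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Order of operations matters: enable DHCP snooping and mark the trusted uplink first, let clients renew so `show ip dhcp snooping binding` fills up, and only then turn on DAI and `ip verify source`, otherwise hosts with existing leases are cut off until they renew. The `static` keyword was deliberately left off the `ip arp inspection filter` line: with it, the ACL's implicit deny becomes final and the binding table is no longer consulted for that VLAN, which would block every DHCP client. The EXEC form `ip dhcp snooping binding ... expiry ...` from the notes is an alternative to `ip source binding` for adding the static entry. Check results with `show ip arp inspection statistics` and `show ip verify source`.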


802.1x Authentication using EAP

– switches use 802.1x to authenticate a device before its traffic is allowed onto the network
– EAP can be used to authenticate the PC, or can be used with an OTP (One Time Password)
– EAP messages are encapsulated in Ethernet frames; they are called EAP over LAN (EAPoL)
– RADIUS expects the EAP message in a data structure called a RADIUS attribute, with this attribute sitting inside a normal RADIUS message


802.1x roles

1. Supplicant – the PC that sends the authentication messages
2. Authenticator – the switch that translates from EAP to RADIUS
3. Authentication Server – stores usernames/passwords and verifies that the correct values were submitted before authenticating the user
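A switch acting as the authenticator, relaying EAPoL from supplicants to a RADIUS authentication server, as an added example (not from the notes). The server address, key and interface are placeholders.

```cisco
! Added example (not from the notes): 802.1x authenticator configuration.
! RADIUS address, key and interface names are placeholders.
aaa new-model
!
! The authentication server: EAP is carried inside RADIUS attributes
radius server ISE
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key RadiusSharedKey
aaa group server radius RAD-GROUP
 server name ISE
!
! Method list for 802.1x and network authorization (needed if the server
! returns a VLAN or ACL for the session)
aaa authentication dot1x default group RAD-GROUP
aaa authorization network default group RAD-GROUP
aaa accounting dot1x default start-stop group RAD-GROUP
!
! Turn on 802.1x on the switch (authenticator role)
dot1x system-auth-control
!
! Supplicant-facing port: no traffic except EAPoL until the server
! authorizes the session; one device per port; re-authenticate on the
! interval the server returns
interface GigabitEthernet1/0/8
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

`show authentication sessions interface GigabitEthernet1/0/8` shows whether the supplicant was authorized and which RADIUS attributes (VLAN, ACL) were applied. Leave `port-control` at `auto`; `force-authorized` disables the check entirely and is easy to forget on a port used for troubleshooting.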


Storm Control

– supports rate-limiting traffic at Layer 2 using the #storm-control commands
– can be configured for unicast, multicast and broadcast traffic
– can be configured per port
– it supports only physical interfaces, not subinterfaces, EtherChannels etc.
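Storm control on two physical access ports, one that only drops excess traffic and notifies, and one that shuts down, as an added example (not from the notes). Interface names and thresholds are placeholders chosen for a 1 Gbit/s user port.

```cisco
! Added example (not from the notes): storm control per physical port.
! Interface names and thresholds are placeholders.
!
! User port: broadcast above 1% of bandwidth is dropped until it falls
! back under 0.5% (rising/falling), multicast capped in packets/second,
! unicast floods above 10%; excess traffic is dropped and a trap is sent
interface GigabitEthernet1/0/9
 storm-control broadcast level 1.00 0.50
 storm-control multicast level pps 2k 1k
 storm-control unicast level 10.00
 storm-control action trap
!
! Lab port where a loop is more likely: err-disable the port instead
interface GigabitEthernet1/0/10
 storm-control broadcast level 1.00
 storm-control action shutdown
!
errdisable recovery cause storm-control
errdisable recovery interval 300
```

Without an `action`, storm control only drops the traffic above the threshold and generates no notification, so add `action trap` where you want a syslog/SNMP record. `show storm-control GigabitEthernet1/0/9` reports the current level per traffic type. The commands are rejected on port-channel and subinterfaces, in line with the note above, so apply them to each member port.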