MAC Address Flooding Causing CAM Overflow and Subsequent DoS and Traffic Analysis Attacks
Example

set port security 2/1 enable
set port security 2/1 00-90-2b-03-34-08
set port security 3/2 maximum 1
Example

set ip permit enable
set ip permit 172.16.0.0 255.255.0.0 telnet
set ip permit 172.20.52.2 255.255.255.255 snmp
set ip permit 172.20.52.3 all
Example

set port broadcast 2/1-6 75%
Restricts intra-VLAN traffic on a per-port basis

Solves ARP spoofing
Provides authentication of devices connecting to a physical port on a layer 2 switch or a logical port on a wireless access point
Supplicant: a device (e.g. a laptop) that needs to access the LAN

Authenticator: a device that initiates the authentication process between the supplicant and the authentication server

Authentication server: a device (e.g. Cisco ACS) that can authenticate a user on behalf of an authenticator
Uses Extensible Authentication Protocol (EAP), described in RFC 3748

Authentication data is transmitted in EAP packets:

encapsulated in EAPOL frames between supplicant and authenticator

encapsulated in TACACS+ or RADIUS packets between authenticator and authentication server
Carries authentication data between two entities that wish to set up an authenticated channel for communication

Supports one-time password, MD5 hashed username and password, and transport layer security
Code: identifies EAP packet type such as request, response, success, or failure

Identifier: used to match responses with requests

Length: length of EAP packet
Identity message

Notification message

NAK message

MD5 challenge message

One-time password message

Transport-Layer Security (TLS) message
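As an added example (not part of the original notes), a parser for the EAP packet header and the Type values listed above, read out of an EAPOL frame as exchanged between supplicant and authenticator; the sample frames and MAC addresses are constructed for illustration. It rejects frames whose Length fields disagree with the bytes actually present, the check a switch or a monitoring tool needs before trusting the Identifier and Type.

```python
import struct
from dataclasses import dataclass
EAPOL_ETHERTYPE = 0x888E     # IEEE 802.1X EtherType
EAPOL_TYPE_EAP_PACKET = 0    # EAPOL packet type that carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time Password", 13: "EAP-TLS"}

@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: "int | None"   # None for Success/Failure, which carry no Type
    type_data: bytes

def parse_eapol_eap(frame: bytes) -> EapPacket:
    # Ethernet header (14 bytes) -> EAPOL header (version, type, length) -> EAP
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError(f"EAPOL type {eapol_type} does not carry an EAP packet")
    body = frame[18:18 + eapol_len]
    if len(body) != eapol_len or eapol_len < 4:
        raise ValueError("EAPOL length field inconsistent with frame")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > eapol_len:          # truncated or forged length
        raise ValueError("EAP length field inconsistent with EAPOL body")
    if code not in (1, 2):                        # Success/Failure: header only
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response without Type octet")
    return EapPacket(code, ident, length, body[4], body[5:length])

def describe(pkt: EapPacket) -> str:
    code = EAP_CODES.get(pkt.code, f"Code{pkt.code}")
    if pkt.eap_type is None:
        return f"EAP {code} id={pkt.identifier}"
    typ = EAP_TYPES.get(pkt.eap_type, f"Type{pkt.eap_type}")
    return f"EAP {code}/{typ} id={pkt.identifier} data={pkt.type_data!r}"

# Constructed sample frames, not captured traffic; dst is the 802.1X PAE group MAC.
REQUEST_IDENTITY = bytes.fromhex("0180c2000003" "001122334455" "888e"
                                 "0100" "0005" "01" "01" "0005" "01")
RESPONSE_IDENTITY = bytes.fromhex("0180c2000003" "aabbccddeeff" "888e"
                                  "0100" "000a" "02" "01" "000a" "01") + b"alice"
```

Calling describe(parse_eapol_eap(REQUEST_IDENTITY)) yields the Request/Identity the authenticator sends first, and the RESPONSE_IDENTITY frame carries the supplicant's identity "alice" as the Type-Data.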