Enable port security: (config-if) switchport port-security Port security modes: shutdown (default): error-disables port and triggers

SNMP trap protect: drops frames from unknown MAC addresses restrict: same as protect, but also increments SecurityViolation counter VACLs: -------Create standard ACL(s) defining source IPs to be permitted Create list of match/action statements: vlan access-map <name> [seq. num] To apply to a VLAN or VLANs vlan filter <access-map> vlan-list <vlan id/'all'>
Private VLANs: ---------------Not compatible with VTP - VTP must be in Transparent mode to configure PVLANs switchport mode private-vlan host switchport private-vlan host-association <primary> <secondary> switchport mode private-vlan promiscuous switchport private-vlan mapping <primary> <secondaries> PVLAN Edge (or 'Private VLAN lite'): ---------------------------------------Sometimes can be used on switches that don't support full PVLANs switchport protected protected ports are isolated from each other

DHCP Snooping: -----------------Required for dynamic ARP inspection and dynamic IP Source guard DHCP snooping feature must be enabled on the switch itself: ip dhcp snooping In addition, must be enabled on VLANs you want to monitor: ip dhcp snooping [vlan <vlan id(s)>] To trust a port that leads to a DHCP server directly or via another switch: (config-if) ip dhcp snooping trust Rate limit DHCP requests (e.g. to mitigate DHCP pool starvation attacks):

(config-if) ip dhcp snooping limit rate <max requests per second>

ARP inspection: ----------------ARP responses or GARP messages will only be forwarded for legitimate IP and MAC combinations (for DAI, determined by DHCP snooping database) ip arp inspection vlan <vlan id> To trust a port (any non-DHCP clients, do this before enabling DAI): (config-if) ip arp inspection trust Alternative to port trusting: use an ARP ACL to statically map IPs to MACs: arp access-list <acl name> permit ip host <ip> mac <mac> ip arp inspection filter <ARP ACL> vlan <vlan ID>

IP Source guard: ------------------Initially permits only DHCP traffic Creates a dynamic PACL when an IP address is discovered through DHCP snooping permitting regular traffic only from the detected IP port-security option also enables MAC address filtering (config-if) ip verify source [port-security] To add a static ip source entry (for a host that doesn't use DHCP): ip source binding <MAC> vlan <vlan id> <ip> interface <interface>

Identity-Based Network Security (802.1x): ----------------------------------------------AAA new-model must be enabled in order to enable IBNS Globally enable: dot1x system-auth-control (config-if) dot1x port-control auto Useful informational commands: show dot1x [all] [summary] show dot1x interface <interface> [detail]