
CHAPTER 7
Campus Network Security
Attention has traditionally been paid to network perimeter security, such as firewalls, and to mitigating Layer 3 attacks.
However, networks must be protected against Layer 2 attacks, too. These are launched from inside the network, by
either a rogue device or a legitimate device that has been compromised. Rogue devices might be placed maliciously or
might just be connected to an access switch by an employee wanting more switch ports or wireless access. They include:
• Wireless routers or hubs
• Access switches
• Hubs
A rogue switch might become the Spanning Tree root bridge and disrupt user traffic. Use the root guard and bpdu guard
commands to prevent this. (Spanning Tree security is discussed later in this chapter.)
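One way to check that the root guard and BPDU guard protection mentioned above is actually in place, as an added example that is not from the book: the Python below audits a constructed running-config and reports access ports with neither guard. The IOS commands it looks for (`spanning-tree bpduguard enable`, `spanning-tree guard root`, the global `spanning-tree portfast bpduguard default`, classic `spanning-tree portfast` syntax) and the function names are assumptions not shown on this page.

```python
# Constructed sample running-config (not from the book); classic IOS syntax assumed.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree guard root
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_stp_guards(config):
    """Map each access port to the guard in effect, or None if unguarded."""
    lines = [l.rstrip() for l in config.splitlines()]
    top = {l for l in lines if l and not l.startswith(" ")}
    bpdu_default = "spanning-tree portfast bpduguard default" in top
    portfast_default = "spanning-tree portfast default" in top
    ports, current = {}, None
    for l in lines:  # group indented sub-commands under their interface
        if l.startswith("interface "):
            current = ports.setdefault(l.split()[1], set())
        elif l.startswith(" ") and current is not None:
            current.add(l.strip())
        else:
            current = None
    result = {}
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are outside this check
        portfast = portfast_default or "spanning-tree portfast" in cmds
        # The global default only covers PortFast ports and can be overridden per port.
        by_default = bpdu_default and portfast and "spanning-tree bpduguard disable" not in cmds
        result[name] = ("bpduguard" if by_default or "spanning-tree bpduguard enable" in cmds
                        else "root guard" if "spanning-tree guard root" in cmds else None)
    return result

def unguarded_ports(config):
    return sorted(p for p, g in audit_stp_guards(config).items() if g is None)
```

On the sample, GigabitEthernet0/3 (no PortFast, so the global default does not apply) and GigabitEthernet0/4 (BPDU guard explicitly disabled) are reported as unguarded.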
The following are four typical types of attacks against a switched network:
• MAC address-based attacks: MAC address flooding
• VLAN-based attacks: VLAN hopping and attacks against devices on the same VLAN
• Spoofing attacks: DHCP spoofing, MAC spoofing, Address Resolution Protocol (ARP) spoofing, and Spanning
  Tree attacks
• Attacks against the switch: Cisco Discovery Protocol (CDP) manipulation, Telnet attacks, and Secure Shell (SSH)
  attacks
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue