Specifications
CHAPTER 7
Campus Network Security
Table 7-2 Configuring 802.1x Port Authentication

Command: (config-if)# dot1x port-control [auto | force-authorized | force-unauthorized]
Description: Enables 802.1x authentication on an interface of the switch and sets the default port state. With auto, the port forwards only EAPOL frames until the attached station authenticates; force-authorized (the default) forwards traffic without any authentication; force-unauthorized never forwards traffic.

Command: show dot1x
Description: Verifies 802.1x authentication
VLAN-Based Attacks
VLAN-based attacks include VLAN hopping, in which a station can access a VLAN other than its own. This can be done
with switch spoofing or with 802.1Q double-tagging.
Switch Spoofing
Switch spoofing involves a station configured to negotiate a trunk link between itself and the switch. By default, Cisco switch
ports dynamically negotiate trunking status using Dynamic Trunking Protocol (DTP); the default port mode is dynamic auto on
current Catalyst platforms and dynamic desirable on some older ones. If a computer can use DTP to establish a trunk link to
the switch, it can send and receive tagged frames on every VLAN allowed on that trunk. By default, all VLANs are allowed on a
trunk.
You can mitigate this by turning off DTP on all ports that should not become trunks, such as most access ports, using the
interface command switchport nonegotiate. This command is accepted only after the port mode has been set statically to
access or trunk; the switch rejects it on a port left in a dynamic mode. If the port should be an access port, configure it as
such with the interface command switchport mode access and turn off CDP on that port with no cdp enable. Additionally, shut
down all unused ports and assign them to an unused VLAN. The commands to do this are:
Switch(config)# interface interface
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan
Switch(config-if)# switchport nonegotiate
Switch(config-if)# shutdown
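As an added example (not from the quick reference), the following Python script applies the checks above to the plain text of show running-config: it flags ports that can still negotiate a trunk, access ports that still generate DTP frames or have CDP on, access ports without 802.1x port-control, and trunks that still allow every VLAN. The configuration it reads is a constructed sample, and the assumption that a port with no switchport mode line sits at the dynamic auto default is noted in the code.

```python
"""Audit Cisco IOS interface stanzas for exposure to DTP switch spoofing.

Added example; not from the CCNP SWITCH quick reference. It reads the plain
text of 'show running-config' and flags ports that could still negotiate a
trunk, or that lack the other hardening the section describes (static access
mode, switchport nonegotiate, CDP off, 802.1x, unused ports shut down, and a
pruned allowed-VLAN list on real trunks).
"""
from typing import Dict, List, Tuple

# Assumption: a port with no "switchport mode" line is in the platform default,
# taken here as "dynamic auto" (some older Catalyst platforms default to
# "dynamic desirable", which is even more willing to form a trunk).
DEFAULT_MODE = "dynamic auto"

# Constructed sample configuration for the demonstration (not a real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port left at defaults (DTP still on)
!
interface GigabitEthernet1/0/2
 description hardened access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 dot1x port-control auto
!
interface GigabitEthernet1/0/3
 description access mode, but DTP frames and CDP still on
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 description explicitly set to negotiate a trunk
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/5
 description unused port parked in an unused VLAN
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
end
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for each stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return stanzas


def audit_interface(name: str, lines: List[str]) -> List[Finding]:
    """Apply the switch-spoofing checks from the text to one interface."""
    findings: List[Finding] = []
    if "shutdown" in lines:
        return findings  # an unused port that is shut down is not reachable
    mode = DEFAULT_MODE
    allowed_pruned = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):].strip()
        elif line.startswith("switchport trunk allowed vlan "):
            allowed_pruned = True
    nonegotiate = "switchport nonegotiate" in lines

    if mode.startswith("dynamic"):
        findings.append(("high", f"{name}: mode '{mode}', a host can negotiate "
                                 "a trunk with DTP; set switchport mode access"))
    elif mode == "access":
        if not nonegotiate:
            findings.append(("medium", f"{name}: access port still generates "
                                       "DTP frames; add switchport nonegotiate"))
        if "no cdp enable" not in lines:
            findings.append(("low", f"{name}: CDP enabled on an access port"))
        if not any(l.startswith("dot1x port-control") for l in lines):
            findings.append(("low", f"{name}: no 802.1x port-control"))
    elif mode == "trunk":
        if not nonegotiate:
            findings.append(("medium", f"{name}: trunk still negotiates DTP; "
                                       "add switchport nonegotiate"))
        if not allowed_pruned:
            findings.append(("medium", f"{name}: every VLAN is allowed on "
                                       "this trunk (the default)"))
    return findings


def audit(config: str) -> Dict[str, List[Finding]]:
    """Audit every interface stanza in a running-config."""
    return {name: audit_interface(name, lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_CONFIG).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Feed it the output of show running-config captured from a real switch and review the high findings first: those are the ports on which a station can complete DTP negotiation and start tagging into other VLANs. The parser only understands the indented stanza layout IOS prints, so configs from other vendors need a different parser.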
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue