a word from an earlier post:
http://insearchofthecert.blogspot.com/2012/07/quote-of-day-attack-mitigation.html
CAM table overflow— In a CAM table overflow attack, an attacker sends thousands of bogus MAC addresses from one port, which looks like valid hosts' communication to the switch. You can mitigate CAM table overflow attacks in several ways. One of the primary ways is to configure port security on the switch. You can apply port security in three ways: static secure MAC addresses, dynamic secure MAC addresses, and sticky secure MAC addresses.
and
MAC address spoofing— MAC address spoofing involves the use of a known MAC address of another host authorized to access the network. The attacker attempts to make the target switch forward frames destined for the actual host to the attacker device instead. Another way to spoof MAC addresses is by using ARP.
Use the port-security command described in the "Mitigating CAM Table Overflow Attacks" section to specify MAC addresses connected to particular ports. DHCP snooping could be used as a method to mitigate MAC address spoofing. Another method of mitigating MAC address spoofing is DAI.
as stated above, cam table overflow is mitigated by port security... mac spoofing is also mitigated by port security, but it would also be helpful to use dhcp snooping and/or dai...
the attack is different...
vlan hopping is mitigated by limiting the impact of dtp in the network, ie making unused ports access and placing them in a dysfunctional vlan, et al...
these kind of gray areas kill me... like loop guard and udld, that exhibit a similar behavior when preventing loops... the big difference in loop guard and udld, as i see it is media... udld for fiber and loop guard for ethernet... both freak out when bpdu's suddenly go missing...
from : http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.
When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.
The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.
then this:
Loop guard and Unidirectional Link Detection (UDLD) functionality overlap, partly in the sense that both protect against STP failures caused by unidirectional links. However, these two features differ in functionality and how they approach the problem. This table describes loop guard and UDLD functionality:
Functionality | Loop Guard | UDLD |
---|---|---|
Configuration | Per-port | Per-port |
Action granularity | Per-VLAN | Per-port |
Autorecover | Yes | Yes, with err-disable timeout feature |
Protection against STP failures caused by unidirectional links | Yes, when enabled on all root and alternate ports in redundant topology | Yes, when enabled on all links in redundant topology |
Protection against STP failures caused by problems in the software (designated switch does not send BPDU) | Yes | No |
Protection against miswiring. | No | Yes |
Based on the various design considerations, you can choose either UDLD or the loop guard feature. In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software. As a result, the designated switch does not send BPDUs. However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel.
Additionally, loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up. In the last case, the port never receives BPDU and becomes designated. Because this behaviour could be normal, this particular case is not covered by loop guard. UDLD provides protection against such a scenario.
As described, the highest level of protection is provided when you enable UDLD and loop guard.
No comments:
Post a Comment