CCIE: Jun 5, 2012

unused ports: which are not connected to any device
user ports: ports cabled to end user devices
trusted ports or trunk ports: ports connected to fully trusted devices, like connected other known secured switches.

Disable unneeded dynamic protocols like CDP & DTP.
Disable trunking by configuring these ports as access ports.
Enable BPDU Guard & Root Guard to prevent STP attacks & keep a stable STP technology.
Use either dynamic ARP inspection (DAI) or private VLANs to prevent frame sniffing.
Enable port security to at least limit the number of allowed MAC addresses, & possibly restrict the port to use only specific MAC addresses
Use 802.1X user authentication.
Use DHCP snooping & IP source Guard to prevent DHCP DoS & man in the middle attacks.

For any port (including trusted ports), consider the general use of private VLANs to further protect the network from sniffing, including preventing routers or L3switches from routing packets between devices in the private VLAN.
Configure VTP authentication globally on each switch to prevent Dos attacks.
Disable unused switch ports & place them in an unused VLAN.
Avoid using VLAN 1.
For trunks, do not use the native VLAN.
Limiting the actual MAC address associated with the port, based on three methods:

Static configuration of the allowed MAC addresses
Dynamic learning of MAC addresses, up to the defined maximum, where dynamic entries are lost upon reload.
Dynamically learning but with the switch saving those entries in the configuration( called sticky learning)

PPP: Point to Point Protocol is a network protocol that allow data communication between two network points or entities.
PPP provides the capability to use PAP & CHAP for authentication.
Which is particularly useful for dial applications.
The default authentication method for CHAP/PAP is depend upon a locally configured set of username name password password commands.
Cisco ios supports the use of AAA authentication for PPP using the same general set of commands used for login authentication.
The configuration steps are:

The console, vty & aux (routers only) lines can override the use of the default login authentication methods.
To do this, in line configuration mode, the login authentication name command

By default, Cisco ios automatically groups RADIUS & TACACS+ servers configured with the radius-server host & tacacs-server host commands into groups
The aaa authentication command includes the keyword group radius or group tacacs+ to refer to these default groups.
By default, all defined RADIUS servers end up in the radius group, and all defined TACACS+ servers end up in the tacacs+ group.
In case of large servers, make different sets of RADIUS or TACACS+ servers.
servers can be grouped by name using the command

METHODE	MEANING
Group radius	Use the configured RADIUS servers
Group tacacs+	Use the configured TACACS+ servers
Group name	Use a defined group of either RADIUS or TACACS+ servers
Enable	Use the enable password, based on *enable secret* or enable password commands
Line	Use the password defined by the *password* command in *line* configuration mode
Local	Use *username* commands in the local configuration (username is case insensitive but password is case sensitive)
Local-case	Use *username* commands in the local configuration (both username & password are case sensitive)
None	No authentication required, user automatically authenticated

AAA authentication allow multiple servers & multiple authentication methods.
So user can be authenticated even if one authentication method is not working.
The aaa authentication command supports up to four methods on a single command.
No limit to the number of RADIUS or TACACS+ servers that can be referenced.
Logic used by IOS when using these methods are:

Based on the 1st listed method first, if that methode not respond, move to the next & then next & so on until a method responds. Use the first- responding-server's decision (allow or reject).
If no response occurs for any method, reject the request.

Tuesday, June 5, 2012