■ Disable unneeded dynamic protocols like CDP and DTP.

example:

int fa0/0
   no cdp enable

   switchport nonegotiate
■ Disable trunking by configuring these ports as access ports.

example:

int fa0/0

    switchport mode access
■ Enable BPDU Guard and Root Guard to prevent STP attacks and keep a stable STP topology, normal on access-layer switches

example:

int fa0/0

    spanning-tree guard root
    spanning-tree bpduguard enable
■ Enable port security to at least limit the number of allowed MAC addresses, and possibly restrict the port to use only specific MAC addresses.

example:

interface FastEthernet0/1
   switchport mode access
   switchport port-security
   switchport port-security mac-address 0200.1111.1111
■ Use 802.1X user authentication.

example:

aaa new-model
aaa authentication dot1x default group radius
dot1x system auth-control

radius-server host 10.1.1.1 key cisco

! The server ports (fa0/1 and fa0/2), inside a secure datacenter, do not require 802.1x authentication.
int fa0/1
   dot1x port-control force-authorized
int fa0/2
   dot1x port-control force-authorized
! The client ports (fa0/3 and fa0/4) require 802.1x authentication.
int fa0/3
   dot1x port-control auto
int fa0/4
   dot1x port-control auto
! The unused port (fa0/5) is configured to be in a permanently unauthorized
! state until the dot1x port-controlcommand is reconfigured for this port. As such, the port will only allow CDP, STP, and EAPoL frames.
int fa0/5
   dot1x port-control force-unauthorized

Note:

• Using 802.1X (auto)
• Not using 802.1X, but the interface is automatically authorized (force-authorized) (default)
• Not using 802.1X, but the interface is automatically unauthorized (force-unauthorized)

■ Using storm-control to imply rate limit on Layer 2 interfaces

example:

Cat3560(config)# interface FastEthernet0/10
Cat3560(config-if)# storm-control broadcast level pps 100 50
Cat3560(config-if)# storm-control multicast level 0.50 0.40
Cat3560(config-if)# storm-control unicast level 80.00
Cat3560(config-if)# storm-control action trap
■ Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle attacks.

example:

建议在接入层交换机上设置

Switch(config)# ip dhcp snooping   开启dhcp snooping

Switch(config)# ip dhcp snooping vlan 104  开启vlan 104 dhcp snooping
Switch(config)# ip dhcp snooping database tftp://192.168.1.1/dhcp-snooping.db      将绑定表保存在flash中

Switch(config)# interface range fastethernet 0/35 – 36  nontrust端口设置
Switch(config-if)# ip dhcp snooping limit rate 3

Switch(config-if)# ip dhcp snooping verify mac-address   --optional
Switch(config-if)# ip verify source   只需在nontrust端口上设置

IP Source Guard针对静态地址的机器:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
例如:Switch(config)# ip source binding 0016.d49f.4866 vlan 104 192.168.10.3 interface fa0/2

Switch(config-if)# interface gigabitethernet 0/1  trust端口,连接DHCP服务器或者上联端口
Switch(config-if)# ip dhcp snooping trust
 

■ Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing.

example:

Switch(config)# ip arp inspection vlan 104  开启arp inspect
Switch(config)# ip arp inspection limit rate 15
Switch(config)# ip arp inspection validate src-mac dst-mac ip
Switch(config)# ip arp inspection log-buffer entries 1024
Switch(config)# ip arp inspection log-buffer logs 1024 interval 300

Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# errdisable recovery interval 30

Switch(config)# arp access-list StaticARP   针对静态地址的机器配置arp inspect
Switch(config-acl)# permit ip host 192.168.1.10 mac host 0006.5b02.a841
Switch(config)# ip arp inspection filter StaticARP vlan 104

Switch(config)# interface gigabitethernet 0/1   对于上联端口开启trust
Switch(config-if)# ip arp inspection trust
 

■ For any port (including trusted ports), consider the general use of private VLANs to further protect the network from sniffing, including preventing routers or L3 switches from routing packets between devices in the private VLAN. If private VLANs are used, Cisco also recommends additional protection against a trick by which an attacker can use the default gateway to overcome the protections provided by private VLANs.

To solve such a problem, the router simply needs an inbound ACL on its LAN interface that denies traffic whose source and destination IP addresses are in the same local connected subnet. For example, an access-list 101 deny ip 10.1.1.0. 0.0.0.255 10.1.1.0 0.0.0.255 command would prevent this attack.
■ Configure VTP authentication globally on each switch to prevent DoS attacks.
■ Disable unused switch ports and place them in an unused VLAN.
■ Avoid using VLAN 1.
■ For trunks, do not use the native VLAN, suggest using a different native VLAN for each trunk