Campus Network Security
Attention has traditionally been paid to network perimeter security, such as
firewall, and to mitigating Layer 3 attacks. However, networks must be
protected against Layer 2 attacks, also. These are launched from devices
inside the network by either a rogue device or a legitimate device that has
been compromised. Rogue devices might be placed maliciously or might just
be connected to an access switch by an employee wanting more switch port
or wireless access. They include:
■ Wireless routers or hubs
■ Access switches
■ Hubs
A switch might become the Spanning Tree root bridge, and disrupt user
traffic. Use root guard and bpdu guard commands to prevent this.
(Spanning tree security is discussed later in this chapter.)
There are four typical types of attacks against a switched network:
■ MAC-based attacks, such as MAC address flooding
■ VLAN-based attacks, such as VLAN hopping and attacks against
devices on the same VLAN
■ Spoofing attacks, such as DHCP spoofing, MAC spoofing, Address
Resolution Protocol (ARP) spoofing, and Spanning Tree attacks
■ Attacks against the switch, such as Cisco Discovery Protocol (CDP)
manipulation, Telnet attacks, and Secure Shell (SSH) attacks