Securing Cisco Switch Data Plane

This tutorial will show you how to secure your Cisco Switches from Internal attacks like MAC Spoofing, CAM Table Overflow, MITM, and DHCP Spoofing Attacks.

1. Configure Endpoint Devices to Access ports to avoid trunking auto-negotiation. Only configure trunk ports that are going to other Switches or Routers.

2. Configure aging time for MAC addresses (in minutes). The port-security violation modes consist of three modes which are: protect, restrict, and shutdown. It is not recommended to use protect because it does not send logs.

3. Next is to configure DHCP Snooping in order to prevent DHCP Starvation and DHCP Spoofing attacks. Take note that we only trust the port where DHCP Server is connected.

4. If you are using Router as a DHCP Server, additional configuration to the router is necessary.