Device Security Source:


1 Device Security Source:
Chapter 9, Network Security Fundamentals, Thomson; Chapter 6, CCNA Security, Cisco

2 Learning Objectives
- Understand the purpose of a network firewall and the kinds of firewall technology available on the market.
- Understand the role of routers, switches, and other networking hardware in security.
- Determine when VPN or RAS technology works to provide a secure network connection.

3 Firewalls
- Hardware or software device that provides a means of securing a computer or network from unwanted intrusion.
- Dedicated physical device that protects a network from intrusion.
- Software feature added to a router, switch, or other device that prevents traffic to or from part of a network.

4 Management Cycle for Firewall Protection
1. Draft a written security policy
2. Design the firewall to implement the policy
3. Implement the design by installing the selected hardware and software
4. Test the firewall
5. Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

5 Drafting a Security Policy
- What am I protecting?
- Who am I protecting it from?
- What services does my company need to access over the network?
- Who gets access to what resources?
- Who administers the network?

6 Available Targets and Who Is Aiming at Them
Common areas of attack: Web servers, mail servers, FTP servers, databases.
Intruders: sport hackers (who only penetrate your defenses and take a look around) and malicious hackers.

7 Which Services Should Be Available?

8 Who Gets Access to Which Resources?
- List employees or groups of employees along with the files, file servers, databases, and database servers they need to access.
- List which employees need remote access to the network.

9 Who Administers the Network?
In large networks, there may be more than one person responsible for administering the network. Determine individual(s) and scope of individual management control.

10 Designing the Firewall to Implement the Policy
Select appropriate technology to deploy the firewall. When implementing firewalls and firewall policy, organizations must decide whether to implement the firewall as an appliance or on top of a commercial operating system. Appliance-based firewalls will be more secure than those implemented on top of commercial operating systems. The advantage of implementing firewalls on top of commercial operating systems is scalability. Most appliances do not offer this level of flexibility or scalability. The greatest disadvantage of implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities in the underlying operating system. Ref:

11 What Do Firewalls Protect Against?
- Denial of service (DoS): ping of death, teardrop (or raindrop) attacks, SYN flood
- LAND attack: a denial of service attack in which a packet with a forged header is sent with the same source and destination data, for example identical TCP source and destination ports and/or identical IP source and destination addresses
- Brute force or smurf attacks
- IP spoofing

12 How Do Firewalls Work?
- Network address translation (NAT)
- Basic packet filtering
- Stateful packet inspection (SPI)
- Application gateways
- Access control lists (ACL)

13 Network Address Translation (NAT)
- Only technique used by basic firewalls.
- Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic.
- Each active connection requires a unique external address for the duration of the communication.
Port address translation (PAT)
- Derivative of NAT.
- Uses a combination of an IP address and a TCP or UDP port.
- Supports thousands of simultaneous connections on a single public IP address.

14 Basic Packet Filtering
The firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules. It can be configured to screen information based on many data fields:
- Protocol type
- IP address
- TCP/UDP port
- Source routing information

15 Stateful Packet Inspection (SPI)
- Controls access to the network by analyzing incoming/outgoing packets and letting them pass or not based on the IP addresses of source and destination.
- Examines a packet based on the information in its header.
- Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks.

16 Access Control Lists (ACL)
Packet filtering is made possible through the use of access control lists (ACL). An ACL is a list of rules either allowing or blocking inbound or outbound packets. For example, on a Cisco router, to deny inbound access to a specific computer with IP address of :
Access-list 101 deny ip any
An all-0s mask on the destination address means that you want to apply the entire address.
Good practice: Begin the list with a command that allows all incoming and outgoing packets and end it with a command that blocks all incoming or outgoing packets.

17 Access Control Lists (ACL)
Standard ACLs: Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter.
Extended ACLs: Extended ACLs filter IP packets based on several attributes, for example protocol type, source and destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
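The following is an added example, not code from the slides or from Cisco IOS: a small Python model of how a router evaluates standard and extended ACL lines with wildcard masks (first match wins, `host` is shorthand for an all-zeros mask, and an unmatched packet hits the implicit deny). The ACL lines, addresses and packets are constructed for illustration.

```python
"""Model of Cisco-style standard/extended ACL evaluation with wildcard masks.

Constructed example (not taken from the slides or from Cisco IOS): the ACL
lines and packets below illustrate first-match evaluation, wildcard-mask
matching, the 'host' shorthand (a 0.0.0.0 mask: every bit must match) and
the implicit deny at the end of every ACL.
"""
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255: matches everything


def _addr(text):
    return int(IPv4Address(text))


def _parse_spec(tokens, i):
    """Parse one address specification at tokens[i]; returns ((addr, wildcard), next)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def wildcard_match(ip, spec):
    """A 0 bit in the wildcard mask means 'must match'; a 1 bit means 'don't care'."""
    address, wildcard = spec
    return (ip ^ address) & (~wildcard & 0xFFFFFFFF) == 0


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into rules, preserving order."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("not an access-list line: " + line)
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:  # standard ACL: source address only, any protocol
            src, _ = _parse_spec(t, 3)
            rules.append({"action": action, "proto": "ip", "src": src,
                          "dst": ANY, "dport": None})
            continue
        # extended ACL (100-199): protocol, source, destination, optional 'eq <port>'
        src, i = _parse_spec(t, 4)
        dst, i = _parse_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append({"action": action, "proto": t[3], "src": src,
                      "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, rule number); first match wins, unmatched packets are denied."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(s, r["src"]) and wildcard_match(d, r["dst"])):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], n
    return "deny", None  # implicit deny at the end of every ACL


# Constructed ACL: shield one host completely, let the 10.1.0.0/16 office range
# reach HTTPS anywhere else, and spell out the final deny that the router would
# apply implicitly anyway.
CONSTRUCTED_ACL = parse_acl([
    "access-list 101 deny ip any host 192.0.2.10",
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 443",
    "access-list 101 deny ip any any",
])

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.7.9", "192.0.2.10", 443),
                ("tcp", "10.1.7.9", "198.51.100.5", 443),
                ("tcp", "10.2.7.9", "198.51.100.5", 443),
                ("udp", "10.1.7.9", "198.51.100.5", 53)]:
        print(pkt, "->", evaluate(CONSTRUCTED_ACL, *pkt))
```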

18 Routers
- Network management device that sits between network segments and routes traffic from one network to another.
- Allows networks to communicate with one another.
- Allows the Internet to function.
- Acts as a digital traffic cop (with the addition of packet filtering).

19 How a Router Moves Information
Examines electronic envelope surrounding a packet; compares address to list of addresses contained in router’s lookup tables. Determines which router to send the packet to next, based on changing network conditions.

20 How a Router Moves Information

21 Beyond the Firewall Demilitarized zone (DMZ)
Bastion hosts (potentially)

22 Demilitarized Zone
- Area set aside for servers that are publicly accessible or have lower security requirements.
- Sits between the Internet and the internal network's line of defense.
- A stateful device fully protects the other internal systems; a packet filter allows external traffic only to the services provided by DMZ servers.
- Allows a company to host its own Internet services without permitting unauthorized access to its private network.
- The DMZ is commonly home to public Web, FTP, and DNS servers that need to be accessed by the public.

24 Bastion Hosts
- Bastion hosts are typically designed with one function in mind: to allow information to flow securely between the Internet and the internal network without directly exchanging packets.
- Reside in a DMZ and host Web, mail, DNS, and/or FTP services.
- Gateway between an inside network and an outside network.
- Defend against attacks aimed at the inside network; used as a security measure.
- Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled.
- Do not share authentication services with trusted hosts within the network.

25 Application Gateways
- Also known as proxy servers.
- Monitor specific applications (FTP, HTTP, Telnet).
- Allow packets accessing those services to go only to those computers that are allowed.
- Good backup to packet filtering.

26 Application Gateways
Security advantages:
- Information hiding
- Robust authentication and logging
- Simpler filtering rules
Disadvantage:
- Two steps are required to connect inbound or outbound traffic; this can increase processor overhead.

27 Introduction to Layer 2 Security
Network security professionals must mitigate attacks within the Layer 2 infrastructure. These attacks include:
- MAC address spoofing
- STP manipulation
- MAC address table overflows
- LAN storms
- VLAN attacks
Layer 2 can be a very weak link for the higher OSI layers because if Layer 2 is compromised, hackers can work their way up.

28 Introduction to Layer 2 Security
It is important for the network security professional to remember that Layer 2 attacks typically require internal access, either from an employee or a visitor. Another fundamental consideration is buffer overflows. Buffer overflows are often the source of a DoS attack. Buffer overflows can be used to enable the execution of arbitrary code in a program and unauthorized privilege escalation.

29 Introduction to Layer 2 Security

30 MAC Address Spoofing Attack
Switches maintain MAC address tables, also known as content-addressable memory (CAM) lookup tables, to track the source MAC addresses associated with each switch port. If a switch receives an incoming data frame and the destination MAC address is not in the table, the switch forwards the frame out all ports, except for the port on which it was received. When the destination node responds, the switch records the MAC address of the node in the address table from the frame source address field. Switches populate the MAC address table by recording the source MAC address of a frame, and associating that address with the port on which the frame is received.

31 MAC Address Spoofing Attack
The method used by switches to populate the MAC address table leads to a vulnerability known as MAC spoofing. Spoofing attacks occur when one host masquerades as another to receive otherwise inaccessible data or to circumvent security configurations.

32 MAC Address Spoofing Attack
MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host. When the switch changes the MAC address table, the target host does not receive any traffic until it sends traffic. When the target host sends traffic, the switch receives and examines the frame, resulting in the MAC address table being rewritten once more, realigning the MAC address to the original port.

33 MAC Address Spoofing Attack

34 MAC Address Table Overflow Attack
The MAC address tables are limited in size. MAC flooding takes advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full. If enough entries are entered into the MAC address table before older entries expire, the table fills up to the point that no new entries can be accepted. When this occurs, the switch begins to flood all incoming traffic to all ports because there is no room in the table to learn any legitimate MAC addresses. The switch, in essence, acts like a hub. As a result, the attacker can see all of the frames sent from one host to another. Traffic is flooded only within the local VLAN, so the intruder sees only traffic within the local VLAN to which the intruder is connected.

35 MAC Address Table Overflow Attack
The most common way of implementing a MAC address table overflow attack is using the macof tool. This tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses. When the MAC address table is full of invalid source MAC addresses, the switch begins to flood all frames that it receives. As long as macof is left running, the table on the switch remains full, and the switch continues to flood all received frames out of every port. Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch.

36 MAC Address Table Overflow Attack
With port security, the administrator can either statically specify the MAC addresses on a particular switch port or allow the switch to dynamically learn a fixed number of MAC addresses for a switch port. To statically specify the MAC addresses is not a manageable solution for a production environment. Allowing the switch to dynamically learn a fixed number of MAC addresses is an administratively scalable solution.

37 MAC Address Table Overflow Attack

38 STP Manipulation Attack
- Spanning tree protocol operates by electing a root bridge.
- STP builds a tree topology.
- STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.

39 STP Manipulation Attack
To conduct an STP manipulation attack, the attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge. If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible. This attack can be used to usurp all three of the security objectives: confidentiality, integrity, and availability. Mitigation techniques for STP manipulation include enabling PortFast as well as root guard and BPDU guard.

40 STP Manipulation Attack
[Diagram: the legitimate root bridge has priority 8192; the attacker sends STP BPDUs advertising priority 0; switch ports are marked F and B.]
The attacking host broadcasts STP configuration and topology change BPDUs. This is an attempt to force spanning-tree recalculations.

41 LAN Storm Attack A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Switches always forward broadcasts out all ports. Some necessary protocols, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP), use broadcasts; therefore, switches must be able to forward broadcast traffic.

42 LAN Storm Attack
[Diagram: broadcast frames flooded out of every switch port.]
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

43 LAN Storm Attack - Storm Control
While it is not possible to prevent all types of packet storms and excessive broadcasts, it is possible to suppress them using storm control. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold. Storm control then blocks traffic when the rising threshold is reached.

44 LAN Storm Attack - Storm Control

45 VLAN Attacks A VLAN is a logical broadcast domain that can span multiple physical LAN segments. Within the switched internetwork, VLANs provide segmentation and organizational flexibility. A VLAN structure can be designed to enable grouping of stations logically by function, project team, or application without regard to the physical location of the users. Each switch port can be assigned to only one VLAN, thereby adding a layer of security. Ports in a VLAN share broadcasts; ports in different VLANs do not share broadcasts. Containing broadcasts within a VLAN improves the overall performance of the network. There are a number of different types of VLAN attacks prevalent in modern switched networks. Rather than list all the types of attacks, it is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

46 VLAN Attacks
[Diagram: the benefits of VLANs are segmentation, flexibility, and security.]

47 VLAN Attacks VLAN hopping enables traffic from one VLAN to be seen by another VLAN with the aid of a router. Under certain circumstances, attackers can sniff data and extract passwords and other sensitive information. The attack works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The data moving across these links might be encapsulated with IEEE 802.1Q or inter-switch link (ISL). In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The network attacker configures a system to spoof itself as a switch.

48 VLAN Attacks This spoofing requires that the network attacker be capable of emulating either ISL or 802.1Q signaling along with Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling. By tricking a switch into thinking it is another switch that needs to trunk, an attacker can gain access to all the VLANs allowed on the trunk port. This attack requires a configuration on the port that supports trunking with auto or dynamic mode to succeed. The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

49 VLAN Attacks
[Diagram: two switches joined by an 802.1Q trunk carrying VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers.]
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on

50 Configuring Switch Security
- Configuring Port Security
- Verifying Port Security
- BPDU Guard and Root Guard
- Storm Control
- VLAN Configuration
- Cisco Switched Port Analyzer
- Cisco Remote Switched Port Analyzer
- Best Practices for Layer 2

51 Configuring Port Security
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network. When MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down until it is administratively enabled (default mode) or drops incoming frames from the insecure host (restrict option).

52 Configuring Port Security
Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

53 Configuring Port Security CLI Commands
Switch(config-if)# switchport mode access
Sets the interface mode as access.
Switch(config-if)# switchport port-security
Enables port security on the interface.
Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional).

54 Switchport Port-Security Parameters

55 Switchport Port-Security Parameters

56 Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode (optional).
Switch(config-if)# switchport port-security mac-address mac-address
Enters a static secure MAC address for the interface (optional).
Switch(config-if)# switchport port-security mac-address sticky
Enables sticky learning on the interface (optional).

57 Switchport Port-Security Violation Parameters
- protect (optional): Sets the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowable addresses. You are not notified that a security violation has occurred.
- restrict (optional): Sets the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowable addresses. In this mode, you are notified that a security violation has occurred.
- shutdown (optional): Sets the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
- shutdown vlan: Sets the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

58 Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Enables or disables static aging for the secure port, or sets the aging time or type.

59 Switchport Port-Security Aging Parameters
- static: Enables aging for statically configured secure addresses on this port.
- time time: Specifies the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
- type absolute: Sets the absolute aging type. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
- type inactivity: Sets the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

60 Configuring Port Security Example
A typical port security configuration for a voice port requires two secure MAC addresses. The addresses are usually learned dynamically. One MAC address is for the IP phone, and the other address is for the PC connected to the IP phone. Violations of this policy result in the port being shut down. The aging timeout for the learned MAC addresses is set to two hours.
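The following is an added example, not code from the slides or from Cisco IOS: a Python model of a secure port that applies the maximum, violation mode and aging options described on the preceding slides, and plays through the voice-port policy above (two dynamic addresses, shutdown on violation, 2-hour absolute aging). It also shows why the MAC address table overflow attack from the earlier slides cannot fill the table through a port-secured interface: frames from addresses beyond the limit are dropped instead of learned. All MAC addresses and timings are constructed.

```python
"""Behavioural model of switch port security: maximum, violation mode, aging.

Constructed example (not code from the slides or from Cisco IOS): a SecurePort
decides whether to forward a frame according to the 'switchport port-security
maximum', 'violation {protect|restrict|shutdown}' and 'aging {time|type}'
options described above.  MAC addresses are constructed; time is counted in
minutes, the unit of the aging timer.
"""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown",
                 aging_time=0, aging_type="absolute", static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode: " + violation)
        self.name = name
        self.maximum = maximum        # switchport port-security maximum <n>
        self.violation = violation    # switchport port-security violation <mode>
        self.aging_time = aging_time  # 0 disables aging (valid range 0-1440 minutes)
        self.aging_type = aging_type  # absolute | inactivity
        self.static = set(static)     # statically configured addresses never age here
        self.secure = {m: (0, 0) for m in self.static}  # mac -> (learned_at, last_seen)
        self.status = "secure-up"
        self.violation_count = 0
        self.log = []                 # stands in for syslog messages / SNMP traps

    def _age_out(self, now):
        if self.aging_time == 0:
            return
        for mac, (learned, seen) in list(self.secure.items()):
            if mac in self.static:
                continue
            reference = learned if self.aging_type == "absolute" else seen
            if now - reference >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now):
        """Handle a frame with source MAC src_mac at minute `now`; True if forwarded."""
        if self.status == "secure-down":
            return False              # error-disabled: nothing passes until recovery
        self._age_out(now)
        if src_mac in self.secure:
            self.secure[src_mac] = (self.secure[src_mac][0], now)
            return True
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = (now, now)  # dynamically learned secure address
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac):
        """Limit reached and the source is not a secure address: apply the mode."""
        if self.violation == "protect":
            return False              # dropped silently: no counter, no notification
        self.violation_count += 1
        self.log.append("%s: violation from %s" % (self.name, src_mac))
        if self.violation == "shutdown":
            self.status = "secure-down"  # interface goes error-disabled
        return False

    def recover(self):
        """'shutdown' / 'no shutdown' on the interface, or errdisable recovery."""
        self.status = "secure-up"

    def show(self):
        """Subset of the 'show port-security interface' fields."""
        return {"Port status": self.status.capitalize(),
                "Violation mode": self.violation.capitalize(),
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.secure),
                "Aging time": "%d mins" % self.aging_time,
                "Security Violation Count": self.violation_count}


def flood_unknown_sources(port, count, now):
    """Frames forwarded out of `count` frames from distinct constructed source MACs."""
    return sum(port.receive("0000.0000.%04x" % i, now) for i in range(count))


def voice_port_scenario():
    """The slide's voice-port policy: two dynamic MACs, shutdown, 2-hour absolute aging."""
    port = SecurePort("Fa0/12", maximum=2, violation="shutdown",
                      aging_time=120, aging_type="absolute")
    results = [port.receive("0011.2233.4455", 0),   # constructed IP phone MAC
               port.receive("00aa.bbcc.ddee", 1),   # constructed PC behind the phone
               port.receive("0000.0000.0001", 2)]   # third, unexpected source
    return results, port


if __name__ == "__main__":
    results, port = voice_port_scenario()
    print(results, port.show())
```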

61 Verifying Port Security
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
Fa0/                                                        Shutdown
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0

62 Verifying Port Security
sw-class# show port-security address
Secure Mac Address Table
Vlan  Mac Address  Type              Ports  Remaining Age (mins)
      ffff.aaaa    SecureConfigured  Fa0/
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

63 Verifying Port Security MAC Address Notification
[Diagram: a switch whose CAM table holds F1/1 = MAC A, F1/2 = MAC B, and F2/1 = MAC D; MAC D leaves the network and its entry ages out; the switch sends SNMP traps to the NMS.]
SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out. MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

64 Configuring BPDU Guard and Root Guard
To mitigate STP manipulation the PortFast, root guard, and BPDU guard STP enhancement commands can be enabled. These features enforce the placement of the root bridge in the network and enforce the STP domain borders.

65 Configuring BPDU Guard and Root Guard Configure Portfast
The spanning-tree PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. PortFast can be used on Layer 2 access ports that connect to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for STP to converge. Because the purpose of PortFast is to minimize the time that access ports must wait for STP to converge, it should be used only on access ports. If PortFast is enabled on a port connecting to another switch, there is a risk of creating a spanning-tree loop.

66 Configuring BPDU Guard and Root Guard Configure Portfast

67 Configuring BPDU Guard and Root Guard BPDU Guard
BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs might be accidental or part of an unauthorized attempt to add a switch to the network. If a port that is configured with PortFast receives a BPDU, STP can put the port into the disabled state by using BPDU guard. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacking host.

68 Configuring BPDU Guard and Root Guard BPDU Guard

69 Configuring BPDU Guard and Root Guard Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name    Blocking  Listening  Learning  Forwarding  STP Active
1 VLAN
<output omitted>

70 Configuring BPDU Guard and Root Guard Root Guard
With root guard, if an attacking host sends out spoofed BPDUs in an effort to become the root bridge, the switch, upon receipt of a BPDU, ignores the BPDU and puts the port in a root-inconsistent state. The port recovers as soon as the offending BPDUs cease. A root-inconsistent state is effectively equal to an STP listening state: no data traffic is forwarded across that port. Root guard is best deployed toward ports that connect to switches that should not be the root bridge.

71 Configuring BPDU Guard and Root Guard Root Guard
[Diagram: root bridge with priority 0 (MAC address truncated in the transcript: c45.1a5d); root guard enabled on the port facing the attacker, whose STP BPDUs advertise priority 0; ports marked F and B.]
Switch(config-if)# spanning-tree guard root
Enables root guard on a per-interface basis.
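The following is an added example, not code from the slides or from Cisco IOS: a Python model of the bridge-ID comparison behind the STP manipulation attack described earlier (lower priority, then lower MAC address, wins the root election) and of how a root-guard port and a PortFast port with BPDU guard react to a received BPDU. Bridge IDs, MAC addresses and port names are constructed.

```python
"""Model of bridge-ID comparison and the root guard / BPDU guard reactions.

Constructed example (not code from the slides or from Cisco IOS): STP picks
the root by the lowest bridge ID (priority first, then MAC address), so a
BPDU advertising priority 0 beats a real root at priority 8192.  A port
with root guard ignores such a superior BPDU and goes root-inconsistent
until the BPDUs stop; a PortFast port with BPDU guard is error-disabled on
any BPDU.  Bridge IDs, MAC addresses and port names are constructed.
"""
from collections import namedtuple

BridgeID = namedtuple("BridgeID", "priority mac")  # priority 0-61440 in steps of 4096


def bridge_key(bid):
    return (bid.priority, bid.mac.lower())


def is_superior(candidate, current_root):
    """True if a BPDU advertising `candidate` as root would displace `current_root`."""
    return bridge_key(candidate) < bridge_key(current_root)


class GuardedPort:
    def __init__(self, name, root_guard=False, portfast=False, bpdu_guard=False):
        self.name = name
        self.root_guard = root_guard      # spanning-tree guard root
        self.portfast = portfast          # spanning-tree portfast
        self.bpdu_guard = bpdu_guard      # spanning-tree bpduguard enable
        self.state = "forwarding"         # forwarding | root-inconsistent | err-disabled
        self.log = []

    def receive_bpdu(self, advertised_root, current_root):
        """Apply the guards to one received BPDU; returns the port state afterwards."""
        if self.state == "err-disabled":
            return self.state
        if self.portfast and self.bpdu_guard:
            self.state = "err-disabled"   # an edge port should never see a BPDU
            self.log.append("%s: BPDU received, port error-disabled" % self.name)
        elif self.root_guard and is_superior(advertised_root, current_root):
            self.state = "root-inconsistent"  # BPDU ignored, no data forwarded
            self.log.append("%s: superior BPDU ignored (root guard)" % self.name)
        return self.state

    def bpdus_ceased(self):
        """Offending BPDUs stopped (max-age expired): root guard releases the port."""
        if self.state == "root-inconsistent":
            self.state = "forwarding"
        return self.state


def elect_root(own_id, received, ports):
    """Root election over own bridge ID and the BPDUs accepted on forwarding ports."""
    candidates = [own_id] + [bid for port, bid in received
                             if ports[port].state == "forwarding"]
    return min(candidates, key=bridge_key)


if __name__ == "__main__":
    root = BridgeID(8192, "0000.0c11.1111")      # constructed legitimate root
    rogue = BridgeID(0, "0000.0c99.9999")        # constructed attacker BPDU
    guarded = GuardedPort("Fa3/1", root_guard=True)
    print(guarded.receive_bpdu(rogue, root), guarded.log)
    own = BridgeID(32768, "0000.0c33.3333")
    print(elect_root(own, [("Fa3/1", rogue)], {"Fa3/1": guarded}))
```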

72 Configuring BPDU Guard and Root Guard Verify Root Guard
Switch# show spanning-tree inconsistentports
Name  Interface        Inconsistency
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
VLAN  FastEthernet3/   Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10

73 Configuring Storm Control Storm Control Methods
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.

74 Configuring Storm Control Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps k 1k
Switch(config-if)# storm-control action shutdown
- Enables storm control.
- Specifies the level at which it is enabled.
- Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic.

75 Configuring Storm Control Storm Control Parameters
- broadcast: Enables broadcast storm control on the interface.
- multicast: Enables multicast storm control on the interface.
- unicast: Enables unicast storm control on the interface.
- level level [level-low]: Rising and falling suppression levels as a percentage of the total bandwidth of the port.
  level: Rising suppression level. The range is 0.00 to (upper limit missing from the transcript). Blocks the flooding of storm packets when the value specified for level is reached.
  level-low (optional): Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
- level bps bps [bps-low]: Specifies the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  bps: Rising suppression level. The range is 0.0 to (upper limit missing from the transcript). Blocks the flooding of storm packets when the value specified for bps is reached.
  bps-low (optional): Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
- level pps pps [pps-low]: Specifies the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  pps: Rising suppression level. The range is 0.0 to (upper limit missing from the transcript). Blocks the flooding of storm packets when the value specified for pps is reached.
  pps-low (optional): Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
- action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and not send an SNMP trap. The keywords have these meanings:
  shutdown: Disables the port during a storm.
  trap: Sends an SNMP trap when a storm occurs.

76 Configuring Storm Control Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State  Upper   Lower   Current
Gi0/       Forwarding    20 pps  10 pps  5 pps
Gi0/       Forwarding    50.00%  40.00%  0.00%
<output omitted>
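The following is an added example, not code from the slides or from Cisco IOS: a Python model of the storm-control behaviour described on the LAN storm and storm-control slides, where a per-interval measurement is compared against a rising level to start filtering and against a falling level to resume forwarding, with the optional shutdown or trap action. The measurements and interface names are constructed; the 20 pps / 10 pps and 50% / 40% thresholds mirror the show output above.

```python
"""Model of storm control with rising and falling suppression levels.

Constructed example (not code from the slides or from Cisco IOS): per
interface, one traffic type is measured once per interval; when the
measurement reaches the rising level the interface starts filtering that
traffic and keeps filtering until a measurement falls below the falling
level (hysteresis), optionally shutting the port or sending a trap.
The traffic counts are constructed.
"""


class StormControl:
    def __init__(self, interface, traffic_type, unit, upper, lower=None, action=None):
        # storm-control <type> level <upper> [<lower>]; the falling level
        # defaults to the rising level and may not exceed it.
        lower = upper if lower is None else lower
        if lower > upper:
            raise ValueError("falling level must be <= rising level")
        if unit not in ("level", "pps", "bps") or action not in (None, "shutdown", "trap"):
            raise ValueError("bad storm-control parameters")
        self.interface, self.traffic_type, self.unit = interface, traffic_type, unit
        self.upper, self.lower, self.action = upper, lower, action
        self.state = "Forwarding"       # Forwarding | Blocking | Shutdown
        self.current = 0.0
        self.events = []                # trap / shutdown records

    def end_of_interval(self, measured):
        """Evaluate one interval's measurement; returns the resulting filter state."""
        self.current = measured
        if self.state == "Shutdown":
            return self.state           # error-disabled port stays down
        if self.state == "Forwarding" and measured >= self.upper:
            self.state = "Blocking"     # storm packets are now filtered
            if self.action == "trap":
                self.events.append("trap: %s storm on %s" % (self.traffic_type, self.interface))
            elif self.action == "shutdown":
                self.state = "Shutdown"
                self.events.append("shutdown: %s" % self.interface)
        elif self.state == "Blocking" and measured < self.lower:
            self.state = "Forwarding"   # traffic dropped below the falling level
        return self.state

    def _fmt(self, value):
        return "%.2f%%" % value if self.unit == "level" else "%g %s" % (value, self.unit)

    def show(self):
        """One row of 'show storm-control' output: Interface, Filter State, Upper, Lower, Current."""
        return (self.interface, self.state, self._fmt(self.upper),
                self._fmt(self.lower), self._fmt(self.current))


def run(control, measurements):
    """Feed a sequence of per-interval measurements; returns the state after each."""
    return [control.end_of_interval(m) for m in measurements]


if __name__ == "__main__":
    # Constructed: broadcast storm control at 20 pps rising / 10 pps falling.
    sc = StormControl("Gi0/1", "broadcast", "pps", 20, 10)
    print(run(sc, [5, 12, 25, 18, 12, 9, 4, 30]))
    print(sc.show())
```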

77 Configuring VLAN Trunk Security Mitigating VLAN Attacks
[Diagram: trunk link with native VLAN = 10.]
- Disable trunking on all access ports.
- Disable auto trunking and manually enable trunking.
- Be sure that the native VLAN is used only for trunk lines and nowhere else.

78 Configuring VLAN Trunk Security Controlling Trunking
Switch(config-if)# switchport mode trunk
Specifies an interface as a trunk link.
Switch(config-if)# switchport nonegotiate
Prevents the generation of DTP frames.
Switch(config-if)# switchport trunk native vlan vlan_number
Sets the native VLAN on the trunk to an unused VLAN.

