52. Countermeasures
• Enable VRRP message digest authentication with a key chain
  • Per interface: vrrp group_id authentication md5 key-chain key_chain_name
• Set VRRP priority to highest (254)
  • Per interface: vrrp group_id priority priority_number
• Set HSRP interface IP to highest
  • Per interface: ip address ip_address subnet_mask
• Explicitly set up the active VRRP router
  • Per interface: vrrp group_id ip ip_of_physical_interface
  • Per interface: vrrp group_id ipv6 ip_of_physical_interface
55. Countermeasures
• Show Port-Security status
  • show port-security interface interface_type interface_id
• Enable Port-Security
  • Per interface: switchport port-security
• Limit the number of MAC addresses learned on the interface
  • Per interface: switchport port-security maximum number_of_mac_address
• Set Port-Security violation mode
  • Per interface: switchport port-security violation violation_mode
56. Countermeasures
• Address Resolution Protocol (ARP)
• Enable Dynamic ARP Inspection
  • Global: ip arp inspection vlan vlan_id
• Enable DHCP Snooping
  • Global: ip dhcp snooping
  • Global: ip dhcp snooping vlan vlan_id
• Enable IP Source Guard with DHCP Snooping
  • Per interface: ip verify source vlan dhcp-snooping
• Bind a MAC address to a static IP address for IP Source Guard
  • Global: ip source binding mac_address vlan vlan_id ip_address interface interface_name
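An added example (not from the original slides): a small Python audit that reads a running-config and reports access ports missing the Port-Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard settings listed on the two slides above. The sample config, function names and finding labels are constructed for illustration, and an access port with no explicit VLAN is assumed to be in VLAN 1.

```python
import re

# Constructed sample running-config (not taken from the slides).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 10,30-32
ip arp inspection vlan 10
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source vlan dhcp-snooping
interface GigabitEthernet0/2
 switchport mode access
"""

def parse(config):
    """Return (global lines, {interface name: [indented sub-commands]})."""
    glob, ifaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            glob.append(line.strip())
            current = None  # a new global command closes the interface block
    return glob, ifaces

def vlans(glob, prefix):
    """Expand VLAN lists such as '10,30-32' from global '<prefix> <list>' lines."""
    lists = [l[len(prefix):] for l in glob if re.fullmatch(re.escape(prefix) + r" [\d,-]+", l)]
    spans = re.findall(r"(\d+)(?:-(\d+))?", " ".join(lists))
    return {v for lo, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return (interface, missing countermeasure) pairs for every access port."""
    glob, ifaces = parse(config)
    snoop = vlans(glob, "ip dhcp snooping vlan") if "ip dhcp snooping" in glob else set()
    dai, out = vlans(glob, "ip arp inspection vlan"), []
    for name, cmds in ifaces.items():
        if "switchport mode access" in cmds:
            # Assumption: an access port with no explicit VLAN is in VLAN 1.
            vlan = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")), 1)
            checks = {"port-security": "switchport port-security" in cmds,
                      "ip-source-guard": any(c.startswith("ip verify source") for c in cmds),
                      "dhcp-snooping": vlan in snoop, "arp-inspection": vlan in dai}
            out += [(name, k) for k, ok in checks.items() if not ok]
    return out
```

Calling `audit(SAMPLE)` returns four findings for GigabitEthernet0/2 and none for GigabitEthernet0/1; the per-VLAN snooping line is ignored unless the global `ip dhcp snooping` line is also present.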