One Switch 1 6 2006

Mercruiser GM V8 454 cid 7.4L 502 cid 8.2L Service Manual

Service Manual Application: Gen. VI Engines Sterndrive (MCM) Models: MCM 454 Mag MPI (Serial Number 0L010029 & Up), MCM 502 Mag MPI (Serial Number 0L017000 & Up). Inboard (MIE) Models: MIE 454 Mag MPI Horizon (Serial Number 0L002200 & Up), MIE 8.2L MPI (Serial Number 0L002450 & Up). L-29 Engines - Sterndrive (MCM) Model: MCM 7.4L MPI (Serial Number 0L010003 & Up). Inboard (MIE) Model: MIE 7.4L MPI (Serial Number 0L002006 & Up).

Mercury Mercruiser 496 Mag HO 8.1S Horizon HO Service Manual

Service Manual Application: Sterndrive (MCM) Models: 496 Mag HO (Serial Number 0M000000 & Up), 496 Mag (Serial Number 0M000000 & Up), Inboard (MIE) Models, 8.1S HO (Serial Number 0M000000 & Up), 8.1S Horizon (Serial Number 0M000000 & Up)

Mercury Mercruiser 4.3L MPI Alpha and Bravo Service Manual

Service Manual Application: 4.3 liter (262 cid) Sterndrive (MCM), 4.3L MPI Alpha and Bravo (Serial Number 0M300000 and Above)

1990-1997 MerCruiser Mercury 3.0L & 3.0LX Inboard Engine Manual

Service Manual Applications: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 MerCruiser GM 3.0L 4-Cylinder Engine, 3.0L/3.0LX Inboard Engine with DDIS & EST Ignition. Models covered in this manual: MCM 3.0L, serial number OC856451 and above; MCM 3.0L/3.0LX, serial number OC868143 and above.

1985-1989 Mercruiser Manual #8 Mercury Marine 4 Cylinder Engines

MODELS COVERED IN THIS MANUAL:

MCM 170 MR / Serial Numbers 6916779 to 0A475151
MCM 170 Alpha One / Serial Numbers 0A475152 to 0B434940
MCM 165 Alpha One / Serial Numbers 0B424941 to 0B774251
MCM 3.7L Alpha One / Serial Numbers 0B774252 and Above
MCM 190 MR / Serial Numbers 6917368 to 0A475551
MCM 190 Alpha One / Serial Numbers 0A475552 to 0B436390
MCM 180 Alpha One / Serial Numbers 0B436391 to 0B775248
MCM 3.7 Liter LX Alpha One / Serial Numbers 0B775249 and Above

1998-2006 MerCruiser Mercury 3.0L Inboard Engine Service Manual

Service Repair Manual Application: GM 181 cid 4-Cylinder MCM 3.0L Alpha OL01004 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 with Model Serial Number OL010042 and Above.

1998-2006 Mercury Mercruiser Manual 305 CID 5.0L 350 CID 5.7L

Service Repair Manual Year Application: 1993 1994 1995 1996 1997 305 CID (5.0L) / 350 CID (5.7L) Boat motor engine.

1985-1988 Mercruiser GM V8 ENGINES 305-350-454-482-540 CID Manual

MODELS COVERED IN THIS SERVICE MANUAL:

ENGINES 305-350-454-482-540

MCM 200 5.0L, MCM 230 5.0L, MCM 230 TR 5.0L, MCM 260 5.7L, MCM 260 TR 5.7L, MCM 350 MAGNUM SRX 5.7L, MCM 454 MAGNUM SRX 7.4L, SRX 7.4L-H, MCM 330 B/W, MIE 230, MIE 260, MIE 340 5M7 SKI, MCM 300 TEMPEST, MCM 320 EFI, MCM 370, MCM 400, MCM 420, MCM 440, MCM 460, MCM 575

1978-1982 MerCruiser Manual Stern Drive Units MCM 120 To 260

MODELS COVERED IN THIS MANUAL: Transom Assemblies MCM 120/140/165/470/485/898/228/260 with Serial Numbers 4891650 to 6216686 ... MCM 120-260 Stern Drive Units: Ratio 1.98:1, Serial Numbers 4893635 to 6237860; Ratio 1.84:1, Serial Numbers 4893835 to 6225576; Ratio 1.65:1, Serial Numbers 4890460 to 6268064; Ratio 1.50:1, Serial Numbers 4898730 to 6229157. Years 1978, 1979, 1980, 1981, 1982.

2001-2006 Mercury MerCruiser 5.0L, 5.7L, 6.2L Service Manual

Service Manual Applications: 2001, 2002, 2003, 2004, 2005 and 2006 Mercury MerCruiser 5.0L, 5.7L, 6.2L MPI Gasoline Multiport Injection Engine. Service Manual #31, Part Number 90-864260. Exact model application: Sterndrive (MCM) models starting with serial number OM300000 and above: 5.0L MPI Alpha and Bravo, 350 MAG MPI Alpha and Bravo, 350 MAG MPI Alpha and Bravo Horizon, MX 6.2 MPI, MX 6.2 MPI Horizon. Inboard and Tow Sports (MIE) models starting with serial number OM310000: 350 MAG MPI Inboard, 350 MAG MPI Horizon Inboard, MX 6.2 MPI Inboard, MX 6.2 MPI Horizon Inboard and 350 MAG MPI Tow Sports.

1983-1990 MerCruiser R MR Alpha One & Alpha SS Sterndrive Manual

Service Manual Application: 1983, 1984, 1985, 1986, 1987, 1988, 1989, 1990 MerCruiser #6 Service Manual for Sterndrive Units R-MR-Alpha One & Alpha One SS. MC 120R/140B/185R/488R/898R/228R/260R, Serial Number 6216687 to 6849289; MC 120MR/140MR/170MR/185MR/190MR/200MR/230MR/260MR/300 Tempest MR, Serial Number 6849290 to 0A471374; MC Alpha One/Alpha One SS, Serial Number 0A471375 and Above.

1988-1998 MerCruiser Bravo Sterndrives Service Manual Sterndrive

Service Manual Application: 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 & 1998 MerCruiser #11 Bravo Sterndrives, Bravo One Sterndrive Unit Serial # B664190 and Above, Bravo Two Sterndrive Unit Serial # B892613 and Above, Bravo Three Sterndrive Unit Serial # D763691 and Above, Bravo Transom Assembly (Standard) Serial # * B673048 and Above, Bravo Transom Assembly (High Performance) Serial # D796083 and Above, Bravo Transom Assembly (Magnum) Serial # K104738 and Above. Some Standard Bravo Transom Assemblies could have been converted to High Performance Transom Assemblies by use of a High Performance Gimbal Ring Kit (822374A2). Refer to Transom Assembly sections of this manual for identification information.

1991 2007 MerCruiser ALPHA 1 Gen 2 Sterndrive Service Manual

Service Manual Application: Mercury Mercruiser Service Manual #14 (#-14, Number 14) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 & 2007 Alpha 1 Generations II (Gen 2, Gen II, Gen Two) Outdrive, Sterndrive (Stern Drive) Unit.

Mercury Mercruiser Bravo + Sport Master Service Repair Manual

Service Manual Application: All Bravo Models (Serial Number 0M100000 and Above) + Sport Master Models (Serial Number 0M052945 and Above).

Mercury Mercruiser Bravo One,Two,Three + Transom Service Manual

Service Manual Application: Bravo One, Bravo One X, Bravo One X Diesel, (Serial Number 0M198373 and Above). Bravo One XR (Serial Number 0W240000 and Above). Bravo Two, Bravo Two X, Bravo Two X Diesel, Bravo Three, Bravo Three X, Bravo Three X Diesel (Serial Number 0M198373 and Above). Bravo Three XR (Serial Number 0W240000 and Above). Transom Standard (Serial Number 0W173658 and Above) Transom High Performance(Serial Number 0W150260 and Above)

Mercury Mercruiser D1.7L DTI Service Repair Manual

Service Manual Application: D1.7L DTI ( Serial Number OM055001 and Above)

Mercury Mercruiser In-line Diesel D2.8L D4.2L D-Tronic Manual

Service Manual Application: Sterndrive (MCM) Models: D2.8L D-Tronic (Serial Number 0K000001 and Above), D4.2L D-Tronic (Serial Number 0K000001 and Above). Inboard (MIE) Models: D2.8L D-Tronic (Serial Number 0K000001 and Above), D4.2L D-Tronic (Serial Number 0K000001 and Above).

1983-1993 Mercruiser Mercury GM 6-Cylinder Engines

This manual only covers Engine Repair and does not cover stern drive unit repair or transom assembly.

MODELS COVERED IN THIS SERVICE MANUAL:

MCM 185R 229 CID (3.8L) - Serial Numbers 6289593 to 6919655

MCM 185MR 262 CID (4.3L) - Serial Numbers 6919656 to OA483580

MCM 185 Alpha One - Serial Numbers OA483581 to OB455459

MCM 175 Alpha One - Serial Numbers OB455460 to OB773242

MCM 4.3 Liter Alpha One - Serial Numbers OB773243 to OF000000

Sea Ray (Note 1) 4.3L - 2 Alpha One - Serial Numbers OB785483 to B921276

MCM 205 MR - Serial Numbers 6919687 to OA483776

MCM 205 Alpha One - Serial Numbers OA483777 to OB775129

MCM 4.3 Liter LX Alpha One - Serial Numbers OB775130 to OF000000

Sea Ray (Note 1) 4.3L - 4 Alpha One - Serial Numbers OB785981 to B922330

Note 1: Sea Ray to MerCruiser cross references are:

4.3L-2 same as MCM 4.3L

4.3L-4 same as MCM 4.3L LX

1985-1989 Mercruiser Mercury 4-Cylinder Engines Manual #10

MODELS COVERED IN THIS SERVICE MANUAL:

MCM 120MR - Serial Numbers 6853914 to 0A492055

MCM 120 Alpha 1 - Serial Numbers 0A492056 to 0B531853

MCM 2.5L - Serial Numbers 0C856450 and Above

MCM 140 MR - Serial Numbers 6852270 to 0A484072

MCM 140 Alpha 1 - Serial Numbers 0A484073 to 0B450800

MCM 3.0L - Serial Numbers 0C856450 and Above

Sea Ray 3.0L - Serial Numbers 0B787205 to B917530

NOTICE:

MCM 2.5L Same as MCM 120

MCM 3.0L

Sea Ray 3.0L Same as MCM 140 (Later Models are rated at 130HP and have 9.2:1 Compression Ratio)
Slide 1: Securing LAN and WLAN Devices: Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved. SND v


Slide 2: Outline
– Overview
– Mitigating VLAN Hopping Attacks
– Preventing STP Manipulation
– Mitigating DHCP Server Spoofing with DHCP Snooping
– Mitigating ARP Spoofing with DAI
– CAM Table Overflow Attacks
– MAC Address Spoofing Attacks
– Using Port Security to Prevent Attacks
– Configuring Cisco Catalyst Switch Port Security
– Layer 2 Best Practices
– Summary


Slide 3: VLAN Hopping by Switch Spoofing
Diagram: a rogue station connected to a trunk port presents itself as a second trunk port.
An attacker tricks a network switch into believing that it is a legitimate switch on the network needing trunking. Auto trunking allows the rogue station to become a member of all VLANs.
Note: There is no way to execute switch spoofing attacks unless the switch is misconfigured.


Slide 4: VLAN Hopping by Double Tagging
Diagram: Attacker (VLAN 10) sends a frame carrying two 802.1Q tags across a trunk (Native VLAN = 10) toward the Victim (VLAN 20). The first switch strips off the first tag and sends the frame back out with the second 802.1Q tag still attached.
– The attacker sends double-encapsulated 802.1Q frames.
– The switch performs only one level of decapsulation.
– Only unidirectional traffic is passed.
– The attack works even if the trunk ports are set to off.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Note: There is no way to execute these attacks unless the switch is misconfigured.


Slide 5: Mitigating VLAN Hopping Network Attacks
Example 1: If no trunking is required on an interface, disable trunking on the interface.
    Router(config-if)# switchport mode access
Example 2: If trunking is required, enable trunking but prevent DTP frames from being generated.
    Router(config-if)# switchport mode trunk
    Router(config-if)# switchport nonegotiate
Example 3: If trunking is required, set the native VLAN on the trunk to an unused VLAN.
    Router(config-if)# switchport trunk native vlan vlan_number
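The double-tagging mechanics from slide 4 and the native-VLAN mitigation from Example 3, worked through in code. This is an added example written for this page, not Cisco's code: a small 802.1Q tag-stack parser, a model of the first switch's trunk egress (native-VLAN frames leave untagged, so the outer tag is dropped), and a defender-side check that flags the pattern. The frame bytes and MAC addresses are constructed test input.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct an Ethernet frame carrying the given VLAN IDs, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the two MAC addresses.
    Returns (VLAN IDs outermost first, EtherType of the encapsulated payload)."""
    vids, off = [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid != TPID_8021Q:
            return vids, tpid
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4


def trunk_forward(frame, native_vlan):
    """Model the first switch sending the frame out an 802.1Q trunk.
    Native-VLAN traffic leaves the trunk untagged, so a frame whose outer tag
    equals the native VLAN loses that tag; the downstream switch then
    classifies the frame by whatever tag is left (the slide's "one level of
    decapsulation"). Returns (bytes on the trunk, VLAN assigned downstream)."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        wire = frame[:12] + frame[16:]  # strip the outer 4-byte tag
        inner, _ = parse_tags(wire)
        return wire, (inner[0] if inner else native_vlan)
    return frame, (vids[0] if vids else native_vlan)


def double_tag_alert(frame, native_vlan):
    """Defender check: a frame stacked with two tags whose outer tag equals the
    trunk's native VLAN is exactly the pattern slide 4 describes."""
    vids, _ = parse_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


if __name__ == "__main__":
    # Constructed sample: outer tag 10 (attacker's VLAN), inner tag 20 (victim's VLAN).
    sample = build_frame("00:00:5e:00:53:14", "00:00:5e:00:53:0a", [10, 20])
    _, vlan = trunk_forward(sample, native_vlan=10)
    print("trunk native VLAN 10  -> downstream VLAN", vlan)   # 20: the hop succeeds
    _, vlan = trunk_forward(sample, native_vlan=999)
    print("trunk native VLAN 999 -> downstream VLAN", vlan)   # 10: the frame stays in VLAN 10
    print("alert on native VLAN 10:", double_tag_alert(sample, 10))
```

With the trunk's native VLAN moved to an unused ID (Example 3), the outer tag no longer matches, nothing is stripped, and the frame never reaches VLAN 20.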


Slide 6: STP Attack
On booting the switch, STP identifies one switch as a root bridge and blocks other redundant data paths. STP uses BPDUs to maintain a loop-free topology.
Diagram: Root bridge A with forwarding ports (F) and one blocking port (B) on the redundant path. Legend: F = Forwarding Port, B = Blocking Port.


Slide 7: STP Attack (Cont.)
The attacker sends spoofed BPDUs to change the STP topology. The attacker now becomes the root bridge.
Diagram: two access switches; after the spoofed BPDUs the forwarding (F) and blocking (B) ports are recalculated around the attacker as Root.


Slide 8: Mitigating STP Attacks with bpdu-guard and guard root Commands
Mitigates STP manipulation with the bpduguard command:
    IOS(config)# spanning-tree portfast bpduguard
Mitigates STP manipulation with the guard root command:
    IOS(config-if)# spanning-tree guard root


Slide 9: Spoofing the DHCP Server
Diagram: Client, Rogue DHCP Attacker, Legitimate DHCP Server.
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.


Slide 10: DHCP Snooping
Diagram: Client, Rogue DHCP Attacker, Legitimate DHCP Server.
DHCP snooping allows the configuration of ports as trusted or untrusted.
– Trusted ports can send DHCP requests and acknowledgements.
– Untrusted ports can forward only DHCP requests.
DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. Use the ip dhcp snooping command.


Slide 11: ARP Spoofing: Man-in-the-Middle Attacks
Diagram: A = host A (MAC A.A.A.A), B = host B (MAC B.B.B.B), C = host C, the attacker (MAC C.C.C.C).
1. IP ? MAC: legitimate ARP request for B; legitimate ARP reply = MAC B.B.B.B.
3. Subsequent gratuitous ARP replies overwrite the legitimate replies: in the ARP table in host A, B's IP is now bound to C.C.C.C; in the ARP table in host B, A's IP is now bound to C.C.C.C. The ARP table in host C keeps the real bindings, = MAC A.A.A.A and = MAC B.B.B.B.


Slide 12: Mitigating Man-in-the-Middle Attacks with DAI
MAC or IP tracking built on DHCP snooping.
Diagram: the client sends DHCP Discovery (BCAST); the DHCP Server answers with DHCP Offer (UCAST).
DAI function:
– Track Discovery
– Track DHCP Offer MAC or IP
– Track subsequent ARPs for MAC or IP
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.


Slide 13: DAI in Action
A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping. A GARP is sent to attempt to change the IP address to MAC bindings.
Diagram labels: "Gateway is", "I am your gateway:" (the attacker's GARP), and "Attacker is not gateway according to this binding table".
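Slides 10 to 13 as a runnable model: the switch records a binding (MAC, IP, VLAN, port) when it sees a DHCP ACK for a request it tracked, drops DHCP server messages arriving on untrusted ports, and then validates ARP on untrusted ports against that binding table so the attacker's "I am your gateway" GARP is discarded. This is an added example written for this page, not Cisco IOS code; the gateway's static binding, the port names and all addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry: client MAC, IP, VLAN and port."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model of DHCP snooping plus DAI on a single switch (constructed)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the legitimate DHCP server
        self.bindings = {}                  # (vlan, ip) -> Binding
        self.pending = {}                   # (vlan, client mac) -> port of the request
        self.log = []

    def add_static_binding(self, mac, ip, vlan, port):
        """Assumed operator-supplied entry for a host that never uses DHCP,
        such as the default gateway, so DAI can vouch for it too."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def dhcp_client_message(self, port, vlan, client_mac):
        """DISCOVER/REQUEST: allowed from any port; remember where the client is."""
        self.pending[(vlan, client_mac)] = port
        return True

    def dhcp_server_message(self, kind, port, vlan, client_mac, yiaddr):
        """OFFER/ACK: only trusted ports may originate DHCP server messages."""
        if port not in self.trusted:
            self.log.append(f"DHCP {kind} from untrusted {port} dropped")
            return False
        if kind == "ACK":                   # lease confirmed: record the binding
            client_port = self.pending.get((vlan, client_mac))
            if client_port is not None:
                self.bindings[(vlan, yiaddr)] = Binding(client_mac, yiaddr, vlan, client_port)
        return True

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP/port must match a binding."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            self.log.append(f"DAI: ARP {sender_ip} is-at {sender_mac} on {port} dropped")
            return False
        return True


def run_scenario():
    """Constructed scenario: DHCP server behind trusted Gi0/24, host A on Fa0/1,
    attacker C on Fa0/3, all in VLAN 10. Returns the per-packet verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    sw.add_static_binding("00:00:5e:00:53:01", "192.0.2.1", 10, "Gi0/24")   # gateway
    sw.dhcp_client_message("Fa0/1", 10, "00:00:5e:00:53:0a")                # A: DISCOVER
    rogue = sw.dhcp_server_message("OFFER", "Fa0/3", 10, "00:00:5e:00:53:0a", "192.0.2.66")
    sw.dhcp_server_message("ACK", "Gi0/24", 10, "00:00:5e:00:53:0a", "192.0.2.10")
    legit = sw.arp_packet("Fa0/1", 10, "00:00:5e:00:53:0a", "192.0.2.10")   # A's real ARP
    garp = sw.arp_packet("Fa0/3", 10, "00:00:5e:00:53:0c", "192.0.2.1")     # "I am your gateway"
    return {"rogue_offer": rogue, "legit_arp": legit, "gateway_garp": garp,
            "bindings": len(sw.bindings), "log": sw.log}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```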


Slide 14: Learns by Flooding the Network
Diagram: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3; frame A->B. CAM table: A on Port 1, C on Port 3.
The CAM table is incomplete. MAC B is unknown, so the switch will flood the frame. MAC C sees traffic to MAC B.


Slide 15: CAM Learns MAC B Is on Port 2
Diagram: MAC A = host A, MAC B = host B, MAC C = host C; frame B->A. CAM table: A on Port 1, B on Port 2, C on Port 3.
Host C drops the packet addressed to host B. CAM learns that MAC B is on Port 2.


Slide 16: CAM Table Is Updated, Flooding Stops
Diagram: MAC A = host A, MAC B = host B, MAC C = host C; frame A->B. CAM table: A on Port 1, B on Port 2, C on Port 3.
CAM has learned MAC B is on Port 2. MAC C does not see traffic to MAC B anymore. CAM tables are limited in size.


Slide 17: Intruder Launches macof Utility
Diagram: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3; bogus frames X->? and Y->? arrive on Port 3. CAM table: A on Port 1, B on Port 2, C on Port 3; then X on Port 3, B on Port 2, C on Port 3; then X on Port 3, Y on Port 3, C on Port 3.
Intruder runs macof on MAC C. Macof starts sending unknown bogus MAC addresses. X is on Port 3 and CAM is updated. Y is on Port 3 and CAM is updated. Bogus addresses are added to the CAM table.


Slide 18: The CAM Table Overflows, Switch Crumbles Under the Pressure
Diagram: MAC A = host A, MAC B = host B, MAC C = host C; frame A->B. CAM table: X on Port 3, Y on Port 3, C on Port 3.
The CAM table is full, so Port 3 is closed. MAC B is unknown, so the switch floods the frame looking for MAC B.


Slide 19: MAC Address Spoofing Attack
Diagram: hosts A, B (Attacker) and C. Switch Port Table before the attack: A, B and C each on their own port. The attacker sends frames with SRC: MAC (A), the spoofed source address of host A. Updated Switch Port Table: A and B are both mapped to the attacker's port, so frames with DEST MAC: A are delivered to the attacker. SRC = Source, DEST = Destination.


Slide 20: Using Port Security to Mitigate Attacks
Port security can mitigate attacks by these methods:
– Blocking input to a port from unauthorized MAC addresses
– Filtering traffic to or from a specific host based on the host MAC address
Port security mitigates these:
– CAM table overflow attacks
– MAC address spoofing attacks


Slide 21: Port Security Fundamentals
This feature restricts input to an interface by limiting and identifying MAC addresses of end devices. Secure MAC addresses are included in an address table in one of these ways:
– Use the switchport port-security mac-address mac_address interface configuration command to configure all secure MAC addresses
– Allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices
– Configure some addresses and allow the rest to be configured dynamically
Configure restrict or shutdown violation rules.


Slide 22: Port Security Configuration
Secure MAC addresses are these types:
– Static secure MAC addresses
– Dynamic secure MAC addresses
– Sticky secure MAC addresses
Security violations occur in these situations:
– A station whose MAC address is not in the address table attempts to access the interface when the table is full.
– An address is being used on two secure interfaces in the same VLAN.


Slide 23: Port Security Defaults
Feature: Default Setting
– Port security: Disabled on a port
– Maximum number of secure MAC addresses: 1
– Violation mode: Shutdown (The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.)


Slide 24: Configuring Port Security on a Cisco Catalyst Switch
1. Enter global configuration mode.
2. Enter interface configuration mode for the port that you want to secure.
3. Enable basic port security on the interface.
4. Set the maximum number of MAC addresses allowed on this interface.
5. Set the interface security violation mode. The default is shutdown. For mode, select one of these keywords: shutdown, restrict, protect.
6. Return to privileged EXEC mode.
7. Verify the entry.


Slide 25: Port Security Configuration Script
    Switch# configure terminal
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 50
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security aging time 20
    Switch(config-if)# end
Use these configuration parameters:
– Enable port security on Fast Ethernet port 1
– Set the maximum number of secure addresses to 50
– Set violation mode to default
– No static secure MAC addresses needed
– Enable sticky learning
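The CAM table overflow sequence of slides 14 to 18 and the port security behaviour of slides 20 to 25, run end to end: a size-limited CAM table that learns source addresses and floods unknown destinations, a macof-style burst of bogus source MACs on one port, and sticky port security with a maximum and the three violation modes (shutdown, restrict, protect). This is an added example written for this page and models the slides' description, not Cisco IOS internals; the port names, the CAM size of 4 and the maximum of 2 are constructed so the overflow is visible in a few frames.

```python
from collections import OrderedDict


class Switch:
    """Toy switch: a size-limited CAM table plus per-port port security (constructed)."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam = OrderedDict()   # mac -> port, oldest entry first
        self.cam_size = cam_size
        self.psec = {}             # port -> port-security state
        self.log = []

    def port_security(self, port, maximum=1, violation="shutdown"):
        """switchport port-security maximum N / violation MODE, with sticky learning."""
        self.psec[port] = {"max": maximum, "mode": violation, "secure": set(),
                           "violations": 0, "status": "SecureUp"}

    def _port_security_ok(self, src, port):
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps["status"] == "err-disabled":
            return False                      # shut port passes nothing
        if src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["max"]:
            ps["secure"].add(src)             # sticky: learned address becomes secure
            return True
        # One address more than the maximum: a security violation.
        if ps["mode"] == "shutdown":
            ps["status"], ps["violations"] = "err-disabled", ps["violations"] + 1
            self.log.append(f"{port} err-disabled by {src}; SNMP trap sent")
        elif ps["mode"] == "restrict":
            ps["violations"] += 1
            self.log.append(f"{port} dropped frame from {src}; violation counted")
        # protect: drop silently, no counter and no notification
        return False

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)      # table full: oldest entry is pushed out
        self.cam[mac] = port

    def forward(self, src, dst, ingress):
        """Return the set of egress ports; an empty set means the frame was dropped."""
        if not self._port_security_ok(src, ingress):
            return set()
        self._learn(src, ingress)
        out = self.cam.get(dst)
        if out is None:                       # unknown destination: flood
            return {p for p in self.ports if p != ingress}
        return {out} if out != ingress else set()


def run_scenario(violation=None, bogus=6):
    """Hosts A, B, C on Fa0/1..Fa0/3; C then sends `bogus` unknown source MACs.
    Returns where A->B goes before and after the flood plus the Fa0/3 state."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=4)
    if violation:
        sw.port_security("Fa0/3", maximum=2, violation=violation)
    sw.forward("A", "B", "Fa0/1")             # B unknown: flooded, C sees it (slide 14)
    sw.forward("B", "A", "Fa0/2")             # CAM learns B on Fa0/2 (slide 15)
    before = sw.forward("A", "B", "Fa0/1")    # {"Fa0/2"}: flooding stops (slide 16)
    sw.forward("C", "A", "Fa0/3")
    for i in range(bogus):                    # macof-style bogus sources (slide 17)
        sw.forward(f"X{i}", "?", "Fa0/3")
    after = sw.forward("A", "B", "Fa0/1")     # slide 18 or, with port security, still {"Fa0/2"}
    ps = sw.psec.get("Fa0/3", {})
    return {"before": before, "after": after, "cam": dict(sw.cam),
            "status": ps.get("status"), "violations": ps.get("violations", 0), "log": sw.log}
```

Without port security the bogus addresses evict A and B, so A->B floods again and Fa0/3 sees it; with `maximum 2` the third new address on Fa0/3 is a violation and the legitimate CAM entries survive.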


Slide 26: Verify the Configuration
    Switch# show port-security interface fastethernet0/1
    Port Security: Enabled
    Port status: SecureUp
    Violation mode: Shutdown
    Maximum MAC Addresses: 50
    Total MAC Addresses: 11
    Configured MAC Addresses: 0
    Sticky MAC Addresses: 11
    Aging time: 20 mins
    Aging type: Inactivity
    SecureStatic address aging: Enabled
    Security Violation count: 0


Slide 27: Layer 2 Best Practices
– Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as SNMP.
– Avoid using clear text management protocols on a hostile network.
– Turn off unused and unneeded network services.
– Use port security mechanisms to limit the number of allowed MAC addresses to provide protection against a MAC flooding attack.
– Use a dedicated native VLAN ID for all trunk ports.
– Shut down unused ports in the VLAN.
– Prevent denial-of-service attacks and other exploits by locking down the Spanning Tree Protocol and other dynamic protocols.
– Avoid using VLAN 1, where possible, for trunk and user ports.
– Use DHCP snooping and DAI to mitigate man-in-the-middle attacks.


Slide 28: Summary
– Disabling auto trunking mitigates VLAN hopping attacks.
– The guard root command and the bpduguard command mitigate STP attacks.
– DAI can protect against man-in-the-middle attacks.
– To prevent DHCP attacks, use the DHCP snooping and the port security feature on the Cisco Catalyst switches.
– Mitigate CAM table overflow attacks with Cisco IOS software commands.
– Configuring port security can prevent MAC address spoofing attacks.
– Limiting the number of valid MAC addresses allowed on a port provides many benefits.
– Configure port security with Cisco IOS software commands.
– Following best practices mitigates Layer 2 attacks.

