Layer 2 Security Best Practices
Multiple security zones, one user group, multiple physical switches

This design, shown in Figure , represents a large data center within a single enterprise. However, the need to segregate traffic as well as data for the various groups or departments within the enterprise is reflected in the separation of the data center into security zones. This can be accomplished securely through the use of VLANs within the data center; however, there are considerations that must be evaluated regarding some of the potential vulnerabilities. In Figure , the two switches have a trunk between them, represented by the solid green line, carrying all of the VLAN traffic between the switches.

Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:

  • MAC spoofing, within VLANs
  • CAM table overflow, through per VLAN traffic flooding
  • VLAN hopping
  • STP attacks

Mitigation
If the security zones are small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. If necessary, deploy 802.1X authentication to prevent unauthorized access to each of the security zones by an attacker who physically connects to a switch in the design. Another possible mitigation method is to add a firewall within the design, or to add a Layer 3 switch with an integrated firewall as shown in Figure . The firewall enforces additional Layer 3 traffic segregation. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
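The mitigations above (port security against CAM overflow and MAC spoofing, forced access mode and disabled DTP against VLAN hopping, BPDU guard against STP attacks, and a pruned trunk with a non-default native VLAN) are easy to verify mechanically from a switch's running configuration. The following Python script is an added example for this module, not a tool from the original document or from any vendor: it parses IOS-style interface stanzas and reports which of these hardening commands are missing on each access port and trunk. The configuration text it audits is constructed for illustration (one hardened access port, one unhardened access port, and the inter-switch trunk from the figure), and the IOS command syntax it matches against is the standard Catalyst syntax; adapt the checked strings for other platforms.

```python
from typing import Dict, List, Optional

# Constructed sample of an IOS-style running-config (not from any real device).
# Gi0/1 is a hardened access port, Gi0/2 an unhardened one, Gi0/24 the trunk
# between the two switches that carries all VLANs.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan all
!
"""


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # A '!' separator or a global command ends the interface stanza.
            current = None
    return interfaces


def _find(cmds: List[str], prefix: str) -> Optional[str]:
    """Return the first sub-command starting with prefix, or None."""
    return next((c for c in cmds if c.startswith(prefix)), None)


def audit_interface(cmds: List[str]) -> List[str]:
    """Return the list of missing mitigations for one interface (empty = passes)."""
    findings: List[str] = []
    cmdset = set(cmds)
    if "switchport mode trunk" in cmdset:
        # Trunk checks: VLAN hopping via DTP negotiation and native-VLAN abuse.
        if "switchport nonegotiate" not in cmdset:
            findings.append("trunk: DTP not disabled (switchport nonegotiate)")
        native = _find(cmds, "switchport trunk native vlan ")
        if native is None or native.split()[-1] == "1":
            findings.append("trunk: native VLAN left at default 1; use an unused VLAN")
        allowed = _find(cmds, "switchport trunk allowed vlan ")
        if allowed is None or allowed.split()[-1] == "all":
            findings.append("trunk: allowed VLAN list not pruned to the VLANs this trunk needs")
    else:
        # Access-port checks: port security (MAC spoofing, CAM overflow),
        # forced access mode and no DTP (VLAN hopping), BPDU guard (STP attacks).
        if "switchport mode access" not in cmdset:
            findings.append("access: mode not forced to access (DTP may negotiate a trunk)")
        if "switchport nonegotiate" not in cmdset:
            findings.append("access: DTP not disabled (switchport nonegotiate)")
        if "switchport port-security" not in cmdset:
            findings.append("access: port security not enabled (CAM overflow / MAC spoofing)")
        elif _find(cmds, "switchport port-security maximum ") is None:
            findings.append("access: port-security maximum not set explicitly")
        if "spanning-tree bpduguard enable" not in cmdset:
            findings.append("access: BPDU guard not enabled (rogue STP root)")
    return findings


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Audit every interface; returns only the interfaces that have findings."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config_text).items():
        findings = audit_interface(cmds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for iface, issues in audit_config(SAMPLE_CONFIG).items():
        print(iface)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, the hardened port GigabitEthernet0/1 produces no findings, GigabitEthernet0/2 is flagged for all four access-port mitigations, and the trunk is flagged for DTP, native VLAN and an unpruned allowed list. Running such a check on every switch's configuration on a schedule is one concrete form of the regular testing the module calls for.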