Layer 2 Security Best Practices

Although security attacks on networks are not new events, attacks that use Layer 2 to bypass VLAN restrictions are quickly gaining sophistication and popularity. To mitigate the effects of these attacks as much as possible, the following precautions are recommended:

  • Manage switches as securely as possible. Use SSH if possible, or an out-of-band management system. Avoid the use of clear text management protocols such as Telnet or SNMP Version 1.
  • Use IP-permit lists to restrict access to management ports.
  • Selectively use SNMPv3 and treat community strings like root passwords.
  • When SNMPv3 is used as a management protocol, restrict management access to the management VLAN so that entities on untrusted networks cannot reach management interfaces or protocols. Consider using DHCP snooping and IP source guard to mitigate DHCP starvation attacks.
  • Always use a dedicated VLAN ID for all trunk ports.
  • Avoid using VLAN 1.
  • Set all user ports to non-trunking mode.
  • Deploy port security where possible for user ports. When feasible, configure each port to associate a limited number of MAC addresses. Approximately two to three MAC addresses should be adequate in most situations. This will mitigate MAC flooding and other network attacks. Alternatively, deploy dynamic port security using DHCP snooping along with Dynamic ARP Inspection (DAI).
  • Have a plan for the ARP security issues in the network. Consider using DHCP Snooping along with Dynamic ARP Inspection and IP source guard to protect against MAC spoofing and IP spoofing on the network.
  • Use VLAN ACLs (VACLs) to prevent rogue DHCP servers by limiting replies to DHCP clients to valid DHCP servers on the network. A more flexible approach would be to use DHCP snooping to block unauthorized DHCP servers from responding to DHCP Request packets.
  • Enable STP attack mitigation with BPDU Guard and Root Guard.
  • Use private VLANs where appropriate to further divide Layer 2 networks.
  • Use Cisco Discovery Protocol (CDP) only where appropriate.
  • Disable all unused ports and put them in an unused VLAN. This setup prevents network intruders from plugging into unused ports and communicating with the rest of the network.
  • Use Cisco IOS Software ACLs on IP-forwarding devices to protect Layer 2 proxy on private VLANs.
  • Eliminate native VLANs from 802.1q trunks.
  • Use VTP passwords to authenticate VTP advertisements.
  • Consider using Layer 2 port authentication, such as 802.1x, to authenticate clients attempting connectivity to a network.
  • Procedures for change control and configuration analysis must be in place to ensure that changes result in a secure configuration. This is especially valuable in cases where several organizational groups may control the same switch, and even more valuable in network security deployments where even greater care must be taken.
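The last item calls for configuration analysis as part of change control. As an added example (not code from the page or from Cisco), the following Python script audits a constructed Cisco IOS running-config excerpt against several of the checklist items above: SSH-only VTY access, DHCP snooping and Dynamic ARP Inspection enabled globally, a VTP password, user ports forced to access mode with port security (limited MAC count) and BPDU Guard, trunks with a non-default native VLAN, and unused ports shut down outside VLAN 1. The sample configuration, the VTP password placeholder and the interface names are all constructed for illustration; the commands themselves are standard IOS syntax.

```python
"""Audit a Cisco IOS running-config excerpt against Layer 2 hardening checks."""
from typing import Dict, List, Tuple

MAX_MACS = 3  # page guidance: two to three MAC addresses per user port

# Constructed sample running-config (not taken from any real device).
# Gi1/0/1 is a hardened user port, Gi1/0/2 a weak one, Gi1/0/3 an unused
# port, Gi1/0/24 a trunk.  The VTP password is a labelled placeholder.
SAMPLE_CONFIG = """\
!
vtp domain LAB
vtp password VTP-PASSWORD-PLACEHOLDER
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port (hardened)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port (weak)
 switchport mode dynamic desirable
 switchport access vlan 1
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/24
 description trunk to downstream access switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree guard root
!
line vty 0 4
 transport input ssh
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-block commands.

    Blocks are 'interface ...' and 'line ...' sections; indented lines belong
    to the current block, '!' or a blank line ends it.
    """
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        if raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def _last_word(lines: List[str], prefix: str, default: str) -> str:
    """Return the final token of the first line starting with prefix."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for checklist items the config violates."""
    global_lines, blocks = parse_config(text)
    g = set(global_lines)
    findings: List[Tuple[str, str]] = []
    if "ip dhcp snooping" not in g:
        findings.append(("global", "DHCP snooping not enabled"))
    if not any(l.startswith("ip arp inspection vlan") for l in g):
        findings.append(("global", "Dynamic ARP Inspection not enabled on any VLAN"))
    if not any(l.startswith("vtp password") for l in g):
        findings.append(("global", "VTP advertisements are not password-authenticated"))
    for name, lines in blocks.items():
        s = set(lines)
        if name.startswith("line vty"):
            if "transport input ssh" not in s:
                findings.append((name, "management access not restricted to SSH"))
            continue
        ifname = name.split(" ", 1)[1]
        vlan = _last_word(lines, "switchport access vlan", "1")  # IOS default is VLAN 1
        if "shutdown" in s:
            if vlan == "1":
                findings.append((ifname, "unused port left in VLAN 1"))
            continue
        if "switchport mode trunk" in s:
            if _last_word(lines, "switchport trunk native vlan", "1") == "1":
                findings.append((ifname, "trunk uses default native VLAN 1"))
            continue
        # Anything else is treated as a user port.
        if "switchport mode access" not in s:
            findings.append((ifname, "user port not forced to non-trunking (access) mode"))
        if vlan == "1":
            findings.append((ifname, "user port assigned to VLAN 1"))
        if "switchport port-security" not in s:
            findings.append((ifname, "port security not enabled"))
        elif int(_last_word(lines, "switchport port-security maximum", "1")) > MAX_MACS:
            findings.append((ifname, "port security allows too many MAC addresses"))
        bpdu_ok = "spanning-tree bpduguard enable" in s or (
            "spanning-tree portfast bpduguard default" in g and "spanning-tree portfast" in s)
        if not bpdu_ok:
            findings.append((ifname, "BPDU Guard not active on user port"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Run as-is, the script reports only the weak port GigabitEthernet1/0/2 (dynamic trunking mode, VLAN 1, no port security, no BPDU Guard); removing the global `ip dhcp snooping` line adds a global finding. The checks are deliberately conservative (a user port is anything not explicitly a trunk or shut down), which is the right bias for a change-control gate: a false positive costs a review, a false negative leaves an open port.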

Many of the above features are available in Cisco Catalyst switches. The figure details the availability of some of the features discussed in this lesson in the switches listed across its top row.
