cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7608
Views
139
Helpful
33
Replies

Ask the Expert: Layer 2 Security on Cisco Catalyst Platforms

ciscomoderator
Community Manager
Community Manager

Layer 2 Security on Cisco Catalyst PlatformsWith Wilson Bonilla

Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about about issues in designing, planning, and implementing Layer 2 security in your LAN network with expert Wilson Bonilla. 

Wilson will cover topics that network engineers face daily such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, virtual LAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping over Cisco Catalyst platforms.  With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.  

Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.

Remember to use the rating system to let Wilson know if you've received an adequate response. 

Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, subcommunity, LAN, Switching and Routing, shortly after the event. This event lasts through November, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

      

33 Replies 33

Hello ShanilKumar2003

Just a side note:

It's important to mention that every network is different; the behavior, design and implementation vary based on configuration and expectations.

Examples:

Features like: STP enhancements, for example; knowing that BPDU Guard can stop a layer 2 loop and protect your network from a high profile spanning-tree loop is a life savior.

Features like DHCP snooping, IP source guard and Dynamic ARP inspection protect your network from malicious people. However think of the possibility when an employee innocently brings a home router and plugs it into the LAN network, there are many possible problems it can cause:

Consequences:

  • Rogue DHCP server, invalid ip assignments.
  • Layer 2 STP loops.
  • Layer 3 routing loops.
  • STP topology recalculation.

Recommendations:

  • Configure DHCP Snooping to protect the end users from getting an ip address from a rogue DHCP server.
  • Configure Ip source guard to prevent malicious host from impersonating a legitimate host by assuming the legitimate host’s Ip address.
  • Besides DHCP Snooping provides valuable function to support Ip source guard.
  • Configure Dynamic ARP inspection to prevent arp spoofing attacks.
  • Configure STP BPDU Guard along with STP portfast to shut down a portfast enabled port if it receives a BPDU.
  • For stable connections (meaning ports that always connects to the same devices, as in an office environment: devices like ip phones, pc) configure port-security. 
  • Limit the communication between devices on a single VLAN. For example in a DMZ, if one of the servers is compromised, It can be used as back door to compromised other servers, use Private Vlans to limit the range an attacker can compromise.

I would like to share this document; very important and informative regarding what are the best recommendations for LAN networks in general.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html#wp1246590

Regards.

Wilson B.

Thanks Wilson,

Can you please tell realtime scenario requirements to use private vlans

Thanks
Shanil

Sent from Cisco Technical Support iPhone App

Hello Shanil.

The configuration takes place on the edge switchports where the hosts are connected. The only requirement is to have the proper switch/equipment to support that configuration.

Here is the compatibiltiy matrix where you can see what switches can take advantage of this feature:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Regards.

Wilson B.

darylbrown2005
Level 1
Level 1

Hi Wilson,

I wan to know more about MACSEC and what is the best practice on implementing this kind of security.

May we also request for a deeper explaination about PRIVATE VLAN.

Thank you so much

Regards,

NetNavi

Hello NetNavi.

Check the post above about MacSec for more information and let me know if you need further clarification, if so I will do my best,

In regards to best practices there is a Cisco document; it describes deployments and best practices in every scenario; Supplicants, authenticator, authentication services and other configurations. Please check it out:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

In regards to Private VLANS:

What is a Private Vlan?

  • A private Vlan is a way to isolate hosts within the same Vlan or broadcast domain. So even when you might have devices sharing the same broadcast domain they can be isolated, this isolated is configured based on sub-domains also most often called primary and secondary Vlans.

What is a primary Vlan?

  • The primary Vlan is representation of the private Vlan, a primary Vlan has one or more secondary Vlans, a switch uses the primary Vlan to present traffic from the secondary Vlans to its neighboring devices.

What is a secondary Vlan?

  • A secondary Vlan is a sub-domain of the primary Vlan. We could say that the secondary Vlans belongs to the primary. The must be associated to a primary Vlan. There are two types of secondary vlans: Isolated and Community secondary Vlans.


What does it happen to host within a secondary isolated Vlan?

  • Host within the isolated vlan; can’t communicate to neither other host in the same isoalted vlan nor host in a community vlan.

What does it happen to host within the secondary community Vlan?

  • Host within the community Vlan can communicate with other host assigned to the same community vlan, but they can’t talk to host in other community vlans.

What are the benefits of implementing private Vlans?

  • Scalability: The most common scenario is a service provider. Imagine all customers of a service provider connected through DSL, cable modem… it’s very likely that all customers belong to the same broadcast domain, however if that’s the case why is it that I can’t use my neighbor’s printer, or maybe why is it that I can’t access the files he has store in his computer, (security) we are in the same broadcast shouldn’t I be able to at least ping his ip address?. Well that’s because the ISP must guarantee some type of security for their customers, and because put every single customer that they have in a single Vlan is not scalable they use private Vlans.

Examples:

  • ISP use private vlans to protect from security bridges, Private vlans and isolated Vlans are used to protect personal information for example from one customer to another.
  • DMZ; Many implementations utilizes private vlans in a DMZ to limt or minimize that risk of a compromised server.

I would like to share this documentation with you for further information and configuration guidelines

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml#hw

This document explains what Cisco Catalyst switches support Private Vlans. 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Let me know if you have further questions.

Regards

Wilson B.

Take my great apologies for annoying you, but i still haven't get the answer for my question.

I am familiar with the information that you  provided with the hot links. But this infomation does not answer my question. I am already know how to configure and to maintain private vlans and i know all this theory also. This information describes  the  process of exchanging  the frames between switches and between different types of ports inside a switch. But i want to know how the process of tagging works with private vlans inside the switch from the OSI model perspective by steps:

- frame coming from host to port with secondary vlan (which tag will be add?)

- frame moving from host port of switch to the promiscuous(private nontrunk vlan) port(what happens with the tag?)

- frame moving from promiscuous(private nontrunk vlan) port to the uplink port connected to other device(which tag will be in the frame header?)

Take my previouse picture as a scheme, please.

P.S.:or if you want and can, contact  with me through e-mail, if you don't want to flood here.

CCNA, CCNA Security certified

CCNA, CCNA Security certified

belorusandrey
Level 1
Level 1

Hi,

can you explain about portsecurity feature on the voice-port? How many mac-addresses is allow on the port after enable port-security on the port which is configured as voice port.

On my opinion it would be correct to set 2 maximum mac-addresses configured by default in this case. It makes sense, one for PC and one for the Phone.

But show port-security int fa 0/3 command shows that it is 1 mac address.

I tried to check this on Catalyst 2950 and Cisco 7912. But Cisco 7912 has only one port and I can not connect it with PC to Catalyst at the same time.

Example Port Security configuration for a Voice Port (on a 3750 switch):

switchport mode access

switchport access vlan 101

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

This allows 1 MAC for the Phone and 1 MAC address for a PC connected behind the phone.

Thanks for your reply.

Can you explain how many MAC-addresses is allowed in the case with this config?

switchport mode access

switchport access vlan 101

switchport voice vlan 201

switchport port-security

Does the "switchport voice vlan 201" command change default number of alowed mac-addresses to 2?

Dear Andriy,

"switchport voice vlan command will not change the default to 2, it will be 1 only

if want 2 mac need to configure switchport port-security maximum 2

Thanks

Shanil

Dear Andriy,

In addition to above if you want to configure port security for data and voice vlan on the same port you can use the below config

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security mac-address sticky

Switch(config-if)# switchport port-security maximum 1 vlan voice

Switch(config-if)# switchport port-security maximum 1 vlan access


This will allow 1 secure mac for voice and one for data.

Thanks
Shanil

Hello Andriy.

Regarding to your questions:

Can you explain about port-security feature on the voice-port?

  • When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN, this behavior is due when the ip phone starts (after a reboot), it sends DHCP requests on the data VLAN.  Once the phone completes its boot process, only then it gets to know the voice VLAN ID to use for voice packets.

  • It’s also possible that the phone is exchanging CDP or LLDP packets with the switch on the data VLAN so we have the same results and with Cisco IP phones that would be expected. This won't affect the devices or services at all. Connecting a PC to the phone requires additional MAC addresses.

  1. This same restriction applies to 3750s, 3560s, 3550s, 2960s and 2950.
  2. There are exceptions for example in 4500 switches this restriction only applies to Cisco IOS versions prior to 12.2(31)SG.
  3. In 6500 switches this restrictions only applies to Cisco IOS version prior to SHX.

Regards.

Wilson B.

ahalwani
Level 1
Level 1

Hello Wilson,

I have 500 ME 3750 switch with multiple clients on the same VLAN per switch (About 4-7 clients on each switch).

What is the best way to secure these ports so that no client is using another one's IP address?

Port security is out of the question as clients mac address change a lot.

I tried L2 Port ACL but sometimes it is not working like it is supposed to.

Can you please explain L2 Port ACLs?

Thanks,

-Ahmad

Hello Ahmad.

What is the best way to secure these ports so that no client is using another one's IP address?

I understand you have about 4 to 7 clients in several ME3750 Switches, and you are concerned about these users assuming others pc's IP addresses.

That scenario is described in IP source guard layer 2 security. The best way how to secure these ports is implementing IP source guard prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. IP source guard checks DHCP bindings table, to make sure that hosts IP address is the one assigned as per the DHCP server. It is important to mention that Ip source guard can works together with DHCP snooping, however if you are planning to implementing IP source guard only for 4 or 5 users per switch then you may want to manually configure the bindings table for cross reference with IP source guard. Now I also understand you mentioned the mac address of the users changes a lot, in that case you would like to enable DHCP snooping for a more dynamic filtering without administrator intervention.

Find in the following link more information about IP source guard

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_52_se/configuration/guide/swdhcp82.html

About Port-ACLs

  • Port-access list are used to provide access control just like a regular acl.
  • Configurationwise is similar to regular ACL.

Difference between PACL(l2) and ACL(l3)

  • PACL is applied to switchports(access/trunk ports).
  • Besides a PACL is applied to bridge traffic, so let's say traffic within the same vlan, remember that traffic with source/destination in different vlans is routed.

Based on what I have said: An instance of ACL applied to a layer 2 port is a PACL, the same instance of ACL applied to a layer 3 port is a regular ACL.


I don't think a PACL is the best choice to prevents a malicious host from impersonating a legitimate host by

assuming the legitimate host's IP address, I would suggest you to implement IP source guard.

Regards.

Wilson B.

Hi Wilson,

another difference between a PACL and a RACL that you forgot to mention : PACL is only ingress  feature and RACL is ingress/egress.

Can you provide a link where it is stated that PACL will have no effect on routed traffic?

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: