Ask the Expert: Layer 2 Security on Cisco Catalyst Platforms

Layer 2 Security on Cisco Catalyst Platforms with Wilson Bonilla

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about issues in designing, planning, and implementing Layer 2 security in your LAN network with expert Wilson Bonilla.

Wilson will cover topics that network engineers face daily, such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, virtual LAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping on Cisco Catalyst platforms. With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.

Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.

Remember to use the rating system to let Wilson know if you've received an adequate response. 

Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, subcommunity, LAN, Switching and Routing, shortly after the event. This event lasts through November, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

      

33 REPLIES
Community Member

Layer 2 Security on Cisco Catalyst Platforms

Hi,

Can you explain in which scenarios DHCP snooping is enabled/disabled in Cisco switches? What are the benefits of enabling it?

Layer 2 Security on Cisco Catalyst Platforms

Hello rvg2k

In general:

DHCP snooping is disabled by default in all Catalyst platforms; it needs some additional configuration.

When should it be enabled?

There are many scenarios, but the point is: enable it when there may be a possibility of a rogue DHCP server.

Example:

In a company where employees bring their own devices to connect them to the network, chances are that an employee brings a home router so that they can have more ports available for their own benefit. If this router has DHCP capabilities, think of the possibility where this fake DHCP server starts providing IP addresses to other clients trying to connect to the network. As you can suppose, the client will end up with a duplicated IP address, or maybe an invalid IP address for the VLAN they are in; this will end up in a connectivity issue.

Solution and benefits:

The solution to that scenario is DHCP Snooping. Just like a firewall that inspects traffic, DHCP snooping is a layer 2 solution to protect against rogue DHCP servers. DHCP Snooping keeps track of DHCP messages; if a DHCP Offer message is received on an untrusted interface it will be dropped, protecting clients from getting an IP address from an undesirable source.

Regards.

Wilson B
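
The filtering decision described in this answer, as an added example that is not part of the thread: server-side DHCP messages (Offer/ACK/NAK) are dropped on untrusted ports, and the binding table is learned from ACKs that pass the filter. Port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message types that only a server sends; these are what snooping filters.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    port: str         # ingress switchport
    vlan: int
    mtype: str        # DISCOVER, OFFER, REQUEST, ACK or NAK
    client_mac: str   # chaddr: the client the message belongs to
    yiaddr: str = ""  # address offered/assigned to the client (OFFER, ACK)


@dataclass
class DhcpSnooping:
    trusted_ports: Set[str]
    # binding table: (client MAC, VLAN) -> (IP, the client's port), built from ACKs
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    dropped: List[DhcpMessage] = field(default_factory=list)
    client_port: Dict[str, str] = field(default_factory=dict)

    def process(self, msg: DhcpMessage) -> bool:
        """Return True if the message is forwarded, False if snooping drops it."""
        if msg.mtype in SERVER_MESSAGES:
            if msg.port not in self.trusted_ports:
                # server reply arriving on a host port: a rogue DHCP server
                self.dropped.append(msg)
                return False
            if msg.mtype == "ACK" and msg.yiaddr and msg.client_mac in self.client_port:
                self.bindings[(msg.client_mac, msg.vlan)] = (
                    msg.yiaddr, self.client_port[msg.client_mac])
            return True
        # client message on a host port: remember where the client sits so the
        # ACK that comes back over the trusted uplink can be bound to that port
        if msg.port not in self.trusted_ports:
            self.client_port[msg.client_mac] = msg.port
        return True


def run_scenario() -> DhcpSnooping:
    """Constructed exchange: the real server is behind the uplink Gi1/0/24 (trusted);
    an employee's home router on access port Gi1/0/7 answers the same client."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/24"})
    pc = "00:11:22:33:44:55"
    exchange = [
        DhcpMessage("Gi1/0/1", 10, "DISCOVER", pc),
        DhcpMessage("Gi1/0/7", 10, "OFFER", pc, "192.168.1.50"),   # rogue, dropped
        DhcpMessage("Gi1/0/24", 10, "OFFER", pc, "10.1.10.25"),    # legitimate
        DhcpMessage("Gi1/0/1", 10, "REQUEST", pc),
        DhcpMessage("Gi1/0/7", 10, "ACK", pc, "192.168.1.50"),     # rogue, dropped
        DhcpMessage("Gi1/0/24", 10, "ACK", pc, "10.1.10.25"),      # legitimate
    ]
    for msg in exchange:
        snoop.process(msg)
    return snoop


if __name__ == "__main__":
    s = run_scenario()
    print("dropped:", [(m.port, m.mtype) for m in s.dropped])
    print("bindings:", s.bindings)
```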

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Hi, Wilson.
I have some questions regarding private VLANs. I understand how it has to be configured and how it works in general, but I have some questions regarding its functionality in depth.
As I understand, during the frame encapsulation process the secondary VLAN tag is injected into the frame; then, when the switch, considering its CAM table, decides to move the frame through the uplink (promiscuous port) with the primary VLAN, it removes the secondary VLAN tag from the frame and injects the primary VLAN tag. Am I right? If I am right, this technology is very much like dot1q tunneling with VLAN translation.
If I am not right, please correct me. I need the explanation in terms of the OSI model.
Unfortunately nobody has given me the answer to my question.

Sent from Cisco Technical Support iPad App

CCNA, CCNA Security certified

Layer 2 Security on Cisco Catalyst Platforms

Hello Alexey.

Please don't mix the concept of double-tag tunneling (QinQ) with Private VLANs. QinQ adds an outer tag to the frames to keep track of where the traffic is sourced and where it is going.

Your comment:

With the primary VLAN it removes the tag of the secondary VLAN from the frame and injects the tag of the primary VLAN. Am I right?

That's not really how it works. Take into consideration the following topology:

Where:

Primary vlan is 10

Isolated vlan is 101

Community vlan is 102

When traffic from the secondary isolated VLAN is being forwarded to the promiscuous port, the trunk port in the switch will encapsulate the frame with the source VLAN (meaning the secondary VLAN), so if it was sourced from the isolated secondary VLAN it will be VLAN 100 (if sourced from the community VLAN it will be encapsulated with VLAN 101). Remember, the switch never double-tags the frame; only the secondary VLAN is encapsulated. The de-encapsulation process takes place later on.

Now, when the traffic comes back from the promiscuous port to the end host, the router will encapsulate the frame with the primary VLAN (the router or promiscuous port is not PVLAN aware); finally it is up to the switch to check the CAM table, find the MAC address and its VLAN assignment, and switch the traffic to the correct secondary VLAN. Later on the de-encapsulation process takes place.

Please let me know if the answer is satisfactory.

Regards.

Wilson B

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Thank you for your explanation, but it seems to me you don't understand my question.
I do realise that private VLAN technology differs from double tagging.
By the way, in your explanation you take 10, 101 (isolated) and 102 (community) as the example, but later you change them to 100 isolated and 101 community; it confused me a little.
I have attached my little drawing :) to this message to illustrate how I understand the private VLAN technology is working. In this example the promiscuous port is not configured as a private VLAN trunk. It is just a private primary VLAN promiscuous port.
So the questions are:
Does the tag change while moving inside the switch from the host port to the promiscuous port?
And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?

Sent from Cisco Technical Support iPad App

CCNA, CCNA Security certified

Re: Layer 2 Security on Cisco Catalyst Platforms

Hello Alexey.

Thank you for your question.

Does the tag change while moving inside the switch from the host port to the promiscuous port?

Never; an access port never tags traffic.

And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?

If the frame is incoming on the uplink connected to the switch, it will come in the primary VLAN; the same if the frame is outgoing on the uplink: it goes out with the primary VLAN tag.

When the traffic arrives at the switchport, it's up to the MAC address table which interface it will be destined to.

Please let me know if that clarifies your question.

Regards.

Wilson B.

Re: Layer 2 Security on Cisco Catalyst Platforms

Hi Wilson,

Nice forum going on here. I just want to ask why VLAN replication takes some time from a switch in VTP server mode to a switch in VTP client mode.

I made a recent change in my network environment wherein I added a VLAN on the VTP server, but I had to check and troubleshoot on the VTP client since the VLAN still wasn't there. It popped up, I'm assuming, after less than a minute.

I did a Google search but wasn't able to find any solid technical explanation on this. Would you be able to explain this phenomenon?

Sent from Cisco Technical Support iPad App

Layer 2 Security on Cisco Catalyst Platforms

Hello John.

By default, Catalyst switches issue summary advertisements in five-minute increments. Summary advertisements inform adjacent Catalysts of the current VTP domain name and the configuration revision number.

When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent. If you add a new switch to the network, it takes 5 minutes until it hears an advertisement from the server.

If you want the VLAN propagated immediately (meaning before the advertisements are generated and sent again) then you need to create a VLAN so that the revision number changes and the new switch gets updated, once the control checkpoints I just described have passed.

Regards.

Wilson B.

Layer 2 Security on Cisco Catalyst Platforms

Wilson,

thanks for this info! The 5 mins is way too long and I thought I was going crazy!

Sorry, my switching is not that advanced; is there a command on the switch to shorten the 5 min VTP advertisement?

Is this the hello time/BPDU?

Layer 2 Security on Cisco Catalyst Platforms

Hello John.

Actually the BPDU timer is 2 seconds; BPDUs are sent to calculate the layer 2 topology of spanning-tree. When talking about VTP, packets like VTP advertisements, subsets and summaries are the ones that come into play.

Regards.

Wilson B.

Community Member

Layer 2 Security on Cisco Catalyst Platforms

I want to know more about MACsec and how it is implemented in a large environment.

Re: Layer 2 Security on Cisco Catalyst Platforms

Hello Daryl.

I also want to be honest with you: I don't have too much experience with MacSec in real troubleshooting scenarios, but let me share my knowledge about what I have studied about it.

MacSec is the standard for authenticating and encrypting packets between two MacSec-capable devices.

MacSec implementation:

  • Basically, the main function of MacSec is in any scenario where you want to encrypt end users' traffic to avoid a spoofing attack. In a large environment you need to make sure the access layer switch supports MacSec:
  • 2960, 3550, 3750G and 3750E access layer switches do not support MacSec.
  • 3750X and 3560X switches support it with the addition of the C3KX-SM-10G module; notice that only the interfaces in the module are the ones that support MacSec, not the onboard interfaces.
  • 4900M and 4948E switches don't support MacSec.
  • Non-6500-E chassis don't support MacSec.
  • 4500 switches only support MacSec with supervisors Sup7E and Sup7LE.
  • 4500X does support MacSec.
  • Only 6500-E chassis with VS-S2T-10GE and WS-X6908 support MacSec.

NOTE: In a large environment it is very important that you have knowledge of the hardware capabilities; pay attention that not all Catalyst series switches support this feature, so there are some limitations.

Where should you use MacSec?

  • MacSec is often used in the access layer, where end users have direct access to the switchport itself; that doesn't mean it cannot be used between the access and distribution/core layers. (See the picture above for reference.)

What do you need to implement MacSec?

  • A supplicant: the end client; it must be running an application (Cisco AnyConnect) to manage encryption and MacSec negotiation.
  • Authenticator/switch: this is the intermediate device that relays the client credentials to the authentication server.
  • Authentication server: such as an ACS.

What protocols does MacSec run?

  • EAP (Extensible Authentication Protocol): defines authentication between the supplicant and the authenticator.
  • EAP over LAN: encapsulation to transport EAP messages.
  • Key agreement / security association protocol: discovers peers and negotiates MacSec keys.
  • RADIUS/TACACS: for communication between the switch and the authentication server.

Here is another example of how it works

Best regards.

Wilson B.

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Hi wilson

Can you please advise the recommended configurations to harden and secure a switch in a production network?

Thanks
Shanil

Sent from Cisco Technical Support iPhone App

Layer 2 Security on Cisco Catalyst Platforms

Hello ShanilKumar2003

Just a side note:

It's important to mention that every network is different; the behavior, design and implementation vary based on configuration and expectations.

Examples:

Features like STP enhancements: for example, knowing that BPDU Guard can stop a layer 2 loop and protect your network from a high-profile spanning-tree loop is a life saver.

Features like DHCP snooping, IP source guard and Dynamic ARP inspection protect your network from malicious people. However, think of the possibility that an employee innocently brings a home router and plugs it into the LAN; there are many possible problems it can cause:

Consequences:

  • Rogue DHCP server, invalid IP assignments.
  • Layer 2 STP loops.
  • Layer 3 routing loops.
  • STP topology recalculation.

Recommendations:

  • Configure DHCP Snooping to protect the end users from getting an IP address from a rogue DHCP server.
  • Configure IP source guard to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address.
  • Besides, DHCP Snooping provides a valuable function to support IP source guard.
  • Configure Dynamic ARP inspection to prevent ARP spoofing attacks.
  • Configure STP BPDU Guard along with STP PortFast to shut down a PortFast-enabled port if it receives a BPDU.
  • For stable connections (meaning ports that always connect to the same devices, as in an office environment: devices like IP phones, PCs) configure port-security.
  • Limit the communication between devices on a single VLAN. For example in a DMZ, if one of the servers is compromised, it can be used as a back door to compromise other servers; use Private VLANs to limit the range an attacker can compromise.

I would like to share this document; it is very important and informative regarding the best recommendations for LAN networks in general.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html#wp1246590

Regards.

Wilson B.
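
An added example, not from the thread or from Cisco, that audits a running-config excerpt against the recommendations above: DHCP snooping and DAI enabled for each access VLAN, and port-security, IP source guard and BPDU guard on every access port. The config text is constructed; the command strings are standard Catalyst IOS syntax, and VLAN ranges in the global commands are not expanded.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt (not from the thread): Gi1/0/1 hardened, Gi1/0/2 not, Gi1/0/24 uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 101
ip arp inspection vlan 101
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 101
 switchport port-security
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
!
"""

# Interface commands every access port should carry, keyed by recommendation.
ACCESS_PORT_COMMANDS = {
    "port-security": "switchport port-security",
    "ip-source-guard": "ip verify source",
    "bpduguard": "spanning-tree bpduguard enable",
}

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the config into global commands and per-interface command lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def vlans_enabled(global_lines: List[str], feature: str) -> Set[int]:
    """VLAN IDs after e.g. 'ip dhcp snooping vlan' (comma lists only, no ranges)."""
    vlans: Set[int] = set()
    for line in global_lines:
        m = re.fullmatch(rf"{feature} vlan (\S+)", line)
        if m:
            vlans.update(int(v) for v in m.group(1).split(",") if v.isdigit())
    return vlans

def audit(text: str) -> Dict[str, List[str]]:
    """Return {access port: [missing protections]}; trunk ports are skipped."""
    global_lines, interfaces = parse_config(text)
    snooping_on = "ip dhcp snooping" in global_lines
    snooping_vlans = vlans_enabled(global_lines, "ip dhcp snooping")
    dai_vlans = vlans_enabled(global_lines, "ip arp inspection")
    findings: Dict[str, List[str]] = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue
        missing = [k for k, cmd in ACCESS_PORT_COMMANDS.items() if cmd not in cmds]
        # IOS default access VLAN is 1 when none is configured
        vlan = next((int(c.split()[-1]) for c in cmds
                     if c.startswith("switchport access vlan ")), 1)
        if not snooping_on or vlan not in snooping_vlans:
            missing.append("dhcp-snooping-vlan")
        if vlan not in dai_vlans:
            missing.append("dai-vlan")
        findings[name] = missing
    return findings
```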

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Thanks Wilson,

Can you please tell me the real-time scenario requirements to use private VLANs?

Thanks
Shanil

Sent from Cisco Technical Support iPhone App

Layer 2 Security on Cisco Catalyst Platforms

Hello Shanil.

The configuration takes place on the edge switchports where the hosts are connected. The only requirement is to have the proper switch/equipment to support that configuration.

Here is the compatibility matrix where you can see which switches can take advantage of this feature:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Regards.

Wilson B.

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Hi Wilson,

I want to know more about MACsec and what the best practice is for implementing this kind of security.

May we also request a deeper explanation of private VLANs.

Thank you so much

Regards,

NetNavi

Layer 2 Security on Cisco Catalyst Platforms

Hello NetNavi.

Check the post above about MacSec for more information and let me know if you need further clarification; if so, I will do my best.

In regards to best practices there is a Cisco document; it describes deployments and best practices in every scenario: supplicants, authenticator, authentication services and other configurations. Please check it out:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

In regards to Private VLANS:

What is a Private Vlan?

  • A private VLAN is a way to isolate hosts within the same VLAN or broadcast domain. So even when you might have devices sharing the same broadcast domain they can be isolated; this isolation is configured based on sub-domains, most often called primary and secondary VLANs.

What is a primary Vlan?

  • The primary VLAN is the representation of the private VLAN. A primary VLAN has one or more secondary VLANs; a switch uses the primary VLAN to present traffic from the secondary VLANs to its neighboring devices.

What is a secondary Vlan?

  • A secondary VLAN is a sub-domain of the primary VLAN. We could say that the secondary VLANs belong to the primary. They must be associated with a primary VLAN. There are two types of secondary VLANs: isolated and community secondary VLANs.

What happens to hosts within a secondary isolated VLAN?

  • Hosts within the isolated VLAN can't communicate with other hosts in the same isolated VLAN, nor with hosts in a community VLAN.

What happens to hosts within the secondary community VLAN?

  • Hosts within the community VLAN can communicate with other hosts assigned to the same community VLAN, but they can't talk to hosts in other community VLANs.

What are the benefits of implementing private Vlans?

  • Scalability: The most common scenario is a service provider. Imagine all customers of a service provider connected through DSL, cable modem... it's very likely that all customers belong to the same broadcast domain. However, if that's the case, why is it that I can't use my neighbor's printer, or why is it that I can't access the files he has stored in his computer? (Security.) We are in the same broadcast domain; shouldn't I be able to at least ping his IP address? Well, that's because the ISP must guarantee some type of security for their customers, and because putting every single customer they have in a single VLAN is not scalable, they use private VLANs.

Examples:

  • ISPs use private VLANs to protect from security breaches; private VLANs and isolated VLANs are used to protect personal information, for example from one customer to another.
  • DMZ: many implementations utilize private VLANs in a DMZ to limit or minimize the risk of a compromised server.

I would like to share this documentation with you for further information and configuration guidelines

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml#hw

This document explains which Cisco Catalyst switches support Private VLANs.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Let me know if you have further questions.

Regards

Wilson B.
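
The isolation rules from this answer (isolated, community and promiscuous) as a reachability check, an added example that is not part of the thread. The port names are constructed; the primary/isolated/community numbers 10/101/102 follow the earlier answer, and a second community VLAN 103 is assumed to show the community-to-community rule.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str        # "promiscuous", "isolated" or "community"
    primary: int     # primary VLAN the port belongs to
    secondary: int   # secondary VLAN; for a promiscuous port, the primary itself


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Isolation rules: a promiscuous port talks to every host in the private
    VLAN, community hosts talk within their own community, and isolated hosts
    reach nothing but the promiscuous port."""
    if src.primary != dst.primary:
        return False                      # different private VLANs
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary
    return False                          # isolated<->isolated, isolated<->community


def reachability(ports: Dict[str, PvlanPort]) -> Dict[str, List[str]]:
    """For every port, the sorted list of other ports it can send to."""
    return {
        name: sorted(other for other, dst in ports.items()
                     if other != name and can_forward(src, dst))
        for name, src in ports.items()
    }


# Constructed ports: primary 10, isolated 101, community 102 as in the earlier
# answer, plus a second community VLAN 103 to show community-to-community isolation.
SAMPLE_PORTS = {
    "Gi1/0/24": PvlanPort("Gi1/0/24", "promiscuous", 10, 10),  # uplink/router
    "Gi1/0/1": PvlanPort("Gi1/0/1", "isolated", 10, 101),
    "Gi1/0/2": PvlanPort("Gi1/0/2", "isolated", 10, 101),
    "Gi1/0/3": PvlanPort("Gi1/0/3", "community", 10, 102),
    "Gi1/0/4": PvlanPort("Gi1/0/4", "community", 10, 102),
    "Gi1/0/5": PvlanPort("Gi1/0/5", "community", 10, 103),
}


if __name__ == "__main__":
    # the list for a given port is also the blast radius of a compromised host on it
    for port, reach in reachability(SAMPLE_PORTS).items():
        print(f"{port:9s} -> {', '.join(reach) or '(nothing)'}")
```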

Community Member

Layer 2 Security on Cisco Catalyst Platforms

Please accept my apologies for annoying you, but I still haven't got the answer to my question.

I am familiar with the information that you provided with the links. But this information does not answer my question. I already know how to configure and maintain private VLANs and I know all this theory too. This information describes the process of exchanging frames between switches and between different types of ports inside a switch. But I want to know how the process of tagging works with private VLANs inside the switch from the OSI model perspective, step by step:

- frame coming from the host to the port with the secondary VLAN (which tag will be added?)

- frame moving from the host port of the switch to the promiscuous (private non-trunk VLAN) port (what happens with the tag?)

- frame moving from the promiscuous (private non-trunk VLAN) port to the uplink port connected to the other device (which tag will be in the frame header?)

Take my previous picture as a scheme, please.

P.S.: or if you want and can, contact me through e-mail, if you don't want to flood here.

CCNA, CCNA Security certified

Community Member

Layer 2 Security on Cisco Catalyst Platforms

Hi,

Can you explain the port-security feature on a voice port? How many MAC addresses are allowed on the port after enabling port-security on a port configured as a voice port?

In my opinion it would be correct to have 2 maximum MAC addresses configured by default in this case. It makes sense: one for the PC and one for the phone.

But the show port-security int fa 0/3 command shows that it is 1 MAC address.

I tried to check this on a Catalyst 2950 and a Cisco 7912. But the Cisco 7912 has only one port and I cannot connect it with a PC to the Catalyst at the same time.

Bronze

Layer 2 Security on Cisco Catalyst Platforms

Example Port Security configuration for a Voice Port (on a 3750 switch):

    switchport mode access
    switchport access vlan 101
    switchport voice vlan 201
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security

This allows 1 MAC for the Phone and 1 MAC address for a PC connected behind the phone.

Community Member

Layer 2 Security on Cisco Catalyst Platforms

Thanks for your reply.

Can you explain how many MAC-addresses is allowed in the case with this config?

    switchport mode access
    switchport access vlan 101
    switchport voice vlan 201
    switchport port-security

Does the "switchport voice vlan 201" command change the default number of allowed MAC addresses to 2?

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Dear Andriy,

The "switchport voice vlan" command will not change the default to 2; it will be 1 only.

If you want 2 MACs you need to configure switchport port-security maximum 2.

Thanks

Shanil

Community Member

Re: Layer 2 Security on Cisco Catalyst Platforms

Dear Andriy,

In addition to the above, if you want to configure port security for the data and voice VLAN on the same port you can use the config below:

    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security maximum 1 vlan voice
    Switch(config-if)# switchport port-security maximum 1 vlan access

This will allow 1 secure MAC for voice and one for data.

Thanks
Shanil

Layer 2 Security on Cisco Catalyst Platforms

Hello Andriy.

Regarding your questions:

Can you explain the port-security feature on the voice port?

  • When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN; this behavior is because when the IP phone starts (after a reboot), it sends DHCP requests on the data VLAN. Only once the phone completes its boot process does it get to know the voice VLAN ID to use for voice packets.

  • It's also possible that the phone is exchanging CDP or LLDP packets with the switch on the data VLAN, so we have the same results, and with Cisco IP phones that would be expected. This won't affect the devices or services at all. Connecting a PC to the phone requires additional MAC addresses.

  1. This same restriction applies to 3750s, 3560s, 3550s, 2960s and 2950s.
  2. There are exceptions; for example, in 4500 switches this restriction only applies to Cisco IOS versions prior to 12.2(31)SG.
  3. In 6500 switches this restriction only applies to Cisco IOS versions prior to SHX.

Regards.

Wilson B.
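
The counting rule in this answer as an added example that is not from the thread: a simplified model of port-security (no aging, no sticky learning) run through the phone-then-PC boot sequence with the default maximum, the "maximum 2" config posted earlier in the thread, and the "two plus the access-VLAN maximum" value. MAC addresses are constructed; the VLAN numbers follow the posted config.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PortSecurity:
    """One switchport's port-security state (simplified: no aging, no sticky)."""
    maximum: int = 1                       # default with just 'switchport port-security'
    per_vlan: Dict[int, int] = field(default_factory=dict)    # 'maximum N vlan ...'
    secure: Set[Tuple[str, int]] = field(default_factory=set)  # learned (MAC, VLAN)
    violations: List[Tuple[str, int]] = field(default_factory=list)

    def learn(self, mac: str, vlan: int) -> bool:
        """Return True if (mac, vlan) is admitted as a secure address."""
        if (mac, vlan) in self.secure:
            return True                    # already secured, nothing new to count
        if len(self.secure) >= self.maximum:
            self.violations.append((mac, vlan))
            return False                   # port-level maximum reached
        on_vlan = sum(1 for _, v in self.secure if v == vlan)
        if on_vlan >= self.per_vlan.get(vlan, self.maximum):
            self.violations.append((mac, vlan))
            return False                   # per-VLAN maximum reached
        self.secure.add((mac, vlan))
        return True


# Constructed addresses; VLAN numbers follow the config posted in the thread.
PHONE, PC = "00:1a:a1:00:00:01", "00:50:56:00:00:02"
ACCESS_VLAN, VOICE_VLAN = 101, 201


def phone_then_pc(maximum: int, per_vlan: Dict[int, int],
                  phone_on_data: bool) -> Tuple[bool, bool, bool]:
    """Boot sequence from the answer above: the phone may first be seen on the
    data VLAN (DHCP/CDP before it learns the voice VLAN), then on the voice VLAN,
    then the PC behind it on the data VLAN. Returns the three admit results."""
    ps = PortSecurity(maximum, per_vlan)
    phone_data = ps.learn(PHONE, ACCESS_VLAN) if phone_on_data else True
    phone_voice = ps.learn(PHONE, VOICE_VLAN)
    pc_data = ps.learn(PC, ACCESS_VLAN)
    return phone_data, phone_voice, pc_data


if __name__ == "__main__":
    # default 'switchport port-security' (maximum 1): the PC is refused
    print(phone_then_pc(1, {}, False))
    # 'maximum 2' with one per VLAN: fine while the phone only shows up on voice
    print(phone_then_pc(2, {ACCESS_VLAN: 1, VOICE_VLAN: 1}, False))
    # the same config once the phone is also learned on the data VLAN at boot
    print(phone_then_pc(2, {ACCESS_VLAN: 1, VOICE_VLAN: 1}, True))
    # 'two plus the access-VLAN maximum' (1) = 3, as the answer recommends
    print(phone_then_pc(3, {}, True))
```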

Community Member

Layer 2 Security on Cisco Catalyst Platforms

Hello Wilson,

I have 500 ME 3750 switches with multiple clients on the same VLAN per switch (about 4-7 clients on each switch).

What is the best way to secure these ports so that no client is using another one's IP address?

Port security is out of the question as the clients' MAC addresses change a lot.

I tried L2 Port ACLs but sometimes they do not work like they are supposed to.

Can you please explain L2 Port ACLs?

Thanks,

-Ahmad

Layer 2 Security on Cisco Catalyst Platforms

Hello Ahmad.

What is the best way to secure these ports so that no client is using another one's IP address?

I understand you have about 4 to 7 clients in several ME3750 switches, and you are concerned about these users assuming other PCs' IP addresses.

That scenario is covered by IP source guard, a layer 2 security feature. The best way to secure these ports is implementing IP source guard, which prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. IP source guard checks the DHCP binding table to make sure that the host's IP address is the one assigned by the DHCP server. It is important to mention that IP source guard can work together with DHCP snooping; however, if you are planning to implement IP source guard only for 4 or 5 users per switch then you may want to manually configure the binding table for cross reference with IP source guard. Now, I also understand you mentioned the MAC addresses of the users change a lot; in that case you would like to enable DHCP snooping for more dynamic filtering without administrator intervention.

Find more information about IP source guard in the following link:

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_52_se/configuration/guide/swdhcp82.html

About Port-ACLs

  • Port access lists are used to provide access control just like a regular ACL.
  • Configuration-wise it is similar to a regular ACL.

Difference between PACL (L2) and ACL (L3):

  • A PACL is applied to switchports (access/trunk ports).
  • Besides, a PACL is applied to bridged traffic, so let's say traffic within the same VLAN; remember that traffic with source/destination in different VLANs is routed.

Based on what I have said: an instance of an ACL applied to a layer 2 port is a PACL; the same instance of an ACL applied to a layer 3 port is a regular ACL.

I don't think a PACL is the best choice to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address; I would suggest you implement IP source guard.

Regards.

Wilson B.
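
IP source guard as described in this answer, as an added example that is not from the thread: frames on a guarded port are forwarded only when their source IP (optionally also the source MAC) matches that port's binding, and a guarded port with no binding forwards nothing. The bindings and frames are constructed, standing in for entries learned by DHCP snooping or configured statically.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One binding-table entry (learned by DHCP snooping or added statically)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Frame:
    port: str      # ingress switchport
    vlan: int
    src_mac: str
    src_ip: str


class IpSourceGuard:
    """Per-port source filter built from the binding table. With check_mac the
    source MAC must match the binding as well (the stricter IP+MAC mode)."""

    def __init__(self, bindings: Iterable[Binding], guarded_ports: Set[str],
                 check_mac: bool = False):
        self.guarded = set(guarded_ports)
        self.check_mac = check_mac
        self.allowed: Set[Tuple[str, int, str, str]] = {
            (b.port, b.vlan, b.ip, b.mac if check_mac else "*") for b in bindings
        }

    def permit(self, f: Frame) -> bool:
        if f.port not in self.guarded:
            return True            # feature not enabled on this port (e.g. uplink)
        mac = f.src_mac if self.check_mac else "*"
        # a guarded port with no matching binding forwards nothing (DHCP aside)
        return (f.port, f.vlan, f.src_ip, mac) in self.allowed


def filter_frames(guard: IpSourceGuard,
                  frames: Iterable[Frame]) -> List[Tuple[Frame, bool]]:
    return [(f, guard.permit(f)) for f in frames]


# Constructed scenario modelled on the question above: a few clients on one VLAN,
# one of them sending with a neighbour's IP address.
BINDINGS = [
    Binding("00:11:22:00:00:01", "10.0.0.11", 10, "Gi1/0/1"),
    Binding("00:11:22:00:00:02", "10.0.0.12", 10, "Gi1/0/2"),
    Binding("00:11:22:00:00:03", "10.0.0.13", 10, "Gi1/0/3"),
]
FRAMES = [
    Frame("Gi1/0/1", 10, "00:11:22:00:00:01", "10.0.0.11"),  # legitimate
    Frame("Gi1/0/2", 10, "00:11:22:00:00:02", "10.0.0.11"),  # uses neighbour's IP
    Frame("Gi1/0/3", 10, "00:11:22:00:00:99", "10.0.0.13"),  # right IP, other MAC
    Frame("Gi1/0/4", 10, "00:11:22:00:00:04", "10.0.0.14"),  # guarded, no binding
    Frame("Gi1/0/24", 10, "00:11:22:00:00:aa", "10.0.0.1"),  # uplink, not guarded
]
GUARDED = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"}


def verdicts(check_mac: bool) -> List[bool]:
    """Forward/drop decision for each constructed frame, in order."""
    guard = IpSourceGuard(BINDINGS, GUARDED, check_mac)
    return [ok for _, ok in filter_frames(guard, FRAMES)]


if __name__ == "__main__":
    for f, ok in zip(FRAMES, verdicts(check_mac=False)):
        print(f"{f.port:9s} {f.src_ip:10s} {'forward' if ok else 'drop'}")
```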

Purple

Layer 2 Security on Cisco Catalyst Platforms

Hi Wilson,

another difference between a PACL and a RACL that you forgot to mention: a PACL is only an ingress feature and a RACL is ingress/egress.

Can you provide a link where it is stated that PACL will have no effect on routed traffic?

Regards

Alain

Don't forget to rate helpful posts.
