New Member

Securing access layer

Hi,

I am looking for ways to secure the access layer. So far, I have port-sec, DTP disabled, unused ports shut, and other ports in a vlan that is not trunked.

Obviously, spoofing MACs to overcome port-sec is not that difficult, so what else can be done to secure the access layer? I read something related to using PVLANs???

Any other tips/advice is appreciated.

Thanks.

9 REPLIES
New Member

Re: Securing access layer

Hi sudip,
A private VLAN is used to restrict communication within a VLAN (subnet).
We configure sub-VLANs inside the main (primary) VLAN.
There are 3 points:
Community -- ports assigned to a community VLAN can talk to each other
Isolated -- cannot talk to any other ports except the promiscuous port
Promiscuous -- port connected to the router
Community and isolated VLANs can talk to the promiscuous port

If you have a DHCP server you can use DHCP snooping to protect from rogue DHCP servers. Also you can opt to configure BPDU guard, loop guard and root guard to keep the integrity of STP. UDLD is also a good feature to avoid loops if you have fiber links.

Hope this helps

Thanks
Shanil



Sent from Cisco Technical Support iPhone App

New Member

Re: Securing access layer

In addition to the above you can have 802.1x authentication for users for a secure access layer.
Regards
Shanil

Sent from Cisco Technical Support iPhone App

New Member

Securing access layer

Thanks Shanil.

How would using PVLANs at the access layer help protect my network from access layer attacks if someone were to bypass port-sec?

I am a bit confused with the PVLAN concept.

Bronze

Securing access layer

I don't know that you would need PVLANs to be honest. They will prevent hosts on the same subnet from talking (unless using the router), i.e. network printers talking to hosts, etc. PVLANs are doable but may cause issues unless you need to isolate every host.

What is the purpose of the network you are building and securing?

- Be sure to rate all helpful posts

New Member

Re: Securing access layer

Dear sudip,

As Schaef mentioned, private VLANs are used to restrict and isolate traffic within a VLAN. Why would anyone need private VLANs?
Commonly, this kind of configuration arises in "shared" environments, say ISP co-location, where it's beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
For securing the access layer you can have a lot of features as mentioned before.

Please go through the below links for more on private VLAN config:
http://blog.ine.com/2008/01/31/understanding-private-vlans/
http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/

Please rate helpful posts..

Thanks
Shanil

Sent from Cisco Technical Support iPhone App

New Member

Re: Securing access layer

Guys,

Correct, that's what my understanding of PVLANs was, but I heard a network engineer with one of the companies we are hiring to do a security audit ask if we used PVLANs to further increase security on ports (beyond port-sec) available to non-employees/guests.

What are some ways to secure ports if someone were to spoof MACs and fool port-sec?

Bronze

Re: Securing access layer

If you use 802.1X you don't have to count on MAC addresses and could use a more advanced method of authentication. MAC auth bypass is the 802.1x method that is susceptible to MAC spoofing as I understand it. That's typically not the default method anyhow...

You could issue certificates to users and/or computers and know who is on what port for sure then. Username/password authentication would be an option as well. I'm not an 802.1x expert though, unfortunately.

- Be sure to rate all helpful posts

New Member

Re: Securing access layer

Thanks guys for your inputs.

Re: Securing access layer

At the company I work for we use 802.1x on all of our access layer switches. We use machine certificates that authenticate back to a RADIUS server.

We then use MAC auth bypass to authenticate non-802.1x-capable machines such as printers and other random devices.

It works pretty well but takes some time to get right and keep it maintained.

Sent from Cisco Technical Support iPhone App
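As an added example (not configuration from any poster in this thread), here is how the measures discussed above fit together on one Catalyst IOS access switch: employee ports behind 802.1X with MAB fallback, guest ports in an isolated private VLAN, DHCP snooping trusting only the uplink, and BPDU guard on every PortFast port. Interface numbers, VLAN IDs, the RADIUS address (192.0.2.10) and the shared-secret placeholder are assumptions, and the commands assume IOS 15.x on a 3560/3750-class switch.

```cisco
! Added example config; assumed: VLAN 10 = employees, VLAN 100/101 = guest primary/isolated PVLAN,
! Gi0/1-20 employee ports, Gi0/21-23 guest ports, Gi0/24 uplink trunk, RADIUS at 192.0.2.10.
vtp mode transparent
vlan 10
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! DHCP snooping: only the trusted uplink may source DHCP offers; host ports stay untrusted
ip dhcp snooping
ip dhcp snooping vlan 10,100,101
!
! BPDU guard on every PortFast port: a BPDU arriving on a host port err-disables the port
spanning-tree portfast bpduguard default
!
! 802.1X with MAB fallback: the port admits a user/machine credential, not a spoofable MAC
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
interface range GigabitEthernet0/1 - 20
 description Employee access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 authentication port-control auto
 authentication order dot1x mab
 dot1x pae authenticator
 mab
!
interface range GigabitEthernet0/21 - 23
 description Guest port: isolated PVLAN, reaches only the promiscuous port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description Uplink trunk; carries the PVLANs to the promiscuous port upstream
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100,101
 switchport nonegotiate
 ip dhcp snooping trust
```

The promiscuous port toward the router (or a promiscuous SVI) lives on the upstream Layer 3 device in this layout, configured with `switchport mode private-vlan promiscuous` and `switchport private-vlan mapping 100 101`. Verify with `show vlan private-vlan`, `show ip dhcp snooping` and `show authentication sessions`.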
