L2 Security

  • Interface command “switchport port-security” enables port security on the port and allows a single MAC to be learned on it.
  • Interface command “switchport port-security maximum x” allows ‘x’ MAC addresses to be learned on that port.
  • To define a static or sticky MAC on an interface, use “switchport port-security mac-address x:x:x”.
  • Violation action:
    • ‘switchport port-security violation shutdown’ : Port is moved to the errdisabled state.
    • ‘switchport port-security violation restrict’ : Port stays UP. Packets from the violating MAC address are dropped and the switch keeps a count of how many packets violated.
    • ‘switchport port-security violation protect’ : Port stays UP. Packets from the violating MAC address are dropped and nothing is recorded.
  • ‘clear port-security dynamic’ clears the violating MAC address from the cache so that the PC can reuse the port.
  • ‘show port-security interface’ shows the port-security status on an interface.
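The difference between the three violation actions is easiest to see as a small state machine. The model below is an added illustration written for these notes, not Cisco code: it keeps a per-port MAC limit, applies the configured action when an unknown MAC shows up after the limit is reached, and reports roughly what ‘show port-security interface’ would. The MAC addresses in the demo are constructed.

```python
"""Model of switchport port-security as described above: a per-port limit on
learned MACs and the three violation actions. Added illustration only, not
Cisco code; the MAC addresses used in demo() are constructed."""


class PortSecurity:
    """One access port with port-security enabled."""

    def __init__(self, maximum=1, violation="shutdown", static_macs=()):
        self.maximum = maximum                # 'switchport port-security maximum x' (default 1)
        self.violation = violation            # 'shutdown' (default), 'restrict' or 'protect'
        self.static = set(static_macs)        # 'switchport port-security mac-address x'
        self.dynamic = []                     # MACs learned dynamically on this port
        self.errdisabled = False
        self.violation_count = 0              # only 'restrict' keeps a count

    def secure_macs(self):
        return self.static | set(self.dynamic)

    def receive(self, src_mac):
        """Handle one ingress frame; return 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"                     # an errdisabled port passes nothing
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.dynamic.append(src_mac)      # room left: learn it as a secure MAC
            return "forward"
        # Unknown MAC and the limit is already reached: a violation.
        if self.violation == "shutdown":
            self.errdisabled = True           # port moves to the errdisabled state
        elif self.violation == "restrict":
            self.violation_count += 1         # port stays up, violation counted
        # 'protect': port stays up, frame dropped, nothing recorded
        return "drop"

    def clear_dynamic(self):
        """'clear port-security dynamic': forget learned MACs so another PC can use the port."""
        self.dynamic.clear()

    def status(self):
        """Roughly what 'show port-security interface' reports."""
        return {
            "status": "errdisabled" if self.errdisabled else "secure-up",
            "max": self.maximum,
            "learned": list(self.dynamic),
            "violations": self.violation_count,
        }


def demo():
    """Run the same (constructed) traffic through each violation mode."""
    traffic = ["0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.aaaa", "0000.1111.cccc"]
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = PortSecurity(maximum=1, violation=mode)
        results[mode] = ([port.receive(m) for m in traffic], port.status())
    return results


if __name__ == "__main__":
    for mode, (verdicts, state) in demo().items():
        print(mode, verdicts, state)
```

With ‘shutdown’, the second MAC takes the whole port down, including the legitimate first host; ‘restrict’ and ‘protect’ keep the port up and only differ in whether the violations are counted.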

Port-based authentication:

  • IEEE 802.1x standard.
  • Combination of AAA authentication and port security.
  • Both switch and host need to support 802.1x, using Extensible Authentication Protocol over LANs (EAPOL), a L2 protocol. Default state of a switch port: unauthenticated.
  • Configuration:
    • Enable AAA:
      • ‘aaa new-model’
    • Configure RADIUS server:
      • ‘radius-server host key xxxx’
    • Configure dot1x to use the RADIUS host for authentication:
      • ‘aaa authentication dot1x default group radius’
    • Enable dot1x:
      • ‘dot1x system-auth-control’
    • Configure ports to use dot1x:
      • By default, when we enable dot1x, all ports are set to “force-authorized”, which means any PC can start communicating with the network.
      • Configure ‘dot1x port-control auto’ to make the PC negotiate with the switch.
    • To allow multiple hosts on a switch port:
      • ‘dot1x host-mode multihost’
    • ‘show dot1x all’

Spoofing attack:

  • DHCP snooping:
    • When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted.
    • DHCP servers are connected to trusted ports and all hosts are on untrusted ports.
    • If the switch receives a DHCP reply on an untrusted port, it drops the packet and moves the port to the errdisable state, thereby blocking replies from rogue servers.
    • Configuration:
      • Enable DHCP snooping:
        • ‘ip dhcp snooping’
      • VLANs where snooping has to be enabled:
        • ‘ip dhcp snooping vlan x’
      • Configure the port connected to the server as trusted:
        • By default, all ports are untrusted.
        • (config-if)# ip dhcp snooping trust
      • Optional: rate-limit DHCP requests on untrusted ports:
        • (config-if)# ip dhcp snooping limit rate x
      • DHCP option-82 insertion is enabled by default:
        • [no] ip dhcp snooping information option
      • show ip dhcp snooping [binding]
  • IP Source Guard:
    • Prevents IP address spoofing. End-user packets are checked so that the source IP is the one assigned by the DHCP server, using the DHCP snooping binding table or a static entry.
    • Checks:
      • Source IP should match the DHCP snooping table. Checked via an IP ACL.
      • Source MAC should match the learned address in the snooping table, checked using port security.
    • Configuration:
      • Static IP source binding:
        • ‘ip source binding <mac> vlan <id> <ip> interface <>’
      • Enable IP Source Guard in interface mode:
        • ‘(config-if)# ip verify source [port-security]’
        • By default, only the source IP is checked.
        • To check the source MAC as well, add the ‘port-security’ keyword.
      • ‘show ip verify source’
      • ‘show ip source binding’
  • Dynamic ARP Inspection (DAI):
    • Prevents ARP spoofing by a rogue host in the same VLAN.
    • The switch intercepts and inspects all ARP packets that arrive on an untrusted port; no inspection is done on trusted ports (which connect to another switch).
    • When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply against the DHCP snooping table or a static entry.
    • By default, no check is done on the Ethernet MAC of the ARP packet.
    • Configuration:
      • Enable DAI on a VLAN:
        • ‘(config)# ip arp inspection vlan x’
      • To configure a trusted port:
        • ‘(config-if)# ip arp inspection trust’
      • To statically configure IP-MAC pairs, use an ARP ACL:
        • ‘(config)# arp access-list <name>’
          • ‘permit ip host <ip> mac host <mac>’
        • ‘(config)# ip arp inspection filter <name> vlan <vlan> [static]’
        • By default, the check is first done against the ARP ACL. If there is no hit, the DHCP binding table is checked. Add the keyword ‘static’ to check only the ARP ACL.
      • To validate the Ethernet MAC of the ARP packet:
        • ‘(config)# ip arp inspection validate …’
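The three features above share one data structure, the DHCP snooping binding table, so one model serves all three passages: DHCP snooping builds the table (and errdisables a port that sources a reply while untrusted), IP Source Guard checks source IP and optionally source MAC against it, and DAI checks ARP sender IP/MAC against the ARP ACL first and then the table, unless ‘static’ is set. This is an added illustration written for these notes, not Cisco code. Port names, VLANs, MAC and IP addresses are constructed; packets are plain arguments rather than real frames; and the Ethernet-MAC validation is modelled as comparing the ARP sender MAC with the Ethernet source MAC, which is an assumption about the elided ‘validate’ option.

```python
"""Model of the DHCP snooping binding table and the two checks layered on it
(IP Source Guard and Dynamic ARP Inspection), following the notes above.
Added illustration only, not Cisco code: ports, VLANs, MACs and IPs are
constructed, and the Ethernet-MAC validation is an assumed interpretation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One row of the snooping table (or a static 'ip source binding')."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    dhcp_trusted: set = field(default_factory=set)   # 'ip dhcp snooping trust' ports
    arp_trusted: set = field(default_factory=set)    # 'ip arp inspection trust' ports
    bindings: set = field(default_factory=set)       # snooping table + static entries
    arp_acls: dict = field(default_factory=dict)     # 'arp access-list <name>' -> {(ip, mac)}
    errdisabled: set = field(default_factory=set)

    # --- DHCP snooping -------------------------------------------------
    def dhcp_reply(self, server_port, client_port, client_mac, ip, vlan):
        """Server reply seen on server_port. Untrusted: drop and errdisable the
        port. Trusted: record the lease for the client's port in the table."""
        if server_port not in self.dhcp_trusted:
            self.errdisabled.add(server_port)
            return "dropped"
        self.bindings.add(Binding(client_mac, ip, vlan, client_port))
        return "learned"

    def ip_source_binding(self, mac, vlan, ip, port):
        """'ip source binding <mac> vlan <id> <ip> interface <port>'."""
        self.bindings.add(Binding(mac, ip, vlan, port))

    # --- IP Source Guard -----------------------------------------------
    def verify_source(self, port, vlan, src_mac, src_ip, port_security=False):
        """'ip verify source [port-security]': source IP must belong to a binding
        on this port/VLAN; with the keyword the source MAC must match as well."""
        for b in self.bindings:
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if not port_security or b.mac == src_mac:
                    return "permit"
        return "deny"

    # --- Dynamic ARP Inspection ----------------------------------------
    def arp_inspect(self, port, vlan, sender_ip, sender_mac, eth_src_mac,
                    acl=None, static=False, validate_eth_mac=False):
        """ARP packet arriving on 'port'. Trusted ports skip inspection; the ARP
        ACL (if applied) is consulted first, then the binding table unless
        'static'; validate_eth_mac is the assumed Ethernet-MAC check."""
        if port in self.arp_trusted:
            return "permit"
        if validate_eth_mac and eth_src_mac != sender_mac:
            return "deny"
        if acl is not None:
            if (sender_ip, sender_mac) in self.arp_acls.get(acl, set()):
                return "permit"
            if static:
                return "deny"                 # 'static': ARP ACL only, no fallback
        for b in self.bindings:
            if b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac:
                return "permit"
        return "deny"


def demo():
    """Constructed scenario: server on Gi1/0/24 (trusted), hosts on Gi1/0/1..3."""
    sw = Switch(dhcp_trusted={"Gi1/0/24"}, arp_trusted={"Gi1/0/24"})
    rogue = sw.dhcp_reply("Gi1/0/5", "Gi1/0/1", "0000.1111.aaaa", "10.0.0.50", 10)
    sw.dhcp_reply("Gi1/0/24", "Gi1/0/1", "0000.1111.aaaa", "10.0.0.11", 10)
    sw.arp_acls["STATIC-HOSTS"] = {("10.0.0.99", "0000.2222.cccc")}
    ok = ("Gi1/0/1", 10, "10.0.0.11", "0000.1111.aaaa", "0000.1111.aaaa")
    return {
        "rogue_reply": rogue,
        "errdisabled": sorted(sw.errdisabled),
        "ipsg_ok": sw.verify_source("Gi1/0/1", 10, "0000.1111.aaaa", "10.0.0.11"),
        "ipsg_spoofed_ip": sw.verify_source("Gi1/0/1", 10, "0000.1111.aaaa", "10.0.0.12"),
        "ipsg_spoofed_mac_ip_only": sw.verify_source("Gi1/0/1", 10, "0000.9999.ffff", "10.0.0.11"),
        "ipsg_spoofed_mac_ps": sw.verify_source("Gi1/0/1", 10, "0000.9999.ffff", "10.0.0.11",
                                                port_security=True),
        "dai_ok": sw.arp_inspect(*ok),
        "dai_spoof": sw.arp_inspect("Gi1/0/2", 10, "10.0.0.11", "0000.3333.dddd", "0000.3333.dddd"),
        "dai_acl_hit": sw.arp_inspect("Gi1/0/3", 10, "10.0.0.99", "0000.2222.cccc", "0000.2222.cccc",
                                      acl="STATIC-HOSTS"),
        "dai_acl_fallback": sw.arp_inspect(*ok, acl="STATIC-HOSTS"),
        "dai_acl_static_miss": sw.arp_inspect(*ok, acl="STATIC-HOSTS", static=True),
        "dai_eth_mismatch": sw.arp_inspect("Gi1/0/1", 10, "10.0.0.11", "0000.1111.aaaa",
                                           "0000.3333.dddd", validate_eth_mac=True),
        "dai_trusted": sw.arp_inspect("Gi1/0/24", 10, "10.0.0.11", "0000.3333.dddd", "0000.3333.dddd"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The ipsg_spoofed_mac_ip_only case is the one worth noticing: without the ‘port-security’ keyword a host that keeps its leased IP but changes its MAC still passes IP Source Guard, which is why the notes list the keyword separately.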

VLAN Access List (VACL):

  • VACLs are filters that directly affect how packets are handled within a VLAN.
  • Configured similarly to a route-map, with match conditions and action items.
  • Merged into the TCAM table.
  • Configuration:
    • ‘(config)# vlan access-map <name>’
      • match {ip | mac} address <acl name>
      • action {drop | forward | redirect}
    • ‘(config)# vlan filter <name> vlan-list <vlan>’

Private VLAN

Securing VLAN trunks:

  • Prevent DTP messages from being exchanged with end hosts: configure ‘switchport mode access’.
  • VLAN hopping:
    • A crafted packet from one VLAN can be passed to another VLAN provided the following conditions hold:
      • The host is connected to an access port of a switch that accepts tagged packets.
      • The switch has an 802.1Q trunk with the host’s VLAN as the native VLAN.
    • The double-tagged packet from the attacker is accepted by the switch and passes over the trunk to another switch with the outer (native) tag removed. On reaching the other switch, this packet passes into the VLAN of the inner tag.
    • VLAN hopping cannot happen on newer platforms, where access ports block tagged packets.
    • VLAN hopping can be avoided by:
      • Setting the native VLAN to an unused VLAN ID.
      • Pruning the native VLAN from the trunk, or configuring the switch to send native VLAN packets tagged with the native VLAN ID. Command: ‘(config)# vlan dot1q tag native’
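The double-tag path and each of the countermeasures above come down to where the outer tag is removed. The model below is an added illustration written for these notes, not Cisco code: it walks a frame through switch A’s access port, A’s trunk egress and switch B’s trunk ingress, and returns the VLAN switch B ends up forwarding in. The 802.1Q header layout (TPID 0x8100 followed by a 2-byte TCI whose low 12 bits are the VID) is real; the MACs, VLAN numbers and the simplified switch behaviour are constructed assumptions.

```python
"""Model of the double-tagged VLAN hopping path described above and of the
listed countermeasures. Added illustration only, not Cisco code: the 802.1Q
header layout is real, the MACs, VLAN numbers and simplified switch
behaviour are constructed assumptions."""
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vlans, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP/DEI = 0
    return hdr + payload


def pop_tag(frame):
    """If the frame carries an 802.1Q tag, return (vid, frame without that tag)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    """Insert an 802.1Q tag right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan, drop_tagged):
    """Switch A host port. Returns (vlan, frame as held internally) or None if
    dropped. Older platforms accepted a frame tagged with the port's own VLAN
    (assumption: consuming that tag); newer ones drop any tagged frame."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if drop_tagged or vid != access_vlan:
        return None
    return access_vlan, inner          # outer tag consumed; anything after it stays


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch A trunk towards B: native-VLAN frames leave untagged unless
    'vlan dot1q tag native' is configured."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch B trunk: untagged frames belong to the native VLAN, tagged ones
    to the VLAN in their (outer) tag."""
    vid, _ = pop_tag(frame)
    return native_vlan if vid is None else vid


def deliver(frame, access_vlan, native_vlan, drop_tagged=False, tag_native=False):
    """VLAN in which switch B forwards the host's frame, or None if A dropped it."""
    res = access_ingress(frame, access_vlan, drop_tagged)
    if res is None:
        return None
    vlan, held = res
    return trunk_ingress(trunk_egress(vlan, held, native_vlan, tag_native), native_vlan)


def demo():
    """Constructed double-tagged frame from a host in VLAN 10 with inner tag 20."""
    host = bytes.fromhex("000011110001")
    bcast = bytes.fromhex("ffffffffffff")
    frame = build_frame(bcast, host, [10, 20], b"\x08\x00" + b"\x00" * 46)
    return {
        "legacy_native_10": deliver(frame, 10, 10),                 # ends up in VLAN 20
        "access_drops_tagged": deliver(frame, 10, 10, drop_tagged=True),
        "unused_native": deliver(frame, 10, 999),                    # stays in VLAN 10
        "tag_native": deliver(frame, 10, 10, tag_native=True),       # stays in VLAN 10
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:22} -> {vlan}")
```

Only the first case lets the inner tag become the outer tag on the wire between the switches; with an unused native VLAN or ‘vlan dot1q tag native’, switch A always prepends a tag for VLAN 10, so switch B classifies the frame by that tag and the inner 20 stays inert payload.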


This entry was posted in L2 switch.