Skip Links

Layer 2 Best Practices, and Protecting Layer 2 using Cisco Catalyst Switches

By on Mon, 08/04/08 - 12:39pm.

The Data Link layer (Layer 2 of the OSI model) is the most complex of all the layers, as it provides the primary functional interface to transfer data between network entities with interoperability and interconnectivity to other layers, thus; being most vulnerable and most important layer to be secured from a network perspective. As we commonly say; "Network security is only as strong as the weakest link" - and Layer 2 is no exception.

Most experts design and implement top-class security solutions for the upper layers (OSI Layers 3 and above), however, it does not help if Layer 2 is compromised. I strongly recommend all to revisit your Layer 2 security posture and assess your Layer 2 network to ensure it is well protected. Having said that, if you are using Cisco switches, you can take advantage of the wide range of security features available to protect Layer 2.

I am providing a snip of Layer 2 Security Best Practices from my recent Cisco Press book "Network Security Technologies and Solutions". Here is a list of best practices for implementing, managing, and maintaining a secure Layer 2 network: "Snip from my book, Chapter 4 - Network Security Technologies and Solutions"

Layer 2 Security Best Practices

• Manage the switches in a secure a manner. For example, use SSH, authentication mechanism, access list, and set privilege levels.

• Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.

• Always use a dedicated VLAN ID for all trunk ports.

• Be skeptical; avoid using VLAN 1 for anything.

• Disable DTP on all non-trunking access ports.

• Deploy the Port Security feature to prevent unauthorized access from switching ports.

• Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.

• Use MD5 authentication where applicable.

• Disable CDP where possible.

• Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.

• Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.

• Use port security mechanisms to provide protection against a MAC flooding attack.

• Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.

• Enable Spanning Tree Protocol features (for example, BPDU Guard, Loopguard, and Root Guard).

• Use Switch IOS ACLs and Wire-speed ACLs to filter undesirable traffic (IP and non-IP).

In addition, below is a quick summary list of some of the security features available on Cisco Catalyst switches to protect Layer 2.

- Port-Level Traffic Controls

- Storm Control

- Protected Ports (PVLAN Edge)

- Private VLAN (PVLAN) - Port Blocking - Port Security

- Access-lists on Switches (Router ACL, Port ACL, VLAN ACL (VACL) & MAC ACL)

- Spanning-Tree Protocol Features (BPDU Guard, Root Guard, EtherChannel Guard & Loop Guard)

- DHCP Snooping - IP Source Guard

- Dynamic ARP Inspection (DAI) - Rate Limiting Incoming ARP Packets

- ARP Validation Checks

- Control plane policing (CoPP) Feature - CPU Rate Limiters

You can either read Chapter 4 of my book for more details or visit the Cisco technical documentation website below to get more details of these features and how to configure them;

Homepage: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/scg.html

Configuring PVLAN (Private VLANs) http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swpvlan.html

Switch-Based Authentication http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swauthen.html

IEEE 802.1x Port-Based Authentication http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html

Configuring DHCP Features and IP Source Guard http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html

Configuring Dynamic ARP Inspection http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdynarp.html

Configuring Port-Based Traffic Control http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html

Configuring Network Security with ACLs http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html

Hope that helps you with kick-start information for protecting your Layer 2 network security.

All the best!

Regards,

Yusuf Bhaiji