Tor's Tech Talk

5.7 - Layer 2 Security Features

Greetings, Tech Talkers!


This is Tor, your trusted network engineering uplink! Today, we're delving into the essential Layer 2 Security Features that help protect your network at the data link layer. While securing Layer 3 and above is crucial, vulnerabilities at Layer 2 can be exploited to compromise the entire network.


In this article, we'll explore common Layer 2 threats, key security features to mitigate them, and how to implement these features on Cisco switches. By the end, you'll have a solid understanding of how to fortify your network against Layer 2 attacks.


Let's get started!


Understanding Layer 2 Threats


Common Layer 2 Attacks:


  1. MAC Address Spoofing:

  • Attackers impersonate a legitimate device by changing their MAC address, potentially intercepting traffic or gaining unauthorized access.


  2. MAC Flooding (CAM Table Overflow):

  • Attackers flood the switch's CAM (Content Addressable Memory) table with fake MAC addresses until it is full; the switch then floods frames for unknown destinations out of every port in the VLAN, behaving like a hub.


  3. DHCP Spoofing:

  • Malicious DHCP servers provide incorrect IP configurations to clients, redirecting traffic or enabling man-in-the-middle attacks.


  4. ARP Spoofing/Poisoning:

  • Attackers send forged ARP messages to associate their MAC address with the IP address of a legitimate device, intercepting traffic.


  5. Spanning Tree Protocol (STP) Manipulation:

  • Attackers manipulate STP to alter the network topology, causing disruptions or redirecting traffic.


  6. VLAN Hopping:

  • Exploiting switch misconfigurations to send traffic into VLANs the attacker is not authorized to reach.


Key Layer 2 Security Features


  1. Port Security:

  • Controls access to a switch port based on source MAC addresses.

  • Limits the number of MAC addresses that can connect to a port.


  2. DHCP Snooping:

  • Monitors DHCP messages and filters untrusted DHCP traffic.

  • Prevents rogue DHCP servers from providing IP configurations, and builds the binding table (MAC, IP, VLAN, port) that DAI and IP Source Guard rely on.


  3. Dynamic ARP Inspection (DAI):

  • Intercepts and validates ARP packets received on untrusted ports.

  • Prevents ARP spoofing attacks by ensuring ARP requests and replies match the DHCP snooping binding table.


  4. IP Source Guard:

  • Filters IP traffic on untrusted Layer 2 ports.

  • Uses the DHCP snooping binding table to verify IP-MAC bindings.


  5. Storm Control:

  • Monitors traffic levels and suppresses broadcast, multicast, or unknown-unicast storms once a configured threshold is exceeded.


  6. BPDU Guard and BPDU Filtering:

  • Protects the Spanning Tree Protocol (STP) topology.

  • BPDU Guard err-disables ports that receive unexpected BPDU packets; BPDU Filtering stops a port from sending or processing BPDUs at all.


  7. Root Guard:

  • Prevents a port from becoming a root port, so no switch behind it can take over as the STP root bridge.

  • Maintains network topology integrity.


  8. VLAN Access Control Lists (VACLs):

  • Filters traffic within VLANs.

  • Controls inter-VLAN communication.


Configuring Port Security


Example Scenario:


Objective: Configure port security on interface `FastEthernet0/1` to allow only one specific MAC address and shut down the port if a violation occurs.


Configuration Steps:


  1. Enter Interface Configuration Mode:

Switch(config)# interface FastEthernet0/1

  2. Enable Port Security (the port must be a static access port first):

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security

  3. Specify Allowed MAC Address:


Static MAC Address:

Switch(config-if)# switchport port-security mac-address [MAC Address]

Example:

Switch(config-if)# switchport port-security mac-address 0050.56BE.ABCD

Alternatively, set the port to learn the MAC address dynamically and keep it in the running configuration (sticky learning):

Switch(config-if)# switchport port-security mac-address sticky

  4. Set Maximum Number of MAC Addresses (static entries count toward this limit):

Switch(config-if)# switchport port-security maximum 1

  5. Configure Violation Action:


Shutdown the Port on Violation (the port enters the err-disabled state and stays there until an administrator re-enables it or error-disable recovery is configured):

Switch(config-if)# switchport port-security violation shutdown

Other Options:

protect: Discards frames from unknown MAC addresses silently, with no log message and no violation counter increment.

restrict: Discards frames from unknown MAC addresses, increments the violation counter and generates a log message (and an SNMP trap, if configured).


  6. Verify Configuration:

Switch# show port-security interface FastEthernet0/1
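To make the three violation modes concrete, here is an added model of how a port-security port learns addresses and reacts to an unknown source MAC (example code written for this article, not Cisco's implementation; the class name, fields and log strings are constructed):

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one switchport running port-security (constructed, not Cisco code)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    static: set = field(default_factory=set)   # port-security mac-address X
    learned: set = field(default_factory=set)  # dynamically / sticky learned
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.static = {m.lower() for m in self.static}

    def allowed(self):
        # Static entries count toward the maximum just like learned ones.
        return self.static | self.learned

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:            # after a shutdown violation nothing passes
            return False
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            self.learned.add(src_mac)    # room left under the limit: learn it
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac):
        """Apply the configured violation mode; the frame is always dropped."""
        if self.violation == "protect":
            return False                 # silent discard, no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"violation on {self.name}: {src_mac}")
            return False
        # shutdown: err-disable the port until an admin brings it back
        self.err_disabled = True
        self.log.append(f"{self.name} err-disabled by {src_mac}")
        return False
```

The scenario above (maximum 1, one static MAC, shutdown mode) means the second distinct source MAC takes the whole port down, including the legitimate host, so restrict is often the better choice on ports where that outage is unacceptable.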

Configuring DHCP Snooping


Example Scenario:


Objective: Enable DHCP snooping on VLAN 10 to prevent rogue DHCP servers.


Configuration Steps:


  1. Enable DHCP Snooping Globally:

Switch(config)# ip dhcp snooping

  2. Enable DHCP Snooping for VLAN 10:

Switch(config)# ip dhcp snooping vlan 10

  3. Configure Trusted Interfaces:


Trust the Interface Connected to the DHCP Server (or the uplink toward it):

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

All other interfaces remain untrusted by default, so DHCP server messages (OFFER, ACK, NAK) arriving on them are dropped.


  4. (Optional) Limit DHCP Rate on untrusted access ports (packets per second; a port that exceeds its limit is err-disabled):

Switch(config)# interface FastEthernet0/1
Switch(config-if)# ip dhcp snooping limit rate 10
Switch(config-if)# exit

  5. Verify Configuration:

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding

Configuring Dynamic ARP Inspection (DAI)


Prerequisites:


  • DHCP Snooping Must Be Enabled: DAI relies on the DHCP snooping binding table.


Example Scenario:


Objective: Enable DAI on VLAN 10 to prevent ARP spoofing attacks.


Configuration Steps:


  1. Enable DAI for VLAN 10:

Switch(config)# ip arp inspection vlan 10

  2. Configure Trusted Interfaces:


Trust Uplink Interfaces (ports toward other switches; ARP packets arriving on trusted ports are not inspected):

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

All other interfaces remain untrusted by default, and ARP packets received on them are validated against the DHCP snooping binding table.

  3. (Optional) Configure ARP Rate Limiting (packets per second; 15 is also the default on untrusted ports, and a port that exceeds its limit is err-disabled):

Switch(config)# interface FastEthernet0/1
Switch(config-if)# ip arp inspection limit rate 15
Switch(config-if)# exit

  4. Verify Configuration:

Switch# show ip arp inspection
Switch# show ip arp inspection interfaces

Configuring IP Source Guard


Prerequisites:


  • DHCP Snooping Must Be Enabled.


Example Scenario:


  • Objective: Enable IP Source Guard on interface `FastEthernet0/1`.


Configuration Steps:


  1. Enter Interface Configuration Mode:

Switch(config)# interface FastEthernet0/1

  2. Enable IP Source Guard:


  • Based on Source IP and MAC Address (requires port security to be enabled on the interface):

Switch(config-if)# ip verify source port-security

  • Based on Source IP Only:

Switch(config-if)# ip verify source

  3. Verify Configuration:

Switch# show ip verify source
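Both DAI and IP Source Guard make the same kind of decision: look up the ingress port and VLAN in the DHCP snooping binding table and compare the packet's claimed addresses against it. The following added example (written for this article, not Cisco code) parses a constructed sample of `show ip dhcp snooping binding` output and applies the two checks to sample ARP and IP packets; the trusted-port set, function names and sample addresses are assumptions.

```python
import re

# Constructed sample shaped like `show ip dhcp snooping binding` output.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:BE:AB:CD   10.10.10.25      85901       dhcp-snooping   10   FastEthernet0/1
00:50:56:BE:11:22   10.10.10.26      85788       dhcp-snooping   10   FastEthernet0/2
Total number of bindings: 2
"""

# One binding row: MAC, IP, lease, type, VLAN, interface (header/footer lines do not match).
ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)\s*$")
TRUSTED = {"GigabitEthernet0/1"}   # uplink configured with `ip arp inspection trust`


def parse_bindings(text):
    """Build {(vlan, interface): {mac: ip}} from the show-command text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, vlan, intf = m.groups()
            table.setdefault((int(vlan), intf), {})[mac.lower()] = ip
    return table


def dai_check(table, vlan, intf, sender_mac, sender_ip):
    """DAI: on an untrusted port the ARP sender MAC/IP pair must match a binding
    learned on that same port and VLAN; trusted ports are not inspected."""
    if intf in TRUSTED:
        return True
    return table.get((vlan, intf), {}).get(sender_mac.lower()) == sender_ip


def ipsg_check(table, vlan, intf, src_mac, src_ip, port_security=True):
    """IP Source Guard: the source IP must be bound to this port; with
    `ip verify source port-security` the source MAC must match as well."""
    bindings = table.get((vlan, intf), {})
    if port_security:
        return bindings.get(src_mac.lower()) == src_ip
    return src_ip in bindings.values()
```

Running the checks shows why the binding table is keyed by port: a host reusing another port's valid MAC/IP pair is still dropped, which is exactly the case a gratuitous-ARP poisoning attempt relies on.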

Configuring BPDU Guard


Example Scenario:


  • Objective: Enable BPDU Guard on access ports to protect STP topology.


Configuration Steps:


  1. Enable BPDU Guard Globally:

Switch(config)# spanning-tree portfast bpduguard default

Applies BPDU Guard to all interfaces with PortFast enabled; a PortFast port that receives a BPDU is placed in the err-disabled state.

  2. Alternatively, Enable BPDU Guard on a Specific Interface:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# spanning-tree bpduguard enable

  3. Verify Configuration:

Switch# show spanning-tree interface FastEthernet0/1 detail

Best Practices for Layer 2 Security


  1. Disable Unused Ports:

  • Shut down unused interfaces and place them in an unused VLAN, sometimes called a "Blackhole" VLAN.

A suspended blackhole VLAN can be created for this purpose using the commands below:

Switch(config)# vlan 999
Switch(config-vlan)# name BLACKHOLE
Switch(config-vlan)# state suspend


  2. Implement Port Security:

  • Limit the number of MAC addresses per port.

  • Use sticky MAC addresses for dynamic learning.


  3. Enable DHCP Snooping, DAI, and IP Source Guard:

  • Protect against DHCP spoofing and ARP attacks.


  4. Secure STP:

  • Use BPDU Guard, Root Guard, and Loop Guard to maintain topology integrity.


  5. Use VLANs Appropriately:

  • Segment the network to limit broadcast domains and enhance security.


  6. Regularly Update Switch Firmware:

  • Patch vulnerabilities and improve performance.


  7. Monitor and Log Activities:

  • Use syslog and SNMP traps to monitor security events.


  8. Educate Network Users:

  • Promote security awareness among staff and users.


Wrapping It Up


Securing Layer 2 is a critical aspect of network defense. By understanding common threats and implementing Layer 2 security features, you can protect your network from various attacks that exploit vulnerabilities at the data link layer.


Until next time, Tech Talkers, keep your networks secure from the ground up!


Thanks,

Tor – Your trusted network engineering uplink
