Best Security Practices to Protect Layer 2


Page 1: Best Security Practices to Protect Layer 2

Root Guard, BPDU Guard and BPDU Filter

Network attackers can launch different types of attacks on Spanning Tree Protocol (STP). One type of STP attack is to inject superior BPDUs into the Layer 2 network. A superior BPDU is a BPDU that carries a lower Bridge ID. In a normal network, superior BPDUs are generated only by the Root Bridge. If any other switch generates a superior BPDU, STP recalculations happen and the switch that generated the superior BPDU becomes the new Root Bridge.

By injecting superior BPDUs into the Layer 2 network, an attacker can trigger STP recalculations and finally force a re-convergence of the spanning tree. Attackers can carry out STP attacks by adding a rogue switch configured with a lower Bridge ID, or by using software that is freely available for download.

When a new rogue Root Bridge is introduced into the STP topology, traffic from the other switches starts flowing via the rogue Root Bridge. The attacker can then capture the network traffic and look for sensitive data.

Cisco switches have different features for protection against STP attacks. Root Guard, BPDU Guard and BPDU Filter are some of the features available for protection against STP related attacks.

Root Guard, BPDU Guard and BPDU Filter

Root Guard: Root Guard protects against the STP topology attack of replacing the original Root Bridge with a rogue root switch. When a Root Guard enabled switch port receives a superior BPDU from a rogue switch, the port is put into the root-inconsistent state, which enforces the position of the original Root Bridge. Once the port is in the root-inconsistent state (similar to the STP listening state), no user data is sent via that port.


BPDU Guard: BPDU Guard is typically implemented on an access port configured with PortFast. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to errdisable.


BPDU Filter: BPDU Filter is also typically implemented on an access port configured with PortFast. BPDU Filter stops the switch from generating BPDUs on an access port configured with PortFast.


Root Guard protects against the STP topology attack of replacing the original Root Bridge with a rogue Root Bridge. When a Root Guard enabled switch port receives a superior BPDU from a rogue switch, the port is put into the root-inconsistent state, which enforces the position of the original Root Bridge. Once the port is in the root-inconsistent state (similar to the STP listening state), no user data is sent via that port. However, once the flow of superior BPDUs stops, the port automatically returns to the forwarding state. In other words, the Root Guard feature of Cisco switches prevents a Designated Port from becoming a Root Port.

Root Guard can be enabled on switch ports that are connected to other switches which should never become the Root Bridge. For example, a port on a distribution layer switch that is connected to an access layer switch can be Root Guard enabled, because the access layer switch should never become the Root Bridge.

 

How to configure Root Guard in Cisco Switches

To enable Root Guard, use the following commands.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

To disable Root Guard, use the following commands.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#no spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

What is BPDU Guard and how to configure BPDU Guard in Cisco Switches

The BPDU Guard feature is used to protect the Layer 2 STP topology from BPDU related attacks. BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device. If a switch port is configured with the STP PortFast feature, it must be connected to an end device (for example a workstation, server or printer). PortFast is enabled only on access ports, to speed up the transition of the access port to the STP forwarding state. End devices are not supposed to generate BPDUs, because in a normal network environment BPDU messages are exchanged only between network switches.

BPDU Guard can be enabled globally at Global configuration mode or per interface at Interface configuration mode. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to errdisable.

How to configure BPDU Guard Globally at Global Configuration Mode

The following configuration commands enable BPDU Guard by default on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Guard on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to configure BPDU Guard per interface at Interface Configuration Mode

The following configuration commands enable BPDU Guard on an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard enable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Guard on an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard disable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 


What is BPDU Filter and how to configure BPDU Filter in Cisco Switches

The BPDU Filter feature can also be enabled on an access port that should never receive a BPDU (for example, a port connected to an end device such as a workstation or a server). If a switch port is configured with the STP PortFast feature, it must be connected to an end device. STP PortFast is enabled only on access ports, to speed up the transition of the access port to the STP forwarding state. End devices are not supposed to generate BPDUs, because in a normal network environment BPDU messages are exchanged only between network switches.

BPDU Filter can be enabled globally at Global configuration mode or per interface at Interface configuration mode.

BPDU Filter acts in two different ways depending on whether it is configured at the global level or at the interface level. If BPDU Filter is enabled at the global level, it is applied to all STP PortFast enabled ports. If any BPDU is received on such a port, the PortFast feature is disabled on that port and the port becomes a normal STP port.

When BPDU Filter is enabled at the interface level, the port neither sends BPDUs nor processes received BPDUs. This behaviour completely disables STP on that interface. Beware: this can damage the network by forming a Layer 2 switching loop if a switch is accidentally connected to a port where BPDU Filter is enabled at the interface level.
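The behaviour of the three features described above can be reduced to a small decision model. The following Python is an added example, not code from the original page or from Cisco: the Bridge ID ordering follows the IEEE 802.1D/802.1t encoding (16-bit priority field, then bridge MAC), while the state labels, feature names and sample Bridge IDs are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BridgeId:
    """STP Bridge ID: 4-bit priority + 12-bit extended system ID (VLAN), then bridge MAC."""
    priority: int   # multiple of 4096 in 0..61440; Cisco default is 32768
    vlan: int       # extended system ID, normally the VLAN number
    mac: str        # dotted form, e.g. "0000.ab19.c600" (constructed sample values)

    def as_key(self):
        # Lower key wins the root election: 16-bit priority field first, then MAC.
        mac_int = int(self.mac.replace(".", "").replace(":", ""), 16)
        return (self.priority + self.vlan, mac_int)


def is_superior(advertised_root: BridgeId, current_root: BridgeId) -> bool:
    """True when a received BPDU advertises a lower (better) Root Bridge ID."""
    return advertised_root.as_key() < current_root.as_key()


def port_after_bpdu(feature: Optional[str], prior_state: str,
                    current_root: BridgeId, advertised_root: Optional[BridgeId]) -> str:
    """State of a PortFast edge port after one BPDU interval.

    feature: None, "root-guard", "bpdu-guard", "bpdu-filter-global" or
    "bpdu-filter-interface" (hypothetical labels used by this model).
    advertised_root: Root Bridge ID carried by the received BPDU, or None
    when no BPDU arrived in this interval.
    """
    if prior_state == "err-disabled":
        # BPDU Guard shut the port; it stays down until an administrator (or
        # errdisable recovery) brings it back, whatever arrives now.
        return "err-disabled"
    if advertised_root is None:
        # No BPDU: a root-inconsistent port returns to forwarding on its own.
        return "forwarding"
    if feature == "bpdu-guard":
        return "err-disabled"            # any BPDU at all errdisables the port
    if feature == "bpdu-filter-interface":
        return "forwarding"              # BPDU ignored: STP is off here (loop risk)
    if feature == "bpdu-filter-global":
        return "listening"               # PortFast removed, normal STP convergence
    superior = is_superior(advertised_root, current_root)
    if feature == "root-guard":
        return "root-inconsistent" if superior else "forwarding"
    # No protection at all: a superior BPDU makes the sender the new root.
    return "new-root-elected" if superior else "forwarding"
```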

 

How to configure BPDU Filter Globally at Global Configuration Mode

The following configuration commands enable BPDU Filter by default on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#spanning-tree portfast edge bpdufilter default
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Filter on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpdufilter default
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to configure BPDU Filter per interface at Interface Configuration Mode

The following configuration commands enable BPDU Filter on an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpdufilter enable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Filter on an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpdufilter disable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

DHCP Starvation attacks and DHCP spoofing attacks

Another type of network attack, targeted at DHCP servers, is known as a DHCP starvation attack. In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses. If the legitimate DHCP server in the network responds to all these bogus DHCP REQUEST messages, the available IP addresses in the DHCP server scope are depleted within a very short span of time.

Once the available IP addresses in the DHCP server are depleted, the attacker can set up a rogue DHCP server and respond to new DHCP requests from the network's DHCP clients. With a rogue DHCP server in place, the attacker can now launch a DHCP spoofing attack.

What is DHCP spoofing attack

After a DHCP starvation attack and setting up a rogue DHCP server, the attacker can start distributing IP addresses and other TCP/IP configuration settings to the network's DHCP clients. These TCP/IP configuration settings include the Default Gateway and DNS server IP addresses. The attacker can now replace the legitimate Default Gateway IP address and DNS server IP address with their own IP address.

Once the Default Gateway IP address of the network devices is changed, the network clients start sending traffic destined for outside networks to the attacker's computer. The attacker can now capture sensitive user data and launch a man-in-the-middle attack. This is called a DHCP spoofing attack. The attacker can also set up a rogue DNS server, divert end user traffic to fake web sites and launch phishing attacks.

How to configure DHCP Snooping

DHCP snooping is a DHCP security feature which provides protection from DHCP starvation attacks by filtering untrusted DHCP messages.

DHCP snooping classifies switch ports as "trusted" and "untrusted". This lets the switch differentiate between untrusted interfaces (where DHCP clients are connected) and trusted interfaces (where a DHCP server or other switches are connected).

Trusted ports (where a DHCP server or other switches are connected) can source all types of DHCP messages, including DHCPOFFER messages.

Untrusted ports are the ports where DHCP clients are connected. Untrusted switch ports cannot source DHCP messages such as DHCPOFFER, DHCPACK and DHCPNAK, which are normally generated by a DHCP server. By default, all switch ports are untrusted.

When DHCP snooping is enabled, Cisco switches build a table known as the DHCP snooping binding database (also known as the DHCP snooping binding table).

The DHCP snooping binding table is used to identify and filter untrusted DHCP messages in the network. It keeps track of the DHCP addresses assigned to devices on untrusted switch ports, and each entry includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number and interface.

When a switch receives a packet on an untrusted switch port where DHCP snooping is enabled, the packet is permitted or denied with the help of the information stored in the DHCP snooping binding table.

The packet is denied when

• DHCP server related messages (for example DHCPOFFER, DHCPACK or DHCPNAK) are received on an untrusted switch port.

• The source MAC address does not match the MAC address in the DHCP binding table entry.

How to enable DHCP snooping globally

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to enable DHCP snooping on a specific VLAN

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to configure a switch port as trusted

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip dhcp snooping trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to view the DHCP snooping database

OmniSecuSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
00:00:AB:2A:FE:00   172.16.10.182    690512      dhcp-snooping  500   Gigabitethernet0/3
00:00:AB:F7:D0:00   172.16.10.181    690512      dhcp-snooping  500   Gigabitethernet0/4
00:00:AB:93:82:00   172.16.10.185    690518      dhcp-snooping  500   Gigabitethernet0/5
Total number of bindings: 5

 

How to view the DHCP Snooping configuration

 

OmniSecuSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
500
DHCP snooping is operational on following VLANs:
500
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.0100 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
Custom circuit-ids:

OmniSecuSW1#

ARP Spoofing attack

An Address Resolution Protocol (ARP) spoofing attack is a type of network attack where an attacker sends fake ARP messages inside a Local Area Network (LAN), with the aim of diverting and intercepting network traffic.

In normal ARP operation, when a network device sends an ARP request (as a broadcast) to find the MAC address corresponding to an IPv4 address, the ARP reply comes from the legitimate network device configured with the IPv4 address that matches the ARP request. The ARP reply is cached by the requesting device in its ARP table.

A network attacker can abuse ARP operation by responding to an ARP request and claiming to have the requested IPv4 address. Once the attacker's MAC address is mapped to a legitimate IPv4 address, the attacker begins receiving any data intended for that IPv4 address. The attacker can now launch a man-in-the-middle attack and start capturing the network traffic for sensitive user data.

An attacker can also broadcast a Gratuitous ARP message with the IPv4 address of the default gateway. Gratuitous ARP is a broadcast packet used by network devices to announce a change in their IPv4 address or MAC address. By sending a Gratuitous ARP message with the IPv4 address of the default gateway, the attacker can pose as the default gateway and capture all the network traffic leaving the Local Area Network (LAN).

Preventing ARP spoofing attacks with Dynamic ARP inspection (DAI)

Dynamic ARP Inspection (DAI) is a feature which can be used to prevent ARP spoofing attacks. DAI can be enabled on switches. When enabled, DAI verifies IPv4 address to MAC address bindings. If a mismatch is detected on an untrusted port, DAI discards the spoofed ARP packets. DAI uses the DHCP snooping binding database to validate bindings, and it only inspects ARP packets received on untrusted ports.

DAI can be enabled globally per VLAN using the command "ip arp inspection vlan <vlan-id>". By default, all ports are untrusted. To configure a port as trusted, use the command "ip arp inspection trust" at the interface level.

How to enable Dynamic ARP Inspection (DAI) on a specific VLAN

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to configure a switch port as trusted

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit

IP spoofing attacks and IP Source Guard (IPSG)

An IP address spoofing attack is a type of attack in which an attacker forges the source Internet Protocol (IP) address of IP datagrams to make it appear as though the packets are coming from another valid IP address. In IP address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other systems or to hide the identity of the sender.

When enabled, the IP Source Guard (IPSG) feature can mitigate IP spoofing attacks. IPSG helps ensure that network devices use only their assigned IP addresses.

IPSG uses the information in the DHCP snooping binding database to dynamically create port ACLs. IPSG can also use static IP binding entries. IPSG permits only IP traffic whose source IP address matches an entry in the DHCP snooping binding database. Thus IPSG prevents a network device from transmitting an IP datagram with a source IP address other than the one assigned to it via Dynamic Host Configuration Protocol (DHCP).

Make sure that the DHCP snooping feature is configured properly before carrying out these configuration steps (see the DHCP snooping section above).

 

How to enable IP Source Guard (IPSG) feature with IP source check

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip verify source
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to verify IP Source Guard (IPSG) with the IP source check

 

OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip           active       172.16.10.175                       1

 

How to enable IP Source Guard (IPSG) feature with IP and MAC source check

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport port-security
OmniSecuSW1(config-if)#ip verify source port-security
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to verify IP Source Guard (IPSG) with the IP and MAC source check

 

OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       172.16.10.175    00:00:AB:5E:C9:00  1

 

How to view the IP source bindings

 

OmniSecuSW1#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping  1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping  1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping  1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping  1     Ethernet0/2
Total number of bindings: 4
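DHCP snooping, DAI and IPSG all make their decisions from the same binding table shown above. The following Python is an added example, not code from the original page or from Cisco: it parses a constructed `show ip dhcp snooping binding` excerpt and applies the three checks the text describes (server messages on untrusted ports, ARP sender bindings, source IP/MAC per port); the function names and the sample rows are this example's own assumptions.

```python
import re
from typing import List, NamedTuple, Optional


class Binding(NamedTuple):
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


# Constructed sample in the layout of `show ip dhcp snooping binding`.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
Total number of bindings: 2
"""

_ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"      # MAC
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+\S+\s+"       # IP, lease, type
    r"(\d+)\s+(\S+)$"                                   # VLAN, interface
)


def parse_bindings(text: str) -> List[Binding]:
    """Turn the show output into Binding records; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            mac, ip, lease, vlan, intf = m.groups()
            rows.append(Binding(mac.upper(), ip, int(lease), int(vlan), intf))
    return rows


SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def dhcp_snooping_allows(port_trusted: bool, msg_type: str) -> bool:
    """Server-originated DHCP messages are only accepted from trusted ports."""
    return port_trusted or msg_type not in SERVER_MESSAGES


def dai_allows(bindings: List[Binding], port_trusted: bool, vlan: int,
               sender_mac: str, sender_ip: str) -> bool:
    """Dynamic ARP Inspection: on an untrusted port the ARP sender MAC/IP pair must
    match a DHCP snooping binding in that VLAN, otherwise the ARP packet is dropped."""
    if port_trusted:
        return True
    return any(b.vlan == vlan and b.mac == sender_mac.upper() and b.ip == sender_ip
               for b in bindings)


def ipsg_allows(bindings: List[Binding], interface: str, src_ip: str,
                src_mac: Optional[str] = None) -> bool:
    """IP Source Guard: the source IP (and, with `ip verify source port-security`,
    also the source MAC) must match a binding learned on the ingress interface."""
    for b in bindings:
        if b.interface == interface and b.ip == src_ip:
            if src_mac is None or b.mac == src_mac.upper():
                return True
    return False
```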

What are PVLANs (Private VLANs) - Promiscuous, Isolated and Community PVLAN ports

Virtual LANs (VLANs) are used to create separate broadcast domains within a Local Area Network (LAN). A VLAN is a broadcast domain and is also a separate IP subnet. VLANs limit broadcasts to a specified set of devices.

Private VLANs (PVLANs) divide a broadcast domain into multiple broadcast sub-domains. The PVLAN feature allows further isolation of devices within the same VLAN: PVLANs provide Layer 2 isolation between ports within the same broadcast domain.

The PVLAN feature is used to create Secondary VLANs inside a Primary VLAN. Primary VLANs are just normal VLANs. Secondary VLANs are also created as normal VLANs, but are later associated with a Primary VLAN.

A Secondary VLAN can be in either of the following modes.

• Isolated VLAN: The network devices attached to the ports associated with an Isolated VLAN cannot communicate with one another. They can only communicate with a Promiscuous port within the same PVLAN.

• Community VLAN: The network devices attached to the ports associated with a Community VLAN can communicate with one another. They can also communicate with a Promiscuous port within the PVLAN.

Following are the three types of PVLAN ports.

• Promiscuous Port: A promiscuous port can communicate with all interfaces inside the PVLAN, including the isolated and community ports.

• Isolated Port: An isolated port cannot communicate with any other port within the same PVLAN except the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports.

• Community Port: Community ports can communicate among themselves and with the promiscuous ports. Community ports cannot communicate with interfaces in other communities or with isolated ports.

Note: Only one secondary VLAN of Isolated type can be associated with a Primary VLAN. Multiple secondary VLANs of Community type can be associated with a Primary VLAN.

How to configure PVLAN (Private VLANs)

Change the VTP mode to transparent mode.

If the VTP mode is not transparent, you may get an error message as shown below.

OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off modes in VTP version 1 or 2 and in server/transparent/off modes in VTP version 3 when pruning is turned off

To change the VTP mode to transparent mode, follow these steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vtp mode transparent
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

Create Secondary and Primary PVLANs and define the type of each PVLAN.

• To create a Secondary PVLAN and define it as Community type, follow these steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

• To create a Secondary PVLAN and define it as Isolated type, follow these steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 250
OmniSecuSW1(config-vlan)#private-vlan isolated
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

• To create a Primary PVLAN and associate the Secondary PVLANs with it, follow these steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 50
OmniSecuSW1(config-vlan)#private-vlan primary
OmniSecuSW1(config-vlan)#private-vlan association 150,250
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

Place switch ports in the PVLANs created in the previous steps.

• To configure a port as a Promiscuous port, follow these steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport mode private-vlan promiscuous
OmniSecuSW1(config-if)#switchport private-vlan mapping 50 150,250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

• To configure a port as a Community PVLAN port, follow these steps. Remember that PVLAN 150 was configured as Community type in the previous steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/1
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 150
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

• To configure a port as an Isolated PVLAN port, follow these steps. Remember that PVLAN 250 was configured as Isolated type in the previous steps.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/2
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
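The reachability that the configuration above produces can be checked against the port rules in the text. The following Python is an added example, not code from the original page or from Cisco: it models primary VLAN 50 with community 150 and isolated 250, enforces the note that a primary may carry only one isolated secondary, and answers which port pairs can exchange frames; the extra host ports on gigabitethernet 0/3 and 0/4 are assumptions added to show host-to-host behaviour.

```python
from typing import Dict, Optional, Set, Tuple

# Layout mirroring the configuration above (constructed, not from a real switch).
SECONDARY_TYPE: Dict[int, str] = {150: "community", 250: "isolated"}   # private-vlan community / isolated
ASSOCIATION: Dict[int, Set[int]] = {50: {150, 250}}                    # private-vlan association 150,250

# port -> (switchport mode, primary, secondary); a promiscuous port has no single secondary
PORTS: Dict[str, Tuple[str, int, Optional[int]]] = {
    "gigabitethernet 0/0": ("promiscuous", 50, None),   # private-vlan mapping 50 150,250
    "gigabitethernet 0/1": ("host", 50, 150),           # host-association 50 150
    "gigabitethernet 0/2": ("host", 50, 250),           # host-association 50 250
    "gigabitethernet 0/3": ("host", 50, 150),           # assumed second community member
    "gigabitethernet 0/4": ("host", 50, 250),           # assumed second isolated host
}


def validate_association(association: Dict[int, Set[int]],
                         secondary_type: Dict[int, str]) -> None:
    """Enforce the note above: at most one isolated secondary per primary VLAN."""
    for primary, secondaries in association.items():
        isolated = sorted(s for s in secondaries if secondary_type[s] == "isolated")
        if len(isolated) > 1:
            raise ValueError(f"primary VLAN {primary} has several isolated VLANs: {isolated}")


def can_communicate(ports, a: str, b: str) -> bool:
    """Layer 2 reachability between two PVLAN ports under the rules in the text."""
    mode_a, prim_a, sec_a = ports[a]
    mode_b, prim_b, sec_b = ports[b]
    if prim_a != prim_b:
        return False                    # different primaries: different broadcast domains
    if "promiscuous" in (mode_a, mode_b):
        return True                     # a promiscuous port reaches every port in the PVLAN
    if sec_a != sec_b:
        return False                    # host ports in different secondaries never talk
    return SECONDARY_TYPE[sec_a] == "community"   # same community: yes; isolated: no


def reachability(ports) -> Dict[Tuple[str, str], bool]:
    """(src, dst) -> reachable, for every ordered pair of distinct ports."""
    return {(a, b): can_communicate(ports, a, b) for a in ports for b in ports if a != b}
```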

Best Security practices to protect layer 2

• Hardcode access ports as "switchport mode access" and trunk ports as "switchport mode trunk".

• Administratively shut down all unused switch interfaces using the "shutdown" interface command. Never enable a switch port which is not in use.

• Assign unused interfaces to a VLAN which is not in use.

• Disable DTP on every trunk using the "switchport nonegotiate" command.

• Use a VLAN which is not used for user traffic or management traffic as the native VLAN for all trunk links.

• Do not use VLAN 1 anywhere, because it is the default VLAN and the default native VLAN.

• Use the port security feature to protect the switch from CAM table overflow attacks.

• Use the BPDU Guard and Root Guard features to protect the spanning tree topology.

• Turn on Cisco Discovery Protocol (CDP) only on interfaces facing trusted devices.
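Most of the checklist above can be verified mechanically against a switch's running configuration. The following Python is an added example, not code from the original page or from Cisco: it parses a constructed running-config excerpt into interface stanzas and reports the ports that violate the hardcoded-mode, unused-port, DTP, native VLAN, VLAN 1, port security, BPDU Guard and CDP items; the sample interfaces and the finding strings are this example's own assumptions.

```python
from typing import Dict, List

# Constructed running-config excerpt (not from the page) mixing hardened and weak ports.
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet0/1
 description user desk, hardened access port
 switchport mode access
 switchport access vlan 20
 switchport port-security
 spanning-tree portfast edge
 no cdp enable
!
interface GigabitEthernet0/2
 switchport access vlan 30
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree guard root
!
interface GigabitEthernet0/6
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None            # "!" or a global command ends the stanza
    return stanzas


def _value(lines: List[str], prefix: str, default: str) -> str:
    """Argument of the first sub-command starting with prefix, or the IOS default."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for ports that violate the checklist above."""
    global_bpduguard = any(l.strip() == "spanning-tree portfast edge bpduguard default"
                           for l in config.splitlines())
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        issues: List[str] = []
        if "shutdown" in cmds:
            continue                                  # administratively down: nothing exposed
        if not lines:
            findings[name] = ["unused interface is not shut down"]
            continue
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                issues.append("DTP not disabled on trunk (switchport nonegotiate missing)")
            if _value(lines, "switchport trunk native vlan", "1") == "1":
                issues.append("native VLAN is 1")
        else:                                         # anything else is treated as an access port
            if "switchport mode access" not in cmds:
                issues.append("access mode not hardcoded (DTP may negotiate a trunk)")
            if _value(lines, "switchport access vlan", "1") == "1":
                issues.append("access VLAN is 1")
            if "switchport port-security" not in cmds:
                issues.append("port security not enabled")
            if not global_bpduguard and "spanning-tree bpduguard enable" not in cmds:
                issues.append("BPDU Guard not enabled")
            if "no cdp enable" not in cmds:
                issues.append("CDP enabled on an access port")
        if issues:
            findings[name] = issues
    return findings
```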