
Thread: Layer 2 security with Cisco switches

  1. #1 (Senior Member, joined Sep 2001, 1,027 posts)

    Layer 2 security with Cisco switches

    Hey guys,

    We're currently in the process of upgrading our access layer switches to Catalyst 3560s, which offer the following layer 2 security features:

    BPDUguard
    BPDUfilter
    port security
    dhcp snooping
    arp inspection
    ip source guard

    With those features implemented, it, at least on paper, makes for pretty secure segments...

    One of the main motivations for the upgrade is the use of those features, so I'm in the process of testing prior to rollout, and I was wondering if anyone else here has experience using those features... Any advice?


    Ammo
    Credit travels up, blame travels down -- The Boss
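For reference, here is what the feature set listed in the post looks like when configured on a Catalyst 3560 access switch. This is an added example, not configuration from the original post; the VLAN number, interface ranges, descriptions and timer values are assumptions chosen for illustration, and the violation mode and errdisable recovery are one possible choice rather than the poster's.

```cisco
! ---- Global: spanning tree ----
! BPDU guard on every PortFast port: a user-attached switch that sends
! BPDUs gets the port err-disabled instead of joining the STP topology.
spanning-tree portfast bpduguard default
! Let err-disabled ports recover on their own after 5 minutes (assumed value)
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ---- Global: DHCP snooping / DAI (assumed user VLAN 10) ----
ip dhcp snooping
ip dhcp snooping vlan 10
! Dynamic ARP Inspection uses the snooping binding table to validate ARP
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! ---- Uplink toward the distribution layer (assumed Gi0/1) ----
! The uplink is the only place legitimate DHCP offers and gateway ARP arrive
! from, so it is the only trusted port.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- User access ports (assumed Fa0/1-48) ----
interface range FastEthernet0/1 - 48
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: one dynamically learned MAC; a hub or switch behind the
 ! port shows up as a second MAC and is dropped (restrict) rather than
 ! err-disabling the port. Inactivity aging lets a replaced PC be learned.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ! IP Source Guard: only traffic from the IP in the snooping binding passes
 ip verify source
 ! Untrusted port: rate-limit ARP so DAI itself cannot be used to DoS the CPU
 ip arp inspection limit rate 15
```

A few checks worth running before rollout: `show ip dhcp snooping binding` should list every user host (IP Source Guard and DAI both depend on that table, so a host with a static IP on an untrusted port is dropped unless you add a static binding with `ip source binding`); `show port-security interface FastEthernet0/1` shows the learned MAC and violation count; `show ip arp inspection vlan 10` and `show errdisable recovery` confirm the global state. Note that DHCP snooping bindings live in memory only unless you configure `ip dhcp snooping database` to a persistent location, so after a reload hosts must renew their leases before Source Guard lets them through.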

  2. #2 (Junior Member, joined Jun 2006, 10 posts)
    In regards to port security, I have seen companies (or more commonly government agencies) go down the road of specifically defining the "secure MACs" for each port and only allowing those MACs. This might be OK for server networks, but for access switches for general users it quickly becomes such an administrative nightmare that the admins quickly give it up or look for a real NAC solution. Using port security against CAM table exhaustion attacks by specifying some maximum number of dynamically learned addresses is not a bad idea though. I would add that you can set the number pretty high, depending on port count and the maximum supported CAM table entries for your switch, and still achieve security against that attack.

    A layer two security measure I use quite a bit but you don't mention (although generally only in server access layers, not for general users) is private VLANs. It takes some planning since you must allocate "blocks" of ports to a PVLAN once configured on most platforms, but it's proven invaluable in many situations.

  3. #3 (Senior Member, joined Sep 2001, 1,027 posts)
    Our intent with port security is mostly to prevent users from uplinking hubs or switches of their own. We'll limit each switchport to a single MAC address (dynamically learned).

    Indeed, we also have some private VLANs in use already. Quite useful in DMZ segments, for example...


    Ammo
    Credit travels up, blame travels down -- The Boss
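Since posts #2 and #3 both bring up private VLANs for server and DMZ segments, here is the shape of that configuration on a Catalyst 3560. This is an added example, not configuration from either poster; the VLAN numbers, interface assignments and descriptions are assumptions, and it assumes the switch runs an image that supports private VLANs.

```cisco
! The 3560 requires VTP transparent mode to configure private VLANs
vtp mode transparent
!
! Primary VLAN carries the subnet; secondary VLANs define who may talk to whom
vlan 100
 name DMZ-primary
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name DMZ-isolated
 private-vlan isolated
vlan 102
 name DMZ-web-community
 private-vlan community
!
! Promiscuous port: the firewall / default gateway. It can reach every host
! in 101 and 102, and every host can reach it.
interface GigabitEthernet0/1
 description Firewall inside DMZ interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated hosts: can talk to the gateway only, not to each other. A
! compromised host here cannot ARP-spoof or pivot to its neighbours.
interface range FastEthernet0/1 - 8
 description DMZ isolated hosts
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: a web cluster whose members must see each other but
! nothing else except the gateway.
interface range FastEthernet0/9 - 12
 description DMZ web cluster (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
```

Verify with `show vlan private-vlan` (association and port membership) and `show interfaces switchport` on a host port. One caveat a practitioner should keep in mind: isolation is enforced at layer 2 only, so if the gateway on the promiscuous port forwards traffic between two DMZ hosts (proxy ARP, or simply routing a packet addressed to a same-subnet host), the isolation is bypassed; block that on the firewall as well.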

  4. #4
    I totally agree. I used to work for a gov't agency that had port security turned on at every port. Every time we'd rearrange the office, or even plug in a laptop to test something, the port would shut off. Well, don't try and do something in a lab at 2 in the morning when the LAN guy isn't in the building.

    I hated it. It was so annoying. Maybe have port security turned on everywhere, but turn it off in labs, conference rooms, common areas. That kind of thing. That way people have at least a limited area where to plug in their devices.

    However, you can also implement some type of tool to monitor the network for unauthorized machines. McAfee has one, Sourcefire's Real-time Network Awareness (RNA), or other passive awareness technology.
