Layer 2 Security Best Practices
To conclude this chapter, a list of best practices is presented here for implementing, managing, and maintaining a secure Layer 2 network:
Manage the switches in a secure manner. For example, use SSH, an authentication mechanism, access lists, and set privilege levels.
Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.
Always use a dedicated VLAN ID for all trunk ports.
Be skeptical; avoid using VLAN 1 for anything.
Disable DTP on all non-trunking access ports.
Deploy the Port Security feature to prevent unauthorized access from switching ports.
Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
Use MD5 authentication where applicable.
Disable CDP where possible.
Prevent denial-of-service attacks and other exploitation by disabling unnecessary services and protocols.
Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
Use port security mechanisms to provide protection against a MAC flooding attack.
Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
Enable Spanning Tree Protocol features (for example, BPDU Guard, Loopguard, and Root Guard).
Use Switch IOS ACLs and Wire-speed ACLs to filter undesirable traffic (IP and non-IP).
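The practices above, collected into one Cisco IOS switch configuration as an added example (this is not configuration from the chapter). Interface names, VLAN IDs, the 192.0.2.0/24 administration subnet and the placeholder secrets are assumptions; the RSA key pair for SSH is assumed to have been generated beforehand in privileged EXEC.

```cisco
! Added example; interface names, VLAN IDs and the 192.0.2.0/24 admin subnet are assumptions
! Management plane: SSH v2 only (RSA key pair generated beforehand in EXEC), local users, vty ACL
ip domain-name example.test
ip ssh version 2
username netadmin privilege 15 secret PLACEHOLDER-CHANGE-ME
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny any log
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 login local
no snmp-server
! VLANs: user VLAN, dedicated native VLAN for trunks, parking VLAN; VLAN 1 is left unused
vlan 10
 name USERS
vlan 998
 name TRUNK-NATIVE
vlan 999
 name PARKING
! Global Layer 2 protections for the user VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
spanning-tree loopguard default
! Trunk uplink: dedicated native VLAN, DTP off, trusted for DHCP snooping and DAI
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
! Access ports: DTP and CDP off, port security (MAC flooding), BPDU Guard, IP Source Guard
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
! Unused ports: shut down and parked in a VLAN not used for normal operations
interface range GigabitEthernet1/0/25 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

After applying it, `show ip dhcp snooping`, `show ip arp inspection vlan 10` and `show port-security` confirm that the protections are active on the intended VLAN and ports.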
Summary
This chapter presents a basic overview of Layer 2 security. The chapter gives you configuration examples and brings together the integrated-security features available on Cisco switches, such as port-level controls, port blocking, port security, Private VLAN (PVLAN), and many more. The chapter discusses the various configurable ACLs that can be used on the switches, including the wire-speed ACLs. The chapter takes a quick look at the Spanning Tree Protocol features and security mechanisms available to prevent STP attacks. Cisco switches offer different features to mitigate common attacks on services such as DHCP, DNS, and ARP-cache poisoning attacks. The chapter briefly outlines some platform-specific integrated security features available on the high-end switch platforms. The chapter concludes with a summary of Layer 2 security best practices to implement, manage, and maintain a secure Layer 2 network.