Layer 2 Security
The Cisco SAFE Blueprint document (available at http://www.cisco.com/go/safe) suggests a wide
variety of best practices for switch security. In most cases, the recommendations depend on one
of three general characterizations of the switch ports, as follows:
■ Unused ports—Switch ports that are not yet connected to any device—for example, switch
ports that are pre-cabled to a faceplate in an empty cubicle
■ User ports—Ports cabled to end-user devices, or any cabling drop that sits in some physically
unprotected area
■ Trusted ports or trunk ports—Ports connected to fully trusted devices, like other switches
known to be located in an area with good physical security
Layer 2 Security 655
The following list summarizes the best practices that apply to both unused and user ports. The
common element among these types of ports is that a malicious person can gain access once they
get inside the building, without having to gain further access behind the locked door to a wiring
closet or data center.
■ Disable unneeded dynamic protocols like CDP and DTP.
■ Disable trunking by configuring these ports as access ports.
■ Enable BPDU Guard and Root Guard to prevent STP attacks and keep a stable STP topology.
■ Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing.
■ Enable port security to at least limit the number of allowed MAC addresses, and possibly
restrict the port to use only specific MAC addresses.
■ Use 802.1X user authentication.
■ Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle
attacks.
Besides the preceding recommendations specifically for unused ports and user ports, the Cisco
SAFE Blueprint makes the following additional recommendations:
■ For any port (including trusted ports), consider the general use of private VLANs to further
protect the network from sniffing, including preventing routers or L3 switches from routing
packets between devices in the private VLAN.
■ Configure VTP authentication globally on each switch to prevent DoS attacks.
■ Disable unused switch ports and place them in an unused VLAN.
■ Avoid using VLAN 1.
■ For trunks, do not use the native VLAN.
The rest of this section’s coverage of switch security addresses the points in these two lists of best
practices, with the next section focusing on best practices for unused and user ports (based on
the first list), and the following section focusing on the general best practices (based on the
second list).
656 Chapter 18: Security
Switch Security Best Practices for Unused and User Ports
The first three items in the list of best practices for unused and user ports are mostly covered in
earlier chapters. For a brief review, Example 18-7 shows an example configuration on a Cisco
3550 switch, with each of these items configured and noted. In this example, fa0/1 is a currently
unused port. CDP has been disabled on the interface, but it remains enabled globally, on the
presumption that some ports still need CDP enabled. DTP has been disabled as well, and STP Root
Guard and BPDU Guard are enabled.
Example 18-7 Disabling CDP and DTP and Enabling Root Guard and BPDU Guard
! The cdp run command keeps CDP enabled globally, but it has been disabled on
! fa0/1, the unused port.
cdp run
int fa0/1
no cdp enable
! The switchport mode access interface subcommand prevents the port from trunking,
! and the switchport nonegotiate command prevents any DTP messages
! from being sent or processed.
switchport mode access
switchport nonegotiate
! The last two interface commands enable Root Guard and BPDU Guard, per interface,
! respectively. BPDU Guard can also be enabled for all ports with PortFast
! enabled by configuring the spanning-tree portfast bpduguard enable global
! command.
spanning-tree guard root
spanning-tree bpduguard enable
Port Security
Switch port security monitors a port to restrict the number of MAC addresses associated with that
port in the Layer 2 switching table. It can also enforce a restriction for only certain MAC addresses
to be reachable out the port.
To implement port security, the switch adds more logic to its normal process of examining incoming
frames. Instead of automatically adding a Layer 2 switching table entry for the source MAC
and port number, the switch considers the port security configuration and whether it allows that
entry. By preventing MACs from being added to the switching table, port security can prevent the
switch from forwarding frames to those MACs on a port.
Port security supports the following key features:
■ Limiting the number of MACs that can be associated with the port
■ Limiting the actual MAC addresses associated with the port, based on three methods:
— Static configuration of the allowed MAC addresses
— Dynamic learning of MAC addresses, up to the defined maximum, where dynamic
entries are lost upon reload
— Dynamically learning but with the switch saving those entries in the configuration
(called sticky learning)
Port security protects against a couple of types of attacks. Once a switch’s forwarding table fills,
the switch times out older entries. When the switch receives frames destined for those MACs that
are no longer in the table, the switch floods the frames out all ports. An attacker could cause the
switch to fill its switching table by sending lots of frames, each with a different source MAC,
forcing the switch to time out the entries for most or all of the legitimate hosts. As a result, the
switch floods legitimate frames because the destination MACs are no longer in the CAM, allowing
the attacker to see all the frames.
An attacker could also claim to be the same MAC address as a legitimate user by simply sending
a frame with that same MAC address. As a result, the switch would update its switching table, and
send frames to the attacker, as shown in Figure 18-2.
Figure 18-2 Claiming to Use Another Host’s MAC Address
(Figure 18-2 shows PC-A (IP-A, MAC-A), PC-B (IP-B, MAC-B) on Fa0/2, and the attacker on Fa0/3
of switch SW1. 1. The attacker sources a frame using PC-B’s real MAC, MAC-B. 2. SW1 updates its
MAC address table, moving the MAC-B entry from Fa0/2 to Fa0/3. 3. Another frame is sent to
destination MAC-B. 4. SW1 forwards that frame to the attacker.)
Port security prevents both styles of these attacks by limiting the number of MAC addresses and
by limiting MACs to particular ports. Port security configuration requires just a few configuration
steps, all in interface mode. The commands are summarized in Table 18-4.
Table 18-4 Port Security Configuration Commands
Command: switchport mode {access | trunk}
Purpose: Port security requires that the port be statically set as either access or trunking.
Command: switchport port-security [maximum value]
Purpose: Enables port security on an interface, and optionally defines the number of allowed MAC
addresses on the port (default 1).
Command: switchport port-security mac-address mac-address [vlan {vlan-id | {access | voice}}]
Purpose: Statically defines an allowed MAC address, for a particular VLAN (if trunking), and for
either the access or voice VLAN.
Command: switchport port-security mac-address sticky
Purpose: Tells the switch to remember the dynamically learned MAC addresses.
Command: switchport port-security [aging] [violation {protect | restrict | shutdown}]
Purpose: Defines the aging timer and actions taken when a violation occurs.
Of the commands in Table 18-4, only the first two are required for port security. With just those
two commands, a port allows the first-learned MAC address to be used, but no others. If that MAC
address times out of the CAM, another MAC address may be learned on that port, but only one is
allowed at a time.
The next two commands in the table allow for the definition of MAC addresses. The third command
statically defines the allowed MAC addresses, and the fourth command allows for sticky learning.
Sticky learning tells the switch to learn the MACs dynamically, but then add the MACs to the running
configuration. This allows port security to be enabled and existing MAC addresses to be learned,
but then have them locked into the configuration as static entries simply by saving the running
configuration. (Note that the switchport port-security maximum x command would be required
to allow more than one MAC address, with x being the maximum number.)
The last command in the table tells the switch what to do when violations occur. The protect
option simply tells the switch to enforce port security. The restrict option tells it to also send
SNMP traps and issue log messages regarding the violation. Finally, the shutdown option puts the
port in an err-disabled state, and requires a shutdown/no shutdown combination on the port to
recover the port’s forwarding state.
Example 18-8 shows a sample configuration, based on Figure 18-3. In the figure, Server 1 and
Server 2 are the only devices that should ever be connected to interfaces Fast Ethernet 0/1 and 0/2,
respectively. In this case, a rogue device has attempted to connect to fa0/1.
Figure 18-3 Port Security Configuration Example
(Figure 18-3 shows a switch with Server 1, MAC 0200.1111.1111, on Fa0/1; Server 2, MAC
0200.2222.2222, on Fa0/2; and User1 on one of the remaining ports, Fa0/3 and Fa0/4.)
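Before the IOS example, here is a small Python model of the port security decisions just described: the maximum count, static and sticky MACs, the three violation modes, err-disable recovery, and what survives a reload. It is added here as an illustration and is not code from the book or from Cisco IOS. The class and method names are constructed for this example, the interface names and MAC addresses other than the two from Figure 18-3 are sample values, and the violation log text is made up rather than IOS's real syslog wording.

```python
"""Model of Cisco IOS port security decisions (added example, not Cisco code).

Interface names and MAC addresses in the demo are constructed sample values;
the two MACs from Figure 18-3 are reused so the demo mirrors Example 18-8.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                # switchport port-security maximum <value> (default 1)
    violation: str = "shutdown"     # protect | restrict | shutdown (default shutdown)
    sticky: bool = False            # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)  # switchport port-security mac-address <mac>
    learned: dict = field(default_factory=dict)    # mac -> "dynamic" or "sticky"
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def secure_macs(self):
        """All MACs currently allowed to source frames on this port."""
        return self.static_macs | set(self.learned)

    def receive(self, src_mac):
        """Decide 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                      # shutdown mode already took the port down
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            # Room left under the maximum: learn it. Sticky entries go into the
            # running configuration; dynamic ones live only in the CAM.
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # A MAC beyond the maximum, or not in the allowed set, is a violation.
        if self.violation == "protect":
            return "drop"                      # drop silently: no count, no message
        self.violations += 1
        # Constructed log text, not IOS's real syslog wording.
        self.log.append(f"violation on {self.name}: unexpected source {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # recover with shutdown / no shutdown
        return "drop"

    def recover(self):
        """Equivalent of 'shutdown' then 'no shutdown' on an err-disabled port."""
        self.err_disabled = False

    def reload(self, config_saved):
        """Dynamic entries never survive a reload; sticky entries survive only if the
        running configuration was saved first (the switch does not do that itself)."""
        self.learned = ({m: k for m, k in self.learned.items() if k == "sticky"}
                        if config_saved else {})

    def running_config(self):
        """Interface commands as they would appear in the running configuration."""
        lines = [f"interface {self.name}", "switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        for mac in sorted(self.static_macs):
            lines.append(f"switchport port-security mac-address {mac}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            for mac, kind in self.learned.items():
                if kind == "sticky":
                    lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    # Mirror Example 18-8: a static MAC on Fa0/1, sticky learning on Fa0/2.
    fa1 = SecurePort("FastEthernet0/1", static_macs={"0200.1111.1111"})
    fa2 = SecurePort("FastEthernet0/2", sticky=True)
    print(fa1.receive("0200.9999.9999"), fa1.err_disabled, fa1.violations)  # rogue device
    print(fa2.receive("0200.2222.2222"))
    print("\n".join(fa2.running_config()))
```

Two details worth noticing when running it: protect mode drops the offending frame without touching the violation counter, whereas restrict counts and logs it and shutdown additionally err-disables the port; and the sticky entry on Fa0/2 appears in running_config() immediately, but reload(config_saved=False) loses it, which is the point of the note that the switch does not save the configuration on its own.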
Example 18-8 Using Port Security to Define Correct MAC Addresses Connected to Particular
Interfaces
! FA0/1 has been configured to use a static MAC address, defaulting to allow
! only one MAC address.
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0200.1111.1111
! FA0/2 has been configured to use a sticky-learned MAC address, defaulting to
! allow only one MAC address.
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
! FA0/1 shows as err-disabled, as a device that was not 0200.1111.1111 tried to
! connect. The default violation mode is shutdown, as shown. It also lists the
! fact that a single MAC address is configured, that the maximum number of MAC
! addresses is 1, and that there are 0 sticky-learned MACs.
fred# show port-security interface fastEthernet 0/1
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1
! FA0/2 shows as SecureUp, meaning that port security has not seen any violations
! on this port. Note also at the end of the output that the security violations
! count is 0. It lists the fact that one sticky MAC address has been learned.
fred# show port-security interface fastEthernet 0/2
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
! Note the updated configuration in the switch. Due to the sticky option, the
! switch added the last shown configuration command.
Fred# show running-config
(Lines omitted for brevity)
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0200.2222.2222
The final part of the example shows that sticky learning updated the running configuration. The
MAC address is stored in the running configuration, but it is stored in a command that also uses
the sticky keyword, differentiating it from a truly statically configured MAC. Note that the switch
does not automatically save the configuration in the startup-config file.
Dynamic ARP Inspection
A switch can use DAI to prevent certain types of attacks that leverage the use of IP ARP messages.
To appreciate just how those attacks work, you need to keep in mind several detailed points about
the contents of ARP messages. Figure 18-4 shows a simple example with the normal use of
ARP messages, with PC-A finding PC-B’s MAC address.
Figure 18-4 Normal Use of ARP, Including Ethernet Addresses and ARP Fields
(Figure 18-4 shows PC-A (IP-A, MAC-A) and PC-B (IP-B, MAC-B, on Fa0/2) attached to SW1, with
the attacker PC-C (MAC-C) on Fa0/3. 1. PC-A sends an ARP broadcast looking for IP-B’s MAC
address (the target MAC). 2. PC-B sends a LAN unicast ARP reply. The two messages carry these
fields:
ARP Request: Eth. Header SRC = MAC-A, DST = b’cast; ARP Message SRC = MAC-A, SRC = IP-A,
TRG = ???, TRG = IP-B
ARP Reply: Eth. Header SRC = MAC-B, DST = MAC-A; ARP Message SRC = MAC-B, SRC = IP-B,
TRG = MAC-A, TRG = IP-A)
The ARP message itself does not include an IP header. However, it does include four important
addressing fields: the source MAC and IP address of the sender of the message, and the target
MAC and IP address. For an ARP request, the target IP lists the IP address whose MAC needs to
be found, and the target MAC address field is empty, as that is the missing information. Note that
the ARP reply (a LAN unicast) uses the source MAC field to imply the MAC address value—for
example, PC-B sets the source MAC inside the ARP message to its own MAC address, and the
source IP to its own IP address.
An attacker can form a man-in-the-middle attack in a LAN by creative use of gratuitous ARPs.
A gratuitous ARP occurs when a host sends an ARP reply, without even seeing an ARP request,
and with a broadcast destination Ethernet address. The more typical ARP reply in Figure 18-4
shows the ARP reply as a unicast, meaning that only the host that sent the request will learn
an ARP entry; by broadcasting the gratuitous ARP, all hosts on the LAN will learn an ARP
entry.
While gratuitous ARPs can be used to good effect, they can also be used by an attacker. The
attacker can send a gratuitous ARP, claiming to be an IP address of a legitimate host. All the hosts
in the subnet (including routers and switches) update their ARP tables, pointing to the attacker’s
MAC address—and then later sending frames to the attacker instead of to the true host. Figure 18-5
depicts the process.
Figure 18-5 Man-in-the-Middle Attack Using Gratuitous ARPs
(Figure 18-5 shows PC-A (IP-A, MAC-A), PC-B (IP-B, MAC-B, on Fa0/2) and the attacker PC-C
(MAC-C, on Fa0/3) attached to SW1. The gratuitous ARP reply carries Eth. Header SRC = MAC-C,
DST = B’cast; ARP Message SRC = MAC-C, SRC = IP-B, TRG = MAC-A, TRG = IP-A. Afterwards,
PC-A’s ARP table lists IP-B as MAC-C instead of MAC-B, PC-A’s frame to IP-B carries Dst. MAC
MAC-C, and SW1’s forwarding table (MAC-B Fa0/2, MAC-C Fa0/3) delivers it to Fa0/3.)
The steps shown in Figure 18-5 can be explained as follows:
1. The attacker broadcasts a gratuitous ARP advertising IP-B, but with IP-B and MAC-C as the
source IP and MAC.
2. PC-A updates its ARP table to list IP-B’s associated address as MAC-C.
3. PC-A sends a frame to IP-B, but with destination MAC MAC-C.
4. SW1 forwards the frame to MAC-C, which is the attacker.
The attack results in other hosts, like PC-A, sending frames meant for IP-B to MAC address
MAC-C—the attacker’s PC. The attacker then simply forwards another copy of each frame to
PC-B, becoming a man in the middle. As a result, the user can continue to work, and the attacker
can gain a much larger amount of data.
Switches use DAI to defeat ARP attacks by examining the ARP messages and then filtering
inappropriate messages. DAI considers each switch port to be either untrusted (the default) or
trusted, performing DAI checks only on untrusted ports. DAI examines each ARP request or
reply (on untrusted ports) to decide if it is inappropriate; if inappropriate, the switch filters the ARP
message. DAI determines if an ARP message is inappropriate by using the following logic:
1. If an ARP reply lists a source IP address that was not DHCP-assigned to a device off that port,
DAI filters the ARP reply.
2. DAI uses additional logic like Step 1, but uses a list of statically defined IP/MAC address
combinations for comparison.
3. For a received ARP reply, DAI compares the source MAC address in the Ethernet header to
the source MAC address in the ARP message. These MACs should be equal in normal ARP
replies; if they are not, DAI filters the ARP message.
4. Like Step 3, but DAI compares the destination Ethernet MAC and the target MAC listed in
the ARP body.
5. DAI checks for unexpected IP addresses listed in the ARP message, such as 0.0.0.0,
255.255.255.255, multicasts, and so on.
Table 18-5 lists the key Cisco 3550 switch commands used to enable DAI. DAI must first be
enabled globally. At that point, all ports are considered to be untrusted by DAI. Some ports,
particularly ports connected to devices in secure areas (ports connecting servers, other switches,
and so on), need to be explicitly configured as trusted. Then, additional configuration is required
to enable the different logic options. For example, DHCP snooping needs to be enabled before
DAI can use the DHCP snooping binding database to perform the logic in Step 1 in the preceding
list. Optionally, you can configure static IP addresses, or perform additional validation (per the last
three points in the preceding list) using the ip arp inspection validate command.
Table 18-5 Cisco IOS Switch Dynamic ARP Inspection Commands
Command: ip arp inspection vlan vlan-range
Purpose: Global command to enable DAI on this switch for the specified VLANs.
Command: [no] ip arp inspection trust
Purpose: Interface subcommand that enables (with no option) or disables DAI on the interface.
Defaults to enabled once the ip arp inspection global command has been configured.
Command: ip arp inspection filter arp-acl-name vlan vlan-range [static]
Purpose: Global command to refer to an ARP ACL that defines static IP/MAC addresses to be
checked by DAI for that VLAN (Step 2 in the preceding list).
Command: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Enables additional optional checking of ARP messages (per Steps 3–5 in the preceding
list).
Command: ip arp inspection limit {rate pps [burst interval seconds] | none}
Purpose: Limits the ARP message rate to prevent DoS attacks carried out by sending a large number
of ARPs.
Because DAI causes the switch to do more work, an attacker could attempt a DoS attack on
a switch by sending large numbers of ARP messages. DAI automatically sets a limit of 15 ARP
messages per port per second to reduce that risk; the settings can be changed using the ip arp
inspection limit interface subcommand.
DHCP Snooping
DHCP snooping prevents the damage inflicted by several attacks that use DHCP. DHCP snooping
causes a switch to examine DHCP messages and filter those considered to be inappropriate. DHCP
snooping also builds a table of IP address and port mappings, based on legitimate DHCP messages,
called the DHCP snooping binding table. The DHCP snooping binding table can then be used by
DAI and by the IP Source Guard feature.
Figure 18-6 shows a man-in-the-middle attack that leverages DHCP. The legitimate DHCP server
sits at the main site, whereas the attacker sits on the local LAN, acting as a DHCP server.
Figure 18-6 Man-in-the-Middle Attack Using DHCP
(Figure 18-6 shows PC-B (IP-B, MAC-B) on the local LAN with the attacker, acting as a DHCP
server, at 10.1.1.2; the legitimate DHCP server and a web server sit at the main site behind R1 and
R2, with R2 at 10.1.1.1. PC-B’s DHCP request is a broadcast; the attacker’s DHCP reply says
“Use IP-B, Gateway 10.1.1.2”; PC-B’s data messages then flow to the attacker.)
The following steps explain how the attacker’s PC can become a man in the middle in Figure 18-6:
1. PC-B requests an IP address using DHCP.
2. The attacker PC replies, and assigns a good IP/mask, but using its own IP address as the
default gateway.
3. PC-B sends data frames to the attacker, thinking that the attacker is the default gateway.
4. The attacker forwards copies of the packets, becoming a man in the middle.
DHCP snooping defeats such attacks for ports it considers to be untrusted. DHCP snooping allows
all DHCP messages on trusted ports, but it filters DHCP messages on untrusted ports. It operates
based on the premise that only DHCP clients should exist on untrusted ports; as a result, the switch
filters incoming DHCP messages that are only sent by servers. So, from a design perspective,
unused and unsecured user ports would be configured as untrusted to DHCP snooping.
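The DHCP snooping rule just described and the five-step DAI logic listed earlier in this section share one piece of state, the DHCP snooping binding table, so here is one Python model covering both, added as an illustration; it is not code from the book or from Cisco IOS. The class and method names are constructed, the port names, MAC addresses and IP addresses in the demo are sample values, the DHCP message types are reduced to their names, and the one-second rate-limit window is reset explicitly by new_second() instead of by a timer. The validate options and the default limit of 15 ARPs per second follow the commands in Table 18-5.

```python
"""Model of DHCP snooping and Dynamic ARP Inspection (DAI) filtering.

Added example, not Cisco code. Ports, MAC and IP addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these
BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Arp:
    """The fields DAI looks at: the Ethernet header plus the ARP body."""
    port: str
    eth_src: str
    eth_dst: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Switch:
    def __init__(self, trusted_ports, validate=("src-mac", "dst-mac", "ip"), arp_limit=15):
        self.trusted = set(trusted_ports)   # ports marked trusted for snooping and DAI
        self.validate = set(validate)       # ip arp inspection validate options in force
        self.arp_limit = arp_limit          # ip arp inspection limit rate (default 15 pps)
        self.bindings = {}     # DHCP snooping binding table: client mac -> (ip, port)
        self.arp_acl = {}      # static ip -> mac entries (ip arp inspection filter, Step 2)
        self.pending = {}      # client mac -> port of its outstanding DHCP request
        self.arp_seen = {}     # port -> ARPs seen in the current one-second window
        self.err_disabled = set()

    # ---- DHCP snooping -------------------------------------------------------
    def dhcp(self, port, msg_type, client_mac, assigned_ip=None):
        """Permit or drop a DHCP message and maintain the binding table."""
        if msg_type in DHCP_SERVER_MSGS and port not in self.trusted:
            return "drop"      # server-only message from an untrusted port: rogue server
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port       # remember where the client lives
        elif msg_type == "ACK" and client_mac in self.pending:
            self.bindings[client_mac] = (assigned_ip, self.pending.pop(client_mac))
        return "permit"

    # ---- DAI -----------------------------------------------------------------
    @staticmethod
    def _bad_ip(ip):
        addr = ipaddress.ip_address(ip)
        return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"

    def new_second(self):
        """Start a new rate-limit window."""
        self.arp_seen = {}

    def arp(self, a):
        """Return 'permit' or 'drop: <reason>' for an ARP message entering on a.port."""
        if a.port in self.err_disabled:
            return "drop: port err-disabled"
        if a.port in self.trusted:
            return "permit"                       # DAI inspects untrusted ports only
        self.arp_seen[a.port] = self.arp_seen.get(a.port, 0) + 1
        if self.arp_seen[a.port] > self.arp_limit:
            self.err_disabled.add(a.port)         # flood of ARPs: treat as DoS
            return "drop: rate limit exceeded"
        # Steps 1 and 2: sender IP/MAC must match a DHCP binding on this port or the ARP ACL
        bound = self.bindings.get(a.sender_mac) == (a.sender_ip, a.port)
        static = self.arp_acl.get(a.sender_ip) == a.sender_mac
        if not (bound or static):
            return "drop: sender not in binding table or ARP ACL"
        # Step 3: Ethernet source MAC must equal the ARP sender MAC
        if "src-mac" in self.validate and a.eth_src != a.sender_mac:
            return "drop: src-mac mismatch"
        # Step 4: for replies, Ethernet destination must equal the ARP target MAC
        if "dst-mac" in self.validate and a.op == "reply" and a.eth_dst != a.target_mac:
            return "drop: dst-mac mismatch"
        # Step 5: no unspecified, broadcast or multicast addresses in the ARP body
        # (sender IP in every message, target IP in replies)
        if "ip" in self.validate and (self._bad_ip(a.sender_ip)
                                      or (a.op == "reply" and self._bad_ip(a.target_ip))):
            return "drop: invalid IP in ARP body"
        return "permit"


if __name__ == "__main__":
    sw = Switch(trusted_ports={"Fa0/24"})           # Fa0/24: uplink toward the real server
    print(sw.dhcp("Fa0/3", "OFFER", "0200.bbbb.bbbb", "10.1.1.20"))   # rogue server: drop
    sw.dhcp("Fa0/2", "DISCOVER", "0200.bbbb.bbbb")
    sw.dhcp("Fa0/24", "ACK", "0200.bbbb.bbbb", "10.1.1.20")
    print(sw.bindings)
```

The usage mirrors Figure 18-6 and Figure 18-5: a DHCP OFFER arriving on an untrusted access port is dropped before any client can act on it, while the real server's ACK through the trusted uplink creates the binding that Step 1 of DAI later checks, so a broadcast ARP reply claiming another host's IP from a port whose binding says otherwise is filtered. Trusted ports skip DAI entirely, which is why the text stresses marking only ports in secure areas as trusted.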