The campus access layer switching infrastructure must be resilient to direct, indirect, intentional and unintentional attacks, and it must also protect the users and devices within its Layer 2 domain. The terminology below is Cisco-specific, but similar features are available in other vendors' products.
The key measures for providing switching security on the access switches include the following:
• Restrict broadcast domains
• Spanning Tree Protocol (STP) Security
 - Rapid Per-VLAN Spanning Tree (Rapid PVST+) (fast convergence)
 - BPDU Guard (shuts the port down if a BPDU is received, prevents STP manipulation)
 - Root Guard to protect against inadvertent loops (prevents other switches from becoming root bridge)
 - BPDU Filter (stops BPDUs from being broadcast to access ports)
• DHCP Protection
 - Implement DHCP snooping on access VLANs to protect against DHCP starvation and rogue DHCP server attacks
• IP Spoofing Protection
 - Implement IP Source Guard on access ports to prevent IP spoofing
• ARP Spoofing Protection
 - Implement Dynamic ARP Inspection (DAI) on access VLANs
• MAC Flooding Protection
 - Enable Port Security on access ports (to limit the number of MAC addresses allowed on a port)
• Broadcast and Multicast Storm Protection
 - Enable storm control on access ports
• VLAN Best Common Practices
 - Restrict VLANs to a single switch (current design best practice, prevents STP issues)
 - Configure separate VLANs for voice and data
 - Configure all user-facing ports as non-trunking (DTP off)
 - Disable VLAN dynamic trunk negotiation on access ports (prevents VLAN hopping attacks)
 - Explicitly configure trunking on infrastructure ports rather than relying on autonegotiation
 - Use VTP transparent mode
 - Disable unused ports and place them in an unused VLAN
 - Do not use VLAN 1 for anything
 - Configure the native VLAN on trunk links to an unused VLAN (prevents VLAN hopping using double-tagged frames)
Source: Cisco SAFE Design Reference Guide
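The measures above as they land together in a Cisco IOS access-switch configuration. This is an added example, not configuration from the Cisco SAFE guide or the original post; the VLAN numbers (10 data, 20 voice, 999 native, 998 parking for unused ports) and the interface names are assumed. Root Guard is left out because it belongs on ports facing away from the root bridge (typically the distribution layer's downstream ports), not on the access switch's uplink.

```cisco
! Global hardening (assumed VLANs: 10 data, 20 voice, 999 native, 998 parking)
spanning-tree mode rapid-pvst
! Any port in PortFast mode gets BPDU Guard; recover it automatically after err-disable
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
! DHCP snooping and DAI on the access VLANs (DAI and IP Source Guard rely on the snooping binding table)
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
vtp mode transparent
!
! VLAN 1 cannot be deleted, so keep it shut and carry nothing on it
interface Vlan1
 shutdown
!
! User-facing access port: data + voice, no DTP, edge port, MAC limit, IPSG, storm control
interface GigabitEthernet1/0/1
 description user access port (data + voice)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip verify source
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
!
! Uplink: explicit trunk, unused native VLAN, pruned VLAN list, trusted for DHCP and ARP
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Unused ports: parked in a dead VLAN and administratively down
interface range GigabitEthernet1/0/40 - 47
 description unused - parked
 switchport mode access
 switchport access vlan 998
 shutdown
```

Verify the result with `show ip dhcp snooping`, `show ip arp inspection vlan 10`, `show port-security interface GigabitEthernet1/0/1` and `show spanning-tree summary`, which report per-VLAN and per-port state of each feature.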