Layer 2 Security

Layer 2 Security

Feeling satisfied with securing access to the physical switch and cables as well as access to the Catalyst switch IOS, our next step on our secure ladder is to get to the core of our switching functions and secure the possible vulnerabilities that occur at the Data Link layer. The transparent functions that our switches perform, such as MAC address learning and forwarding, as well as VLAN broadcast domain segmentation, are taken for granted because they are just that: transparent.

Consequently, these are the most overlooked aspects of switch security today, because we naturally assume that the default behavior of the switch’s design is how it should be. Any thought of securing that behavior goes against the switch’s basic operations. In the following sections, you will see that although the extra configuration steps might involve slightly more work, the end result is that you won’t lose sleep wondering when the next attack might cause your cell phone to go off.

Port Security


  • Implement basic switch security (including: port security, unassigned ports, trunk access, management vlan other than vlan1, etc.)

Anybody who has physical access to the ports of your switches can easily attach another switch or hub to enable more devices to be on the switched network. If you want to limit the number of MAC addresses that can be dynamically learned on a switch port (for environments such as college campuses and hotels), you can enable the port security feature on your switch ports that are accessible to end users. With the switchport port-security commands, you can define the maximum number of MAC addresses to be learned on an access port.

If this maximum number is exceeded, the switch port is put in an error-disabled state (by default) in which you have to reenable the interface by administratively shutting it down (with the shutdown command) and reenabling the port with the no shutdown command. Although this is a bit drastic, it is a surefire way to ensure that switch administrators know where the violation occurred and help identify the users who might be responsible.

To configure this port security functionality, you must enable this port security on each interface, followed by the maximum MAC count allowed on the interface (the default is 1). For example, if you wanted to restrict the number of MAC addresses allowed to 10, you would use the following configuration on the port:

Furthermore, you can change the default action when a violation occurs on the secured port with the switchport port-security violation command:
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
The default action is shutdown, which puts the port in the error-disabled state, as mentioned earlier. You can also choose to have the port increase a violation counter and alert an administrator using an SNMP trap with the restrict keyword. The protect keyword only allows traffic from the secure port; it drops packets from other MAC addresses until the number of MAC addresses drops below the maximum.

The switchport port-security maximum command restricts how many MAC addresses can be learned on a switch interface. The switchport port-security violation shutdown com mand instructs the switch to disable the port when a violation occurs.

Static MAC with Port Security
The default state of Cisco Catalyst switches is to learn MAC addresses dynamically. For security purposes, you can assign static MAC addresses to an interface to ensure that a MAC address is recognized on only a specific interface. For instance, if you want to make sure that no one tries to connect to your switch and spoof (falsely assume the identity of) your server’s MAC address of FA23.239B.2349, you could use the following port security command to statically assign that MAC address to the Fast Ethernet 0/2 interface:

This configuration leaves the maximum secure MAC address at its default of 1. If the switch receives another MAC address on Fast Ethernet 0/2, or the MAC address FA23.239B.2349 is seen entering a port other than Fast Ethernet 0/2, the port is disabled. Port security also can save you some configuration by learning sticky secure MAC addresses. With the command switchport port-security mac-address sticky, the switch automatically configures the addresses already dynamically learned on the interface, as well as any new MAC addresses (up to the maximum) to be secure MAC addresses. These sticky addresses actually get added as sticky secure MAC configuration line entries in the running configuration. If you save the configuration and reboot the switch, those secure MAC addresses won’t need to be relearned.

Sticky addresses are secure MAC addresses that are dynamically learned on the interface.

Verifying Port Security


  • Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network

To verify the port security configuration parameters on the interface, as well as the number of security violations that have occurred on that interface, use the show port-security interface interface command:

Based on this output, you can see that port security is enabled and is not in a disabled state. The default actions for violations (shutdown) and maximum MAC addresses are configured on Fast Ethernet 0/2, with a configured MAC address of fa23.239b.2349. To verify your configured port security addresses, use the show port-security address command:

Here you can see that your statically configured secure MAC address is configured on Fast Ethernet 0/2. Compare that output to a dynamically learned sticky MAC address, which shows the type as SecureDynamic as opposed to SecureConfigured:

VLAN Security


  • Implement basic switch security (including: port security, unassigned ports, trunk access, management vlan other than vlan1, etc.)

Considering that the default VLAN assigned to every interface is VLAN 1, and that the default management VLAN that houses CDP, VTP, and the switch’s IP address is also VLAN 1, what VLAN would you choose if you wanted to attack a switched network? All you would essentially have to do is get connected to an unconfigured interface and start determining the
switch’s IP address and gaining access to that switch. The way to mitigate this is actually simple and can be achieved in three ways:

  1. Administratively shut down all unused interfaces. Even though this would be an administrative pain, it would ensure that no one gets access to the switched network unless you or another authorized administrator grants them access.
  2. Configure a different VLAN to act solely as the management VLAN and remain separate from user data. VLAN 1 is typically used because older switches could only assign an IP to this interface. Newer IOS versions allow you to configure any VLAN you choose as the management VLAN by configuring the IP address on another created VLAN such as this:
    Switch(config)# interface vlan 99
    Switch(config-if)# ip address
    Switch(config-if)# no shutdown
    This VLAN should be assigned only to access ports that have management stations connected to them that require remote connectivity to the switch.
  3. Assign all unused ports to an unused VLAN other than VLAN 1. If you create a dummy VLAN and assign it to all interfaces, anyone who gains access won’t be able to gain access to VLAN 1.

Remember that the three ways to secure unassigned ports are to shut them down, change the management VLAN, and assign another VLAN besides VLAN 1 to them

These steps will secure your access ports with VLANs assigned to them, but what about the interfaces that carry all the VLAN traffic? To this point, you have to consider trunk links a prime target for attacks as well, because they carry all the VLAN traffic. In essence, why buy the cow when you can break into the dairy farm?

To secure the trunk links, you can manually configure which VLANs are allowed to traverse the trunk links. Specifically, if you have changed your management VLAN, as mentioned previously, you can be sure that only switches that need access to that management VLAN receive that traffic over their trunks. Recall that by default, all VLANs are allowed over trunk links. By manually configuring which VLANs are allowed over each trunk, you limit the amount of data an attacker has access to.

The command switchport trunk allowed vlan vlan_list on a trunk interface manually specifies which VLANs are allowed to traverse the trunk. The vlan_list is similar to the interface range command, where the list is either a single VLAN, a comma-separated list of VLANs, or a hyphenated list of VLANs. For example, to allow only VLANs 1 to 50 and VLANs 60 and 70, the configuration would look like this:

Notice that the first section of the output does not specify the VLANs that are specifically allowed. That is because this first output illustrates which VLANs are allowed on the trunk. The management domain and spanning tree VLANs actually reflect the specific VLANs that we configured to traverse the link.

Cisco has also made these configurations simpler by adding some keywords that might simplify the VLAN list. For example, with the add and remove keywords, you can specify if you want to append or delete any VLANs in the current list of allowed VLANs. For example, if you wanted to add VLAN 75 to the preceding configuration and remove VLAN 70 from the allowed list, you would configure it like the following:

Notice how this change affects the VLAN list when we enter the show interfaces trunk command now:

Finally, Cisco also added the keyword except, which can be translated as “all VLANs except the VLANs in this list.” For example, if you wanted all VLANs except VLANs 60 to 70, you would enter this command:

Again, notice the changed VLAN list when you enter the show interfaces trunk command now:

VTP Passwords

In our discussions of routing protocols in earlier chapters, we discussed how to authenticate the updates sent by other routers so that attackers cannot inject false routes into a routing table and hijack traffic or disrupt normal routing. This is just as important with VTP updates between switches. An attacker can inject false VLAN information in VTP updates and bring down a switched network quite easily as long as he or she knows the VTP domain and has the highest revision number in the VTP update. To keep this from happening, be sure you take the extra step and configure passwords for switches participating in the VTP domain with the vtp password command:


This might sound like Cisco sacrilege, but you should consider disabling CDP on switch interfaces that do not need it, such as edge ports connected to end devices. If you consider the information someone can learn from CDP, you’ll realize the major security liability it can be. From just a single CDP multicast, an attacker could learn the hostname, the local port on the switch that sent the CDP message, and the switch’s IP address. With this information and strong motivation, it is only a matter of time before your switch and its networks are infiltrated. Recall that to disable CDP on individual interfaces, you must configure no cdp enable on each interface. If you have no need for CDP, disable it globally on the switch with the no cdp run command.

About the author


Leave a Comment