Essential lockdowns for Layer 2 switch security

Failing to secure your switch architecture is like sending hackers an engraved invitation to attack your network. Yet security administrators often neglect to lock down Layer 2 of their network infrastructure. This comprehensive guide explains the essential procedures that will enable you to properly configure and secure your switch infrastructure.

Many security administrators don't think of security when it comes to Layer 2 of the network infrastructure (where switches operate), and it's one of the most overlooked aspects of network security and reliability.  In this article, I'll show you how to fix the most common mistakes in switch configuration and architecture.  Although I'll use Cisco in my examples, the tactics and lessons discussed here apply to any other vendor.  These security procedures are a must for any data network, especially when IP phones are being used.

Enable SSH and disable Telnet

The most obvious passwords to set on Cisco equipment are the login password and the enable secret.  If you leave these blank, your switch is wide open and anyone can see and nuke your VLAN configuration.  When you have multiple switches and multiple administrators, it's best to use AAA authentication mode with a local user database, a centralized TACACS+ server, or a RADIUS server for managing all your switches and administrators.  TACACS+ may be more appropriate because it can log all events so that you have a history of all the changes made, and who made them, in your switch and router infrastructure.  But the most important thing to remember is to avoid using Telnet at all cost and always implement SSH on all of your switches.  Even if you don't have a crypto-enabled software image on your switch, all the current images will still allow you to SSH into your switch.  Always create a unique username and password for each administrator.  Then, you should enable SSH and kill Telnet.

Enable SSH and disable Telnet on Cisco Native IOS

Command | Description
username admin1 privilege 15 password 0 Admin-Password | Creates an administrator called admin1.  Repeat for every admin.
aaa new-model | Switches to AAA mode using a local database.
aaa authentication login default local | Authenticates logins against the local user database.
aaa authorization exec default local | Authorizes EXEC (shell) access from the local database.
aaa authorization network default local | Authorizes network services from the local database.
aaa session-id common | Uses one session ID for all AAA records of a session.
ip domain name MyDomain.com | Sets the domain name that is needed before a key pair can be generated.
crypto key generate rsa | Generates the RSA key pair that SSH uses.  Use at least a 768-bit key.
line vty 0 4 | Enters VTY line configuration.
transport input ssh | Permits SSH logins only.

Enable SSH and disable Telnet on Cisco Catalyst OS

Command | Description
set crypto key rsa 1024 | Generates a 1024-bit RSA key.
set ip permit 10.0.10.0 255.255.255.0 ssh | Explicitly permits SSH only from the specified IP range.
set ip permit enable ssh | Enables the IP permit list for SSH so that only the listed addresses can connect.

Note that the Native IOS commands above also work on Cisco IOS routers.  Failure to use SSH can result in password theft and grant full control of the switching infrastructure to the attacker.

Lock down VTP and SNMP security

It may be hard to believe, but the vast majority of networks I visited during my consulting days did not have the VTP domain password configured in their Cisco switches.  If you leave this default, you might as well hand over the keys to the kingdom and post your entire switch architecture on the World Wide Web for everyone to see.  Use the following commands in "config t" global configuration mode or in the "vlan data" VLAN Database Mode used in older Cisco software images to lock down your VTP configuration.  Be sure to use your own unique strings and IP addresses in place of the sample arguments.

VTP configuration for Cisco Native IOS

Command | Description
vtp domain My-VTP-name | Sets the VTP domain name.
vtp password My-VTP-password | Sets the VTP password.
vtp pruning | Turns on VTP pruning.

VTP configuration for Cisco Catalyst OS

Command | Description
set vtp domain My-VTP-name | Sets the VTP domain name.
set vtp passwd My-VTP-password | Sets the VTP password.
set vtp pruning enable | Turns on VTP pruning.

You should also set your SNMP secrets (preferably using SNMP version 3), which are effectively passwords.  Cisco's SNMP configuration documentation gives a full guide to Cisco SNMP management.  Here's an example of how to configure an SNMP read-only and read-write community with the appropriate passwords in "config t" global configuration mode.  Note that these community-string commands configure SNMPv1/v2c; SNMPv3 is configured with user and group definitions (snmp-server group and snmp-server user) instead.

SNMP configuration for Cisco Native IOS

Command | Description
snmp-server community MY-Read-Only-string ro 50 | Sets the read-only string for SNMP requests coming from ACL 50.
snmp-server community MY-Read-Write-string rw 51 | Sets the read-write string for SNMP requests coming from ACL 51.
access-list 50 permit IP-address-ro | Creates the ACL of read-only SNMP servers.  More than one entry is permitted.
access-list 51 permit IP-address-rw | Creates the ACL of read-write SNMP servers.  More than one entry is permitted.

SNMP configuration for Cisco Catalyst OS

Command | Description
set snmp community read-only read-only-string | Sets the read-only string.
set snmp community read-write read-write-string | Sets the read-write string.
set snmp community read-write-all rwo-string | Sets the read-write-all string.

If you don't intend to use SNMP at all, you should turn it off on Native IOS with the "no snmp-server" command in global configuration mode.  You can skip all the previous SNMP commands.

Basic port lockdown

Switches should subscribe to the concept of least-privilege like everything else in security.  The best way to set up a switch is to turn off every port when deploying it and turn on the ports as you go.  Furthermore, you should put every port on an unused VLAN that goes nowhere and has no default gateway.  You can create a VLAN labeled "unused" with a designated VLAN number such as 333 and put all your ports on that VLAN.  In the following example, we have a typical Cisco IOS-based 48-port switch.

Basic port lockdown for Cisco Native IOS

Command | Description
int range FastEthernet0/1 - 48 | Enters interfaces 1 - 48.
switchport access vlan 333 | Sets the ports to VLAN 333.
switchport mode access | Turns off automatic VLAN trunking negotiation.
shut | Turns off the ports.

Basic port lockdown for Cisco Catalyst OS

Command | Description
set vlan 333 1/1-2 | Sets the sup card (blade 1) ports to VLAN 333.
set vlan 333 3/1-48 | Sets all blade 3 ports to VLAN 333.
set trunk 1/1-2 off | Disables trunking on all sup card ports.
set trunk 3/1-48 off | Disables trunking on all blade 3 ports.
set port disable 1/1-2 | Turns off all ports on blade 1.
set port disable 3/1-48 | Turns off all ports on blade 3.
Repeat the "set vlan", "set trunk", and "set port" commands for all blades and ports on the switch.

You will need to do this for all your switches, which may vary depending on the model and OS type.  If you're using some sort of stacking, you're going to have to do it for each stack.  Then, as you plug in servers, you "no shut" the port and set it to the proper VLAN or even convert it to a trunking port if it's actually needed.  When you assign VLANs to servers and workstations, NEVER use VLAN 1, which is the default native VLAN on switches, or whatever VLAN number you manually assigned as the native VLAN.  Avoiding the use of the native VLAN on servers, workstations, and other devices will defeat VLAN hopping attacks.  If you don't run through this basic lockdown procedure, all switch ports will be enabled by default on VLAN 1.  This is how many people use their switches, and it's a horrible mistake.

As you go through each port and connect new devices, you should use the "description My-Port-Name" command in Cisco IOS to label each port properly.  Cisco Catalyst OS uses the "set port name 3/43 My-Port-Name" command to label ports.  This is extremely useful with SNMP reporting servers like Solarwinds or HP OpenView because the port descriptions will be picked up in the reporting.  This is the best form of documentation there is because it actually gets used.

Those who fail to use this basic port lockdown procedure are allowing anyone to trunk into their switch network and connect to any VLAN they want.

VLAN trunking lockdown

Whenever VLAN trunking is used on any port, that trunking port should carry only the VLANs that actually need to span the switches.  In the following example, we'll configure a trunk port to permit only VLANs 12-14 and 20-22.

VLAN trunking lockdown for Cisco Native IOS

Command | Description
interface GigabitEthernet1/0/2 | Enters the second gigabit port on a Cisco 3750.
switchport trunk encapsulation dot1q | Sets the trunk type to IEEE 802.1Q.  On platforms that also support ISL this must be set before trunk mode is enabled.
switchport mode trunk | Turns on trunking mode.
switchport trunk allowed vlan 12-14,20-22 | Only allows VLANs 12-14 and 20-22 across the trunk.

VLAN trunking lockdown for Cisco Catalyst OS

Command | Description
clear trunk 1/1-2 1-1005 | Removes VLANs 1-1005 from the allowed list on the sup card ports.
clear trunk 3/1-48 1-1005 | Removes VLANs 1-1005 from the allowed list on all blade 3 ports.
Repeat the "clear trunk" command for every blade and every port.
set trunk 1/2 12-14 | Permits VLANs 12-14 on port 1/2.
set trunk 1/2 20-22 | Permits VLANs 20-22 on port 1/2.

Note that it takes a lot more work to clear the permitted VLAN trunks on a Catalyst OS by default because everything is on by default.  The fact that we specified VLANs 12-14 and 20-22 on Catalyst OS doesn't mean anything because it's merely added to the bigger pool of 1-1005, which is on by default.  On Cisco Native IOS, every VLAN is blocked until otherwise specified.

Failure to lock down the permitted VLANs on a trunk means it's possible for connected devices to connect to more VLANs than you may want.

STP BPDU and Root guard

Hackers can play all sorts of nasty tricks by sending BPDU traffic, which can force VLAN STP (spanning tree protocol) recalculations that take at least 30 seconds to clear. This allows them to perform DoS (denial of service) attacks indefinitely.  They can also hijack traffic by pretending to be the STP root.  BPDU guard and Root guard can prevent these sorts of attacks.

STP BPDU and Root guard for Cisco Native IOS

Command | Description
spanning-tree portfast bpduguard default | Enables BPDU guard on every PortFast-enabled port (global configuration mode).
spanning-tree guard root | Enables Root guard on the port being configured (interface configuration mode).
spanning-tree rootguard | Alternative interface command on some older IOS versions.

STP BPDU and Root guard for Cisco Catalyst OS

Command | Description
set spantree portfast bpdu-guard enable | Enables BPDU guard on the switch.
set spantree guard root 1/1-2 | Enables Root guard on blade 1.
set spantree guard root 3/1-48 | Enables Root guard on blade 3.
Repeat the "set spantree guard root" command for every blade and port.

Note that you must disable root guard and BPDU guard on ports that connect to other switches. Failure to implement this security feature will permit hackers to run BPDU denial of service on the entire switch infrastructure and to possibly intercept switch traffic.

Prevent CAM table and DHCP bombing

Hackers can take advantage of the fact that there's a finite number of MAC and IP addresses that switches and DHCP servers can hold.  The hacker can change his MAC address to request multiple DHCP addresses from a DHCP server and use up every single IP address in the DHCP pool.  The hacker can also change his MAC address very rapidly to quickly fill up the CAM table on any Ethernet switch.  Once the CAM table fills up on an Ethernet switch, it's effectively converted to an Ethernet hub.  Besides massive performance degradation, the switch is forced to broadcast every network transaction on every port, which allows the hacker to eavesdrop on every device on the switch as if he were on a hub.  To prevent CAM table and DHCP starvation attacks, you must configure port security as in the following example.

Prevent CAM table and DHCP bombing on Cisco Native IOS

Command | Description
int range FastEthernet0/1 - 48 | Enters interfaces 1 - 48.
switchport port-security | Turns on port security.
switchport port-security maximum 5 | Allows up to 5 MAC addresses per port.
switchport port-security violation protect | Silently drops frames from addresses beyond the 5 allowed.
switchport port-security aging time 2 | Ages out learned addresses after 2 minutes.
switchport port-security aging type inactivity | Ages addresses by inactivity rather than by absolute time.
Repeat these steps for all other ports and all other switches.

Prevent CAM table and DHCP bombing on Cisco Catalyst OS

Command | Description
set port security 1/1-2 enable | Enables port security on all blade 1 ports.
set port security 3/1-48 enable | Enables port security on all blade 3 ports.
set port security 1/1-2 maximum 5 | Allows 5 MAC addresses per port on blade 1.
set port security 3/1-48 maximum 5 | Allows 5 MAC addresses per port on blade 3.
set port security 1/1-2 violation restrict | Drops frames from addresses beyond the 5 allowed (Catalyst OS offers restrict or shutdown).
set port security 3/1-48 violation restrict | Drops frames from addresses beyond the 5 allowed.
set port security 1/1-2 age 2 | Ages out learned addresses after 2 minutes.
set port security 3/1-48 age 2 | Ages out learned addresses after 2 minutes.
set port security 1/1-2 timer-type inactivity | Ages addresses by inactivity rather than by absolute time.
set port security 3/1-48 timer-type inactivity | Ages addresses by inactivity rather than by absolute time.
Repeat these commands on all other blades and ports.

Note that you must disable port security on ports that connect to other switches.

Prevent DHCP, MAC, and IP spoofing

ARP and IP spoofing allow the hacker to pose as someone else in order to hijack traffic.  DHCP spoofing allows an attacker to put unsuspecting clients on an Ethernet segment under a bogus IP range that must flow through the attacker to get to the rest of the network.  All three methods are designed to hijack the flow of network traffic so that the attacker can sniff out all sorts of secrets on the internal LAN.  You can prevent these attacks by implementing DHCP snooping, Dynamic ARP inspection, and IP Source Guard.

Prevent DHCP, ARP, and IP spoofing on Cisco Native IOS

Global commands

Command | Description
ip dhcp snooping vlan 1-1000 | Turns on DHCP snooping for VLANs 1-1000.
ip dhcp snooping | Turns on DHCP snooping globally.
no ip dhcp snooping information option | Stops the switch from inserting DHCP option 82 into relayed requests.
ip arp inspection vlan 1-1000 | Turns on ARP inspection for VLANs 1-1000.
ip arp inspection log-buffer entries 1024 | Keeps up to 1024 entries in the ARP inspection log buffer.
ip arp inspection log-buffer logs 1024 interval 10 | Sends up to 1024 buffered entries to syslog every 10 seconds.

Host interface commands

Command | Description
int range FastEthernet0/1 - 48 | Enters interfaces 1 - 48.
no ip arp inspection trust | Locks down host ports for ARP (this is the default, stated explicitly).
ip arp inspection limit rate 15 | Limits ARP inspection to 15 packets per second per port.
ip verify source vlan dhcp-snooping | Turns on IP Source Guard.

DHCP client interface commands

Command | Description
no ip dhcp snooping trust | Does not allow a DHCP server to answer on this port.
ip dhcp snooping limit rate 10 | Limits the rate of DHCP requests.

Only use the following commands for trusted DHCP ports and ports that link to other trusted switches.  The commands below reverse some of the commands above.  Failure to run the following commands on valid switch interconnects and DHCP server ports will break the network and DHCP.

DHCP server interface commands

Command | Description
ip dhcp snooping trust | Allows DHCP server replies on this port.

Switch interface commands

Command | Description
ip arp inspection trust | Unlocks a port used to connect to a trusted switch.
ip dhcp snooping trust | Also needed on uplinks that carry DHCP server replies from another switch.

Note that Cisco Catalyst OS does not support these anti-spoofing features, so it's a good idea to migrate your big CAT OS switches to Native IOS.  This does mean that you will have to merge your MSFC router with the CAT OS switch into a single Native IOS image.

Anti-spoofing is an extremely important component in Layer 2 defenses and hardens the switch infrastructure from internal LAN threats.  Internal threats should be taken just as seriously as external threats because a single workstation that's compromised by malware and rootkit turns an external threat into an internal threat.

Limit the size of STP domains

This is one aspect of switch architecture that is often overlooked.  A single STP (spanning tree protocol) domain should never be permitted to grow too large or get overly complex.  I have been on campuses where a single user took down an entire campus with thousands of computers and IP telephones just by accidentally plugging in a small desktop switch and then accidentally looping a CAT-5 cable back into itself.  The same network had mysterious campus-wide VLAN disruptions whenever something in the STP domain issued a BPDU request that caused an STP recalculation, which locked up the entire campus for 30 seconds at a time throughout the entire day.  The disruptions to the data network were bad enough, but it took the IP telephony infrastructure down as well. Hundreds of people couldn't do their jobs because they had no data or phone access.

To avoid oversized and overly complicated STP topologies, you must route traffic instead of switching traffic.  Realistically, this means you must use Layer 3 capable switches instead of Layer 2 switches that only know how to switch traffic and not route traffic.  This also means that VLANs can't span across switches that don't belong in the same STP switching domain.  These kinds of architectural changes may mean a fundamental redesign of the entire campus LAN, and it's not something to be taken lightly, but these issues must be considered before the deployment of any IP telephony system.

Maintain the switch software to the latest stable build

One of the biggest and most common sins in network security is that people assume the switch and routing infrastructure is the same as plumbing and that you never need to touch it.  But if you're running a Cisco switch or router on a software image that is more than half a year old, you probably have some kind of security vulnerability on your router or switch.  It's sad to say, but I've seen people run three- or four-year-old software images on their Cisco equipment and think nothing of it.

ALWAYS update your networking equipment, just like your client and server computers, with the latest stable software from your hardware vendor and keep an eye out for updates.  All network and security engineers should be asking themselves, "When was the last time I upgraded the software on my network equipment?"  Work out a plan of action that includes an immediate and a long-term plan and present it to management.  Be proactive and don't wait for an incident to occur before acting.

Final thoughts

Layer 2 security is one of the most overlooked aspects of information security and is often missed in security audits, especially when those audits focus more on policy than on actual implementation.  Hackers don't care about policies, and they will take advantage of any security hole available to them.  Layer 2 attacks are one of the first things a hacker will deploy after getting root on a single computer inside the network.  One other aspect of Layer 2 attacks that's often overlooked is companies that implement VPN-based wireless LAN security.  Once unauthenticated, anonymous clients are allowed onto an access point, which is typically connected directly to an internal switch and segmented by VLAN, you can forget about Layer 2 security.  It's very difficult to limit the number of MAC addresses coming from an access point.  For this reason it is highly recommended that VPN-based wireless LAN security be shunned in favor of 802.1x-based wireless LAN security.  TechRepublic offers its "Ultimate guide to enterprise wireless LAN security" in the form of 10 free articles.  The guide is also available in a downloadable PDF format, which requires free registration.

Beyond these lockdown procedures is the next step in Layer 2 Switch security, which is the wired version of wireless LAN 802.1x security.  Fortunately, the same infrastructure used for wireless LAN authentication also works for wired authentication.  Port-based security basically says that we won't let you on our Layer 2 switch infrastructure, even if you plug into a port, until you prove who you are and that you're authorized to get onto the network.  Although many corporations have implemented 802.1x wireless LAN security, not many have implemented the wired version of 802.1x.  Windows XP automated wireless LAN 802.1x configuration but did not automate wired LAN 802.1x configuration.  This is about to change with Vista, which automates wired and wireless LAN 802.1x configurations.

In addition to the 802.1x enhancements made, Vista also adds a NAP (Network Access Protection) client, which is Microsoft's version of the NAC (Network Access Control) standard.  NAP or NAC takes the concept of 802.1x port-based security one step further by not only demanding authentication and authorization from the client before they're allowed on the network, but also by assessing the health of the client.  If a client can prove who they are and that they're authorized on the network, they must still prove that they are healthy.  NAC health is usually defined as fully patched for security vulnerabilities, proper host-based firewall implementation, and up-to-date antivirus definitions.  If an authorized client computer fails the health test, they are put into quarantine on an isolated network until they remediate themselves with the proper updates.

The ideal network of today implements all of the lockdown procedures mentioned in this article.  The ideal network of tomorrow will implement everything in this article in addition to NAP/NAC.

17 comments
wratholix

This is a great article, covers some of the essential points on how to standardize your port configuration securely.

speculatrix

excellent article, I think the cisco rune "switchport nonegotiate" is what you need to stop a connected device attempt to flip the port into a .1q "trunk"

ez_evb

The Great tool! Thanks ! Edina Zecevic

paul.stephenson

I'm struggling to discover exactly what the network command covers. I know it's network services, but is that to or through the switch? I.e., why do I need this command? Currently I have:
aaa authentication login default group admins group radius
aaa authentication login aaa-fallback enable
aaa authentication dot1x default group lan group radius
aaa authorization exec default group radius if-authenticated
This prompts me for auth if I login via telnet (ssh is my next job), so what does network do?

PScottC

You suggest using a maximum of 5 in the port-security configuration. Realistically, you would want to set the number to 1 (default). In a Cisco VOIP network, you set it to 3, because the Cisco IP phones have 2 MAC addresses (computer + phone = 3). Doing this will prevent users from attaching inexpensive hubs or switches without administrative assistance. In addition, for offices where there is a potential for rogue users you can use the "sticky-mac" feature. Instead of having to manually acquire the MAC address of each device and then typing it into the switch, the switch will automatically record the MAC of the first device to connect to the switch and restrict the port to only that device.
switchport port-security mac-address sticky
PSC

JodyGilbert

Has Layer 2 security been overlooked in your network protection scheme or have you implemented the necessary measures to eliminate risks? Has your organization been guilty of any of the security sins described here?

marcolinsan

Great info, well explained, just what I was looking to secure my switches!!

cousintroy

I am studying for my CCNA: Security exam and they recommend that, along with what the author said here, to explicitly tell all access ports to never allow negotiation with the command you mentioned speculatrix.

georgeou

Using 3 is fine if you want to be that restrictive about it. It all depends on your management policy. As for sticky MACs, I don't want the management headache and all the tickets that need to be open because of this. If I want to restrict rogue users, I'd much rather implement 802.1x for superior security and less of a management burden. MAC addresses can easily be faked; 802.1x can't.

georgeou

I've seen a lot of network implementations in my last career as an IT consultant. I would estimate based on what I've seen that the better enterprise networks implement 30% of these recommendations while most other networks implement 5% of the recommendations.

PScottC

In the main article, you suggest creating a login. I agree with that, but disagree with using the password option instead of the secret. Level 7 passwords are easily cracked; in fact there are several web-based crackers available. Using the secret option makes the password significantly more difficult to crack, if a sufficiently complex password is chosen.
username admin1 privilege 15 secret T#is1s@HardPassw0rd
This is a really good article. We actually implemented about 99% of your suggestions last year when we rebuilt our WAN.

IT cowgirl

I have spent the last year learning what all these security measures are used for and how to implement them on new switches at our environment. Our company has been using these secure practices long before I came along as a Network apprentice over a year ago. This is a Handy guide to keep and use when setting up any switch. Thanks for the Great tool!

georgeou

I'll review that password issue. If you've implemented 99% of the recommendations here, then your network team deserves a big pat on the back. I've encountered too many networks, large or small, that don't implement most of these things.

georgeou

Thanks, I'm glad it's handy for you. Your company is unfortunately the exception when it should be the rule. Every network I came across didn't implement most of these lock down procedures. Many security audits I've seen didn't even check this.