Version 1.

0
January 30, 2007
Essential lockdowns for Layer 2 switch security
By George Ou
Many security administrators don't think of security when it comes to Layer 2 of the network infrastructure (where
switches operate), and it's one of the most overlooked aspects of network security and reliability. In this article, I'll
show you how to fix the most common mistakes in switch configuration and architecture. Although I'll use Cisco in
my example, the tactics and lessons discussed here apply to any other vendor. These security procedures are a
must for any data network, especially when IP phones are being used.
Enable SSH and disable Telnet
The most obvious password to set on Cisco equipment is the password and enable secret. If you leave this blank,
your switch is wide open and anyone can see and nuke your VLAN configuration. When you have multiple
switches and multiple administrators, it's best to use AAA authentication mode and use a local user database,
centralized TACACS+, or RADIUS server for managing all your switches and administrators. TACACS+may be
more appropriate because it can log all events so that you have a history of all the changes made and who made
them in your switch and router infrastructure. But the most important thing to remember is to avoid using Telnet at
all cost and always implement SSH on all of your switches. Even if you don't have a crypto-enabled software
image on your switch, all the current images will still allow you to SSH into your switch. Always create a unique
username and password for each administrator. Then, you should enable SSH and kill Telnet.
Enable SSH and disable Telnet on Cisco Native IOS
Command Description
username admin1 privilege 15
password 0 Admin-Password
Creates an administrator called admin1.
Repeat for every admin.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
Sets to AAA mode using a local
database.
ip domain name MyDomain.com Creates a name used for certificate
crypto key generate rsa
Generate digital certificate. Use at least
768 bit Diffie-Hellman key.
line vty 0 4 go in to vty configuration
transport input ssh only permit SSH login

Page 1
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security

Enable SSH and disable TELNET on Cisco Catalyst OS
Command Description
set crypto key rsa 1024 Generates a 1024 bit RSA key
set ip permit 10.0.10.0 255.255.255.0 ssh
set ip enable
Explicitly permit SSH only from
specified IP range
Note that the Native IOS commands for Cisco Native IOS switches also work on Cisco IOS routers. Failure to use
SSH can result in password theft and grant full control of switching infrastructure to the attacker.
Lock down VTP and SNMP security
It may be hard to believe, but the vast majority of networks I visited during my consulting days did not have the
VTP domain password configured in their Cisco switches. If you leave this default, you might as well hand over
the keys to the kingdom and post your entire switch architecture on the World Wide Web for everyone to see. Use
the following commands in "config t" global configuration mode or in the "vlan data" VLAN Database Mode used in
older Cisco software images to lock down your VTP configuration. Be sure to use your own unique strings and IP
addresses in place of the sample arguments.
VTP configuration for Cisco Native IOS
Command Description
vtp domain My-VTP-name set the VTP name
vtp password My-VTP-password set the VTP password
vtp pruning turn on VTP pruning

VTP configuration for Cisco Catalyst OS
Command Description
set vtp domain My-VTP-name Set the VTP name
set vtp passwd My-VTP-password Set the VTP password
set vtp pruning enable turn on VTP pruning
You should also set your SNMP (preferably SNMP version 3) secrets, which are effectively passwords. Check this
document for a full guide to Cisco SNMP management. Here's an example of how to configure an SNMP read-only
and read-write server with the appropriate passwords in "config t" global configuration mode.
Page 2
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security

SNMP configuration for Cisco Native IOS
Command Description
snmp-server community MY-Read-Only-
string ro 50
Set read-only string for SNMP requests
coming from ACL 50
snmp-server community MY-Read-
Write-string rw 51
Set read-write string for SNMP
requests coming from ACL 51
access-list 50 permit IP-address-ro
Creates ACL of read-only SNMP
servers. More than one permitted.
access-list 51 permit IP-address-rw
Creates ACL of read-write SNMP
servers. More than one permitted.

SNMP configuration for Cisco Catalyst OS
Command Description
set snmp community read-only read-only-string Set read-only string
set snmp community read-write read-write-string Set read-write string
set snmp community read-write-all rwo-string Set read-write-all string
If you don't intend to use SNMP at all, you should turn it off on Native IOS with the " no snmp-server" command
in global configuration mode. You can skip all the previous SNMP commands.
Basic port lockdown
Switches should subscribe to the concept of least-privilege like everything else in security. The best way to set up
a switch is to turn off every port when deploying it and turn on the ports as you go. Furthermore, you should put
every port on an unused VLAN that goes nowhere and has no default gateway. You can create a VLAN labeled
"unused" with a designated VLAN number such as 333 and put all your ports on that VLAN. In the following
example, we have a typical Cisco IOS-based 48-port switch.
Basic port lockdown for Cisco Native IOS
Command Description
int range FastEthernet0/1 - 48 Go in to interface 1 - 48
switchport access vlan 333 Sets port to VLAN 333
switchport mode access Turns off auto VLAN trunking
shut Turns off port

Page 3
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
Basic port lockdown for Cisco Catalyst OS
Command Description
set vlan 333 1/1-2 Sets sup card ports to VLAN 333
set vlan 333 3/1-48 Sets all blade 3 ports to VLAN 333
set trunk 1/1-2 off Disables trunking on all sup card ports
set trunk 3/1-48 off Disables trunking on all blade 3 ports
set port disable 1/1-2 Turns off all ports on blade 1
set port disable 3/1-48 Turns off all ports on blade 3
Repeat "set vlan/trunk/port" commands for all blades and ports on switch
You will need to do this for all your switches, which may vary depending on the model and OS type. If you're using
some sort of stacking, you're going to have to do it for each stack. Then, as you plug in servers, you "no shut" the
port and set it to the proper VLAN or even convert it to a trunking port if it's actually needed. When you assign
VLANs to servers and workstations, NEVER use VLAN 1, which is the default native VLAN on switches, or
whatever VLAN number you manually assigned as native VLAN. Avoiding the use of the native VLAN on servers,
workstations, and other devices will defeat VLAN hopping attacks. If you don't run through this basic lockdown
procedure, all switch ports will be enabled by default on VLAN 1. This is how many people use their switches, and
it's a horrible mistake.
As you go through each port and connect new devices, you should use the "description My-Port-Name"
command in Cisco IOS to label each port properly. Cisco Catalyst OS uses the "set port name 3/43 My-Port-
Name" command to label ports. This is extremely useful with SNMP reporting servers like Solarwinds or HP
OpenView because the port descriptions will be picked up in the reporting. This is the best form of documentation
there is because it actually gets used.
Those who fail to use this basic port lockdown procedure are allowing anyone to trunk into their switch network
and connect to any VLAN they want.
VLAN trunking lockdown
Whenever VLAN trunking is used on any port, that trunking port should minimize the number of VLANs to just
those to be spanned across the switches. In the following example, we'll configure a trunk port to permit only
VLANs 12-14 and 20-22.
VLAN trunking lockdown for Cisco Native IOS
Command Description
interface GigabitEthernet1/0/2 Enter second gigabit port on Cisco 3750
switchport mode trunk Turns on trunking mode
Switchport trunk encapsulation dot1q Sets trunk type to IEEE 802.1q
switchport trunk allow 12-14, 20-22 Only allow VLANs 12-14 and 20-22

Page 4
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
VLAN trunking lockdown for Cisco Catalyst OS
Command Description
Clear trunk 1/1-2 1-1005 Sets sup card ports to VLAN 333
Clear trunk 3/1-48 1-1005 Disables trunking on all sup card ports
Repeat "clear trunk" command for every blade and ever port ...
Set trunk 1/2 12-14 Sets port 1/2 to permit vlans 12-14
Set trunk 1/2 20-22 Sets port 1/2 to permit vlans 20-22
Note that it takes a lot more work to clear the permitted VLAN trunks on a Catalyst OS by default because
everything is on by default. The fact that we specified VLANs 12-14 and 20-22 on Catalyst OS doesn't mean
anything because it's merely added to the bigger pool of 1-1005, which is on by default. On Cisco Native IOS,
every VLAN is blocked until otherwise specified.
Failure to lock down the permitted VLANs on a trunk means it's possible for connected devices to connect to more
VLANs than you may want.
STP BPDU and Root guard
Hackers can play all sorts of nasty tricks by sending BPDU traffic, which can force VLAN STP (spanning tree
protocol) recalculations that take at least 30 seconds to clear. This allows them to perform DoS (denial of service)
attacks indefinitely. They can also hijack traffic by pretending to be the STP root. BPDU guard and Root guard
can prevent these sorts of attacks.
STP BPDU and Root guard for Cisco Native IOS
Command Description
spanning-tree portfast bpduguard Enables BPDU guard on the switch
spanning-tree guard root Enables Root guard on the switch
spanning-tree rootguard Alternative command for some IOS versions

STP BPDU and Root guard for Cisco Catalyst OS
Command Description
set spantree portfast bpdu-guard enable Enables BPDU guard on the switch
set spantree guard root 1/1-2 Enables Root guard on blade 1
set spantree guard root 3/1-48 Enables Root guard on blade 3
Repeat "set spantree guard root" command for every blade/port ...
Page 5
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
Note that you must disable root guard and BPDU guard on ports that connect to other switches. Failure to
implement this security feature will permit hackers to run BPDU denial of service on the entire switch
infrastructure and to possibly intercept switch traffic.
Prevent CAM table and DHCP bombing
Hackers can take advantage the fact that there's a finite number of MAC and IP addresses that switches and
DHCP servers can hold. The hacker can change his MAC address to request multiple DHCP addresses from a
DHCP server and use up every single IP address in the DHCP pool. The hacker can also change his MAC
address very rapidly to quickly fill up the CAM table on any Ethernet switch. Once the CAM table fills up on an
Ethernet switch, it's effectively converted to an Ethernet hub. Besides massive performance degradation, the
switch is forced to broadcast every network transaction on every port, which allows the hacker to eavesdrop on
every device on the switch as if he were on a hub. To prevent CAM table and DHCP starvation attacks, you must
configure port security like the following example.
Prevent CAM table and DHCP bombing on Cisco Native IOS
Command Description
int range FastEthernet 0/1 - 48 Go in to interface 1 - 48
switchport port-security Turns on port security
switchport port-security maximum 5 Allow up to 5 MAC addresses
switchport port-security violation protect
Drop packets beyond 5 MAC
addresses.
switchport port-security aging time 2
switchport port-security aging type inactivity
Repeat these steps for all other ports and all other switches

Prevent CAM table and DHCP bombing on Cisco Catalyst OS
Command Description
set port security 1/1-2 enable Enables port security on all blade 1 ports
set port security 3/1-48 enable Enables port security on all blade 3 ports
set port security 1/1-2 port max 5 Allow 5 MAC addresses on blade 1
set port security 3/1-48 port max 5 Allow 5 MAC addresses on blade 3
set port security 1/1-2 violation
protect
Drop packets beyond 5 MAC addresses.
set port security 3/1-48 violation
protect
Drop packets beyond 5 MAC addresses.
Page 6
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
set port security 1/1-2 age 2
set port security 3/1-48 age 2
set port security 1/1-2 timer-type
inactivity

set port security 3/1-48 timer-type
inactivity

Repeat these commands on all other blades and ports
Note that you must disable port security on ports that connect to other switches.
Prevent DHCP, MAC, and IP spoofing
ARP and IP spoofing allow the hacker to pose as someone else in order to hijack traffic. DHCP spoofing allows
an attacker to put unsuspecting clients on an Ethernet segment under a bogus IP range that must flow through
the attacker to get to the rest of the network. All three methods are designed to hijack the flow of network traffic so
that the attacker can sniff out all sorts of secrets on the internal LAN. You can prevent these attacks by
implementing DHCP snooping, Dynamic ARP inspection, and IP Source Guard.
Prevent DHCP, ARP, and IP spoofing on Cisco Native IOS
Global Commands Description
ip dhcp snooping vlan 1-1000
Turn on DHCP snooping for VLANs 1-
1000
ip dhcp snooping Turn on DHCP snooping
no ip dhcp snooping information option
ip arp inspection vlan 1-1000 ARP inspection on VLAN 1-1000
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024
interval 10

Host Interface Commands Description
int range FastEthernet 0/1 - 48 Go in to interface 1 - 48
no ip arp inspection trust Locks down host ports for ARP
ip arp inspection limit rate 15 Sets ARP pps inspection rate
ip verify source vlan dhcp-snooping Turns on IP Source Guard
DHCP client Interface Commands Description
Page 7
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
no ip dhcp snooping trust Don't allow DHCP server
ip dhcp snooping limit rate 10 Limits rate of DHCP requests
Only use the following commands for trusted DHCP ports and ports that link to
other trusted switches. The commands below will reverse some of the commands
above. Failure to run the following commands for valid switch interconnects and
DHCP servers will break the network and DHCP.
DHCP servers Interface Commands Description
ip dhcp snooping trust This port allows DHCP servers
Switch Interface Commands Description
ip arp inspection trust
Unlocks port used to connect to trusted
switches
Note that Cisco Catalyst OS does not support these anti-spoofing features, so it's a good idea to migrate your big
CAT OS switches to Native IOS. This does mean that you will have to merge your MSFC router with the CAT OS
switch into a single Native IOS image.
Anti-spoofing is an extremely important component in Layer 2 defenses and hardens the switch infrastructure
from internal LAN threats. Internal threats should be taken just as seriously as external threats because a single
workstation that's compromised by malware and rootkit turns an external threat into an internal threat.
Limit the size of STP domains
This is one aspect of switch architecture that is often overlooked. A single STP (spanning tree protocol) domain
should never be permitted to grow too large or get overly complex. I have been on campuses where a single user
took down an entire campus with thousands of computers and IP telephones just by accidentally plugging in a
small desktop switch and then accidentally looping a CAT-5 cable back into itself. The same network had
mysterious campus-wide VLAN disruptions whenever something in the STP domain issued a BPDU request that
caused an STP recalculation, which locked up the entire campus for 30 seconds at a time throughout the entire
day. The disruptions to the data network were bad enough, but it took the IP telephony infrastructure down as
well. Hundreds of people couldn't do their jobs because they had no data or phone access.
To avoid oversized and overly complicated STP topologies, you must route traffic instead of switching traffic.
Realistically, this means you must use Layer 3 capable switches instead of Layer 2 switches that only know how
to switch traffic and not route traffic. This also means that VLANs can't span across switches that don't belong in
the same STP switching domain. These kinds of architectural changes may mean a fundamental redesign of the
entire campus LAN, and it's not something to be taken lightly, but these issues must be considered before the
deployment of any IP telephony system.
Maintain the switch software to the latest stable build
One of the biggest and most common sins in network security is that people assume the switch and routing
infrastructure is the same as plumbing and that you never need to touch it. But if you're running a Cisco switch or
router on a software image that is more than half a year old, you probably have some kind of security vulnerability
on your router or switch. It's sad to say, but I've seen people run three- or four-year-old software images on their
Cisco equipment and think nothing of it.
ALWAYS update your networking equipment just like your client and server computers with the latest stable
software from your hardware vendor and keep an eye out for updates. All network and security engineers should
be asking themselves "When was the last time I upgraded the software on my network equipment?" Work out a
plan of action that includes an immediate and a longterm plan and present it to management. Be proactive and
don't wait for an incident to occur before acting.
Page 8
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security
Final thoughts
Layer 2 security is one of the most overlooked aspects of information security and is often missed in security
audits, especially when those audits focus more on policy rather than actual implementation. Hackers don't care
about policies, and they will take advantage of any security hole available to them. Layer 2 attacks are one of the
first things a hacker will deploy after getting root of a single computer inside the network. One other aspect of
Layer 2 attacks that's often overlooked are companies that implement VPN-based Wireless LAN security. Once
unauthenticated, anonymous clients are allowed onto an access point, which is typically connected directly to an
internal switch and segmented by VLAN, you can forget about Layer 2 security. It's very difficult to limit the
number of MAC addresses coming from an access point. For this reason it is highly recommended that VPN-
based wireless LAN security should be shunned for 802.1x-based wireless LAN security. TechRepublic offers its
"Ultimate guide to enterprise wireless LAN security" in the form of 10 free articles. The guide is also available in a
downloadable PDF format, which requires free registration.
Beyond these lockdown procedures is the next step in Layer 2 switch security, which is the wired version of
wireless LAN 802.1x security. Fortunately, the same infrastructure used for wireless LAN authentication also
works for wired authentication. Port-based security basically says that we won't let you on our Layer 2 switch
infrastructure, even if you plug into a port, until you prove who you are and that you're authorized to get onto the
network. Although many corporations have implemented 802.1x wireless LAN security, not many have
implemented the wired version of 802.1x. Windows XP automated wireless LAN 802.1x configuration but did not
automate wired LAN 802.1x configuration. This is about to change with Vista, which automates wired and wireless
LAN 802.1x configurations.
In addition to the 802.1x enhancements made, Vista also adds a NAP (Network Access Protection) client, which is
Microsoft's version of the NAC (Network Access Control) standard. NAP or NAC takes the concept of 802.1x port-
based security one step further by not only demanding authentication and authorization from the client before
they're allowed on the network, but also by assessing the health of the client. If a client can prove who they are
and that they're authorized on the network, they must still prove that they are healthy. NAC health is usually
defined as fully patched for security vulnerabilities, proper host-based firewall implementation, and up-to-date
antivirus definitions. If an authorized client computer fails the health test, they are put into quarantine on an
isolated network until they remediate themselves with the proper updates.
The ideal network of today implements all of the lockdown procedures mentioned in this article. The ideal network
of tomorrow will implement everything in this article in addition to NAP/NAC.
Page 9
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Essential lockdowns for Layer 2 switch security

Additional resources
TechRepublic's Downloads RSS Feed
Sign up for TechRepublic's Downloads Weekly Update newsletter
Sign up for our Cisco Routers and Switches newsletter
Sign up for our Network Security NetNote
Check out all of TechRepublic's free newsletters
"Ultimate guide to enterprise wireless LAN security" (TechRepublic download)
"Build a fast, reliable, and affordable switch infrastructure for your datacenter" (TechRepublic download)
Version history
Version: 1.0
Published: J anuary 30, 2007
Tell us what you think
TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible.
Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback.
Please take a minute to drop us a line and tell us how well this download worked for you and offer your
suggestions for improvement.
Thanks!
The TechRepublic Downloads Team

Page 10
Copyright 2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html