In order to follow along with this you should know what VLANs, trunking, DHCP, ARP, and Cisco layer 2 protections such as sticky MACs are.
Change native VLAN
By default most switches use VLAN 1 as the native VLAN. One of the reasons you should change the default is VLAN hopping. I have posted about this attack before; the short version is that frames on the native VLAN cross a trunk untagged, which makes it easier to get frames into other VLANs than the one your port is in. Wikipedia has a pretty good article on this: https://en.wikipedia.org/wiki/VLAN_hopping
One VLAN hopping attack is switch spoofing, where a device pretends to be a switch and negotiates a trunk, allowing it to talk to any VLAN. This is easily stopped by explicitly setting every port to trunk or access and disabling trunk auto-negotiation. Cisco has DTP enabled by default, so to disable it either issue switchport nonegotiate (which is only accepted once the port is statically set to access or trunk), or, preferably on an access port, just issue switchport mode access.
The other VLAN hopping attack is double tagging, which can easily be fixed by changing the native VLAN on trunks to an unused VLAN that no access port belongs to; the attack only works when the attacker's access port sits in the trunk's native VLAN. However keep in mind that dumb switches may actually cause you problems, since they may be using VLAN 1 as native and a native VLAN mismatch between neighbours leaks traffic. You could also set trunk ports to tag the native VLAN (vlan dot1q tag native), however the preferred method is to change the native VLAN.
The third one, which I mention in another article, is adding an interface to a device and setting the VLAN it uses. This is possible nowadays with all the virtualization: you can add a VM to a computer and set that NIC to a specific VLAN, and in Linux you can create virtual 802.1Q interfaces and assign them to specific VLANs. If your switchport allows both a phone VLAN and a computer VLAN, the Linux machine could tag a virtual interface as voice and later run an attack such as a MITM to listen to your phone conversations. This is easier to do on Linux, however it is possible on Windows. The mitigation is limiting the number of MACs that can connect on a port. Cisco has the port security feature, where you can limit the number of devices that can be on a port.
set access ports to access
The reason is that we don't want DTP (Dynamic Trunking Protocol) to negotiate a trunk on what should be an access port.
Use port security
The number of MAC addresses on a port needs to be limited. Most environments will have 2-3: one for the phone, one for the computer, and another for a device such as a printer going to the same ethernet jack in the wall. The Cisco default maximum is 1 address, and by default a violation shuts the port down (err-disabled). You can set the violation mode to protect, where frames from further MAC addresses are silently dropped, or restrict, which drops them and also logs the violation.
prevent STP and RSTP manipulation
Spanning tree is used to prevent loops. To prevent other devices from messing with it, use the BPDU guard and root guard features: BPDU guard err-disables an access port as soon as a BPDU arrives on it, and root guard stops a port from becoming the root port if a superior BPDU shows up, so a rogue switch cannot take over as root bridge.
turn off CDP on untrusted or unknown networks
Cisco Discovery Protocol sends all kinds of info about devices, including platform and software version, which can be used to make attacking other devices easier. I understand this may need to be on for devices such as phones, to connect them easily to a specific VLAN, ISE policy, or DHCP assignment. If that's the case, at least disable CDP on the ports that won't use that feature (no cdp enable per interface, or no cdp run to turn it off globally).
shut down all unused ports and assign them to a VLAN that isn't used
One of the reasons to do this is in case someone physically plugs a malicious device into an unused port on the switch.
DHCP snooping
This feature lets you mark the port your DHCP server is behind as trusted; DHCP server messages (offers and acks) arriving on untrusted ports are dropped, which stops rogue DHCP servers. It is enabled globally (ip dhcp snooping) and then per VLAN (ip dhcp snooping vlan ...). Remember to trust the uplink or server port (ip dhcp snooping trust), otherwise legitimate DHCP replies get dropped as well.
Dynamic ARP Inspection
ARP maps layer 2 MAC addresses to IP addresses. DAI prevents spoofed ARP replies, the basis of ARP-based man-in-the-middle (MITM) attacks. It is enabled per VLAN (ip arp inspection vlan ...) and relies on DHCP snooping, using the DHCP snooping binding database to verify that the sender MAC and IP in an ARP packet belong together; hosts with static addresses need an ARP ACL or their ARP traffic gets dropped. You can also configure DAI to drop ARP packets when the IP addresses in the packets are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses in the Ethernet header (ip arp inspection validate src-mac dst-mac ip).
Keep in mind that DHCP snooping and DAI won't prevent an attack where a device sends requests from many fake MAC addresses, flooding your DHCP server and exhausting your pool (DHCP starvation), which is a denial of service. DHCP snooping can rate-limit DHCP on untrusted ports (ip dhcp snooping limit rate), and by default it checks the DHCP client hardware address against the frame's source MAC, so the attacker has to spoof the source MAC as well. That is exactly what port security catches, so you will still need it to limit the number of MAC addresses a port can have.
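The items above (explicit access/trunk mode and no DTP, native VLAN off 1, port security, BPDU and root guard, CDP off where no phone needs it, unused ports shut, DHCP snooping with a trusted port, and DAI) are easy to check mechanically against a saved running-config. The script below is an added example written for this post, not a Cisco or vendor tool: it splits an IOS config into global lines and interface stanzas and reports which checks each port fails. The two configs embedded in it are constructed samples, the first a typical default-ish switch and the second the same ports hardened the way this post describes; the interface names and VLAN numbers are made up.

```python
# Audit a Cisco IOS running-config for the layer 2 hardening items in this post.
import re

# Constructed sample configs for this example, not copied from a real device.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree guard root
 ip dhcp snooping trust
!
"""

def parse_config(text):
    """Split an IOS config into global lines and {interface: [its lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):       # '!' closes a stanza
            current = None
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif re.match(r"interface \S+$", line):
            current = line.split()[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit_interface(name, lines):
    """Apply the per-port checks from this post to one interface stanza."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)
    if has("shutdown"):
        return []                                   # unused and shut down
    findings, trunk = [], has("switchport mode trunk")
    if not trunk and not has("switchport mode access"):
        findings.append("no explicit switchport mode, DTP can negotiate a trunk")
    if trunk:
        native = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport trunk native vlan")), 1)
        if native == 1:                              # IOS default native VLAN
            findings.append("native VLAN is 1, double tagging possible")
        if not has("switchport nonegotiate"):
            findings.append("DTP still running on trunk")
        if not has("spanning-tree guard root"):
            findings.append("no root guard")
    else:
        if not has("switchport port-security"):
            findings.append("no port security, MAC count unlimited")
        if not has("spanning-tree bpduguard enable"):
            findings.append("no BPDU guard")
        if not has("no cdp enable") and not has("switchport voice vlan"):
            findings.append("CDP enabled on a port with no phone")
    return [f"{name}: {f}" for f in findings]

def audit(text):
    """Return every finding for a config as 'where: what' strings."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping not enabled")
    elif not any("ip dhcp snooping trust" in ls for ls in interfaces.values()):
        findings.append("global: no trusted port, real DHCP offers are dropped too")
    if not any(l.startswith("ip arp inspection vlan") for l in global_lines):
        findings.append("global: Dynamic ARP Inspection not enabled on any VLAN")
    for name, lines in interfaces.items():
        findings += audit_interface(name, lines)
    return findings
```

Running audit(WEAK_CONFIG) lists twelve findings (the DTP, port security, BPDU guard and CDP gaps on the two edge ports, native VLAN 1 and missing nonegotiate and root guard on the uplink, and the two global ones), while audit(HARDENED_CONFIG) returns an empty list. The trusted-port check is there on purpose: turning on DHCP snooping without trusting the uplink is the classic self-inflicted outage. The checks key off literal IOS lines, so if you use the global spanning-tree portfast bpduguard default instead of per-port bpduguard, or ip arp inspection validate, extend the string matching accordingly.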