The best practices for securing switches;
- Select an unused VLAN (other than VLAN1) and use for the native VLAN on all trunks
- Avoid using VLAN1 anywhere because it is the default
- Admin configure access ports as access ports so users cannot negotiate a trunk and disable the negotiation of trunking (no DTP)
- Limit the number of MAC addresses learned on a given port with the port security feature
- Turn of CDP on ports facing untrusted or unknown networks that do not require CDP for anything positive
- Shut down all unused ports and assign them to a VLAN that is not used for anything. Bring the ports up and assign to the correct VLAN as the ports are allocated and needed.
Locking down switch ports, 1) Access port configuration
int gig0/1 switchport mode access switchport access vlan 10 switchport nonegotiate !Disables DTP
- trunk port configuration
int gig0/1 switchport trunk encapsulation dot1q switchport mode trunk switchport trunk native vlan 5 switchport nonegotiate !Disables DTP
So why is it a bad idea to leave the interface to negotiation when it comes to trunking (DTP)?
It opens the network to a number of attack vectors, the main being – if you dont and a user connects to one of the DTP enabled ports and has custom software installed (couple of different tools exist) to allow it to send and receive both dot1q tagged frames can perform ‘VLAN hopping’. This allows acces to any VLAN desired by just tagging frames with the VLAN of choice.
Layer 2 security toolkit
A number of tools exist to help protect and secure layer 2, the following are some (key ones for CCNA security include port security, BPDU guard, root guard, DHCP Snooping and ACL);
[table id=19 /]