Cisco provides several Layer 2 security technologies to secure the network infrastructure against various types of attacks. These include Spanning Tree Protocol (STP) security, port security, and VLAN Access Control List (VACL) security.
- STP Security: STP is a Layer 2 protocol that prevents loops in the network topology by blocking redundant paths. Attackers can abuse it by injecting forged bridge protocol data units (BPDUs) to manipulate the STP topology and cause a denial-of-service (DoS) condition. To prevent this, Cisco provides STP security mechanisms such as BPDU Guard, Root Guard, and Loop Guard. Although they were covered in a previous section, they are included here for completeness:
  - BPDU Guard: This feature disables the port if a BPDU from an unauthorized switch is received on it, preventing the attacker from manipulating the STP topology. It is applied to PortFast-enabled (edge) ports, which should never receive BPDUs; if a BPDU arrives on such a port, the port is disabled (placed in the err-disabled state).
  - Root Guard: This feature prevents unauthorized switches from becoming the root bridge. It is enabled on ports that should never lead toward the root, so the trusted root bridge chosen for the network keeps that role; a port that receives a superior BPDU is blocked instead of becoming a root port.
  - Loop Guard: This feature detects and prevents loops by monitoring the arrival of BPDUs on non-designated ports. If BPDUs stop arriving (for example, because a link has become unidirectional), the port is kept from transitioning to the forwarding state.
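The following Cisco IOS configuration is an added example (not taken from the page or from Cisco's documentation) showing how the three guards above are typically applied together with error-disable recovery and the show commands used to verify them. Interface names, the "downlink to access switch" role, and the 300-second recovery timer are assumptions for illustration.

```cisco
! Added example: STP guards on a Catalyst-style IOS switch (names/timers assumed)

! --- BPDU Guard: protect PortFast (edge) ports ---
! Global form: every PortFast-enabled port is error-disabled on any received BPDU.
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/5
 description Access port to end host (assumed)
 switchport mode access
 spanning-tree portfast
 ! Per-interface form, explicit on this port
 spanning-tree bpduguard enable
!
! --- Root Guard: keep the root bridge where the design places it ---
! Enable on ports facing switches that must never become root (downstream
! ports), never on the real uplink toward the root bridge.
interface GigabitEthernet1/0/24
 description Downlink to access switch (assumed)
 spanning-tree guard root
!
! --- Loop Guard: protect non-designated ports from unidirectional links ---
! Global form: a blocking port that stops receiving BPDUs goes to
! loop-inconsistent instead of forwarding. Per-interface alternative:
! "spanning-tree guard loop". Root Guard and Loop Guard are mutually
! exclusive on the same port.
spanning-tree loopguard default
!
! --- Recovery ---
! Without errdisable recovery a port shut by BPDU Guard stays down until an
! operator issues shutdown / no shutdown; 300 s auto-recovery is assumed here.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification ---
!   show spanning-tree summary            (which guards are enabled, port states)
!   show spanning-tree inconsistentports  (root- and loop-inconsistent ports)
!   show interfaces status err-disabled   (ports shut down by BPDU Guard)
```

When BPDU Guard fires it generates a syslog message on the switch, so forwarding `%SPANTREE-2-BLOCK_BPDUGUARD` events to the SIEM gives early warning of an unexpected switch or bridging host on an access port.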
- Port Security: Port security is a feature that restricts which devices can access the network by binding the MAC addresses of authorized devices to switch ports. This helps prevent unauthorized devices from accessing the network and protects against MAC spoofing attacks. Cisco provides various port security mechanisms, such as:
  - Static MAC address: This feature binds a specific MAC address to a port, so that only that device is accepted and other devices are restricted from accessing the port.
  - Sticky MAC address: This feature allows the switch to dynamically learn the MAC address of a device connected to a switchport and save it in the configuration. Once a device is connected and its MAC address is learned on the switchport, the address is permanently assigned to that port, and a different device subsequently attached to the switchport is denied by the switch.
  - MAC address limit: This feature limits the number of MAC addresses that can be learned on a port. By default, at least one MAC address per port can be secured. In addition to this default, a global resource of up to 1024 MAC addresses is available to be shared among the ports.
  - Port security age time: This feature specifies how long the addresses secured on a port remain secured. When the age time expires for a MAC address, its entry is removed from the port's secure address list.
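As an added example (not from the page or from Cisco's documentation), the IOS configuration below applies the four port security mechanisms above to two access ports: one with a statically bound MAC address and one with sticky learning, a MAC address limit, and an aging timer. The interface names, VLAN numbers, the MAC address 0011.2233.4455, and the timers are constructed for illustration.

```cisco
! Added example: port security on two access ports (names/addresses assumed)

! --- Port 1: statically bound MAC, e.g. a printer (MAC is constructed) ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 ! shutdown (the default) err-disables the port on violation and logs it
 switchport port-security violation shutdown
!
! --- Port 2: sticky learning for a desk with an IP phone and a PC ---
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 switchport port-security
 ! MAC address limit: phone + PC
 switchport port-security maximum 2
 ! Sticky: learned addresses are written into the running configuration
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them, raise syslog/SNMP trap,
 ! but keep the port up
 switchport port-security violation restrict
 ! Age time in minutes; "inactivity" ages an entry only when the device
 ! has been silent, "absolute" ages it regardless of traffic
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Caveats:
! - Sticky addresses survive a reload only after "write memory".
! - Aging does not touch static entries unless
!   "switchport port-security aging static" is also configured.
! - "violation protect" drops silently with no alert; avoid it where
!   detection matters.
!
! Optional auto-recovery of ports shut by a violation (interval assumed 300 s)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security
!   show port-security interface GigabitEthernet1/0/11
!   show port-security address
```

The `restrict` mode is usually the better choice for monitored environments: the port stays up for the legitimate device while the `%PORT_SECURITY-2-PSECURE_VIOLATION` syslog and the violation counter in `show port-security interface` give defenders a clear indicator that an unexpected MAC address appeared on the port.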
- VACL Security: VACLs are similar to access control lists (ACLs) but are applied to VLANs instead of interfaces. VACLs filter traffic based on Layer 2, 3, or 4 criteria and can be used to protect against various types of attacks, such as MAC flooding, VLAN hopping, and DHCP spoofing. Cisco provides various VACL security mechanisms, such as:
  - VLAN access lists and maps: This feature allows the switch to filter traffic per VLAN and provides granular control over that traffic. VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs, which are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VLAN maps let the switch map specific VLANs to actions such as permit (forward) or deny (drop), based on MAC or IP addresses. Each VLAN access map consists of one or more map sequences; each sequence has a match clause and an action clause. The match clause names the IP or MAC ACLs used for traffic matching, and the action clause specifies the action to take when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or against the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
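The evaluation rules just described (a permit entry in the match ACL selects the flow and stops evaluation, an unmatched flow falls through to the next sequence, and an implicit deny applies once an ACL of that packet type is referenced) are easiest to see in a concrete map. The IOS configuration below is an added example, not taken from the page or from Cisco's documentation; the VLAN number, the ACL and map names, and the 10.10.10.0/24 addresses and TCP port 3306 are constructed for illustration.

```cisco
! Added example: VACL on VLAN 10 dropping one flow, forwarding the rest
! (VLAN, names, addresses and port are assumed)

! Step 1: an IP ACL that identifies the traffic to act on. In a VACL the
! ACL's permit entries select matching traffic; the action is set in the map,
! so "permit" here does not by itself allow anything.
ip access-list extended BLOCK-TO-DB
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.250 eq 3306
!
! Step 2: the access map.
! Sequence 10: a flow matching a permit entry of BLOCK-TO-DB gets the action
! "drop" and evaluation stops there.
! Sequence 20: no match clause, so every remaining flow matches and is
! forwarded. Without sequence 20, IP packets not selected by any sequence
! would be dropped (implicit deny, because an IP ACL is referenced), while
! non-IP frames would still be forwarded because no MAC ACL is referenced
! for that packet type.
vlan access-map VLAN10-FILTER 10
 match ip address BLOCK-TO-DB
 action drop
vlan access-map VLAN10-FILTER 20
 action forward
!
! Step 3: bind the map to the VLAN. Unlike an interface ACL this applies to
! frames bridged within VLAN 10 as well as packets routed into or out of it,
! and it is not directional.
vlan filter VLAN10-FILTER vlan-list 10
!
! Verification:
!   show vlan access-map VLAN10-FILTER
!   show vlan filter
```

The catch-all `action forward` sequence is the part most often forgotten when a VACL is first deployed; leaving it out turns a targeted drop into an outage for every IP host in the VLAN, which is exactly the implicit-deny behaviour the text describes.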
In summary, Cisco provides several Layer 2 security technologies, such as STP security, port security, and VACL security, which can be used to protect the network infrastructure against various types of attacks. These features can be configured on Cisco switches to enhance the security posture of the network.