Chapter 10 Lab 10-1, Securing Layer 2 Switches

Topology

Objectives
 Prepare the Network.
 Implement Layer 2 network security features.
 Prevent DHCP spoofing attacks.
 Prevent unauthorized access to the network using AAA.

Background
A fellow network engineer that you have known and trusted for many years has invited you to lunch this week.
At lunch, he brings up the subject of network security and how two of his former co-workers had been
arrested for using different Layer 2 attack techniques to gather data from other users in the office for their own
personal gain in their careers and finances. The story shocks you because you have always known your
friend to be very cautious with security on his network. His story makes you realize that your business
network has been cautious with external threats, Layer 3–7 security, firewalls at the borders, and so on, but
insufficient at Layer 2 security and protection inside the local network.
When you get back to the office, you meet with your boss to discuss your concerns. After reviewing the
company’s security policies, you begin to work on a Layer 2 security policy.
First, you establish which network threats you are concerned about and then put together an action plan to
mitigate these threats. While researching these threats, you learn about other potential threats to Layer 2

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 37
 switches that might not be malicious but could threaten network stability. You decide to include these threats
in the policies as well.
Other security measures need to be put in place to further secure the network, but you begin with configuring
the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and
unauthorized access to the local network. You plan to test the configurations in a lab environment before
placing them into production.
Note: This lab uses Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and LAN
Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates “dual-ipv4-
and-ipv6 routing” and “lanbase-routing”, respectively. Depending on the switch model and Cisco IOS Software
version, the commands available and output produced might vary from what is shown in this lab. Catalyst
3650 switches (running any Cisco IOS XE release) and Catalyst 2960-Plus switches (running any supported
Cisco IOS image) can be used in place of the Catalyst 3560 switches and the Catalyst 2960 switches.
Note: This lab uses the Cisco WS-C2960-24TT-L switch with the Cisco IOS image c2960-lanbasek9-mz.150-
2.SE6.bin and the Catalyst 3560V2-24PS switch with the Cisco IOS image c3560-ipservicesk9-mz.150-
2.SE6.bin. Other switches and Cisco IOS Software versions can be used if they have comparable capabilities
and features. Depending on the switch model and Cisco IOS Software version, the commands available and
output produced might vary from what is shown in this lab.

Required Resources
 2 switches (Cisco 2960 with the Cisco IOS Release 15.0(2)SE6 C2960-LANBASEK9-M image or
comparable).
 1 switches (Cisco 3560 with the Cisco IOS Release 15.0(2)SE6 C3560-IPSERVICESK9-M image or
comparable).
 3 PC’s with Windows OS. One of the PCs should be equipped Wireshark, WinRadius, and Tftpd32
software.
 Ethernet and console cables

Part 1: Prepare for the Lab

Step 1: Prepare the switches for the lab
Use the reset.tcl script you created in Lab 1 “Preparing the Switch” to set your switches up for this lab.
Then load the file BASE.CFG into the running-config with the command copy flash:BASE.CFG
running-config.

Step 2: Configure basic switch parameters.

a. Loading BASE.CFG should have set the hostname, IP domain name, and shut down all of the interfaces
on each switch.
b. Configure enable secret, and VTY passwords. As with previous labs, if NETLAB compatibility is required,
use class as the enable secret and cisco as the VTY password.
c. Configure interface VLAN 99 on each switch with the management IP address shown in the topology
diagram.
d. Configure the access layer switches (ALS1 and ALS2) to use a default gateway IP address of
172.16.99.1.
e. Configure basic (unauthenticated) NTP in the network. Use DLS1 as the NTP master and have DLS2,
ALS1, and ALS2 synchronize to 172.16.99.3.

Page 2 of 37
f. Configure 802.1q trunking between the switches according to the diagram (Note that there are no
EtherChannels in this topology). Create and then use VLAN 666 as the native VLAN for all trunks. Also
turn off switchport negotiation on all trunks.

Configure all four switches. An example of DLS1 and ALS1 configuration follows:

Page 3 of 37
Page 4 of 37
Page 5 of 37
Page 6 of 37
ALS1(config)# enable secret class

Page 7 of 37
Page 8 of 37
Page 9 of 37
Step 3: Configure VTP on DLS2, ALS1, and ALS2.
a. Change the VTP mode of ALS1 and ALS2 to client. An example from ALS1:

Page 10 of 37
b. Change the VTP mode of DLS2 to server with no further configuration:

Page 11 of 37
Step 3: Configure VTP on DLS1.
Create the VTP domain on DLS1, and create VLANs 99, 100, and 200 for the domain.

Page 12 of 37
Page 13 of 37
Step 4: Configure host PCs.
Configure PCs Host A, B, and C with the IP address and subnet mask shown in the topology. Host A is in
VLAN 100 with a default gateway of 172.16.100.1. Host B is in VLAN 200 with a default gateway of
172.16.200.1. Host C is in VLAN 99 with a default gateway of 172.16.99.1.

Page 14 of 37
Step 5: Configure access ports.
Configure the host ports for the appropriate VLANs according to the diagram. Configure this on DLS1, ALS1,
and ALS2. An example from ALS1 is below (all ports on ALS1 should be in VLAN 100, all ports on ALS2
should be in VLAN 200):

Page 15 of 37
 .

Step 6: Configure Spanning-Tree Root switches

Configure DLS1 to be the primary root for VLANs 99 and 100 and secondary root for VLAN 200. Configure
DLS2 to be the primary root for VLAN 200 and the secondary root for VLANs 99 and 100.

Page 16 of 37
Step 7: Configure Routing and HSRP on DLS1 and DLS2.
On the DLS switches, create the SVIs for VLANs 100 and 200 using the addresses specified in the topology
diagram. Further, configure HSRP with preemption on all three networks. Configure DLS1 with a priority of
150 for VLAN 99 and 100, and DLS2 with a priority of 150 for VLAN 200. Configure this on DLS1 and DLS2.
An example from DLS1 is below:

Page 17 of 37
Page 18 of 37
Verify the configuration using the show vlan brief, show vtp status, show standby brief, and show ip
route command on DLS1. Output from DLS1 is shown here.
DLS1# show vlan brief

Page 19 of 37
DLS1# show vtp status

Page 20 of 37
DLS1# show standby brief

Page 21 of 37
DLS1# show ip route | begin Gateway

Page 22 of 37
Part 2: Implement Layer 2 network security features.
Step 1: Storm Prevention
When packets flood the local area network, a traffic storm occurs. This could degrade network performance.
Storm control features help to protect against such an attack. Storm control is typically implemented at the
access layer switch ports to mitigate the effects of a traffic storm before propagating to the network. Storm
control can also be implemented on trunk interfaces, including port-channel interfaces, to protect distribution-
layer devices from traffic saturation, which could have a much broader impact on the network.

Storm Control Command Options

0-100 0-100 Omitt Falling and Rising

Rising Threshold Falling Threshold is the high/low mark

storm-control [unicast | broadcast | 0-10,000,000,000 [k|m|g] 0-10,000,000,000 [k|m|g]

multicast ] level bps
Rising Threshold Falling Threshold

0-10,000,000,000 [k|m|g] 0-10,000,000,000 [k|m|g]

pps
Rising Threshold Falling Threshold

To accurately configure these levels, you must know the amount of these traffic types flowing in your network
during peak hours.

Page 23 of 37
When a traffic storm is detected and storm control is configured, the default response is to silently filter the
traffic. Storm control can optionally be configured to either shutdown the interface receiving the traffic storm or
to send an SNMP trap to the NMS.
a. Enable broadcast storm control on ports 0/6 and 0/15 - 0/24 on ALS1 with the parameters listed below. If
any storm is detected, an SNMP trap will be sent.
1) Unicast storms will be noted at 65% bandwidth usage, and abated at 35% bandwidth
2) Broadcast storms will be noted at 1000 pps and abated at 300pps
3) Multicast storms will be noted at 40% bandwidth usage and abated at 25% bandwidth

Page 24 of 37
Step 2: Demonstrate Storm Control Operation
To demonstrate the effects of storm control, configure unicast storm control on DLS1 interfaces F0/7 and F0/8
with purposely low numbers and then generate traffic from ALS1 that will cause the threshold to be exceeded.
a. At DLS1, configure F0/7 and F0/8 with the following:

b. Within a few seconds you will see a SYSLOG message on DLS1 indicating that a storm had been
detected and the interfaces shut down.

c. Reset the storm control configuration on DLS1 F0/7 and F0/8. Because the interfaces are now shutdown
due to an ERR-DISABLE, you have to manually reset them by issuing the shutdown and no shutdown
commands. While you do this, remove the storm control from the interfaces.

Page 25 of 37
Step 3: Configure Basic Port Security.
To protect against MAC flooding or spoofing attacks, configure port security on the VLAN 100 and 200 access
ports. Because the two VLANs serve different purposes—one for staff and one for students—configure the
ports to meet the different requirements.
The student VLAN must allow MAC addresses assigned to a port to change, because most of the students
use laptops and move around within the network. Set up port security so that only one MAC address is
allowed on a port at a given time. This type of configuration does not work on ports that need to service IP
phones with PCs attached or PC’s running virtual machines. In this case, there would be two allowed MAC
addresses. To enable security on a port, you must first issue the switchport port-security command by
itself.
The staff MAC addresses do not change often, because the staff uses desktop workstations provided by the
IT department. In this case, you can configure the staff VLAN so that the MAC address learned on a port is
added to the configuration on the switch as if the MAC address were configured using the switchport port-
security mac-address command. This feature, which is called sticky learning, is available on some switch
platforms. It combines the features of dynamically learned and statically configured addresses. The staff ports
also allow for a maximum of two MAC addresses to be dynamically learned per port.
a. Enter the configuration for the student access ports on ALS2. To enable basic port security, issue the
switchport port-security command.
Note: By default, issuing the switchport port-security command by itself sets the maximum
number of MAC addresses to 1, and the violation mode to shutdown. It is not necessary to specify the
maximum number of addresses, unless it is greater than 1.

Page 26 of 37
b. Verify the configuration for ALS2 using the show port-security interface command.

Page 27 of 37
Step 4: Configure Additional Port Security Parameters.
a. Enter the configuration of the staff ports on ALS1. First, enable port security with the switchport
port-security command. Use the switchport port-security maximum
#_of_MAC_addresses command to change the maximum number of MAC addresses to 2, and use the
switchport port-security mac-address sticky command to allow the two dynamically learned
addresses to be added to the running configuration.

b. Verify the configuration using the show port-security interface command.

Step 5: Configure Error Disabled Port Automatic Recovery

Once a violation occurs on a port, the port will transition to an error disabled state. The only way to clear a
port that has been error disabled is to perform a shutdown command and then a no shutdown on the
interface. This method, of course, requires manual intervention by an administrator.

Page 28 of 37
Error disabled ports can be configured to automatically recover from port security violations with the use of
the errdisable recovery cause command. An interval can be configured so that after a specified time the
port will automatically clear the violation.
The command to verify the error disable configuration is the show errdisable recovery.
Configure the switch to automatically recover an error disabled port caused from a port security violation.
Notice there are many different options for which you can configure error disable recovery. However, we will
configure it only for port-security violation.

Page 29 of 37
Page 30 of 37
Part 2: Configure IPv4 DHCP snooping
DHCP spoofing is a type of attack primarily where an unauthorized device assigns IP addressing and
configuration information to hosts on the network.
IPv4 DHCP servers reply to DHCPDISCOVER frames. These frames are generally BROADCAST, which
means they are seen all over the network. The attacker replies to a DHCP request, claiming to have valid
gateway and DNS information. A valid DHCP server might also reply to the request, but if the attacker’s reply
reaches the requestor first, the invalid information from the attacker is used. This can lead to a denial of
service or traffic interception.
The process we will use to see this work is to first verify that the DHCP DISCOVER is broadcast everywhere,
and then enable DHCP snooping to see this being stopped.
To do this, we will use Tftpd32's DHCP server function.

Page 31 of 37
Step 1: Verify DHCP Broadcast Operation

On Host C, configure the DHCP server

settings in Tftpd32 to support DHCP for
VLAN 200. The screenshot details the
settings:

a. On DLS1, issue the ip helper-address 172.16.99.50 command under interface VLAN 200.
b. Reassign interface f0/6 on ALS1 to VLAN 200.
c. On Host A, run Wireshark and have it collect on its ethernet interface. In the filter bar, type bootp and
press enter (this filters the output to show only packets related to DHCP).

d. On Host B, reconfigure the network interface to use DHCP. You should see that Host B receives an IP
address and other DHCP information.
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : GOOD-DHCP.SRV

Link-local IPv6 Address . . . . . : fe80::b8ee:7ffd:e885:8423%10
IPv4 Address. . . . . . . . . . . : 172.16.200.150
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.200.1
e. Return to Host A and you should see the DHCP traffic in the capture window.

Page 32 of 37
 If Host A were an attacker, it could craft DHCP server OFFER messages or other DHCP sever messages to
respond to Host B’ s DHCP request.
To help protect the network from such an attack, you can use DHCP snooping.

Step 2: Configure DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports are allowed to respond to
DHCP requests. Ports are identified as trusted or untrusted. Trusted ports permit all DHCP messages, while
untrusted ports permit (ingress) DHCP requests only. Trusted ports can host a DHCP server or can be an
uplink toward a DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response
packet into the network, the port is disabled. From a DHCP snooping perspective, untrusted access ports
should not send any DHCP server responses, such as a DHCPOFFER, DHCPACK, or DHCPNAK.
Configuring DHCP Snooping on a single switch is very simple. There are additional considerations when
configuring DHCP Snooping at the access layer of a multi-layer enterprise network. By default switches that
pass DHCP requests on to another switch will insert option-82 information, which can be used for various
management functions.
When a switch receives a DHCP frame that has option-82 information on an untrusted interface, the frame will
be dropped. The ip dhcp relay information trust-all command is one way to work around this
default behavior. It is not necessary to enable DHCP snooping on the distribution layer switches, although this
would allow DLS1 and DLS2 to trust ALS1 and ALS2 as relay agents.
a. Configure DLS1 and DLS2 to trust relayed DHCP requests (Option 82 preset with giaddr field equal to
0.0.0.0). Configure this on DLS1 and DLS2. An example from DLS1 is below:
DLS1(config)# ip dhcp relay information trust-all

b. Configure ALS1 and ALS2 to trust DHCP information on the trunk ports only, and limit the rate that
requests are received on the access ports. Configuring DHCP snooping on the access layer switches
involves the following steps:
 Turn snooping on globally using the ip dhcp snooping command.
 Configure the trusted interfaces with the ip dhcp snooping trust command. By default, all ports
are considered untrusted unless statically configured to be trusted. * Very Important * : The topology
used for this lab is not using EtherChannels. Remember that when an EtherChannel created, the
virtual port channel interface is used by the switch to pass traffic; the physical interfaces (and
importantly their configuration) is not referenced by the switch. Therefore, if this topology was using
EtherChannels, the ip dhcp snooping trust command would need to be applied to the Port
Channel interfaces and not to the physical interfaces that make up the bundle.
 Configure a DHCP request rate limit on the user access ports to limit the number of DHCP requests
that are allowed per second. This is configured using the ip dhcp snooping limit rate
rate_in_pps. This command prevents DHCP starvation attacks by limiting the rate of the DHCP
requests on untrusted ports.
 Configure the VLANs that will use DHCP snooping. In this scenario, DHCP snooping will be used on
both the student and staff VLANs.
Configure this on ALS1 and ALS2. An example from ALS1 is below:
ALS1(config)# ip dhcp snooping
ALS1(config)# interface range fastethernet 0/7 - 12
ALS1(config-if-range)# ip dhcp snooping trust
ALS1(config-if-range)# exit
ALS1(config)# interface range fastethernet 0/6, f0/15 - 24
ALS1(config-if-range)# ip dhcp snooping limit rate 20

Page 33 of 37
 ALS1(config-if-range)# exit
ALS1(config)# ip dhcp snooping vlan 100,200

c. Verify the configurations on ALS1 and ALS2 using the show ip dhcp snooping command.
ALS2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

circuit-id default format: vlan-mod-port
remote-id: 5017.ff84.0a80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)

----------------------- ------- ------------ ----------------
FastEthernet0/6 no no 20
Custom circuit-ids:
FastEthernet0/7 yes yes unlimited
Custom circuit-ids:
FastEthernet0/8 yes yes unlimited
Custom circuit-ids:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
FastEthernet0/9 yes yes unlimited
Custom circuit-ids:
FastEthernet0/10 yes yes unlimited
Custom circuit-ids:
FastEthernet0/11 yes yes unlimited
Custom circuit-ids:
FastEthernet0/12 yes yes unlimited
Custom circuit-ids:
<...OUTPUT OMITTED...>

Step 3: Verify IPv4 DHCP Snooping Operation

To verify DHCP Snooping is working, re-run the test conducted to observe DHCP operation without DHCP
snooping configured. Ensure WIRESHARK is still running on HOST_A. Issue the ipconfig /renew
command on HOST_B. In this case, the DHCPDISCOVER should NOT be seen at HOST_A.
Once validated, change ALS1 f0/6 back to VLAN 100 and make sure HOSTA and HOSTB have valid static IP
addresses assigned.

Page 34 of 37
Part 3: Configure AAA
AAA stands for Authentication, Authorization, and Accounting. The authentication portion of AAA is concerned
with the user being positively identified. Authentication is configured by defining a list of authentication
methods and applying that list to specific interfaces. If lists are not defined, a default list is used.
To demonstrate this we will use AAA to validate users attempting to log into the VTY lines of our network
devices. The AAA server will be a radius server on Host C (172.16.99.50) connected to DLS1's F0/6 . There
are many different radius server alternatives, but for this lab the program WinRadius is used.

Step 1: Configure Switches to use AAA to secure VTY line access

As it stands, all of the switches should have a statically assigned password of cisco on the VTY lines. This is
not a scalable configuration. It requires a single known password, and manual modification of each switch
individually as well as controlled dissemination of that single known password. Using centralized
authentication is a much simpler method, where each user uses their own unique username and password.
Ensure that Host C has connectivity to the gateway and all four switches.
Make the following configuration changes to all four switches:
a. Issue the aaa new-model global configuration command to enable AAA

Page 35 of 37
Configure the radius server to use authentication port 1812, accounting port 1813 and the shared key
WinRadius

b. Configure the VTY lines to use the REMOTE-CONTROL authentication method

Page 36 of 37
Step 2: Configure WinRadius
Use the instructions in Appendix A to setup, test, and run WinRadius. As a part of the configuration, you
should have the user account remote with the password cisco123.

Step 3: Test centralized VTY line authentication

Now from a host on the network, attempt to telnet to one of the switches. You should be required to enter a
username and password . Use the username of remote and the password of cisco123. Authentication
should be successful.

Step 4: End of Lab

Do not save your configurations. The equipment will be reset for the next lab.

Page 37 of 37