Cisco® CCNA Security Exam Notes : VLAN Security

4. Secure Routing and Switching

4.6 VLAN Security

Describe the security implications of a native VLAN

1. Do not use VLAN 1, the default native VLAN and the VLAN every port belongs to out of the box, for management traffic; put switch management on a dedicated VLAN.

2. Limit the number of MAC addresses that can be learned on a given port with the port security feature.

3. Use BPDU guard and root guard to prevent an attacker from influencing or taking over the spanning-tree topology.

4. Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks, since it advertises platform, software version and addressing details to whatever is connected.

5. On a new switch, shut down all ports and assign them to a "parking lot" VLAN that is used for nothing else; bring a port up and move it to its production VLAN only when it is put into service.
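The heading above asks what the native VLAN implies for security, and the list does not spell it out. The Python model below is an added example for these notes, not part of the original page and not Cisco code. It builds 802.1Q frames in memory and applies two rules of trunking: frames in the trunk's native VLAN leave untagged, and a tagged frame arriving on a trunk is classified by its outermost tag. The MAC addresses, VLAN numbers and payload are constructed for the example. It shows why a native VLAN that also hosts access ports is a problem: a frame carrying two tags is stripped of its outer tag by the first switch and delivered by the second switch into whatever VLAN the inner tag names, while moving the native VLAN to an unused number keeps the frame in the sender's own VLAN.

```python
"""Model of native-VLAN handling on an 802.1Q trunk.

Added example for these notes, not Cisco code. Frames are built in memory;
the MAC addresses, VLAN numbers and payload are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

HOST_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
BROADCAST_MAC = b"\xff" * 6


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 plus a 16-bit TCI whose low 12 bits are the VID
    (priority and DEI bits left at zero)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], payload after the EtherType)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return frame[:6], frame[6:12], vids, frame[off + 2:]


def access_ingress(frame, access_vlan):
    """Frame enters an access port. Untagged frames, and frames tagged with the
    port's own access VLAN, are accepted into access_vlan (the matching tag is
    removed); a frame tagged for any other VLAN is dropped (None)."""
    dst, src, vids, payload = parse_frame(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None
    return access_vlan, build_frame(dst, src, vids[1:], payload)


def trunk_egress(vlan, frame, native_vlan):
    """Switch sends a frame it has assigned to `vlan` out a trunk. Native-VLAN
    frames leave exactly as held, with no tag added, so a tag still inside the
    frame stays in place. Any other VLAN gets its tag pushed in front."""
    if vlan == native_vlan:
        return frame
    dst, src, vids, payload = parse_frame(frame)
    return build_frame(dst, src, [vlan] + vids, payload)


def trunk_ingress(frame, native_vlan):
    """Neighbouring switch receives a frame on its trunk: a tagged frame is
    classified by its outer tag, which is popped; an untagged frame belongs
    to the native VLAN. Returns (vlan, frame)."""
    dst, src, vids, payload = parse_frame(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], build_frame(dst, src, vids[1:], payload)


def delivered_vlan(access_vlan, native_vlan, inner_vid=20):
    """A host on an access port in access_vlan sends a frame with two tags:
    outer = its own VLAN, inner = inner_vid. The frame crosses one trunk whose
    native VLAN is native_vlan. Returns the VLAN the second switch delivers
    it to, or None if the first switch dropped it."""
    frame = build_frame(BROADCAST_MAC, HOST_MAC, [access_vlan, inner_vid])
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    vlan, _ = trunk_ingress(trunk_egress(vlan, frame, native_vlan), native_vlan)
    return vlan


if __name__ == "__main__":
    # Defaults everywhere: access VLAN 1, native VLAN 1 -> frame lands in VLAN 20.
    print(delivered_vlan(access_vlan=1, native_vlan=1))
    # Native VLAN moved to an unused VLAN -> frame stays in the sender's VLAN 1.
    print(delivered_vlan(access_vlan=1, native_vlan=999))
```

The model deliberately ignores MAC learning, STP and the second switch's own access ports; the only thing it exercises is the tag handling on the trunk. Note that the fix is not just "native VLAN is not 1": any native VLAN that also contains access ports reproduces the same result, which is why the notes say to use a VLAN that is used for nothing else.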

Describe the security implications of PVLAN

PVLAN Edge: Private VLAN Edge, also called PVLAN Edge or the protected port feature, is a simple per-interface setting (switchport protected) that blocks direct Layer 2 communication between any two ports on the same switch that both have it enabled; a protected port still talks normally to unprotected ports. It is a much lighter feature than full private VLANs (a primary VLAN with isolated and community secondary VLANs), which is what "PVLAN" means in other contexts.

Assume a 24-port switch with a printer on port 23 and a router on port 24, and user workstations on ports 1-22. You want every workstation to reach the printer and the router but not to talk to any other workstation. Marking ports 1-22 as protected gives exactly that: no workstation-to-workstation traffic at Layer 2, while traffic to and from the shared resources on ports 23-24 that users need for their day-to-day work is unaffected.

Typical configuration commands on the switch are given below:

//the host ports

Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 22
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected

//the resource ports

//note the absence of "switchport protected"

Switch(config)#interface range fa0/23 - 24
Switch(config-if-range)#switchport mode access

This is a switch-local feature and has to be configured on every switch. It only stops traffic between protected ports on the same switch: two protected ports on different switches connected by a trunk can still reach each other, because the trunk port itself is not protected. Isolation that has to span switches calls for full private VLANs instead.

VLAN Trunking best practices:

1. Set the native VLAN to something other than VLAN 1. This matters because frames in the native VLAN are sent untagged over an 802.1Q trunk: if hosts sit in the native VLAN (VLAN 1 is the default for both the native VLAN and access ports), a host can send a frame carrying two 802.1Q tags, the first switch strips the outer one as native-VLAN traffic, and the next switch acts on the inner tag and delivers the frame into a VLAN the host does not belong to. Use an otherwise unused VLAN as the native VLAN (switchport trunk native vlan 999, for example) and do not place any access ports in it.

2. Disable trunk negotiation. Dynamic Trunking Protocol (DTP) is convenient when the device on the other end of a link may change over time, but it is also a security issue: an attacker plugged into a port that is still in its default dynamic mode can negotiate it into a trunk and then see traffic from every VLAN carried on it. Configure trunks statically with switchport mode trunk followed by switchport nonnegotiate, which stops the port from sending DTP frames, and configure user-facing ports with switchport mode access.

3. Allow only the VLANs that need to cross the trunk. By default a trunk carries every VLAN; use the command switchport trunk allowed vlan X,Y,Z to permit just the ones required. Fewer VLANs on the trunk means fewer VLANs an attacker can reach if the trunk or its neighbour is compromised.
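Both checklists on this page (the native VLAN list near the top and the trunking list just above) can be checked mechanically against a switch's running configuration. The Python audit below is an added example for these notes, not part of the original page and not a Cisco tool; it parses constructed `show running-config` text and flags interfaces that miss one of the points above. The interface names, address and VLAN numbers in SAMPLE_CONFIG are constructed, and the rules rely on the fact that IOS omits default settings from the running-config, so an absent `switchport trunk native vlan` line means native VLAN 1 and an absent `switchport trunk allowed vlan` line means all VLANs.

```python
"""Audit IOS running-config text against the trunk and port hardening points
in these notes. Added example, not Cisco code and not a complete review tool.
SAMPLE_CONFIG is constructed for the example."""

SAMPLE_CONFIG = """\
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree bpduguard enable
 no cdp enable
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonnegotiate
!
"""

PHYSICAL = ("fastethernet", "gigabitethernet", "tengigabitethernet")


def parse_interfaces(config):
    """Return {interface name: [stripped command lines]}. A stanza starts at an
    'interface X' line and ends at the next unindented line (usually '!')."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def _first_int(cmds, prefix, default):
    """Trailing number of the first command starting with prefix (e.g. the 999
    in 'switchport trunk native vlan 999'); default when IOS omitted the line."""
    return next((int(c.split()[-1]) for c in cmds if c.startswith(prefix)), default)


def audit(config):
    """Return a sorted list of (interface, finding) for checklist items that
    are missing or left at their insecure default."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        cmdset = set(cmds)
        if name.lower() == "vlan1" and any(c.startswith("ip address ") for c in cmds):
            findings.append((name, "management IP configured on VLAN 1"))
        if not name.lower().startswith(PHYSICAL):
            continue  # only physical switchports get the port checks
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        if "shutdown" in cmdset:
            if _first_int(cmds, "switchport access vlan ", 1) == 1:
                findings.append((name, "unused port shut down but left in VLAN 1; move it to a parking VLAN"))
            continue
        if mode == "trunk":
            if _first_int(cmds, "switchport trunk native vlan ", 1) == 1:
                findings.append((name, "trunk uses default native VLAN 1"))
            if "switchport nonnegotiate" not in cmdset:
                findings.append((name, "trunk still runs DTP; add 'switchport nonnegotiate'"))
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk allows all VLANs; restrict with 'switchport trunk allowed vlan'"))
        elif mode == "access":
            if "switchport port-security" not in cmdset:
                findings.append((name, "access port without port security"))
            if "spanning-tree bpduguard enable" not in cmdset:
                findings.append((name, "access port without BPDU guard"))
            if "no cdp enable" not in cmdset:
                findings.append((name, "CDP still enabled on access port"))
        else:
            findings.append((name, "no static switchport mode; port will negotiate trunking via DTP"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

The audit reads per-interface lines only. BPDU guard turned on globally with `spanning-tree portfast bpduguard default`, or CDP disabled for the whole switch with `no cdp run`, would still be reported as missing, so treat the output as a worklist to confirm on the device rather than a verdict. In the sample, FastEthernet0/1, FastEthernet0/4 and GigabitEthernet0/2 follow every point on the page and produce no findings; the other interfaces each show one of the defaults the checklists warn about.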
