L2 Security - Doubt about mixing technologies(DOT1X,DAI,BPDU Guard)

babalao
Spotlight

Hello!

I have this doubt.

If a network uses 802.1x, with host-mode multi-domain for example (only allowing one MAC for DATA and one MAC for VOICE).

Is it worth it (I mean, does it add security) enabling the following?

- Port Security? - My answer would be not necessary.

- DHCP Snooping? I guess this one yes (and it is needed for DAI).

- DAI? - Here I'm not sure. This prevents ARP spoofing, but with dot1x do I already prevent this attack?

- BPDU Guard? - Here I'm not sure, because if someone plugs in a SW, dot1x is not going to allow the traffic, right?

I mean, what L2 security features do I not need to enable when I am already using 802.1x?

Thank you!

Regards.

7 Replies

@babalao port security is not supported on the same interface when using 802.1x. DHCP snooping information is used by ISE for profiling if device sensor is also enabled on the switch, and is also used in conjunction with the device tracking feature to learn the IP address (important when using DACLs). DAI is probably pointless if using 802.1X in closed mode and authenticating only known devices, as no untrusted devices that could potentially do harm on the network would be authenticated.

The Cisco ISE wired prescriptive guide covers all the recommended switchport configuration and complementary features - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

I will start from STP.
PortFast and BPDU Guard can work with dot1x, and Cisco also recommends using PortFast for dot1x ports.

Then DAI and port-security: NO, I don't recommend using two or more L2 security features on the same port. The issue is that one works and the other doesn't, or one adds the MAC and the other doesn't make the port active; this leads you to more issues. So no need for DAI (DHCP snooping also) and port-security.

thanks 

MHM

babalao
Spotlight

Hello,

So you all would agree that with dot1x configured I am safe from many L2 attacks and I DO NOT NEED other features like:

DAI

Thank you!

@babalao you do not need DAI if using 802.1X

-Friend
802.1x is L2 security and you don't need DAI (additional L2 security).
MHM

babalao
Spotlight

Hello,

thank you for the replies.

DHCP snooping would be needed, right? Because it guards against other attacks?

So if I have dot1x, is DHCP snooping needed or not? What do you think?

Thank you!

Regards.

@babalao yes, in an 802.1X NAC environment DHCP snooping helps with profiling the device and learning the IP address/MAC binding. DHCP snooping will obviously also prevent rogue DHCP servers, less a concern in 802.1X closed mode if all devices connected to the LAN are authenticated and therefore trusted.

https://community.cisco.com/t5/network-access-control/ise-and-dhcp-snooping/td-p/2473425
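The combination the thread converges on (802.1X multi-domain on the access port, PortFast and BPDU Guard, DHCP snooping with device tracking, no DAI and no port-security on the dot1x port), written out as an added IOS configuration example that is not from the thread or from the Cisco guide linked above. Interface names, VLAN numbers and the RADIUS server are assumed placeholders, and the exact device-tracking syntax depends on the IOS/IOS-XE version.

```cisco
! --- global: AAA and 802.1X ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-RADIUS-KEY
dot1x system-auth-control

! --- global: DHCP snooping kept for rogue-DHCP protection and IP/MAC learning ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! device tracking learns the IP behind the authenticated MAC (needed for dACLs);
! on newer IOS-XE this is configured with "device-tracking" policies instead
ip device tracking

! --- access port: dot1x multi-domain, PortFast + BPDU Guard, no DAI, no port-security ---
interface GigabitEthernet1/0/1
 description user + phone, 802.1X closed mode
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! deliberately absent: switchport port-security, ip arp inspection
 ! (not combined with 802.1X on the same port, per the replies above)

! --- uplink: the only place DHCP offers are trusted ---
interface GigabitEthernet1/0/48
 description uplink to distribution / DHCP server path
 ip dhcp snooping trust
```

Verify with `show dot1x interface Gi1/0/1 details`, `show ip dhcp snooping binding` and `show spanning-tree interface Gi1/0/1 portfast` that the port authenticates, the DHCP-learned IP/MAC binding appears, and PortFast is active.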