01-25-2024 05:51 AM
Hello!
I have this doubt.
If a network uses 802.1x, with host-mode multi-domain for example (only allowing one MAC for DATA and one MAC for VOICE).
Is it worth it (I mean, does it add security) enabling the following?
- Port Security? My answer would be: not necessary.
- DHCP Snooping? I guess this one yes (and it is needed for DAI).
- DAI? Here I'm not sure. This prevents ARP spoofing, but with dot1x do I already prevent this attack?
- BPDU Guard? Here I'm not sure, because if someone plugs in a switch, dot1x is not going to allow the traffic, right?
I mean, what L2 security features do I not need to enable when I am already using 802.1x?
Thank you!
Regards.
01-26-2024 10:26 AM - edited 01-26-2024 10:38 AM
-Friend
802.1x is L2 security and you don't need DAI (additional L2 security).
MHM
01-29-2024 05:22 AM - edited 01-29-2024 05:38 AM
@babalao yes, in an 802.1X NAC environment DHCP snooping helps with profiling the device and learning the IP address/MAC binding. DHCP snooping will obviously also prevent rogue DHCP servers, less of a concern in 802.1X closed mode if all devices connected to the LAN are authenticated and therefore trusted.
https://community.cisco.com/t5/network-access-control/ise-and-dhcp-snooping/td-p/2473425
01-25-2024 05:58 AM - edited 01-25-2024 06:39 AM
@babalao port security is not supported on the same interface when using 802.1x. DHCP snooping information is used by ISE for profiling if device sensor is also enabled on the switch, and it is also used in conjunction with the device tracking feature to learn the IP address (important when using DACLs). DAI is probably pointless if using 802.1X in closed mode and authenticating only known devices, as no untrusted devices that could potentially do harm on the network would be authenticated.
The Cisco ISE wired prescriptive guide covers all the recommended switchport configuration and complementary features - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
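To make the combination discussed in this thread concrete, here is an added example of a Cisco IOS switch configuration (not taken from the thread or from the ISE guide linked above) for a multi-domain 802.1X access port with the complementary features the replies mention: DHCP snooping feeding device sensor and device tracking, portfast with BPDU Guard, and no port security or DAI on the dot1x port. The interface names, VLAN IDs and the device-sensor list name are assumed placeholders; the RADIUS/AAA configuration towards ISE is assumed to already exist.

```cisco
! Added example, not from this thread. Gi1/0/1, Te1/1/1, VLANs 10/20 and
! DS_DHCP_LIST are placeholders; AAA/RADIUS towards ISE is assumed present.
!
! DHCP snooping: builds the IP/MAC binding table that device tracking and
! ISE profiling consume, and drops DHCP server replies on untrusted ports.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! Device sensor: sends the DHCP attributes of the endpoint to ISE through
! RADIUS accounting so ISE can profile the device.
device-sensor filter-list dhcp list DS_DHCP_LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list DS_DHCP_LIST
device-sensor accounting
device-sensor notify all-changes
!
! The uplink towards the real DHCP server must be trusted, otherwise
! legitimate DHCP offers are dropped by snooping.
interface TenGigabitEthernet1/1/1
 description UPLINK-TO-CORE
 switchport mode trunk
 ip dhcp snooping trust
!
! Access port: one data MAC and one voice MAC, each authenticated by
! 802.1X first and MAB as fallback. Port security is deliberately absent
! (not supported together with 802.1X on the same interface) and DAI is
! not enabled, as the replies above explain.
interface GigabitEthernet1/0/1
 description USER+PHONE
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 ! Edge port: skip STP listening/learning so supplicants are not delayed,
 ! and err-disable the port if a BPDU (i.e. another switch) ever appears.
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two notes on the assumptions. The `authentication ...` interface commands are the legacy IBNS 1.0 syntax; switches converted to IBNS 2.0 (`access-session` and `policy-map type control subscriber`) express the same behaviour differently, and on newer IOS-XE releases the legacy global `ip device tracking` has been replaced by `device-tracking` policies, so check the platform's own syntax. After a client authenticates, `show authentication sessions interface GigabitEthernet1/0/1 details` should show the session with its learned IPv4 address, and `show ip dhcp snooping binding` should show the matching IP/MAC entry; if the session shows no IP address, the usual cause is a missing `ip dhcp snooping trust` on the uplink or snooping not enabled for that VLAN.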
01-25-2024 06:21 AM
I will start from STP
Portfast and BPDU Guard can work with dot1x, and Cisco also recommends using portfast for dot1x ports.
Then DAI and port-security: no, I don't recommend using two or more L2 security features on the same port. The issue is that one works and the other doesn't, or one adds a MAC and the other doesn't and so the port is not made active; this leads you to more issues. So no need for DAI (DHCP snooping also) and port-security.
thanks
MHM
01-26-2024 10:17 AM
Hello,
so you would all agree that with dot1x configured I am safe from many L2 attacks and I DO NOT NEED other features like:
DAI
Thank you!
01-26-2024 10:18 AM
@babalao you do not need DAI if using 802.1X.
01-29-2024 05:15 AM
Hello,
thank you for the replies.
DHCP snooping would be needed, right? Because it guards against other attacks?
So if I have dot1x, is DHCP snooping needed or not? What do you think?
Thank you!
Regards.