
Ask the Expert: Layer 2 Security on Cisco Catalyst Platforms

With Wilson Bonilla

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about issues in designing, planning, and implementing Layer 2 security in your LAN with expert Wilson Bonilla.

Wilson will cover topics that network engineers face daily such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, VLAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping on Cisco Catalyst platforms. With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.

Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.

Remember to use the rating system to let Wilson know if you've received an adequate response. 

Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, LAN, Switching and Routing subcommunity, shortly after the event. This event lasts through November 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.




Can you explain in which scenarios DHCP snooping is enabled/disabled in Cisco switches. What are the benefits of enabling it?

Hello rvg2k

In general:

DHCP snooping is disabled by default on all Catalyst platforms; it requires some additional configuration.

When should it be enabled?

There are many scenarios, but the point is: enable it when there may be a possibility of a rogue DHCP server.


In a company where employees bring their own devices to connect to the network, chances are that an employee brings a home router so that they have more ports available for their own benefit. If this router has DHCP capabilities, think of the possibility that this fake DHCP server starts providing IP addresses to other clients trying to connect to the network. As you can suppose, the client will end up with a duplicated IP address, or maybe with an invalid IP address for the VLAN they are in; this will end up as a connectivity issue.

Solution and benefits:

The solution to that scenario is DHCP snooping. Just like a firewall that inspects traffic, DHCP snooping is a layer 2 solution to protect against rogue DHCP servers. DHCP snooping keeps track of DHCP messages; if a DHCP Offer message is received on an untrusted interface it will be dropped, protecting clients from getting an IP address from an undesirable source.


Wilson B
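A configuration for the home-router scenario described above, added here as an example and not part of Wilson's answer. It assumes a Catalyst access switch running IOS, user VLAN 10, the uplink toward the legitimate DHCP server or relay on GigabitEthernet1/0/1, and user ports GigabitEthernet1/0/2-24; the VLAN number, interface numbers and rate-limit values are assumptions. Because the binding table that DHCP snooping builds is what dynamic ARP inspection and IP source guard check against, those two features are switched on in the same place.

```ios
! Enable DHCP snooping globally AND on the user VLAN (assumed VLAN 10).
! Until both lines are present, nothing is inspected.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Keep the binding table across reloads; DAI and IP Source Guard below
! depend on these bindings, and a reload would otherwise empty it.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Dynamic ARP Inspection on the same VLAN: ARP replies are checked against
! the snooping bindings, so a host cannot answer ARP for an address it was
! not leased.
ip arp inspection vlan 10
!
! Ports that go err-disabled on a rate-limit violation come back on their own.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Only the uplink toward the real DHCP server (or relay) is trusted.
! Server-originated messages (OFFER, ACK, NAK) arriving on any other port
! are dropped. If the uplink is a port channel, put "trust" on the
! Port-channel interface, not on the members.
interface GigabitEthernet1/0/1
 description Uplink to distribution / DHCP relay
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports stay untrusted (the default). A home router plugged in
! here can still act as a DHCP client, but any OFFER it sends is dropped.
interface range GigabitEthernet1/0/2 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 ! Cap client DHCP packets per second to stop an address-starvation flood.
 ip dhcp snooping limit rate 15
 ! Cap ARP packets per second on untrusted ports (DAI).
 ip arp inspection limit rate 15
 ! IP Source Guard: drop IP packets whose source address is not in the
 ! binding table for this port.
 ip verify source
!
! Verification (exec mode):
!   show ip dhcp snooping            -> VLANs enabled, trusted ports, rate limits
!   show ip dhcp snooping binding    -> MAC / IP / lease / VLAN / port learned
!   show ip arp inspection vlan 10   -> DAI state and drop counters
!   show ip verify source            -> IPSG filters active per port
```

Two things catch people on first deployment. First, `ip dhcp snooping information option` is on by default, so the switch inserts Option 82 into client packets on untrusted ports with giaddr 0.0.0.0; a Cisco relay upstream drops those unless it is told `ip dhcp relay information trust-all` (or the option is disabled on the access switch). Second, a DHCP server that hangs off an access port of this same switch must have its own port marked `ip dhcp snooping trust`, otherwise its OFFERs are dropped exactly like the rogue's.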

Hi, Wilson.
I have some questions concerning private VLANs. I understand how it has to be configured and how it works in general, but I have some questions concerning its functionality in depth.
As I understand it, during the frame encapsulation process the secondary VLAN is injected into the frame; then, when the switch, consulting its CAM table, decides to move the frame through the uplink (promiscuous port) with the primary VLAN, it removes the tag of the secondary VLAN from the frame and injects the tag of the primary VLAN. Am I right? If I am right, this technology is very like dot1q tunneling with VLAN translation.
If I am not right, please correct me. I need the explanation in terms of the OSI model.
Unfortunately nobody has given me an answer to my question.

Sent from Cisco Technical Support iPad App

CCNA, CCNA Security certified

Hello Alexey.

Please don't mix the concept of double-tag tunneling (QinQ) with private VLANs. QinQ adds an outer tag to the frames to keep track of where the traffic is sourced and where it is going.

Your comment:

With primary vlan it removes the tag of secondary vlan from the frame and injects the tag of primary vlan. Am i right?

That's not really how it works. Take into consideration the following topology:


Primary vlan is 10

Isolated vlan is 101

Community vlan is 102

When traffic from the secondary isolated VLAN is being forwarded to the promiscuous port, the trunk port in the switch will encapsulate the frame with the source VLAN (meaning the secondary VLAN), so if it was sourced from the isolated secondary VLAN it will be VLAN 100 (if sourced from the community VLAN it will be encapsulated with VLAN 101). Remember, it never double-tags the frame; only the secondary VLAN is encapsulated. The de-encapsulation process takes place later on.

Now, when the traffic comes back from the promiscuous port to the end host, the router will encapsulate the frame with the primary VLAN (the router and the promiscuous port are not PVLAN-aware); finally it is up to the switch to check the CAM table, find the MAC address and its VLAN assignment, and switch the traffic to the correct secondary VLAN. Later on the de-encapsulation process takes place.

Please let me know if the answer is satisfactory.


Wilson B

Thank you for your explanation, but it seems to me you didn't understand my question.
I fully realise that private VLAN technology differs from double tagging.
By the way, in your explanation you take 10, 101 (isolated) and 102 (community) as the example, but later you change them to 100 isolated and 101 community; it confused me a little.
I have attached my little drawing :) to this message to illustrate how I understand the private VLAN technology is working. In this example the promiscuous port is not configured as a private VLAN trunk. It is just a primary private VLAN promiscuous port.
So the questions are:
Does the tag change while moving inside the switch from the host port to the promiscuous port?
And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?

Sent from Cisco Technical Support iPad App

CCNA, CCNA Security certified

Hello Alexey.

Thank you for your question.

Does the tag change while moving inside the switch from the host port to the promiscuous port?

Never; an access port never tags traffic.

And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?

If the frame is incoming on the uplink connected to the switch it will come in with the primary VLAN; the same if the frame is outgoing to the uplink: it goes out with the primary VLAN tag.

When the traffic arrives at the switchport, it's up to the MAC address table which interface it will be destined to.

Please let me know if that clarifies your question.


Wilson B.
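The primary 10 / isolated 101 / community 102 topology used in the answers above, written out as an added configuration example; this is not code from the original posts. It assumes a PVLAN-capable Catalyst in VTP transparent mode (or VTP version 3), hosts on GigabitEthernet1/0/2-3, the router on GigabitEthernet1/0/24 and a standard 802.1Q trunk to a second PVLAN-aware switch on GigabitEthernet1/0/48; all port numbers and the subnet in the usage note are assumptions.

```ios
! PVLANs are not propagated by VTP versions 1 and 2, so the switch must be
! transparent (or run VTP v3) and the VLANs defined on every switch.
vtp mode transparent
!
vlan 101
 name ISOLATED
 private-vlan isolated
vlan 102
 name COMMUNITY
 private-vlan community
vlan 10
 name PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host port: talks only to the promiscuous port, never to another
! host in 101 or in 102.
interface GigabitEthernet1/0/2
 description Isolated host
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
!
! Community host port: talks to other 102 members and to the promiscuous port.
interface GigabitEthernet1/0/3
 description Community host
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102
!
! Promiscuous port: the router sees one ordinary access-like port in VLAN 10;
! the switch maps both secondaries onto it in both directions.
interface GigabitEthernet1/0/24
 description Router / default gateway (not PVLAN-aware)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 101,102
!
! A plain 802.1Q trunk between two PVLAN-aware switches carries 10, 101 and
! 102 as ordinary single tags: host-to-promiscuous traffic crosses it tagged
! with the secondary VLAN, promiscuous-to-host traffic tagged with the
! primary VLAN. Nothing is double-tagged.
interface GigabitEthernet1/0/48
 description Trunk to second PVLAN-aware switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,101,102
!
! Only if this switch itself routes for VLAN 10: the SVI must be told which
! secondaries it serves, otherwise hosts in 101/102 cannot reach the gateway.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification (exec mode):
!   show vlan private-vlan                       -> primary/secondary/type/ports
!   show interfaces GigabitEthernet1/0/2 switchport
!   show interfaces trunk                        -> 10,101,102 allowed on Gi1/0/48
```

One caveat a security reviewer will raise: private VLANs isolate hosts at layer 2 only. Two isolated hosts in 10.1.10.0/24 can still reach each other by sending packets to the router's MAC address, because the promiscuous port delivers them to the router and the router happily forwards them back into the same subnet. The usual fix is an ACL on the router interface (or a VACL on VLAN 10) that denies traffic sourced from 10.1.10.0/24 and destined to 10.1.10.0/24, e.g. `deny ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255` ahead of the permit.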

Hi Wilson,

Nice forum going on here. I just want to ask why VLAN replication takes some time from a switch in VTP server mode to a switch in VTP client mode.

I made a recent change in my network environment wherein I added a VLAN on the VTP server, but I had to check and troubleshoot on the VTP client since the VLAN still wasn't there. It popped up, I'm assuming, after less than a minute.

I did a Google search but wasn't able to find any solid technical explanation for this. Would you be able to explain this phenomenon?

Sent from Cisco Technical Support iPad App

Hello John.

By default, Catalyst switches issue summary advertisements in five-minute increments. Summary advertisements inform adjacent Catalysts of the current VTP domain name and the configuration revision number.

When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent. If you add a new switch to the network, it takes 5 minutes for it to hear an advertisement from the server.

If you want the VLAN propagated immediately (meaning before the advertisements are generated and sent again), then you need to create a VLAN so that the revision number changes and the new switch is updated, once the control checkpoints I just described have passed.


Wilson B.


Thanks for this info! The 5 mins is way too long and I thought I was going crazy!

Sorry, my switching is not that advanced; is there a command on the switch to shorten the 5-min VTP advertisement?

Is this the hello time/BPDU?

Hello John.

Actually the BPDU timer is 2 seconds; BPDUs are sent to calculate the layer 2 topology of spanning-tree. When talking about VTP, packets like VTP advertisements, subsets and summaries are the ones that come into play.


Wilson B.
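As an added example that is not part of the thread: how to see where a VTP client stands relative to its server, and the handful of lines that keep VTP from being the thing that takes the LAN down. The domain name, password, VLAN number and VTP version are assumptions; VTP version 3 needs a release that supports it on the platform in question.

```ios
! --- On the VTP server: the change that should propagate ---
! Creating a VLAN raises the configuration revision and makes the server send
! a subset advertisement right away; the 300-second timer only governs the
! periodic summary advertisements, so a connected client normally learns the
! VLAN within seconds, not minutes.
vlan 30
 name SERVERS
!
! --- On both server and client (exec mode): confirm they are in sync ---
! show vtp status
!   Compare "Configuration Revision" and "MD5 digest" on both switches; equal
!   values mean the client has the server's database. If the client stays
!   behind, check: domain name identical, password identical, VTP version
!   identical, and an active trunk between them (VTP rides on trunks only).
! show vtp counters
!   "Subset advertisements received" on the client should tick up right after
!   the VLAN is created on the server.
!
! --- Hardening: stop an unknown switch from overwriting the VLAN database ---
! A switch with the same domain name and a HIGHER revision number overwrites
! every server and client in the domain, deleting VLANs everywhere. A
! password makes a stray switch's advertisements fail the MD5 check; VTP v3
! additionally accepts a database only from the switch explicitly promoted
! with "vtp primary" in exec mode.
vtp domain CAMPUS
vtp password S3cret-vtp
vtp version 3
!
! --- Before plugging in a previously used switch ---
! Flipping through transparent mode resets its revision to 0, so it can only
! learn from the domain, never overwrite it. (Changing the domain name and
! back achieves the same.)
vtp mode transparent
vtp mode client
```

If you would rather not have any automatic VLAN propagation at all, `vtp mode transparent` on every switch removes the risk entirely at the cost of defining VLANs by hand on each switch; many production campuses make exactly that trade.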


I want to know more about MACsec and how it is implemented in a large environment.

Hello Daryl.

I also want to be honest with you: I don't have too much experience with MACsec in real troubleshooting scenarios, but let me share my knowledge of what I have studied about it.

MACsec is the standard for authenticating and encrypting packets between two MACsec-capable devices.

MACsec implementation:

        • Basically, the main function of MACsec applies in any scenario where you want to encrypt end users' traffic to avoid a spoofing attack. In a large environment you need to make sure the access layer switch supports MACsec.
        • 2960, 3550, 3750G and 3750E access layer switches do not support MACsec.
        • 3750-X and 3560-X switches support it with the addition of the C3KX-SM-10G module; notice that only the interfaces in the module are the ones that support MACsec, not the onboard interfaces.
        • 4900M and 4948E switches don't support MACsec.
        • Non-E 6500 chassis don't support MACsec.
        • 4500 switches only support MACsec with supervisor Sup7-E or Sup7L-E.
        • 4500-X does support MACsec.
        • Only 6500-E chassis with VS-S2T-10GE and WS-X6908 support MACsec.

NOTE: In a large environment it is very important that you know the hardware capabilities. Pay attention: not all Catalyst series switches support this feature, so there are some limitations.

Where should you use MACsec?

  • MACsec is often used in the access layer, where end users have direct access to the switchport itself; that doesn't mean it cannot be used between the access and distribution/core layers. (See the picture above for reference.)

What do you need to implement MACsec?

  • A supplicant: the end client; it must be running an application (Cisco AnyConnect) to manage encryption and MACsec negotiation.
  • Authenticator/switch: this is the intermediate device that relays the client credentials to the authentication server.
  • Authentication server: such as ACS.

What protocols does MACsec run?

  • EAP (Extensible Authentication Protocol): defines authentication between the supplicant and the authenticator.
  • EAP over LAN: encapsulation to transport EAP messages.
  • Key agreement / security association protocol: discovers peers and negotiates MACsec keys.
  • RADIUS/TACACS+: for communication between the switch and the authentication server.

Here is another example of how it works

Best regards.

Wilson B.
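A host-facing MACsec port configuration that ties together the three parties and the protocols listed above (supplicant, authenticator, authentication server; EAP/EAPoL, MKA, RADIUS), added here as an example and not taken from the original post. It assumes a Catalyst platform and IOS release on which MACsec/MKA is supported on the port being configured (check hardware support as the answer advises), a RADIUS server at 10.0.0.5, user VLAN 10 and port GigabitEthernet1/0/5; addresses, the shared secret, the policy name and interface are assumptions.

```ios
! AAA: 802.1X authentication and authorization against the RADIUS server.
! The server must return the EAP master session key (MS-MPPE attributes),
! because MKA derives the MACsec CAK from it; EAP-TLS or PEAP provide that.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key Sh4red-S3cret-ASSUMED
dot1x system-auth-control
!
! MKA policy: window-size 0 means strict replay protection (no reordering
! tolerated). Raise it only if the path between switch and host reorders.
mka policy MKA-STRICT
 replay-protection window-size 0
!
interface GigabitEthernet1/0/5
 description User port: 802.1X + MACsec to an AnyConnect supplicant
 switchport mode access
 switchport access vlan 10
 ! Enable 802.1AE on the port.
 macsec
 ! must-secure: the session is authorized only if the link is encrypted.
 ! A supplicant that authenticates but fails MKA gets no access.
 authentication linksec policy must-secure
 ! Port is controlled by 802.1X; one host per port.
 authentication port-control auto
 authentication host-mode single-host
 ! Re-authenticate periodically so keys are refreshed.
 authentication periodic
 authentication timer reauthenticate server
 ! A second MAC on the port is dropped silently rather than err-disabling.
 authentication violation protect
 mka policy MKA-STRICT
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification (exec mode):
!   show authentication sessions interface GigabitEthernet1/0/5
!       -> Status: Authorized, and the method (dot1x) that succeeded
!   show mka sessions
!       -> a Secured session with the peer's MAC and the CKN in use
!   show macsec interface GigabitEthernet1/0/5
!       -> cipher, Rx/Tx SC counters; InPktsNotValid / InPktsLate should stay 0
```

Two notes for a large rollout. Start with `authentication linksec policy should-secure` on a pilot group so that hosts whose NIC or supplicant cannot do MACsec still get on the network while you inventory them, and move to `must-secure` once the fleet is known; otherwise every non-capable device becomes a help-desk call. Switch-to-switch MACsec between access and distribution uses a different key exchange (SAP under `cts manual`, with a pre-shared PMK or 802.1X-derived keys) and is not shown here.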


Hi wilson

Can you please advise the recommended configurations to harden/secure a switch in a production network?


Sent from Cisco Technical Support iPhone App