Hotel Layer 2 Security questions

jkay18041
Level 3

We are replacing our HP switches in a hotel with Cisco 3750X-48P-S for all access ports. I have requested some security steps to be taken, as this hotel has a host of high-tech guests and Layer 2 security is a concern. The company who manages the guest network doesn't seem too concerned with it, so I was hoping to get some suggestions. On the switch ports that are located in each room that a guest can use for a hard-wired connection, I am proposing this:

 

switchport mode access

switchport access vlan x

switchport protected 

switchport port-security maximum 1 (set the aging type to inactivity, 60 seconds)

no vtp

no cdp enable

spanning-tree bpduguard enable (would set the reset timer to 120 seconds or so)

Should we add an ip arp inspection of some sort?

 

My vendor just wants to do switch mode access and switchport protected. I've always been told not doing spanning tree on a access port is asking for issues. They say they'd like to turn spanning tree off entirely on the switch.

 

Thank you

 

 

1 Accepted Solution

Accepted Solutions

Hello

You are correct in your concerns; L2 security, in my opinion, is almost always overlooked.

I wouldn't turn off spanning-tree, that's for sure, and would even consider applying some additional security for the guest user VLAN such as DHCP snooping/dynamic ARP inspection/IP source guard and even storm control, but it all depends on your network.

Error recovery is okay, but I wouldn't suggest enabling it for bpduguard and ARP inspection.

 

FYI - a protected port only negates communication to another protected port, so any unprotected ports are accessible.


example:

errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval x

ip dhcp snooping    < global enable is required in addition to the per-VLAN line
ip dhcp snooping vlan x    < remember to trust ports you don't want to be snooped
ip arp inspection vlan x    < remember to trust ports you don't want to be inspected

interface GigabitEthernet1/0/1
description Data_Vlan
switchport access vlan x
switchport mode access
switchport nonegotiate
switchport port-security maximum x
switchport port-security
switchport port-security aging time x
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport protected 
storm-control broadcast level x.00
storm-control multicast level x.00
storm-control unicast level x.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
ip arp inspection limit xx  <default 15>
udld port aggressive
no cdp enable


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

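As an added example, not code from this thread or from Cisco: a small Python audit script that reads a 3750-style running-config and reports which guest-room access ports are missing the per-port hardening listed in the accepted answer, and which global prerequisites (the global `ip dhcp snooping` enable, the per-VLAN snooping and DAI lines) are absent. The running-config text and the guest VLAN id (20) are constructed for the example; the interface and global command strings are the ones shown in the thread.

```python
"""Audit a Cisco IOS running-config for guest-port Layer 2 hardening.

Added example, not part of the original thread. The sample config below is
constructed; VLAN 20 is an assumed guest VLAN.
"""
import re
from typing import Dict, List, Tuple

GUEST_VLAN = "20"  # assumed guest VLAN id

# Per-port commands the accepted answer puts on every guest access port.
REQUIRED_PORT_COMMANDS = [
    "switchport mode access",
    "switchport nonegotiate",
    "switchport port-security",
    "switchport protected",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
    "no cdp enable",
]

# Global prerequisites: DHCP snooping must be enabled globally AND per VLAN,
# and DAI uses the snooping binding table, so all three must exist.
REQUIRED_GLOBAL_COMMANDS = [
    "ip dhcp snooping",
    f"ip dhcp snooping vlan {GUEST_VLAN}",
    f"ip arp inspection vlan {GUEST_VLAN}",
]

# Constructed running-config: one fully hardened room port, one bare room
# port, one uplink, and (deliberately) no global "ip dhcp snooping".
SAMPLE_CONFIG = """\
!
ip dhcp snooping vlan 20
ip arp inspection vlan 20
!
interface GigabitEthernet1/0/1
 description Room101
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 1
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 description Room102
 switchport access vlan 20
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # "!" ends a configuration block
            current = None
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())   # indented = inside the block
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Return {interface: [missing items]} plus a '_global' entry when prerequisites are absent."""
    global_cmds, interfaces = parse_config(text)
    findings: Dict[str, List[str]] = {}
    missing_global = [c for c in REQUIRED_GLOBAL_COMMANDS if c not in global_cmds]
    if missing_global:
        findings["_global"] = missing_global
    for name, cmds in interfaces.items():
        if f"switchport access vlan {GUEST_VLAN}" not in cmds:
            continue                                    # only audit guest ports
        missing = [c for c in REQUIRED_PORT_COMMANDS if c not in cmds]
        if not any(re.match(r"switchport port-security maximum \d+$", c) for c in cmds):
            missing.append("switchport port-security maximum <n>")
        # A guest port marked trusted would let a guest bypass snooping and DAI.
        if "ip dhcp snooping trust" in cmds or "ip arp inspection trust" in cmds:
            missing.append("must not be a dhcp-snooping/arp-inspection trust port")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for target, items in audit(SAMPLE_CONFIG).items():
        print(f"{target}: missing {', '.join(items)}")
```

Run against a real `show running-config` capture, the script lists each guest-VLAN port that lacks port-security, BPDU guard, protected mode or CDP disable, and flags the global snooping enable when only the per-VLAN line is present; trunks and ports outside the guest VLAN are ignored.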

10 Replies

balaji.bandi
Hall of Fame

If the end device is always a customer device, setting up an access port is the best option, with a maximum allowed number of MAC addresses on that port.

 

If you know which room and which port a high-profile customer is on, then make 2 separate VLANs for best security.

 

BB


Hotel security is an area in which I do not have much expertise. I did find this link from Cisco which I hope might point you toward some recommendations

https://www.cisco.com/c/en/us/solutions/industries/hospitality.html

 

HTH

 

Rick



Leo Laohoo
Hall of Fame
The reason why the company is disenchanted about doing something about it is because of wireless.
How many hotel guest(s) actually use the wired network?

Each guest room has at least 1 wired connection. It gets used more than you would think, especially from government employees. 

How many access layer switches are you replacing? I definitely wouldn't turn off STP.

Someone mentioned DHCP snooping as well, would recommend this in addition to your suggested config.

Why would you turn off STP? I'm not trying to argue just trying to understand what your reasoning is. Everything I've read and a suggestion on this post have all said to make sure STP is on for access ports. I do agree with the DHCP snooping.

 

Thanks

Think you misunderstand me. I am saying I agree and would not turn off STP, despite what your supplier is saying in the original post.

I found another link from Cisco that has information that I hope you will find useful.

https://www.cisco.com/c/en_ca/solutions/industries/smart-connected-real-estate/trec.html

 

HTH

 

Rick


Ah my mistake, I just woke up and am a little slow.

 

Thanks
