Participant

Hotel Layer 2 Security questions

We are replacing our HP switches in a hotel with Cisco 3750X-48P-S for all access ports. I have requested some security steps to be taken, as this hotel has a host of high-tech guests and Layer 2 security is a concern. The company that manages the guest network doesn't seem too concerned with it, so I was hoping to get some suggestions. On the switch ports located in each room that a guest can use for a hard-wired connection, I am proposing this:

 

switchport mode access
switchport access vlan x
switchport protected
switchport port-security
switchport port-security maximum 1
switchport port-security aging type inactivity
switchport port-security aging time 1           ! aging time is in minutes; 1 = 60 seconds of inactivity
no cdp enable                                   ! CDP is disabled per interface with "no cdp enable"
spanning-tree bpduguard enable
! VTP has no interface-level "no vtp" command; it is disabled globally with "vtp mode transparent"
! The BPDU guard reset timer is global: "errdisable recovery cause bpduguard" and "errdisable recovery interval 120"

Should we add IP ARP inspection of some sort?

 

My vendor just wants to do switchport mode access and switchport protected. I've always been told that not running spanning tree on an access port is asking for issues. They say they'd like to turn spanning tree off entirely on the switch.

 

Thank you

 

 

Accepted Solution
VIP Advisor

Re: Hotel Layer 2 Security questions

Hello

You are correct in your concerns; L2 security, in my opinion, is almost always overlooked.

I wouldn't turn off spanning-tree, that's for sure, and would even consider applying some additional security for the guest user VLAN, such as DHCP snooping, dynamic ARP inspection, IP source guard and even storm control, but it all depends on your network.

Error recovery is okay, but I wouldn't suggest enabling it for bpduguard and ARP inspection.

 

FYI: a protected port only blocks communication with other protected ports, so any unprotected ports are still accessible.


Example:

errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval x

ip dhcp snooping                 ! DHCP snooping must also be enabled globally before the per-VLAN command takes effect
ip dhcp snooping vlan x          ! remember to trust the ports you don't want snooped (uplinks, DHCP server)
ip arp inspection vlan 10        ! remember to trust the ports you don't want inspected

interface GigabitEthernet1/0/1
 description Data_Vlan
 switchport access vlan x
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum x
 switchport port-security aging time x
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 switchport protected
 storm-control broadcast level x.00
 storm-control multicast level x.00
 storm-control unicast level x.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip arp inspection limit rate xx   ! packets per second; default 15 on untrusted ports
 udld port aggressive
 no cdp enable



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

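The two configurations in this thread (the original proposal and the accepted answer's example) differ mainly in which controls are present on each guest port and which are only enabled globally. The script below is an added example, not code from the thread or from Cisco: it parses a running-config in IOS format, reports which of the controls Paul lists are missing from each access port, flags the global settings the accepted answer recommends (DHCP snooping, DAI, STP left on, no automatic err-disable recovery for bpduguard or arp-inspection), and lists which ports a protected port can still reach, which illustrates the caveat that protected ports only isolate from each other. The sample configuration, interface names and VLAN number are constructed for the example; the trunk is assumed to carry every VLAN.

```python
"""Audit an IOS running-config for the guest-port Layer 2 controls discussed
in this thread. Constructed example; the sample config below is made up."""
import re

# Interface-level controls expected on every guest access port
# (each regex matches one whole stripped config line).
PORT_CHECKS = {
    "port-security": r"^switchport port-security$",
    "port-security maximum": r"^switchport port-security maximum \d+$",
    "nonegotiate": r"^switchport nonegotiate$",
    "protected": r"^switchport protected$",
    "storm-control": r"^storm-control (broadcast|multicast|unicast) level ",
    "portfast": r"^spanning-tree portfast$",
    "bpduguard": r"^spanning-tree bpduguard enable$",
    "no cdp": r"^no cdp enable$",
}
# Global controls the guest VLAN needs; DAI relies on the DHCP snooping binding table.
GLOBAL_CHECKS = {
    "ip dhcp snooping": r"^ip dhcp snooping$",
    "ip dhcp snooping vlan": r"^ip dhcp snooping vlan \S+",
    "ip arp inspection vlan": r"^ip arp inspection vlan \S+",
}
# The accepted answer advises against automatic err-disable recovery for these causes.
RECOVERY_WARN = r"^errdisable recovery cause (bpduguard|arp-inspection)$"


def parse_config(text):
    """Split running-config text into global lines and per-interface sub-config."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue                      # blank lines and "!" comments/separators
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None                    # any unindented line ends the interface block
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def matches(pattern, lines):
    return any(re.match(pattern, line) for line in lines)


def audit(text):
    """Return {'global': [findings], <access port>: [missing control names]}.
    Only ports configured 'switchport mode access' are audited."""
    global_lines, interfaces = parse_config(text)
    findings = {"global": []}
    for name, pattern in GLOBAL_CHECKS.items():
        if not matches(pattern, global_lines):
            findings["global"].append(f"missing global: {name}")
    for line in global_lines:
        if re.match(r"^no spanning-tree vlan", line):
            findings["global"].append(f"STP disabled: {line}")
        m = re.match(RECOVERY_WARN, line)
        if m:
            findings["global"].append(f"errdisable recovery enabled for {m.group(1)}")
    for ifname, lines in interfaces.items():
        if not matches(r"^switchport mode access$", lines):
            continue
        findings[ifname] = [name for name, p in PORT_CHECKS.items() if not matches(p, lines)]
    return findings


def reachable_from_protected(text, vlan):
    """Ports a protected port in `vlan` can still talk to: every port carrying that
    VLAN that is not itself protected (simplification: trunks carry every VLAN)."""
    _, interfaces = parse_config(text)

    def carries(lines):
        return (matches(rf"^switchport access vlan {vlan}$", lines)
                or matches(r"^switchport mode trunk$", lines))

    return [name for name, lines in interfaces.items()
            if carries(lines) and "switchport protected" not in lines]


# Constructed sample: Gi1/0/1 mirrors the bare vendor proposal, Gi1/0/2 the hardened
# port from the accepted answer, Gi1/0/3 a forgotten port, Gi1/0/48 the uplink.
SAMPLE_CONFIG = """\
! constructed sample running-config, not from any real switch
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
errdisable recovery cause bpduguard
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport protected
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
"""

if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: {items or 'OK'}")
    print("reachable from a protected port in VLAN 10:",
          reachable_from_protected(SAMPLE_CONFIG, 10))
```

Run against a real `show running-config` export, the per-port list shows at a glance which rooms got the vendor's minimal config and which got the full set, and the reachability list is the set of ports (uplinks and any unprotected room port) that `switchport protected` alone does nothing about.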

VIP Advisor

Re: Hotel Layer 2 Security questions

If the end device is always a customer device, setting up an access port is the best option, with a maximum number of allowed MAC addresses on that port.

 

If you have a high-profile customer and you know which room and which port, then make 2 separate VLANs for best security.

 

BB
*** Rate All Helpful Responses ***
Hall of Fame Master

Re: Hotel Layer 2 Security questions

Hotel security is an area in which I do not have much expertise. I did find this link from Cisco which I hope might point you toward some recommendations

https://www.cisco.com/c/en/us/solutions/industries/hospitality.html

 

HTH

 

Rick

Hall of Fame Community Legend

Re: Hotel Layer 2 Security questions

The reason why the company is disenchanted about doing something about it is because of wireless.
How many hotel guest(s) actually use the wired network?
Participant

Re: Hotel Layer 2 Security questions

Each guest room has at least 1 wired connection. It gets used more than you would think, especially from government employees. 

Beginner

Re: Hotel Layer 2 Security questions

How many access layer switches are you replacing? I definitely wouldn't turn off STP.

Someone mentioned DHCP snooping as well; I would recommend this in addition to your suggested config.

Participant

Re: Hotel Layer 2 Security questions

Why would you turn off STP? I'm not trying to argue just trying to understand what your reasoning is. Everything I've read and a suggestion on this post have all said to make sure STP is on for access ports. I do agree with the DHCP snooping.

 

Thanks

Beginner

Re: Hotel Layer 2 Security questions

Think you misunderstand me. I am saying I agree and would not turn off STP, despite what your supplier is saying in the original post.

Hall of Fame Master

Re: Hotel Layer 2 Security questions

I found another link from Cisco that has information that I hope you will find useful.

https://www.cisco.com/c/en_ca/solutions/industries/smart-connected-real-estate/trec.html

 

HTH

 

Rick

Participant

Re: Hotel Layer 2 Security questions

Ah my mistake, I just woke up and am a little slow.

 

Thanks
