12-18-2018 11:43 AM - edited 03-08-2019 04:50 PM
We are replacing our HP switches in a hotel with Cisco 3750x-48p-s for all access ports. I have requested some security steps to be taken, as this hotel has a host of high-tech guests and Layer 2 security is a concern. The company who manages the guest network doesn't seem too concerned with it, so I was hoping to get some suggestions. On the switch ports that are located in each room that a guest can use for a hard-wired connection, I am proposing this:
switchport mode access
switchport access vlan x
switchport protected
switchport port-security maximum 1 (set the aging to type to inactivity of 60 seconds)
no vtp
no cdp
spanning-tree bpduguard (would set the reset timer to 120 seconds or so)
Should we add IP ARP inspection of some sort?
My vendor just wants to do switch mode access and switchport protected. I've always been told not doing spanning tree on an access port is asking for issues. They say they'd like to turn spanning tree off entirely on the switch.
Thank you
12-18-2018 02:46 PM - edited 12-18-2018 02:54 PM
Hello
You are correct in your concerns; L2 security, in my opinion, is mostly always overlooked.
I wouldn't turn off spanning-tree, that's for sure, and would even consider applying some additional security for the guest user vlan such as dhcp snooping/dynamic arp inspection/ip source guard and even storm control, but it all depends on your network.
Error recovery is okay, but I wouldn't suggest enabling it for bpduguard and arp inspection.
FYI - a protected port only negates communication to another protected port, so any unprotected ports are accessible.
example:
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval x
ip dhcp snooping vlan x < remember to trust ports you don't want to be snooped
ip arp inspection vlan 10 < remember to trust ports you don't want to be inspected
interface GigabitEthernet1/0/1
description Data_Vlan
switchport access vlan x
switchport mode access
switchport nonegotiate
switchport port-security maximum x
switchport port-security
switchport port-security aging time x
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport protected
storm-control broadcast level x.00
storm-control multicast level x.00
storm-control unicast level x.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
ip arp inspection limit xx <default 15>
udld port aggressive
no cdp enable
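An added example, not from the thread or any poster: a small Python audit that parses an IOS-style running-config and reports which of the hardening lines proposed in the question and in the answer above are missing on each access port, plus the global dhcp snooping / arp inspection lines. The sample config and the regex table are my own assumptions.

```python
import re
# Constructed sample (not from the thread): Gi1/0/1 per the accepted answer, Gi1/0/2 the vendor's minimum.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport protected
 storm-control broadcast level 1.00
 spanning-tree bpduguard enable
 no cdp enable
interface GigabitEthernet1/0/2
 switchport mode access
 switchport protected
"""
# Lines the thread recommends, as regexes so VLAN ids and counts are not pinned.
REQUIRED_PORT = {
    "port-security max": r"switchport port-security maximum \d+$",
    "inactivity aging": r"switchport port-security aging type inactivity$",
    "storm-control": r"storm-control (broadcast|multicast|unicast) level",
    "bpduguard": r"spanning-tree bpduguard enable$",
    "no cdp": r"no cdp enable$",
}
REQUIRED_GLOBAL = {"dhcp snooping": r"ip dhcp snooping vlan \d+", "arp inspection": r"ip arp inspection vlan \d+"}

def parse_config(text):  # -> (global_lines, {interface_name: [lines]})
    global_lines, interfaces, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            interfaces[cur] = []
        elif line in ("!", ""):
            cur = None  # "!" ends an interface stanza in IOS output
        elif cur is not None:
            interfaces[cur].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):  # -> {scope: [missing items]} for global settings and each access port
    def missing(lines, required):  # names whose regex no config line matches
        return [n for n, rx in required.items() if not any(re.match(rx, l) for l in lines)]
    global_lines, interfaces = parse_config(text)
    findings = {"global": missing(global_lines, REQUIRED_GLOBAL)}
    for name, lines in interfaces.items():
        if "switchport mode access" in lines:  # only audit access ports
            findings[name] = missing(lines, REQUIRED_PORT)
    return {k: v for k, v in findings.items() if v}
```

Run it against `show running-config` output saved to a file; an empty result means every access port carries the full set.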
12-18-2018 01:02 PM
If the end device is always a customer device, setting up an access port is the best option, with a maximum allowed MAC address count on that port.
If it is a high-profile customer and you know which room and which port, then make 2 VLANs separately for best security.
12-18-2018 02:34 PM
Hotel security is an area in which I do not have much expertise. I did find this link from Cisco which I hope might point you toward some recommendations
https://www.cisco.com/c/en/us/solutions/industries/hospitality.html
HTH
Rick
12-18-2018 09:54 PM
12-19-2018 05:46 AM
Each guest room has at least 1 wired connection. It gets used more than you would think, especially from government employees.
12-18-2018 11:55 PM
How many access layer switches are you replacing? I definitely wouldn't turn off STP.
Someone mentioned DHCP snooping as well, would recommend this in addition to your suggested config.
12-19-2018 05:47 AM
Why would you turn off STP? I'm not trying to argue just trying to understand what your reasoning is. Everything I've read and a suggestion on this post have all said to make sure STP is on for access ports. I do agree with the DHCP snooping.
Thanks
12-19-2018 06:02 AM
Think you misunderstand me. I am saying I agree and would not turn off STP, despite what your supplier is saying in the original post.
12-19-2018 06:06 AM
I found another link from Cisco that has information that I hope you will find useful.
https://www.cisco.com/c/en_ca/solutions/industries/smart-connected-real-estate/trec.html
HTH
Rick
12-19-2018 06:13 AM
Ah my mistake, I just woke up and am a little slow.
Thanks