Securing switches

louis0001 (Level 3)

I'm reviewing our switches and just wondering if there is anything else I can do to secure the ports.

We've got all the other stuff going eg tacacs, vty lines secured, logging etc but I was wondering more about the ports themselves?

 

Steps I have taken so far:

No dynamic ports, e.g. access or trunk only
Management, Data, Voice & Guest tagged vlans with ACLs on the router to prevent inter-vlan access
Port security enabled
Spanning tree portfast & bpduguard
Protected ports enabled

 

I read an article about native vlans on trunks with somebody suggesting that on trunk ports, you should create an unused vlan and designate this as the native vlan for the trunk instead of the default being vlan 1?

Would this be of benefit and is there anything else we could do to secure the ports?

 

6 Replies

Hello
From a security point of view yes it would. Cisco’s vlan 1 is well known as an untagged vlan and it can be spoofed (vlan hopping).

You can tag all vlans (including vlan 1) if you wish, but the recommended solution is to disable vlan 1, create an unused vlan and use that as the native vlan.

As for other port security features, you can look into the following:

IP Source guard (IPSG)
DHCP snooping
Dynamic Arp Inspection (DAI)
Mac filtering
Storm control
Private Vlans (PVLAN)
Port based 802.1x

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Cheers Paul, bit of a silly question probably, but how would you disable vlan 1?

vlan 4000

int range G1/0/1 - 48
switchport trunk native vlan 4000

no vlan 1

Would it be as simple as that?

 

 

You can't disable vlan 1 because it is used even if you don't allocate any ports into it. 

 

I suspect what Paul meant was to not allocate any ports into it and use a different vlan to manage the switches with (correct me if I am misrepresenting you Paul). 

 

Jon

Hello

Yes Jon, apologies - maybe I should have been clearer. I meant to say: if you have the L3 interface of vlan 1 enabled, then disable that if it’s not being used - it's quite often left enabled when it doesn’t have to be.

As for the L2 vlan 1 - Jon is correct, just don't use it, as it cannot be disabled.

Apologies for the confusion.

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ah, thought I was missing some secret command there. Our L2 switches don't have anything on vlan 1 and all our vlans, including our management vlan, are tagged. There is only one interface on the switch for the management vlan, i.e. no int vlan 1.

Going back to the original question then, should you define a native (unused) vlan on the trunk ports, or is having nothing on vlan 1 and no int vlan 1 enough?

 

For example:

switchport mode trunk
switchport trunk allowed vlan x,y,z
switchport trunk native vlan 4000  << unused vlan

or will this be sufficient (knowing nothing resides on vlan 1):

switchport mode trunk
switchport trunk allowed vlan x,y,z

or what about:

switchport trunk native vlan tag?

Hello

I would suggest defining an unused vlan as your native.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
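As an added example, not part of this thread or of any poster's own configuration: a small Python audit that reads an IOS-style running-config and reports which of the items discussed above are missing. It covers both the list in the first reply (DHCP snooping, DAI, IP Source Guard, port security, 802.1X is left out) and the native-VLAN discussion at the end: trunks still using native VLAN 1 or allowing all VLANs, ports with no fixed switchport mode (so DTP can negotiate), access ports lacking port security, PortFast, BPDU guard or IP Source Guard, and a VLAN 1 SVI that is not shut down. The sample config is constructed for the example; interface names, VLAN numbers and the exact-line patterns it matches are assumptions, and platform variants such as "spanning-tree portfast edge" are not handled.

```python
import re

# Constructed sample running-config (not from the thread): some ports follow the
# advice given above, others deliberately do not, so the audit has findings to report.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/47
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 4000
!
interface Vlan1
 shutdown
!
"""

# Access-port lines recommended in the thread, as exact-line patterns (assumed syntax);
# the value is the finding reported when the line is absent.
ACCESS_REQUIRED = {
    r"^switchport port-security$": "port security is not enabled",
    r"^spanning-tree portfast$": "PortFast is not enabled",
    r"^spanning-tree bpduguard enable$": "BPDU guard is not enabled",
    r"^ip verify source( |$)": "IP Source Guard is not enabled",
}


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its indented config lines (IOS-style text)."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces


def audit_config(config: str) -> dict[str, list[str]]:
    """Return {scope: [findings]}; a scope absent from the result passed every check."""
    findings: dict[str, list[str]] = {}

    def flag(scope: str, msg: str) -> None:
        findings.setdefault(scope, []).append(msg)

    # Global features from the reply's list: DHCP snooping and Dynamic ARP Inspection.
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        flag("global", "DHCP snooping is not enabled")
    if not re.search(r"^ip arp inspection vlan ", config, re.M):
        flag("global", "Dynamic ARP Inspection is not enabled on any VLAN")

    for name, lines in parse_interfaces(config).items():
        if name == "Vlan1":  # the L3 SVI the thread says to shut when unused
            if "shutdown" not in lines:
                flag(name, "SVI for VLAN 1 is up; shut it down if management uses another VLAN")
            continue
        if not any(l.startswith("switchport") for l in lines):
            continue  # routed or unconfigured port: out of scope here
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            flag(name, "no fixed switchport mode; DTP negotiation (dynamic port) is possible")
            continue
        if mode == "trunk":
            native = 1  # IOS default when no native VLAN is configured
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native = int(m.group(1))
            if native == 1:
                flag(name, "trunk native VLAN is 1 (default); move it to an unused VLAN")
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                flag(name, "trunk allows all VLANs; prune to those actually needed")
        else:
            for pattern, msg in ACCESS_REQUIRED.items():
                if not any(re.match(pattern, l) for l in lines):
                    flag(name, msg)
    return findings


if __name__ == "__main__":
    for scope, msgs in audit_config(SAMPLE_CONFIG).items():
        for msg in msgs:
            print(f"{scope}: {msg}")
```

Run against the sample, Gi1/0/1, Gi1/0/48, the VLAN 1 SVI and the global section pass; Gi1/0/2 is reported for the four missing access-port protections, Gi1/0/3 for having no fixed mode, and Gi1/0/47 for still relying on the default native VLAN 1. Feeding it a real "show running-config" saved to a file is a quick way to confirm that every trunk has been moved off VLAN 1 after a change like the one discussed above.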