Mitigating Threats at Access Layer with Cisco Switches

By | September 3, 2013

The access layer is the point at which user-controlled and user-accessible devices are connected to the network and it is the one architecture component that is found in every LAN. Because the access layer is the connection point between network-based services and client devices it plays an important role in protecting other users, the application resources, and the network itself from human error and malicious attacks. Network resiliency and security in the access layer is achieved through the use of Cisco Catalyst Infrastructure Security Features (CISF) including DHCP snooping, IP Source Guard, port security, and Dynamic ARP Inspection

flooding attacks are used to force a LAN switch to flood all their traffic out to all the switch interfaces. Port security limits the number of MAC addresses that can be active on a single port to protect against such attacks. Port security lets you to configure Layer 2 interfaces to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN.

The number of MAC addresses that the device secures on each interface is configurable. For ease of management, the device can learn the addresses dynamically. Using the dynamic learning method, the device secures MAC addresses while ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic. The device ages dynamic addresses and drops them when the age limit is reached.

DHCP snooping is a DHCP security feature that blocks DHCP replies on an untrusted interface. An untrusted interface is any interface on the switch not specifically configured as a known DHCP server or path towards a known DHCP server. The DHCP snooping feature helps simplify management and troubleshooting by tracking MAC address, IP address, lease time, binding type, VLAN number, and interface information that correspond to the local untrusted interfaces on the switch. DHCP snooping stores that information in the DHCP binding table.

Dynamic ARP inspection (DAI) mitigates ARP poisoning attacks. An ARP poisoning attack is a method by which an attacker sends false ARP information to a local segment. This information is designed to poison the ARP cache of devices on the LAN, allowing the attacker to execute man-in-the-middle attacks.

DHCP snooping and ARP inspection
DAI uses the data generated by the DHCP snooping feature and intercepts and validates the IP-to-MAC address relationship of all ARP packets on untrusted interfaces. ARP packets that are received on trusted interfaces are not validated and invalid packets on untrusted interfaces are discarded.

IP Source Guard is a means of preventing a packet from using an incorrect source IP address to obscure its true source, also known as IP spoofing. IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the interface that denies any traffic from IP addresses that are not in the DHCP binding table.