06- Securing the Local Area Network 
Ahmed Sultan 
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH 
© 2009 Cisco Learning Institute. 1
Figure: overview of the network security elements covered in this course (IPS, Layer 2 security, perimeter firewall, VPN, ACS) protecting the web server, email server, DNS and internal hosts from the Internet.
OSI Model 
When it comes to networking, Layer 2 is often a very weak link. 
Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) side by side, each layer labeled with what it carries: application stream, protocols and ports, IP addresses, MAC addresses, physical links. The initial compromise is placed at the Data Link layer (MAC addresses); in the second stack every layer from Data Link upward is marked compromised, because each layer depends on the layers beneath it and a compromised Layer 2 undermines everything above it.
MAC Address Spoofing Attack 
Figure, step 1: the server with MAC address AABBcc is attached to switch port 1 and the attacker with MAC address 12AbDd to port 2. The switch keeps track of the endpoints by maintaining a MAC address table. Switch: "I have associated ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly." 
Figure, step 2: in MAC spoofing, the attacker poses as another host, in this case AABBcc. Attacker: "I have changed the MAC address on my computer to match the server." Switch: "The device with MAC address AABBcc has changed locations to port 2. I must adjust my MAC address table accordingly." From this point on, frames addressed to the server's MAC address are delivered to the attacker on port 2. 
MAC Address Table Overflow Attack 
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table already contains port-to-MAC-address mappings for these PCs. 
Figure: hosts A and C and servers B and D are in VLAN 10; the intruder is host C on port 3/25. 
1. The intruder runs macof to begin sending frames with bogus, unknown source MAC addresses (X, Y, Z, ...). 
2. The bogus addresses are added to the CAM table (X, Y, Z and C all mapped to port 3/25) until the CAM table is full. 
3. With no free entries left, the switch cannot learn the real hosts' addresses and floods frames for them out of every port in VLAN 10. 
4. The attacker sees traffic to servers B and D. 
LAB: MAC Address Table Overflow Attack 
STP Manipulation Attack 
• Spanning tree protocol operates by electing a root bridge 
• STP builds a tree topology 
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge 
Figure: three switches in a triangle, the root bridge (priority = 8192, MAC address = 0000.00C0.1234) at the top; ports are marked F (forwarding) or B (blocking), with the single blocking port breaking the loop on the redundant link. 
Configure PortFast 
Figure: a server and a workstation attached to access ports, the only ports on which PortFast belongs. 
Command | Description 
Switch(config-if)# spanning-tree portfast | Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately. 
Switch(config-if)# no spanning-tree portfast | Disables PortFast on a Layer 2 access port. PortFast is disabled by default. 
Switch(config)# spanning-tree portfast default | Globally enables the PortFast feature on all nontrunking ports. 
Switch# show running-config interface type slot/port | Indicates whether PortFast has been configured on a port. 
STP Manipulation Attack 
Figure: the legitimate root bridge (priority = 8192) at the top; the attacker, dual-homed to two access ports at the bottom, sends STP BPDUs with priority = 0 on both links. 
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations. Because 0 is the lowest possible bridge priority, the attacker's bridge ID beats the real root, the attacker is elected root bridge, and the recalculated tree turns blocking (B) ports into forwarding (F) ports so that traffic between the switches crosses the attacker's two links. 
BPDU Guard 
Figure: the attacker sends an STP BPDU into an access port that has BPDU guard enabled; instead of taking part in a recalculation, the switch shuts the port down (err-disabled) as soon as the BPDU arrives. 
Switch(config)# spanning-tree portfast bpduguard default 
• Globally enables BPDU guard on all ports with PortFast enabled 
Root Guard 
Figure: the root bridge (priority = 0, MAC address = 0000.0c45.1a5d) at the top. The attacker (MAC address = 0000.0c45.1234) sends an STP BPDU with priority = 0 into a port with root guard enabled. The priorities tie, and the attacker's MAC address is numerically lower, so this BPDU would win the root election. Root guard instead puts the port into the root-inconsistent (blocking) state and ignores the superior BPDU, so the real root bridge keeps its role. 
Switch(config-if)# spanning-tree guard root 
• Enables root guard on a per-interface basis 
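The three STP slides above (the attacker's priority-0 BPDUs, BPDU guard and root guard) all come down to one comparison: does a received configuration BPDU claim a better root than the bridge we currently know as root? The following Python is an added example, not code from the slides or from Cisco IOS. It parses an IEEE 802.1D configuration BPDU and applies the root election rule (lower priority wins, lower MAC breaks a tie) the way root guard does. The frames are constructed; the root (priority 0, MAC 0000.0c45.1a5d) and attacker (priority 0, MAC 0000.0c45.1234) values are the ones on the Root Guard slide.

```python
# Parser for IEEE 802.1D configuration BPDUs plus the root comparison that
# Root Guard relies on. Added example for this deck; not Cisco code.
# The frames are constructed; CURRENT_ROOT and the attacker values are the
# ones shown on the Root Guard slide.
import struct

LLC_STP = b"\x42\x42\x03"                       # DSAP/SSAP 0x42, UI control field
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")  # 35-byte configuration BPDU body
CURRENT_ROOT = (0, "00000c451a5d")              # (priority, MAC) of the legitimate root


def bridge_id(priority, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte bridge MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(".", ""))


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac,
                      cost=0, port_id=0x8001, tc=False):
    """Build an LLC + configuration BPDU as a switch (or an attacker) would send it."""
    body = CONFIG_BPDU.pack(
        0x0000, 0x00, 0x00,                     # protocol ID, version, type = config BPDU
        0x01 if tc else 0x00,                   # flags: bit 0 = topology change
        bridge_id(root_prio, root_mac), cost,   # root ID, root path cost
        bridge_id(bridge_prio, bridge_mac), port_id,
        0, 20 * 256, 2 * 256, 15 * 256,         # message age, max age, hello, fwd delay (1/256 s)
    )
    return LLC_STP + body


def parse_bpdu(frame):
    """Decode a configuration BPDU into its fields; reject anything else."""
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    (proto, version, btype, flags, root, cost, bridge, port,
     age, max_age, hello, fwd_delay) = CONFIG_BPDU.unpack_from(frame, 3)
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    return {
        "root_priority": struct.unpack(">H", root[:2])[0],
        "root_mac": root[2:].hex(),
        "root_path_cost": cost,
        "bridge_priority": struct.unpack(">H", bridge[:2])[0],
        "bridge_mac": bridge[2:].hex(),
        "port_id": port,
        "topology_change": bool(flags & 0x01),
    }


def is_superior_root(bpdu, current_root=CURRENT_ROOT):
    """True if the BPDU would win the root election: the lower priority wins,
    and on a priority tie the lower MAC address wins (tuple comparison)."""
    return (bpdu["root_priority"], bpdu["root_mac"]) < current_root


def root_guard(frame, current_root=CURRENT_ROOT):
    """What Root Guard does on a port: a superior BPDU moves the port to
    root-inconsistent (blocking) instead of re-electing the root."""
    superior = is_superior_root(parse_bpdu(frame), current_root)
    return "root-inconsistent" if superior else "forwarding"


if __name__ == "__main__":
    attack = build_config_bpdu(0, "0000.0c45.1234", 0, "0000.0c45.1234")
    print(parse_bpdu(attack))
    print(root_guard(attack))
```

Note that the attacker's BPDU wins only because of the MAC tie-break: the slide's root already uses priority 0, the lowest value there is, so a lower priority cannot be the defence. Root guard (or BPDU guard on access ports) is what keeps a superior BPDU from an untrusted port from mattering.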
LAN Storm Attack 
Figure: a flood of broadcast frames replicated out of every port of the switch. 
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. 
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network. 
VLAN Attacks 
VLANs provide: 
• Segmentation 
• Flexibility 
• Security 
VLAN = Broadcast Domain = Logical Network (Subnet) 
VLAN Hopping Attack 
Figure: two switches joined by an 802.1Q trunk, with one server in VLAN 10 and another in VLAN 20. The attacker's port has been negotiated into a second 802.1Q trunk, so the attacker sees traffic destined for the servers in both VLANs. 
A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. 
Port Security Overview 
Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C. Attacker 1 connects to port 0/2 using MAC A (the address of the legitimate host on port 0/1) and attacker 2 connects to port 0/3 using MAC F; neither address is permitted on the port it arrives on, so both are rejected. 
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. 
CLI Commands 
Switch(config-if)# switchport mode access 
• Sets the interface mode as access 
Switch(config-if)# switchport port-security 
• Enables port security on the interface 
Switch(config-if)# switchport port-security maximum value 
• Sets the maximum number of secure MAC addresses for the interface (optional; the default is 1) 
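The MAC spoofing slides, the CAM overflow slides and the port security slides above describe three behaviours of the same data structure: a switch re-points a known MAC address at whichever port it last arrived on, it stops learning when the table is full and floods instead, and port security caps how many source addresses a port may present. The Python below is an added example, not code from the slides or from Cisco IOS: a toy switch model that replays each of the three scenarios. The server (AABBcc) and attacker (12AbDd) MACs are from the slides; the three-port layout, the CAM capacity of 4 and the client MAC C0FFEE are assumed toy values.

```python
# Toy model of a switch MAC address (CAM) table. Added example for this deck,
# not code from the slides or from Cisco IOS. The server (AABBcc) and attacker
# (12AbDd) MACs are from the slides; PORTS, the capacity of 4 and the client
# MAC (C0FFEE) are assumed toy values.

PORTS = (1, 2, 3)                                    # assumed three access ports
SERVER, ATTACKER, CLIENT = "AABBcc", "12AbDd", "C0FFEE"


class Switch:
    def __init__(self, capacity=4):
        self.capacity = capacity   # toy CAM size; real tables hold thousands of entries
        self.cam = {}              # MAC -> port, learned from frame source addresses
        self.secure = {}           # port -> port-security state

    def port_security(self, port, maximum=1):
        """Mimic 'switchport port-security maximum N' with violation mode shutdown."""
        self.secure[port] = {"max": maximum, "macs": set(), "errdisabled": False}

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        sec = self.secure.get(in_port)
        if sec is not None:
            if sec["errdisabled"]:
                return []                       # port was shut down by a violation
            if src not in sec["macs"]:
                if len(sec["macs"]) >= sec["max"]:
                    sec["errdisabled"] = True   # one MAC too many: err-disable the port
                    return []
                sec["macs"].add(src)
        # Learning: a MAC already in the table is always re-pointed at the ingress
        # port (what spoofing abuses); a new MAC is only learned while the table
        # has free entries (what macof exhausts).
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = in_port
        out = self.cam.get(dst)
        if out is None:
            return [p for p in PORTS if p != in_port]   # unknown unicast: flood
        if out == in_port:
            return []                                   # destination is behind the ingress port
        return [out]


def demo_spoofing():
    """Slides 4-5: the attacker sends one frame with the server's MAC."""
    sw = Switch()
    sw.receive(1, SERVER, CLIENT)            # server on port 1
    sw.receive(2, ATTACKER, CLIENT)          # attacker on port 2
    before = sw.receive(3, CLIENT, SERVER)   # client -> server goes to port 1
    sw.receive(2, SERVER, CLIENT)            # attacker spoofs AABBcc
    after = sw.receive(3, CLIENT, SERVER)    # same frame now goes to port 2
    return before, after                     # ([1], [2])


def demo_overflow():
    """Slides 6-7: macof fills the table; unlearned destinations get flooded."""
    sw = Switch(capacity=4)
    sw.receive(1, SERVER, CLIENT)
    for i in range(10):                      # bogus source MACs from the attacker's port
        sw.receive(2, f"BAD{i:03d}", CLIENT)
    table_full = len(sw.cam) == sw.capacity
    sw.receive(3, CLIENT, SERVER)            # client cannot be learned: table is full
    reply = sw.receive(1, SERVER, CLIENT)    # so the server's reply is flooded
    return table_full, reply                 # (True, [2, 3]): port 2 is the attacker


def demo_port_security():
    """Slides 17-18: 'switchport port-security maximum 1' on the attacker's port."""
    sw = Switch(capacity=4)
    sw.port_security(2, maximum=1)
    sw.receive(1, SERVER, CLIENT)
    sw.receive(2, ATTACKER, CLIENT)          # first MAC on port 2 is allowed
    spoof = sw.receive(2, SERVER, CLIENT)    # second MAC: violation, port err-disabled
    delivered = sw.receive(3, CLIENT, SERVER)
    return spoof, sw.secure[2]["errdisabled"], sw.cam[SERVER], delivered


if __name__ == "__main__":
    print("spoofing  :", demo_spoofing())
    print("overflow  :", demo_overflow())
    print("port-sec  :", demo_port_security())
```

The same port-security state also stops the overflow attempt in demo_overflow: the first bogus source address on port 2 is the second MAC seen there, which is already one more than the maximum.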
LAB: MAC Address Table Overflow Attack 
Mitigating VLAN Attacks 
Figure: a trunk between two switches with native VLAN = 10. 
1. Disable trunking on all access ports. 
2. Disable auto trunking and manually enable trunking. 
3. Be sure that the native VLAN is used only for trunk lines and nowhere else. 
Controlling Trunking 
Switch(config-if)# switchport mode trunk 
• Specifies an interface as a trunk link. 
Switch(config-if)# switchport nonegotiate 
• Prevents the generation of DTP frames. 
Switch(config-if)# switchport trunk native vlan vlan_number 
• Sets the native VLAN on the trunk to an unused VLAN. 
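The mitigation steps and trunking commands above are easy to apply to one port and easy to miss on the other forty-seven. The Python below is an added example, not code from the slides or from Cisco: it parses a running-config and reports every interface that breaks one of the deck's rules (access ports without port security, DTP left negotiable, PortFast without BPDU guard, trunks without nonegotiate or still on native VLAN 1). SAMPLE_CONFIG is constructed, and the assumption that a port with no switchport mode line can still negotiate a trunk (dynamic auto) is a platform default, not something stated on the slides.

```python
# Audit a Cisco IOS running-config for the Layer 2 hardening in this deck.
# Added example, not from the slides or from Cisco. SAMPLE_CONFIG is
# constructed; treating a port with no 'switchport mode' line as dynamic
# (able to negotiate a trunk) is an assumed platform default.
import re

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/23
 switchport mode trunk
!
"""


def parse_config(config):
    """Split a config into global commands and per-interface sub-commands."""
    global_cmds, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                       # '!' or a new global section
            if line and not line.startswith("!"):
                global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(config):
    """Return (interface, finding) pairs for every deck rule an interface breaks."""
    global_cmds, interfaces = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic":
            findings.append((name, "DTP can negotiate a trunk: set 'switchport mode access' or 'trunk'"))
        if mode == "access" and "switchport port-security" not in cmds:
            findings.append((name, "access port without 'switchport port-security'"))
        if "spanning-tree portfast" in cmds and not (
            global_bpduguard or "spanning-tree bpduguard enable" in cmds
        ):
            findings.append((name, "PortFast without BPDU guard"))
        if mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
            match = next((re.match(r"switchport trunk native vlan (\d+)", c) for c in cmds
                          if c.startswith("switchport trunk native vlan ")), None)
            if (int(match.group(1)) if match else 1) == 1:
                findings.append((name, "native VLAN is the default (1): move it to an unused VLAN"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

In the sample, GigabitEthernet0/1 and 0/24 pass, 0/2 is flagged for DTP, and 0/23 is flagged twice (no nonegotiate, native VLAN 1). Removing the global bpduguard line also flags both PortFast ports, which is the check that matters most when someone later adds an access port without the per-interface command.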