Computer Science · 18 questions

Switch Security Configuration

1. Which command disables auto‑negotiation of DTP on a non‑trunking access port?
2. If a port configured with port‑security receives a second unknown MAC address, what immediate action occurs when the violation mode is set to shutdown?
3. Which of the following best describes the effect of configuring 'switchport port-security mac-address sticky' on a port?
4. During a VLAN hopping attack, which mitigation step specifically prevents double‑tagging attacks?
5. What is the primary purpose of the DHCP snooping binding table in relation to DAI?
6. If a switch port is configured with 'spanning-tree portfast' globally, which additional command is required to protect against rogue BPDUs?
7. When configuring port‑security aging, which type removes a secure MAC address only after a period of inactivity?
8. Which violation mode allows unknown source MAC frames to be dropped without generating syslog messages?
9. In a DHCP snooping configuration, which command designates an interface as trusted?
10. What is the effect of enabling 'switchport port-security maximum 1' on a port that already has a learned MAC address?
11. Which command verifies that sticky MAC addresses have been written to the running configuration?
12. During a DHCP starvation attack, why is port‑security alone insufficient to stop DHCP spoofing?
13. Which of the following statements about BPDU Guard is true when a port receives a BPDU?
14. What is the primary difference between the 'restrict' and 'protect' violation modes?
15. When configuring DAI, which validation option checks that the source MAC in the Ethernet header matches the sender MAC in the ARP body?
16. Which command globally enables PortFast on all access ports?
17. In the context of VLAN hopping mitigation, why is it recommended to place unused ports in an unused VLAN?
18. What is the result of executing 'show interface' on a port that is in the error‑disabled state due to a security violation?


Switch Security Configuration

Review key concepts before taking the quiz

Understanding Switch Security Configuration

Switch security is a cornerstone of modern network protection. Whether you are managing a small office or a large data center, configuring Cisco switches correctly can prevent a wide range of attacks, from VLAN hopping to MAC address spoofing. This course breaks down the most common security features, explains why they matter, and provides step‑by‑step guidance on how to implement them.

Disabling DTP Auto‑Negotiation on Access Ports

Dynamic Trunking Protocol (DTP) automatically negotiates trunk links between Cisco switches. While convenient, DTP can be abused by attackers to force a port into trunk mode and gain access to multiple VLANs. The safest practice on a pure access port is to turn off DTP negotiation.

  • Command: switchport nonegotiate
  • Effect: The port will no longer send or respond to DTP frames, ensuring it remains a static access port.
  • Related commands: switchport mode access (sets the port as access) and switchport trunk native vlan 2 (used for trunk configuration, not for disabling DTP).

By combining switchport mode access with switchport nonegotiate, you lock the port into a non‑trunking state, eliminating the risk of accidental or malicious trunk creation.

Port‑Security Fundamentals

Port security limits the number of MAC addresses that can be learned on a switch interface. When a violation occurs, the switch can react in three ways: protect, restrict, or shutdown. Understanding each mode is essential for tailoring security to your environment.

Violation Modes Explained

  • Protect: Frames from unknown MAC addresses are dropped silently. No syslog messages are generated, making it ideal for environments where you want minimal logging noise.
  • Restrict: Similar to protect, but the switch also logs the violation and increments the security violation counter.
  • Shutdown: The port is placed into an error‑disabled state, halting all traffic. This is the most aggressive response and is useful when you need immediate isolation of a compromised port.

For example, if a second unknown MAC appears on a port configured with violation shutdown, the port transitions to the error‑disabled state and stops all traffic, providing a clear, immediate containment action.

Sticky MAC Addresses

The switchport port-security mac-address sticky command bridges the gap between dynamic learning and static configuration. When a MAC address is learned on a sticky‑enabled port, the switch writes it to the running configuration as a static entry. This entry persists across reboots if you save the configuration, effectively turning dynamic learning into a permanent security policy.

  • Key benefit: Administrators can quickly build a whitelist of legitimate devices without manually entering each MAC address.
  • Persistence: Sticky MACs are stored in the running‑config; if you execute write memory, they become part of the startup‑config and survive reloads.

Mitigating VLAN Hopping Attacks

VLAN hopping allows an attacker to send traffic from one VLAN to another, bypassing segmentation controls. Two primary techniques exist: double‑tagging and switch spoofing. This section focuses on the mitigation that stops double‑tagging.

Preventing Double‑Tagging

Double‑tagging exploits the native VLAN on a trunk port. By setting the native VLAN to a value other than VLAN 1, you remove the default “untagged” pathway that attackers rely on.

  • Command: switchport trunk native vlan 99 (choose a VLAN that is not used for user traffic).
  • Why it works: Double‑tagging depends on the attacker's access VLAN being the same as the trunk's native VLAN. The first switch strips the outer tag (the native VLAN) and forwards the frame across the trunk with only the inner tag (the target VLAN) left, so the next switch delivers it into the target VLAN. Once the native VLAN is an unused, non‑default VLAN, the attacker's outer tag no longer matches it, the tag is not stripped, and the hidden inner tag never reaches the target VLAN.

Additional best practices include disabling DTP on all access ports and placing unused ports in an unused VLAN, but changing the native VLAN is the specific countermeasure for double‑tagging.

DHCP Snooping and Dynamic ARP Inspection (DAI)

Both DHCP snooping and DAI are complementary features that protect against IP‑based attacks such as ARP spoofing and DHCP starvation.

DHCP Snooping Binding Table

When DHCP snooping is enabled, the switch builds a binding table that records the IP‑to‑MAC mapping for each DHCP lease, along with the VLAN and lease time. This table becomes the reference point for DAI.

  • DAI validation: DAI checks inbound ARP packets against the snooping binding table. If an ARP request or reply contains a MAC‑IP pair that does not match the table, the packet is dropped.
  • Security impact: This prevents attackers from sending forged ARP replies (a classic man‑in‑the‑middle technique).

Remember, DHCP snooping only blocks DHCP server replies on ports it considers untrusted, which is every port by default; you must also configure ip dhcp snooping trust on the legitimate uplink and server‑facing ports, otherwise valid leases from the real DHCP server are dropped as well.
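As an added illustration (not part of the original course), a small Python model of the DAI decision described above: an ARP packet on an untrusted port is checked against a constructed binding table, and the optional src-mac validation compares the Ethernet source MAC with the ARP sender MAC. The binding table, MAC and IP values are constructed; ARP ACLs for statically addressed hosts are not modelled.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table, keyed (vlan, ip) -> mac.
BINDINGS = {
    (10, "10.0.10.21"): "00:11:22:33:44:55",
    (10, "10.0.10.22"): "00:11:22:33:44:66",
}

@dataclass
class ArpPacket:
    vlan: int
    eth_src: str         # source MAC in the Ethernet header
    sender_mac: str      # sender hardware address in the ARP body
    sender_ip: str       # sender protocol address in the ARP body
    trusted_port: bool = False

def dai_verdict(pkt, bindings, validate_src_mac=True):
    """Simplified DAI decision for one ARP packet: returns (action, reason).
    Trusted ports bypass inspection; on untrusted ports the optional
    src-mac validation runs first, then the binding-table lookup."""
    if pkt.trusted_port:
        return "forward", "trusted port, not inspected"
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "src-mac validation failed"
    bound = bindings.get((pkt.vlan, pkt.sender_ip))
    if bound is None:
        return "drop", "no binding for sender IP in this VLAN"
    if bound.lower() != pkt.sender_mac.lower():
        return "drop", "sender MAC does not match binding"
    return "forward", "binding matched"

def demo():
    """Run a constructed set of packets; returns a list of (label, action)."""
    cases = [
        ("legit host", ArpPacket(10, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.10.21")),
        ("forged reply for .21", ArpPacket(10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "10.0.10.21")),
        ("header/body mismatch", ArpPacket(10, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "10.0.10.21")),
        ("trusted uplink", ArpPacket(10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "10.0.10.1", trusted_port=True)),
    ]
    return [(label, dai_verdict(p, BINDINGS)[0]) for label, p in cases]

if __name__ == "__main__":
    for label, action in demo():
        print(f"{label:22} -> {action}")
```

Note that the "header/body mismatch" packet is only caught because src-mac validation is on; with it off, the ARP body alone matches the binding and the packet is forwarded.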

Spanning‑Tree PortFast and BPDU Guard

PortFast speeds up the transition of access ports to the forwarding state, which is essential for devices like servers and IP phones that need immediate network access. However, enabling PortFast globally can expose the network to rogue Bridge Protocol Data Units (BPDUs) that could unintentionally alter the spanning‑tree topology.

Protecting PortFast with BPDU Guard

The command spanning-tree bpduguard default automatically applies BPDU Guard to any port that has PortFast enabled. If a BPDU is received on such a port, the switch places the port into the error‑disabled state, preventing potential loops.

  • Implementation steps:
    1. Enable PortFast globally: spanning-tree portfast
    2. Activate BPDU Guard default: spanning-tree bpduguard default
  • Result: All PortFast ports are now protected against rogue BPDUs without needing per‑interface configuration.

Port‑Security Aging Options

Port‑security aging determines how and when secure MAC addresses are removed from the address table. Three aging types exist:

  • Absolute: MAC addresses are removed after a fixed time, regardless of activity.
  • Inactivity: Addresses are removed only after a period of no traffic from that MAC.
  • Static: Addresses never age out; they remain until manually cleared.

Choosing inactivity is ideal for environments where devices may be unplugged temporarily. The switch will keep the MAC entry as long as the device continues to send traffic, and will purge it after the defined idle period, freeing up secure slots for new devices.

Putting It All Together: A Sample Secure Port Configuration

Below is a practical example that incorporates the concepts discussed. This configuration secures an access port used for a workstation.

interface GigabitEthernet0/1
 description Secure access port for workstation
 switchport mode access
 switchport access vlan 10
 ! Disable DTP auto-negotiation
 switchport nonegotiate
 ! Fast transition to forwarding
 spanning-tree portfast
 ! Per-interface BPDU Guard (the global default covers all PortFast ports)
 spanning-tree bpduguard enable
 ! Enable port-security; each option is entered as its own full command
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ! 1440 minutes = 24-hour aging period, removing entries only after inactivity
 switchport port-security aging time 1440
 switchport port-security aging type inactivity
 ! Note: sticky entries are treated as static and age only if
 ! "switchport port-security aging static" is also configured
 exit

This snippet demonstrates how a single interface can be hardened against DTP attacks, rogue BPDUs, MAC spoofing, and VLAN hopping (assuming the trunk native VLAN is already changed elsewhere).

Best‑Practice Checklist for Switch Security

  • Disable DTP on all access ports using switchport nonegotiate.
  • Enable PortFast on end‑device ports and pair it with spanning-tree bpduguard default to guard against loops.
  • Configure Port‑Security with appropriate maximum, violation, and aging settings.
  • Use Sticky MACs to automatically build a secure MAC whitelist.
  • Change the native VLAN on all trunk ports to a non‑default VLAN to stop double‑tagging attacks.
  • Enable DHCP Snooping on all VLANs and trust only uplink ports.
  • Activate DAI and ensure the DHCP snooping binding table is populated.
  • Document and audit all security commands regularly; use show run | include port-security and show spanning-tree summary for verification.
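To support the audit step above, here is an added example (not part of the original course): a Python script that parses a constructed "show running-config" excerpt and reports access ports missing the checklist controls, plus trunks still on the default native VLAN. The interface names and the configuration text are constructed for illustration.

```python
# Constructed "show running-config" excerpt, not a real device; IOS omits defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""
# Checklist for access ports: (finding, predicate over the port's command set)
ACCESS_CHECKS = [
    ("DTP not disabled", lambda c: "switchport nonegotiate" not in c),
    ("port-security not enabled", lambda c: "switchport port-security" not in c),
    ("PortFast without BPDU Guard", lambda c: "spanning-tree portfast" in c and "spanning-tree bpduguard enable" not in c),
]

def parse_interfaces(config):
    """Split IOS config text into {interface name: set of its indented commands}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return interfaces

def audit(config):
    """Return {interface: [findings]} for ports missing a checklist control."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        if "switchport mode access" in cmds:
            issues += [msg for msg, bad in ACCESS_CHECKS if bad(cmds)]
        if "switchport mode trunk" in cmds:
            # A trunk left on the default native VLAN 1 shows no "native vlan" line.
            native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
            if not native or native[0] == "1":
                issues.append("trunk native VLAN is 1 (double-tagging risk)")
        if issues:
            findings[name] = issues
    return findings
```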

Conclusion

Effective switch security is a layered approach that combines protocol hardening (disable DTP), port‑level controls (port‑security, sticky MACs, aging), and network‑wide safeguards (DHCP snooping, DAI, BPDU Guard). By mastering each of these features, network engineers can dramatically reduce the attack surface of their LAN infrastructure.

Implement the recommendations above, test them in a lab environment, and regularly review your configurations to stay ahead of emerging threats. Secure switches today, protect your organization tomorrow.
