Members Choice: Layer 2 Security Features

I recently asked the community members to suggest a topic for my next VIP blog. There were many potential options, but I ultimately chose to write about Layer 2 security features. Thank you for your participation in the discussion. Perhaps I will use the other suggestions in future posts.


This is not an exhaustive study of the various Layer 2 preventative measures but a look at some of the common Layer 2 security features. This blog will focus on port security, DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard.


Port Security


The Problem

By default, a switch does not control the number of MAC addresses that it can learn on a port and it does not lock the entries in the CAM table. An attacker can exploit this default behavior in two ways. First, the attacker could quickly fill up the CAM table by sending a large quantity of frames using spoofed source MAC addresses. Once the CAM table is fully loaded, the switch can no longer accept new entries and it does not know where to forward legitimate frames. When there is no corresponding entry to the frame's destination MAC address in the CAM table, the switch will flood the frame out all ports, effectively acting like a hub. An attacker can then monitor all traffic. Second, the attacker could claim the ownership of the MAC address of a legitimate host. The attacker could simply send a frame with the same MAC address, and the switch would update its CAM table to refer to this mischievous source.


The Solution

Port security prevents both types of attacks by limiting the number of MAC addresses per port and binding specific MAC addresses to specific ports. Enabling port security requires that the port is statically set as either access or trunk. The feature is turned on with the switchport port-security command, and the number of MAC addresses allowed on the port is set with switchport port-security maximum <value>. If the maximum is not configured, only one MAC address is permitted by default. Note that, interestingly, configuring the maximum on its own does not enable the feature; the plain switchport port-security command is still needed.


By default, port security stores the secured MAC addresses in temporary memory; if the switch is rebooted, the addresses must be relearned. However, there is also something called sticky learning, which can be optionally enabled (switchport port-security mac-address sticky). Sticky learning tells the switch to learn MAC addresses dynamically and also add them to the running configuration. If the running configuration is then saved, the MAC addresses are permanently locked into the configuration as static entries. Dynamically learned sticky addresses are differentiated from manually configured static MAC addresses (switchport port-security mac-address xxxx.xxxx.xxxx) by the sticky keyword: the learned entries automatically appear in the configuration as switchport port-security mac-address yyyy.yyyy.yyyy sticky.


There are three violation modes that dictate how the switch handles violations: shutdown, restrict, and protect. Shutdown is the default. When a violation occurs, shutdown puts the port in the err-disabled state (blocking all traffic), increments the violation counter, and sends a notification. The administrator must then explicitly re-enable the port (shutdown followed by no shutdown) or configure automatic recovery (for example, errdisable recovery cause psecure-violation and errdisable recovery interval 300). Restrict denies traffic from the violating MAC address, increments the security violation counter, and sends a notification, but the port stays up. Protect simply drops frames from the violating device and gives no indication that a violation has occurred.
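
To make the three violation modes, sticky learning and the "MAC secured on another port" case concrete, here is a small Python model of the behaviour described above. It is an added example written for this post, not IOS code or anything from Cisco; the class names, the Switch wrapper and the sample MAC addresses are my own constructions, and the restrict counter is modelled as incrementing once per offending frame.

```python
from dataclasses import dataclass, field
from enum import Enum


class ViolationMode(Enum):
    SHUTDOWN = "shutdown"  # err-disable the port, count the violation, notify
    RESTRICT = "restrict"  # drop the offending frame, count the violation, notify
    PROTECT = "protect"    # drop the offending frame silently


@dataclass
class SecurePort:
    """One interface with port security enabled (hypothetical model)."""
    name: str
    maximum: int = 1                       # switchport port-security maximum <value>
    mode: ViolationMode = ViolationMode.SHUTDOWN
    sticky: bool = False                   # switchport port-security mac-address sticky
    static_macs: frozenset = frozenset()   # switchport port-security mac-address xxxx.xxxx.xxxx
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    notifications: list = field(default_factory=list)
    running_config: list = field(default_factory=list)

    def __post_init__(self):
        self.secure_macs.update(self.static_macs)   # static entries count toward the maximum


class Switch:
    """Secure ports sharing one CAM table, so a MAC already secured on one
    port is a violation when it shows up on another (the spoofing case)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac):
        return next((p.name for p in self.ports.values() if mac in p.secure_macs), None)

    def receive(self, port_name, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False                    # an err-disabled port passes nothing
        if src_mac in port.secure_macs:
            return True
        if self.owner_of(src_mac) is None and len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)   # learn a new secure address
            if port.sticky:
                port.running_config.append(
                    f"switchport port-security mac-address {src_mac} sticky")
            return True
        return self._violation(port, src_mac)

    @staticmethod
    def _violation(port, src_mac):
        if port.mode is ViolationMode.PROTECT:
            return False                    # dropped with no counter and no notification
        port.violation_count += 1
        port.notifications.append(
            "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {port.name}.")
        if port.mode is ViolationMode.SHUTDOWN:
            port.err_disabled = True        # shutdown mode: err-disable the port
        return False

    def recover(self, port_name):
        """Operator shutdown / no shutdown, or errdisable recovery after its interval."""
        self.ports[port_name].err_disabled = False


if __name__ == "__main__":
    sw = Switch([SecurePort("Fa0/1"), SecurePort("Fa0/2", mode=ViolationMode.RESTRICT)])
    print(sw.receive("Fa0/1", "0000.0000.0401"))   # True: first address is secured
    print(sw.receive("Fa0/1", "0001.6666.a13c"))   # False: violation, Fa0/1 err-disabled
    print(sw.ports["Fa0/1"].notifications[0])
```

The point to notice is that protect mode leaves no trace at all: if you rely on the violation counter or syslog for detection, configure restrict or shutdown.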


The Configuration

Minimal configuration.


interface FastEthernet0/1
 switchport port-security


Simply enabling the port security under the interface will turn on the feature using the default settings (violation mode: shutdown, maximum MAC addresses: 1).


Switch# show port-security interface FastEthernet0/1
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :1
Total MAC Addresses        :1
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address        :0000.0000.0401
Security Violation Count


If a violation occurs, the following error message is logged, and the interface goes down.


%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.6666.a13c on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down


The port is in the err-disabled state.


Switch# show interfaces FastEthernet0/1 | include line protocol
FastEthernet0/1 is down, line protocol is down (err-disabled)



DHCP Snooping


The Problem

There are two main issues. First, when a host broadcasts a DHCP request into the network, a rogue DHCP server could answer it with a DHCP offer containing false information. By setting itself as the default gateway, for example, the rogue DHCP server can stage a calculated man-in-the-middle attack: the unknowing end host would then forward practically all of its traffic through this vile machine. Second, an attacker could overload the network by sending an excessive number of fake DHCP requests.


The Solution

To prevent such attacks, DHCP snooping has the switch examine DHCP messages, filter unauthorized packets, and rate-limit DHCP traffic. In short, it stops rogue DHCP servers from offering IP address information to clients and controls the rate at which DHCP packets are pushed onto the network.


DHCP snooping classifies ports as trusted or untrusted. By default, all interfaces are untrusted. Ports facing devices that are under your administrative control must be explicitly configured as trusted. DHCP snooping (packet filtering and rate-limiting) is enforced on untrusted ports only.


The DHCP snooping feature dynamically builds and maintains a database, the DHCP snooping binding table, using information extracted from intercepted DHCP messages. There are no entries for trusted interfaces. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is used as a reference for filtering unauthorized packets.


DHCP snooping is enabled globally (ip dhcp snooping) and per VLAN (ip dhcp snooping vlan x,y-z) on the switch. The global command turns on the feature and the per-VLAN command defines which VLANs are monitored. Trusted state is configured under the interface configuration (ip dhcp snooping trust).


The recommended rate limit is no more than 100 packets per second (pps). DHCP snooping puts a port on which the rate limit is exceeded into the error-disabled state. As with port security, such ports must be either manually recovered or automatically re-enabled with errdisable recovery.
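
The following Python model ties together the trusted/untrusted distinction, the rogue-server filter, the hwaddr check and the rate limit described above, and shows how the binding table gets populated. It is an added example written for this post, not Cisco code; the message fields, the class and method names, the per-second packet counter and the sample MAC and IP addresses are all my own constructions, chosen to mirror the VLAN 24 / Fa0/10 setup used later in the post.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass(frozen=True)
class DhcpMessage:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK or NAK
    port: str          # ingress interface
    vlan: int
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address field inside the DHCP payload
    yiaddr: str = ""   # address offered or assigned (server messages only)
    lease: int = 0     # lease time in seconds (server messages only)
    t: float = 0.0     # receive time in seconds


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limits):
        self.vlans = set(vlans)               # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)     # ip dhcp snooping trust
        self.rate_limits = dict(rate_limits)  # ip dhcp snooping limit rate <pps>, per port
        self.err_disabled = set()
        self.bindings = {}                    # (client mac, vlan) -> binding entry
        self._pending = {}                    # chaddr -> (port, vlan) of the client's last request
        self._counts = defaultdict(int)       # (port, whole second) -> packets seen

    def process(self, m):
        """Return 'forward', 'drop' or 'err-disable' for one DHCP message."""
        if m.vlan not in self.vlans:
            return "forward"                  # VLAN is not monitored
        if m.port in self.trusted:
            if m.kind == "ACK":
                self._learn_binding(m)        # replies from a trusted server build the table
            return "forward"
        if m.port in self.err_disabled:
            return "drop"
        limit = self.rate_limits.get(m.port)
        if limit is not None:
            key = (m.port, int(m.t))
            self._counts[key] += 1
            if self._counts[key] > limit:
                self.err_disabled.add(m.port) # rate exceeded: port goes err-disabled
                return "err-disable"
        if m.kind in SERVER_MESSAGES:
            return "drop"                     # server message on an untrusted port: rogue server
        if m.src_mac != m.chaddr:
            return "drop"                     # hwaddr verification: chaddr must match the frame source
        self._pending[m.chaddr] = (m.port, m.vlan)
        return "forward"

    def _learn_binding(self, m):
        client = self._pending.get(m.chaddr)
        if client is None:
            return                            # no request seen on an untrusted port: no entry
        port, vlan = client
        self.bindings[(m.chaddr, vlan)] = {
            "ip": m.yiaddr, "lease": m.lease, "type": "dhcp-snooping",
            "vlan": vlan, "interface": port}


if __name__ == "__main__":
    snoop = DhcpSnooping(vlans=[24], trusted_ports=["Fa0/10"], rate_limits={"Fa0/1": 100})
    client = "00:20:AA:6E:41:85"
    snoop.process(DhcpMessage("REQUEST", "Fa0/1", 24, client, client))
    snoop.process(DhcpMessage("ACK", "Fa0/10", 24, "00:00:5e:00:53:01", client,
                              yiaddr="10.0.24.50", lease=86250))
    print(snoop.bindings)   # one dhcp-snooping entry for the client on Fa0/1
```

Note that bindings are only created for clients whose request arrived on an untrusted port, which is why the post's binding table never shows entries for trusted interfaces.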



The Configuration

Let's do a simple configuration and enable DHCP snooping only for VLAN 24.


ip dhcp snooping
ip dhcp snooping vlan 24

interface FastEthernet0/10
 ip dhcp snooping trust




Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:

DHCP snooping is operational on following VLANs:

DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
  circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted    Rate limit (pps)
------------------------    -------    ----------------


Let's see some action. A host connected to Fa0/1 has received an IP address from a legitimate DHCP server (connected to the trusted interface Fa0/10), and the entry is tracked in the DHCP binding table.


Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type          VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
00:20:AA:6E:41:85    86250      dhcp-snooping  24  FastEthernet0/1
Total number of bindings: 1


Rate-limiting is configured under the interface.


interface FastEthernet0/1
 ip dhcp snooping limit rate 100


Switch# show ip dhcp snooping | begin pps
Interface                  Trusted    Rate limit (pps)
------------------------    -------    ----------------
FastEthernet0/1            no          100



Dynamic ARP Inspection


The Problem

A malicious user can orchestrate a man-in-the-middle attack by sending spoofed ARP packets. ARP accepts a gratuitous reply from a host even if no ARP request was sent. The attacker can poison the ARP cache by sending altered ARP packets containing false information, claiming ownership of the MAC address of a legitimate host. By sending these forged ARP responses, the attacker can impersonate the legitimate host.


The Solution

Dynamic ARP Inspection (DAI) often works in conjunction with DHCP snooping. DAI intercepts ARP packets and validates them against the DHCP snooping binding database or against statically configured entries in ARP access-lists (for non-DHCP environments). In the processing order, ARP ACLs take precedence over entries in the DHCP snooping database. ARP packets with invalid IP-to-MAC address bindings are discarded.


Similar to DHCP snooping, ports are specified as trusted or untrusted (default). DAI inspects all ARP packets received on untrusted ports. Packets arriving on trusted interfaces bypass all DAI validation checks.


DAI also rate limits ARP packets. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate limited. If the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the err-disabled state. Again, the same recovery methods (manual and auto-recovery) are available.


Optional validations of the destination MAC address, the sender and target IP addresses, and the source MAC address can also be enabled. The logging options are also very granular.
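
Here is a Python model of the DAI decision path described in this section: trusted-port bypass, the per-port rate limit, the optional src-mac/dst-mac/ip validations, and the ARP ACL check taking precedence over the DHCP snooping bindings. This is an added example written for this post, not Cisco's implementation; the ArpPacket fields, the ACL tuple format, the per-second counter and the sample addresses are my own constructions, and the bindings dictionary stands in for the table DHCP snooping would have built.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress interface
    vlan: int
    eth_src: str       # Ethernet header source
    eth_dst: str       # Ethernet header destination
    op: str            # "request" or "reply"
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str
    t: float = 0.0     # receive time in seconds


class DynamicArpInspection:
    def __init__(self, vlans, trusted_ports, bindings, arp_acl=(),
                 validate=(), rate_limit=15):
        self.vlans = set(vlans)               # ip arp inspection vlan ...
        self.trusted = set(trusted_ports)     # ip arp inspection trust
        self.bindings = dict(bindings)        # (mac, vlan) -> ip, from DHCP snooping
        self.arp_acl = list(arp_acl)          # [(action, ip, mac)] as in an arp access-list
        self.validate = set(validate)         # subset of {"src-mac", "dst-mac", "ip"}
        self.rate_limit = rate_limit          # pps on untrusted ports; 15 is the default
        self.err_disabled = set()
        self._counts = defaultdict(int)       # (port, whole second) -> packets seen
        self.log = []

    def inspect(self, p):
        """Return 'permit', 'deny', 'drop' or 'err-disable' for one ARP packet."""
        if p.vlan not in self.vlans or p.port in self.trusted:
            return "permit"                   # trusted ports bypass every check
        if p.port in self.err_disabled:
            return "drop"
        key = (p.port, int(p.t))
        self._counts[key] += 1
        if self._counts[key] > self.rate_limit:
            self.err_disabled.add(p.port)     # rate exceeded: port goes err-disabled
            return "err-disable"
        reason = self._optional_checks(p) or self._binding_check(p)
        if reason:
            self.log.append(f"DAI denied ARP {p.op} on {p.port}: {reason}")
            return "deny"
        return "permit"

    def _optional_checks(self, p):
        """ip arp inspection validate {src-mac | dst-mac | ip}."""
        if "src-mac" in self.validate and p.eth_src != p.sender_mac:
            return "sender MAC differs from Ethernet source"
        if "dst-mac" in self.validate and p.op == "reply" and p.eth_dst != p.target_mac:
            return "target MAC differs from Ethernet destination"
        if "ip" in self.validate:
            # sender IP is checked on requests and replies, target IP on replies only
            ips = (p.sender_ip, p.target_ip) if p.op == "reply" else (p.sender_ip,)
            for ip in ips:
                if ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast:
                    return f"invalid IP address {ip}"
        return None

    def _binding_check(self, p):
        """ARP ACL entries are consulted first and a hit is final; otherwise
        fall back to the DHCP snooping bindings."""
        for action, ip, mac in self.arp_acl:
            if ip == p.sender_ip and mac == p.sender_mac:
                return None if action == "permit" else "denied by ARP ACL"
        if self.bindings.get((p.sender_mac, p.vlan)) == p.sender_ip:
            return None
        return "no matching DHCP snooping binding"
```

The ARP ACL is what lets a statically addressed default gateway keep answering ARP on an untrusted port even though it never appears in the DHCP snooping table. One caveat on the ip validation: it rejects a sender address of 0.0.0.0, which hosts use in ARP probes for duplicate-address detection, so check your logs before enabling it broadly.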


The Configuration

DAI is enabled on a per-VLAN basis.


ip arp inspection vlan 24


Configuring a trusted interface.


interface FastEthernet0/10
 ip arp inspection trust




Switch# show ip arp inspection vlan 24
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan    Configuration    Operation  ACL Match          Static ACL
----    -------------    ---------  ---------          ----------
24      Enabled          Active

Vlan    ACL Logging      DHCP Logging
----    -----------      ------------
24      Deny            Deny

Switch# show ip arp inspection interfaces FastEthernet0/12
Interface      Trust State    Rate (pps)
--------------  -----------    ----------
Fa0/12          Trusted        None



IP Source Guard

The idea behind IP Source Guard is similar to DAI. IP Source Guard prevents a malicious host from impersonating a legitimate host by performing a validity check on the source IP address. IP Source Guard uses the DHCP snooping table or static IP source bindings to match source IP addresses on untrusted Layer 2 ports. Any ingress IP traffic with a source IP address other than the one assigned via DHCP or static configuration is filtered out.


Initially, all IP traffic is blocked except for DHCP packets. After a client receives an IP address from a trusted DHCP server, or after a static IP source binding is manually configured, all traffic with that IP source address is permitted. Traffic from other source IP addresses is denied. Technically, IP Source Guard automatically creates an implicit port access-list (PACL).


The Configuration

The IP Source Guard feature is enabled on untrusted ports in combination with DHCP snooping. It builds and maintains an IP source binding table from entries learned by DHCP snooping or from manually configured static IP source bindings (example: ip source binding 0011.0011.0011 vlan 24 interface FastEthernet0/15).
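
A Python model of the per-port filter IP Source Guard applies, added here for this post and not taken from Cisco: it shows the initial "only DHCP gets through" state, the transition once a binding is learned or statically configured, and that a binding authorises a source only on its own port. The class and method names, the "ip" versus "ip-mac" mode labels (the latter standing for the variant that also checks the source MAC), and the sample addresses are my own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IpPacket:
    port: str            # ingress interface
    vlan: int
    src_mac: str
    src_ip: str
    proto: str = "tcp"   # "udp" for DHCP
    sport: int = 0
    dport: int = 0


class IpSourceGuard:
    """Per-port source filter fed by DHCP snooping bindings and static bindings."""

    def __init__(self, guarded_ports, static_bindings=()):
        # guarded_ports: {interface: "ip" | "ip-mac"}; "ip" models plain `ip verify source`,
        # "ip-mac" models the variant that checks the source MAC as well (assumption)
        self.guarded = dict(guarded_ports)
        self.table = {}   # (port, vlan) -> {(ip, mac, type)} allowed on that port
        for mac, ip, vlan, port in static_bindings:   # ip source binding ... (assumed format)
            self.add_binding(mac, ip, vlan, port, "static")

    def add_binding(self, mac, ip, vlan, port, source="dhcp-snooping"):
        """Called when DHCP snooping learns a lease or a static binding is configured."""
        self.table.setdefault((port, vlan), set()).add((ip, mac, source))

    def filter(self, p):
        """Return 'permit' or 'deny' for one ingress IP packet."""
        if p.port not in self.guarded:
            return "permit"            # no ip verify source on this port
        if p.proto == "udp" and p.sport == 68 and p.dport == 67:
            return "permit"            # DHCP client traffic is always allowed so a lease can be obtained
        for ip, mac, _ in self.table.get((p.port, p.vlan), set()):
            if ip != p.src_ip:
                continue
            if self.guarded[p.port] == "ip-mac" and mac != p.src_mac:
                continue
            return "permit"
        return "deny"                  # implicit PACL: no binding for this source on this port


if __name__ == "__main__":
    isg = IpSourceGuard({"Fa0/1": "ip"})
    print(isg.filter(IpPacket("Fa0/1", 24, "0020.aa6e.4185", "10.0.24.50")))        # deny: no lease yet
    isg.add_binding("0020.aa6e.4185", "10.0.24.50", 24, "Fa0/1")                   # DHCP snooping learns it
    print(isg.filter(IpPacket("Fa0/1", 24, "0020.aa6e.4185", "10.0.24.50")))        # permit
```

Because the filter is keyed by port, a binding learned on Fa0/1 does nothing for a host on Fa0/15 that tries to use the same address, which is the impersonation case the section describes.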


The configuration itself is straightforward.


interface FastEthernet0/1
 ip verify source




Switch# show ip verify source interface Fa0/1
Interface  Filter-type  Filter-mode  IP-address      Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/1      ip          active    00:20:AA:6E:41:85  24

Switch# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type          VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
00:20:AA:6E:41:85    6522        dhcp-snooping  24    FastEthernet0/1