Ccna security lab securing layer 2 switches topology. Understanding, preventing, and defending against layer 2. Next, youll learn common mitigation techniques that are known for layer 2. The training videos introduce concepts in chronological order starting with.
The data link layer is adjacent to the physical layer, so they are associated pretty closely together. Devices in the same layer 2 segment do not need routing to reach local peers. This can be pretty usefulfor example, lets say you have two remote sites and an application that requires that hosts are on the same subnet. Candidates are expected to program and automate the network within their exam, as per exam topics below. Layer 2 network design guidelines always connect hierarchically if there are multiple switches in a building, use an aggregation switch locate the aggregation switch close to the building entry point e. It involves tying a physical port of a switch to a specific mac addresses. Layer 2 security network switch internet architecture. Create a new management vlan vlan 20 and attach a management pc to that vlan. Ccna security 210260 official cert guide is a bestofbreed cisco exam study. Cisco selfdefending network a suite of security solutions to identify threats, prevent threats and adapt to emerging threats. This course helps to prepare you for the layer 2 technologies portion of exam 300. Want to learn more about these attacks or others which target layer 2. Enable port security to prevent cam table overflow attacks. Virtual local area networks vlans a tutorial author.
With a network that lets them generate and protect terabits of data, this centuriesold port became one of the worlds most modern. This can be mitigated by adding redundancy at the server layer. If multiple networks are connected to a switch, you need to specify how the switch forwards the internetwork frames, because the path must be determined at layer three. Essential lockdowns for layer 2 switch security techrepublic. We were tired of doing always the same layer 2 attacks arp poisoning, cam flooding. In contrast, physical layer security methods are keyless and they can be used to. All attacks and mitigation techniques assume a switched ethernet network running ipv4. Download free firewall tutorial course material, tutorial training, pdf file by cisco systems on 21 pages. Although ill use cisco in my example, the tactics and lessons discussed here apply to any other vendor. One key disadvantage of the clientserver architecture is that the server can present a single point of failure. Secure spanningtree parameters to prevent stp manipulation attacks.
They break up one large collision domain into multiple smaller ones in a typical lan, all hosts are connected to. Layer 2 vpn is not supported on the ex9200 virtual chassis. Toronto info sec layer 2 security the threat the osi model was built to allow different layers to work without knowledge of each other, and that means that if a layer is compromised the other layers will not be aware domino effect. Pdf exploring layer 2 network security in virtualized. The switch cisco ios software provides many security features that are specific to switch functions and protocols. Layer 3 switch and security appliance best practices for vlans. First, youll learn about the threats seen at layer 2. This is not a comprehensive talk on configuring ethernet switches for security or nac or ieee 802.
Up to 4094 vlans can be configured on cisco catalyst switches. Cisco ios xr virtual private network configuration guide for the cisco crs router ol2466901. Welcome to website, a free ccna tutorial site that closely follows the cisco ccna curriculum. Use the webex training center to share files and documents, hold online meetings and conferences, and foster online collaboration.
It is a layer 2 security feature available on intelligent ethernet switches. Just like ipsec protects network layer, and ssl protects application data, macsec protects traffic at data link layer layer 2. Overlooked a network external to or intruders are suceptibles conduct to attacks. Get up to speed on the latest trends shaping tomorrows networks. By default, only vlan 1 is configured on the switch, so if you connect hosts on an outofthebox switch they all belong to the same layer 2 continue reading. Application presentation session transport network data link physical application transport internet network access layer 2. Such protocols require a secure and random key sequence shared between the authenticated nodes a priori 1, 2. Implement an acl to prevent outside users from accessing the management vlan. We were tired of check that, very often, routers and switches configuration are poorly set up and rarely hardened. As a result, clientserver networks can scale far larger than peertopeer networks. Cisco security experts omar santos and john stuppi share preparation hints and testtaking tips, helping you identify areas of weakness and improve both your conceptual knowledge and handson skills. S1 is a layer 2 switch, so it makes forwarding decisions based on the layer 2 header.
For example, use ssh, authentication mechanism, access list, and set privilege levels. This post will deal with creating layer 2 vlans on cisco switches and performing all relevant configurations. Lesson 17 cisco network foundation protection nfp framework management plane, control plane and data plane. It consists of two key components, cisco security manager and mars. We were tired of watching the same interesting packets flowing in our customers networks and not being able to play with them. Cisco switches layer 2 security best practices it tips. If violation errordisable, the following log message will be. On ex9200 switches, graceful routing engine switchover gres, nonstop active routing nsr, and logical systems are not supported on layer 2 vpn configurations. This is done by specifying a default gateway address that points to a router or layer 3 switch.
The second level of the open system interconnection osi model is the data link layer. This can be considered a continuation of the work we presented at def con 23 evaluating layer 2 network security. Ciscos deference in depth implement multi layer network defences asafirewalls, nips, hips cisco security agent, out of band management. The nameif and security lines go under the int vlan section. Video showing how to setup and view basic configurations and port security on cisco switches.
Understanding layer 2 vpns techlibrary juniper networks. Why ciscos webex room usb might be the right fit for you. Ccna security 210260 section 8 securing layer 2 infrastructure. The data link layer is often overlooked and trusted as it is limited by the organization physical boundaries is this true. Layer 2 switching or data link layer switching is the process of using devices mac addresses to decide where to forward frames. There have been a number of attacks on the network recently. The cisco ccna security certification also provides the tools and skills needed for an it security beginner for installation, troubleshooting, and monitoring of network devices to maintain the integrity, confidentiality, and availability of. Increased security of separate firewall and router vs. This module provides the conceptual and configuration information for mpls layer 2 virtual private networks vpns on cisco ios xr software. Media access control security or macsec is the layer 2 hop to hop network traffic protection. If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate vlans will be deployed to provide separation at that level. For example, say there is a client that connects to wifi, but does not have a usernamepassword for layer 3 web auth.
L2tpv3 layer two tunneling protocol version 3 is a pointtopoint layer two over ip tunnel. Layer 2 switch security technical implementation guide cisco. Exploring layer 2 network security in virtualized environments. Ccna security 210260 section 11 introducing the cisco asa v9.
Cisco merakis architecture delivers outofthebox security, scalability, and management to enterprise networks. One thing i dont cover in this video is setting a static mac address for security, so ill do it here. Switches and bridges are used for layer 2 switching. You can reliably tune hsrpglbp timers to achieve 900 ms convergence for linknode failure in the l2l3 boundary in the distribution hierarchical model. Enable trunking and configure security on the new trunk link between sw1 and sw2. This means you can tunnel l2 protocols like ethernet, framerelay, atm, hdlc, ppp, etc. Download file pdf pt activity layer 2 vlan security answers pt activity layer 2 vlan security answers. Objectives assign the central switch as the root bridge. Ethernet switching attack resilience varies widely from vendor to vendor. In this lab, you will configure ssh access and layer 2 security for s1 and s2. Cisco ios provides the small services that include.
Arrayas network and security team stands ready to help. The site was designed to help you pass the ccna exam 200125, but it can also be used as a reference site for anything networking related. Types of virtual lans q layer1 vlan group of physical ports q layer2 vlan group of mac addresses q layer3 vlan ip subnet 1 2 23. A list of best practices is presented here for implementing, managing, and maintaining secure layer 2 network. Cisco qualified system affiliate ccna redirecting and changing is a documentation program for entrylevel network technicians that helps increase your investment in fundamental social media. Save my name, email, and website in this browser for the next time i comment. Traditional switching operates at layer 2 of the osi model, where packets are sent to a specific switch port based on destination mac addresses. In this course, layer 2 security for ccna security 210260 iins, youll learn all you need to know about the subset of the 210260 ccna security exam. Are client wifi connections more resilient against eavesdroppers with a preshared key at layer 2 versus simply having an open network and just using layer 3 web auth. Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces.