Home > Articles > Certification > Other IT

  • Print
  • + Share This
This chapter is from the book

Layer 2 Security Best Practices

To conclude this chapter, a list of best practices is presented here for implementing, managing, and maintaining secure Layer 2 network:

  • Manage the switches in a secure manner. For example, use SSH, authentication mechanism, access list, and set privilege levels.
  • Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.
  • Always use a dedicated VLAN ID for all trunk ports.
  • Be skeptical; avoid using VLAN 1 for anything.
  • Disable DTP on all non-trunking access ports.
  • Deploy the Port Security feature to prevent unauthorized access from switching ports.
  • Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
  • Use MD5 authentication where applicable.
  • Disable CDP where possible.
  • Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
  • Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
  • Use port security mechanisms to provide protection against a MAC flooding attack.
  • Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
  • Enable Spanning Tree Protocol features (for example, BPDU Guard, Loopguard, and Root Guard).
  • Use Switch IOS ACLs and Wire-speed ACLs to filter undesirable traffic (IP and non-IP).
  • + Share This
  • 🔖 Save To Your Account