Security Switching

Explore and explain in detail how a Cisco switch may be configured for security

Maintaining a secure network protects users and secures commercial interests in an enterprise even though a Risk Management Strategy’s focus is mainly on environmental factors and securing Edge Devices,
but just as important is securing the datalink layer (Froom,R. and Frahim,E., 2015).
When it comes to networking, the Datalink Layer can be a weak link, as a switch has no built-in mechanism to detect an attack which will leave the higher layers of the OSI Model compromised and the upper layers unaware of the security breach.

Switching ports are in an open state by default with a possible result of a disgruntled employee or a cracker exploiting this weakness and launching a malicious attack to gather data or perform a DoS (Denial of Service) attack. To mitigate against this type of attack it is recommended to configure Port Security and disable unused ports, whilst implementing effective entry systems to facilities and having a secure separated area for networking devices.

During the planning stage the network must be resilient and able to automatically recover from a Physical Link failure whilst minimizing the attack vector on the Datalink and Network Layers of a Campus Switch Block.

Campus LAN Switch Block

Patching Management should also be included as part of a layer 2 defense as it protects an organization against security vulnerabilities as at the time of writing, Cisco Catalyst on the Computer Security Resource Center National Vulnerability Database (NVD) website has 106 common vulnerabilities and exposures (NIST,2017).

Network redundancy involves the integration of hardware with software to ensure the availability of the network in the event of a single point of failure (Austin,K., 2016), by implementing multiple networking devices and links, thus improving the security posture of a Campus LAN. Furthermore by incorporating redundant power supplies for devices, providing separated electrical ring circuits and backup electrical generators, as well as having UPS to protect against power failures and electrical surges, the switch block design is complemented.

High Availability is an additional layer to network redundancy and encompasses First-Hop Redundancy Protocols and cisco proprietary virtualization technologies of StackWise and Virtual Switching Systems (VSS) improving resiliency and performance whilst reducing management.
StackWise Technology uses cables to combine up to a maximum of 9 catalyst switches to form a single logical unit whereas VSS uses a virtual switch link to combine two catalyst switches (Hucaby, D., 2015). Both these technologies combine the switches to form a single managed logical unit.

The Spanning Tree Protocol (802.1D) is used to protect our network topology against bridging loops when switches are interconnected via multiple paths. To achieve this switches exchange Bridge Protocol Data Units (BPDUs) messages and the switch with the superior BPDU is elected as the Root Bridge and port roles are then established.
STP loops can occur when there is a hardware failure, a configuration issue or a man-in-the-middle launched attack causing the network topology to be altered (Bhaiji, Y., 2008).

In the event a port receives a superior BPDU from a rogue switch attached to the network, Cisco offers Root Guard and BPDU Guard to combat this type of attack. Root Guard will block the port and when the downstream device stops sending superior BPDUs the port will recover automatically. On the other hand BPDU Guard will shut down the port requiring a manual or a timeout value to be set to bounce the port. BPDU Guard is deployed alongside PortFast to prevent the switch transitioning to the forwarding state automatically, bypassing the listening and learning state.

Another form of disruption is an unexpected loss of the Root Bridge BPDU transmitted across adjacent dual link interconnected switches making these ports transition to the forwarding state causing an unintentional loop. The following features can be implemented to reduce the likelihood of this occurring on the network. Loop Guard works on non-designated ports and blocks the port from becoming a STP designated port, while Unidirectional Link Detection (UDLD) complements spanning tree by detecting a broken link that results in a unidirectional link shutting down the port, if configured in aggressive mode.

All the above features are incorporated into the Rapid Spanning Tree Protocol Standard (802.1W) which is the default on modern switches (Froom, R. and Frahim, E.,2015). To avoid configuration issues legacy switches need to be replaced, or the Internetwork Operating System upgraded as part of an upgrade strategy to migrate or deploy RSTP.

VLANs form a single broadcast domain and Trunking ports carry all VLAN data between the switches by inserting a Tag into the packet header of the VLAN, the destination switch will then remove this tag before forwarding the frame. Ports on a switch are always wanting to form a Dynamic Trunk by default because of Dynamic Trunking Protocol.

Basic VLAN hopping (Switch spoofing) occurs when an end station feigns to be a switch and by using appropriate Trunking protocols forms a trunk link and is able to capture frames and contact hosts on all VLANs. A similar type of attack is Double Tagging VLAN hopping when a host adds a tag to the frame and a switch will also add a tag this is a unidirectional DoS attack.
You can mitigate VLAN hopping attacks disabling Trunking by assigning a non-interconnected switch port as access ports and disable DTP by configuring the port as a static trunk port. To prevent Double Tagging you create a VLAN that will be the native VLAN for Trunking Links between switches so that no ports will be assigned to it.

Despite the variety and scale of threats posed to a modern networks there are no signs of it slowing down as there has been a steady increase in attacks over the years with some 30 percent of Cyber Security Professionals surveyed experiencing damage and theft at the datalink layer (ISACA, 2015).
Effective management, dissecting your campus network and implementing routing protocols between the access and distribution layers and deploying High Availability technologies will lead to a reduction in the attack surface area.


Austin, K. (2016) ‘Applying network best practices via Ethernet network redundancy’, Control Engineering, August 2 [Online] Available at (Accessed 26 August 2017)

Bhaiji, Y. (2008) ‘CCIE Professional Development Series: Network Security Technologies and Solutions’, Indianapolis, Indiana: Cisco Press

Bhaiji, Y. (2009) ‘Understanding, Preventing, and Defending Against Layer 2 Attacks’, Cisco [Online] Available at (Accessed 6 September 2017)

Bryant, C. CCIE No12933 (2015) ‘CCNP Success Series: CCNP Switch 300-115 Study Guide’, Published in Great Britain for Amazon

Cisco (2007) ‘Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features’, Cisco, January 22 [Online] Available at (Accessed 09 September 2017)

Computer Security Institute. (2008) ‘CSI Computer Crime & Security Survey’, Computer Security Institute [Online] Available at (Accessed 7 September 2017)

Computer Security Institute. (2011) ‘15TH Annual 2010/2011 Computer Crime and Security Survey’, Computer Security Institute [Online] Available at (Accessed 7 September 2017)

Hucaby, D. (2015) ‘CCNP Routing and Switching SWITCH 300-115 Official Cert Guide’, Indianapolis, Indiana: Cisco Press.

Froom, R. and Frahim, E. (2015) ‘Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide CCNP Switch 300-115’, Cisco Press

ISACA (2015) ‘State of Cybersecurity: Implications for 2015’, ISACA [Online] Available at (Accessed 6 September 2017)

Jedras, J. (2011) ‘Network managers aren’t taking their Cisco security updates seriously’, Computer Dealer News, June, 2011, Vol.27, p.14 [Online] Available at|A260149766&v=2.1&u=tou&it=r&p=CDB&sw=w (Accessed 24 August 2017)

Lammle, T. and Tedder, W. (2014) ‘CCNA Routing and Switching, Deluxe Study Guide’, Sybex

NIST (2017) National Vulnerability Database, NVD Dashboard, September 11 [Online] Available at (Accessed 11 September 2017)

Software Engineering Institute. (2012) ‘2012 CyberSecurity Watch Survey’, Carnegie Mellon University, September 2012 [Online] Available at (Accessed 11 September 2017)
Stewart, James M., Chapple, Mike and Gibson, Darril. (2012) ‘CISSP, Certified Information Systems Security Professional Study Guide’, 6th edition, Sybex

Leave a Reply

Your e-mail address will not be published. Required fields are marked *