
Security: ACLs and Layer-2 Security Features

Configure extended ACLs

  1. Configure extended ACL OfficeA_to_OfficeB where appropriate:
    a. Allow ICMP messages from the Office A PCs subnet to the Office B PCs subnet.
    b. Block all other traffic from the Office A PCs subnet to the Office B PCs subnet.
    c. Allow all other traffic.
    d. Apply the ACL according to general best practice for extended ACLs. (As close to the source as possible)

(Standard ACLs, on the other hand, should generally be applied as close to the destination as possible, since they can only match on the source address.)

The closest L3 location to the source is the VLAN 10 SVI of DSW-A1 and DSW-A2.

Configure on both DSW-A1 and DSW-A2:

DSW-A1(config)#ip access-list extended OfficeA_to_OfficeB
DSW-A1(config-ext-nacl)#permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
DSW-A1(config-ext-nacl)#deny ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
DSW-A1(config-ext-nacl)#permit ip any any
DSW-A1(config-ext-nacl)#
DSW-A1(config-ext-nacl)#int vlan 10
DSW-A1(config-if)#ip access-group OfficeA_to_OfficeB in

Configure Port Security

  1. Configure Port Security on each Access switch's F0/1 port:
    a. Allow the minimum necessary number of MAC addresses on each port.
    i. SRV1 does not use virtualization, so it uses a single MAC address.
    b. Configure a violation mode that blocks invalid traffic without affecting valid traffic. The switches should send notifications when invalid traffic is detected.
    c. Switches should automatically save the secure MAC addresses they learn to the running-config. (Sticky MAC Address learning)

ASW-A1, ASW-B1, ASW-B3:

interface f0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict

ASW-A2, ASW-A3, ASW-B2:
A maximum of 2 is needed on these ports because the IP phone and the PC behind it use two MAC addresses:

interface f0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

DHCP Snooping

  1. Configure DHCP Snooping on all Access switches.
    a. Enable it for all active VLANs in each LAN.
    b. Trust the appropriate ports (those facing the DHCP server, R1: the G0/1 and G0/2 uplinks that connect to the distribution layer).
    c. Disable insertion of DHCP Option 82 (also known as the relay agent information option).
    d. Set a DHCP rate limit of 15 pps (packets per second) on active untrusted ports.
    e. Set a higher limit (100 pps) on ASW-A1’s connection to WLC1.

Configure ASW-A1:

Enable DHCP Snooping globally and then on a per-VLAN basis (both are required; the global command alone does nothing):

ASW-A1(config)#ip dhcp snooping
ASW-A1(config)#ip dhcp snooping vlan 10,20,40,99

Disable option 82 insertion:

ASW-A1(config)#no ip dhcp snooping information option

Trust the uplinks to the distribution layer:

ASW-A1(config)#int range g0/1-2
ASW-A1(config-if-range)#ip dhcp snooping trust

Set rate limits for DHCP messages on untrusted ports. If the switch receives DHCP messages on this interface at a rate greater than 15 packets per second, the interface will be error-disabled.

ASW-A1(config-if-range)#int f0/1
ASW-A1(config-if)#ip dhcp snooping limit rate 15

Increase the limit for the WLC:

ASW-A1(config-if)#int f0/2
ASW-A1(config-if)#ip dhcp snooping limit rate 100

Configure the rest of the switches
ASW-A2, ASW-A3:

ip dhcp snooping
ip dhcp snooping vlan 10,20,40,99
no ip dhcp snooping information option
interface range g0/1-2
 ip dhcp snooping trust
interface f0/1
 ip dhcp snooping limit rate 15

ASW-B1, ASW-B2, ASW-B3:

ip dhcp snooping
ip dhcp snooping vlan 10,20,30,99
no ip dhcp snooping information option
interface range g0/1-2
 ip dhcp snooping trust
interface f0/1
 ip dhcp snooping limit rate 15

Dynamic ARP Inspection

  1. Configure DAI on all Access switches.
    a. Enable it for all active VLANs in each LAN.
    b. Trust the appropriate ports.
    c. Enable all optional validation checks.

Unlike DHCP Snooping, DAI only needs to be enabled per-VLAN. You don’t need to enable it globally.

ASW-A1(config)#ip arp inspection vlan 10,20,40,99

Next, let’s enable the optional checks. By default, DAI checks that the sender IP/MAC pair in an ARP message matches an entry in the DHCP Snooping binding table. The optional validation checks make it perform a more thorough inspection of ARP messages, comparing the MAC addresses in the Ethernet header against those in the ARP body and rejecting invalid IP addresses. The command is ip arp inspection validate dst-mac src-mac ip.

ASW-A1(config)#ip arp inspection validate dst-mac src-mac ip

Finally, I’ll trust the two uplink ports.

ASW-A1(config)#int range g0/1-2
ASW-A1(config-if-range)#ip arp inspection trust

Configure the rest of the switches in the same way:
ASW-A2, ASW-A3:

ip arp inspection vlan 10,20,40,99
ip arp inspection validate src-mac dst-mac ip
interface range g0/1-2
 ip arp inspection trust

ASW-B1, ASW-B2, ASW-B3:

ip arp inspection vlan 10,20,30,99
ip arp inspection validate src-mac dst-mac ip
interface range g0/1-2
 ip arp inspection trust
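Because DAI validates ARP messages against the DHCP Snooping binding table, the VLAN lists and trusted uplinks of the two features should match on every access switch. As an added example (not part of these notes), the Python below parses the snooping and DAI commands from the sections above and reports any drift; the interface names, the uplink list and the sample config are constructed.

```python
import re

def parse_vlans(spec):
    # '10,20,40,99' -> {10, 20, 40, 99} (comma-separated lists, as used in these notes)
    return {int(v) for v in spec.split(",")}

def expand_ifaces(spec):
    # 'g0/1-2' -> ['g0/1', 'g0/2']; a single interface name is returned as-is
    m = re.fullmatch(r"(\D+\d+/)(\d+)-(\d+)", spec)
    return [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)] if m else [spec]

def audit_l2_security(config, uplinks=("g0/1", "g0/2")):
    # Return a list of findings for one access switch; an empty list means all checks pass
    snoop_vlans, dai_vlans, snoop_trust, dai_trust, current = set(), set(), set(), set(), []
    option82 = True  # IOS inserts option 82 by default once snooping is enabled
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (?:range )?(\S+)$", line):
            current = expand_ifaces(m.group(1))
        elif m := re.match(r"ip dhcp snooping vlan (\S+)$", line):
            snoop_vlans = parse_vlans(m.group(1))
        elif m := re.match(r"ip arp inspection vlan (\S+)$", line):
            dai_vlans = parse_vlans(m.group(1))
        elif line == "no ip dhcp snooping information option":
            option82 = False
        elif line == "ip dhcp snooping trust":
            snoop_trust.update(current)  # trust applies to every interface in the range
        elif line == "ip arp inspection trust":
            dai_trust.update(current)
    findings = []
    if dai_vlans != snoop_vlans:  # DAI looks up the snooping binding table per VLAN
        findings.append(f"DAI VLANs {sorted(dai_vlans)} differ from DHCP snooping VLANs {sorted(snoop_vlans)}")
    if option82:
        findings.append("DHCP option 82 insertion is still enabled")
    for feature, trusted in (("DHCP snooping", snoop_trust), ("DAI", dai_trust)):
        if missing := set(uplinks) - trusted:
            findings.append(f"{feature}: uplinks not trusted: {sorted(missing)}")
    return findings

# Constructed sample: an Office B access switch whose DAI VLAN list drifted from snooping's
DRIFTED = """
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,99
no ip dhcp snooping information option
interface range g0/1-2
 ip dhcp snooping trust
ip arp inspection vlan 10,30,40,99
interface range g0/1-2
 ip arp inspection trust
"""
```

Running audit_l2_security(DRIFTED) reports that VLAN 20 is unprotected by DAI while VLAN 40 is inspected without a binding table; correcting the DAI VLAN list clears the finding.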