Security Design
Egress Network Security Design
External network services provided by the intranet, such as the enterprise website and email services, may introduce security risks that threaten the campus network. It is recommended that the following security services be deployed on the egress firewall of the campus network to secure the network perimeter:
Assign employees, servers, and the extranet to different security zones to inspect and protect interzone traffic.
Enable the content security protection function based on types of network services provided by enterprises. For example, enable antivirus and intrusion prevention for all servers.
If employees need to access the Internet, enable functions such as URL filtering and antivirus to defend against Internet threats and prevent information leaks to ensure enterprise network security.
Deploying these security services depends on the design of two key functions of the firewall: security zone and security policy. For more information, see Egress Network Design.
Intranet Security Design
A typical large or midsize campus network uses a three-layer architecture, consisting of the core layer, aggregation layer, and access layer. Simplified networks may use a two-layer architecture consisting of only the core layer and access layer; the network security design is the same in both cases. The following sections provide guidance on the network security design.
Access Layer (Access Switch)
The access layer is the edge of a campus network, which provides diverse access modes to PCs, network cameras, printers, IP phones, and wireless terminals. It is the first tier of the campus network, and needs to meet access demands of various terminals. The access layer also needs to protect the entire network against access of unauthorized users and applications, so it must provide enough security without compromising network availability. You are advised to enable the following security functions on the access switch:
- Broadcast storm control
When a Layer 2 Ethernet interface on a device receives broadcast, unknown-unicast, and multicast (BUM) packets, the device forwards these packets to other Layer 2 Ethernet interfaces in the same VLAN if the outbound interfaces cannot be determined based on the destination MAC addresses of these packets. As a result, a broadcast storm may be generated, degrading forwarding performance of the device. On downlink interfaces of the access layer (access switch), configure suppression of BUM packets to effectively reduce broadcast storms.
- DHCP snooping, with the uplink interfaces that directly or indirectly connect the access switch to the DHCP server configured as trusted interfaces
DHCP snooping defends against bogus DHCP server attacks, DHCP server DoS attacks, bogus DHCP packet attacks, and other DHCP attacks. DHCP snooping allows administrators to configure trusted interfaces and untrusted interfaces, so DHCP clients can obtain IP addresses from authorized DHCP servers. A trusted interface forwards DHCP messages it receives whereas an untrusted interface discards DHCP ACK messages and DHCP Offer messages received from a DHCP server.
An interface directly or indirectly connected to the DHCP server trusted by the administrator needs to be configured as the trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients only obtain IP addresses from authorized DHCP servers and prevents bogus DHCP servers from assigning IP addresses to DHCP clients.
- IP source guard and dynamic ARP inspection (DAI)
Unauthorized users often send bogus packets carrying the source IP address and MAC address of authorized users to access or attack the network. As a result, authorized users can no longer access the network reliably and securely. To address this problem, you can configure IP source guard. IP source guard prevents unauthorized hosts from using IP addresses of authorized hosts or specified IP addresses to access or attack the network.
You can configure DAI to defend against man-in-the-middle (MITM) attacks, preventing theft of authorized user information. When a device receives an ARP packet, it matches the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet against binding entries. If a match is found, the device considers the ARP packet valid and allows it to pass through. Otherwise, the device discards the packet.
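The following added example (not part of this design guide or any switch software) models how the three functions described above work together: DHCP snooping drops server messages arriving on untrusted ports and learns a binding entry when a trusted ACK completes a client's exchange, and IP source guard and DAI then match the four-tuple (IP, MAC, VLAN, interface) of later packets against those entries. Interface names, VLAN IDs, MAC addresses, IP addresses and the traffic sequence are constructed for illustration.

```python
# Constructed topology: the uplink towards the DHCP server is the only trusted
# interface; all user-facing ports are untrusted.
TRUSTED_IFS = {"GE0/0/24"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # message types only a DHCP server sends

def dhcp_snoop(msg, pending, bindings):
    """Filter one DHCP message and learn a binding entry (ip, mac, vlan, iface)
    when an ACK from a trusted port completes a client's exchange."""
    t, iface = msg["type"], msg["iface"]
    if t in SERVER_MSGS:
        if iface not in TRUSTED_IFS:
            return "drop"                    # server message behind a user port: bogus DHCP server
        if t == "ACK" and msg["chaddr"] in pending:
            cl_iface, vlan = pending.pop(msg["chaddr"])
            bindings.add((msg["yiaddr"], msg["chaddr"], vlan, cl_iface))
        return "forward"
    pending[msg["chaddr"]] = (iface, msg["vlan"])   # DISCOVER/REQUEST: remember the client's port
    return "forward"

def _bound(pkt, bindings):
    """Trusted ports are not inspected; untrusted ports need an exact four-tuple match."""
    return pkt["iface"] in TRUSTED_IFS or (pkt["sip"], pkt["smac"], pkt["vlan"], pkt["iface"]) in bindings

def ipsg_check(pkt, bindings):
    """IP source guard: IP packets from untrusted ports must match a binding entry."""
    return "forward" if _bound(pkt, bindings) else "drop"

def dai_check(arp, bindings):
    """Dynamic ARP inspection: the same check applied to the ARP sender IP/MAC."""
    return "forward" if _bound(arp, bindings) else "drop"

def run_demo():
    """Constructed traffic: a legitimate lease, a rogue OFFER, then spoofed ARP and IP."""
    pending, bindings, out = {}, set(), []
    client = "00:11:22:33:44:55"
    flow = [
        dict(type="DISCOVER", iface="GE0/0/1", vlan=10, chaddr=client),
        dict(type="OFFER", iface="GE0/0/2", vlan=10, chaddr=client, yiaddr="10.1.10.200"),
        dict(type="OFFER", iface="GE0/0/24", vlan=10, chaddr=client, yiaddr="10.1.10.50"),
        dict(type="REQUEST", iface="GE0/0/1", vlan=10, chaddr=client),
        dict(type="ACK", iface="GE0/0/24", vlan=10, chaddr=client, yiaddr="10.1.10.50"),
    ]
    for m in flow:
        out.append((m["type"], m["iface"], dhcp_snoop(m, pending, bindings)))
    good = dict(sip="10.1.10.50", smac=client, vlan=10, iface="GE0/0/1")
    spoof = dict(sip="10.1.10.50", smac="de:ad:be:ef:00:01", vlan=10, iface="GE0/0/2")
    out += [("ARP", "GE0/0/1", dai_check(good, bindings)), ("ARP", "GE0/0/2", dai_check(spoof, bindings)),
            ("IP", "GE0/0/2", ipsg_check(spoof, bindings))]
    return out, bindings
```

The OFFER from the user port GE0/0/2 is dropped before any client sees it, and the packets that claim the leased address from another port fail the binding match while the real client's ARP passes.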
- Port isolation
You are advised to configure port isolation on the interfaces connecting the access switch to terminals. This configuration secures user communication and prevents invalid broadcast packets from affecting user services.
Note: If the connection type "terminal" is selected for a port during access management configuration for the fabric, the port isolation function is automatically configured on the port.
Access Layer (WLAN Access)
On a WLAN, service data is transmitted through radio signals. Such open channels expose service data to eavesdropping and tampering during transmission, and to threats such as rogue STAs, spoofing APs, and denial of service (DoS) attacks launched by malicious terminals. As shown in Figure 2-124, WLAN security design covers the following aspects:
- Air interface security: Identifies and defends against attacks such as rogue APs, rogue STAs, unauthorized ad-hoc networks, and DoS attacks.
- STA access security: Ensures the validity and security of STAs' access to the WLAN.
- Service security: Protects service data of authorized users from being intercepted by unauthorized users during transmission.
Air Interface Security Design
- To prevent intrusion of unauthorized devices or interference devices, enable the Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS) functions of the WLAN to detect and contain rogue devices.
- Enable the WLAN spectrum analysis function to identify interference sources on the network, locate them, and eliminate interference on the network.
The spectrum analysis architecture is composed of the spectrum sampling engine, spectrum analyzer, and interference visualization module. The function of each component is as follows:
- Spectrum sampling engine: Collects spectrum information on the WLAN and forwards the information to the spectrum analyzer.
- Spectrum analyzer: Analyzes spectrum data, identifies interference source types, and sends the report on interference devices to the interference visualization module.
- Interference visualization module: Displays interference source information in graphs, including real-time spectrum graphs.
Figure 2-125 Spectrum analysis system
- To detect attacks on the air interface, you are advised to enable the attack detection function in public areas and student dormitories with high security requirements. It detects flood, weak initialization vector (weak IV), and spoofing attacks, automatically adds attackers to the dynamic blacklist, and alerts the administrator through alarms.
STA Access Security Design
The STA access security solution is designed based on the combination of different access authentication modes in NAC and WLAN security policies, and needs to ensure both security and convenience. For example, in scenarios where users do not need to communicate, it is recommended that user isolation be configured.
For details about the planning and design of STA access security, see "WLAN Admission Design" in WLAN Design.
Service Security Design
The wired network between APs and WACs also faces the security threats common to IP networks, such as interception, tampering, and spoofing. To improve data transmission security, the CAPWAP tunnel between the WAC and AP supports DTLS encryption, including:
- DTLS encryption for management packets in the CAPWAP tunnel
- DTLS encryption for service data packets in the CAPWAP tunnel
- Sensitive information encryption: When sensitive information is transmitted between an AP and a WAC, the information can be encrypted to ensure security. Sensitive information includes the FTP user name, FTP password, AP login user name, AP login password, and service configuration key. The sensitive information encryption function can also be configured to protect data transmitted between WACs.
- Integrity check: When CAPWAP packets are transmitted between an AP and a WAC, these packets may be forged, tampered with, or used by attackers to construct malformed packets to launch attacks. Integrity check can protect CAPWAP packets between the AP and WAC.
If the AP and WAC are both located on the internal network, these security functions do not need to be enabled. It is recommended that they be enabled when the AP is connected to the WAC across the Internet or the WACs are located across the Internet.
Aggregation Layer
For the network security design at the aggregation layer, refer to Access Layer (Access Switch) if terminals are connected to the aggregation switch, and refer to Core Layer if the aggregation switch functions as the user gateway or authentication point.
Core Layer
Core switches are located at key positions of the network, and thus the security of core switches is crucial. When the core switch functions as a centralized authentication point, its CPU performance must be able to support protocol packet processing when a large number of users access the network. When the core switch functions as a user gateway, ARP security must be considered.
To protect the CPU and ensure that the CPU processes and responds to normal services, the core switch provides local attack defense functions. In the event of an attack, these functions ensure uninterrupted service transmission and minimize the impact of the attack on network services.
Local attack defense functions include CPU attack defense, attack source tracing, port attack defense, and user-level rate limiting. By default, the core switch is enabled with these functions.
CPU attack defense
CPU attack defense enables the device to rate limit the packets sent to the CPU within a specified period of time, protecting the CPU and ensuring normal service processing.
The key to CPU attack defense is the Control Plane Committed Access Rate (CPCAR). CPCAR limits the rate of protocol packets sent to the control plane to ensure security of the control plane.
Attack source tracing
Attack source tracing defends against denial of service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics on them, and compares the counts against a configured threshold; packets exceeding the threshold are considered attack packets. The device finds the source user address or source interface of the attack by analyzing the attack packets and generates logs or alarms. Accordingly, the network administrator can take measures to defend against the attacks or configure the device to discard packets from the attack source.
Port attack defense
Port attack defense is an anti-DoS attack method. It defends against attacks based on ports and prevents protocol packets on ports from occupying bandwidth and causing other packets to be discarded.
By default, port attack defense is enabled on the device for common user protocol packets, such as ARP, ICMP, DHCP, and IGMP packets. If a user attack occurs, the device restricts the attack impact within the port, reducing the impact on other ports.
User-level rate limiting
User-level rate limiting identifies users based on MAC addresses, and rate-limits specified protocol packets, such as ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets. If a user undergoes a DoS attack, other users are not affected. The core of user-level rate limiting is host CAR. By default, user-level rate limiting is enabled.
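The following added example (not part of this design guide or of any switch's implementation) models two of the local attack defense functions described above in one pass over CPU-bound protocol packets: attack source tracing counts packets per source MAC and ingress interface and raises an alarm when a configured threshold is exceeded, and host CAR rate-limits each user's protocol packets so that only the flooding user's excess is dropped. Rates, thresholds, MAC addresses and interface names are constructed values, and timing is simplified to fixed one-second windows rather than a token bucket.

```python
from collections import defaultdict

# Constructed parameters (illustrative, not a switch's actual defaults):
# per-user committed rate in packets/second for each protocol sent to the CPU,
# and the attack source tracing threshold per one-second check period.
HOST_CAR_PPS = {"ARP": 10, "DHCP": 5, "IGMP": 5}
TRACE_THRESHOLD = 50

class LocalAttackDefense:
    """Models user-level rate limiting (host CAR) and attack source tracing for
    protocol packets punted to the CPU. Timing uses fixed one-second windows."""
    def __init__(self):
        self.car_state = {}                 # (mac, proto) -> [window, count]
        self.trace_state = {}               # (mac, iface) -> [window, count]
        self.alarms = []

    @staticmethod
    def _count(table, key, window):
        state = table.setdefault(key, [window, 0])
        if state[0] != window:              # new one-second window: reset the counter
            state[0], state[1] = window, 0
        state[1] += 1
        return state[1]

    def punt(self, pkt):
        """Return True if the packet (ts, mac, iface, proto) reaches the CPU."""
        window = int(pkt["ts"])
        # Attack source tracing: count per source MAC and ingress port; alarm once per window.
        seen = self._count(self.trace_state, (pkt["mac"], pkt["iface"]), window)
        if seen == TRACE_THRESHOLD + 1:
            self.alarms.append(f"window {window}: {pkt['mac']} on {pkt['iface']} exceeded {TRACE_THRESHOLD} pkt/s")
        # Host CAR: per-user, per-protocol committed rate; only this user's excess is dropped.
        rate = HOST_CAR_PPS.get(pkt["proto"])
        if rate is None:
            return True
        return self._count(self.car_state, (pkt["mac"], pkt["proto"]), window) <= rate

def simulate():
    """Constructed traffic: one host floods 200 ARP/s, a neighbour sends 5 ARP/s."""
    flood = [dict(ts=i / 200, mac="aa:aa:aa:aa:aa:01", iface="GE0/0/1", proto="ARP") for i in range(200)]
    normal = [dict(ts=i / 5, mac="bb:bb:bb:bb:bb:02", iface="GE0/0/2", proto="ARP") for i in range(5)]
    lad, passed = LocalAttackDefense(), defaultdict(int)
    for pkt in sorted(flood + normal, key=lambda p: p["ts"]):
        passed[pkt["mac"]] += lad.punt(pkt)
    return dict(passed), lad.alarms
```

The flooding host is cut back to its 10 pkt/s committed rate and reported once as an attack source, while the neighbour's 5 ARP packets all reach the CPU untouched.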
When a switch functions as an access gateway, it receives a large number of ARP packets requesting the interface MAC address of the switch. If all these ARP Request packets are sent to the main control board for processing, the CPU usage of the main control board will increase and other services cannot be processed promptly.
The optimized ARP reply function addresses this issue. After this function is enabled, the interface card directly responds to ARP requests if the ARP Request packets are destined for the local interface of the switch, helping defend against ARP flood attacks. This function is applicable to the scenario where a modular switch is configured with multiple interface cards or fixed switches are stacked.
By default, the optimized ARP reply function is enabled on a switch. Do not disable the function.