Layer 2 LAN Access

We have discussed Layer 2 access security issues in Chapter 7, particularly in the context of Ethernet over MPLS. As customers converge their services onto an MPLS-based network, Layer 2 security considerations will be even more pivotal, especially for interworking OAM constructs and interprovider pseudowire mechanisms, such as pseudowire switching, which are being discussed at the time of the writing of this book.

Some points to highlight for deployment are the following:

  • Inter-As and CsC connections only in private peering relationships?Use a dedicated connection rather than a shared VLAN.

  • Within VLANs, ARP spoofing (hacking tools hunt, arpspoof), CAM overflow (hacking tool macof), DoS against spanning tree, and DoS storms (a hacking tool exists) can be done. For ARP spoofing and CAM overflow prevention, look at port security. Also, disable the spanning tree on the router port by hard coding the root bridge, for example.

These are not extensive and are the most obvious best practices for Layer 2 deployments.