LAN Security Issues

In this section we discuss LAN security issues as they pertain to core security. We also illustrate LAN factors for peering constructs.

In the case of a LAN-based Layer 2 interconnect, the PE router will need to maintain ARP entries for all of the end system addresses that are reachable beyond that interface.

The number of entries may be considerable depending on the size of the connected site, and it can considerably impact router CPU and memory. It is generally viewed that an excess of 20,000 ARP entries can lead to issues on the connected router and, as such, it may be desirable to segment such a large campus.

As well, because there is no Layer 3 "CE" router in this scenario, there are no reasonable mechanisms available to ensure that the only accesses into the VPN from this interface are those authorized to do so. That is, given some large number of hosts on this Layer 2 domain, it is difficult, if not impossible, to create access controls that can ensure that only the appropriate traffic sources exist?the Layer 2 domain must be a "trusted" network space. This must be an operational consideration of the entity controlling the Layer 2 network?be it the customer or the SP. Intrusion into the network at this point will give access to much if not all of the entire VPN (depending on VLAN arrangements).

Also, because this is a Layer 2 environment, there are no Layer 3 opportunities for controlling denial of service (DoS) issues beyond the PE edge. If an assault or intrusion reaches the Layer 2 space, it must be dealt with at that level. For example, a broadcast-oriented attack would have an immediate impact on all nodes within the same Layer 2 domain.

The SP must also determine the degree of interaction it wants to perform with respect to L2 operations?spanning tree termination, Cisco Discovery Protocol (CDP) functions, quality of service (QoS), trusted ports, and so on.

LAN Factors for Peering Constructs

A third party in the same VLAN (such as Internet Exchange Point, or IXP) can insert spoofed packets into VPNs, thus introducing a risk scenario for a service provider.

Note that within a VLAN, attacks are easy (these will be further discussed in Chapter 7) via ARP spoofing (hacking tool hunt, arpspoof); CAM overflow (hacking tool macof); DoS against Spanning Tree, and DoS storms (for which a hacking tool exists). An example of a solution includes, for 1 and 2, port security.

Few service providers do this normally, so this attack is not difficult; and to disable Spanning Tree on the router port, hard code Root Bridge is a factor here.

For labeled packets on a VLAN, the data plane attributes are that any label combination can be sent, by any station in the VLAN, and for Carriers Carrier, the top label (LSP) is checked by the PE.


For both CsC and Inter-AS deployments, implement only on private peerings due to vulnerabilities highlighted above. For Inter-AS and CsC (when labeled packets are exchanged), do not use a shared VLAN.

Best recommendation: Dedicated connection

Second best recommendation: Dedicated VLAN