Switches and Security

Before you start

Objectives: Learn about switch security features such as VLANs, MAC address filtering, and port authentication.

Prerequisites: no prerequisites.

Key terms: VLAN, port security, port authentication, switch, security


Switch Functions

Early switches performed a single function, they switch packets between switch ports based on the MAC address. As switches have evolved, switch functions went beyond simple frame switching. The first switch security function is VLAN.

Virtual LAN (VLAN)

With a VLAN we identify logical groupings of computers based on switch port. So, if we have switch with multiple ports, we can assign each port to a specific virtual LAN. We identify the port with a VLAN ID or name. So, for example, if we have a switch with 8 ports, we can associate the first 4 ports (from 1 to 4) to VLAN10, and the last four ports (from 5 to 8) a VLAN20. Keep in mind that devices connected to a switch port associated with a specific VLAN can only communicate with other devices within the same VLAN. So, in our case a device in VLAN10 can only communicate with the devices within that same VLAN (connected to ports from 1 to 4). Devices in VLAN20 can communicate with other devices in VLAN20 (connected to ports from 5 to 8). Keep in mind that devices in one VLAN cannot communicate with devices in a different VLAN. So, in our case, devices in VLAN10 can’t communicate with devices in VLAN20.

Forwarding decisions are made by the switch based on the VLAN ID associated with the port. We can move a device from one VLAN to another by simply changing the association of the port. So, with VLAN we can isolate traffic of one group of computers from another group of computers.  Also, using VLANs, the switch can be used to create multiple IP broadcast domains. Each VLAN is in its own broadcast domain, with broadcast traffic being sent only to members of the same VLAN.

In a larger implementation, we may have several switches on the same subnet within our network. On each switch, we can have multiple VLANs assigned. In fact, we can have the same VLAN assigned on different switches. The basic rule still applies here; traffic only stays within the same VLAN and can only be sent out of ports that are associated with that same VLAN. Keep in mind that a switch can have multiple VLANs configured on it, but each switch port can only be a member of a single VLAN (with the exception of trunk port).

Trunk Port

When interconnecting multiple switches we define a special port on each switch as a trunk port. Trunk port identifies a connection that can be used by multiple VLANs. By default, a trunk port is actually a member of all VLANs defined on the switch. The trunk port is typically the uplink port on the switch but it can be any normal port, that we define as a special trunk port.

For communications from switch to switch over trunk port, the frame needs to be modified so that the receiving switch knows the VLAN ID associated with that frame. For that, switches use a special trunking protocol that identifies the VLAN information for frames that move between switches. In trunking, a special tag is inserted into the frame that identifies the VLAN membership of that frame. When the receiving switch receives that frame, it know is can only forward that frame out of the port that is a member of that same VLAN, or it can forward the frame to another trunking port which is a member of all VLANs. This special function performed by switches on the trunking ports is called frame tagging.

One problem with adding VLAN information to the fram is that end devices do not understand this additional information in the frame. So, the final switch, before forwarding the frame to the end device, removes the additional tagging information in the frame, so that the destination device receives the original frame without the tag information inserted.

VLANs and Router (or layer 3 switch)

When using VLANs, devices can only communicate with other devices that are members of the same VLAN. Devices that are members of different VLANs cannot communicate through the switch. In order to allow devices on different VLANs to communicate, we need to use a router (or layer 3 switch).

One way to enable communication is to connect on port on the router with one port the switch belonging to first VLAN, and another port on the router to another port on the switch belonging to the second VLAN. So, in this case, the router has two ports connected to different VLANs on the switch. This enables communication between end devices on different VLANs. When a device on the first VLAN wants to send data to a device on another LAN, the information sent from the first device goes through the router and is then forwarded to the receiving device.

Another thing we can do is connect the router and the switch with a trunk port. This single port will be a member of both VLANs. This type of configuration is often called a router on a stick. The router has a single interface connected to the switch, but because the router understands the trunking information, frames sent through are received by the router, processed and forwarded out on the same trunking port, to arrive at the destination device.

The benefit of using VLANs is that we can create virtual LANs based on criteria such as a physical location, or some logical criteria. Also, the moving of devices is simplified since we only need to modify the port VLAN assignment. The security is implemented since with VLANs we isolate traffic. However, keep in mind that when using VLANs, we will still need routers to route data in to and out of the local area network or to route data between VLANs, if we need to. Routers can also be used to apply firewall filtering rules to traffic. VLANs are commonly used with Voice over IP (VoIP) to distinguish voice traffic from data traffic. Traffic on the voice VLAN can be given a higher priority to ensure timely delivery.

MAC Address Filtering

Another feature we can use on switches is MAC address filtering, also called port security. With port security, the switch drops frames that are not associated with allowed MAC addresses. Port security uses the MAC address to make decisions about whether frame should be forwarded through the switch. With port security, the switch keeps track of a list of MAC addresses and ports. In this case, when we connect a device to the switch, the switch will identify its MAC address and the port that it’s connected on. With address filtering we can identify a valid combination of a MAC address and a port. So, if the switch sees the accepted MAC address on the specific port, it will allow that device to send frames through the switch. If we were to connect a different computer to that same port, the switch would look in its table to identify the MAC address of the connected device, and realize that this new device is not authorized to use that port. When an unauthorized device is detected on the switch, a port violation occurs. The switch can take several different actions when port violation occurs, depending on how it’s configured. For example, it can simply drop all of the frames. The device may attempt to transmit on the network, but the frames will not be allowed through the switch. Another action is to simply disable the port so that it no longer listens or accepts any traffic on that port. If we were to connect the original (allowed) device to the disabled port, different things can happen depending on the configuration. It may recognize the allowed device, and enable the port, or the port may stay disabled until manually enabled. We can manually configure MAC addresses table to identify specific devices and the ports that are allowed. We can also allow the switch to use learning functions. With learning enabled, when we connected a device to a port, the switch will identify the MAC address and make an entry in its table. With this configuration, the switch may accept only the first device that connects to the port.  When additional devices connect to the same port, those devices will not be allowed. We can also use the same feature to allow multiple computers to connect to the same port. For example, we may choose to allow up to two computers to connect to the same port, and after that, additional computers will not be allowed.

Port Authentication

Another switch security feature is port authentication. While this may sound the same as port security, it is actually quite different. Port authentication uses the 802.1X protocol to allow only authenticated devices or users to use the switch. Port authentication uses authentication methods such as username and password, or smart cards, to identify allowed devices. Port authentication enables or disables communication through a specific port based on the authentication status of the device.

Ports on a switch begin in an unauthorized state. Ports in unauthorized states can only be used for 802.1x authentication traffic. When a device connects to the switch, the switch sends an 802.1X authentication request to the device. For example, this request may prompt for a username and a password. The computer replies with the requested information and that information is forwarded through the switch to a connected device that performs authentication, such as a radius server. The radius server receives the authentication information and identifies whether that device, or that user, is allowed to connect to the network. After the authentication server authenticates the user, that information is passed back to both the user and the switch. The switch receives the information that the user has been authenticated and changes the status of the port to authenticated. Once the port reaches the authenticated state, the device can communicate with the other devices on the network. When the device is turned off or is disconnected, the switch senses that and changes the status of the port back to unauthenticated.