Every time I have been asked what kind of security recommendations are required for the data center access layer, my answer starts the same way: let's first understand what the access layer in a data center is used for.
The data center access layer provides Layer 2 connectivity for server farms. In most cases the primary role of the access layer is to provide port density for scaling the server farm or a network segment; the access layer can be physical or virtual. Security at the access layer is primarily focused on securing Layer 2 flows and communication within the site.
Recommendations for this layer are:
Use VLANs to segment and isolate traffic where it is needed. This is very basic and is used in almost every data center, but it is not always considered a security control. Deploy private VLANs (PVLANs) after confirming that traffic flows will not be affected once they are deployed. It is best to ensure that hosts that need to communicate are placed in the same community while hosts that do not require such connectivity are isolated. The host communication matrix must be provided by the customer, clearly defining the traffic flows.
The following Layer 2 security mechanisms should be enabled at the access layer:
1. Address Resolution Protocol (ARP) inspection / ARP spoofing: the private VLAN edge feature will help mitigate this type of attack.
2. Dynamic Host Configuration Protocol (DHCP) snooping.
3. IP Source Guard.
4. Port security, which can be used to lock down a critical server to a specific port.
5. Blocking user-to-user Layer 2 communication: the private VLAN edge / protected port feature will help mitigate this type of attack.
6. Broadcast/multicast suppression: the storm control feature will help mitigate this type of attack.
7. MAC address hijacking: the protected port and port security features will help mitigate this type of attack.
8. IP source spoofing: the uRPF feature will help mitigate this type of attack.
9. Content-addressable memory (CAM) overflow: this can be mitigated by using port security on customer-facing ports.
10. Dynamic Host Configuration Protocol (DHCP) DoS: this can be mitigated by using port security / DHCP snooping on customer-facing ports.
11. DoS storms: this can be mitigated by using port security / private VLAN edge on customer-facing ports.
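To show how the mechanisms above fit together on one access switch, here is an added configuration example (not from the original post) written in Cisco IOS syntax; the VLAN numbers, interface names and storm-control thresholds are assumed values for illustration, and the uplink is the only port trusted for DHCP and ARP.

```cisco
! --- Assumed server VLANs: 10 and 20 (constructed example, not the post's own config)
! DHCP snooping: only the trusted uplink may source DHCP server messages
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Dynamic ARP Inspection: validate ARP replies against the DHCP snooping binding table
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Server-facing access port
interface GigabitEthernet1/0/1
 description Server port (customer facing)
 switchport mode access
 switchport access vlan 10
 ! PVLAN edge: block host-to-host L2 traffic between protected ports
 switchport protected
 ! Port security: one learned MAC, sticky, restrict (drop + log) on violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! IP Source Guard: forward only IP sources present in the binding table
 ip verify source
 ! Storm control: limit broadcast/multicast to 1% of link bandwidth and alert
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Uplink to the distribution layer: trusted for DHCP and ARP
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- uRPF on the routed SVI (requires CEF): drop packets whose source is not
!     reachable via the receiving interface (strict mode)
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

After applying it, `show ip dhcp snooping binding`, `show ip arp inspection statistics` and `show port-security interface GigabitEthernet1/0/1` confirm the bindings are being learned and that violations are being counted rather than silently ignored.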