Securing your L2 network with an ERS-4548GT

By Matthew Turi

The ERS-4548GT is an Ethernet Routing Switch developed by Nortel (now owned by Avaya after Nortel Networks was bought in 2009). The ERS 4000 series of switches reached end-of-life in 12/2015. While becoming less and less common in enterprise deployments, increasing numbers of these devices are making their way onto the secondhand market; on sites such as eBay, ERS-4548GT units can be had for anywhere from $50 to $150 on average. This switch made its way into my homelab because it was an affordable 48-port gigabit 802.3af-enabled device that I needed to support my PoE Cisco Aironet AP deployments. It, along with most of the other elements of my homelab, eventually ended up getting transitioned out of just lab use and into supporting day-to-day networking for myself and my roommates. In that process, I ended up configuring several options to better secure my L2 network, including settings like DHCP snooping, ARP inspection, IP Source Guard, etc. Considering that these switches have nowhere near the popularity of Cisco or any other big manufacturer nowadays, getting the documentation I needed for performing various tasks was a challenge every now and again. In this post, I am going to cover some of the basic management functions of this switch, as well as how to configure some of the security tools that I mentioned earlier.

CLI/Web interface management

The ERS-4548, like any sensible managed switch, supports the usual switching features like VLANs, trunking, L3 routing, etc. These settings can be configured either via the CLI console or through the objectively better method, the web interface (it is actually usable!). Unfortunately, I have only been able to get the web console to load properly in Internet Explorer (thank you Avaya, very cool).

EDM Web Console dashboard

From the dashboard, you can search for the specific settings you are looking for, as well as visualize the port statuses. Right-clicking on one of the ports and clicking Edit will take you to the port configuration menu. For using the CLI, documentation for specific commands can be found here.

Port configuration

Almost all of the management options for individual ports can be controlled here from VLANs to PoE and L3 options.

VLAN settings

I have my ERS-4548 configured to use 4 main VLANs. One for management (VLAN 10), one for end user devices like phones, laptops, and desktops (TTYLAN, VLAN 100), one for legacy devices that have wacky network requirements (i.e. that stupid printer, VLAN 110), and a guest network (VLAN 115). My guest VLAN is configured with firewall rules that drop any traffic destined for my other VLANs, so it should only be able to reach the internet and not the rest of my network.

DHCP Snooping

DHCP snooping protects the network by restricting which ports are allowed to send DHCP server responses (a whitelist of "trusted" ports). This prevents a rogue DHCP server plugged in somewhere else on the network from handing out IPs and configuration info to clients. Once enabled, the switch updates its DHCP binding table with the MAC, IP, and other lease info whenever a DHCP packet passes through it. ARP inspection and IP Source Guard both rely on this binding table to do their jobs, which is why DHCP snooping has to be turned on first. It can be enabled using the following configuration steps:

CLI

> enable
> conf t
> ip dhcp-snooping vlan 1
> ip dhcp-snooping vlan 10
> ip dhcp-snooping vlan 100
> ip dhcp-snooping vlan 110
> ip dhcp-snooping vlan 115
> ip dhcp-snooping enable

> interface Ethernet 1/3
> ip dhcp-snooping trusted
> exit

Web

Step 1: Set DHCP snooping to ‘Enabled’

Step 2: Set the VLANs that you want to enforce DHCP snooping on to ‘true’

Step 3: Set ports that you want to be able to respond to DHCP requests to ‘trusted’

ARP Inspection

Prerequisite: DHCP snooping must already be enabled.

(Dynamic) ARP inspection validates the authenticity of ARP packets on the network. For it to function correctly, DHCP snooping needs to be enabled so that it can reference the DHCP binding table. Whenever an ARP packet arrives on an untrusted port, the switch checks whether the sender's MAC/IP pair matches a binding already learned in the DHCP binding table, and drops the packet if it does not. This stops a malicious host from carrying out an ARP poisoning attack, since the forged ARP replies it would need to send never match a legitimate lease. It can be enabled using the following configuration steps:

CLI

> enable
> conf t
> ip arp-inspection vlan 1
> ip arp-inspection vlan 10
> ip arp-inspection vlan 100
> ip arp-inspection vlan 110
> ip arp-inspection vlan 115
> ip arp-inspection enable

> interface Ethernet 1/3
> ip arp-inspection [trusted/untrusted]
> exit

Web

Step 1: Enable ARP inspection on the VLANs you want to protect. Change the dropdown to ‘true’ and click apply.

Step 2: Set trusted ports by changing their dropdown to be ‘trusted’. Click apply.

IP Source Guard

Prerequisite: DHCP snooping must already be enabled.

IP Source Guard (IPSG) filters all IP packets on the ports it is enabled on. A packet is only forwarded if its source IP/MAC pair matches an entry in the DHCP binding table; everything else is dropped. On an enabled port, a maximum of 10 unique IPs will be allowed through the filter before the switch starts dropping traffic from any further IPs. This is mainly useful on edge ports, where you do not expect more than a couple of source IPs to originate. In practice, IPSG prevents a host from spoofing the IP of a legitimate host. It can be enabled using the following configuration steps:

CLI

> enable
> conf t
> interface Ethernet 1/19
> ip verify source
> exit

Web

Step 1: Set ports that you want to enable IPSG on to ‘ip’ mode
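To make the interplay between the three features concrete, here is a small Python model of the logic described in the DHCP snooping, ARP inspection and IP Source Guard sections above. It is an added illustration written for this post, not ERS firmware or any Avaya code, and it simplifies the real switch: DHCP snooping fills a binding table from DISCOVER/ACK pairs, then Dynamic ARP Inspection and IPSG consult that table. The port names echo the CLI above (1/3 as the trusted uplink, 1/19 as an IPSG edge port), while the VLAN, MAC addresses and IPs are constructed for the demo.

```python
"""Toy model of the three mechanisms in this post working together:
DHCP snooping builds the binding table, and Dynamic ARP Inspection and
IP Source Guard consult it. Added illustration only; not ERS firmware,
and every port, VLAN, MAC and IP below is constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IPSG_MAX_IPS = 10  # per-port limit the post describes for IP Source Guard


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str  # the port the *client* was learned on


@dataclass
class Switch:
    snooping_vlans: Set[int] = field(default_factory=set)
    dhcp_trusted: Set[str] = field(default_factory=set)  # may answer DHCP
    arp_trusted: Set[str] = field(default_factory=set)   # exempt from DAI
    ipsg_ports: Set[str] = field(default_factory=set)    # 'ip verify source'
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def dhcp_discover(self, port: str, vlan: int, client_mac: str) -> None:
        """Client half of the exchange: remember which port asked."""
        self.pending[(vlan, client_mac)] = port

    def dhcp_ack(self, port: str, vlan: int, client_mac: str, ip: str) -> bool:
        """Server half: on a snooped VLAN only trusted ports may answer."""
        if vlan in self.snooping_vlans and port not in self.dhcp_trusted:
            self.log.append(f"DROP DHCP ACK from untrusted {port} (rogue server)")
            return False
        client_port = self.pending.pop((vlan, client_mac), None)
        if client_port is None:
            self.log.append(f"DROP DHCP ACK for {client_mac}: no matching DISCOVER")
            return False
        self.bindings[(vlan, client_mac)] = Binding(client_mac, ip, vlan, client_port)
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: untrusted ports need a matching binding."""
        if vlan not in self.snooping_vlans or port in self.arp_trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: no binding")
            return False
        return True

    def ip_packet(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard: source must match a binding learned on this same
        port, and only the first IPSG_MAX_IPS bindings per port are honoured."""
        if port not in self.ipsg_ports:
            return True
        allowed = [b for b in self.bindings.values() if b.port == port][:IPSG_MAX_IPS]
        if not any(b.vlan == vlan and b.mac == src_mac and b.ip == src_ip for b in allowed):
            self.log.append(f"DROP IP {src_ip}/{src_mac} on {port}: not in source guard table")
            return False
        return True


def demo() -> Switch:
    """Constructed scenario mirroring the post: uplink 1/3 trusted, host on 1/19."""
    sw = Switch(snooping_vlans={100}, dhcp_trusted={"1/3"},
                arp_trusted={"1/3"}, ipsg_ports={"1/19"})
    # Legitimate lease: client on 1/19, real DHCP server behind trusted 1/3.
    sw.dhcp_discover("1/19", 100, "aa:aa:aa:aa:aa:01")
    sw.dhcp_ack("1/3", 100, "aa:aa:aa:aa:aa:01", "10.0.100.50")
    # A DHCP server answering from untrusted access port 1/21 is ignored.
    sw.dhcp_discover("1/20", 100, "aa:aa:aa:aa:aa:02")
    sw.dhcp_ack("1/21", 100, "aa:aa:aa:aa:aa:02", "10.0.100.99")
    # DAI: the leased host passes; a host on 1/20 announcing an IP it was
    # never leased (here the gateway's) is dropped.
    sw.arp("1/19", 100, "aa:aa:aa:aa:aa:01", "10.0.100.50")
    sw.arp("1/20", 100, "aa:aa:aa:aa:aa:02", "10.0.100.1")
    # IPSG on 1/19: the leased source passes, any other source IP is dropped.
    sw.ip_packet("1/19", 100, "aa:aa:aa:aa:aa:01", "10.0.100.50")
    sw.ip_packet("1/19", 100, "aa:aa:aa:aa:aa:01", "10.0.100.7")
    return sw


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Running it prints the three drop decisions the post's features exist to make: the rogue DHCP answer on an untrusted port, the ARP reply that matches no lease, and the IP packet whose source was never leased on that port. The real switch keys its checks on the same three things (VLAN, client MAC, and the port the lease was learned on), which is why the order of enabling matters: with an empty binding table, DAI and IPSG on untrusted ports would drop legitimate hosts too.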
