Layer 1 and 2 checklist


Introduction

In this doc, we go over the layer 1 and layer 2 network assessment checklist so that your network is up to standard.

Layer 1 and 2 network assessment checklist video






Layer 1 

Network redundancy: 
We highly recommend a minimum of 2 uplinks to 2 different physical switches to improve performance and redundancy.

Network Topology: 
We recommend having three switch levels: Core, Distribution, and Access.

Bandwidth Link Utilization: 
Verify there are no over-utilised links.
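One way to turn the "no over-utilised links" check into something repeatable is to compare two polls of each interface's octet counters, as a monitoring system does with SNMP's ifHCInOctets/ifHCOutOctets. The script below is an added example and is not part of the original checklist; the link names, speeds and counter values are constructed, and the 70% threshold is an assumption you would set to your own standard. It also handles the one edge case that trips people up here: the legacy 32-bit ifInOctets counter wraps in under a minute on a busy gigabit link, so a naive `new - old` can go negative.

```python
# Added example (not from the original checklist): flag over-utilised links
# from two samples of interface octet counters, the way a monitoring poller
# would read ifHCInOctets/ifHCOutOctets over SNMP. All samples below are
# constructed; link names, speeds and the threshold are assumptions.

def counter_delta(old, new, bits=64):
    """Octets moved between two counter samples, tolerating one wrap-around.
    ifHCInOctets is 64-bit; the legacy ifInOctets counter is 32-bit and wraps
    in under a minute on a busy gigabit link, so the counter width matters."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new

def utilisation_pct(old_octets, new_octets, interval_s, speed_bps, bits=64):
    """Share of link capacity used in one direction over the polling interval."""
    bits_moved = counter_delta(old_octets, new_octets, bits) * 8
    return 100.0 * bits_moved / (interval_s * speed_bps)

def over_utilised_links(samples, threshold_pct=70.0):
    """Return (link, direction, utilisation %) for every direction above the threshold."""
    hits = []
    for s in samples:
        for direction in ("in", "out"):
            pct = utilisation_pct(s[f"{direction}_old"], s[f"{direction}_new"],
                                  s["interval_s"], s["speed_bps"], s["bits"])
            if pct > threshold_pct:
                hits.append((s["link"], direction, round(pct, 1)))
    return hits

# Constructed samples: two 5-minute (300 s) polls per link.
SAMPLES = [
    # 1 Gbit/s uplink that moved 30 GB inbound in 5 minutes: 80% utilised.
    {"link": "Gi1/0/49", "speed_bps": 1_000_000_000, "interval_s": 300, "bits": 64,
     "in_old": 1_000, "in_new": 30_000_001_000,
     "out_old": 5_000, "out_new": 3_750_005_000},          # 10% outbound
    # 10 Gbit/s core link, lightly loaded (about 10.7% in, 5.3% out).
    {"link": "Te1/1/1", "speed_bps": 10_000_000_000, "interval_s": 300, "bits": 64,
     "in_old": 0, "in_new": 40_000_000_000,
     "out_old": 0, "out_new": 20_000_000_000},
    # 100 Mbit/s access port polled via the 32-bit counter, which wrapped
    # between the two polls; the delta is still a small, correct value.
    {"link": "Fa0/12", "speed_bps": 100_000_000, "interval_s": 300, "bits": 32,
     "in_old": 4_294_000_000, "in_new": 100_000,
     "out_old": 10, "out_new": 10},
]

if __name__ == "__main__":
    for link, direction, pct in over_utilised_links(SAMPLES):
        print(f"{link} {direction}: {pct}% - over-utilised")
```

Run against real data, the two samples come from successive polls of the same interface; feeding in the 64-bit high-capacity counters where the platform supports them avoids the wrap handling altogether.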


Layer 2 

Spanning Tree Protocol: 
Spanning Tree Protocol is an Ethernet network protocol that helps ensure a loop-free logical topology across a switched campus network. Verify that every switch runs the same STP variant, because mixing STP variants increases processing time and might cause issues.

Port-channel: 
Check that none of the port channels are in mode on, as this can cause loops on the network if cables are misplaced.
Configuring the port channels with LACP or PAgP requires the switch to negotiate the port-channel protocol before forwarding traffic, so if a cable is placed on the wrong interface, the port channel won't come up.

Enable BPDU Guard and STP port fast: 
The BPDU guard feature should be active on ports that should not receive BPDUs from connected devices, such as client access ports.
If PortFast is configured for client ports, BPDU Guard is a valuable enhancement to prevent BPDUs from creating a bridging loop. The BPDU Guard blocks interfaces as a preventative measure.

Enable Storm Control: 
Storm Control enables network switches to monitor broadcast, multicast, and unknown unicast traffic levels.
When a specified traffic threshold is reached, this feature can drop or shut down the port, thus preventing broadcast packets from proliferating and degrading the LAN.

Enable Root Guard: 
Root Guard provides a way to designate and enforce a specific switching device as the Spanning Tree (STP) root bridge.

V-Switch configuration: 
Verify virtual switches are configured for fault tolerance and redundancy.

VLAN Naming Convention: 
Proper naming of VLANs improves the supportability of the network and ensures adequate reporting from monitoring services. VLAN names specify VLAN usage or purpose in the network.

Verify the layer 2 redundancy: 
Check that the layer 2 redundancy is correct and, where possible, perform failover testing. Check STP, virtual switches and more.

Enable MAC security: 
MAC security limits the number of MAC addresses learned on access ports, which helps prevent a MAC-address storm that would overwhelm the network switches' CAM tables and cause them to flood all traffic out of all interfaces.

Enable DHCP Snooping: 
DHCP Snooping drops DHCP traffic determined to be unacceptable. DHCP Snooping prevents unauthorised rogue devices from offering IP addresses to DHCP clients by classifying interfaces on a switch into two categories, trusted and untrusted.

Enable Dynamic ARP inspection: 
Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks. The switch drops an ARP packet if the sender's MAC and IP do not match the DHCP snooping bindings database.
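The DHCP Snooping and Dynamic ARP Inspection items above depend on the same mechanism: server replies are only accepted on trusted ports, the ACKs seen on those ports populate a binding table, and DAI then checks every ARP packet on an untrusted port against that table. The model below is an added example, not part of the original checklist or any vendor's code, and simplifies the real feature (bindings are keyed on MAC only, with no per-VLAN scoping, lease expiry or static entries). Port names, MAC addresses and IP addresses are constructed.

```python
# Added example (not from the original checklist): a small model of how DHCP
# snooping builds the binding table and how Dynamic ARP Inspection (DAI)
# validates ARP packets against it. Ports, MACs and addresses are constructed.

class L2Guard:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks and the real DHCP server port
        self.bindings = {}                  # client MAC -> (IP, port), learned from DHCP ACKs
        self.log = []

    def _verdict(self, action, why):
        self.log.append(f"{action}: {why}")
        return action

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: server replies (OFFER/ACK) are only accepted from trusted ports."""
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return self._verdict("DROP", f"DHCP {msg} on untrusted port {port} (rogue server)")
        if msg == "ACK":
            self.bindings[client_mac] = (ip, port)   # lease confirmed: record the binding
            return self._verdict("FORWARD", f"bound {client_mac} -> {ip} on {port}")
        return self._verdict("FORWARD", f"DHCP {msg} from {client_mac} on {port}")

    def arp(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a snooping binding."""
        if port in self.trusted:
            return self._verdict("FORWARD", f"ARP on trusted port {port} is not inspected")
        bound = self.bindings.get(sender_mac)
        if bound and bound[0] == sender_ip:
            return self._verdict("FORWARD", f"ARP {sender_ip} is {sender_mac}, matches binding")
        return self._verdict("DROP", f"ARP claims {sender_ip} is {sender_mac}, no matching binding on {port}")

def run_scenario():
    """Constructed exchange on one switch; returns (verdicts, log)."""
    sw = L2Guard(trusted_ports={"Gi1/0/24"})        # the real DHCP server sits behind Gi1/0/24
    client, host_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05"
    verdicts = [
        sw.dhcp("Gi1/0/1", "DISCOVER", client),                   # FORWARD
        sw.dhcp("Gi1/0/24", "OFFER", client, "10.0.10.11"),       # FORWARD: trusted port
        sw.dhcp("Gi1/0/1", "REQUEST", client, "10.0.10.11"),      # FORWARD
        sw.dhcp("Gi1/0/24", "ACK", client, "10.0.10.11"),         # FORWARD: binding learned
        sw.dhcp("Gi1/0/5", "OFFER", client, "10.0.10.99"),        # DROP: server reply on an untrusted port
        sw.arp("Gi1/0/1", client, "10.0.10.11"),                  # FORWARD: matches the binding
        sw.arp("Gi1/0/5", host_b, "10.0.10.1"),                   # DROP: no binding ties host_b to the gateway IP
        sw.arp("Gi1/0/24", "aa:bb:cc:00:00:fe", "10.0.10.1"),     # FORWARD: trusted port, not inspected
    ]
    return verdicts, sw.log

if __name__ == "__main__":
    for entry in run_scenario()[1]:
        print(entry)
```

The last two ARP cases are the ones to keep in mind when assessing a network: an ARP packet with no matching binding is dropped on an untrusted port, while anything arriving on a trusted port is passed through unchecked, so the trusted list should contain only uplinks and the ports where legitimate DHCP servers actually sit.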

Disable proxy ARP: 
Proxy ARP increases the amount of ARP traffic in your segment, hosts need larger ARP tables to hold the IP-to-MAC address mappings, and it is process intensive.

Disable Dynamic Trunking Protocol (DTP): 
DTP facilitates the automatic creation of trunks between two switches, which is a security vulnerability as it allows VLAN hopping.

Prune unused VLANs: 
Prune unused VLANs from trunks to avoid broadcast propagation over your uplinks and downlinks. With VTP v2 or v3 this is done automatically, but manual pruning is preferred.

Unidirectional Link Detection (UDLD): 
Enable UDLD to detect unidirectional links before they create a forwarding loop.
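Most of the layer 2 items above (port-channel mode, BPDU Guard on PortFast ports, storm control, MAC security, DHCP snooping, DAI, proxy ARP, DTP, VLAN naming and UDLD) can be checked by reading the running-config rather than clicking through each switch. The audit below is an added example and not part of the original checklist; it assumes Cisco IOS-style syntax for those features, and the configuration it reads is a constructed sample, not from a real device. Each finding names the interface or VLAN so it can go straight into an assessment report.

```python
# Added example (not from the original checklist): audit an IOS-style
# running-config for the layer 2 checklist items. SAMPLE_CONFIG is a
# constructed sample, and the checks assume Cisco-style commands
# (switchport port-security, spanning-tree bpduguard enable, storm-control,
# switchport nonegotiate, channel-group N mode, udld, ip dhcp snooping,
# ip arp inspection vlan, no ip proxy-arp).
import re

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
vlan 10
 name USERS-FLOOR1
vlan 20
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security maximum 2
 switchport port-security
 storm-control broadcast level 1.00
 switchport nonegotiate
interface GigabitEthernet1/0/47
 channel-group 1 mode on
interface GigabitEthernet1/0/48
 channel-group 2 mode active
"""

def parse_config(text):
    """Split a running-config into global lines and per-stanza (interface/vlan) lines."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # skip blank and comment lines
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())      # indented line inside a stanza
        elif raw.startswith(("interface ", "vlan ")):
            current = raw.strip()                      # new stanza header
            stanzas.setdefault(current, [])
        else:
            current = None
            global_lines.append(raw.strip())          # global configuration line
    return global_lines, stanzas

def has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, stanzas = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping not enabled")
    if not has(global_lines, "ip arp inspection vlan"):
        findings.append("global: Dynamic ARP Inspection not enabled on any VLAN")
    if not any(re.match(r"udld (enable|aggressive)$", line) for line in global_lines):
        findings.append("global: UDLD not enabled")
    for header, lines in stanzas.items():
        kind, name = header.split(" ", 1)
        if kind == "vlan":
            if not has(lines, "name "):
                findings.append(f"vlan {name}: no descriptive name")
            continue
        if any(re.match(r"channel-group \d+ mode on$", line) for line in lines):
            findings.append(f"{name}: port-channel mode on (no LACP/PAgP negotiation)")
        if has(lines, "ip address") and not has(lines, "no ip proxy-arp"):
            findings.append(f"{name}: proxy ARP left enabled on routed interface")
        if has(lines, "switchport mode access"):       # client access port checks
            if has(lines, "spanning-tree portfast") and not has(lines, "spanning-tree bpduguard enable"):
                findings.append(f"{name}: PortFast without BPDU Guard")
            if not has(lines, "storm-control"):
                findings.append(f"{name}: no storm control")
            if not has(lines, "switchport port-security"):
                findings.append(f"{name}: no port security (MAC limit)")
            if not has(lines, "switchport nonegotiate"):
                findings.append(f"{name}: DTP negotiation not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
```

On the sample, GigabitEthernet1/0/2 is the hardened reference port and produces no findings; GigabitEthernet1/0/1 shows what a typical half-configured access port looks like, and GigabitEthernet1/0/47 is the mode on port-channel member the checklist warns about. The audit only sees what is in the configuration text, so features that are on by default (such as proxy ARP on routed interfaces) are checked by the absence of the line that turns them off.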

QoS: 

  • Verify that QoS is configured from end to end across the WLAN, LAN and WAN.

  • Quality of Service allows certain types of latency-sensitive traffic, such as Voice, Video and Collaboration traffic, to be forwarded as priority traffic on a network.

LAN 802.1X: 
802.1X checks a user's credentials to see if they are an active member of the organization and, depending on the network policies, grants users varying levels of access to the network.




Thank you for reading. I hope this has been helpful. If you need any help, don't hesitate to reach out.  We are more than happy to assist.
