Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server

The Layer 2 (L2) traceroute utility identifies the L2 path that a packet takes from a source device to a destination device. Cisco IOS Software and Cisco IOS XE Software for Cisco Catalyst switches have inherited the L2 traceroute feature from Cisco CatOS Software. As such, this feature has been supported since Cisco IOS and IOS XE Software were first released. Cisco has confirmed that the L2 traceroute feature is not supported in Cisco IOS XR Software or Cisco NX-OS Software.

The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE Software for Cisco Catalyst switches. Enabling the feature starts the L2 traceroute server, which is reachable through IPv4, listening on UDP port 2228. The following example shows the output of the show ip sockets command on a device that has the L2 traceroute feature enabled:

Switch#show ip sockets
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17     0.0.0.0             0 10.10.10.1       2228   0   0   211   0 

By design, the L2 traceroute server does not require authentication, and it allows certain information about an affected device to be read, including the following:

  • Hostname
  • Hardware model
  • Configured interfaces
  • Configured IP addresses
  • VLAN database
  • MAC address table
  • Layer 2 filtering table
  • Cisco Discovery Protocol (CDP) neighbor information

Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network.

Customers are advised to secure the L2 traceroute server as described in the Recommendations section of this advisory.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute

Security Impact Rating: Informational

Related:

Leave a Reply