8/10/2019 en_SWITCH_v6_Ch06.pdf
Chapter 6: Securing the Campus Infrastructure
2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public. SWITCH v6 Chapter 6
Chapter 6 Objectives
Identify attacks and threats to switches and methods to mitigate attacks.
Configure switches to guard against MAC-based attacks.
Configure tight control of trunk links to mitigate VLAN hopping attacks.
Configure switches to guard against DHCP, MAC, and Address Resolution Protocol (ARP) threats.
Secure Layer 2 devices and protocols.
Develop and implement organizational security policies.
Describe tools used to monitor and analyze network traffic.
Switch Security Fundamentals
Security Infrastructure Services
Core: switches packets quickly.
Distribution: packet filtering.
Access: security at the port level.
Server farm: provides application services; includes the network management system.
Unauthorized Access by Rogue Devices
Examples from the slide figure: rogue access points and rogue servers attached to the campus network.
Layer 2 Attack Categories (1)
Attack Method / Description / Steps to Mitigation

MAC Layer Attacks

MAC address flooding
Description: Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Mitigation: Port security. MAC address VLAN access maps.

VLAN Attacks

VLAN hopping
Description: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
Mitigation: Tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN.

Attacks between devices on a common VLAN
Description: Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
Mitigation: Implement private VLANs (PVLAN).
Layer 2 Attack Categories (2)
Attack Method / Description / Steps to Mitigation

Spoofing Attacks

DHCP starvation and DHCP spoofing
Description: An attacking device can exhaust the address space available to the DHCP servers for a period of time, or establish itself as a DHCP server in man-in-the-middle attacks.
Mitigation: Use DHCP snooping.

Spanning-tree compromises
Description: Attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames.
Mitigation: Proactively configure the primary and backup root devices. Enable root guard.

MAC spoofing
Description: Attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
Mitigation: Use DHCP snooping, port security.

Address Resolution Protocol (ARP) spoofing
Description: Attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.
Mitigation: Use Dynamic ARP Inspection (DAI), DHCP snooping, port security.
Layer 2 Attack Categories (3)
Attack Method / Description / Steps to Mitigation

Switch Device Attacks

Cisco Discovery Protocol (CDP) manipulation
Description: Information sent through CDP is transmitted in clear text and unauthenticated, allowing it to be captured and to divulge network topology information.
Mitigation: Disable CDP on all ports where it is not intentionally used.

Secure Shell Protocol (SSH) and Telnet attacks
Description: Telnet packets can be read in clear text. SSH is an option but has security issues in version 1.
Mitigation: Use SSH version 2. If Telnet must remain, restrict it with vty ACLs.

Understanding and Protecting against MAC Layer Attacks
Understanding MAC Layer Attacks
Step 1. The switch forwards traffic based on valid MAC address table entries.
Step 2. Attacker (MAC address C) sends out multiple packets with various source MAC addresses.
Understanding MAC Layer Attacks
Step 3. Over a short time period, the CAM table in the switch fills up until it cannot accept new entries. As long as the attack is running, the MAC address table on the switch remains full.
Step 4. The switch begins to flood all packets that it receives out of every port, so frames between valid hosts are also flooded out of Port 3 on the switch, where the attacker is connected.
Protecting against MAC Layer Attacks
To prevent MAC address flooding, port security can be used. Configure port security to define the number of MAC addresses allowed on a given port.
Port security can also specify what MAC address is allowed on a given port.
Port Security
Feature of Cisco Catalyst switches.
Restricts a switch port to a specific set or number of MAC addresses, which can be learned dynamically or configured statically.
Sticky learning combines dynamically learned and statically configured addresses. Dynamically learned addresses are converted to sticky secure addresses, as if they were configured using the switchport port-security mac-address sticky interface command. Sticky addresses are written to the running configuration; save the configuration if they are to survive a reload.
Port Security Scenario 1 (Slide 1)
Imagine five individuals whose laptops are allowed to connect to a specific switch port when they visit an area of the building. You want to restrict switch port access to the MAC addresses of those five laptops and allow no addresses to be learned dynamically on that port.
Port Security Scenario 1 (Slide 2)
Step / Action / Notes

1. Configure port security. Configure port security to allow only five connections on that port, and configure an entry for each of the five allowed MAC addresses. This configuration, in effect, populates the MAC address table with five entries for that port and allows no additional entries to be learned dynamically.

2. Allowed frames are processed. When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the frame source MAC address matches an entry in the table for that port, the frames are forwarded to the switch to be processed like any other frames on the switch.

3. New addresses are not allowed to create new MAC address table entries. When frames with a non-allowed MAC address arrive on the port, the switch determines that the address is not in the current MAC address table and does not create a dynamic entry for that new MAC address, because the number of allowed addresses has been limited.

4. Switch takes action in response to non-allowed frames. The switch disallows access to the port and takes one of these configuration-dependent actions: (a) the entire switch port can be shut down (err-disabled); (b) access can be denied for that MAC address only and a log error can be generated; (c) access can be denied for that MAC address but without generating a log message.
Port Security Scenario 2 (Slide 1)
An attacker enables a hacking tool on the attacker's rogue device that sends frames with thousands of bogus source MAC addresses, causing the MAC address table to fill up. When the MAC address table is full, the switch behaves like a hub and floods all unicast frames.
Port Security Scenario 2 (Slide 2)
Port security limits MAC flooding attacks and locks down the port. Port security also generates a syslog message and an SNMP trap for a violation (in the restrict and shutdown modes; protect mode drops offending frames silently).
Port security allows frames from already secured MAC addresses below the maximum number of MAC addresses enabled on that port, and any frame with a new MAC address over the limit is dropped.
Configuring Port Security
Step 1. Enable port security (the port must already be a static access or trunk port, not a DTP dynamic port):
Switch(config-if)# switchport port-security
Step 2. Set the maximum number of MAC addresses that will be allowed on this port. The default is one:
Switch(config-if)# switchport port-security maximum value
Step 3. Specify which MAC addresses will be allowed on this port (optional; addresses not configured are learned dynamically up to the maximum):
Switch(config-if)# switchport port-security mac-address mac-address
Step 4. Define what action the interface will take if a non-allowed MAC address attempts access. The default is shutdown, which err-disables the port until it is reset:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Port Security Example
4503(config)# interface FastEthernet 3/47
4503(config-if)# switchport
4503(config-if)# switchport mode access
4503(config-if)# switchport port-security
4503(config-if)# switchport port-security mac-address 0000.0000.0008
4503(config-if)# switchport port-security maximum 1
4503(config-if)# switchport port-security aging time 2
4503(config-if)# switchport port-security aging static
4503(config-if)# switchport port-security violation restrict
4503(config)# interface FastEthernet 2/2
4503(config-if)# switchport
4503(config-if)# switchport mode access
4503(config-if)# switchport port-security
4503(config-if)# switchport port-security mac-address 0000.0000.1118
4503(config-if)# switchport port-security maximum 1
4503(config-if)# switchport port-security aging time 2
4503(config-if)# switchport port-security aging static
4503(config-if)# switchport port-security violation shutdown
Each port admits exactly one secure address. A violation on Fa3/47 drops the frame and is logged (restrict); a violation on Fa2/2 err-disables the port (shutdown). The aging commands allow the statically configured secure address to age out after the configured time.
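The effect of the three violation modes, and of having no port security at all, is easiest to see on a small model. The following is an added example written for this chapter, not Cisco code: it models a one-VLAN switch with a 64-entry CAM table and no aging timer, an attacker on port 3 flooding bogus source MACs, and hosts A and B on ports 1 and 2 (all MAC addresses and the table size are assumed). Without port security the flood fills the table before A and B are learned, so B's reply to A is flooded out port 3 to the attacker; with port security at maximum 1 the attacker's first MAC becomes the secure address, every further frame is a violation, and A and B are learned normally.

```python
"""Switch MAC address (CAM) table under a MAC-flooding attack, with and without
port security.  Added example for this chapter, not Cisco code: the switch is a
deliberate simplification (one VLAN, no aging timer, a 64-entry CAM table) so
the effect of each 'switchport port-security violation' mode is visible."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # assumed hosts on ports 1 and 2


@dataclass
class PortSecurity:
    """Per-port state set by the 'switchport port-security ...' commands."""
    maximum: int = 1                                # ... maximum <value> (default 1)
    violation: str = "shutdown"                     # ... violation {shutdown|restrict|protect}
    static: Set[str] = field(default_factory=set)   # ... mac-address <mac>
    learned: Set[str] = field(default_factory=set)  # secure dynamic (or sticky) addresses
    violations: int = 0                             # SecurityViolation count
    errdisabled: bool = False

    def admit(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC may enter the port."""
        if self.errdisabled:
            return False
        secure = self.static | self.learned
        if src_mac in secure:
            return True
        if len(secure) < self.maximum:
            self.learned.add(src_mac)               # room left: becomes a secure address
            return True
        if self.violation == "shutdown":            # port goes err-disabled, syslog + trap
            self.errdisabled = True
            self.violations += 1
        elif self.violation == "restrict":          # frame dropped, counted, syslog + trap
            self.violations += 1
        # "protect": frame dropped silently, nothing counted or logged
        return False


@dataclass
class Switch:
    ports: List[int]
    cam_size: int
    cam: Dict[str, int] = field(default_factory=dict)                # MAC -> port
    security: Dict[int, PortSecurity] = field(default_factory=dict)  # port -> config

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Switch one frame; return its egress ports ([] means dropped)."""
        ps = self.security.get(in_port)
        if ps is not None and not ps.admit(src):
            return []
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port                 # a full CAM table learns nothing new
        out = self.cam.get(dst)
        if out is None or dst == BROADCAST:         # unknown unicast / broadcast: flood
            return [p for p in self.ports if p != in_port]
        return [out]


def mac_flood(switch: Switch, port: int, frames: int) -> None:
    """Attacker on `port` sends frames with unique bogus source MACs."""
    for i in range(frames):
        bogus = "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)
        switch.receive(port, bogus, "02:00:00:ff:ff:ff")


def run(security: Optional[PortSecurity]) -> dict:
    """Attacker on port 3 floods 500 MACs, then hosts A and B exchange frames."""
    sw = Switch(ports=[1, 2, 3], cam_size=64)
    if security is not None:
        sw.security[3] = security
    mac_flood(sw, 3, 500)
    sw.receive(1, MAC_A, MAC_B)                     # A sends to B
    reply = sw.receive(2, MAC_B, MAC_A)             # B answers A
    return {"cam_entries": len(sw.cam),
            "a_learned": MAC_A in sw.cam,
            "b_to_a_egress": reply,                 # port 3 in the list: attacker sees it
            "violations": security.violations if security else 0,
            "errdisabled": security.errdisabled if security else False}


if __name__ == "__main__":
    for label, cfg in [("none", None),
                       ("restrict", PortSecurity(maximum=1, violation="restrict")),
                       ("shutdown", PortSecurity(maximum=1, violation="shutdown")),
                       ("protect", PortSecurity(maximum=1, violation="protect"))]:
        print(f"{label:9s} {run(cfg)}")
```

Running it shows the difference between the modes that the show port-security counters reflect: restrict counts 499 violations and keeps the port up, shutdown counts one and err-disables the port, and protect counts nothing at all, which is why protect mode gives no operational signal that an attack is happening.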
Verifying Port Security (1)
The show port-security command can be used to verify the ports on which port security has been enabled. It also displays the address counts, the violation count, and the security action configured per interface.

switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
Verifying Port Security (2)
switch# show port-security interface fastethernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 60 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d513.2ad2:5
Security Violation Count   : 0

switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports        Remaining Age
                                                             (mins)
----    -----------       ----                -----        -------------
   2    001b.d513.2ad2    SecureDynamic       Fa0/1        60 (I)
-------------------------------------------------------------------------------
Max Addresses limit in System (excluding one mac per port) : 6144
Configuring Port Security with Sticky MAC
switch# show running-config interface fastethernet 0/1
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d513.2ad2

switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports        Remaining Age
                                                             (mins)
----    -----------       ----                -----        -------------
   2    001b.d513.2ad2    SecureSticky        Fa0/1        -
-------------------------------------------------------------------------------
The address learned on Fa0/1 has been converted to a sticky secure address and written into the running configuration; it persists across a reload only if the configuration is saved.
Blocking Unicast Flooding
Cisco Catalyst switches can restrict flooding of unknown multicast MAC-addressed traffic on a per-port basis, in addition to flooding of unknown unicast destination MAC addresses.

4503# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
4503(config)# interface FastEthernet 3/22
4503(config-if)# switchport block unicast

Use this only on ports where the attached host is known to transmit regularly: a silent host behind a port that blocks unknown unicast will not receive traffic until the switch has learned its MAC address.
Understanding and Protecting against VLAN Attacks
VLAN Hopping (figure): Switch Spoofing
VLAN Hopping Switch Spoofing (1)
An attacker can send a malicious DTP frame. Upon receipt of the frame, the switch would form a trunk port, which would then give the attacker access to all the VLANs on the trunk. The attacker port becomes a trunk port, and the attacker can attack a victim in any VLAN carried on the trunk.
This works only when the port is left in a DTP negotiating mode (dynamic auto or dynamic desirable).
VLAN Hopping Switch Spoofing (2)
In another variation of switch spoofing, the attacker connects an unauthorized Cisco switch to the switch port. The unauthorized switch can send DTP frames and form a trunk. The attacker has access to all the VLANs through the trunk. The attacker can attack a victim in any VLAN.
VLAN Hopping Double Tagging
Step 1. The attacker sends a frame with two 802.1Q headers to Switch 1.
Step 2. Switch 1 strips the outer tag and forwards the frame to all ports in that VLAN, including the trunk.
Step 3. Switch 2 interprets the frame according to information in the inner tag marked with VLAN ID 20.
Step 4. Switch 2 forwards the frame out all ports associated with VLAN 20, including trunk ports.
The attack requires that the attacker's access port be in the native VLAN of the trunk, so that Switch 1 sends the frame onto the trunk untagged and the inner tag becomes the outermost one. It is also one-way: the victim's replies do not come back to the attacker.
Mitigating VLAN Hopping Attacks
Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic.
When establishing a trunk link, purposefully configure arguments to achieve the following results:
The native VLAN is different from any data VLANs.
Trunking is set up as On or Nonegotiate rather than negotiated.
The specific VLAN range is carried on the trunk. This ensures that the native VLAN will be pruned along with any other VLANs not explicitly allowed on the trunk.
Where the platform supports it, tagging the native VLAN on trunks (vlan dot1q tag native) removes the untagged-native behaviour that double tagging depends on.
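The double-tagging steps above and the native-VLAN mitigations can be exercised on raw frame bytes. The following is an added example for this chapter, not Cisco code: it builds a real two-tag 802.1Q frame with struct, then replays it through a toy model of the two switches that keeps only the rule the attack depends on (an access port accepts a tag naming its own VLAN, and a trunk sends native-VLAN frames untagged unless native tagging is on). The attacker's MAC and the VLAN numbers are assumed. The first case reproduces the hop; the other two show the mitigations from the slide (an unused native VLAN, or native-VLAN tagging) leaving the frame in the attacker's own VLAN.

```python
"""Double-tagging VLAN hop built as raw bytes and replayed through a toy model
of two switches joined by an 802.1Q trunk.  Added example for this chapter,
not Cisco code.  The model keeps only the behaviour the attack depends on: an
access port accepts a tag naming its own VLAN, and a trunk sends native-VLAN
frames untagged unless native-VLAN tagging is enabled."""
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800
ATTACKER_MAC = "00:00:00:00:00:0c"          # assumed


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID 0x8100 + TCI (3-bit PCP, DEI=0, 12-bit VID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst: str, src: str, vids: List[int], payload: bytes) -> bytes:
    """Ethernet frame carrying zero or more stacked 802.1Q tags, outer first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ETHERTYPE_IP) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], bytes]:
    """Return (VIDs outer-first, rest of the frame starting at the EtherType)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, frame[off:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Switch 1, access port: the frame belongs to the port VLAN.  A tag naming
    that VLAN is removed; a tag for any other VLAN gets the frame dropped (None)."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None
    return access_vlan, (strip_outer_tag(frame) if vids else frame)


def trunk_egress(vlan: int, frame: bytes, native: int, tag_native: bool) -> bytes:
    """Switch 1, trunk port: tag the frame with its VLAN, except that the native
    VLAN leaves untagged unless native-VLAN tagging is configured."""
    if vlan == native and not tag_native:
        return frame                            # whatever tag remains is now outermost
    return frame[:12] + vlan_tag(vlan) + frame[12:]


def trunk_ingress(frame: bytes, native: int) -> Tuple[int, bytes]:
    """Switch 2, trunk port: VLAN = outer tag if present, else the native VLAN."""
    vids, _ = parse_tags(frame)
    if vids:
        return vids[0], strip_outer_tag(frame)
    return native, frame


def hop(attacker_vlan: int, target_vlan: int, native: int, tag_native: bool = False) -> int:
    """Send one double-tagged broadcast from the attacker's access port across
    the trunk and return the VLAN in which Switch 2 delivers it."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", ATTACKER_MAC,
                        [attacker_vlan, target_vlan], b"\x00" * 46)
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        raise ValueError("frame tagged for a foreign VLAN is dropped at the access port")
    vlan, frame = accepted
    on_wire = trunk_egress(vlan, frame, native, tag_native)
    delivered_vlan, _ = trunk_ingress(on_wire, native)
    return delivered_vlan


if __name__ == "__main__":
    print("native VLAN 10 = attacker's VLAN: delivered in VLAN", hop(10, 20, native=10))
    print("native VLAN 999 (unused):         delivered in VLAN", hop(10, 20, native=999))
    print("native 10 but tagged on trunk:    delivered in VLAN", hop(10, 20, native=10, tag_native=True))
```

The model deliberately ignores MAC learning and STP; the only thing that decides the outcome is whether Switch 1 puts a tag of its own in front of the attacker's inner tag before the frame reaches Switch 2.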
Catalyst Multilayer Switch ACL Types
Router access control lists (RACL): Supported in the TCAM hardware on Cisco multilayer switches. In Catalyst switches, a RACL can be applied to any routed interface, such as an SVI or a routed port.
Port access control list (PACL): Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs act at the Layer 2 port level but can filter based on Layer 3 and Layer 4 information.
Catalyst Multilayer Switch ACL Types
VACLs: Also known as VLAN access maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, analogous to route maps. VACLs can control traffic flowing within the VLAN or control switched traffic, whereas RACLs control only routed traffic.
Configuring VACLs (1)
Three ACL actions are permitted with VACLs:
Permit (with capture, Catalyst 6500 only)
Redirect (Catalyst 6500 only)
Deny (with logging, Catalyst 6500 only)
Configuring VACLs (2)
Step 1. Define a VLAN access map:
Switch(config)# vlan access-map map_name [seq#]
Step 2. Configure a match clause, referencing an IP ACL or a MAC ACL (a sequence with no match clause matches all traffic):
Switch(config-access-map)# match {ip address {acl_number | acl_name} | mac address acl_name}
Step 3. Configure an action clause:
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
Step 4. Apply the map to VLANs:
Switch(config)# vlan filter map_name vlan-list list
Step 5. Verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [access-map map_name | vlan vlan_id]
Configuring VACLs (3)
Here a VACL is configured to drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20 and to drop all traffic to the backup server at MAC address 0000.1111.4444. The permit entries in the ACLs mean "match"; the drop comes from the access-map action. Sequence 30 has no match clause and forwards everything else, which is required because a packet that matches no sequence is dropped.
switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
switch(config)# mac access-list extended BACKUP_SERVER
switch(config-ext-mac)# permit any host 0000.1111.4444
switch(config)# vlan access-map XYZ 10
switch(config-map)# match ip address 100
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 20
switch(config-map)# match mac address BACKUP_SERVER
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 30
switch(config-map)# action forward
switch(config)# vlan filter XYZ vlan-list 10,20
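How the order of sequences and the implicit drop interact is worth seeing on actual packets. The following is an added example for this chapter, not Cisco code: it models VACL evaluation (sequences tried in order, first permitting match decides, no match means drop) over the XYZ map configured above and four constructed packets on VLAN 10 (the sample MAC and IP addresses are assumed). It also models one platform caveat a practitioner should know: on Catalyst switches a MAC ACL in a VLAN map classifies only non-IP frames unless MAC packet classification is enabled (mac packet-classify on the Catalyst 6500), so as written the map does not drop IP packets addressed to the backup server.

```python
"""Evaluation model of a VLAN access map (VACL): sequences are tried in order,
the first one whose match ACL permits the packet decides the action, and a
packet matching no sequence is dropped.  Added example for this chapter, not
Cisco code; the XYZ map is the one configured above, built from inline data,
and the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpAce:                 # one line of an extended IP ACL (source/destination only)
    permit: bool
    src: str                 # prefix like "10.1.9.0/24" or "any"
    dst: str


@dataclass
class MacAce:                # one line of 'mac access-list extended'
    permit: bool
    src: str                 # "xxxx.xxxx.xxxx" or "any"
    dst: str


@dataclass
class MapSeq:                # 'vlan access-map <name> <seq>' with its match and action
    seq: int
    action: str              # "forward" or "drop" ("redirect" not modelled)
    ip_acl: Optional[List[IpAce]] = None      # match ip address <acl>
    mac_acl: Optional[List[MacAce]] = None    # match mac address <acl>


def _ip_match(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _mac_match(addr: str, spec: str) -> bool:
    return spec == "any" or addr.lower() == spec.lower()


def ip_acl_permits(acl: List[IpAce], pkt: dict) -> bool:
    for ace in acl:
        if _ip_match(pkt["src_ip"], ace.src) and _ip_match(pkt["dst_ip"], ace.dst):
            return ace.permit
    return False             # implicit deny: the ACL does not classify this packet


def mac_acl_permits(acl: List[MacAce], pkt: dict) -> bool:
    for ace in acl:
        if _mac_match(pkt["src_mac"], ace.src) and _mac_match(pkt["dst_mac"], ace.dst):
            return ace.permit
    return False


def vacl_action(access_map: List[MapSeq], pkt: dict, mac_classifies_ip: bool = False) -> str:
    """First matching sequence wins.  A MAC ACL clause sees only non-IP frames
    unless MAC packet classification is enabled (Catalyst 6500 'mac packet-classify')."""
    is_ip = "src_ip" in pkt
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.ip_acl is None and entry.mac_acl is None:
            return entry.action                   # no match clause: matches everything
        if is_ip and entry.ip_acl and ip_acl_permits(entry.ip_acl, pkt):
            return entry.action
        if entry.mac_acl and (not is_ip or mac_classifies_ip) and mac_acl_permits(entry.mac_acl, pkt):
            return entry.action
    return "drop"                                 # no sequence matched: implicit drop


ACL_100 = [IpAce(True, "10.1.9.0/24", "any")]             # access-list 100 permit ip 10.1.9.0 0.0.0.255 any
BACKUP_SERVER = [MacAce(True, "any", "0000.1111.4444")]   # mac access-list extended BACKUP_SERVER
XYZ = [MapSeq(10, "drop", ip_acl=ACL_100),
       MapSeq(20, "drop", mac_acl=BACKUP_SERVER),
       MapSeq(30, "forward")]

SAMPLE = [  # constructed packets on VLAN 10 (addresses assumed)
    {"src_mac": "0000.aaaa.0001", "dst_mac": "0000.bbbb.0002", "src_ip": "10.1.9.7", "dst_ip": "10.1.10.5"},
    {"src_mac": "0000.aaaa.0001", "dst_mac": "0000.1111.4444"},                        # non-IP frame to the backup server
    {"src_mac": "0000.aaaa.0001", "dst_mac": "0000.1111.4444", "src_ip": "10.1.10.9", "dst_ip": "10.1.10.44"},
    {"src_mac": "0000.aaaa.0003", "dst_mac": "0000.bbbb.0002", "src_ip": "10.1.10.9", "dst_ip": "10.1.10.5"},
]


def evaluate(access_map: List[MapSeq], packets: List[dict], mac_classifies_ip: bool = False) -> List[str]:
    return [vacl_action(access_map, p, mac_classifies_ip) for p in packets]


if __name__ == "__main__":
    print("XYZ as configured       :", evaluate(XYZ, SAMPLE))
    print("with mac packet-classify:", evaluate(XYZ, SAMPLE, mac_classifies_ip=True))
    print("without sequence 30     :", evaluate(XYZ[:2], SAMPLE))
```

Dropping the third sequence turns the map into a deny-all for the two VLANs, which is the most common VACL mistake in practice; the third sample packet shows why the intended backup-server rule needs an IP ACL (or MAC packet classification) to cover IP traffic.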
Understanding and Protecting against Spoofing Attacks
Catalyst Integrated Security Features
Dynamic Address Resolution Protocol inspection (DAI) adds security to ARP using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
IP Source Guard (IPSG) prevents IP address spoofing using the DHCP snooping table.
Port security prevents MAC flooding attacks.
DHCP snooping prevents client attacks on the DHCP server and switch.
DHCP Spoofing Attack
One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server.
The DHCP spoofing device replies to client DHCP requests. The legitimate server can reply also, but if the spoofing device is on the same segment as the client, its reply to the client might arrive first.
The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or DNS server. In the case of a gateway, the clients then forward packets to the attacking device, which in turn sends them to the desired destination.
This is referred to as a man-in-the-middle attack, and it can go entirely undetected as the intruder intercepts the data flow through the network.
DHCP Spoofing Attack Scenario 1
An attacker floods the segment by sending thousands of DHCP requests, each with a different client hardware address. The DHCP server does not have the capability to determine whether a request is genuine and therefore might end up exhausting all the available IP addresses. This results in a legitimate client not getting an IP address via DHCP.
Port security alone does not stop this if the attacker keeps one Ethernet source MAC and varies only the chaddr field inside the DHCP message; DHCP snooping's verify mac-address check is what catches that mismatch.
DHCP Spoofing Attack Scenario 2
An attacker connects a rogue DHCP server to the network and has it assume the role of the DHCP server for that segment. This enables the intruder to give out false DHCP information for the default gateway and domain name servers, which points clients to the hacker's machine. This misdirection enables the hacker to become a man-in-the-middle and to gain access to confidential information, such as username and password pairs, while the end user is unaware of the attack.
DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted: server messages (OFFER, ACK, NAK) are accepted only from trusted ports, while untrusted ports may source only client messages. From the exchanges it sees, the switch builds a binding table of client MAC address, IP address, lease time, VLAN, and port that DAI and IP Source Guard later rely on.
Configuring DHCP Snooping
Step / Commands
1. Enable DHCP snooping globally:
Switch(config)# ip dhcp snooping
2. Enable DHCP Option 82 insertion (on by default; if the DHCP server rejects client packets that carry Option 82 with a zero giaddr, turn it off with no ip dhcp snooping information option):
Switch(config)# ip dhcp snooping information option
3. Configure DHCP server interfaces or uplink ports as trusted:
Switch(config-if)# ip dhcp snooping trust
4. Configure the number of DHCP packets per second (pps) that are acceptable on the port; exceeding it err-disables the port:
Switch(config-if)# ip dhcp snooping limit rate rate
5. Enable DHCP snooping on specific VLANs (nothing is inspected until this step):
Switch(config)# ip dhcp snooping vlan number [number]
6. Verify the configuration:
Switch# show ip dhcp snooping
DHCP Snooping Configuration Example
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping information option
switch(config)# ip dhcp snooping vlan 10,20
switch(config)# interface fastethernet 0/1
switch(config-if)# description Access Port
switch(config-if)# ip dhcp snooping limit rate 5
switch(config)# interface fastethernet 0/24
switch(config-if)# description Uplink
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 10,20
switch(config-if)# ip dhcp snooping trust
Verifying the DHCP Snooping Configuration
switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 001a.e372.ab00 (MAC)
Option 82 on untrusted port is not allowed
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            no         no              5
FastEthernet0/24           yes        yes             unlimited
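The checks behind that output can be run on sample traffic. The following is an added example for this chapter, not Cisco code: it models the DHCP snooping decisions for the configuration above (VLANs 10 and 20 snooped, Fa0/24 trusted, 5 pps on access ports) over a constructed DHCP exchange, a rogue server reply, a starvation attempt with a spoofed chaddr, a burst that trips the rate limit, and a RELEASE for a victim's lease sent from the wrong port. The client and attacker MAC addresses are assumed. The binding table it builds is the one DAI and IP Source Guard consume.

```python
"""DHCP snooping checks modelled over constructed DHCP messages.  Added example
for this chapter, not Cisco code.  It applies the rules the chapter describes
(server replies only from trusted ports, per-port rate limit with err-disable,
binding table built from ACKs, no Option 82 or relay address from untrusted
ports) plus the chaddr check of 'ip dhcp snooping verify mac-address'."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # BOOTREPLY messages: legitimate only from trusted ports


def msg(second, port, vlan, mtype, chaddr, eth_src=None, yiaddr=None, lease=0,
        giaddr="0.0.0.0", option82=False):
    """Constructed DHCP message as the switch sees it (eth_src defaults to chaddr)."""
    return dict(second=second, port=port, vlan=vlan, type=mtype, chaddr=chaddr,
                eth_src=eth_src or chaddr, yiaddr=yiaddr, lease=lease, giaddr=giaddr,
                option82=option82)


@dataclass
class DhcpSnooping:
    vlans: Set[int]                              # ip dhcp snooping vlan ...
    trusted: Set[str]                            # ports with 'ip dhcp snooping trust'
    rate_limit: Dict[str, int]                   # port -> pps from 'ip dhcp snooping limit rate'
    verify_mac: bool = True                      # ip dhcp snooping verify mac-address
    bindings: Dict[Tuple[str, int], dict] = field(default_factory=dict)   # (mac, vlan) -> entry
    errdisabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _pending: Dict[Tuple[str, int], str] = field(default_factory=dict)    # (mac, vlan) -> client port
    _pps: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))

    def drop(self, m: dict, why: str) -> bool:
        self.log.append(f"{m['port']} vlan {m['vlan']} {m['type']} dropped: {why}")
        return False

    def process(self, m: dict) -> bool:
        """Return True if the switch forwards the message, False if it drops it."""
        port, vlan, key = m["port"], m["vlan"], (m["chaddr"], m["vlan"])
        if vlan not in self.vlans:
            return True                          # snooping not enabled on this VLAN
        if port in self.errdisabled:
            return False
        limit = self.rate_limit.get(port)
        if limit is not None:
            self._pps[(port, m["second"])] += 1
            if self._pps[(port, m["second"])] > limit:
                self.errdisabled.add(port)
                return self.drop(m, f"rate limit {limit} pps exceeded, port err-disabled")
        if port in self.trusted:                 # trusted: no checks, but learn from ACKs
            if m["type"] == "ACK" and key in self._pending:
                self.bindings[key] = {"ip": m["yiaddr"], "lease": m["lease"], "vlan": vlan,
                                      "port": self._pending.pop(key), "type": "dhcp-snooping"}
            return True
        if m["type"] in SERVER_MSGS:
            return self.drop(m, "server message on untrusted port (rogue DHCP server)")
        if m["giaddr"] != "0.0.0.0":
            return self.drop(m, "non-zero giaddr from untrusted port")
        if m["option82"]:
            return self.drop(m, "Option 82 already present on untrusted port")
        if self.verify_mac and m["chaddr"] != m["eth_src"]:
            return self.drop(m, "chaddr does not match source MAC (spoofed client)")
        if m["type"] in ("RELEASE", "DECLINE"):
            entry = self.bindings.get(key)
            if entry is None or entry["port"] != port:
                return self.drop(m, "release/decline for a binding on another port")
            del self.bindings[key]
            return True
        self._pending[key] = port                # DISCOVER / REQUEST: remember the client port
        return True


VICTIM = "00:11:22:33:44:55"                     # assumed client MAC on Fa0/1
ROGUE = "00:0c:29:aa:bb:cc"                      # assumed attacker MAC on Fa0/2

SAMPLE = (
    [msg(0, "Fa0/1", 10, "DISCOVER", VICTIM),
     msg(0, "Fa0/24", 10, "OFFER", VICTIM, yiaddr="10.1.10.50"),
     msg(0, "Fa0/1", 10, "REQUEST", VICTIM),
     msg(0, "Fa0/24", 10, "ACK", VICTIM, yiaddr="10.1.10.50", lease=86400),
     msg(1, "Fa0/2", 10, "OFFER", VICTIM, eth_src=ROGUE, yiaddr="10.1.10.99"),     # rogue server reply
     msg(1, "Fa0/2", 10, "DISCOVER", "00:de:ad:00:00:01", eth_src=ROGUE)]          # starvation, spoofed chaddr
    + [msg(2, "Fa0/2", 10, "DISCOVER", "00:de:ad:00:00:%02x" % i) for i in range(2, 8)]   # 6 in one second
    + [msg(3, "Fa0/3", 10, "RELEASE", VICTIM)]                                     # victim's lease, wrong port
)


def run_sample() -> Tuple[List[bool], DhcpSnooping]:
    snoop = DhcpSnooping(vlans={10, 20}, trusted={"Fa0/24"},
                         rate_limit={"Fa0/1": 5, "Fa0/2": 5, "Fa0/3": 5})
    return [snoop.process(m) for m in SAMPLE], snoop


if __name__ == "__main__":
    results, snoop = run_sample()
    print(results)
    print(snoop.bindings)
    print("\n".join(snoop.log))
```

The order of the checks matters: the rate limit is applied before anything else, so a burst of otherwise valid DISCOVERs still err-disables the port, and the RELEASE check uses the port recorded in the binding, which is what stops a host on another port from tearing down a victim's lease.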
ARP Spoofing Attack
Step 1. Host A broadcasts an ARP request for Router C's IP address.
Step 2. Router C replies with its MAC and IP addresses. C also updates its ARP cache.
Step 3. Host A binds C's MAC address to its IP address in its ARP cache.
Step 4. Host B (attacker) sends an ARP message binding B's MAC address to C's IP address.
Step 5. Host A updates its ARP cache with B's MAC address bound to C's IP address.
Step 6. Host B sends an ARP message binding B's MAC address to A's IP address.
Step 7. Router C updates its ARP cache with B's MAC address bound to A's IP address.
Step 8. Packets between A and C are diverted through the attacker (B).
Preventing ARP Spoofing through Dynamic ARP Inspection
DAI takes these actions:
Forwards ARP packets received on a trusted interface without any checks.
Intercepts all ARP packets on untrusted ports.
Verifies that each intercepted packet has a valid IP-to-MAC address binding (from the DHCP snooping binding table or a configured ARP ACL) before forwarding packets that can update the local ARP cache.
Drops and logs ARP packets with invalid IP-to-MAC address bindings.
DAI Recommended Configuration
DAI can also be used to rate-limit the ARP packets on untrusted ports and then err-disable the interface if the rate is exceeded (the default is 15 pps on untrusted ports and no limit on trusted ports).
The figure here shows the recommended DAI configuration: host-facing access ports are left untrusted, and the inter-switch links are configured as trusted.
DAI Commands
Command / Description

Switch(config)# ip arp inspection vlan vlan_id [vlan_id]
Enables DAI on a VLAN or range of VLANs.

Switch(config-if)# ip arp inspection trust
Sets the interface as a DAI trusted interface; ARP packets received on it bypass inspection. DAI itself is enabled per VLAN, not per interface.

Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
DAI Scenario with Catalyst Switches (1)
Two user hosts are connected, one to Switch A and one to Switch B, both in VLAN 10.
The DHCP server is connected to Switch A. DHCP snooping is enabled on both Switch A and Switch B as a prerequisite for DAI.
The inter-switch links are configured as DAI trusted ports, and the user ports are left in the default untrusted state.
DAI Scenario with Catalyst Switches (2)
SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# ip arp inspection vlan 10
SwitchA(config)# interface gigabitEthernet 1/1
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# end

SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection vlan 10
SwitchB(config)# interface gigabitEthernet 1/1
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# end
DAI Scenario with Catalyst Switches (3)
SwitchA# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/1            Trusted         None          N/A
 Fa2/1            Untrusted       15            1
 Fa2/2            Untrusted       15            1
DAI Scenario with Catalyst Switches (4)
SwitchA# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny
DAI Scenario with Catalyst Switches (5)
SwitchA# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:00:01:00:01   10.10.10.1       4995        dhcp-snooping  10    FastEthernet2/1
DAI Scenario with Catalyst Switches (6)
SwitchB# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/1            Trusted         None          N/A
 Fa2/1            Untrusted       15            1
 Fa2/2            Untrusted       15            1
 Fa2/3            Untrusted       15            1
DAI Scenario with Catalyst Switches (7)
SwitchB# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny
DAI Scenario with Catalyst Switches (8)
SwitchB# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:02:00:02:00:02   10.10.10.2       4995        dhcp-snooping  10    FastEthernet2/2
DAI Scenario with Catalyst Switches (9)
If an attacker connects to Switch B and tries to send a bogus ARP request, Switch B will detect it and drop the ARP request packet. If the attacker also exceeds the ARP rate limit on the port, Switch B err-disables the port and sends a log message to alert the administrator.
DAI discards any ARP packets with invalid MAC-address-to-IP-address bindings. An error message is displayed on the switch when a security violation occurs:
02:46:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/3, vlan 10.([... 2003])
IP Spoofing and IP Source Guard
An attacker impersonates a legitimate host on the network by spoofing the IP address of the victim.
IP Source Guard (IPSG) prevents a malicious host from attacking the network with a hijacked IP address.
IPSG provides per-port traffic filtering of assigned source IP addresses.
IPSG dynamically maintains per-port ACLs based on IP-to-MAC-to-switch-port bindings.
IPSG is typically deployed for untrusted ports at the access layer.
IPSG works closely with DHCP snooping.
IP Source Guard Operations
IPSG can be enabled on a DHCP snooping untrusted Layer 2 port to prevent IP spoofing.
At first, all IP traffic on the port is blocked except for DHCP packets captured by the DHCP snooping process.
When the client obtains an address through DHCP (creating a DHCP snooping binding), or when an administrator configures a static IP source binding for the port, IPSG installs a per-port filter from that binding.
This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding is filtered out. This filtering limits a host's capability to attack the network by claiming a neighbor host's IP address.
Configuring IP Source Guard
Step / Commands
1. Enable DHCP snooping globally:
Switch(config)# ip dhcp snooping
2. Enable DHCP snooping on the client VLANs:
Switch(config)# ip dhcp snooping vlan number [number]
3. Enable IPSG on the untrusted access port, filtering on source IP only, or on source IP and source MAC (the latter requires port security on the port):
Switch(config-if)# ip verify source vlan dhcp-snooping
or
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
4. Optionally rate-limit frames whose source MAC does not match a binding:
Switch(config-if)# switchport port-security limit rate invalid-source-mac N
5. Add a static binding for a host that does not use DHCP (for example a server):
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-id
The ip verify source vlan dhcp-snooping form is the Catalyst 4500/6500 syntax; on Catalyst 2960/3560/3750 switches the interface command is ip verify source [port-security].
IPSG Scenario (1)
A DHCP client connects to the same Catalyst switch as a server with a static IP address. The client's binding comes from DHCP snooping; the server's binding must be configured statically.
IPSG Scenario (2)
Swi t ch# confi ure terminalEnt er conf i gur at i on commands, one per l i ne. End wi t h CNTL/ Z.Swi t ch( conf i g) # ip dhcp snoopingSwi t ch( conf i g) # ip dhcp snooping vlan 1,10Swi t ch( conf i g) # ip dhcp snooping verify mac-addressw . . . . .
Fa2/18
Swi t ch( conf i g) # interface fastethernet 2/1Swi t ch( conf i g- i f ) # switchportSwi t ch( conf i g- i f ) # switchport mode accessSwi t ch( conf i g- i f ) # switchport port-security
Swi t ch( conf i g- i f ) # ip verify source vlan dhcp-snooping port-securitySwi t ch( conf i g) # interface fastethernet 2/18Swi t ch( conf i g- i f ) # switchport
-
Chapter 661 2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Swi t ch( conf i g- i f ) # switchport port-securitySwi t ch( conf i g- i f ) # ip verify source vlan dhcp-snooping port-security
IPSG Scenario (3)

Switch# show ip source binding
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ----------------
00:02:B3:3F:3B:99   10.1.1.11    6522        dhcp-snooping  1     FastEthernet2/1
00:00:00:0A:00:0B   10.1.10.11   infinite    static         10    FastEthernet2/18

Switch# show ip verify source
Interface  Filter-type  Filter-mode  IP-address   Mac-address        Vlan
---------  -----------  -----------  -----------  -----------------  ----
Fa2/1      ip-mac       active       10.1.1.11    00:02:B3:3F:3B:99  1
Fa2/18     ip-mac       active       10.1.10.11   00:00:00:0a:00:0b  10

The first command shows the binding table (the DHCP-snooping entry expires with its lease, the static one never does); the second shows the filter IPSG has installed from it on each port. A port whose filter-mode reads inactive-no-snooping-vlan, or that has no binding at all, is one where IPSG drops every IP packet, which is the usual cause of a host losing connectivity after IPSG is turned on.
IPSG Scenario (4)

An attacker is connected to interface 2/10 and is spoofing the IP address of the server. Because no binding for 10.1.10.11 exists on Fa2/10, the Catalyst switch detects and drops the packets in the hardware forwarding path. The switch also logs an error message to indicate the violation.
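The scenario above, worked through as an added example (not Cisco code and not from the original slides): it rebuilds the binding table from the show ip source binding output, applies the per-port check that ip verify source ... port-security installs, and shows why the attacker on Fa2/10 is dropped while a new host on the same port can still obtain a lease. Addresses, MACs and interfaces are those on the page; the Frame type, the attacker's frames and the filter-type switch are constructions of this example.

```python
"""IP Source Guard (IPSG) filtering model: an added example, not Cisco code.

Rebuilds the binding table from the scenario (a DHCP-snooping entry on Fa2/1
and a static entry on Fa2/18) and applies the per-port check that
'ip verify source vlan dhcp-snooping port-security' installs (filter type
ip-mac), then shows the attacker on Fa2/10 being dropped.  Addresses, MACs
and interfaces are the ones shown by 'show ip source binding' on the page;
the Frame type and the attacker's frames are constructed for this example.
"""
from dataclasses import dataclass

IPV4 = 0x0800


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    source: str            # "dhcp-snooping" (learned) or "static" (configured)


@dataclass(frozen=True)
class Frame:
    interface: str         # ingress port
    vlan: int
    src_mac: str
    src_ip: str
    ethertype: int = IPV4
    is_dhcp: bool = False  # DHCP client messages go to DHCP snooping, never to the filter


def norm_mac(mac: str) -> str:
    """Accept 00:02:B3:3F:3B:99 or 0002.b33f.3b99 and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class IPSourceGuard:
    """Per-port source filter derived from the IP source binding table."""

    def __init__(self, bindings, filter_type="ip-mac"):
        # "ip" models 'ip verify source vlan dhcp-snooping' without the port-security
        # keyword (only the source IP is checked); "ip-mac" also requires the MAC to match.
        self.filter_type = filter_type
        self.table = {}    # interface -> {(vlan, ip, mac)}
        for b in bindings:
            self.table.setdefault(b.interface, set()).add((b.vlan, b.ip, norm_mac(b.mac)))

    def permit(self, f: Frame) -> bool:
        if f.is_dhcp:
            return True    # a host with no lease yet must still be able to DHCP
        if f.ethertype != IPV4:
            return True    # IPSG filters IP only; ARP is Dynamic ARP Inspection's job
        allowed = self.table.get(f.interface, set())   # no binding -> nothing allowed
        if self.filter_type == "ip":
            return any(vlan == f.vlan and ip == f.src_ip for vlan, ip, _ in allowed)
        return (f.vlan, f.src_ip, norm_mac(f.src_mac)) in allowed


# Binding table from the page's 'show ip source binding' output.
BINDINGS = [
    Binding("00:02:B3:3F:3B:99", "10.1.1.11", 1, "FastEthernet2/1", "dhcp-snooping"),
    Binding("00:00:00:0A:00:0B", "10.1.10.11", 10, "FastEthernet2/18", "static"),
]


def run_scenario(filter_type="ip-mac"):
    """Return {case: permitted?} for the hosts of the scenario plus the attacker."""
    ipsg = IPSourceGuard(BINDINGS, filter_type)
    cases = {
        "client_own_lease": Frame("FastEthernet2/1", 1, "0002.b33f.3b99", "10.1.1.11"),
        "server_static": Frame("FastEthernet2/18", 10, "0000.000a.000b", "10.1.10.11"),
        # attacker on Fa2/10 spoofing the server's IP (and even its MAC): no binding there
        "attacker_spoofs_server": Frame("FastEthernet2/10", 10, "0000.000a.000b", "10.1.10.11"),
        # the legitimate client port sending from an address it did not lease
        "client_spoofs_neighbor": Frame("FastEthernet2/1", 1, "0002.b33f.3b99", "10.1.1.99"),
        # leased IP but a different MAC: dropped only when the MAC is checked (ip-mac)
        "client_foreign_mac": Frame("FastEthernet2/1", 1, "0002.dead.beef", "10.1.1.11"),
        # a brand-new host on Fa2/10 may still request a lease
        "new_host_dhcp_discover": Frame("FastEthernet2/10", 10, "00aa.bbcc.ddee", "0.0.0.0", is_dhcp=True),
    }
    return {name: ipsg.permit(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for mode in ("ip-mac", "ip"):
        print(f"filter-type {mode}:")
        for name, ok in run_scenario(mode).items():
            print(f"  {name:24s} {'permit' if ok else 'DROP'}")
```

Running it with the ip filter type shows the one case that differs: a host that keeps its leased address but changes MAC is still permitted, which is why the port-security keyword is worth the extra port-security configuration on user ports.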
Securing Network Switches
Neighbor Discovery Protocols (NDP)

Cisco Discovery Protocol (CDP)
Link Layer Discovery Protocol (LLDP)

Cisco Discovery Protocol

Cisco-proprietary Layer 2 protocol that advertises a device's identity, platform, software version, addresses and native VLAN to directly connected neighbors.
Uses multicast hello messages.
Uses a TTL (holdtime) in seconds.
Cached CDP information is available to the network management system via SNMP; it is recommended to restrict SNMP access so that this neighbor data cannot be read by arbitrary stations (see Securing SNMP).
Configuring CDP

CDP is enabled by default.
The no cdp run command disables CDP globally.
The no cdp enable command disables CDP on an interface.
Displaying CDP Information (1)

When CDP is enabled, the command show cdp neighbors displays a summary of which devices are seen on which ports.

Switch# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Displaying CDP Information (2)

4506# show cdp neighbor detail
-------------------------
Device ID: TBA03501074(SwitchA-6500)
Entry address(es):
  IP address: 10.18.2.137
Platform: WS-C6506,  Capabilities: Trans-Bridge Switch IGMP
Interface: FastEthernet3/21,  Port ID (outgoing port): 3/36
Holdtime : 170 sec

Version :
WS-C6506 Software, Version McpSW: 7.6(1) NmpSW: 7.6(1)

advertisement version: 2
VTP Management Domain: '0'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: SwitchC-4503
Entry address(es):
  IP address: 10.18.2.132
Platform: cisco WS-C4503,  Capabilities: Router Switch IGMP
Interface: FastEthernet3/27,  Port ID (outgoing port): FastEthernet3/14
Holdtime : 130 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.1(19)EW, CISCO ENHANCED PRODUCTION VERSION
Compiled Tue 27-May-03 04:31 by prothero

Everything an attacker needs to choose an exploit is in this output: exact platform, exact software version, a management IP address, and the native VLAN (the starting point for VLAN hopping). The same fields travel in every CDP frame on the wire, so this is also what a sniffer on a CDP-enabled port sees without any access to the switch.
Configuring LLDP

LLDP (IEEE 802.1AB, the standards-based equivalent of CDP) is disabled by default on Cisco IOS switches.
The command lldp run enables LLDP globally.
The command lldp enable enables LLDP on an interface; on many platforms the per-interface controls are lldp transmit and lldp receive, which can be removed separately so that a port listens without advertising.
LLDP exposes the same kind of information as CDP and to every vendor's tooling, so the same per-port trimming applies to it.
Displaying LLDP Information

When LLDP is enabled, the command show lldp neighbors displays a summary of which devices are seen on which ports.

switch(config)# end
switch# show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID     Local Intf   Hold-time  Capability  Port ID
c2960-8       Fa0/8        120        B           Fa0/8

Total entries displayed: 1
CDP Vulnerabilities

Sequence of events:
1. Administrator uses CDP to view neighbor information.
2. Attacker uses a packet analyzer to intercept CDP traffic.
3. Attacker analyzes the information in CDP packets to gain knowledge of network addresses and device details (platform, software version, native VLAN).
4. Attacker formulates attacks based on known vulnerabilities of the network platforms.

CDP frames are sent unauthenticated and unencrypted to a well-known multicast address, so any host on the segment can read them; no access to the switch is needed. Disabling CDP on user-facing ports removes the exposure (see Trimming and Minimizing Use of CDP/LLDP).
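Step 3 of the sequence, as an added example (not Cisco code and not from the original slides): a decoder for the TLVs of a captured CDP frame that pulls out the fields an attacker wants. The sample frame is constructed here from the SwitchC-4503 values in the page's show cdp neighbor detail output; the checksum is left zero and not verified, which is an assumption of this example (a real sniffer would verify it).

```python
"""Decoding a captured CDP frame: an added example, not Cisco code.

The parser walks the CDP TLVs that follow the 4-byte CDP header (version,
holdtime, checksum) and returns the recon-relevant fields: device name,
management IP, platform, software version, capabilities and native VLAN.
The sample frame is constructed from the page's 'show cdp neighbor detail'
output for SwitchC-4503; the checksum is left 0 and not verified (assumption).
"""
import struct

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "version", 0x0006: "platform",
             0x0009: "vtp_domain", 0x000A: "native_vlan", 0x000B: "duplex"}
STRING_TLVS = (0x0001, 0x0003, 0x0005, 0x0006, 0x0009)
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans-Bridge"), (0x04, "Source-Route-Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV = type(2) + total length(2) + value; the length includes the 4-byte header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def ipv4_addresses_tlv(ips) -> bytes:
    """Addresses TLV: count(4), then per address: proto type(1), proto len(1), proto,
    address len(2), address.  IPv4 is NLPID (type 1), one protocol byte 0xCC, 4 bytes."""
    body = struct.pack("!I", len(ips))
    for ip in ips:
        body += bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    return tlv(0x0002, body)


def build_cdp(device_id, ips, port_id, caps, version, platform, native_vlan, full_duplex=True):
    """Assemble a CDP v2 payload as it sits after the SNAP header (checksum left 0)."""
    body = b"".join([
        tlv(0x0001, device_id.encode()), ipv4_addresses_tlv(ips), tlv(0x0003, port_id.encode()),
        tlv(0x0004, struct.pack("!I", caps)), tlv(0x0005, version.encode()),
        tlv(0x0006, platform.encode()), tlv(0x000A, struct.pack("!H", native_vlan)),
        tlv(0x000B, bytes([1 if full_duplex else 0])),
    ])
    return struct.pack("!BBH", 2, 180, 0) + body       # version 2, holdtime 180 s, checksum 0


def parse_addresses(value: bytes):
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(".".join(str(b) for b in addr))
        else:
            addrs.append(addr.hex())                      # IPv6 or other protocol: raw bytes
    return addrs


def parse_cdp(frame: bytes) -> dict:
    """Return the recon-relevant fields of one CDP frame; raise on a malformed TLV."""
    version, holdtime, _checksum = struct.unpack("!BBH", frame[:4])
    out = {"cdp_version": version, "holdtime": holdtime}
    off = 4
    while off + 4 <= len(frame):
        tlv_type, length = struct.unpack("!HH", frame[off:off + 4])
        if length < 4 or off + length > len(frame):
            raise ValueError(f"malformed TLV at offset {off}")
        value = frame[off + 4:off + length]
        name = TLV_NAMES.get(tlv_type, f"tlv_0x{tlv_type:04x}")
        if tlv_type in STRING_TLVS:
            out[name] = value.decode("ascii", "replace")
        elif tlv_type == 0x0002:
            out[name] = parse_addresses(value)
        elif tlv_type == 0x0004:
            bits = struct.unpack("!I", value)[0]
            out[name] = [label for bit, label in CAPABILITY_BITS if bits & bit]
        elif tlv_type == 0x000A:
            out[name] = struct.unpack("!H", value)[0]
        elif tlv_type == 0x000B:
            out[name] = "full" if value[0] == 1 else "half"
        else:
            out[name] = value.hex()
        off += length
    if off != len(frame):
        raise ValueError("trailing bytes after last TLV")
    return out


# Constructed frame carrying the SwitchC-4503 values from the page's show output.
SAMPLE_FRAME = build_cdp(
    device_id="SwitchC-4503", ips=["10.18.2.132"], port_id="FastEthernet3/14",
    caps=0x01 | 0x08 | 0x20,                               # Router, Switch, IGMP
    version="IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.1(19)EW",
    platform="cisco WS-C4503", native_vlan=1)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE_FRAME).items():
        print(f"{key:14s}: {val}")
```

The decoder rejects truncated or oversized TLVs instead of reading past the buffer, which matters because a sniffer on an untrusted segment is itself parsing attacker-controlled input.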
Securing Switch Access

Telnet Vulnerabilities
Secure Shell (SSH) Vulnerabilities
Telnet Vulnerabilities

All usernames, passwords, and data sent over the network in clear text are vulnerable to interception.
A user with an account on the system could gain elevated privileges.
A remote attacker could crash the Telnet service, preventing legitimate use of that service by performing a DoS attack such as opening too many bogus Telnet sessions.
A remote attacker could find an enabled guest account that might be present anywhere within the trusted domains of the server.
Secure Shell (SSH)

SSH replaces Telnet for management access: the session, including usernames, passwords, and all data, is encrypted and integrity-protected, which removes the clear-text exposure listed for Telnet. The other Telnet exposures still apply to the SSH service itself: password guessing against local or AAA accounts, resource exhaustion by opening many sessions, and stale or guest accounts. Mitigate them by requiring SSH version 2, using strong credentials (preferably AAA with named accounts), limiting the vty lines with an access-class, and setting an exec-timeout so abandoned sessions are cleared.
Configuring SSH

Step 1. Configure a user with a password.
Step 2. Configure the hostname and domain name.
Step 3. Generate RSA keys.
Step 4. Allow SSH transport on the vty lines.

switch(config)# username xyz secret abc123
switch(config)# hostname switch
switch(config)# ip domain-name xyz.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 4
switch(config-line)# login local
switch(config-line)# transport input ssh

The hostname and domain name are required because the RSA key pair is named after the device's FQDN. When prompted for the modulus size choose at least 2048 bits (or give it on the command line: crypto key generate rsa modulus 2048). Use secret rather than password for the local user so the credential is stored as a hash. transport input ssh removes Telnet only from the lines it is applied to, so apply it to every vty line, not just 0 to 4.
VTY Access Control Lists

Apply a standard ACL to the vty lines with the access-class line command so that only management stations from specific subnets can open a session at all, before any password is tried (see Securing Access to vty Lines).
HTTP Secure Server

Step 1. Configure username and password.
Step 2. Configure domain name.
Step 3. Generate RSA keys.
Step 4. Enable HTTPS (SSL) server.
Step 5. Configure authentication.
Step 6. Configure an access list to limit access.

sw(config)# username xyz password abc123
sw(config)# ip domain-name xyz.com
sw(config)# crypto key generate rsa
sw(config)# ip http secure-server
sw(config)# ip http access-class 100
sw(config)# ip http authentication local

Access list 100 must permit only the management stations. Prefer username xyz secret abc123 over password so the credential is hashed. Enable ip http secure-server together with no ip http server, otherwise the clear-text HTTP listener keeps running beside the HTTPS one.
Authentication, Authorization, and Accounting

AAA network security services provide the primary framework through which you set up access control on a Cisco IOS switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
Authentication

Authentication provides a method to handle:
User identification
Login and password dialog
Challenge and response messaging
Encryption (depending on the security protocol selected)
Authorization

Authorization provides the method for remote access control. Remote access control includes:
One-time authorization, or
Authorization for each service, on a per-user account list or a user-group basis.
Uses RADIUS or TACACS+ security servers.

Authorization is evaluated after authentication succeeds. With TACACS+ it can be applied per command, which is what makes TACACS+ the usual choice for device administration.
TACACS+ Attribute-Value Pairs (AVPs)

Attribute   Type of Value
Addr-pool   String
Addr        IP address
Idletime    Integer
Protocol    Keyword
Outacl      Integer

AVPs are how the TACACS+ server hands per-session authorization settings back to the switch, for example an idle timeout or the number of an outbound access list to apply.
Accounting

Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as:
User identities
Start and stop times
Executed commands
Number of packets and bytes

Accounting records are the audit trail for who changed what on a switch; send them to the AAA server rather than relying on the local log, which anyone with privileged access to the device can clear.
Configuring Authentication

A variety of login authentication methods is available. First use the aaa new-model command to initialize AAA.
Use the aaa authentication login command to enable AAA login authentication. With this command, you create one or more lists of authentication methods.
The aaa authentication login {default | list-name} method1 [method2...] command defines the list name and the authentication methods, in the order in which they are tried.
The login authentication {default | list-name} line command applies the authentication list to an input line.

A named list applies only to lines that reference it; the default list applies to every line (console included) that has no explicit list, so test any change to default from a second session before disconnecting the first.
AAA Authentication Example

Switch(config)# aaa new-model
Switch(config)# aaa authentication login TEST tacacs+
Switch(config)# tacacs-server host 192.168.100.100
Switch(config)# line vty 0 4
Switch(config-line)# login authentication TEST

Current IOS syntax for the method is group tacacs+; tacacs+ alone is the legacy keyword. The example also needs tacacs-server key shared-secret matching the server, and because the list has no fallback method, the vty lines become unusable whenever the TACACS+ server is unreachable (compare the enable fallback in the next example).
AAA Authentication Configuration Detail

Step 1. Configure the TACACS+ server for a test user: when using Cisco Access Control Server (ACS) for Microsoft Windows, create a new test user without specific options.

Step 2. Configure a new network device on the TACACS+ server: when using Cisco ACS for Microsoft Windows, create a new network device by specifying the DNS name and IP address, and specify a key to be used for TACACS+.

Step 4. Enable AAA globally:
svs-san-3550-1(config)# aaa new-model

Step 5. Configure the TACACS+ server address and the shared key (it must match the key entered on the server in Step 2):
svs-san-3550-1(config)# tacacs-server host 172.18.114.33
svs-san-3550-1(config)# tacacs-server key SWITCH

Step 6. Configure the default login access:
svs-san-3550-1(config)# aaa authentication login default group tacacs+ enable

Step 7. Test the login using a separate connection. This enables you to troubleshoot and make changes in real time while testing the configuration; keep the existing session open until the new login has been verified, because a mistake in the default list locks you out of every line.

The enable method at the end of the list is consulted only when no TACACS+ server answers; it is not tried when the server rejects the credentials. The key is a shared secret, so choose a long random value rather than a word such as SWITCH.
AAA Authorization Configuration

Use the command:
aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]

Apply the list to a line with:
authorization {arap | commands level | exec | reverse-access} {default | list-name}

Use the aaa authorization command with the group tacacs+ method keywords to request authorization via a TACACS+ server. The group tacacs+ method instructs the switch to use a list of all TACACS+ servers for authorization.
Use the aaa authorization command with the local method keyword to request authorization via the local user database.
Use the aaa authorization command with the group radius method keywords to request authorization via a RADIUS server.
AAA Authorization Example

This configuration example illustrates configuring AAA authorization for users via VTY access for shell commands. To allow users to access the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword, as shown.

Switch(config)# aaa new-model
Switch(config)# aaa authorization commands 0 default if-authenticated group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# authorization commands 0 default

Method order matters. Methods are consulted in sequence and the next one is used only when the previous one could not answer, and if-authenticated answers (permit) for every authenticated user, so the TACACS+ server in this list is never asked. If the server is meant to enforce a command policy, list group tacacs+ first and keep if-authenticated as the fallback for when the server is unreachable, accepting that this fallback fails open.
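The method-list rule behind the authentication example (group tacacs+ enable) and the authorization example above (if-authenticated group tacacs+), worked through as an added example (not Cisco code and not from the original slides). It models each method's three possible answers and walks the lists the way IOS does; user names, passwords, the permitted command set and server reachability are constructed for the example.

```python
"""AAA method-list evaluation: an added example, not Cisco code.

Models the rule Cisco IOS applies when it walks a method list: a method that
answers PASS or FAIL ends the evaluation, and only ERROR (the method could not
answer, e.g. no TACACS+ server replied) hands over to the next method.  The
same rule explains both configurations from the page:

    aaa authentication login default group tacacs+ enable
    aaa authorization commands 0 default if-authenticated group tacacs+

User names, passwords, the command set and server reachability are constructed.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"        # no answer; the next method in the list is tried


def evaluate(methods, *args):
    """Walk a method list in order; return (result, name of the deciding method)."""
    for name, method in methods:
        result = method(*args)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None   # every method errored: access is denied


class TacacsGroup:
    """'group tacacs+': answers only while a server in the group is reachable."""

    def __init__(self, users, allowed_commands, reachable=True):
        self.users, self.allowed, self.reachable = users, allowed_commands, reachable

    def login(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL

    def command(self, user, command):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if command in self.allowed.get(user, ()) else Result.FAIL


def enable_method(enable_secret):
    """'enable' method: any user name, the enable secret as the password."""
    def login(user, password):
        return Result.PASS if password == enable_secret else Result.FAIL
    return login


def if_authenticated(user_is_authenticated):
    """'if-authenticated' method: permits every request from an authenticated session."""
    def command(user, command):
        return Result.PASS if user_is_authenticated else Result.FAIL
    return command


def login_scenarios():
    users = {"alice": "correct-horse"}
    server_up = TacacsGroup(users, {}, reachable=True)
    server_down = TacacsGroup(users, {}, reachable=False)
    enable = enable_method("enable-secret")
    up = [("tacacs+", server_up.login), ("enable", enable)]
    down = [("tacacs+", server_down.login), ("enable", enable)]
    return {
        "good_password_server_up": evaluate(up, "alice", "correct-horse"),
        # the server answered FAIL, so 'enable' is never consulted: no silent bypass
        "enable_secret_server_up": evaluate(up, "alice", "enable-secret"),
        # the server is unreachable (ERROR), so the enable secret gets you in: no lockout
        "enable_secret_server_down": evaluate(down, "alice", "enable-secret"),
        "bad_password_server_down": evaluate(down, "alice", "wrong"),
    }


def authorization_scenarios():
    policy = {"alice": {"show running-config"}}
    tacacs = TacacsGroup({}, policy, reachable=True)
    tacacs_down = TacacsGroup({}, policy, reachable=False)
    as_on_page = [("if-authenticated", if_authenticated(True)), ("tacacs+", tacacs.command)]
    server_first = [("tacacs+", tacacs.command), ("if-authenticated", if_authenticated(True))]
    server_first_down = [("tacacs+", tacacs_down.command), ("if-authenticated", if_authenticated(True))]
    return {
        # if-authenticated answers PASS first, so TACACS+ never sees the request
        "page_order_reload": evaluate(as_on_page, "alice", "reload"),
        # with the server first, its command policy is enforced
        "server_first_reload": evaluate(server_first, "alice", "reload"),
        "server_first_show_run": evaluate(server_first, "alice", "show running-config"),
        # if-authenticated is then only a fallback for an unreachable server (fail-open)
        "server_down_fallback_reload": evaluate(server_first_down, "alice", "reload"),
    }


if __name__ == "__main__":
    for name, (result, by) in {**login_scenarios(), **authorization_scenarios()}.items():
        print(f"{name:30s} {result.value:5s} decided by {by}")
```

The two tables it prints are the ones to keep in mind when writing a method list: the trailing method is a reachability fallback, never a second chance after a rejection, and a method that always answers (if-authenticated, none, enable) silences everything listed after it.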
AAA Accounting Types Supported

Network accounting: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
Connection accounting: Provides information about all outbound connections made from the network, such as Telnet and rlogin.
EXEC accounting: Provides information about user EXEC terminal sessions: username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number from which the call originated.
System accounting: Provides information about all system-level events (for example, when the system reboots and when accounting is turned on or off).
Command accounting: Provides information about the EXEC shell commands for a specified privilege level executed on a network access server.
Resource accounting: Provides start and stop records for calls that have passed user authentication.

For switch administration, EXEC and command accounting are the two that matter: together they record who logged in and every command they ran.
AAA Accounting Configuration

Use the command:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]

Apply the accounting method to an interface or lines using the command:
accounting {arap | commands level | connection | exec} {default | list-name}

start-stop sends a record when a session or command begins and another when it ends; stop-only sends just the final record. Use start-stop where you want to see sessions that were opened but never cleanly closed.
AAA Accounting Example

This configuration example illustrates configuring AAA accounting for users via VTY access: a start record and a stop record for every EXEC session are sent to the TACACS+ server.

Switch(config)# aaa new-model
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default

To also record the commands entered, add aaa accounting commands 15 default start-stop group tacacs+ (and the same for any other privilege level in use).
Security Using IEEE 802.1X Port-Based Authentication
802.1X Roles

Client (or supplicant): The device that requests access to LAN and switch services and then responds to requests from the switch. The workstation must be running 802.1X-compliant client software.

Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. The RADIUS security system with EAP extensions is the only supported authentication server.

Switch (or authenticator): Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client.
802.1X Port Authorization State

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The force-authorized keyword disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This is the default setting. This configuration mode supports any non-dot1x-enabled client.

The force-unauthorized keyword causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. This configuration mode can be enabled to prevent connections from any users on unauthorized ports.

The auto keyword enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, enabling only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by using the client MAC address. This configuration mode is used on ports that connect to 802.1X-capable clients.

Because force-authorized is the default, enabling 802.1X globally (dot1x system-auth-control) changes nothing on a port until that port is set to auto.
Configuring IEEE 802.1X

Step 1. Enable AAA:
Switch(config)# aaa new-model

Step 2. Create an 802.1X port-based authentication method list:
Switch(config)# aaa authentication dot1x {default} method1 [method2...]

Step 3. Globally enable 802.1X port-based authentication:
Switch(config)# dot1x system-auth-control

Step 4. Enter interface configuration mode and specify the interface to be enabled for 802.1X port-based authentication:
Switch(config)# interface type slot/port

Step 5. Enable 802.1X port-based authentication on the interface:
Switch(config-if)# dot1x port-control auto

Because RADIUS is the only supported authentication server, the method list in Step 2 is normally aaa authentication dot1x default group radius, and a RADIUS server with its shared key (radius-server host address key secret) must be defined before any client can authenticate. Newer IOS releases accept authentication port-control auto as the interface command in Step 5.
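The three port-control states, worked through as an added example (not Cisco code and not from the original slides): a port model that gates frames the way dot1x port-control does, with only EAPOL crossing an auto port until the server returns success for that client, and that resets on a link flap. Authorization is tracked per client MAC (the multi-auth behaviour, a modelling choice here); the RADIUS exchange is reduced to its outcome, and the MACs and EtherTypes are constructed.

```python
"""802.1X port-control model: an added example, not Cisco code.

Reproduces how 'dot1x port-control {auto | force-authorized | force-unauthorized}'
gates a port: with auto only EAPOL frames (EtherType 0x888E) cross the port until
the authentication server answers EAP-Success for that client; force-authorized
forwards everything without an exchange; force-unauthorized forwards nothing.
Authorization is tracked per client MAC (multi-auth behaviour); the RADIUS
exchange itself is reduced to its outcome.  MACs and EtherTypes are constructed.
"""
EAPOL = 0x888E
IPV4 = 0x0800


class Dot1xPort:
    def __init__(self, port_control="force-authorized"):   # IOS default is force-authorized
        if port_control not in ("auto", "force-authorized", "force-unauthorized"):
            raise ValueError(port_control)
        self.port_control = port_control
        self.link_up = False
        self.authorized = set()          # client MACs the server accepted

    def link(self, up: bool):
        self.link_up = up
        if not up:
            self.authorized.clear()      # a link flap returns the port to unauthorized

    def eap_result(self, mac: str, success: bool):
        """Outcome relayed from the authentication server for one supplicant."""
        if self.port_control != "auto":
            return                       # no exchange takes place in the forced modes
        if success:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)

    def forwards(self, mac: str, ethertype: int) -> bool:
        """Would a frame from this client with this EtherType be forwarded?"""
        if not self.link_up:
            return False
        if self.port_control == "force-authorized":
            return True
        if self.port_control == "force-unauthorized":
            return False
        if ethertype == EAPOL:
            return True                  # EAPOL is always allowed so authentication can run
        return mac in self.authorized


def scenario():
    client, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    out = {}
    auto = Dot1xPort("auto")
    auto.link(True)                                   # authenticator initiation on link up
    out["auto_ip_before_auth"] = auto.forwards(client, IPV4)
    out["auto_eapol_before_auth"] = auto.forwards(client, EAPOL)
    auto.eap_result(client, success=True)
    out["auto_ip_after_success"] = auto.forwards(client, IPV4)
    out["auto_other_mac_after_success"] = auto.forwards(other, IPV4)   # per-client authorization
    auto.eap_result(client, success=False)            # e.g. a re-authentication is rejected
    out["auto_ip_after_failure"] = auto.forwards(client, IPV4)
    auto.eap_result(client, success=True)
    auto.link(False)
    auto.link(True)
    out["auto_ip_after_link_flap"] = auto.forwards(client, IPV4)

    forced_on = Dot1xPort("force-authorized")
    forced_on.link(True)
    out["force_authorized_ip"] = forced_on.forwards(client, IPV4)
    forced_off = Dot1xPort("force-unauthorized")
    forced_off.link(True)
    forced_off.eap_result(client, success=True)       # ignored: the switch never authorizes
    out["force_unauthorized_eapol"] = forced_off.forwards(client, EAPOL)
    return out


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:32s} {'forward' if ok else 'drop'}")
```

The auto_other_mac_after_success case is the one to watch in a real deployment: in the older single-host mode the whole port is opened for the first authenticated client, so a hub or unmanaged switch behind the port lets unauthenticated devices ride along. Prefer the per-client modes (multi-auth) where the platform offers them.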
Switch Security Considerations
Organizational Security Policies

A security policy:
Provides a process for auditing existing network security.
Provides a general security framework for implementing network security.
Defines disallowed behaviors toward electronic data.
Determines which tools and procedures are needed for the organization.
Communicates consensus among a group of key decision makers and defines responsibilities of users and administrators.
Defines a process for handling network security incidents.
Enables an enterprise-wide, all-site security implementation and enforcement plan.
Securing Switch Devices and Protocols

Configure strong system passwords.
Restrict management access using ACLs.
Secure physical access to the console.
Secure access to vty lines.
Configure system warning banners.
Disable unneeded or unused services.
Trim and minimize the use of CDP/LLDP.
Disable the integrated HTTP daemon (where appropriate).
Configure basic system logging (syslog).
Secure SNMP.
Limit trunking connections and propagated VLANs.
Secure the spanning-tree topology.
Configuring Strong System Passwords

Use the enable secret command instead of the enable password command. enable password stores the privileged password in clear text or with the reversible type 7 encoding, so anyone who can read the configuration can recover it.

Because the enable secret command simply implements an MD5 hash on the configured password (type 5), that password remains vulnerable to dictionary and brute-force attacks once the hash is obtained. Therefore, standard practice in selecting a feasible password applies. Try to pick passwords that are long and contain letters, numbers, and special characters. The slide's example, $pecia1$ (the word specials with each s replaced by $ and the letter l replaced by the numeral 1), illustrates the technique but is weak by today's standards: password-cracking tools apply exactly these substitutions to dictionary words. Prefer a long random passphrase, and on IOS releases that support it use the scrypt-based type 9 hash (enable algorithm-type scrypt secret password) rather than MD5.
Restricting Management Access Using ACLs

Subnet 10.1.2.0/24 is used for accessing all network devices for management purposes. This subnet does not carry user traffic; only the system administrators in the 10.1.3.0/24 subnet should be able to reach it.

interface Vlan1
 description User LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan601
 description Management VLAN
 ip address 10.1.2.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan<n> (the IT LAN SVI name is not shown on the slide)
 description IT LAN
 ip address 10.1.3.1 255.255.255.0
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny ip any any log

Check the direction before copying this. ip access-group 100 in on Vlan601 evaluates packets arriving from hosts on the management VLAN (sources 10.1.2.x), not packets being routed toward it, so as written the ACL never matches the user or IT traffic it is meant to filter. To restrict who can reach 10.1.2.0/24, apply the ACL outbound on Vlan601 (ip access-group 100 out) or inbound on the user-facing SVIs. The log keyword on the deny makes every rejected attempt a syslog event, which is what you want on a management boundary. An interface ACL also does not cover the switch's own management services; protect those separately with the vty access-class, the HTTP access-class, and the SNMP ACL described below.
Securing Physical Access to the Console

Physical security of switches or routers is often overlooked but is a valuable security precaution. Console access requires a minimum level of security both physically and logically.

Anyone who reaches the console has the ability to recover or reset the passwords or to reload the system, thereby enabling that individual to bypass all other security measures configured on the device.

It is imperative to physically secure access to the console by using security personnel, closed-circuit television, card-key entry systems, locking cabinets, access logging, or other means to control physical access as standard practice. Where the risk warrants it, no service password-recovery stops the console password-recovery procedure from retaining the configuration; the trade-off is that a forgotten password can then only be fixed by wiping the device.
Securing Access to vty Lines

Apply ACLs on all vty lines to limit in-band access only to management stations from specific subnets (access-class acl in under line vty).
Configure strong passwords for all configured vty lines, or better, authenticate vty sessions against AAA with named user accounts.
Use Secure Shell (SSH) instead of Telnet to access the device securely (transport input ssh).
Apply the same settings to every vty line (for example line vty 0 15): sessions are assigned to the first free line, so a lax line 5 to 15 is still reachable once the first five are busy, and an attacker can make them busy.
Configuring System Warning Banners

For both legal and administrative purposes, configuring a system warning banner to display prior to login is a convenient and effective way of reinforcing security and general usage policies.

Clearly stating the ownership, usage, access, and protection policies prior to a login aids in stronger prosecution if unauthorized access occurs. Use the global configuration command banner motd (or banner login, which is shown before the username prompt) to configure banner messages. Keep the banner free of anything that helps an intruder, such as the device's role, location, or the word "welcome".
Disabling Unneeded or Unused Services

TCP Small Servers (Echo, Chargen, Discard, Daytime): no service tcp-small-servers
UDP Small Servers (Echo, Discard, Chargen): no service udp-small-servers
Auto config: no service config
Packet Assembler and Disassembler (PAD): no service pad
BOOTP server: no ip bootp server
Identification service: no ip identd
Source routing: no ip source-route
IP Proxy-ARP: no ip proxy-arp (per interface)
ICMP unreachables: no ip unreachables (per interface)
ICMP redirects: no ip redirects (per interface)
Directed broadcast forwarding: no ip directed-broadcast (per interface)
Maintenance Operation Protocol (MOP): no mop enabled (per interface)

Several of these are already off by default on current IOS releases; confirm with show running-config all, which prints default settings too, rather than assuming.
Trimming and Minimizing Use of CDP/LLDP

Disable CDP/LLDP on a per-interface basis. Run CDP/LLDP only for administrative purposes, such as on inter-switch connections and on interfaces where IP phones reside.

Confine CDP/LLDP deployment to run between devices under your control. Because CDP/LLDP is a link-level (Layer 2) protocol, it does not propagate end-to-end over a MAN or WAN unless a Layer 2 tunneling mechanism is in place. As a result, for MAN and WAN connections, CDP tables might include the service provider's next-hop router or switch and not the far-end router under your control.

Do not run CDP/LLDP to any unsecured connection, such as Internet connections or ports in a guest or user VLAN.
Disabling Integrated HTTP Daemon

Use the no ip http server command in Cisco IOS to disable HTTP server access on a switch.

If web access is needed, it is recommended to change the default TCP port number (80) using the ip http port port-no command; this only hides the service from casual scans and is no substitute for the other controls. Secure HTTP is recommended over HTTP access. Secure HTTP can be enabled via the ip http secure-server command, and should be combined with ip http access-class and an authentication method as shown under HTTP Secure Server.

svs-san-msfc# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
svs-san-msfc(config)# no ip http server
svs-san-msfc(config)# end
Configuring Basic System Logging

To assist and simplify both problem troubleshooting and security investigations, monitor switch subsystem activity by sending log messages to a central syslog server (logging host address) as well as keeping them on the device.

To render the on-system logging useful, increase the default buffer size (logging buffered size); generally, the default buffer size is not adequate for logging most events. Timestamp the messages (service timestamps log datetime msec) and synchronize the clock with NTP, otherwise the log cannot be correlated with other systems during an investigation.
Securing SNMP

Whenever possible, avoid using SNMP read-write features. SNMPv2c authentication consists of simple text strings (community strings) that are communicated between devices in clear, unencrypted text, so a read-write community captured on the wire is full control of the device. In most cases, a read-only community string is sufficient.

To use SNMP in a secure manner, use SNMPv3 with authentication and encryption (the authPriv security level) and use an ACL to limit SNMP to the management stations only (for example snmp-server community string RO acl for any remaining v2c access). Remove the default community strings public and private wherever they appear.
Limiting Trunking Connections and Propagated VLANs

By default, specific models of Catalyst switches that are running Cisco IOS are configured to automatically negotiate trunking capabilities. This poses a security risk because the negotiation enables the introduction of an unauthorized trunk port into the network. If an unauthorized trunk port is used for traffic interception and to generate DoS attacks, the consequences can be far more serious than if only an access port is used. (A DoS attack on a trunk port might affect multiple VLANs, whereas a DoS attack on an access port affects only a single VLAN.)

To prevent unauthorized trunks, disable automatic negotiation of trunking on host and access ports (switchport mode access together with switchport nonegotiate). In addition, remove unused VLANs from trunks manually (switchport trunk allowed vlan) or by using VTP pruning; an explicit allowed list is the stronger control, because pruning only suppresses flooding of VLANs with no active ports and does not remove the VLAN from the trunk.
Securing the Spanning-Tree Topology

Inadvertent or malicious introduction of STP BPDUs potentially overwhelms a device or creates a DoS. The first step in stabilizing a spanning-tree installation is to positively identify the intended root and designated bridge in the design and to hard-code that bridge's STP bridge priority to an acceptable root value.

Enable the root-guard feature on ports that must never lead to the root (spanning-tree guard root) to prevent unauthorized bridges from becoming the root.

Use the BPDU Guard feature to prevent host devices from maliciously sending BPDUs to a port. Upon receipt of an unauthorized STP BPDU, the feature automatically disables (err-disables) the port until user intervention occurs or a time-out value is reached. Enable it on every PortFast port, either globally (spanning-tree portfast bpduguard default) or per interface (spanning-tree bpduguard enable), and decide deliberately whether to turn on automatic recovery (errdisable recovery cause bpduguard), since recovery lets a persistent attacker keep re-triggering the port.
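The hardening checklist from Securing Switch Devices and Protocols through Securing the Spanning-Tree Topology, turned into an audit as an added example (not Cisco tooling and not from the original slides). It parses a show running-config text and reports the items the sections above call for, first against a constructed configuration that carries common defaults and then against the same switch after the fixes. Both configurations, the interface names and the addresses in them are constructed for the example.

```python
"""Running-config hardening audit: an added example, not Cisco tooling.

Splits a 'show running-config' text into top-level commands and interface/line
blocks and flags what the preceding sections ask for: enable secret rather than
enable password, no small servers or clear-text HTTP, SSH v2 on access-class
protected vty lines, a banner, syslog plus a usable log buffer, no read-write
or default SNMP communities, access ports with DTP and CDP off and BPDU Guard
on, trunks with an explicit VLAN list.  Both configs below are constructed.
"""
import re

WEAK_CONFIG = """\
enable password 7 094F471A1A0A
service tcp-small-servers
ip http server
ip ssh version 2
snmp-server community private RW
logging buffered 4096
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
enable secret 9 $9$examplehashexample
no ip http server
ip http secure-server
ip ssh version 2
banner login ^Authorized access only. Activity is monitored.^
logging buffered 128000
logging host 10.1.2.50
snmp-server community n0tPublicAnym0re RO 20
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 no cdp enable
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
line vty 0 4
 access-class 10 in
 transport input ssh
"""

GLOBAL_CHECKS = [  # (regex matched at the start of a top-level command, should it be present?, finding)
    (r"enable secret ", True, "no 'enable secret' (privileged password is not hashed)"),
    (r"enable password ", False, "'enable password' present (type 7 is reversible); remove it"),
    (r"service (tcp|udp)-small-servers", False, "small servers (echo/chargen/discard/daytime) enabled"),
    (r"ip http server$", False, "clear-text HTTP server enabled; use 'no ip http server'"),
    (r"ip ssh version 2$", True, "SSH not restricted to version 2"),
    (r"banner (login|motd) ", True, "no login/motd banner"),
    (r"logging host ", True, "no syslog host configured"),
    (r"logging buffered (6[4-9]\d{3}|[7-9]\d{4}|\d{6,})", True, "logging buffer below 64000 bytes or default"),
]


def parse_config(text):
    """Top-level commands plus {block header: [sub-commands]} for interface/line blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current, blocks[line] = line, []
        else:
            current, top = None, top + [line]
    return top, blocks


def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    has = lambda pattern: any(re.match(pattern, cmd) for cmd in top)
    findings = ["global: " + msg for pattern, want, msg in GLOBAL_CHECKS if has(pattern) != want]
    for cmd in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", cmd, re.I)
        if m and m.group(2).upper() == "RW":
            findings.append(f"global: read-write SNMP community '{m.group(1)}'")
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"global: default SNMP community '{m.group(1)}'")
    cdp_on = not has(r"no cdp run$")                        # CDP runs unless disabled globally
    bpduguard_default = has(r"spanning-tree portfast bpduguard default$")
    for name, cmds in blocks.items():
        if "switchport mode access" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: DTP still negotiates; add 'switchport nonegotiate'")
            if cdp_on and "no cdp enable" not in cmds:
                findings.append(f"{name}: CDP advertised on an access port")
            if not bpduguard_default and "spanning-tree bpduguard enable" not in cmds:
                findings.append(f"{name}: BPDU Guard not active")
        elif "switchport mode trunk" in cmds:
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append(f"{name}: trunk carries every VLAN; set 'switchport trunk allowed vlan'")
        elif name.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no access-class; any source may connect")
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: Telnet not excluded; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)" + "".join(f"\n  - {f}" for f in found))
```

Run it against show running-config all rather than show running-config when checking defaults such as CDP, since IOS omits default settings from the ordinary output; the checks here treat an absent command as the default, which is the conservative reading.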
Mitigating Issues Sourced from a Switch

Physical device access: Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.

Access port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of unused switch ports in addition to those that are in use:
Enter the shutdown command on all unused ports and interfaces.
Place all unused ports in a parking-lot VLAN used specifically to group unused ports until they are proactively placed into service (and make sure that VLAN is not carried on any trunk).
Configure all unused ports as access ports, disallowing automatic trunk negotiation.
Troubleshooting Performance and Connectivity
Techniques to Enhance Performance

Critical performance-management issues are:
User/application performance: For most users, response time is the critical performance success factor. This variable might shape the perception of network success by both your users and application administrators.
Capacity planning: The process of determining future network resource requirements to prevent a performance or availability impact on business-critical applications.
Proactive fault management: Involves both responding to faults as they occur and implementing solutions that prevent faults from affecting performance.
Monitoring Performance with SPAN and VSPAN

The switch copies all traffic transmitted to and from Port 3/1 (the source port) to Port 3/5 (the destination port). A workstation running a packet-capturing application on Port 3/5 thus receives all network traffic received and transmitted on Port 3/1.

A SPAN destination carries a full copy of everything on the source, credentials included, so treat the capture host and the port as sensitive: record who configured each session and why, remove the session when the investigation is over, and remember that a destination port does not forward ingress traffic by default, so a host plugged into it by mistake loses connectivity.
VSPAN Guidelines

VSPAN sessions with both ingress and egress options configured forward duplicate packets from the source port only if the packets get switched in the same VLAN. One copy of the packet is from the ingress traffic on the ingress port, and the other copy of the packet is from the egress traffic on the egress port.

VSPAN monitors only traffic that leaves or enters Layer 2 ports in the VLAN:
Routed traffic that enters a monitored VLAN is not captured if the SPAN session is configured with that VLAN as an ingress source, because the traffic never appears as ingress traffic entering a Layer 2 port in the VLAN.
Traffic that is routed out of a monitored VLAN, which is configured as an egress source in a SPAN session, is not captured, because the traffic never appears as egress traffic leaving a Layer 2 port in that VLAN.
Configuring Local SPAN

The example shows the configuration and verification of a local SPAN session on a Cisco IOS-based switch of the Catalyst 4500 family. The source interface is FastEthernet 3/1, and the destination interface is FastEthernet 3/5.

4506(config)# monitor session 1 source interface FastEthernet 3/1
4506(config)# monitor session 1 destination interface FastEthernet 3/5
4506(config)# end
4506# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa3/1
Destination Ports : Fa3/5
    Encapsulation : Native
          Ingress : Disabled
VSPAN Scenario

The administrator needs to troubleshoot the traffic flow between a client in VLAN 10 and a server in VLAN 20. The administrator configures a VSPAN session on the Catalyst switch with rx-only traffic for VLAN 10 and tx-only traffic for VLAN 20 and destination port interface FastEthernet 3/4.

cat4k(config)# monitor session 1 source vlan 10 rx
cat4k(config)# monitor session 1 source vlan 20 tx
cat4k(config)# monitor session 1 destination interface FastEthernet 3/4
cat4k# show monitor session 1
Session 1
---------
Type              : Local Session
Source VLANs      :
    RX Only       : 10
    TX Only       : 20
Destination Ports : Fa3/4
    Encapsulation : Native
          Ingress : Disabled

Choosing rx on VLAN 10 and tx on VLAN 20 captures each client-to-server packet once (as it enters a port in VLAN 10) and each server-to-client packet once (as it leaves a port in VLAN 20), which avoids the duplicates that a both-direction VSPAN on a single VLAN produces.
Using SPAN to Monitor the CPU Interface
To configure a SPAN session to monitor the CPU traffic on Catalyst 4500 switches, use the keyword cpu in the monitor session source command. The session copies the frames that are punted to the supervisor CPU (control-plane traffic such as STP, CDP, DTP, ARP, and DHCP), which is where Layer 2 attacks aimed at the switch itself become visible.
4506(config)# monitor session 1 source cpu ?
  both   Monitor received and transmitted traffic
  queue  SPAN source CPU queue
  rx     Monitor received traffic only
  tx     Monitor transmitted traffic only
4506(config)# monitor session 1 source cpu both
4506(config)# monitor session 1 destination interface FastEthernet 3/21
4506(config)# end
4506# show monitor session 1
Session 1
---------
Type              : -
Source Ports      :
    Both          : CPU
Destination Ports : Fa3/21
    Encapsulation : Native
          Ingress : Disabled
Monitoring Performance with RSPAN
Remote SPAN (RSPAN) is similar to SPAN, but it supports source ports, source VLANs, and destination ports on different switches, so one analyzer can monitor traffic from several switches across the network.
RSPAN Guidelines
Configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, VTP can propagate the configuration of VLANs numbered lower than 1024 as RSPAN VLANs. Manually configure VLANs numbered higher than 1024 as RSPAN VLANs on all source, intermediate, and destination network devices.
Switches impose no limit on the number of RSPAN VLANs.
Configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs, and use the same RSPAN VLAN on every device that participates in a given RSPAN session.
An RSPAN VLAN carries a copy of everything the session monitors, flooded to every trunk that allows the VLAN, and MAC learning is disabled in it. Treat it as sensitive: assign no access ports to it, and prune it from trunks between switches that are not on the path from source to destination.
Configuring RSPAN (1)
Step 1. Configure the RSPAN VLAN in the VTP server. This VLAN is then dedicated for RSPAN. If VTP transparent mode is used, configure the RSPAN VLAN on every switch in the domain consistently.
Step 2. Configure the RSPAN session in the source and destination switches, and ensure that the intermediate switches carry the RSPAN VLAN across the respective VLAN trunks.
RSPAN Configuration Example (2)
In the example, 2950-1 is the source switch and 2950-2 the destination switch; the two are connected through trunk port FastEthernet 0/2 on each switch, and VLAN 100 is the RSPAN VLAN.
2950-1(config)# vlan 100
2950-1(config-vlan)# remote-span
2950-1(config-vlan)# exit
2950-1(config)# monitor session 1 source interface FastEthernet 0/1
2950-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2950-1(config)# interface FastEthernet 0/2
2950-1(config-if)# switchport mode trunk
2950-1(config-if)# end
2950-2(config)# monitor session 2 source remote vlan 100
2950-2(config)# monitor session 2 destination interface FastEthernet [port number not legible in the source]
2950-2(config)# interface FastEthernet 0/2
2950-2(config-if)# switchport mode trunk
The remote-span keyword is what makes VLAN 100 an RSPAN VLAN; the session commands are rejected without it. The Catalyst 2950 additionally needs a dedicated reflector port (FastEthernet 0/24 here, which appears in the verification output), and VLAN 100 must exist with remote-span on 2950-2 as well, either propagated by VTP (Step 1) or configured manually.
RSPAN Configuration Example (3)
2950-1# show monitor
Session 1
---------
Type            : Remote Source Session
Source Ports    :
    Both        : Fa0/1
Reflector Port  : Fa0/24
Dest RSPAN VLAN : 100
2950-1# show interfaces trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/2     on      802.1q         trunking  1
Port      Vlans allowed on trunk
Fa0/2     1-4094
Port      Vlans allowed and active in management domain
Fa0/2     1-30,100
Port      Vlans in spanning tree forwarding state and not pruned
Fa0/2     1-30,100
RSPAN Configuration Example (4)
2950-2# show interfaces trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/2     on      802.1q         trunking  1
Port      Vlans allowed on trunk
Fa0/2     1-4094
Port      Vlans allowed and active in management domain
Fa0/2     1-30,100
Port      Vlans in spanning tree forwarding state and not pruned
Fa0/2     1-30,100
2950-2# show monitor session 2
Session 2
---------
Type              : Remote Destination Session
Source RSPAN VLAN : 100
Destination Ports : Fa0/[port number not legible in the source]
    Encapsulation : Native
          Ingress : Disabled
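The trunk output above shows VLAN 100 allowed on the whole 1-4094 range, which means every trunk in the domain would carry the copied traffic. The following configuration is an added example, not the page's own, for Catalyst 3560-class IOS switches; it declares the RSPAN VLAN, prunes it to the trunk that actually needs it, and builds both ends of the session. The VLAN name, the allowed-VLAN list 1-30,100, and the analyzer port FastEthernet0/3 are assumptions. On a 2950 the source destination command additionally takes the reflector-port option shown in the page's example.

```cisco
! Added example; assumptions: Fa0/2 is the trunk between the switches,
! Fa0/3 is the analyzer port on the destination switch, and VLANs 1-30
! are the only production VLANs the trunk must carry.

! --- On every switch in the path: source, intermediate, destination ---
! remote-span disables MAC learning in VLAN 100 and floods the copied
! frames to every trunk that allows the VLAN.
vlan 100
 name RSPAN-ONLY
 remote-span
! Carry VLAN 100 only on trunks between the source and destination
! switches; prune it from every other trunk so no other switch receives
! the copies. Never assign an access port to VLAN 100.
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1-30,100

! --- Source switch ---
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination remote vlan 100

! --- Destination switch ---
! Ingress stays disabled (the default): the analyzer can only listen.
monitor session 2 source remote vlan 100
monitor session 2 destination interface FastEthernet0/3
end

! Checks: VLAN 100 is listed as remote-span, both sessions exist with the
! expected types, and VLAN 100 is allowed only on the intended trunk.
show vlan remote-span
show monitor session all
show interfaces trunk
```

The check that matters for confidentiality is the last one: the "Vlans allowed on trunk" line for every trunk that is not between the source and destination switches must not include 100.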
Monitoring Performance with ERSPAN
Enhanced Remote SPAN (ERSPAN) is similar to RSPAN, but it supports source ports, source VLANs, and destination ports on different switches even across a Layer 3 boundary, because the copied frames are carried inside IP packets rather than in a dedicated VLAN.
ERSPAN Guidelines
The payload of a Layer 3 ERSPAN packet is a copied Layer 2 Ethernet frame, excluding any ISL or 802.1Q tags.
ERSPAN adds a 50-byte header to each copied Layer 2 Ethernet frame and replaces the 4-byte cyclic redundancy check (CRC) trailer.
ERSPAN supports jumbo frames that contain Layer 3 packets of up to 9202 bytes. If the length of the copied Layer 2 Ethernet frame is greater than 9170 bytes (a 9152-byte Layer 3 packet plus the 14-byte Ethernet header and 4-byte CRC), ERSPAN truncates the copied Layer 2 Ethernet frame to create a 9202-byte ERSPAN Layer 3 packet.
Two consequences for the path between source and destination: it must carry the extra 50 bytes per frame (jumbo support end to end if the monitored links use jumbo frames), and the copies are ordinary unencrypted IP (GRE) packets that any device on that path can read, so route them over trusted links or inside an encrypted tunnel.
Configuring ERSPAN
Step 1. Configure the source ERSPAN session.
Step 2. Configure the destination ERSPAN session on a different switch.
ERSPAN Configuration Example
Switch1(config)# monitor session 66 type erspan-source
Switch1(config-mon-erspan-src)# source interface gigabitethernet 6/1
Switch1(config-mon-erspan-src)# destination
Switch1(config-mon-erspan-src-dst)# ip address 10.10.10.10
Switch1(config-mon-erspan-src-dst)# origin ip address 20.20.20.200
Switch1(config-mon-erspan-src-dst)# erspan-id 111
Switch1(config-mon-erspan-src-dst)# exit
Switch1(config-mon-erspan-src)# no shutdown
Switch2(config)# monitor session 60 type erspan-destination
Switch2(config-erspan-dst)# destination interface gigabitethernet 8/2
Switch2(config-erspan-dst)# source
Switch2(config-erspan-dst-src)# ip address 10.10.10.10
Switch2(config-erspan-dst-src)# erspan-id 111
Switch2(config-erspan-dst-src)# exit
Switch2(config-erspan-dst)# no shutdown
ERSPAN sessions are created in the shutdown state; the no shutdown commands are what produce the Status : Admin Enabled line in the verification output. The erspan-id (111) must match on both ends, and the destination IP address (10.10.10.10) must be an address that belongs to Switch2.
ERSPAN Verification Example
Switch1# show monitor session 66
Session 66
----------
Type                   : ERSPAN Source Session
Status                 : Admin Enabled
Source Ports           :
    Both               : Gi6/1
Destination IP Address : 10.10.10.10
Origin IP Address      : 20.20.20.200
Switch2# show monitor session 60
Session 60
----------
Type                   : ERSPAN Destination Session
Status                 : Admin Enabled
Source IP Address      : 10.10.10.10
Source ERSPAN ID       : 111
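The page's example leaves the copied traffic reachable by anything that can send GRE to 10.10.10.10. The following is an added configuration, not the page's own, for the two Catalyst 6500s above; it keeps the page's addresses and session numbers and adds the pieces a practitioner would want: a VLAN filter on the source, a short TTL so misrouted copies die quickly, and an ACL on the destination switch that accepts ERSPAN only from the known origin. The VLAN filter, the TTL value, the ACL name, and the Vlan900 interface on Switch2 are assumptions.

```cisco
! Added example; assumptions: Gi6/1 on Switch1 is a trunk of which only
! VLAN 10 is of interest, and Vlan900 is the Layer 3 interface on Switch2
! that faces Switch1.

! --- Switch1: source session ---
monitor session 66 type erspan-source
 source interface GigabitEthernet6/1 both
 ! copy only VLAN 10 from the trunk
 filter vlan 10
 destination
  ! must match the destination session
  erspan-id 111
  ! an address that belongs to Switch2
  ip address 10.10.10.10
  ! source address of the GRE copies
  origin ip address 20.20.20.200
  ! limit how far a misrouted copy can travel
  ip ttl 32
 ! sessions are created shut down
 no shutdown

! --- Switch2: destination session ---
monitor session 60 type erspan-destination
 destination interface GigabitEthernet8/2
 source
  erspan-id 111
  ip address 10.10.10.10
 no shutdown

! The copies arrive as plain GRE (IP protocol 47) from Switch1. Accept
! them only from the configured origin and log any other GRE aimed at
! the ERSPAN destination address; everything else is untouched.
ip access-list extended ERSPAN-INGRESS
 permit gre host 20.20.20.200 host 10.10.10.10
 deny   gre any host 10.10.10.10 log
 permit ip any any
interface Vlan900
 ip access-group ERSPAN-INGRESS in
end

show monitor session 66
show monitor session 60
```

The ACL only authenticates the origin address, which an attacker on the path can spoof; it stops opportunistic injection into the analyzer, not a determined one. If the copies cross a network you do not control, carry them inside an IPsec tunnel between the two switches.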
Capture Option with VACLs Example (1)
A user is troubleshooting a session timeout between two hosts in VLAN 1, 10.1.1.1 and 10.1.1.2, and uses the VACL capture option to copy only their traffic to the capture port GigabitEthernet 3/26, without the noise a SPAN of the whole VLAN would carry.
Capture Option with VACLs Example (2)
cat6k(config)# access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
cat6k(config)# vlan access-map SWITCHvacl
cat6k(config-access-map)# match ip address 101
cat6k(config-access-map)# action forward capture
cat6k(config-access-map)# exit
cat6k(config)# vlan filter SWITCHvacl vlan-list 1
cat6k(config)# interface GigabitEthernet 3/26
cat6k(config-if)# switchport capture allowed vlan 1
cat6k(config-if)# switchport capture
Two caveats before applying this on a production VLAN. First, access list 101 matches only packets from 10.1.1.2 to 10.1.1.1; add a second permit entry for the reverse direction to capture both sides of the session. Second, a VLAN access map has an implicit deny for packets that match no sequence, so with only sequence 10 every other packet in VLAN 1 is dropped; add a catch-all sequence (vlan access-map SWITCHvacl 20, with action forward and no match clause) so the capture does not become an outage.
Capture Option with VACLs Example (3)
cat6k# show vlan access-map
Vlan access-map SWITCHvacl 10
    match: ip address 101
cat6k# show vlan filter
VLAN Map SWITCHvacl:
Troubleshooting Using L2 Traceroute
All switches and interfaces in the network require CDP to be running and functioning properly.
Intermediate switches between the source and destination device in question must support the L2 traceroute feature.
This chapter also recommends disabling CDP where it is not needed. Reconcile the two by disabling CDP per port on user-facing access ports (no cdp enable) rather than globally (no cdp run), so inter-switch links keep the neighbor information that L2 traceroute depends on.
L2 Traceroute Example (1)
A user needs to identify the performance and path on a hop-by-hop basis for a specific server and client exhibiting slow file-transfer performance, so she uses the L2 traceroute feature with the source MAC address of the server, 0000.0000.0007, to the destination MAC address of the client, 0000.0000.0011.
To perform an L2 traceroute, she can choose any switch in the network as long as that switch has both the source and destination MAC addresses in its MAC address table. Here, she performed the L2 traceroute command on the Catalyst 2950G in the figure.
L2 Traceroute Example (2)
2950G# traceroute mac 0000.0000.0007 0000.0000.0011
Source 0000.0000.0007 found on 4503
4503 (14.18.2.132) : Fa3/48 => Fa3/2
6500 (14.18.2.145) : 3/40 => 3/24
2950G (14.18.2.176) : Fa0/24 => Fa0/23
2948G (14.18.2.91) : 2/2 => 2/24
Destination 0000.0000.0011 found on 2948G
Layer 2 trace completed
Enhancing Troubleshooting and Recovery Using Embedded Event Manager (EEM)
Detects network events in real time through event collectors.
A Generic Online Diagnostic (GOLD) test can be tracked as an event.
Enhances troubleshooting and recovery from network faults.
Sample Embedded Event Manager Scenarios
Event (User Configurable) -> Action (User Defined)
A specific interface error crosses a threshold. -> Disable the interface and bring up a backup interface.
Configuration changes are made during production hours. -> Deny the configuration changes and send an email alert.
A GOLD diagnostic test fails. -> Generate a custom syslog message indicating the action to take for Level 1 network operators.
A user logs in to the system. -> Generate a custom login message based on the user ID.
Unauthorized hardware is inserted into the switch. -> Send a page to the administrator.
It is necessary to collect data for ... -> Run a user-defined set of commands to collect ...
Embedded Event Manager Configuration
EEM using applet CLI: Cisco IOS CLI-based configuration that provides a limited set of actions and detection options.
EEM using Tool Command Language (TCL) script: Provides full flexibility in defining the events and the subsequent actions.
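Two of the scenarios from the table, written as EEM applets. This is an added example, not code from the page: it assumes an IOS release with EEM 2.4 or later, FastEthernet0/1 as the primary uplink with FastEthernet0/2 as a shut-down standby, a mail relay at 192.0.2.25, and the addresses noc@example.com and switch@example.com; the threshold of 100 input errors per 60-second poll is likewise an assumption. The "deny the change" half of the second scenario needs a TCL policy, which is why the page points to TCL for full flexibility; the applet below records and reports the change instead.

```cisco
! Added example; assumptions: EEM 2.4+, Fa0/1 primary uplink, Fa0/2 standby
! (administratively down), mail relay 192.0.2.25, example.com addresses.

! Log every configuration command as a syslog message and keep an archive
! log; the second applet uses both to report who changed what.
archive
 log config
  logging enable
  hidekeys
  notify syslog

! Scenario 1: input errors on Fa0/1 grow by more than 100 within one
! 60-second poll. Shut the port, bring up the standby, and say so.
event manager applet UPLINK-ERRORS-FAILOVER
 event interface name FastEthernet0/1 parameter input_errors entry-op gt entry-val 100 entry-type increment poll-interval 60
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface FastEthernet0/1"
 action 1.3 cli command "shutdown"
 action 1.4 cli command "interface FastEthernet0/2"
 action 1.5 cli command "no shutdown"
 action 1.6 cli command "end"
 action 2.0 syslog priority critical msg "EEM: Fa0/1 input errors over threshold, failed over to Fa0/2"

! Scenario 2: the running configuration changed. Capture the archive log
! (who, when, which commands) and send it by syslog and mail.
event manager applet CONFIG-CHANGE-ALERT
 event syslog pattern "%SYS-5-CONFIG_I"
 action 1.0 cli command "enable"
 action 1.1 cli command "show archive log config all"
 action 2.0 syslog priority warnings msg "EEM: $_syslog_msg"
 action 3.0 mail server "192.0.2.25" to "noc@example.com" from "switch@example.com" subject "Config change at $_event_pub_time" body "$_syslog_msg $_cli_result"
end

! Confirm both applets registered and see what triggered them later.
show event manager policy registered
show event manager history events
```

The failover applet runs whatever is in its cli actions with the privilege of the applet, so keep the action list minimal and reviewable. The notify syslog line under archive log config also gives a security operations team the per-command trail (PARSER-5-CFGLOG_LOGGEDCMD messages) independent of EEM.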
Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches
Monitors and analyzes network traffic using remote network monitoring (RMON).
Can monitor individual VLANs.
Can access link, host, protocol, and response-time statistics for capacity planning and real-time protocol monitoring.
Network Analysis Module Source Support
Supports multiple simultaneous sources: Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN source port; NetFlow Data Export (NDE); and VACL with the capture option.
The NDE feature collects individual flow statistics of the traffic switched through the switch. NDE can also export the flow statistics to an external NetFlow FlowCollector application. The NAM is another example of such a flow collector.
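The NDE paragraph describes what is exported but not how to turn it on. The following is an added configuration, not the page's own, for a Catalyst 6500 with a Supervisor 720 exporting NetFlow version 5 records to a collector such as the NAM; the collector address 10.1.1.100, UDP port 9996, Loopback0 as the source interface, and Vlan10 as the interface of interest are assumptions.

```cisco
! Added example; assumptions: Sup720-class Catalyst 6500, collector at
! 10.1.1.100:9996 (NAM or FlowCollector), Loopback0 is the management
! address, Vlan10 carries the traffic to account for.

! Full flow mask so each record carries source, destination, protocol and
! ports; this is what lets a collector single out a scanning or flooding
! host instead of only counting bytes per interface.
mls netflow
mls flow ip interface-full
mls nde sender version 5

! Export parameters. Sourcing from Loopback0 gives the collector exactly
! one address to accept records from; NetFlow v5 is unauthenticated UDP,
! so keep the export path inside the management network.
ip flow-export version 5
ip flow-export source Loopback0
ip flow-export destination 10.1.1.100 9996

! Software-switched (route processor) traffic on the SVI is accounted too.
interface Vlan10
 ip route-cache flow
end

! Checks: exporter state and destination, and the live flow cache.
show mls nde
show ip flow export
show ip cache flow
```

A collector that accepts records from any source is an easy target for fabricated flows; configure it to accept only the Loopback0 address above.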
Chapter 6 Summary (1)
Security is a primary concern in maintaining a secure, stable, and uninterrupted network.
Network security goes far beyond the information in this chapter and includes topics such as intrusion detection, firewalls, virus protection, and operating system patching. Unless you recognize and understand the importance of network security, your network is at risk.
The following list summarizes the aspects and recommended practices for avoiding, limiting, and minimizing network vulnerabilities strictly related to Catalyst switches as a single network entity:
Chapter 6 Summary (2)
Layer 2 attacks vary in nature and include spoofing attacks, VLAN attacks, MAC flood attacks, and switch device attacks, among others.
Use strong passwords, and use SSH exclusively (instead of Telnet) for access to Cisco network devices.
Disable unused services such as CDP and small services where appropriate.
Use AAA for centralized authentication, authorization, and accounting of network devices and remote access.
Use an access control feature such as 802.1X or port security to restrict workstation access to Catalyst switches.
Use DHCP snooping to prevent rogue DHCP servers on the network.
Use IPSG and DAI with DHCP snooping to prevent IP address and ARP spoofing attacks.
Apply management ACLs to limit remote access to Cisco network devices.
Apply data plane security ACLs to filter unwarranted traffic in the network.
Use private VLANs where appropriate to limit communication in specific VLANs.
Use the monitoring and troubleshooting features covered in this chapter, such as SPAN, RSPAN, ERSPAN, VACL capture, L2 Traceroute, EEM, and NAM, to ensure proper network performance.
Chapter 6 Labs
Lab 6-1 Securing Layer 2 Switches
Lab 6-2 Securing Spanning Tree Protocol
Lab 6-3 Securing VLANs with Private VLANs, RACLs, and VACLs
Resources
Catalyst 3560 Command Reference:
www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/3560_cr.html
Configuring Port Security:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1038501
Configuring IEEE 802.1X Port-Based Authentication:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html
Configuring ...