en_SWITCH_v6_Ch06.pdf

Jun 02, 2018

Uploaded by jramongv

Transcript
  • 8/10/2019 en_SWITCH_v6_Ch06.pdf

    Chapter 6: Securing the Campus Infrastructure

    © 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public. SWITCH v6 Chapter 6

    Chapter 6 Objectives

    Identify attacks and threats to switches and methods to mitigate attacks.
    Configure switches to guard against MAC-based attacks.
    Configure tight control of trunk links to mitigate VLAN hopping attacks.
    Configure switches to guard against DHCP, MAC, and Address Resolution Protocol (ARP) threats.
    Secure Layer 2 devices and protocols.
    Develop and implement organizational security policies.
    Describe tools used to monitor and analyze network traffic.

    Switch Security Fundamentals

    Security Infrastructure Services

    (Figure: campus hierarchy with the security service of each layer; only the captions survived extraction.)
    Core: switches packets quickly.
    Distribution: packet filtering.
    Access: [caption truncated] ... level.
    Server farm: provides application services; includes the network management system.

    Unauthorized Access by Rogue Devices

    (Figure: rogue devices attached to the campus network; labels: Access Points, Servers.)

    Layer 2 Attack Categories (1)

    Table columns: Attack Method / Description / Steps to Mitigation

    MAC Layer Attacks

    Attack method: MAC address flooding
    Description: Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space, disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
    Steps to mitigation: Port security. MAC address VLAN access maps.

    VLAN Attacks

    Attack method: VLAN hopping
    Description: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
    Steps to mitigation: Tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN.

    Attack method: Attacks between devices on a common VLAN
    Description: Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
    Steps to mitigation: Implement private VLANs (PVLAN).

    Layer 2 Attack Categories (2)

    Table columns: Attack Method / Description / Steps to Mitigation

    Spoofing Attacks

    Attack method: DHCP starvation and DHCP spoofing
    Description: An attacking device can exhaust the address space available to the DHCP servers for a period of time, or establish itself as a DHCP server in man-in-the-middle attacks.
    Steps to mitigation: Use DHCP snooping.

    Attack method: Spanning-tree compromises
    Description: Attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames.
    Steps to mitigation: Proactively configure the primary and backup root devices. Enable root guard.

    Attack method: MAC spoofing
    Description: Attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
    Steps to mitigation: Use DHCP snooping, port security.

    Attack method: Address Resolution Protocol (ARP) spoofing
    Description: Attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.
    Steps to mitigation: Use Dynamic ARP Inspection (DAI), DHCP snooping, port security.

    Layer 2 Attack Categories (3)

    Table columns: Attack Method / Description / Steps to Mitigation

    Switch Device Attacks

    Attack method: Cisco Discovery Protocol (CDP) manipulation
    Description: Information sent through CDP is transmitted in clear text and unauthenticated, allowing it to be captured and divulge network topology information.
    Steps to mitigation: Disable CDP on all ports where it is not intentionally used.

    Attack method: Secure Shell Protocol (SSH) and Telnet attacks
    Description: Telnet packets can be read in clear text. SSH is an option but has security issues in version 1.
    Steps to mitigation: Use SSH version 2. Use Telnet with vty ACLs. (A vty ACL only limits which source addresses may open a session; it does not protect the credentials that Telnet sends in clear text, so treat it as a fallback where SSH is unavailable.)

    Understanding and Protecting against MAC Layer Attacks

    Understanding MAC Layer Attacks

    Step 1. The switch forwards traffic based on valid MAC address table entries.
    Step 2. Attacker (MAC address C) sends out multiple packets with various source MAC addresses.

    Understanding MAC Layer Attacks

    Step 3. Over a short time period, the CAM table in the switch fills up until it cannot accept new entries. As long as the attack is running, the MAC address table on the switch remains full.
    Step 4. Switch begins to flood all packets that it receives out of every port, so frames between legitimate hosts are also flooded out of Port 3 on the switch, where the attacker can capture them.

    Protecting against MAC Layer Attacks

    To prevent MAC address flooding, port security can be used. Configure port security to define the number of MAC addresses allowed on a given port.
    Port security can also specify which MAC addresses are allowed on a given port.

    Port Security

    Cisco-proprietary feature on Catalyst switches.
    Restricts a switch port to a specific set or number of MAC addresses, which can be learned dynamically or configured statically.
    Sticky learning combines dynamically learned and statically configured addresses. Dynamically learned addresses are converted to sticky secure addresses, as if they were configured using the switchport port-security mac-address sticky interface command.

    Port Security Scenario 1 (Slide 1)

    Imagine five individuals whose laptops are allowed to connect to a specific switch port when they visit an area of the building. The port is to be restricted to the MAC addresses of those five laptops, and no addresses are to be learned dynamically on that port.

    Port Security Scenario 1 (Slide 2)

    Table columns: Step / Action / Notes

    Step 1. Configure port security.
    Notes: Configure port security to allow only five connections on that port. Configure an entry for each of the five allowed MAC addresses. This configuration, in effect, populates the MAC address table with five entries for that port and allows no additional entries to be learned dynamically.

    Step 2. Allowed frames are processed.
    Notes: When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the frame source MAC address matches an entry in the table for that port, the frames are forwarded to the switch to be processed like any other frames on the switch.

    Step 3. New addresses are not allowed to create new MAC address table entries.
    Notes: When frames with a non-allowed MAC address arrive on the port, the switch determines that the address is not in the current MAC address table and does not create a dynamic entry for that new MAC address, because the number of allowed addresses has been limited.

    Step 4. Switch takes action in response to non-allowed frames.
    Notes: The switch disallows access to the port and takes one of these configuration-dependent actions: (a) the entire switch port can be shut down; (b) access can be denied for that MAC address only and a log error can be generated; (c) access can be denied for that MAC address but without generating a log message.

    Port Security Scenario 2 (Slide 1)

    An attacker enables a hacking tool on the attacker's rogue device that floods the switch port with frames from unknown source MAC addresses, causing the MAC address table to fill up. When the MAC address table is full, it turns the switch into a hub and floods all unicast frames.

    Port Security Scenario 2 (Slide 2)

    Port security limits MAC flooding attacks and locks down the port.
    Port security also sets an SNMP trap alerting of any violation (in the restrict and shutdown violation modes; protect mode drops the offending frames without a trap or log message).
    Port security allows the frames from already secured MAC addresses below the maximum number of MAC addresses enabled on that port, and any frame with a new MAC address over the limit is dropped.
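    The two scenarios above, modelled end to end. This is an added example, not code from the Cisco SWITCH course: a minimal learning switch with a deliberately tiny CAM table, an attacker on port 3 flooding random source MACs, and the same run with port security (maximum 1, violation restrict) on the attacker's port. The CAM size, port numbers and MAC addresses are constructed sample values.

```python
"""Model of a switch MAC address (CAM) table under a MAC flooding attack and
of port security containing it. Added illustration, not Cisco course code;
the CAM size, port numbers and MAC addresses are constructed sample values."""
import random

FLOOD = "FLOOD"   # sentinel: frame was flooded out of every port (hub behaviour)


class Switch:
    """Minimal learning switch: learns source MACs per port, forwards known
    destinations to one port and floods unknown ones. A port can be placed
    under port security with a maximum number of secure MAC addresses."""

    def __init__(self, cam_size):
        self.cam_size = cam_size   # deliberately tiny CAM so the flood is fast
        self.cam = {}              # mac -> port
        self.port_security = {}    # port -> {"max": n, "mode": m, "secure": set()}
        self.violations = {}       # port -> violation count (restrict/shutdown only)
        self.errdisabled = set()

    def enable_port_security(self, port, maximum=1, mode="restrict"):
        self.port_security[port] = {"max": maximum, "mode": mode, "secure": set()}

    def age_out(self):
        """Aging timer expiry: dynamic CAM entries are removed. Secure
        addresses held by port security are kept (they do not age by default)."""
        self.cam.clear()

    def _check_port_security(self, port, src):
        """Return True if the frame may be processed, False if it is a violation."""
        ps = self.port_security.get(port)
        if ps is None or src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["max"]:
            ps["secure"].add(src)          # dynamically learned secure address
            return True
        if ps["mode"] in ("restrict", "shutdown"):
            self.violations[port] = self.violations.get(port, 0) + 1   # logged / SNMP trap
        if ps["mode"] == "shutdown":
            self.errdisabled.add(port)     # port goes err-disabled
        return False                       # protect mode: silently dropped

    def receive(self, port, src, dst):
        """Forward one frame. Returns the egress port list, FLOOD, or [] if dropped."""
        if port in self.errdisabled or not self._check_port_security(port, src):
            return []
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = port           # a full table simply cannot learn
        if dst in self.cam and self.cam[dst] != port:
            return [self.cam[dst]]
        return FLOOD


def mac_flood(switch, port, count, seed=1):
    """Attacker on `port` sends `count` frames, each with a random source MAC."""
    rng = random.Random(seed)
    for _ in range(count):
        src = "%02x%02x.%02x%02x.%02x%02x" % tuple(rng.randrange(256) for _ in range(6))
        switch.receive(port, src, "ffff.ffff.ffff")


HOST_A, HOST_B = "0000.0000.000a", "0000.0000.000b"   # ports 1 and 2; attacker on port 3


def demo(with_port_security):
    """Steps 1-4 from the slides, optionally with port security on the attacker's port."""
    sw = Switch(cam_size=64)
    if with_port_security:
        sw.enable_port_security(3, maximum=1, mode="restrict")
    sw.receive(1, HOST_A, HOST_B)           # switch learns A and B normally
    sw.receive(2, HOST_B, HOST_A)
    sw.age_out()                            # later the dynamic entries expire ...
    mac_flood(sw, port=3, count=1000)       # ... while the attacker keeps flooding
    sw.receive(2, HOST_B, HOST_A)           # B tries to be re-learned
    return {
        "a_to_b": sw.receive(1, HOST_A, HOST_B),   # unicast to [2], or FLOOD to every port?
        "cam_entries": len(sw.cam),
        "violations": sw.violations.get(3, 0),
    }


if __name__ == "__main__":
    print("no port security :", demo(False))
    print("port security on :", demo(True))
```

    Without port security the bogus entries occupy the whole table after aging, Host B cannot be re-learned, and Host A's unicast to B is flooded out of every port including the attacker's. With maximum 1 on port 3, the first bogus address becomes the port's secure address, the remaining 999 frames are counted as violations and dropped, and A to B stays unicast.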

    Configuring Port Security

    Step 1. Enable port security:
    Switch(config-if)# switchport port-security

    Step 2. Set a maximum number of MAC addresses that will be allowed on this port. The default is one:
    Switch(config-if)# switchport port-security maximum value

    Step 3. Specify which MAC addresses will be allowed on this port:
    Switch(config-if)# switchport port-security mac-address mac-address

    Step 4. Define what action an interface will take if a non-allowed MAC address attempts access:
    Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

    Port Security Example

    4503(config)# interface FastEthernet 3/47
    4503(config-if)# switchport
    4503(config-if)# switchport mode access
    4503(config-if)# switchport port-security
    4503(config-if)# switchport port-security mac-address 0000.0000.0008
    4503(config-if)# switchport port-security maximum 1
    4503(config-if)# switchport port-security aging time <minutes>   (the value is not legible in the source)
    4503(config-if)# switchport port-security aging static
    4503(config-if)# switchport port-security violation restrict
    4503(config)# interface FastEthernet 2/2
    4503(config-if)# switchport
    4503(config-if)# switchport mode access
    4503(config-if)# switchport port-security
    4503(config-if)# switchport port-security mac-address 0000.0000.1118
    4503(config-if)# switchport port-security maximum 1
    4503(config-if)# switchport port-security aging time <minutes>   (the value is not legible in the source)
    4503(config-if)# switchport port-security aging static
    4503(config-if)# switchport port-security violation shutdown

    Verifying Port Security (1)

    The show port-security command can be used to verify the ports on which port security has been enabled. It also displays the address counts, the violation count and the security action taken per interface.

    switch# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)        (Count)      (Count)
    ---------------------------------------------------------------------------
          Fa0/1              2            1                  0         Restrict
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 6144

    Verifying Port Security (2)

    switch# show port-security interface fastethernet0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 60 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Enabled
    Maximum MAC Addresses      : 2
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 001b.d513.2ad2:5
    Security Violation Count   : 0

    switch# show port-security address
              Secure Mac Address Table
    -------------------------------------------------------------------
    Vlan    Mac Address       Type             Ports   Remaining Age
                                                       (mins)
    ----    -----------       ----             -----   -------------
       2    001b.d513.2ad2    SecureDynamic    Fa0/1   60 (I)
    -------------------------------------------------------------------
    Max Addresses limit in System (excluding one mac per port) : 6144
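    The two show commands above are what an operator checks by hand; at scale the same checks are scripted. The following is an added example, not part of the course: it parses the table that show port-security prints and flags the conditions worth a look (violations recorded, ports in protect mode that drop silently, ports that are already at their address limit, shutdown-mode ports that have probably gone err-disabled). The sample output is constructed to mirror the slide's Fa0/1 row plus two additional ports.

```python
"""Audit helper for 'show port-security' output. Added example, not Cisco
course material; the sample output below is constructed (Fa0/1 mirrors the
slide, Fa0/2 and Fa0/3 are invented)."""
import re

SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Restrict
      Fa0/2              1            1                  0          Protect
      Fa0/3              1            1                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# one data row: port, max, current, violations, action
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Restrict|Protect|Shutdown)\s*$")


def parse_port_security(text):
    """Return {port: {"max": n, "current": n, "violations": n, "action": mode}}.
    Header, separator and summary lines do not match ROW and are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            ports[port] = {"max": int(mx), "current": int(cur),
                           "violations": int(viol), "action": action}
    return ports


def findings(ports):
    """Checks a practitioner would run over the parsed table."""
    out = []
    for port, p in sorted(ports.items()):
        if p["violations"] > 0:
            out.append(f"{port}: {p['violations']} violations, action={p['action']}")
        if p["action"] == "Protect":
            # protect mode neither logs nor traps, so violations here are invisible
            out.append(f"{port}: protect mode drops silently (no syslog/SNMP trap)")
        if p["action"] == "Shutdown" and p["violations"] > 0:
            out.append(f"{port}: likely err-disabled; check errdisable recovery")
        if p["current"] >= p["max"]:
            out.append(f"{port}: at max secure addresses ({p['current']}/{p['max']})")
    return out


if __name__ == "__main__":
    for line in findings(parse_port_security(SHOW_PORT_SECURITY)):
        print(line)
```

    Feed it the real command output (for example collected over SSH) instead of the constructed string; the regular expression only depends on the column order the slide shows.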

    Configuring Port Security with Sticky MAC

    switch# show running-config interface fastethernet 0/1
    interface FastEthernet0/1
     switchport access vlan 2
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security violation restrict
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 001b.d513.2ad2

    switch# show port-security address
              Secure Mac Address Table
    -------------------------------------------------------------------
    Vlan    Mac Address       Type             Ports   Remaining Age
                                                       (mins)
    ----    -----------       ----             -----   -------------
       2    001b.d513.2ad2    SecureSticky     Fa0/1   -
    -------------------------------------------------------------------

    Blocking Unicast Flooding

    Cisco Catalyst switches can restrict flooding of unknown multicast MAC-addressed traffic on a per-port basis, in addition to flooding of unicast traffic with unknown destination MAC addresses.

    4503# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    4503(config)# interface FastEthernet 3/22
    4503(config-if)# switchport block unicast

    The companion command switchport block multicast blocks unknown multicast flooding on the port in the same way. Blocking unknown unicast flooding on a port means a host behind it that has aged out of the CAM table will not receive traffic until it transmits again, so apply it to ports facing single end stations rather than to uplinks.

    Understanding and Protecting against VLAN Attacks

    VLAN Hopping

    Switch Spoofing (figure)

    VLAN Hopping: Switch Spoofing (1)

    An attacker can send a malicious DTP frame. On receiving it, the switch would form a trunk port, which would then give the attacker access to all the VLANs on the trunk. The attacker port becomes a trunk port, and the attacker can attack a victim in any VLAN carried on the trunk.

    VLAN Hopping: Switch Spoofing (2)

    In the second variant, the attacker connects an unauthorized Cisco switch to the switch port. The unauthorized switch can send DTP frames and form a trunk. The attacker has access to all the VLANs through the trunk and can attack a victim in any VLAN.

    VLAN Hopping: Double Tagging

    Step 1. The attacker, attached to an access port whose VLAN is the native VLAN of the trunk, sends a frame carrying two 802.1Q headers to Switch 1.
    Step 2. Switch 1 strips the outer tag (it names the native VLAN, which crosses the trunk untagged) and forwards the frame to all ports, including the trunk.
    Step 3. Switch 2 interprets the frame according to the information in the inner tag, marked with VLAN ID 20.
    Step 4. Switch 2 forwards the frame out all ports associated with VLAN 20, including trunk ports.

    Mitigating VLAN Hopping Attacks

    Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
    Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic.
    When establishing a trunk link, purposefully configure arguments to achieve the following results:
      The native VLAN is different from any data VLANs.
      Trunking is set up as On or Nonegotiate rather than negotiated.
      The specific VLAN range is carried on the trunk. This ensures that the native VLAN will be pruned along with any other VLANs not explicitly allowed on the trunk.
    Where the platform supports it, also tag the native VLAN on trunks (vlan dot1q tag native), so that no frame crosses a trunk untagged and the double-tagging trick has nothing to strip.
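    The double-tagging steps and the native-VLAN mitigation, reduced to bytes. This is an added example, not code from the course: it builds a frame with two 802.1Q tags, applies the ingress and trunk-egress behaviour of Switch 1 described above, and lets Switch 2 classify what arrives. MAC addresses, VLAN numbers and the payload are constructed; the two helper switches model only the tag handling, not a full forwarding table.

```python
"""Double-tagged 802.1Q frame construction and the two-switch hop from the
slides. Added example, not Cisco course code; addresses and VLANs are made up."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def push_tag(frame, vlan):
    """Insert an 802.1Q tag (priority 0) right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Strip the outermost 802.1Q tag; return (vlan_id, frame) or None if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, frame[:12] + frame[16:]


def double_tagged_frame(src, dst, outer_vlan, inner_vlan, payload=b"hop"):
    """Ethernet header + outer tag + inner tag + IPv4 EtherType + payload."""
    untagged = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return push_tag(push_tag(untagged, inner_vlan), outer_vlan)


def switch1_egress_on_trunk(frame, access_vlan, native_vlan):
    """Switch 1: the attacker's access port accepts an untagged frame or one
    tagged with its own VLAN (anything else is dropped). On the trunk the frame
    is tagged with access_vlan, unless that is the native VLAN, in which case it
    leaves untagged and whatever tag sits underneath becomes the outermost one."""
    popped = pop_tag(frame)
    if popped is not None:
        outer_vlan, frame = popped
        if outer_vlan != access_vlan:
            return None                         # foreign tag on an access port: dropped
    if access_vlan == native_vlan:
        return frame                            # native VLAN crosses untagged
    return push_tag(frame, access_vlan)


def switch2_ingress_vlan(frame, native_vlan):
    """Switch 2 classifies a trunk frame: tagged -> that VLAN, untagged -> native."""
    popped = pop_tag(frame)
    return popped[0] if popped else native_vlan


def run_attack(attacker_vlan, native_vlan, target_vlan, outer_vlan=None):
    """Return the VLAN Switch 2 places the attacker's frame in (None if dropped)."""
    outer = attacker_vlan if outer_vlan is None else outer_vlan
    frame = double_tagged_frame("0000.0000.0bad", "ffff.ffff.ffff", outer, target_vlan)
    on_trunk = switch1_egress_on_trunk(frame, attacker_vlan, native_vlan)
    return None if on_trunk is None else switch2_ingress_vlan(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN == attacker VLAN:", run_attack(10, 10, 20))    # lands in VLAN 20
    print("native VLAN moved to 999   :", run_attack(10, 999, 20))   # stays in VLAN 10
```

    With the native VLAN equal to the attacker's access VLAN the frame is delivered into VLAN 20 on the far switch; once the native VLAN is an unused one, Switch 1 tags the frame on egress and Switch 2 keeps it in VLAN 10. Note the attack is one-way: nothing in VLAN 20 can reply across the same path, which is why the victim usually cannot see anything odd.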

    Catalyst Multilayer Switch ACL Types

    Router access control lists (RACL): Supported in the TCAM hardware on Cisco multilayer switches. In Catalyst switches, a RACL can be applied to any routed interface, such as an SVI or a routed port.

    Port access control list (PACL): Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs act at the Layer 2 port level but can filter based on Layer 3 and Layer 4 information.

    Catalyst Multilayer Switch ACL Types

    VACLs: Also known as VLAN access maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, analogous to route maps. VACLs can control traffic flowing within the VLAN or control switched traffic, whereas RACLs control only routed traffic.

    Configuring VACLs (1)

    Three ACL actions are permitted with VACLs:
      Permit (with capture, Catalyst 6500 only)
      Redirect (Catalyst 6500 only)
      Deny (with logging, Catalyst 6500 only)

    Configuring VACLs (2)

    Step 1. Define a VLAN access map:
    Switch(config)# vlan access-map map_name [seq#]

    Step 2. Configure a match clause (an IP ACL or a MAC ACL):
    Switch(config-access-map)# match {ip address {acl_number | acl_name}} | {mac address acl_name}

    Step 3. Configure an action clause:
    Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

    Step 4. Apply the map to VLANs:
    Switch(config)# vlan filter map_name vlan-list list

    Step 5. Verify the VACL configuration:
    Switch# show vlan access-map map_name
    Switch# show vlan filter [access-map map_name | vlan vlan_id]

    Configuring VACLs (3)

    Here a VACL is configured to drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20 and to drop all traffic to the backup server with MAC address 0000.1111.4444; everything else is forwarded.

    switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
    switch(config)# mac access-list extended BACKUP_SERVER
    switch(config-ext-mac)# permit any host 0000.1111.4444
    switch(config)# vlan access-map XYZ 10
    switch(config-access-map)# match ip address 100
    switch(config-access-map)# action drop
    switch(config-access-map)# vlan access-map XYZ 20
    switch(config-access-map)# match mac address BACKUP_SERVER
    switch(config-access-map)# action drop
    switch(config-access-map)# vlan access-map XYZ 30
    switch(config-access-map)# action forward
    switch(config)# vlan filter XYZ vlan-list 10,20

    (The sequence number of the final forward clause is not legible in the source; 30 is the conventional next value.) The final clause with no match statement is essential: a VLAN map ends with an implicit drop, so without it every frame that matches neither ACL would be discarded. Note also that the ACLs here use permit to select the traffic to drop; the VACL action, not the ACL keyword, decides the fate of the frame.
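    The evaluation order that the example depends on, as an added illustration (not course code): the XYZ map expressed as data, a first-match evaluator with the implicit drop at the end, and the two mistakes the text warns about, a missing catch-all forward clause and a catch-all placed at too low a sequence number. Packets and the evaluator's shape are constructed; the addresses are the slide's.

```python
"""First-match evaluation of a VLAN access map, modelled on the slide's XYZ map.
Added example, not Cisco course code; packets are constructed."""
import ipaddress

# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
ACL_100 = [("permit", ipaddress.ip_network("10.1.9.0/24"))]
# mac access-list extended BACKUP_SERVER / permit any host 0000.1111.4444
BACKUP_SERVER_MAC = "0000.1111.4444"


def match_ip_acl_100(pkt):
    src = ipaddress.ip_address(pkt["src_ip"])
    return any(act == "permit" and src in net for act, net in ACL_100)


def match_mac_backup_server(pkt):
    return pkt["dst_mac"] == BACKUP_SERVER_MAC


# (sequence, match test or None for "matches everything", action)
XYZ = [
    (10, match_ip_acl_100, "drop"),
    (20, match_mac_backup_server, "drop"),
    (30, None, "forward"),
]
XYZ_NO_CATCHALL = XYZ[:2]                   # forgot the final forward clause
XYZ_MISORDERED = [(5, None, "forward")] + XYZ  # catch-all evaluated first


def evaluate(access_map, pkt):
    """Return (sequence, action) of the first clause that matches, or
    (None, 'drop') for the implicit drop when no clause matches."""
    for seq, test, action in sorted(access_map, key=lambda clause: clause[0]):
        if test is None or test(pkt):
            return seq, action
    return None, "drop"


if __name__ == "__main__":
    samples = [
        {"src_ip": "10.1.9.5", "dst_mac": "0000.2222.3333"},   # from the blocked subnet
        {"src_ip": "10.1.1.5", "dst_mac": "0000.1111.4444"},   # to the backup server
        {"src_ip": "10.1.1.5", "dst_mac": "0000.2222.3333"},   # ordinary traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(XYZ, pkt), "| no catch-all:", evaluate(XYZ_NO_CATCHALL, pkt))
```

    One platform caveat when porting this to real hardware: on several Catalyst models a MAC ACL clause in a VLAN map only matches non-IP frames, so a rule like the BACKUP_SERVER one may not stop IP traffic to that MAC; check the configuration guide for the platform in use.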

    Understanding and Protecting against Spoofing Attacks

    Catalyst Integrated Security Features

    Dynamic Address Resolution Protocol inspection (DAI) adds security to ARP, using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
    IP Source Guard (IPSG) prevents IP address spoofing, using the DHCP snooping table.
    Port security prevents MAC spoofing attacks.
    DHCP snooping prevents client attacks on the DHCP server and switch.

    DHCP Spoofing Attack

    One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server.
    The DHCP spoofing device replies to client DHCP requests. The legitimate server can reply also, but if the spoofing device is on the same segment as the client, its reply to the client might arrive first.
    The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or DNS server.
    Clients then forward packets to the attacking device, which in turn sends them to the desired destination.
    This is referred to as a man-in-the-middle attack, and it can go entirely undetected as the intruder intercepts the data flow through the network.

    DHCP Spoofing Attack Scenario 1

    An attacker runs a tool on a rogue device, sending thousands of DHCP requests. The DHCP server does not have the capability to determine whether a request is genuine and therefore might end up exhausting all the available IP addresses. This results in a legitimate client not getting an IP address via DHCP.

    DHCP Spoofing Attack Scenario 2

    The attacker connects a rogue DHCP server to the network and has it assume the role of the DHCP server for that segment. This enables the intruder to give out false DHCP information for the default gateway and domain name servers, which points clients to the hacker's machine. This misdirection enables the hacker to become a man-in-the-middle and to gain access to confidential information, such as username and password pairs, while the end user is unaware of the attack.

    DHCP Snooping

    DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted: DHCP server messages (OFFER, ACK, NAK) are forwarded only from trusted ports and dropped on untrusted ones, and the switch records the leases it sees in a binding table (MAC, IP, VLAN, port) that DAI and IP Source Guard consult.

    Configuring DHCP Snooping

    Table columns: Step / Commands

    1. Enable DHCP snooping globally:
    Switch(config)# ip dhcp snooping

    2. Enable DHCP Option 82:
    Switch(config)# ip dhcp snooping information option

    3. Configure DHCP server interfaces or uplink ports as trusted:
    Switch(config-if)# ip dhcp snooping trust

    4. Configure the number of DHCP packets per second (pps) that are acceptable on the port:
    Switch(config-if)# ip dhcp snooping limit rate rate

    5. Enable DHCP snooping on specific VLANs:
    Switch(config)# ip dhcp snooping vlan number [number]

    6. Verify the configuration:
    Switch# show ip dhcp snooping

    DHCP Snooping Configuration Example

    switch(config)# ip dhcp snooping
    switch(config)# ip dhcp snooping information option
    switch(config)# ip dhcp snooping vlan 10,20
    switch(config)# interface fastethernet 0/1
    switch(config-if)# description Access Port
    switch(config-if)# ip dhcp snooping limit rate 5
    switch(config)# interface fastethernet 0/24
    switch(config-if)# description Uplink
    switch(config-if)# switchport mode trunk
    switch(config-if)# switchport trunk allowed vlan 10,20
    switch(config-if)# ip dhcp snooping trust

    Verifying the DHCP Snooping Configuration

    switch# show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    10,20
    DHCP snooping is operational on following VLANs:
    10,20
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is enabled
       circuit-id default format: vlan-mod-port
       remote-id: 001a.e372.ab00 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:

    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
    FastEthernet0/1            no         no              5
    FastEthernet0/24           yes        yes             unlimited

    ARP Spoofing Attack

    Step 1. Host A sends an ARP request for Router C's IP address.
    Step 2. Router C replies with its MAC and IP addresses. C also updates its ARP cache.
    Step 3. Host A binds C's MAC address to its IP address in its ARP cache.
    Step 4. Host B (attacker) sends an ARP binding B's MAC address to C's IP address.
    Step 5. Host A updates its ARP cache with B's MAC address bound to C's IP address.
    Step 6. Host B sends an ARP binding B's MAC address to A's IP address.
    Step 7. Router C updates its ARP cache with B's MAC address bound to A's IP address.
    Step 8. Packets are diverted through the attacker (B).

    Preventing ARP Spoofing through Dynamic ARP Inspection

    DAI takes these actions:
      Forwards ARP packets received on a trusted interface without any checks.
      Intercepts all ARP packets on untrusted ports.
      Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
      Drops and logs ARP packets with invalid IP-to-MAC address bindings.

    DAI Recommended Configuration

    DAI can also be used to rate-limit the ARP packets and then errdisable the interface if the rate is exceeded.
    The figure here shows the recommended DAI configuration: inter-switch links and the DHCP server port trusted, all user-facing access ports untrusted.

    DAI Commands

    Table columns: Command / Description

    Command: Switch(config)# ip arp inspection vlan vlan_id[,vlan_id]
    Description: Enables DAI on a VLAN or range of VLANs.

    Command: Switch(config-if)# ip arp inspection trust
    Description: Enables DAI on an interface and sets the interface as a trusted interface.

    Command: Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
    Description: Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.

    DAI Scenario with Catalyst Switches (1)

    Two hosts are connected, one to Switch A and one to Switch B, both in VLAN 10.
    The DHCP server is connected to Switch A. DHCP snooping is enabled on both Switch A and Switch B as a prerequisite for DAI.
    The inter-switch links are configured as DAI trusted ports, and the user ports are left in the default untrusted state.

    DAI Scenario with Catalyst Switches (2)

    SwitchA# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    SwitchA(config)# ip arp inspection vlan 10            (line not legible in the transcript; implied by the scenario)
    SwitchA(config)# interface gigabitEthernet 1/1
    SwitchA(config-if)# ip arp inspection trust
    SwitchA(config-if)# end

    SwitchB# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    SwitchB(config)# ip arp inspection vlan 10
    SwitchB(config)# interface gigabitEthernet 1/1         (line not legible in the transcript; implied by the scenario)
    SwitchB(config-if)# ip arp inspection trust
    SwitchB(config-if)# end

    DAI Scenario with Catalyst Switches (3)

    Switch# show ip arp inspection interfaces
    Interface        Trust State     Rate (pps)    Burst Interval
    ---------------  -----------     ----------    --------------
    Gi1/1            Trusted         None          N/A
    Fa2/1            Untrusted       15            1
    Fa2/2            Untrusted       15            1

    DAI Scenario with Catalyst Switches (4)

    Switch# show ip arp inspection vlan 10
    Source Mac Validation      : Disabled
    Destination Mac Validation : Disabled
    IP Address Validation      : Disabled

     Vlan     Configuration    Operation   ACL Match     Static ACL
     ----     -------------    ---------   ---------     ----------
       10     Enabled          Active

     Vlan     ACL Logging      DHCP Logging
     ----     -----------      ------------
       10     Deny             Deny

    DAI Scenario with Catalyst Switches (5)

    Switch# show ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  ----------------
    00:01:00:01:00:01   10.10.10.1       4995        dhcp-snooping  10    FastEthernet2/1

    DAI Scenario with Catalyst Switches (6)

    Switch# show ip arp inspection interfaces
    Interface        Trust State     Rate (pps)    Burst Interval
    ---------------  -----------     ----------    --------------
    Gi1/1            Trusted         None          N/A
    Fa2/1            Untrusted       15            1
    Fa2/2            Untrusted       15            1
    Fa2/3            Untrusted       15            1

    DAI Scenario with Catalyst Switches (7)

    Switch# show ip arp inspection vlan 10
    Source Mac Validation      : Disabled
    Destination Mac Validation : Disabled
    IP Address Validation      : Disabled

     Vlan     Configuration    Operation   ACL Match     Static ACL
     ----     -------------    ---------   ---------     ----------
       10     Enabled          Active

     Vlan     ACL Logging      DHCP Logging
     ----     -----------      ------------
       10     Deny             Deny

  • 8/10/2019 en_SWITCH_v6_Ch06.pdf

    55/155

    DAI Scenario with Catalyst Switches (8)

    MacAddr ess I pAddr ess Lease( sec) Type VLAN I nt er f ace- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -00: 02: 00: 02: 00: 02 10. 10. 10. 2 4995 dhcp- snoopi ng 10 Fast Et her net 2/ 2

    Chapter 655 2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public

DAI Scenario with Catalyst Switches (9)

If an attacker connects to Switch B and tries to send a bogus ARP request, Switch B will detect it and drop the ARP request packet. Switch B can also errdisable the port and send a log message to alert the administrator.

DAI discards any ARP packets with invalid MAC-address-to-IP-address bindings. An error message is displayed on the switch when a security violation occurs:

02:46:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/3, vlan ... 2003])

IP Spoofing and IP Source Guard

Attacker impersonates a legitimate host on the network by spoofing the IP address of the victim.

IP source guard (IPSG) prevents a malicious host from attacking the network with a hijacked IP address.

IPSG provides per-port traffic filtering of the assigned source IP addresses.

IPSG dynamically maintains per-port ACLs based on IP-to-MAC-to-port bindings.

IPSG is typically deployed for untrusted ports at the access layer.

IPSG works closely with DHCP snooping.

IP Source Guard Operations

IPSG can be enabled on a DHCP snooping untrusted Layer 2 port to prevent IP spoofing.

At first, all IP traffic on the port is blocked except for DHCP packets captured by the DHCP snooping process.

This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding is filtered out. This filtering limits a host's capability to attack the network by claiming a neighbor host's IP address.

Configuring IP Source Guard

Step  Commands
1.    Switch(config)# ip dhcp snooping
2.    Switch(config)# ip dhcp snooping vlan number [number]
3.    Switch(config-if)# ip verify source vlan dhcp-snooping
      or
      Switch(config-if)# ip verify source vlan dhcp-snooping port-security
4.    Switch(config-if)# switchport port-security limit rate invalid-source-mac N
5.    Switch(config)# ip source binding ip-addr ip vlan number interface interface-id

IPSG Scenario (1)

... connects to the same Catalyst switch as a server with a static IP address.

IPSG Scenario (2)

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1,10
Switch(config)# ip dhcp snooping verify mac-address
Switch(config)# ... Fa2/18
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Switch(config)# interface fastethernet 2/18
Switch(config-if)# switchport
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security

IPSG Scenario (3)

Switch# show ip source binding
MacAddress          IpAddress   Lease(sec)  Type           VLAN  Interface
------------------  ----------  ----------  -------------  ----  ----------------
00:02:B3:3F:3B:99   10.1.1.11   6522        dhcp-snooping  1     FastEthernet2/1
00:00:00:0A:00:0B   10.1.10.11  infinite    static         10    FastEthernet2/18

Switch# show ip verify source
Interface  Filter-type  Filter-mode  IP-address  Mac-address        Vlan
---------  -----------  -----------  ----------  -----------------  ----
Fa2/1      ip-mac       active       10.1.1.11   00:02:B3:3F:3B:99  1
Fa2/18     ip-mac       active       10.1.10.11  00:00:00:0a:00:0b  10

IPSG Scenario (4)

An attacker is connected to interface 2/10 and is spoofing the IP address of the server. The Catalyst switch detects and drops the packets in the hardware path. The switch also provides an error message to indicate the violation.
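As an added example (not part of the course material), the following Python models how both the DAI scenario and the IPSG scenario consult the same DHCP snooping binding table: it parses "show ip source binding" output in the layout shown above, checks ARP sender fields the way DAI does on untrusted ports, and filters IP packets per port the way IPSG does in ip or ip-mac mode. The binding rows, the attacker MAC on Fa2/10 and the syslog line shape are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the "show ip source binding" output above
# (the two rows are the scenario's DHCP client and static server).
SAMPLE_BINDINGS = """\
MacAddress          IpAddress   Lease(sec)  Type           VLAN  Interface
------------------  ----------  ----------  -------------  ----  ----------------
00:02:B3:3F:3B:99   10.1.1.11   6522        dhcp-snooping  1     FastEthernet2/1
00:00:00:0A:00:0B   10.1.10.11  infinite    static         10    FastEthernet2/18
"""


@dataclass(frozen=True)
class Binding:
    mac: str        # lower-case colon form
    ip: str
    vlan: int
    interface: str  # long form, e.g. FastEthernet2/1


ROW_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)$")
_LONG = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def norm_intf(name: str) -> str:
    """Expand the short names used by 'show ip verify source' (Fa2/1) to the
    long names used in the binding table (FastEthernet2/1)."""
    m = re.match(r"^(Fa|Gi)(\d.*)$", name)
    return _LONG[m.group(1)] + m.group(2) if m else name


def parse_bindings(text: str) -> List[Binding]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ip, vlan, intf = m.groups()
            rows.append(Binding(mac.lower(), ip, int(vlan), norm_intf(intf)))
    return rows


def _lookup(bindings: List[Binding], intf: str, vlan: int, ip: str) -> List[Binding]:
    intf = norm_intf(intf)
    return [b for b in bindings if b.interface == intf and b.vlan == vlan and b.ip == ip]


def dai_check(bindings, intf, vlan, sender_mac, sender_ip, trusted=False) -> Tuple[bool, Optional[str]]:
    """DAI on an untrusted port: the ARP sender MAC/IP pair must match a binding
    learned on that port and VLAN. Trusted ports (the uplink Gi1/1 in the
    scenario) are not inspected. Returns (permit, syslog_line_or_None)."""
    if trusted:
        return True, None
    if any(b.mac == sender_mac.lower() for b in _lookup(bindings, intf, vlan, sender_ip)):
        return True, None
    # Shape modelled on the %SW_DAI-4-DHCP_SNOOPING_DENY message in the DAI scenario.
    msg = (f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on {intf}, "
           f"vlan {vlan}.([{sender_mac}/{sender_ip}])")
    return False, msg


def ipsg_check(bindings, intf, vlan, src_ip, src_mac, filter_type="ip-mac", is_dhcp=False) -> bool:
    """IPSG on a port with 'ip verify source vlan dhcp-snooping [port-security]':
    DHCP is always allowed so the client can obtain a binding; afterwards the
    source IP must match the port's binding, and in ip-mac mode the source MAC too."""
    if is_dhcp:
        return True
    for b in _lookup(bindings, intf, vlan, src_ip):
        if filter_type == "ip" or b.mac == src_mac.lower():
            return True
    return False


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDINGS)
    # Constructed attacker on Fa2/10 (IPSG scenario 4) sourcing the server's 10.1.10.11
    print(ipsg_check(table, "Fa2/10", 10, "10.1.10.11", "00:11:22:33:44:55"))
    print(dai_check(table, "Fa2/10", 10, "00:11:22:33:44:55", "10.1.10.11"))
```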

Securing Network Switches

Neighbor Discovery Protocols (NDP)

Cisco Discovery Protocol (CDP)

Link Layer Discovery Protocol (LLDP)

Cisco Discovery Protocol

Uses multicast hello messages.

Uses a TTL in seconds.

Cached CDP information is available to the network management system via SNMP; it is recommended to block SNMP access.

Configuring CDP

CDP is enabled by default.

The no cdp run command disables CDP globally.

The no cdp enable command disables CDP on an interface.

Displaying CDP Information (1)

When CDP is enabled, the command show cdp neighbor displays a summary of which devices are seen on which interfaces.

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
---

Displaying CDP Information (2)

4506# show cdp neighbor detail
-----------------------
Device ID: TBA03501074(SwitchA-6500)
Entry address(es):
  IP address: 10.18.2.137
Platform: WS-C6506,  Capabilities: Trans-Bridge Switch IGMP
Interface: FastEthernet3/21,  Port ID (outgoing port): 3/36
Holdtime : 170 sec

Version :
WS-C6506 Software, Version McpSW: 7.6(1) NmpSW: 7.6(1)
Copyright ... by Cisco Systems

advertisement version: 2
VTP Management Domain: 0
Native VLAN: 1
Duplex: full

-----------------------
Device ID: SwitchC-4503
Entry address(es):
  IP address: 10.18.2.132
Platform: cisco WS-C4503,  Capabilities: Router Switch IGMP
Interface: FastEthernet3/27,  Port ID (outgoing port): FastEthernet3/14
Holdtime : 130 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.1(19)EW, CISCO ENHANCED PRODUCTION VERSION
...
Compiled Tue 27-May-03 04:31 by prothero

Configuring LLDP

LLDP is disabled by default.

The command lldp run enables LLDP globally.

The command lldp enable enables LLDP on an interface.

Displaying LLDP Information

When LLDP is enabled, the command show lldp neighbor displays a summary of which devices are seen on which interfaces.

switch(config)# end
switch# show lldp neighbor
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID    Local Intf  Hold-time  Capability  Port ID
c2960-8      Fa0/8       120        B           Fa0/8
Total entries displayed: 1

CDP Vulnerabilities

Sequence of Events  Description
1.  Attacker uses CDP to view neighbor information.
2.  Attacker uses a packet analyzer to intercept CDP traffic.
3.  Attacker analyzes information in CDP packets to gain knowledge of network addresses and device information.
4.  Attacker formulates attacks based on known vulnerabilities of network platforms.

Securing Switch Access

Telnet Vulnerabilities

Secure Shell (SSH) Vulnerabilities

Telnet Vulnerabilities

All usernames, passwords, and data sent over the public network in clear text are vulnerable.

A user with an account on the system could gain elevated privileges.

A remote attacker could crash the Telnet service, preventing legitimate use of that service by performing a DoS attack such as opening too many Telnet sessions.

A remote attacker could find an enabled guest account that might be present anywhere within the trusted domains of the server.

Secure Shell (SSH)

Configuring SSH

Step 1. Configure a user with a password.

Step 2. Configure the hostname and domain name.

Step 3. Generate RSA keys.

Step 4. Allow SSH transport on the vty lines.

switch(config)# ip domain-name xyz.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config-line)# login local
switch(config-line)# transport input ssh

VTY Access Control Lists

HTTP Secure Server

Step 1. Configure username and password.

Step 2. Configure domain name.

Step 3. Generate RSA keys.

Step 4. Enable HTTPS (SSL) server.

Step 5. Configure authentication.

Step 6. Configure an access list to limit access.

sw(config)# username xyz password abc123
sw(config)# ip domain-name xyz.com
sw(config)# crypto key generate rsa
sw(config)# ip http secure-server
sw(config)# ip http access-class 100
sw(config)# ip http authentication local

Authentication, Authorization, and Accounting

AAA is the framework through which you set up access control on a Cisco IOS switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.

Authentication

Authentication provides a method to handle:

User identification

Login and password dialog

Challenge and response messaging

Encryption

Authorization

Authorization provides the method for remote access control. Remote access control includes:

One-time authorization, or

Authorization for each service on a per-user account list or a user group basis.

Uses RADIUS or TACACS+ security servers.


TACACS+ Attribute-Value Pairs (AVPs)

Attribute   Type of Value
Addr-pool   String
Addr        IP address
Idletime    Integer
Protocol    Keyword
Outacl      Integer

Accounting

Accounting provides the method for collecting and sending security server information used for billing and auditing, such as:

User identities

Start and stop times

Executed commands

Number of packets

Configuring Authentication

Variety of login authentication methods.

First use the aaa new-model command to initialize AAA.

Use the aaa authentication login command to enable AAA login authentication. With it, you define one or more lists of authentication methods.

The aaa authentication login {default | list-name} method1 [method2...] command defines the list name and the authentication methods, in order.

The login authentication {default | list-name} line command applies the authentication list to an input line.

AAA Authentication Example

Switch(config)# aaa new-model
Switch(config)# aaa authentication login TEST tacacs+
Switch(config)# tacacs-server host 192.168.100.100
Switch(config)# line vty 0 4
Switch(config-line)# login authentication TEST

AAA Authentication Configuration Detail

Step 1. Configure the TACACS+ server for a test user: When using Cisco Access Control Server (ACS) for Microsoft Windows, create a new test user without specific options.

Step 2. Configure a new network device on the TACACS+ server: When using Cisco ACS for Microsoft Windows, create a new network device by specifying the DNS name and IP address, and specify a key to be used for TACACS+.

Step 3. ...

Step 4. Enable AAA globally:
svs-san-3550-1(config)# aaa new-model

Step 5. Define the TACACS+ server and key:
svs-san-3550-1(config)# tacacs-server host 172.18.114.33
svs-san-3550-1(config)# tacacs-server key SWITCH

Step 6. Configure the default login access:
svs-san-3550-1(config)# aaa authentication login default group tacacs+ enable

Step 7. Test the login using a separate connection: This enables you to troubleshoot and make changes in real time while testing the configuration.
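Added example, not part of the course material: a small Python model of the method list configured in Step 6, "aaa authentication login default group tacacs+ enable". The server table, user and secrets are constructed; what the model shows is that IOS moves on to the next method only when a method returns an error (no server answered), not when a server answers and rejects the password, so the enable secret is a fallback for an unreachable TACACS+ server, not a second password.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"     # method accepted the credentials
    FAIL = "fail"     # a server answered and rejected them: final, no fallback
    ERROR = "error"   # no server answered: IOS tries the next method in the list


# Constructed TACACS+ server table keyed by address, and a constructed enable secret.
TACACS_SERVERS: Dict[str, dict] = {
    "172.18.114.33": {"reachable": True, "users": {"testuser": "t3st-pw"}},
}
ENABLE_SECRET = "En4ble-secret"

Method = Callable[[str, str], Result]


def tacacs_method(servers: Dict[str, dict], user: str, password: str) -> Result:
    """'group tacacs+': query the configured servers in order; a timeout moves
    to the next server, and only when none answers does the method return ERROR."""
    for srv in servers.values():
        if not srv["reachable"]:
            continue
        return Result.PASS if srv["users"].get(user) == password else Result.FAIL
    return Result.ERROR


def enable_method(enable_secret: str, user: str, password: str) -> Result:
    """'enable': the enable secret is accepted as the login password."""
    return Result.PASS if password == enable_secret else Result.FAIL


def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str):
    """Model of 'aaa authentication login default method1 method2 ...'.
    Returns the final result and the trace of (method, result) pairs consulted."""
    trace = []
    for name, method in methods:
        r = method(user, password)
        trace.append((name, r))
        if r is not Result.ERROR:
            return r, trace          # PASS or FAIL ends the list
    return Result.FAIL, trace        # every method errored: access denied


def login(user: str, password: str, servers=TACACS_SERVERS, enable_secret=ENABLE_SECRET):
    """aaa authentication login default group tacacs+ enable"""
    methods = [
        ("group tacacs+", lambda u, p: tacacs_method(servers, u, p)),
        ("enable", lambda u, p: enable_method(enable_secret, u, p)),
    ]
    return run_method_list(methods, user, password)


if __name__ == "__main__":
    print(login("testuser", "t3st-pw"))          # PASS via TACACS+
    print(login("testuser", ENABLE_SECRET))      # FAIL: TACACS+ answered, enable not consulted
    down = {"172.18.114.33": {"reachable": False, "users": {}}}
    print(login("anyone", ENABLE_SECRET, servers=down))   # PASS via enable fallback
```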

AAA Authorization Configuration

Use the command:
aaa authorization {auth-proxy | network | exec | ... | ipmobile} {default | list-name} [method1 [method2...]]

Apply the authorization method to lines using the command:
authorization {arap | commands level | exec | reverse-access} {default | list-name}

Use the aaa authorization command with the group tacacs+ method keywords to request authorization via a TACACS+ server. The group tacacs+ method instructs the switch to use a list of all configured TACACS+ servers.

Use the aaa authorization command with the local method keyword to request authorization via the local user database.

Use the aaa authorization command with the group radius method keywords to request authorization via a RADIUS server.

AAA Authorization Example

This configuration example illustrates configuring AAA authorization for users via VTY access for shell commands. To allow users to access the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword, as shown.

Switch(config)# aaa authorization commands 0 default if-authenticated group tacacs+
Switch(config)# line vty 0 4

AAA Accounting Types Supported

Network accounting: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.

Connection accounting: Provides information about all outbound connections made from the network, such as Telnet and rlogin.

EXEC accounting: Provides information about user EXEC terminal sessions: username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number from which the call originated.

System accounting: Provides information about all system-level events (for example, when the system reboots and when accounting is turned on or off).

Command accounting: Provides information about the EXEC shell commands for a specified privilege level executed on a network access server.

... that have passed user authentication.

AAA Accounting Configuration

Use the command:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]

Apply the accounting method to an interface or lines using the command:
accounting {arap | commands level | connection | exec} {default | list-name}

AAA Accounting Example

This configuration example illustrates configuring AAA accounting for user EXEC sessions via VTY access, as shown.

Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default

Security Using IEEE 802.1X-Based Port Authentication

802.1X Roles

Client (or supplicant): The device that requests access to LAN and switch services and then responds to requests from the switch; the client runs 802.1X-compliant client software.

Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. The RADIUS security system with EAP extensions is the only supported authentication server.

Switch (or authenticator): Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client.

802.1X Port Authorization State (1)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The force-authorized keyword disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange. The port sends and receives normal traffic without 802.1X-based authentication of the client. This is the default setting. This configuration mode supports any non-dot1x-enabled client.

802.1X Port Authorization State (2)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The force-unauthorized keyword causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. This configuration mode can be enabled to prevent connections from any users on unauthorized ports.

802.1X Port Authorization State (3)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The auto keyword enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, enabling only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by using the client MAC address. This configuration mode can be used on ports that ...
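Added example, not part of the course material: a Python model of the authenticator side of one port under each dot1x port-control keyword described in the three slides above. Port names, MAC addresses and the "single host per port" simplification are constructed assumptions; the model shows which frames an auto port forwards before and after authentication, why a link flap forces re-authentication, and that force-unauthorized ignores even EAPOL.

```python
from enum import Enum
from typing import List, Optional


class PortControl(Enum):
    AUTO = "auto"
    FORCE_AUTHORIZED = "force-authorized"      # the IOS default
    FORCE_UNAUTHORIZED = "force-unauthorized"


class Dot1xPort:
    """Single-host model of the authenticator side of one switch port."""

    def __init__(self, name: str, control: PortControl):
        self.name = name
        self.control = control
        self.link_up = False
        self.authorized = control is PortControl.FORCE_AUTHORIZED
        self.auth_in_progress = False
        self.client_mac: Optional[str] = None
        self.events: List[str] = []

    def _log(self, msg: str) -> None:
        self.events.append(f"{self.name}: {msg}")

    def link(self, up: bool) -> None:
        self.link_up = up
        if self.control is not PortControl.AUTO:
            return
        if up:
            # Authenticator initiation: the switch asks for the client identity.
            self.auth_in_progress = True
            self._log("link up, EAP-Request/Identity sent")
        else:
            # A link flap drops the session; the client must authenticate again.
            self.authorized, self.auth_in_progress, self.client_mac = False, False, None
            self._log("link down, port unauthorized")

    def receive_eapol_start(self, mac: str) -> None:
        """Supplicant initiation. Acted on only in auto mode."""
        if self.control is PortControl.AUTO and self.link_up:
            self.auth_in_progress, self.client_mac = True, mac
            self._log(f"EAPOL-Start from {mac}")
        else:
            self._log(f"EAPOL-Start from {mac} ignored ({self.control.value})")

    def auth_result(self, mac: str, success: bool) -> None:
        """Outcome relayed from the authentication server for the client at MAC."""
        if self.control is not PortControl.AUTO or not self.auth_in_progress:
            return
        self.client_mac, self.authorized, self.auth_in_progress = mac, success, False
        self._log(f"{mac} {'authorized' if success else 'rejected'}")

    def forwards(self, src_mac: str, is_eapol: bool = False) -> bool:
        """Would a frame from src_mac be forwarded off this port?"""
        if not self.link_up:
            return False
        if self.control is PortControl.FORCE_AUTHORIZED:
            return True                      # no authentication exchange at all
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False                     # stays unauthorized, even for EAPOL
        if is_eapol:
            return True                      # auto: only EAPOL passes before auth
        return self.authorized and src_mac == self.client_mac


if __name__ == "__main__":
    p = Dot1xPort("Fa0/1", PortControl.AUTO)
    p.link(True)
    p.receive_eapol_start("00:11:22:33:44:55")
    p.auth_result("00:11:22:33:44:55", True)
    print(p.forwards("00:11:22:33:44:55"), p.forwards("aa:bb:cc:dd:ee:ff"))
    print("\n".join(p.events))
```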

Configuring IEEE 802.1X

Step 1. Enable AAA:
Switch(config)# aaa new-model

Step 2. Create an 802.1X port-based authentication method list:
Switch(config)# aaa authentication dot1x {default} ...

Step 3. Globally enable 802.1X port-based authentication:
Switch(config)# dot1x system-auth-control

Step 4. Enter interface configuration mode and specify the interface to be enabled for 802.1X port-based authentication:
Switch(config)# interface type slot/port

Step 5. Enable 802.1X port-based authentication on the interface:
Switch(config-if)# dot1x port-control auto

Switch Security Considerations

Organizational Security Policies

Provides a process for auditing existing network security.

Provides a general security framework for implementing network security.

Defines disallowed behaviors toward electronic data.

... organization.

Communicates consensus among a group of key decision makers and defines responsibilities of users and administrators.

Enables an enterprise-wide, all-site security implementation and enforcement plan.

Securing Switch Devices and Protocols

Configure strong system passwords.

Restrict management access using ACLs.

Secure physical access to the console.

Secure access to vty lines.

Configure system warning banners.

Disable unneeded or unused services.

Trim and minimize use of CDP/LLDP.

Disable the integrated HTTP daemon (where appropriate).

Configure basic system logging (syslog).

Secure SNMP.

Limit trunking connections and propagated VLANs.

Secure the spanning-tree topology.

Configuring Strong System Passwords

Use the enable secret command instead of using the enable password command.

Because the enable secret command simply implements an MD5 hash on the configured password, that password remains vulnerable to dictionary attacks.

Therefore, standard practice in selecting a feasible password applies. Try to pick passwords that contain letters, numbers, and special characters. An example of a feasible password is $pecia1$, that is, the word "specials" where each s has been replaced by $ and the letter l has been replaced with the numeral 1.

Restricting Management Access Using ACLs

Subnet 10.1.2.0/24 is used for accessing all network devices for management purposes. This subnet is reachable only by the system administrators in the 10.1.3.0/24 subnet.

interface Vlan...
 description User LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan601
 description Management VLAN
 ip address 10.1.2.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan...
 description IT LAN
 ip address 10.1.3.1 255.255.255.0
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny ip any any log
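Added example, not part of the course material: a Python evaluator for the two-entry ACL above that implements Cisco wildcard-mask matching (a 1 bit in the mask means "don't care") and first-match semantics, including the unlogged implicit deny that follows the last entry. The sample source and destination addresses are constructed, and the syslog line is modelled on the shape of IOS access-list log messages rather than reproduced verbatim.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    number: str       # ACL number, e.g. "100"
    action: str       # "permit" or "deny"
    src: str
    src_wild: str     # wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str
    log: bool = False


def _addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Read one address spec ('any', 'host A', or 'A WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse numbered extended 'access-list N {permit|deny} ip ...' entries."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, src_wild, i = _addr(tok, 4)
        dst, dst_wild, i = _addr(tok, i)
        acl.append(Ace(tok[1], tok[2], src, src_wild, dst, dst_wild, log="log" in tok[i:]))
    return acl


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching entry wins; the implicit deny at the end is never logged."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            line = None
            if e.log:   # shape modelled on IOS %SEC-6-IPACCESSLOG* messages, not verbatim
                line = f"%SEC-6-IPACCESSLOGNP: list {e.number} {e.action} ip {src} -> {dst}, 1 packet"
            return e.action, line
    return "deny", None


# The ACL from the slide, as constructed input.
MGMT_ACL = parse_acl([
    "access-list 100 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255",
    "access-list 100 deny ip any any log",
])

if __name__ == "__main__":
    # Constructed sample flows: an admin host and a user-LAN host reaching the management SVI.
    for src in ("10.1.3.7", "10.1.1.5"):
        print(src, evaluate(MGMT_ACL, src, "10.1.2.1"))
```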

Securing Physical Access to the Console

Physical security of switches or routers is often overlooked but is a valuable security precaution.

Console access requires a minimum level of security both physically and logically.

Anyone with console access has the ability to recover or reset the passwords or to reload the system, thereby enabling that individual to bypass all other security.

It is imperative to physically secure access to the console by using security personnel, closed-circuit television, card-key entry systems, locking cabinets, access logging, or other means to control physical access as standard practice.

Securing Access to vty Lines

Apply ACLs on all vty lines to limit in-band access only to management stations from specific subnets.

Configure strong passwords for all configured vty lines.

Use Secure Shell (SSH) instead of Telnet to access the device.

Configuring System Warning Banners

For both legal and administrative purposes, configuring a system warning banner to display prior to login is an effective way of stating security and general usage policies.

Clearly stating the ownership, usage, access, and protection policies prior to a login aids in stronger prosecution if unauthorized access occurs. Use the global configuration banner command to configure the messages.

Disabling Unneeded or Unused Services

TCP Small Servers (Echo, Chargen, Discard, Daytime)

UDP Small Servers (Echo, Discard, Chargen)

Auto config

Packet Assembler and Disassembler (PAD)

BOOTP server

Identification service

Source routing

IP Proxy-ARP

ICMP unreachables

ICMP redirects

Directed broadcast forwarding

Maintenance Operation Protocol (MOP)

Trimming and Minimizing Use of CDP/LLDP

Disable CDP/LLDP on a per-interface basis. Run CDP/LLDP only for administrative purposes, such as on links between switches and on ports where IP phones reside.

Confine CDP/LLDP deployment to run between devices under your control. Because CDP/LLDP is a link-level (Layer 2) protocol, it does not propagate end-to-end over a MAN or WAN unless Layer 2 tunneling is in place. As a result, for MAN and WAN connections, CDP tables might include the service provider's next-hop router or switch and not the far-end router under your control.

Do not run CDP/LLDP to any unsecured connection, such as a connection to the Internet.
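Added example, not part of the course material: a Python audit that parses "show cdp neighbor detail" output in the layout shown earlier in this chapter and applies the rule above, keeping CDP only on interfaces whose neighbor is under your control (an address inside constructed managed prefixes) or is an IP phone, and recommending "no cdp enable" elsewhere. The sample output reuses the two switches from the page and adds a constructed provider-router entry on a constructed interface.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of "show cdp neighbor detail" shown earlier on the page;
# the third entry (203.0.113.1 on GigabitEthernet1/1) is invented for this example.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: TBA03501074(SwitchA-6500)
Entry address(es):
  IP address: 10.18.2.137
Platform: WS-C6506,  Capabilities: Trans-Bridge Switch IGMP
Interface: FastEthernet3/21,  Port ID (outgoing port): 3/36
Holdtime : 170 sec
-------------------------
Device ID: SwitchC-4503
Entry address(es):
  IP address: 10.18.2.132
Platform: cisco WS-C4503,  Capabilities: Router Switch IGMP
Interface: FastEthernet3/27,  Port ID (outgoing port): FastEthernet3/14
Holdtime : 130 sec
-------------------------
Device ID: isp-pe-router.example
Entry address(es):
  IP address: 203.0.113.1
Platform: unknown,  Capabilities: Router
Interface: GigabitEthernet1/1,  Port ID (outgoing port): ge-0/0/1
Holdtime : 160 sec
"""

# Constructed: address space of the devices under our administrative control.
MANAGED_PREFIXES = [ipaddress.ip_network("10.18.0.0/16")]


@dataclass
class Neighbor:
    device_id: str
    ip: str
    capabilities: List[str]
    local_intf: str


def parse_cdp_detail(text: str) -> List[Neighbor]:
    """Split the output on the dashed separators and pick the fields we audit."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        dev = re.search(r"Device ID:\s*(\S+)", block)
        if not dev:
            continue
        ip = re.search(r"IP address:\s*(\d+\.\d+\.\d+\.\d+)", block)
        caps = re.search(r"Capabilities:\s*(.+)$", block, flags=re.M)
        intf = re.search(r"Interface:\s*([^,\s]+)", block)
        neighbors.append(Neighbor(
            dev.group(1),
            ip.group(1) if ip else "",
            caps.group(1).split() if caps else [],
            intf.group(1) if intf else "",
        ))
    return neighbors


def audit(neighbors: List[Neighbor], managed=MANAGED_PREFIXES) -> Dict[str, str]:
    """Map each local interface to 'keep' or the command that would disable CDP on it."""
    recs = {}
    for n in neighbors:
        under_control = bool(n.ip) and any(ipaddress.ip_address(n.ip) in p for p in managed)
        if under_control or "Phone" in n.capabilities:
            recs[n.local_intf] = "keep"
        else:
            recs[n.local_intf] = "no cdp enable"
    return recs


if __name__ == "__main__":
    for intf, rec in audit(parse_cdp_detail(SAMPLE_CDP_DETAIL)).items():
        print(f"{intf}: {rec}")
```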

Disabling Integrated HTTP Daemon

Use the no ip http server command in Cisco IOS to disable HTTP server access on a switch.

If HTTP access is needed, it is recommended to change the default TCP port number (80) using the ip http port port-no command. Secure HTTP is recommended over HTTP access.

Secure HTTP can be enabled via the ip http secure-server command.

svs-san-msfc# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
svs-san-msfc(config)# no ip http server
svs-san-msfc(config)# end

Configuring Basic System Logging

To assist and simplify both problem troubleshooting and security investigations, monitor switch subsystem information with syslog.

To render the on-system logging useful, increase the default buffer size; generally, the default buffer size is not adequate for logging most events.

    Securing SNMP

Whenever possible, avoid using SNMP read-write features. SNMPv2c authentication consists of simple text strings that

text. In most cases, a read-only community string is sufficient. To use SNMP in a secure method, use SNMPv3 with an encrypted password and use an ACL to limit SNMP from only


    Limiting Trunking Connections and Propagated

    By default, specific models of Catalyst switches that are running


poses a security risk because the negotiation enables the introduction of an unauthorized trunk port into the network. If an unauthorized trunk port is used for traffic interception and to generate DoS attacks, the consequences can be far more serious than if only an access port is used. (A DoS attack on a trunk port might affect multiple VLANs, whereas a DoS attack on an access port affects only a single VLAN.)

To prevent unauthorized trunks, disable automatic negotiation of trunking on host and access ports. In addition, remove unused VLANs from trunks manually or by using VTP.


    Securing the Spanning-Tree Topology

Inadvertent or malicious introduction of STP BPDUs potentially overwhelms a device or creates a DoS. The first

identify the intended root and designated bridge in the design and to hard-code that bridge's STP bridge priority to an acceptable root value.

Enable the root-guard feature to prevent authorized bridges

Use the BPDU Guard feature to prevent host devices from maliciously sending BPDUs to a port. Upon receipt of an unauthorized STP BPDU, the feature automatically disables the port until user intervention occurs or a time-out value is reached.


    Mitigating Issues Sourced from a Switch

Enter the shutdown command on all unused ports and interfaces.


Place all unused ports in a parking-lot VLAN used specifically to group unused ports until they are proactively placed into service.

Configure all unused ports as access ports, disallowing automatic trunk negotiation.

Physical device access: Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.

Access port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of unused switch ports in


Troubleshooting Performance and Connectivity


    Techniques to Enhance Performance (1)

Critical performance-management issues are:

User/application performance: For most users, response time is the critical performance success factor. This variable might shape the perception of network success by both your users and application administrators.

Capacity planning: The process of determining future network resource requirements to prevent a performance or

Proactive fault management: Involves both responding to faults as they occur and implementing solutions that prevent faults from affecting performance.


    Monitoring Performance with SPAN and


The switch copies all traffic transmitted to and from Port 3/1 (the source port) to Port 3/5 (the destination port). A workstation running a packet-capturing application on Port 3/5 thus receives all network traffic received and transmitted on Port 3/1.


    VSPAN Guidelines

VSPAN sessions, with both ingress and egress options configured, forward duplicate packets from the source port only if

One copy of the packet is from the ingress traffic on the ingress port, and the other copy of the packet is from the egress traffic on the egress port.

VSPAN monitors only traffic that leaves or enters Layer 2 ports in the VLAN:

Routed traffic that enters a monitored VLAN is not captured if the SPAN session is configured with that VLAN as an ingress source because traffic never appears as ingress traffic entering a Layer 2 port in the VLAN.

Traffic that is routed out of a monitored VLAN, which is configured as an egress source in a SPAN session, is not captured because the traffic never appears as egress traffic leaving a Layer 2 port in that VLAN.

    Configuring Local SPAN

The example shows the configuration and verification of a local SPAN session on a Cisco IOS-based switch for the

3/1, and the destination interface is FastEthernet 3/5.

4506(config)# monitor session 1 source interface FastEthernet 3/1
4506(config)# monitor session 1 destination interface FastEthernet 3/5
4506(config)# end
4506# show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa3/1
Destination Ports      : Fa3/5
Encapsulation          : Native
          Ingress      : Disabled

    VSPAN Scenario (1)


The administrator needs to troubleshoot the traffic flow between a client in VLAN 10 and a server in VLAN 20.

Catalyst switch with rx-only traffic for VLAN 10 and tx-only traffic for VLAN 20 and destination port interface FastEthernet 3/4.

    VSPAN Scenario (2)


cat4k(config)# monitor session 1 source vlan 10 rx
cat4k(config)# monitor session 1 source vlan 20 tx
cat4k(config)# monitor session 1 destination interface FastEthernet 3/4
cat4k# show monitor session 1
Session 1
---------
Source VLANs           :
    RX Only            : 10
    TX Only            : 20
Destination Ports      : Fa3/4
Encapsulation          : Native
          Ingress      : Disabled

    Using SPAN to Monitor the CPU Interface

To configure a SPAN to monitor the CPU traffic on Catalyst 4500 switches, use the keyword cpu in the monitor

4506(config)# monitor session 1 source cpu ?
  both   Monitor received and transmitted traffic
  queue  SPAN source CPU queue
  rx     Monitor received traffic only
  tx     Monitor transmitted traffic only
4506(config)# monitor session 1 destination interface FastEthernet 3/21
4506(config)# end
4506# show monitor session 1
Session 1
---------
Type                   : -
Source Ports           :
    Both               : CPU
Destination Ports      : Fa3/21
Encapsulation          : Native
          Ingress      : Disabled

    Monitoring Performance with RSPAN

Remote SPAN (RSPAN) is similar to SPAN, but it supports source ports, source VLANs, and destination ports on

    RSPAN Guidelines

Configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, VTP can

1024 as RSPAN VLANs. Manually configure VLANs numbered higher than 1024 as RSPAN VLANs on all source, intermediate, and destination network devices.

Switches impose no limit on the number of RSPAN VLANs.

Configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs, and use the same RSPAN VLAN for each RSPAN session.


    Configuring RSPAN (1)

Step 1. Configure the RSPAN VLAN in the VTP server. This VLAN is then dedicated for RSPAN. If VTP transparent

domain consistently.

Step 2. Configure the RSPAN session in the source and destination switches and ensure that the intermediate switches carry the RSPAN VLAN across respective VLAN


    RSPAN Configuration Example (2)


2950-1(config)# vlan 100
2950-1(config-vlan)# remote-span
2950-1(config-vlan)# exit
2950-1(config)# monitor session 1 source interface FastEthernet 0/1
2950-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2950-1(config)# interface FastEthernet 0/2
2950-1(config-if)# switchport mode trunk
2950-1(config-if)# end

2950-2(config)# monitor session 2 source remote vlan 100
2950-2(config)# monitor session 2 destination interface FastEthernet
2950-2(config)# interface FastEthernet 0/2
2950-2(config-if)# switchport mode trunk

    RSPAN Configuration Example (3)


2950-1# show monitor
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/1
Reflector Port         : fa0/24
Dest RSPAN VLAN        : 100

2950-1# show interfaces trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/2     1-4094

Port      Vlans allowed and active in management domain
Fa0/2     1-30,100

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/2     1-30,100

    RSPAN Configuration Example (4)


2950-2# show interfaces trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/2     1-4094

Port      Vlans allowed and active in management domain
Fa0/2     1-30,100

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/2     1-30,100

2950-2# show monitor session 2
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 100
Destination Ports      : Fa
Encapsulation          : Native
          Ingress      : Disabled

    Monitoring Performance with ERSPAN

Enhanced Remote SPAN (ERSPAN) is similar to RSPAN, but it supports source ports, source VLANs, and destination

boundary.

    ERSPAN Guidelines

The payload of a Layer 3 ERSPAN packet is a copied Layer 2 Ethernet frame, excluding any ISL or 802.1Q tags.

ERSPAN adds a 50-byte header to each copied Layer 2 Ethernet frame and replaces the 4-byte cyclic redundancy check (CRC) trailer.

ERSPAN supports jumbo frames that contain Layer 3 packets of up to 9202 bytes. If the length of the

bytes (9152-byte Layer 3 packet), ERSPAN truncates the copied Layer 2 Ethernet frame to create a 9202-byte ERSPAN Layer 3 packet.

    Configuring ERSPAN

Step 1. Configure the source ERSPAN session.

Step 2. Configure the destination ERSPAN session on a different switch.

    ERSPAN Configuration Example


Switch1(config)# monitor session 66 type erspan-source
Switch1(config-mon-erspan-src)# source interface gigabitethernet 6/1
Switch1(config-mon-erspan-src)# destination
Switch1(config-mon-erspan-src-dst)# ip address 10.10.10.10
Switch1(config-mon-erspan-src-dst)# origin ip address 20.20.20.200
Switch1(config-mon-erspan-src-dst)# erspan-id 111

Switch2(config)# monitor session 60 type erspan-destination
Switch2(config-erspan-dst)# destination interface gigabitethernet 8/2
Switch2(config-erspan-dst)# source
Switch2(config-erspan-dst-src)# ip address 10.10.10.10
Switch2(config-erspan-dst-src)# erspan-id 111

    ERSPAN Verification Example (2)

Switch1# show monitor session 66
Session 66
----------
Type                   : ERSPAN Source Session
Source Ports           :
    Both               : Gi6/1
Destination IP Address : 10.10.10.10
Origin IP Address      : 20.20.20.200

Switch2# show monitor session 60
Session 60
----------
Type                   : ERSPAN Destination Session
Status                 : Admin Enabled
Source IP Address      : 10.10.10.10
Source ERSPAN ID       : 111
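A mirror session is also an interception point: from a defender's view, every SPAN, RSPAN and ERSPAN session found on a switch should deliver its copy only to an approved analyzer. The following parser for the show monitor session output format used on these slides, with an allow-list audit, is an added example and not code from the course or from Cisco; the sample output is constructed from the formats shown above, and the allow-lists are assumptions.

```python
import re
from typing import List

# Constructed sample in the show monitor session formats used on these slides
# (a local session, an RSPAN source session and an ERSPAN source session).
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa3/1
Destination Ports      : Fa3/5
          Ingress      : Disabled

Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/1
Reflector Port         : Fa0/24
Dest RSPAN VLAN        : 100

Session 66
----------
Type                   : ERSPAN Source Session
Source Ports           :
    Both               : Gi6/1
Destination IP Address : 10.10.10.10
"""

SESSION_RE = re.compile(r"^Session\s+(\d+)\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_show_monitor(text: str) -> List[dict]:
    """One dict per "Session N" block: sid, fields (top-level Key : Value lines),
    sources (Both / RX Only / TX Only entries) and dest_ports."""
    sessions: List[dict] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip(" -"):        # blank line or the dashed rule under "Session N"
            continue
        m = SESSION_RE.match(line)
        if m:
            cur = {"sid": int(m.group(1)), "fields": {}, "sources": {}, "dest_ports": []}
            sessions.append(cur)
            continue
        m = KV_RE.match(line)
        if not cur or not m:
            continue
        key, val = m.group(1).strip(), m.group(2)
        items = [v.strip() for v in val.split(",") if v.strip()]
        if key in ("Both", "RX Only", "TX Only"):   # indented under Source Ports / Source VLANs
            cur["sources"].setdefault(key, []).extend(items)
        elif key == "Destination Ports":
            cur["dest_ports"] = items
        else:
            cur["fields"][key] = val
    return sessions


def audit_sessions(sessions, approved_ports, approved_rspan_vlans, approved_collectors):
    """One finding per session whose copied traffic is delivered somewhere not on an allow-list."""
    findings = []
    for s in sessions:
        sid, fields = s["sid"], s["fields"]
        for port in s["dest_ports"]:
            if port not in approved_ports:
                findings.append(f"session {sid}: destination port {port} is not an approved analyzer port")
        vlan, ip = fields.get("Dest RSPAN VLAN"), fields.get("Destination IP Address")
        if vlan and vlan not in approved_rspan_vlans:
            findings.append(f"session {sid}: RSPAN VLAN {vlan} is not an approved RSPAN VLAN")
        if ip and ip not in approved_collectors:
            findings.append(f"session {sid}: ERSPAN destination {ip} is not an approved collector")
    return findings
```

Run audit_sessions over the output of every switch with the site's approved analyzer ports, RSPAN VLANs and ERSPAN collector addresses; any finding is a session nobody documented.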


    Capture Option with VACLs Example (1)


A user is troubleshooting a session timeout between a

10.1.1.2.

    Capture Option with VACLs Example (2)


cat6k(config)# access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
cat6k(config)# vlan access-map SWITCHvacl
cat6k(config-access-map)# match ip address 101
cat6k(config-access-map)# action forward capture
cat6k(config-access-map)# exit
cat6k(config)# vlan filter SWITCHvacl vlan-list 1
cat6k(config)# interface GigabitEthernet 3/26
cat6k(config-if)# switchport capture allowed vlan 1
cat6k(config-if)# switchport capture

    Capture Option with VACLs Example (3)


cat6k# show vlan access-map
Vlan access-map SWITCHvacl 10
        match: ip address 101

cat6k# show vlan filter
VLAN Map SWITCHvacl:

    Troubleshooting Using L2 Traceroute

All switches and interfaces in the network require CDP to be running and functioning properly.

Intermediate switches between the source and device in question must support the L2 traceroute feature.

    L2 Traceroute Example (1)

A user needs to identify the performance and path on a hop-by-hop basis for a specific server and client experiencing slow file-transfer performance, so she uses the L2 traceroute feature with the source MAC address of the server, 0000.0000.0007, to the destination MAC address of the client, 0000.0000.0011.

To perform an L2 traceroute, she can choose any switch in the network as long as that

destination MAC addresses in the MAC address table. Here, she performed the L2 traceroute command on the Catalyst in the figure.

    L2 Traceroute Example (2)


2950G# traceroute mac 0000.0000.0007 0000.0000.0011
Source 0000.0000.0007 found on 4503
4503 (14.18.2.132) : Fa3/48 => Fa3/2
6500 (14.18.2.145) : 3/40 => 3/24
2950G (14.18.2.176) : Fa0/24 => Fa0/23
2948G (14.18.2.91) : 2/2 => 2/24
Destination 0000.0000.0011 found on 2948G
Layer 2 trace completed
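The traceroute mac output above can be checked mechanically, for instance to confirm that the hop-by-hop path between two hosts matches the documented topology and that no undocumented switch sits in between. This parser is an added example, not part of the course material; the sample output is constructed to match the format shown, and the expected path is an assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the format of the traceroute mac output shown above.
SAMPLE_TRACE = """\
2950G# traceroute mac 0000.0000.0007 0000.0000.0011
Source 0000.0000.0007 found on 4503
4503 (14.18.2.132) : Fa3/48 => Fa3/2
6500 (14.18.2.145) : 3/40 => 3/24
2950G (14.18.2.176) : Fa0/24 => Fa0/23
2948G (14.18.2.91) : 2/2 => 2/24
Destination 0000.0000.0011 found on 2948G
Layer 2 trace completed
"""

HOP_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)\s*:\s*(\S+)\s*=>\s*(\S+)$")
END_RE = re.compile(r"^(Source|Destination)\s+([0-9a-fA-F.]+)\s+found on\s+(\S+)$")


class Hop(NamedTuple):
    switch: str
    ip: str
    in_port: str
    out_port: str


class L2Trace(NamedTuple):
    src_mac: str
    dst_mac: str
    hops: List[Hop]
    completed: bool   # True only if the switch reported completion and the hop list is consistent


def parse_l2_traceroute(text: str) -> L2Trace:
    """Parse traceroute mac output into an ordered hop list with a consistency check."""
    ends = {}
    hops: List[Hop] = []
    reported_done = False
    for raw in text.splitlines():
        line = raw.strip()
        m = END_RE.match(line)
        if m:
            ends[m.group(1)] = (m.group(2), m.group(3))   # "Source"/"Destination" -> (mac, switch)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(*m.groups()))
        elif line.lower().startswith("layer 2 trace completed"):
            reported_done = True
    src_mac, src_sw = ends.get("Source", ("", ""))
    dst_mac, dst_sw = ends.get("Destination", ("", ""))
    # The path must start on the switch that learned the source MAC and end on the
    # one that learned the destination MAC; anything else is a partial or garbled trace.
    consistent = bool(hops) and hops[0].switch == src_sw and hops[-1].switch == dst_sw
    return L2Trace(src_mac, dst_mac, hops, reported_done and consistent)


def unexpected_switches(trace: L2Trace, expected_path: List[str]) -> List[str]:
    """Switches that appear in the trace but not in the documented path between the two hosts."""
    return [h.switch for h in trace.hops if h.switch not in set(expected_path)]
```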

Enhancing Troubleshooting and Recovery Using Embedded Event Manager (EEM)

event collectors.

Generic Online Diagnostic (GOLD) test can be tracked as an event.

Enhances troubleshooting and recovery from network.


    Sample Embedded Event Manager Scenarios

Event (User Configurable)                                 Action (User Defined)
A specific interface error crosses                        Disable the interface and bring up a backup
Configuration changes are made during production hours.   Deny the configuration changes and send an email alert.
A GOLD diagnostic test fails.                             Generate a custom syslog message indicating the action to take for Level 1 network operators.
A user logs in to the system.                             Generate a custom login message based on the user ID.
Unauthorized hardware is inserted into the switch.        Send a page to the administrator.
It is necessary to collect data for                       Run a user-defined set of commands to collect

    Embedded Event Manager Configuration

EEM using applet CLI: Cisco IOS CLI-based configuration that provides a limited set of actions and detection

EEM using Tool Command Language (TCL) script: Provides full flexibility in defining the events and the subsequent actions

    Performance Monitoring Using the Network

    Family of Switches

Monitors and analyzes network traffic using remote network monitoring (RMON).

NAM.

Can monitor individual VLANs.

Can access link, host, protocol, and response-time statistics for capacity planning and real-time protocol monitoring.

    Network Analysis Module Source Support

    Supports multiple simultaneous sources:

Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel; or source port; and VACL with the capture option.

NDE feature collects individual flow statistics of the traffic switched through the switch. NDE can also export the

NetFlow FlowCollector application. The NAM is another example of such a flow collector.

    Chapter 6 Summary (1)

Security is a primary concern in maintaining a secure, stable, and uninterrupted network.

Network security goes far beyond the information in this chapter and includes topics such as intrusion detection, firewalls, virus protection, and operating system patching. Unless you recognize and understand the importance of network security, your network is at risk.

The following list summarizes the aspects and recommended practices for avoiding, limiting, and minimizing network vulnerabilities strictly related to Catalyst switches as a single network entity:

    Chapter 6 Summary (2)

Layer 2 attacks vary in nature and include spoofing attacks, VLAN attacks, MAC flood attacks, and switch device attacks, among others.

Use strong passwords with SSH access instead of Telnet exclusively to Cisco network devices.

Disable unused services such as TCP and UDP small services where appropriate.

Use AAA for centralized authentication, authorization, and accounting of network devices and remote access.

Use an access control feature such as 802.1X or port security to restrict workstation access to Catalyst switches.

Use DHCP snooping to prevent rogue DHCP servers on the network.

Use IPSG and DAI with DHCP snooping to prevent IP address and ARP spoofing attacks.

Apply management ACLs to limit remote access to Cisco network devices.

Apply data plane security ACLs to filter unwarranted traffic in the network.

Use private VLANs where appropriate to limit communication in specific VLANs.

L2 Traceroute, EEM, and NAM to ensure proper network performance.

    Chapter 6 Labs

Lab 6-1 Securing Layer 2 Switches

Lab 6-2 Securing Spanning Tree Protocol

VACLs

    Resources

Catalyst 3560 Command Reference
www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/3560_cr.html

Configuring Port Security:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1038501

www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html

Configuring