CCNP 3 v4 Module 7: Minimizing Service Loss and Data Theft in a Switched Network
© 2003, Cisco Systems, Inc. All rights reserved.
5/28/2018 Module 3 Router Configuration
Objectives
Switch Security Issues
Mitigating VLAN attacks
Mitigating Spoof Attacks
Implementing Authentication, Authorization and Accounting (AAA)
Defending Network Switches
Overview
This module describes some measures to secure Cisco's multilayer switches based on Cisco's SAFE blueprint.
Cisco Systems has implemented a number of device-level countermeasures to defend the individual devices as well as the entire network from security threats.
In this module we will spell out possible vulnerabilities, define threats, and describe the countermeasures that should be implemented to mitigate security risks.
Switch Security Concerns
Network security coverage often focuses on perimeter devices and the filtering of packets based upon Layer 3 and 4 headers, ports, stateful packet inspection and VPNs.
Campus Access devices and Layer 2 communication are left largely unconsidered in most security discussions.
Firewalls, Routers and Switches
Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until configured to do so.
The opposite is true for routers and switches.
Unlike firewalls, routers and switches have a default operational mode that forwards all traffic unless configured otherwise.
Securing more than the perimeter
Layer 2 Attacks
Attacks launched against switches and at Layer 2 can be grouped as follows:
MAC Layer Attacks
VLAN Attacks
Spoof Attacks
Attacks on Switch Devices
MAC Flooding Attack
MAC Flooding
A common Layer 2/switch attack is MAC Flooding, resulting in CAM table overflow that causes flooding of regular data frames out all switch ports.
A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses.
Once the CAM is full, the switch cannot create any additional CAM table entries.
The switch must flood new legitimate frames out all ports (the switch is in dumb hub mode).
The intruding device can now be attached to any switchport and see all traffic that flows through that switch.
Mitigation for MAC Flood Attacks
Configure Port Security to define the number of MAC addresses that are allowed on a given port.
Port security can also specify what MAC address is allowed on a given port.
Sticky configuration with maximum MAC address count.
Port Security
Port security restricts a switch port to a specific set and/or number of MAC addresses.
Addresses can be learned dynamically or configured statically.
To dynamically allow a set of MAC addresses on an interface, use the sticky configuration.
When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses.
The sticky configuration cannot be applied to trunk ports.
The switchport must be in switchport mode access.
Switch(config-if)# switchport port-security mac-address sticky
Port Security Configuration
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 4
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
show port-security
show port-security address
Caveats to Port Security Configuration
Port security is enabled on a port-by-port basis.
By default, only one MAC address is allowed access through a given switch port when port security is enabled.
Static MAC address entries for a given switchport may interfere with the maximum MAC address configuration.
The default violation action is shutdown.
Switchport Violation Actions
There are three violation actions that can be configured on the secure port:
Protect: frames from the non-allowed address are dropped but there is no log of the violation.
Restrict: frames from the non-allowed address are dropped and a log message is created.
Shutdown: if any frames are seen from a non-allowed address, the interface is errdisabled and a log message is created.
To bring a switchport out of errdisable, you must manually use the shutdown/no shutdown interface configuration mode command.
Shutdown is the default violation action.
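The following Python model is an added illustration, not code from the Cisco module: it simulates a CAM table with a deliberately tiny capacity and one secure port, so the MAC-flooding slides and the three violation actions above can be observed in a single run. Every MAC address, port name and log line in it is constructed.

```python
"""Constructed simulation of a switch CAM table with port security.
A tiny CAM capacity makes the MAC-flooding overflow easy to observe."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAM_CAPACITY = 8      # real switches hold thousands of entries; 8 keeps the demo short
FLOOD = "FLOOD"       # frame is flooded out every port except the ingress port
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs


@dataclass
class PortSecurity:
    maximum: int = 1                 # IOS default: one MAC per secure port
    violation: str = "shutdown"      # IOS default violation action
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)
    errdisabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self) -> None:
        self.cam: "OrderedDict[str, str]" = OrderedDict()   # MAC -> port
        self.psec: Dict[str, PortSecurity] = {}
        self.log: List[str] = []                             # constructed log lines

    def enable_port_security(self, port: str, maximum: int = 1,
                             violation: str = "shutdown", sticky: bool = False) -> None:
        self.psec[port] = PortSecurity(maximum, violation, sticky)

    def shutdown_no_shutdown(self, port: str) -> None:
        """Operator recovery from errdisable; sticky addresses survive, dynamic ones do not."""
        ps = self.psec[port]
        ps.errdisabled = False
        if not ps.sticky:
            ps.secure_macs.clear()

    def _port_security_allows(self, port: str, src: str) -> bool:
        """True if the frame may be processed, False if port security dropped it."""
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps.errdisabled:
            return False
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.append(src)        # learned as a (sticky) secure address
            return True
        ps.violations += 1                    # non-allowed address on a full secure port
        if ps.violation == "shutdown":
            ps.errdisabled = True
            self.log.append(f"{port}: violation from {src}, port err-disabled")
        elif ps.violation == "restrict":
            self.log.append(f"{port}: violation from {src}, frame dropped")
        # "protect" drops silently: no log entry
        return False

    def receive(self, in_port: str, src: str, dst: str) -> Optional[str]:
        """Process one frame; return the egress port, FLOOD, or None if dropped."""
        if not self._port_security_allows(in_port, src):
            return None
        if src in self.cam:
            self.cam[src] = in_port                  # refresh existing entry
        elif len(self.cam) < CAM_CAPACITY:
            self.cam[src] = in_port                  # learn new source
        # else: CAM full, the source cannot be learned (the MAC-flooding effect)
        if dst == BROADCAST or dst not in self.cam:
            return FLOOD
        out = self.cam[dst]
        return None if out == in_port else out       # never send back out the ingress port


def run_mac_flood(port_security: bool, violation: str = "restrict") -> dict:
    """Attacker on Fa0/3 sends frames from many bogus source MACs, then legitimate
    hosts A (Fa0/1) and B (Fa0/2) start talking. Returns what the switch did."""
    sw = Switch()
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=1, violation=violation, sticky=True)
    for i in range(CAM_CAPACITY + 4):                      # more bogus MACs than the CAM holds
        sw.receive("Fa0/3", f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    sw.receive("Fa0/2", HOST_B, BROADCAST)                 # B announces itself (e.g. ARP)
    egress = sw.receive("Fa0/1", HOST_A, HOST_B)           # A sends a unicast frame to B
    ps = sw.psec.get("Fa0/3")
    return {
        "cam_entries": len(sw.cam),
        "a_to_b_egress": egress,                            # FLOOD means the attacker's port sees it
        "violations": ps.violations if ps else 0,
        "errdisabled": ps.errdisabled if ps else False,
        "log": sw.log,
    }


if __name__ == "__main__":
    print("no port security :", run_mac_flood(False))
    print("restrict         :", run_mac_flood(True))
    print("shutdown         :", run_mac_flood(True, "shutdown"))
```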
VLAN Hopping
VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system.
VLAN Hopping can be accomplished by Switch Spoofing or Double Tagging.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
http://www.sans.org/resources/idfaq/vlan.php
Switch Spoofing
In a Switch Spoofing attack, the network attacker configures a system to spoof itself as a switch by emulating ISL or 802.1Q signaling and using DTP.
Doing so allows the end system to negotiate a trunk link with the switch.
Remember, by default Cisco switchports are set to dynamic desirable mode.
The solution to switch spoofing is to configure all edge ports as access ports, which essentially turns off trunking.
You can also change the native VLAN from the default of 1 so that the trunk is not negotiated properly.
Switch(config)# interface range fa0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if)# switchport trunk native vlan 10
Private VLANs
Private VLANs provide traffic isolation between ports although they may exist on the same Layer 3 segment and VLAN.
Private VLANs (PVLANs) can be implemented on Catalyst 4500s and 6500s to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN.
The 2950 and 3550 support "protected ports", which is functionally similar to PVLANs on a per-switch basis.
Private VLAN Port Types
A port in a PVLAN can be one of three types:
Isolated: an isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. Traffic received from an isolated port is forwarded only to promiscuous ports.
Promiscuous: a promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port.
Community: community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
Private VLAN Configuration Guidelines
VTP does not support private VLANs, so you must configure your VTP mode to transparent and manually add each primary and the associated private VLANs to each switch.
VLAN 1 and VLANs 1002 to 1005 cannot be private VLANs.
A primary VLAN can have one isolated VLAN and multiple community VLANs.
An isolated or community VLAN can have only one primary VLAN associated with it.
If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
Private VLAN Configuration Example
Router# configure terminal
Router(config)# vlan 202
Router(config-vlan)# private-vlan primary
Router(config-vlan)# exi
Router(config)# vlan 303
Router(config-vlan)# private-vlan community
Router(config-vlan)# exi
Router(config)# vlan 440
Router(config-vlan)# private-vlan isolated
Router(config-vlan)# exi
Router(config)# vlan 202
Router(config-vlan)# private-vlan association 303-307,309,440
Router(config-vlan)# end
Router(config)# interface fastethernet 5/1
Router(config-if)# switchport mode private-vlan host | promiscuous
Router(config-if)# switchport private-vlan host-association 202 303
Router(config)# interface fastethernet 5/2
Router(config-if)# switchport mode private-vlan host | promiscuous
Router(config-if)# switchport private-vlan host-association 202 440
Router# show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
202 303 community Fa5/1
202 440 isolated Fa5/2
Protected Ports
Protected ports do not forward any traffic to other ports that are also protected ports.
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
VLAN Security using ACLs
Cisco multilayer switches support three types of ACLs:
Router access control lists (RACLs): supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches.
Quality of service (QoS) access control lists: supported in the TCAM hardware on Cisco multilayer switches.
VLAN access control lists (VACLs): supported in software on Cisco multilayer switches.
VACLs are also referred to as VLAN maps.
VLAN ACL Examples
Routed ACLs
RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions.
With RACLs, access list statistics and logging are not supported.
VLAN ACLs
VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN.
VACLs are similar to route maps and follow route-map conventions, where map sequences are checked in order.
VLAN maps have three actions that can be configured:
Drop
Forward
Redirect
VLAN Map Configuration
ALSwitch7(config)#ip access-list extended HRServerAllowed
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerBlocked
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.0 0.0.0.127 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerDefaults
ALSwitch7(config-ext-nacl)#permit ip any any
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#vlan access-map HRServerMap 10
ALSwitch7(config-access-map)#match ip address HRServerAllowed
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 20
ALSwitch7(config-access-map)#match ip address HRServerBlocked
ALSwitch7(config-access-map)#action drop
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 30
ALSwitch7(config-access-map)#match ip address HRServerDefaults
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#end
ALSwitch7#config t
ALSwitch7(config)# vlan filter HRServerMap vlan-list 20
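To show how the HRServerMap sequences above are evaluated, here is an added Python model (not IOS code and not part of the module) of wildcard-mask ACL matching and in-order VLAN-map evaluation, run over a few constructed packets toward the HR web server. The ACL names, networks and wildcards are those of the slide; the sample source addresses are constructed.

```python
"""Constructed evaluator for the HRServerMap VLAN access map from the slide.
Models Cisco wildcard masks, first-match ACL semantics and in-order map sequences."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

WWW = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class AceEntry:
    """One access-list entry, e.g. permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www."""
    permit: bool
    proto: str          # "ip" matches any IP protocol
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    dport: Optional[int] = None

    @staticmethod
    def _wild_match(addr: str, net: str, wild: str) -> bool:
        # Cisco wildcard: a 1 bit means "don't care", so only the 0 bits are compared
        a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
        return (a & ~w) == (n & ~w)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (self._wild_match(p.src, self.src_net, self.src_wild)
                and self._wild_match(p.dst, self.dst_net, self.dst_wild))


def acl_permits(acl: List[AceEntry], p: Packet) -> bool:
    """First-match ACL semantics with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False


# vlan access-map <name> <seq> / match ip address <acl> / action <forward|drop>
VlanMap = List[Tuple[int, List[AceEntry], str]]


def vlan_map_action(vmap: VlanMap, p: Packet) -> str:
    """Sequences are checked in order; the first clause whose ACL permits the packet
    decides the action. A packet matching no clause is dropped (implicit deny)."""
    for _seq, acl, action in sorted(vmap, key=lambda clause: clause[0]):
        if acl_permits(acl, p):
            return action
    return "drop"


ANY = ("0.0.0.0", "255.255.255.255")
HR_SERVER = ("172.16.50.240", "0.0.0.0")        # 'host 172.16.50.240'

HR_SERVER_ALLOWED = [AceEntry(True, "tcp", "172.16.50.16", "0.0.0.15", *HR_SERVER, WWW)]
HR_SERVER_BLOCKED = [AceEntry(True, "tcp", "172.16.50.0", "0.0.0.127", *HR_SERVER, WWW)]
HR_SERVER_DEFAULTS = [AceEntry(True, "ip", *ANY, *ANY)]

HR_SERVER_MAP: VlanMap = [
    (10, HR_SERVER_ALLOWED, "forward"),
    (20, HR_SERVER_BLOCKED, "drop"),
    (30, HR_SERVER_DEFAULTS, "forward"),
]


def evaluate_samples() -> dict:
    """Constructed sample traffic toward the HR web server and elsewhere on the VLAN."""
    samples = {
        "allowed_subnet_www": Packet("172.16.50.20", "172.16.50.240", "tcp", WWW),   # .16-.31
        "blocked_subnet_www": Packet("172.16.50.100", "172.16.50.240", "tcp", WWW),  # .0-.127
        "blocked_subnet_ssh": Packet("172.16.50.100", "172.16.50.240", "tcp", 22),
        "outside_block_www": Packet("172.16.50.200", "172.16.50.240", "tcp", WWW),
        "unrelated_server": Packet("172.16.50.100", "172.16.50.250", "tcp", WWW),
    }
    return {name: vlan_map_action(HR_SERVER_MAP, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:20s} -> {action}")
```

Only TCP port 80 from 172.16.50.16-31 reaches the server; web traffic from the rest of 172.16.50.0-127 is dropped by sequence 20, and everything else falls through to sequence 30.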
show vlan access-map and show vlan filter
ALSwitch7#show vlan access-map
Vlan access-map "HRServer" 10
Match clauses:
ip address: HRServerAllowed
Action:
forward
Vlan access-map "HRServerMap" 20
Match clauses:
ip address: HRServerBlocked
Action:
drop
Vlan access-map "HRServerMap" 30
Match clauses:
ip address: HRServerDefaults
Action:
forward
ALSwitch7#show vlan filter
VLAN Map HRServerMap is filtering VLANs:
50
ALSwitch7#
Defending Network Switches
CDP can be selectively disabled on interfaces where management is not being performed or if you do not want CDP information learned out of that interface.
Switch(config-if)#no cdp enable
Controlling VTY Access
Cisco provides ACLs to permit or deny Telnet access to the VTY ports of a switch.
Use the access-class line configuration mode command to specify a subnet that is allowed to telnet to the switch.
The access-class command uses a standard ACL with the in keyword.
A standard ACL is used because the access-class command filters inbound connections.
Switch(config-line)#access-class 5 in
out can also be used to filter outbound VTY connections.
Access-class Example
Use Secure Shell (SSH)
SSH can be configured for remote access to Cisco multilayer switches.
Catalyst 2950s do not support SSH.
Switch(config)#hostname ALSwitch
ALSwitch(config)#ip domain-name cisco.com
ALSwitch(config)#ip ssh version 2
Please create RSA keys to enable SSH.
ALSwitch(config)#crypto key generate rsa general-keys
The name for the keys will be: ALSwitch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
ALSwitch(config)#
00:47:18: %SSH-5-ENABLED: SSH 1.99 has been enabled
ALSwitch(config)#line vty 0 15
ALSwitch(config-line)#transport input ssh
ALSwitch(config-line)#login local
ALSwitch(config-line)#exit
ALSwitch(config)#username leo privilege 15 secret baca
Encrypt Password
Make sure to use encrypted passwords.
Encrypted passwords can be used for enable passwords, user passwords, console and vty passwords.
ALSwitch(config)#enable secret class
ALSwitch(config)#username user1 secret userpass
ALSwitch(config)#username leo privilege 15 secret baca
ALSwitch(config)#exi
ALSwitch#sho run
...
!
hostname ALSwitch
!
enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
!
username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51
username user1 secret 5 $1$CalZ$rCMYfxqKPrJfWENUrHIZL.
Service Password Encryption
Some passwords are not encrypted by default, such as the enable password command and the line configuration mode password command.
To encrypt any plaintext passwords or key strings, use the global configuration mode command:
Switch(config)# service password-encryption
This will encrypt plaintext passwords with Cisco level 7 encryption.
This encryption level is not very strong.
END PART 1
PART 1 STOP HERE
DHCP Spoof Attack
DHCP Snooping
DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests.
Ports are identified as trusted and untrusted.
Trusted ports can source all DHCP messages while untrusted ports can source requests only.
Trusted ports host a DHCP server or can be an uplink toward the DHCP server.
If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.
DHCP Snooping Example
DHCP Snooping Configuration
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swdhcp82.htm
show ip dhcp snooping
MAC Address Spoofing
MAC Spoofing attacks occur when a device spoofs the MAC address of a valid network device to gain access to frames of the valid device.
The attacker generates a single frame with a source MAC address of the valid device.
Once the valid host sends new frames, the spoofed CAM table entry is overwritten so forwarding to that MAC address resumes on the legitimate port.
MAC Address Spoofing Example
ARP Table Entries
In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address.
The device at that IP address replies with its MAC address.
The host that originated the request then caches the ARP response, creating an ARP table entry.
ARP table entries are used to populate the destination Layer 2 header of packets sent to that IP address.
ARP Table Example
ARP Spoofing
By spoofing an ARP reply, an attacking device appears to be the destination MAC address sought by the senders.
Now the attacker's MAC address is stored with the legitimate destination IP address.
All packets destined for that IP address will be forwarded through the attacker's system on the Ethernet network.
ARP Cache Poisoning
http://www.grc.com/nat/arp.htm
ARP Spoof Example
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI) prevents ARP spoofing by intercepting and validating all ARP requests and responses.
Each intercepted ARP reply is verified for valid MAC to IP address bindings before it is forwarded to a PC.
ARP replies coming from invalid devices are dropped.
The switch checks the MAC to IP binding in the ARP reply with the trusted DHCP snooping database.
This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch.
http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080509b6f.html
Dynamic ARP Inspection Example
Configure all Access switch ports as untrusted and all switch ports connected to other switches as trusted.
Dynamic ARP Inspection
To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:
Forwards ARP packets received on a trusted interface without any checks
Intercepts all ARP packets on untrusted ports
Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.
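The DHCP Snooping slide and the DAI actions above share one data structure, the snooping binding table, so this added Python model (not IOS code and not part of the module) covers both: trusted and untrusted ports for DHCP, the binding built from a lease granted through a trusted port, and ARP validation against that binding. Port names, VLAN, addresses and log text are all constructed.

```python
"""Constructed model of DHCP snooping and Dynamic ARP Inspection (DAI) on one switch:
a Python illustration of the trust and binding-table logic, not Cisco IOS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message types (option 53)
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
SERVER_MESSAGES = {DHCP_OFFER, DHCP_ACK}      # only trusted ports may source these


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str] = field(default_factory=set)   # DHCP server ports and uplinks
    errdisabled: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)  # (vlan, ip) -> binding
    client_ports: Dict[str, str] = field(default_factory=dict)              # client MAC -> port
    log: List[str] = field(default_factory=list)                            # constructed log text

    def dhcp(self, port: str, vlan: int, msg_type: int, client_mac: str,
             yiaddr: str = "0.0.0.0") -> bool:
        """DHCP snooping: return True if the message is forwarded, False if dropped."""
        if port in self.errdisabled:
            return False
        if msg_type in SERVER_MESSAGES and port not in self.trusted_ports:
            # DHCP response from an untrusted port: rogue server; the slide says the port is shut down
            self.errdisabled.add(port)
            self.log.append(f"DHCP snooping: message type {msg_type} on untrusted {port}, port err-disabled")
            return False
        if msg_type in (DHCP_DISCOVER, DHCP_REQUEST) and port not in self.trusted_ports:
            self.client_ports[client_mac] = port      # remember which access port the client is on
        if msg_type == DHCP_ACK:
            # A lease granted through a trusted port becomes a binding-table entry
            client_port = self.client_ports.get(client_mac, port)
            self.bindings[(vlan, yiaddr)] = Binding(client_mac, yiaddr, vlan, client_port)
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: trusted ports are not checked; untrusted ones must match the binding table."""
        if port in self.errdisabled:
            return False
        if port in self.trusted_ports:
            return True
        binding = self.bindings.get((vlan, sender_ip))
        if binding is not None and binding.mac == sender_mac:
            return True
        self.log.append(f"DAI: invalid ARP on {port}: {sender_ip} claimed by {sender_mac}")
        return False


def run_scenario() -> dict:
    """Constructed sequence: a legitimate lease, a rogue DHCP server, and two spoofed ARP replies."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})          # Gi0/1: uplink toward the real DHCP server
    client, rogue, spoofer, gateway = (                     # constructed MAC addresses
        "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11", "00:00:0c:07:ac:01")
    res = {}
    sw.dhcp("Fa0/5", 10, DHCP_DISCOVER, client)
    res["rogue_offer"] = sw.dhcp("Fa0/7", 10, DHCP_OFFER, rogue, "10.0.0.99")   # rogue server on an access port
    sw.dhcp("Gi0/1", 10, DHCP_OFFER, client, "10.0.0.50")
    sw.dhcp("Fa0/5", 10, DHCP_REQUEST, client)
    res["real_ack"] = sw.dhcp("Gi0/1", 10, DHCP_ACK, client, "10.0.0.50")
    res["client_arp"] = sw.arp("Fa0/5", 10, client, "10.0.0.50")       # matches its binding
    res["gateway_arp"] = sw.arp("Gi0/1", 10, gateway, "10.0.0.1")       # trusted port, unchecked
    res["spoof_gateway"] = sw.arp("Fa0/8", 10, spoofer, "10.0.0.1")     # no binding for the gateway IP
    res["spoof_client"] = sw.arp("Fa0/8", 10, spoofer, "10.0.0.50")     # binding names a different MAC
    res["bindings"] = [(b.ip, b.mac, b.port) for b in sw.bindings.values()]
    res["errdisabled"] = sorted(sw.errdisabled)
    res["log"] = sw.log
    return res


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:14s}: {value}")
```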
Dynamic ARP Inspection Configuration
Dynamic ARP inspection is enabled on a per-VLAN basis
Make sure to enable DHCP snooping first
Dynamic ARP Inspection is not supported on 29xx series switches
What is AAA?
AAA stands for Authentication, Authorization and Accounting.
AAA is an architectural framework for configuring access control security functions.
AAA is generally concerned with access control to a network or network device.
For instance, an AAA server can be used to authenticate remote users via a VPN or it can be used to authenticate local users to a router, switch or firewall.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm
AAA in a Nutshell
Authentication provides the method of identifying users.
The most common method of authentication is username/password.
Authorization provides a method of controlling access to what a user can do.
Authorization is usually tied to a policy, profile or group.
Accounting provides a method for collecting and sending security server information used for billing, auditing, and reporting.
Accounting collects data as to what a user did once logged in.
AAA Servers and Authentication
AAA uses protocols such as RADIUS, TACACS+, or 802.1X to administer its security functions.
There is an authenticator (device) that permits or denies access to the network or network resource and an authentication server that provides the actual database of user identification.
The Authenticator can be a switch, router, firewall, wireless access point, VPN server or access server.
Using AAA for Login Security
The AAA security services facilitate a variety of login authentication methods.
Use aaa authentication login to enable AAA authentication.
With the aaa authentication login command, it is possible to create one or more lists of authentication methods that are tried at login.
The login authentication line configuration command applies these lists to login attempts.
AAA Login Configuration
AAA Login Configuration Example
Switch(config)#aaa new-model
Switch(config)#tacacs-server host 147.144.51.46 key 0 tacacskey
Switch(config)#aaa group server tacacs+ TACACS
Switch(config-sg-tacacs+)#server 147.144.51.46
Switch(config-sg-tacacs+)#exi
Switch(config)#
Switch(config)#aaa authentication login TACACS local
Switch(config)#line con 0
Switch(config-line)#login authentication TACACS
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm
Authentication Methods
AAA Authorization
AAA authorization enables the limitation of the services available to a user.
When AAA authorization is enabled, the device uses information retrieved from the user profile.
The user profile is located either in the local user database on the switch or on the security server.
You can configure up to 16 hierarchical levels of commands for each mode.
Setting Passwords and Privileges
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfpass.htm
AAA Accounting
Accounting is the process of keeping track of the activity of each user who is accessing the network resources.
Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.
802.1X Port-based Authentication
Supplicant
Authenticator
802.1X Port-based Authentication
Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switchport.
After authentication is successful, normal traffic can pass through the port.
The port starts in the unauthorized state.
While in this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets.
When a client is successfully authenticated, the port transitions to the authorized state.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/sw8021x.htm
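As an added illustration of the port states just described (not code from the module or from Cisco), this Python model parses raw Ethernet frames and lets only EAPOL (EtherType 0x888E) through a controlled port until an EAP-Success arrives, then returns the port to unauthorized on EAPOL-Logoff. The MAC addresses and the IP payload are constructed; the EtherType, EAPOL packet types and EAP codes are the standard values.

```python
"""Constructed model of an 802.1X controlled port: in the unauthorized state only
EAPOL frames (EtherType 0x888E) pass; after EAP-Success all traffic passes."""
import struct
from dataclasses import dataclass, field
from typing import List

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4                           # EAP codes
PAE_GROUP_ADDR = "01:80:c2:00:00:03"                      # 802.1X PAE group address


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version 1, packet type, body length."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


def eap(code: int, identifier: int) -> bytes:
    """Minimal EAP packet: code, identifier, length (4 = header only)."""
    return struct.pack("!BBH", code, identifier, 4)


@dataclass
class ControlledPort:
    state: str = "unauthorized"          # the slide's initial port state
    events: List[str] = field(default_factory=list)

    def ingress(self, frame: bytes) -> bool:
        """Return True if the frame is allowed through the controlled port."""
        if len(frame) < 14:
            return False
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            return self.state == "authorized"       # non-EAPOL blocked until authorized
        if len(frame) < 18:
            return False
        _version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if ptype == EAPOL_START:
            self.events.append("EAPOL-Start: begin EAP exchange")
        elif ptype == EAPOL_LOGOFF:
            self.state = "unauthorized"              # supplicant logged off
            self.events.append("EAPOL-Logoff: port unauthorized")
        elif ptype == EAPOL_EAP_PACKET and len(body) >= 4:
            self.events.append(f"EAP code {body[0]} relayed to authentication server")
        return True                                  # EAPOL is always allowed through

    def server_result(self, eap_packet: bytes) -> str:
        """Apply the EAP-Success/Failure the authenticator received from the AAA server."""
        code = eap_packet[0]
        self.state = "authorized" if code == EAP_SUCCESS else "unauthorized"
        self.events.append(f"server result code {code}: port {self.state}")
        return self.state


def run_scenario() -> List[bool]:
    """Constructed supplicant on an access port; returns which frames got through."""
    sup, gw = "00:11:22:33:44:55", "00:00:0c:07:ac:01"      # constructed MACs
    port = ControlledPort()
    ip_frame = ethernet(gw, sup, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)   # dummy IPv4 header
    start = ethernet(PAE_GROUP_ADDR, sup, ETHERTYPE_EAPOL, eapol(EAPOL_START))
    logoff = ethernet(PAE_GROUP_ADDR, sup, ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF))
    results = [port.ingress(ip_frame),      # False: unauthorized and not EAPOL
               port.ingress(start)]         # True: EAPOL passes
    port.server_result(eap(EAP_SUCCESS, 1))
    results += [port.ingress(ip_frame),     # True: port now authorized
                port.ingress(logoff),       # True, and the port returns to unauthorized
                port.ingress(ip_frame)]     # False again
    return results


if __name__ == "__main__":
    print(run_scenario())   # [False, True, True, True, False]
```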
802.1X Configuration
Switch1(config)#aaa new-model
Switch1(config)#aaa authentication dot1x TACACS local
Switch1(config)#dot1x system-auth-control
Switch1(config)#interface range fa0/2 - 20
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#dot1x port-control auto
Switch1(config-if-range)#end
Switch1# show run
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
spanning-tree portfast
Capturing Traffic in a Switched Network
If a network analyzer is connected to a switch port, by default the analyzer will only collect data directed to the MAC address of the analyzer.
To resolve this issue, we configure Switch Port Analyzer (SPAN) ports.
SPAN sends a copy of frames generated on one port or an entire VLAN to another switch port hosting a network analyzer.
Also known as port mirroring or port monitoring.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swspan.htm
SPAN Example
Remote SPAN (RSPAN)
RSPAN sends traffic from a monitored port through an intermediate switch network to a traffic analyzer on another switch.
RSPAN supports source ports, source VLANs, and destination ports on different switches.
RSPAN provides remote monitoring of ports on multiple switches across the network.
RSPAN Example
Reflector Ports
The reflector port is the mechanism that copies packets onto an RSPAN VLAN.
The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated.
Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.
The reflector port has these characteristics:
It is a port set to loopback.
It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
It is invisible to all VLANs.
Spanning tree is automatically disabled on a reflector port.
SPAN and RSPAN Configuration
SPAN:
Switch(config)#monitor session 1 source interface fa0/2
Switch(config)#monitor session 1 source interface fa0/2 - 24
Switch(config)#monitor session 1 source vlan 33 , 34 , 40 - 50
Switch(config)#monitor session 1 destination interface fa0/10
RSPAN:
SourceSw(config)#vlan 100
SourceSw(config-vlan)#remote-span
SourceSw(config-vlan)#exi
SourceSw(config)#monitor session 1 source interface fa0/10 both
SourceSw(config)#monitor session 1 destination remote vlan 100 reflector-port fa0/12
DestSw(config)#monitor session 1 source remote vlan 100
DestSw(config)#monitor session 1 destination interface fa0/5