web analytics

CCNP BCMSN Notes – Securing Switch Access

Posted on November 9, 2009

Port Security

Port security can be used to restrict which or how many hosts connect to a switch port:

       clip_image002

Violation actions:

        protect – The port continues to function without logging a violation, but frames from violating MAC addresses are dropped.

        restrict – As with protect mode, frames from violating MAC addresses are dropped, but the violation is logged.

        shutdown – The port is transitioned to the error-disabled state, and no traffic is accepted.

IEEE 802.1x

Extensible Authentication Protocol Over LANs (EAPOL) is used to authenticate a connecting host to a switch via layer 2.

Enable AAA and specify a RADIUS server to be referenced for authentication:

      clip_image004

Enable 802.1x globally:

     clip_image006

Configure authorization per interface:

    clip_image008

Port control states:

       Force – authorized (default) – Port is always authorized

       Force – unauthorized – Port will never become authorized

       Auto – Authorization depends on a successful 802.1x authentication

Multiple hosts can be allowed to share a single port with dot1x host-mode multi-host.

show dot1x all will verify 802.1x operation.

DHCP Snooping

DHCP Snooping prevents DHCP-influenced Man-in-the-Middle (MITM) attacks by blocking DHCP replies from untrusted ports.

     clip_image010

To designate a port as trusted (DHCP replies are allowed inbound):

     clip_image012

DHCP snooping can also rate-limit DHCP requests on untrusted ports:

    clip_image014

A DHCP snooping switch can inject its own MAC and the port on which a request was received in option 82 of the request:

    clip_image016 

show ip dhcp snooping [binding] displays DHCP snooping status.

IP Source Guard

IP source guard is used to mitigate IP spoofing, and relies on DHCP snooping bindings to determine the legitimacy of a source address.

To enable IP source guard:

     clip_image018

The addition of the port-security parameter also enables validation of source MAC addresses for ports configured with port security.

Static address mappings can be entered for hosts which do not use DHCP:

     clip_image020

Verification:

       show ip verify source – Displays the IP source guard status

       show ip source binding – Displays the IP source guard database

Dynamic ARP Inspection (DAI)

DAI mitigates ARP spoofing attacks (ARP cache poisoning); static ARP entries or the DHCP snooping database must be used for reference.

To enable DAI per VLAN:

     clip_image022

DAI is only performed on untrusted ports; all ports are untrusted by default.

To configure an interface as trusted:

     clip_image024

Static ARP entries can be defined in an ARP access list:

     clip_image026

To apply the ARP ACL to one or more VLANs:

     clip_image028

The static keyword disables checking against the DHCP snooping database (ARP replies will only be allowed from hosts listed in the ACL).

By default DAI only checks the ARP source MAC and IP. DAI can be configured to also inspect the Ethernet header source and destination MAC, and ARP source IP:

     clip_image030

show ip arp inspection displays DAI status information.

         

Leave a Reply