Switch security features
4.2.a i VACL, PACL
VACL
VLAN Access Control List
General Information on “VACL”:
- Filters traffic bridged within a VLAN as well as traffic routed into or out of a VLAN
- Configured through VLAN access maps: a sequence can contain multiple match clauses but only a single action
- Each access-map sequence is built from "match" and "action" keywords:
  - match: selects the traffic (by referencing an IP or MAC ACL)
  - action: what happens to the matched traffic (drop or forward, optionally logged)
- As with any ACL, the first matching sequence decides; later sequences are not evaluated
- Implicit deny at the end of the VACL: traffic that matches no sequence is dropped
Types of VACLs:
- IP ACL (IPv4, IPv6)
- MAC ACL (matches on Layer 2 headers; does not filter IP traffic)
Configuration considerations:
- Only one VLAN Access Map can be attached to each VLAN
- For Private VLANs the VLAN access map must be attached to the primary Private VLAN
“VACL” CLI configuration commands:
## Defining a MAC-based ACL
Switch(config)# mac access-list extended [ACL NAME]
Switch(config-ext-macl)# permit {host <src-mac> | any} {host <dst-mac> | any}
## Defining an IP-based ACL
Switch(config)# ip access-list {standard | extended} [ACL NAME]
Switch(config-ext-nacl)# permit <protocol> {host <src-ip> | <src-ip> <wildcard> | any} {host <dst-ip> | <dst-ip> <wildcard> | any}
## Defining a VLAN access map
Switch(config)# vlan access-map [MAP NAME]
Switch(config-access-map)# match [mac | ip] address [ACL NAME]
Switch(config-access-map)# action [drop | forward] [log]
Switch(config)# vlan filter [MAP NAME] vlan-list <vlan-ids>
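The evaluation order described above (several match clauses per sequence, one action, first matching sequence wins, implicit deny at the end) as an added Python model. This is an illustration written for these notes, not Cisco code; the ACL names, addresses and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of a VLAN access map (not Cisco code): sequences are
# evaluated in order, a sequence "matches" when one of its referenced ACLs
# permits the frame, the first matching sequence supplies the single action,
# and anything left over hits the implicit deny. ACL names, addresses and
# MACs below are made up for the example.

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None for non-IP frames
    dst_ip: Optional[str] = None

def ip_acl_permits(entries, frame):
    """entries: (permit|deny, src_net, dst_net). Inside a VACL, 'permit' means
    'this traffic is matched by the clause' and 'deny' means 'not matched'."""
    if frame.src_ip is None:           # an IP ACL never matches non-IP frames
        return False
    src, dst = ip_address(frame.src_ip), ip_address(frame.dst_ip)
    for action, src_net, dst_net in entries:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action == "permit"
    return False                       # implicit deny inside the ACL itself

def mac_acl_permits(entries, frame):
    """entries: (permit|deny, src_mac|any, dst_mac|any). Following the note
    above that a MAC ACL does not filter IP, it is only consulted for non-IP frames."""
    if frame.src_ip is not None:
        return False
    for action, src, dst in entries:
        if src in ("any", frame.src_mac) and dst in ("any", frame.dst_mac):
            return action == "permit"
    return False

# Constructed ACLs referenced by the access map
ACLS = {
    "TO-DB-SERVER": [("permit", "0.0.0.0/0", "10.1.1.10/32")],
    "INTERNAL":     [("permit", "10.0.0.0/8", "10.0.0.0/8")],
    "ALL-MAC":      [("permit", "any", "any")],
}

# vlan access-map FILTER-V10: (sequence number, match clauses, action)
ACCESS_MAP = [
    (10, [("ip", "TO-DB-SERVER")], "drop"),
    (20, [("ip", "INTERNAL")],     "forward"),
    (30, [("mac", "ALL-MAC")],     "forward"),
]

def vacl_action(access_map, acls, frame):
    """Return (action, matching sequence); ('drop', None) is the implicit deny."""
    for seq, matches, action in access_map:
        for kind, acl_name in matches:
            permits = ip_acl_permits if kind == "ip" else mac_acl_permits
            if permits(acls[acl_name], frame):
                return action, seq     # first match wins, the rest is ignored
    return "drop", None

if __name__ == "__main__":
    f = Frame("0000.1111.0001", "0000.1111.0002", "10.1.1.5", "10.1.1.10")
    print(vacl_action(ACCESS_MAP, ACLS, f))   # ('drop', 10)
```

Note how a frame from 192.168.1.1 is dropped even though no sequence names it: sequence 20 only matches 10.0.0.0/8 sources and the MAC sequence ignores IP frames, so the implicit deny applies.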
PACL
Port Access Control List
General Information on “PACL”:
- Used on layer 2 devices
- Applied in the inbound direction on a port only
- Layer 2 control traffic (CDP, STP, …) is not affected
PACL types:
- IP PACL: Filters IPv4 and IPv6 traffic on a Layer 2 port
- MAC PACL: Filters traffic based on the L2 (MAC address) on a Layer 2 port
PACL interaction type:
- Prefer mode: PACL overrides other ACLs. This is the only allowed mode for trunks.
- Merge mode (default): PACLs, VACLs and RACLs are merged in the ingress direction.
“PACL” CLI configuration commands:
## Defining a MAC-based ACL
Switch(config)# mac access-list extended [ACL NAME]
Switch(config-ext-macl)# permit {host <src-mac> | any} {host <dst-mac> | any}
## Applying a MAC-based ACL to an interface
Switch(config)# interface <if>
Switch(config-if)# mac access-group [ACL NAME] in
## Defining an IP-based ACL
Switch(config)# ip access-list {standard | extended} [ACL NAME]
Switch(config-ext-nacl)# permit <protocol> {host <src-ip> | <src-ip> <wildcard> | any} {host <dst-ip> | <dst-ip> <wildcard> | any}
## Applying an IP-based ACL to an interface
Switch(config)# interface <if>
Switch(config-if)# ip access-group [ACL NAME] in
4.2.a ii Storm control
What Storm Control does:
- Prevents unicast, multicast, broadcast storms by measuring the input rate on a physical interface and allowing or denying the traffic based on defined thresholds
Why Storm Control is needed:
- Broadcast storms caused by misconfigured STP (or disabled STP protection features), and DoS (Denial of Service) attacks flooding the network
// Graphic missing - Coming soon //
How Storm Control works:
- Measures the input rate on a physical interface
- Traffic on the port can be either temporarily blocked or the port completely shut down
- Two thresholds can be defined (rising threshold and falling threshold)
- If only one threshold is defined, the falling threshold equals the rising threshold
- Once the rising threshold is reached, the traffic type is either blocked until its rate drops back below the falling threshold (default), or the port is put into err-disabled state; optionally an SNMP trap is sent
- Configuration is done per interface for each traffic type individually (unicast, multicast, broadcast)
- Storm control algorithms differ depending on the Cisco device type
- On EtherChannels the configuration ALWAYS has to be done on the port-channel interface, NEVER on the member interfaces
- Storm Control is typically configured on Access Ports to prevent storms from even reaching the network
- Rates are measured over one-second (1 s) intervals (time slots)
Storm Control default behavior:
- Traffic of the storming type is dropped for every FOLLOWING one-second interval until its measured rate falls below the falling threshold
Storm Control optional behavior:
- Port can be put into err-disabled state completely
- SNMP trap can be sent
“Storm control” CLI configuration commands:
## Applying storm control to an interface using percentage values
Switch(config)# interface <if>
Switch(config-if)# storm-control <traffic-type> level <rising-in-%> [<falling-in-%>]
## Applying storm control to an interface using bits per second (bps) values
Switch(config)# interface <if>
Switch(config-if)# storm-control <traffic-type> bps <rising-in-bps> [<falling-in-bps>]
## Applying storm control to an interface using packets per second (pps) values
Switch(config)# interface <if>
Switch(config-if)# storm-control <traffic-type> pps <rising-in-pps> [<falling-in-pps>]
## Configuring the behavior when storms occur (both actions can be configured, one command each)
Switch(config)# interface <if>
Switch(config-if)# storm-control action {trap | shutdown}
“Storm control” CLI show commands:
## Showing the storm control enabled interfaces, thresholds, ...
Switch# show storm-control
## Showing the storm control enabled interfaces, thresholds, ... for a specific traffic type
Switch# show storm-control <traffic-type>
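The rising/falling threshold behavior and the two optional actions from the storm control section above, as an added Python model written for these notes (not Cisco code). It feeds a constructed list of per-second rate samples through one interface; thresholds are in pps here, but percentage or bps thresholds follow the same logic.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of storm control on one interface for one traffic type
# (not Cisco code): the interface is sampled once per one-second interval,
# reaching the rising threshold starts suppression, and suppression stays in
# place for the following intervals until a sample falls below the falling
# threshold. Actions mirror "storm-control action {trap | shutdown}".

@dataclass
class StormControl:
    rising: float
    falling: Optional[float] = None   # defaults to rising when not given
    actions: frozenset = frozenset()  # subset of {"trap", "shutdown"}
    blocking: bool = False
    errdisabled: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising     # single-threshold case

    def interval(self, rate):
        """Process one one-second measurement; return what happens to the traffic."""
        if self.errdisabled:
            return "err-disabled"
        if self.blocking:
            if rate < self.falling:      # storm is over, resume forwarding
                self.blocking = False
                self.events.append(f"cleared at {rate} pps")
                return "forward"
            return "drop"                # still at or above the falling threshold
        if rate >= self.rising:          # new storm detected
            self.events.append(f"storm at {rate} pps")
            if "trap" in self.actions:
                self.events.append("snmp-trap")
            if "shutdown" in self.actions:
                self.errdisabled = True  # port goes err-disabled, stays there
                return "err-disabled"
            self.blocking = True         # default behavior: filter the traffic type
            return "drop"
        return "forward"

def run(samples, rising, falling=None, actions=()):
    """Feed a list of per-second rates (constructed input) through one instance."""
    sc = StormControl(rising, falling, frozenset(actions))
    return [sc.interval(r) for r in samples], sc

if __name__ == "__main__":
    decisions, sc = run([100, 1500, 1200, 600, 400, 100], rising=1000, falling=500)
    print(decisions)   # ['forward', 'drop', 'drop', 'drop', 'forward', 'forward']
    print(sc.events)
```

The sample at 600 pps is still dropped even though it is below the rising threshold: forwarding only resumes once a sample drops below the falling threshold, which is the reason for configuring a separate falling value.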
4.2.a iii DHCP Snooping, DHCP option 82
What DHCP Snooping does:
- Prevents rogue DHCP servers on untrusted ports from answering DHCP Discover messages
DHCP Spoofing (attack vector):
- The attacker sets up a rogue DHCP server (e.g. the attacker's own machine) in the network
- This machine answers DHCP requests from clients
- Client traffic gets routed via the attacker's machine, where it can be sniffed
How DHCP Snooping works:
- DHCP snooping is a per-port security mechanism
- Switch ports are configured as trusted or untrusted:
  - Trusted ports connect to a DHCP server or are the uplink towards a DHCP server
  - DHCP server replies received on untrusted ports are dropped
  - If a device on an untrusted port attempts to send a DHCP server response, the port is automatically shut down
- A dynamic DHCP snooping binding table is built and maintained; it stores the MAC and IP address, lease time, binding type (dynamic or static), VLAN and port of the host the address was assigned to
DHCP Option 82:
- Inserted by default into DHCP packets when DHCP snooping is enabled
- Carries information like the switch port the request was received on
- A Cisco IOS device acting as DHCP server can't handle DHCP Option 82, therefore inserting it needs to be disabled
DHCP Snooping configuration steps:
- Enable DHCP Snooping globally
- Enable DHCP Snooping on selected VLANs
- Optionally: Disable DHCP Snooping DHCP option 82
- Configure trusted interfaces (untrusted is the default for every port!)
“DHCP Snooping” CLI configuration commands:
## Enabling DHCP snooping globally
Switch(config)# ip dhcp snooping
## Enabling DHCP snooping per VLAN
Switch(config)# ip dhcp snooping vlan <vlan-id>
## Disabling DHCP snooping DHCP option 82 globally
Switch(config)# no ip dhcp snooping information option
## Configuring an interface as DHCP snooping trusted
Switch(config)# interface <if>
Switch(config-if)# ip dhcp snooping trust
“DHCP Snooping” CLI show commands:
## Showing DHCP snooping status
Switch# show ip dhcp snooping
## Showing DHCP snooping binding table
Switch# show ip dhcp snooping binding
4.2.a iv IP Source Guard
What IP Source Guard does:
- Protects against IP spoofing attacks
IP Spoofing (attack vector):
- An attacker sources its traffic from an IP address that actually belongs to another host
How IP Source Guard works:
- Requires DHCP snooping to be enabled and configured, because it relies on the DHCP snooping binding table
- Tracks IP addresses to port associations
- Verifies source IP and optionally MAC address
- Maintains per-port VLAN ACLs (PVACLs) based on IP-to-MAC-to-switch-port bindings
- Should be configured on Layer 2 untrusted ports
Possible port configurations:
- IP address only filter (normal mode)
- IP address + MAC address filter (with port-security keyword and port-security enabled)
IP Source Guard port behavior:
- Until a binding exists, all IP traffic on the port is blocked except for DHCP packets
- As soon as a DHCP-learned or static binding is assigned to the port, a PVACL permitting only that binding is installed
IP Source Guard configuration steps:
- Enable and Configure DHCP Snooping
- Configure IP Source Guard on untrusted Layer 2 ports
“IP Source Guard” CLI configuration commands:
## Enabling IP Source Guard (normal mode) on an interface
Switch(config)# interface <if>
Switch(config-if)# ip verify source
## Enabling IP Source Guard (extended mode) on an interface
Switch(config)# interface <if>
Switch(config-if)# ip verify source port-security
## Creating a static IP-to-MAC binding entry
Switch(config)# ip source binding <mac> vlan <vlan-id> <ip> interface <if>
“IP Source Guard” CLI show commands:
## Showing IP Source Guard status
Switch# show ip verify source
4.2.a v Dynamic ARP Inspection
What Dynamic ARP Inspection (DAI) does:
- Prevents rogue attackers from sending false/malicious ARP responses
ARP Spoofing (attack vector):
- The attacker sends false/malicious ARP replies to a host so that the host maps the IP address of its intended destination to the attacker's MAC address
How Dynamic ARP Inspection (DAI) works:
- Requires DHCP snooping to be enabled and configured, because it relies on the DHCP snooping binding table
- Intercepts all ARP requests and responses on untrusted interfaces
- Verifies that each packet has a valid IP-to-MAC binding before updating the ARP cache or before forwarding the packet to the destination
- Drops invalid ARP packets
- Trusted interfaces bypass DAI
- Untrusted interfaces undergo DAI
Dynamic ARP Inspection (DAI) in detail:
- DAI is an ingress only feature
- DAI works on access and trunk ports, EtherChannels and PVLAN ports
Dynamic ARP Inspection (DAI) default settings (when enabled):
- Rate limit on untrusted ports: 15 pps (the port is err-disabled when the limit is exceeded)
Dynamic ARP inspection (DAI) configuration steps:
- Enable and Configure DHCP Snooping
- Configure the DHCP-snooping-trusted Layer 2 ports (uplinks, DHCP server port) as DAI trusted so that they bypass inspection
“Dynamic ARP Inspection” CLI configuration commands:
## Enabling DAI per VLAN
Switch(config)# ip arp inspection vlan <vlan-id>
## Configuring an interface as DAI trusted
Switch(config)# interface <if>
Switch(config-if)# ip arp inspection trust
“Dynamic ARP Inspection” CLI show commands:
## Showing Dynamic ARP Inspection status
Switch# show ip arp inspection
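DHCP snooping, IP Source Guard and Dynamic ARP Inspection (sections iii to v above) all work from the same binding table, so one added Python model covers the three: server replies are only accepted on trusted ports and populate the table, IP packets on IPSG-enabled ports are checked against it (IP-only or IP+MAC mode), and ARP packets on untrusted ports in DAI-enabled VLANs are checked against it with the default 15 pps rate limit. This is illustration code written for these notes, not Cisco code; the port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed model of the three features that share the DHCP snooping
# binding table (not Cisco code). Port names, MACs and addresses are made up.

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str = "dynamic"     # "dynamic" (DHCP-learned) or "static"

class AccessSwitch:
    DAI_RATE_LIMIT = 15       # default ARP rate limit on untrusted ports, pps

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> Binding
        self.pending: Dict[Tuple[str, int], str] = {}        # Discover seen: (mac, vlan) -> client port
        self.ipsg: Dict[str, str] = {}         # port -> "ip" or "ip-mac"
        self.dai_vlans = set()
        self.arp_count: Dict[str, int] = {}    # ARP packets per port in the current second
        self.errdisabled = set()

    # --- DHCP snooping -------------------------------------------------
    def dhcp_discover(self, port, mac, vlan):
        """Client messages are allowed from any port; remember where the client sits."""
        self.pending[(mac, vlan)] = port
        return "forward"

    def dhcp_server_reply(self, port, client_mac, client_ip, vlan):
        """Offer/Ack from a server: only accepted when it arrives on a trusted port."""
        if port not in self.trusted:
            return "drop"                        # rogue DHCP server on an untrusted port
        client_port = self.pending.get((client_mac, vlan))
        if client_port:
            self.bindings[(client_mac, vlan)] = Binding(client_mac, client_ip, vlan, client_port)
        return "forward"

    def add_static_binding(self, mac, vlan, ip, port):
        """Equivalent of 'ip source binding ... interface ...'."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port, "static")

    # --- IP Source Guard -----------------------------------------------
    def enable_ipsg(self, port, mode="ip"):
        self.ipsg[port] = mode                   # "ip" = ip verify source, "ip-mac" = ... port-security

    def ip_packet(self, port, src_mac, src_ip, vlan):
        mode = self.ipsg.get(port)
        if mode is None:
            return "forward"                     # IPSG not enabled on this port
        for b in self.bindings.values():
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if mode == "ip" or b.mac == src_mac:
                    return "forward"             # matches the installed PVACL
        return "drop"                            # no binding: spoofed or unknown source

    # --- Dynamic ARP Inspection ----------------------------------------
    def enable_dai(self, vlan):
        self.dai_vlans.add(vlan)

    def new_second(self):
        self.arp_count.clear()                   # rate limit window rolls over

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        if port in self.errdisabled:
            return "err-disabled"
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"                     # trusted ports bypass DAI
        self.arp_count[port] = self.arp_count.get(port, 0) + 1
        if self.arp_count[port] > self.DAI_RATE_LIMIT:
            self.errdisabled.add(port)           # rate limit exceeded
            return "err-disabled"
        b = self.bindings.get((sender_mac, vlan))
        if b and b.ip == sender_ip:
            return "forward"
        return "drop"                            # IP-to-MAC pair not in the binding table
```

The order of operations matters in practice exactly as in the model: without a DHCP exchange (or a static binding) there is no table entry, so an IPSG-enabled port drops all IP traffic and DAI drops all ARP from that host.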
4.2.a vi Port Security
What Port Security does:
- Provides Layer 2 security features to limit and/or specify the users able to connect to a given port
How Port Security works:
- Access to a given port is limited to a specific set of statically configured or dynamically learned MAC addresses
- Settings like the maximum number of allowed MAC addresses, aging time and the violation mode can be tuned
- MAC addresses can be learned dynamically and/or configured statically
Port Security default behavior:
- Maximum allowed MAC addresses: one (1)
- Violation mode: shutdown
- Aging type: absolute
- Aging time: zero (0) = aging disabled, secure addresses never age out
Port Security optional behavior:
- Maximum allowed MAC addresses: 1 to 4097
- Violation mode "protect": drops frames from unknown MAC addresses silently
- Violation mode "restrict": drops frames and increments the SecurityViolation counter
- Aging type: inactivity
- Aging time: 1 to 1440 minutes
- MAC address "sticky": the MAC address is learned AND saved to the configuration (survives a reboot)
Port Security configuration steps:
- Configure the port statically as access/trunk port
- Enable port security on a given port
- Fine tune the default port security settings if needed
- Optionally: Define static MAC addresses
“Port Security” CLI configuration commands:
## Enabling port-security on an interface
Switch(config)# interface <if>
Switch(config-if)# switchport port-security
## Fine tuning port-security on an interface
Switch(config-if)# switchport port-security maximum <1-4097>
Switch(config-if)# switchport port-security aging type {absolute | inactivity}
Switch(config-if)# switchport port-security aging time <time-in-min>
Switch(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
“Port Security” CLI show commands:
## Showing port security status
Switch# show port-security [interface <if>]
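The default and optional port security behaviors listed above (maximum, the three violation modes, sticky learning, absolute versus inactivity aging) as an added Python model of one access port. This is illustration code written for these notes, not Cisco code; the MAC addresses and the minute-based clock are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed model of port security on one access port (not Cisco code):
# secure MACs are static or learned until "maximum" is reached, anything
# beyond that is a violation handled per the configured mode, "sticky"
# copies learned MACs into the saved configuration, and aging removes
# dynamically learned MACs (absolute: aging_time minutes after learning,
# inactivity: aging_time idle minutes). Defaults follow the table above.

@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"            # protect | restrict | shutdown
    aging_type: str = "absolute"           # absolute | inactivity
    aging_time: int = 0                    # minutes, 0 = aging disabled
    sticky: bool = False
    static: frozenset = frozenset()        # switchport port-security mac-address xxxx
    learned: Dict[str, int] = field(default_factory=dict)   # mac -> minute learned / last seen
    saved_config: list = field(default_factory=list)        # lines a "write memory" would keep
    violations: int = 0                    # SecurityViolation counter
    errdisabled: bool = False

    def secure_macs(self):
        return set(self.static) | set(self.learned)

    def frame(self, src_mac, now=0):
        """Ingress frame at minute 'now'; return forward / drop / err-disabled."""
        if self.errdisabled:
            return "err-disabled"
        self.age(now)
        if src_mac in self.static:
            return "forward"
        if src_mac in self.learned:
            if self.aging_type == "inactivity":
                self.learned[src_mac] = now          # refresh the idle timer
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned[src_mac] = now              # dynamic learning
            if self.sticky:
                self.saved_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Violation: the port already holds "maximum" secure addresses
        if self.violation == "protect":
            return "drop"                            # silent drop, no counter
        self.violations += 1
        if self.violation == "restrict":
            return "drop"
        self.errdisabled = True                      # shutdown mode (default)
        return "err-disabled"

    def age(self, now):
        """Remove dynamically learned MACs whose timer expired (sticky MACs are kept)."""
        if self.aging_time == 0 or self.sticky:
            return
        for mac, stamp in list(self.learned.items()):
            if now - stamp >= self.aging_time:
                del self.learned[mac]

if __name__ == "__main__":
    port = PortSecurity()                            # all defaults: max 1, shutdown
    print(port.frame("0000.aaaa.0001"))              # forward
    print(port.frame("0000.aaaa.0002"))              # err-disabled
```

The aging example in the test shows why the aging type matters for a hot-desk port: with absolute aging the first MAC expires five minutes after being learned regardless of traffic, with inactivity aging it stays secured as long as it keeps talking.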
4.2.a vii Private VLAN
What Private VLANs do:
- Isolate devices within the same VLAN (and IP subnet) so that they can't communicate with each other
// Graphic missing - Coming soon //
Why Private VLANs are needed:
- Keeping the configuration simple when several/many isolated hosts are needed
- Keeping one subnet for many isolated hosts
Private VLAN types:
- Primary: The VLAN for the whole segment which contains sub-VLANs
- Secondary: Sub-VLANs either of type Isolated or Community
Private VLAN port types:
- Isolated: Hosts within an Isolated VLAN can't talk to each other
- Community: Hosts within a Community VLAN can talk to each other
- Promiscuous: Belongs to the primary VLAN. Used for uplink ports. Can talk with all Isolated and Community ports.
Private VLAN configuration:
- Configure Primary VLAN
- Configure Secondary VLANs (Isolated + Community)
- Associate Secondary VLANs to Primary VLAN
PVLAN port connections:
- PVLAN-Switch to Router/Gateway: Promiscuous port
- Good to know: 802.1q tag from the secondary VLAN gets rewritten and replaced with the primary VLAN ID.
- PVLAN-Switch to PVLAN-Switch: Standard trunk port
- PVLAN-Switch to Non-PVLAN-Switch: Isolated trunk port
- Good to know: Frame has the VLAN ID of the secondary VLAN.
- Switch SVI as PVLAN Gateway: Secondary PVLANs must be mapped
Important: VTP must be off/transparent mode or VTPv3 must be used for Private VLANs to work!
“Private VLAN” CLI configuration commands:
## Configuring PVLAN Primary
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# private-vlan primary
## Configuring PVLAN Secondary Isolated
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# private-vlan isolated
## Configuring PVLAN Secondary Community
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# private-vlan community
## Associating PVLAN Primary with PVLAN Secondary
Switch(config)# vlan <primary-vlan-id>
Switch(config-vlan)# private-vlan association <secondary-vlan-ids>
## Configuring interface as Promiscuous port
Switch(config)# interface <if>
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping <primary-vlan-id> add <secondary-vlan-ids>
## Configuring interface as Host port
Switch(config)# interface <if>
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association <primary-vlan-id> <secondary-vlan-id>
## Configuring SVI as PVLAN gateway
Switch(config)# interface vlan <primary-vlan-id>
Switch(config-if)# private-vlan mapping <secondary-vlan-ids>
“Private VLAN” CLI show commands:
## Showing Private VLANs and associated ports, ...
Switch# show vlan private-vlan
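The port-type rules and the two "good to know" tagging notes from the private VLAN section, as an added Python model written for these notes (not Cisco code). It decides whether a frame between two ports of one private VLAN is forwarded, and which 802.1q tag a frame from a secondary VLAN carries when it leaves through a promiscuous port versus an isolated trunk. VLAN numbers and port names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of private VLAN forwarding (not Cisco code): each port is
# a promiscuous, isolated or community port tied to one primary VLAN and, for
# host ports, one secondary VLAN. VLAN numbers and port names are made up.

@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                        # promiscuous | isolated | community
    primary: int
    secondary: Optional[int] = None  # None for promiscuous ports

def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Is a frame from src allowed to reach dst inside one private VLAN?"""
    if src.primary != dst.primary:
        return False                 # different private VLANs never talk
    if "promiscuous" in (src.kind, dst.kind):
        return True                  # promiscuous talks with every host port
    if src.kind == "community" and dst.kind == "community":
        return src.secondary == dst.secondary   # same community only
    return False                     # isolated <-> anything, community <-> other secondary

def egress_vlan_id(link: str, primary: int, secondary: int) -> int:
    """Tag on the wire when a host frame from 'secondary' leaves the switch:
    towards the router/gateway (promiscuous) the tag is rewritten to the primary
    VLAN ID, towards a non-PVLAN switch (isolated trunk) it keeps the secondary ID."""
    if link == "promiscuous":
        return primary
    if link == "isolated-trunk":
        return secondary
    raise ValueError(f"unknown link type {link!r}")

def reachable_from(src: PvlanPort, ports) -> list:
    """Names of all ports src can reach; handy for checking a design before deployment."""
    return [p.name for p in ports if p is not src and can_forward(src, p)]

# Constructed topology: primary 100, isolated 101, communities 102 and 103
UPLINK = PvlanPort("Gi1/0/24", "promiscuous", 100)
H1 = PvlanPort("Gi1/0/1", "isolated", 100, 101)
H2 = PvlanPort("Gi1/0/2", "isolated", 100, 101)
C1 = PvlanPort("Gi1/0/3", "community", 100, 102)
C2 = PvlanPort("Gi1/0/4", "community", 100, 102)
C3 = PvlanPort("Gi1/0/5", "community", 100, 103)
PORTS = [UPLINK, H1, H2, C1, C2, C3]

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, p.kind, "->", reachable_from(p, PORTS))
```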