Wednesday, 28 December 2016

CCNP Switch Security

!!Task
Create Primary vlan 200 , create two secondary vlan community with
vlan id 205 & isolated with 210 and map with primary vlan
!!

Topology:


conf)#vtp mode transparent
! Private vlans only configured in transparent mode
vlan 200
private-vlan primary
vlan 205
private-vlan community
vlan 210
private-vlan isolated
private-vlan association 205,210
# show vlan private-vlan
! for community ports
int fa0/2
switchport mode private-vlan host
switchport mode private-vlan host-association 200 205
!
int fa0/3
switchport mode private-vlan host
switchport mode private-vlan host-association 200 205
!
! for isolated ports
int fa0/4
!
switchport mode private-vlan host
switchport mode private-vlan host-association 200 210
!
! for promiscuous port
int fa0/1
!
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210
!
# sh vlan private-vlan
!

Span ports command:
()# monitor session 1 source interface fa0/1 - 2 rx
()# monitor session 1 destination interface f0/5
!
VLAN access List or VACLs
!
Create any access list to map
!
conf)# ip access-list extended VACL
permit tcp any any eq ftp
permit tcp any any eq telnet
!
conf)#vlan access-map VACL1 10
match ip address VACL
action drop
vlan access-map VACL1 20
action forward
!
()#vlan filter VACL1 vlan-list 2
!
# show vlan access-map
!

 Now Security Section:
!
Port Security
Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter the addition by users of "dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access port). The addition of unmanaged devices complicates troubleshooting by administrators and is best avoided.
Enabling Port Security
Port security can be enabled with default parameters by issuing a single command on an interface:
Switch(config)# interface f0/13
Switch(config-if)# switchport port-security
Although only a single interface is used for illustration in this article, port security, if configured, is typically configured on all user-facing interfaces.
We can view the default port security configuration with show port-security:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to the switch port, the port learns the host's MAC address as the first frame is received:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 1
Switch# show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
...
By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.
Tweaking Port Security
Violation Mode
Port security can be configured to take one of three actions upon detecting a violation:
shutdown (default) ; The interface is placed into the error-disabled state, blocking all traffic. protect ; Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally. restrict ; Like protect mode, but generates a syslog message and increases the violation counter.
By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected:
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# ^Z
Switch#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 3
Unfortunately, violating traffic will continue to trigger log notifications, and the violation counter will continue to increase, until the violating host is dealt with.
Maximum MAC Addresses
By default, port security limits the ingress MAC address count to one. This can be modified, for example, to accommodate both a host and an IP phone connected in series on a switch port:
Switch(config-if)# switchport port-security maximum 2
One also has the option to set a maximum MAC count for the access and voice VLANs independently (assuming a voice VLAN has been configured on the interface):
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
MAC Address Learning
An administrator has the option of statically configuring allowed MAC addresses per interface. MAC addresses can optionally be configured per VLAN (access or voice).
Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 ?
  vlan  set VLAN ID of the VLAN on which this address can be learned
  <cr>
Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 vlan access
The configured MAC address(es) are recorded in the running configuration:
Switch# show running-config interface f0/13
Building configuration...

Current configuration : 259 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 001b.d41b.a4d8
 spanning-tree portfast
end
Obviously, this is not a scalable practice. A much more convenient alternative is to enable "sticky" MAC address learning; MAC addresses will be dynamically learned until the maximum limit for the interface is reached.
Switch(config-if)# no switchport port-security mac-address 001b.d41b.a4d8
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
After a MAC address has been learned, it is recorded to the configuration similarly to as if it were entered manually:
Switch# show running-config interface f0/13
Building configuration...

Current configuration : 311 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d41b.a4d8
 spanning-tree portfast
end
MAC Address Aging
By default, secure MAC addresses are learned (in effect) permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed. This allows a new host to take the place of one which has been removed. Aging can be configured to take effect at regular intervals, or only during periods of inactivity. The following example configures expiration of MAC addresses after five minutes of inactivity:
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
After five minutes of inactivity, we can see that the address has been purged:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
At this point, the old address will be re-learned the next time a frame is sent from that host, or a new host can take its place.
Auto-recovery
To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:
%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
This is a great way to automatically clear port security violations after the user has been given an opportunity to remove the offending host(s). Note that is the cause is not cleared, the violation will trigger again after the port comes back up, re-initating the auto-recovery cycle.
Footnote
Although a deterrent, port security is not a reliable security feature, as MAC addresses are trivially spoofed, and multiple hosts can still easily be hidden behind a small router. IEEE 802.1X is a much more robust access edge security solution.

A simple wired 802.1X lab

IEEE 802.1X is a very cool security feature. It was developed to provide real security for wired and wireless networks at layer two. A client connected to an 802.1X-protected port can't send any traffic other than EAP to the switch until he successfully authenticates with the proper credentials or certificate. This article demonstrates how you can setup a simple 802.1X lab using a Windows XP-based client and RADIUS server.

802.1X Operation

A network switch acts as the middleman between an authenticating client and an authentication server. The switch implements two protocols: EAP is used to communicate with the client at the network perimeter, whileRADIUS is used to relay authentication details to the server inside the network. EAP offers a number of authentication mechanisms, but our setup will use simple username/password authentication with an MD5 challenge. The flow of a successful authentication is illustrated here:
For a better idea of what this exchange looks like on the wire, check out these packet captures of 802.1X andRADIUS traffic.

Switch Configuration

Port-based 802.1X authentication allows for some really cool security measures (like dynamic VLAN assignment and per-user ACLs), but for this lab we'll establish a base configuration just for demonstration's sake.
A preliminary step, if you haven't done so already, is to enable IP routing on the switch:
Switch(config)# ip routing
Before diving into the actual 802.1X configuration, we'll need to enable Authentication, Authorization, and Accounting (AAA) for the switch (this step can be skipped if AAA is already active). A word of caution: enabling AAA changes the authentication method used by the VTY (telnet) lines to fit the AAA model. It's a good idea to define a local username and password to authenticate to the switch if you haven't done so (this account is unrelated to our 802.1X configuration, just a way for us to log in again if we need to).
Switch(config)# aaa new-model
Switch(config)# username admin secret MyPassword
Next we'll configure the switch with the address and shared key of our RADIUS server. By default, Cisco switches will use UDP port 1645 for RADIUS authentication and port 1646 for accounting. Depending on the RADIUS daemon you chose to implement, you may need to modify these ports to match those used by your RADIUS daemon. FreeRADIUS, for example, uses the more recent port specification defined in RFC 2138, and requires additional configuration on the switch to reflect the port changes:
Switch(config)# radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key
 MyRadiusKey
Now we'll tie these two components together by configuring AAA to reference the RADIUS server for 802.1X authentication requests:
Switch(config)# aaa authentication dot1x default group radius
This takes care of the RADIUS portion of the configuration. Configuring 802.1X from this point is simple: enable it globally for the switch, and individually per interface:
Switch(config)# dot1x system-auth-control
Switch(config)# interface g0/12
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Note that the interface must be set to static access mode. If left in dynamic mode (where DTP is used to negotiate the port's function as either access or trunking), the switch will issue an error message stating that 802.1X cannot be configured on dynamic ports.
If you're inquisitive like me and issue a question mark to invoke the context-sensitive help in the midst of issuing a new command, you might have noticed that the dot1x port-control interface command has three options. These are:
  • auto - Normal 802.1X authentication
  • force-authorized - No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
  • force-unauthorized - Ignores authentication attempts, port is always unauthorized
You can use the show dot1x command to verify the configuration of your client-facing interface:
Switch# show dot1x interface g0/12
Supplicant MAC 
   AuthSM State      = N/A
   BendSM State      = N/A
PortStatus        = N/A
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Single
PortControl       = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
!

DHCP Snooping and Dynamic ARP Inspection

DHCP snooping is a feature which allows a Cisco Catalyst switch to inspect DHCP traffic traversing a layer two segment and track which IP addresses have been assigned to hosts on which switch ports. This information can be handy for general troubleshooting, but it was designed specifically to aid two other features: IP source guard and dynamic ARP inspection. These features help to mitigate IP address spoofing at the layer two access edgeTake a  look at how to implement dynamic ARP inspection.
First, we need to enable DHCP snooping, both globally and per access VLAN:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
 
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
 
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
In this scenario, our multilayer switch is relaying DHCP requests toward a central DHCP server elsewhere on the network, a behavior enabled by adding one or more ip helper-address commands under the access VLAN interface. However, if the access switch was functioning only at layer two, we would have to designate our uplink interfaces as trusted interfaces by applying the command ip dhcp snooping trust to the layer two interfaces. This informs the switch that DHCP responses are allowed to arrive on those interfaces.
Legitimate DHCP clients and their assigned IP addresses will appear in the DHCP snooping binding table:
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:19:AA:7D:E6:88   192.168.10.2     86250       dhcp-snooping   10    FastEthernet0/3
Total number of bindings: 1
Next, we'll enable dynamic ARP inspection for the VLAN. (When enabling the feature for multiple VLANs, a range of VLAN numbers can be specified.)
Switch(config)# ip arp inspection vlan 10
Switch(config)# ^Z
Switch# show ip arp inspection
 
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 
Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 
Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
 
Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0              0              0              0
 
Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0
 
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0
Notice in the above output that source MAC, destination MAC, and IP address validation are indicated as being disabled. We can optionally enable one or more of these additional validation checks to achieve even more thorough security with the command ip arp inspection validate followed by the address type.
Now suppose an intruder connects to VLAN 10 on interface FastEthernet0/5 and begins sending gratuitous ARP replies, purporting to be the default router for the subnet in an attempt to initiate a man-in-the-middle attack. The switch inspects these ARP packets and does not find an entry in the DHCP snooping table for the source IP address 192.168.10.1 on port FastEthernet0/5. The packets are consequently discarded by the switch, as evidenced by this log message:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10.
([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Mar 1 1993])
We can see the drop counter begin to increase in the output of show ip arp inspection:
Switch# show ip arp inspection
 
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 
Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 
Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
 
Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10             22              2              2              0
 
Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10             22              0              0                     0
 
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0

A word of caution

If the DHCP server is an IOS router directly connected to the layer two segment, you may see it throw the following error if DHCP server debugging is enabled (debug ip dhcp server packet):
DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
The router is complaining about the presence of DHCP option 82 with a null value being added by the switch performing DHCP snooping. This is easily remedied by issuing the commandno ip dhcp snooping information option in global configuration on the switch to disable the addition of option 82 to DHCP requests. Check out this article by Internetwork Expert for more information.

 

IP source guard without DHCP

Discussion of IOS' IP source guard feature typically accompanies the configuration of DHCP snooping. This is to be expected, as IP source guard relies on a switch's knowledge of DHCP-assigned host addresses in order to validate and restrict spoofed source addresses. However, IP source guard can be implemented independent of DHCP, a useful ability on networks or subnets using only static addressing.
When DHCP snooping is enabled, a switch maintains a database of the DHCP addresses assigned to the hosts connected to each access port. IP source guard references this database when a packet is received on any of these interfaces and compares the source address to the assigned address listed in the database. If the source address differs from the "allowed" address, the packet is assumed to spoofed and is discarded.
Assuming DHCP isn't available or in use on a subnet, static IP bindings can be manually configured per access port to achieve the same effect. The following topology illustrates the lab on which this is being demonstrated.
The first step is to enable IP source guard on every access interface:
Switch(config)# interface f0/10
Switch(config-if)# ip verify source
Switch(config-if)# interface f0/20
Switch(config-if)# ip verify source
(Note that for the purposes of the lab, IP source guard has only been enabled on the two relevant access ports. In a real-world deployment, IP source guard should be enabled consistently across all access ports.)
The next step isn't immediately obvious, and in fact a bit counter-intuitive: enabling DHCP snooping. Despite our reliance solely on static bindings in this lab, the DHCP snooping feature must be turned on to enable the inspection of incoming packets. DHCP snooping must be enabled globally, and again for each VLAN on which IP source guard will be run.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Next we'll define the static IP source address bindings, under global configuration. Note that this also requires the source MAC address, which can be obtained from the switch's CAM table if not already known.
Switch# show mac address-table int f0/10
      Mac Address Table
-------------------------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001d.60b3.0add    DYNAMIC     Fa0/10
Total Mac Addresses for this criterion: 1
Switch# show mac address-table int f0/20
      Mac Address Table
-------------------------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0023.7d00.d0a8    DYNAMIC     Fa0/20
Total Mac Addresses for this criterion: 1
Switch# conf t
Switch(config)# ip source binding 001d.60b3.0add vlan 10 10.0.0.10 interface f0/10
Switch(config)# ip source binding 0023.7d00.d0a8 vlan 10 10.0.0.20 interface f0/20
We can verify our new entries with show ip source binding:
Switch# show ip source binding
MacAddress          IpAddress     Lease(sec)  Type        VLAN  Interface
------------------  ------------  ----------  ----------  ----  -----------------
00:1D:60:B3:0A:DD   10.0.0.10     infinite    static       10    FastEthernet0/10
00:23:7D:00:D0:A8   10.0.0.20     infinite    static       10    FastEthernet0/20
Total number of bindings: 2
The above output displays the bindings active in the database. However, to inspect the actual operation of IP source guard, the command show ip verify source is used:
Switch(config)# do sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ----
Fa0/10     ip           active       10.0.0.10                        10
Fa0/20     ip           active       10.0.0.20                        10

Note : Article taken for famous blog  packetlife .

No comments:

Post a Comment