2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Cisco LAN mitigation techniques, all in one place:
Port-to-MAC binding: port-security
DHCP-based port/IP/MAC binding: IP Source Guard
ARP attack prevention: Dynamic ARP Inspection (DAI), driven by the DHCP snooping binding table
DHCP attack prevention: DHCP snooping
Commonly used methods:
1. 802.1X port authentication (dot1x), which Cisco also markets as IBNS, Identity-Based Networking Services (note: IBNS also covers port-security). Many names for one thing, which is a little annoying.
When a host connects to a port, the switch (the authenticator) relays its credentials to the AAA server, here Cisco ACS acting as a RADIUS server, and only after the server has authenticated and authorized the host does the port forward its normal traffic. The prerequisite is that the client runs an 802.1X supplicant, which may mean installing software.
EAP over LAN (EAPOL) is the protocol that carries the EAP authentication exchange between the supplicant and the switch; the switch repackages the EAP messages into RADIUS towards the server, so the switch itself never has to understand the authentication and authorization information it conveys.
Example configuration:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host 10.200.200.1 auth-port 1633 key radkey
Switch(config)# dot1x system-auth-control
! enables 802.1X globally; without it the per-interface commands have no effect
Switch(config)# interface fa0/0
Switch(config-if)# dot1x port-control auto
auto is the normal mode: the port starts unauthorized and goes through authentication and authorization before it forwards traffic.
force-authorized (the default when port-control is not set): no authentication is performed and the port is always usable.
force-unauthorized: the port never authorizes any client, which is essentially the same as shutting the interface down.
Optional configuration:
Switch(config)# interface fa0/3
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 7200
! periodic re-authentication every 2 hours (3600 s when enabled without a period)
Switch# dot1x re-authenticate interface fa0/3
! re-authenticate now; an established session stays up while the exchange runs
Switch# dot1x initialize interface fa0/3
! reset the port's authentication state machine; the current session is torn down
Switch(config)# interface fa0/3
Switch(config-if)# dot1x timeout quiet-period 45
! after a failed authentication the switch waits 45 s (default 60 s) before it accepts the next attempt
Switch(config)# interface fa0/3
Switch(config-if)# dot1x timeout tx-period 90
! default 30 s
Switch(config-if)# dot1x max-req count 4
! default 2
The switch sends an EAP request to the client and waits tx-period seconds for the reply that it relays to the AAA server. If no reply arrives it retransmits the request, up to max-req times, before it restarts the authentication. With the defaults that is one retransmission every 30 s, twice; with the values above, every 90 s, four times.
Switch# configure terminal
Switch(config)# interface fastethernet0/3
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
The default is single-host: one MAC address per port. multi-host requires port-control auto; once one host authenticates successfully, every other host on the port (for example behind an unmanaged hub) gets network access without authenticating.
When that authorization ends, whether through a failed re-authentication or an EAPOL-Logoff, all hosts on the port lose access. (Newer IOS releases add multi-auth mode, which authenticates each MAC address separately.)
Switch# configure terminal
Switch(config)# dot1x guest-vlan supplicant
! global option: hosts that have sent EAPOL frames (i.e. have a supplicant) may also be placed in the guest VLAN
Switch(config)# interface fa0/3
Switch(config-if)# dot1x guest-vlan 2
Clients that never answer the EAP-Request/Identity (no supplicant) are placed in VLAN 2 instead of being left without access, which gives visitors a limited network and adds flexibility.
Notes: 1. VLAN 2 must exist and be active on this switch and be set aside for guests; 2. it must be a normal data VLAN, not the voice VLAN or an RSPAN VLAN.
Switch(config)# interface fa0/3
Switch(config-if)# dot1x default
Resets the interface's 802.1X parameters to their defaults.
show dot1x [all | interface interface-id | statistics interface interface-id] [| {begin | exclude | include} expression]
Switch#sho dot1x all
Dot1x Info for interface FastEthernet0/3
Supplicant MAC 0040.4513.075b
AuthSM State = AUTHENTICATED
BendSM State = IDLE
PortStatus = AUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 120 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
debug dot1x {errors | events | packets | registry | state-machine | all}
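The EAPOL/EAP framing described above, as an added example that is not part of the original page: a Python encoder and decoder for the first three frames of an 802.1X session (EAPOL-Start from the supplicant, EAP-Request/Identity from the switch, EAP-Response/Identity back). The supplicant MAC is the one from the show dot1x output; the switch MAC, the identity "alice" and the exchange itself are constructed.

```python
"""Build and parse the EAPOL (IEEE 802.1X) and EAP (RFC 3748) frames on an
802.1X port. Added example; addresses other than the supplicant MAC, the
identity and the exchange are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # supplicants send EAPOL to this group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_eapol(dst: str, src: str, packet_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header + EAPOL header (version 2 = 802.1X-2004) + body."""
    hdr = _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ETHERTYPE_EAPOL)
    return hdr + struct.pack("!BBH", 2, packet_type, len(body)) + body


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, then Type + Type-Data for Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


@dataclass
class Eapol:
    dst: str
    src: str
    packet_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> Eapol:
    """Decode one Ethernet frame; raises ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3):
        raise ValueError(f"unknown EAPOL version {version}")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    pkt = Eapol(_mac_str(frame[0:6]), _mac_str(frame[6:12]), ptype)
    if ptype != EAPOL_EAP_PACKET:       # Start / Logoff carry no EAP payload
        return pkt
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > body_len:
        raise ValueError("EAP length exceeds EAPOL body")
    pkt.eap_code, pkt.eap_id = code, ident
    if code in (EAP_REQUEST, EAP_RESPONSE):   # only these carry a Type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type byte")
        pkt.eap_type = body[4]
        pkt.eap_data = body[5:eap_len]
    return pkt


def example_exchange() -> List[Eapol]:
    """Constructed start of an 802.1X session, built then parsed back."""
    supplicant, switch = "00:40:45:13:07:5b", "00:1a:2b:3c:4d:5e"   # switch MAC made up
    frames = [
        build_eapol(PAE_GROUP_ADDR, supplicant, EAPOL_START),            # "I want to authenticate"
        build_eapol(supplicant, switch, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),       # switch: who are you?
        build_eapol(PAE_GROUP_ADDR, supplicant, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")),  # relayed to RADIUS
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for p in example_exchange():
        print(p)
```

The parser rejects a frame whose EAPOL length field runs past the end of the frame rather than reading whatever follows, which is the check to keep in mind when writing anything that consumes EAPOL from the wire.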
2. Port security, against CAM table overflow attacks (the macof tool can generate about 155,000 MAC addresses a minute to bombard the CAM table; once the table is full, frames for legitimate hosts whose entries have been pushed out are flooded to every port in the VLAN, so the attacker gets to see them)
Example configuration:
Switch# configure terminal
Switch(config)# interface fastethernet0/0
Switch(config-if)# switchport mode access
! port security requires a static access (or trunk) port, not a dynamic one
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
! default is 1
Switch(config-if)# switchport port-security mac-address sticky
Sticky learning writes each learned address into the running configuration as a secure static entry, which saves typing them in by hand and the cost of relearning them after a link flap (dynamic secure addresses are lost when the port goes down). Save the configuration if they are to survive a reload.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
The three modes:
protect: once the maximum is reached, frames from any further unknown source MAC are dropped silently, with no notification and no violation counter.
restrict: the same frames are dropped, but each one raises an SNMP trap and a syslog message and increments the violation counter. Caveat: an attacker can use this to generate a large volume of traps and log messages, which is its own burden on the network and the logging infrastructure.
shutdown (the default): the first violating frame puts the port into err-disabled state, and it stays down until an administrator issues shutdown / no shutdown (or errdisable recovery cause psecure-violation is configured) or the port security policy is changed. This also cuts off the legitimate host on that port.
Port security has to be configured port by port, which is a lot of work; the next two mechanisms build their bindings from DHCP instead.
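To see the three violation modes behave differently under a macof-style flood, here is an added Python simulation that is not code from the page: a model of one port's secure-MAC table with maximum 2, sticky learning and a chosen violation mode, fed one frame from a legitimate host followed by 1000 frames with distinct source MACs. The port name, the MAC addresses and the frame stream are constructed.

```python
"""Simulate a Catalyst access port running port-security under a CAM flood.
Added example; port name, MAC addresses and frame stream are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    running_config: List[str] = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """What the switch does with a frame from src_mac: forward, drop or errdisable."""
        if self.err_disabled:
            return "drop"                        # stays down until shutdown / no shutdown
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)        # dynamically learned secure address
            if self.sticky:                      # sticky: also written to running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # table is full and the source is unknown: a security violation
        if self.violation == "protect":
            return "drop"                        # silent: no counter, no trap, no syslog
        self.violations += 1
        if self.violation == "restrict":
            self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                               f"occurred, caused by MAC address {src_mac} on port {self.name}.")
            return "drop"
        self.err_disabled = True                 # shutdown: port goes err-disabled
        self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error detected on "
                           f"{self.name}, putting {self.name} in err-disable state")
        return "errdisable"


def flood_stream(count: int) -> List[str]:
    """Constructed stand-in for macof output: count distinct locally administered MACs."""
    return [f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
            for i in range(count)]


def run_flood(violation: str, maximum: int = 2, flood: int = 1000) -> Dict[str, int]:
    """A legitimate host talks first, then the flood; returns per-outcome counts."""
    port = SecurePort("Fa0/3", maximum=maximum, violation=violation, sticky=True)
    legit = "00:40:45:13:07:5b"                  # the legitimate host (made up)
    tally = {"forward": 0, "drop": 0, "errdisable": 0}
    tally[port.ingress(legit)] += 1
    for mac in flood_stream(flood):
        tally[port.ingress(mac)] += 1
    tally["violations"] = port.violations
    tally["secure_macs"] = len(port.secure_macs)
    tally["sticky_lines"] = len(port.running_config)
    tally["syslog_lines"] = len(port.syslog)
    # does the legitimate host still get through once the flood is over?
    tally["legit_forwards_after"] = int(port.ingress(legit) == "forward")
    return tally


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_flood(mode))
```

Running it shows the trade-off the text describes: protect and restrict both keep the legitimate host working (restrict at the price of 999 syslog lines, which is the flood-of-notifications problem), whereas shutdown err-disables the port after the first stray frame and takes the legitimate host down with it, so an attacker who can inject one frame turns port security into a denial of service against that port.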
DHCP snooping
Example: the administrator of an Internet cafe wants IP-to-MAC bindings created automatically from the leases that DHCP hands out.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 34
Switch(config)# ip dhcp snooping information option
! inserts relay-agent option 82 into client requests. Caveat: if the DHCP server rejects option 82 from a non-relay (giaddr 0.0.0.0), clients stop getting leases; on plain access switches it is often turned off with no ip dhcp snooping information option
Switch(config)# interface fa0/0
! the interface that leads to the DHCP server
Switch(config-if)# ip dhcp snooping limit rate 70
! at most 70 DHCP packets per second on this interface; exceeding it err-disables the port. Rate limits normally go on untrusted access ports; on a trusted uplink that carries every client's DHCP traffic the limit must be high enough never to trip
Switch(config-if)# ip dhcp snooping trust
! marks the interface as trusted: DHCP server messages (OFFER/ACK/NAK) are accepted only from trusted interfaces, so this is where the assigned addresses come from
Every other interface is untrusted by default: server messages arriving there (a rogue DHCP server) are dropped, and client messages are validated and used to build the binding table (MAC, IP, lease, VLAN, interface).
DAI
Dynamic ARP Inspection validates ARP packets against an ARP ACL and against the IP-to-MAC binding table built by DHCP snooping.
Switch# configure terminal
Switch(config)# ip arp inspection filter ARP-ACL vlan 34
! ARP-ACL is a placeholder name for an arp access-list you define; only ARP ACLs can be referenced here
The ACL is checked first and takes precedence over the binding table: an ARP packet denied by the ACL is dropped even if a matching DHCP snooping binding exists. Packets that match no ACL entry fall through to the binding table, unless the static keyword is added, in which case the ACL's implicit deny is final and the bindings are not consulted.
Switch(config)# ip arp inspection vlan 34
Switch(config)# interface fa0/0
Switch(config-if)# ip arp inspection trust
! the interface towards the DHCP server and upstream switch: ARP arriving here is not inspected
Interfaces facing hosts are untrusted by default; ARP packets arriving there are checked against the ACL and the DHCP snooping binding table.
Switch(config-if)# ip arp inspection limit rate 20 burst interval 2
! untrusted interfaces are limited to 15 ARP packets per second by default and trusted ones are unlimited; this allows 20 packets per second measured over a 2-second interval, and exceeding it err-disables the port
Switch(config-if)# exit
Switch(config)# ip arp inspection log-buffer entries 64
! keep the last 64 log entries for dropped packets
Note: DHCP snooping on its own only builds the IP-to-MAC binding table and blocks rogue DHCP servers; it does not police ARP or IP traffic, so by itself it cannot stop a host from spoofing any IP or MAC. What it provides is the table that DAI uses to stop ARP spoofing.
ip arp inspection only filters illegal ARP packets; it does nothing to IP packets or other traffic.
ip verify source (IP Source Guard) restricts an interface's IP traffic to the bound IP address, or, with the port-security keyword, to the bound IP and MAC pair.
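The precedence rule above (ARP ACL first, then the DHCP snooping table, with static making the ACL's implicit deny final) and the split between DAI and IP Source Guard are easy to get wrong, so here is an added Python model of the decision path. It is not code from the page or from IOS: the binding table, the ARP ACL entries (ARP-ACL above is only a placeholder name), interface names and packets are all constructed. It goes slightly beyond the text by also modelling the optional ip arp inspection validate src-mac check and the 64-entry log buffer.

```python
"""Model the DAI decision path (ARP ACL, then DHCP snooping bindings) and IP
Source Guard on the same bindings. Added example; all data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:            # one row of `show ip dhcp snooping binding`
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpAce:             # `permit|deny ip host <ip> mac host <mac>` in an arp access-list
    action: str
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress: str
    sender_mac: str       # ARP body: sender hardware address
    sender_ip: str        # ARP body: sender protocol address
    src_mac: str          # Ethernet source; validate src-mac requires it to equal sender_mac


class DaiSwitch:
    def __init__(self, bindings: Iterable[Binding], acl: Optional[List[ArpAce]] = None,
                 vlans: Iterable[int] = (), trusted: Iterable[str] = (),
                 static: bool = False, validate_src_mac: bool = True):
        self.bindings = list(bindings)
        self.acl = acl or []
        self.vlans = set(vlans)               # ip arp inspection vlan ...
        self.trusted = set(trusted)           # ip arp inspection trust
        self.static = static                  # ip arp inspection filter NAME vlan N static
        self.validate_src_mac = validate_src_mac   # ip arp inspection validate src-mac
        self.log: List[str] = []              # stands in for the DAI log buffer

    def _deny(self, pkt: ArpPacket, why: str) -> Tuple[str, str]:
        self.log.append(f"DAI-4-INVALID_ARP: {pkt.ingress} vlan {pkt.vlan} "
                        f"{pkt.sender_mac}/{pkt.sender_ip} ({why})")
        del self.log[:-64]                    # ip arp inspection log-buffer entries 64
        return "deny", why

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """DAI verdict for one ARP packet, with the reason."""
        if pkt.vlan not in self.vlans or pkt.ingress in self.trusted:
            return "forward", "not inspected"
        if self.validate_src_mac and pkt.src_mac != pkt.sender_mac:
            return self._deny(pkt, "src-mac validation failed")
        for ace in self.acl:                  # ARP ACL is consulted before the bindings
            if ace.ip == pkt.sender_ip and ace.mac == pkt.sender_mac:
                if ace.action == "permit":
                    return "forward", "permitted by ARP ACL"
                return self._deny(pkt, "denied by ARP ACL")  # wins even with a valid binding
        if self.acl and self.static:          # static: the ACL's implicit deny is final
            return self._deny(pkt, "implicit deny, bindings not consulted")
        for b in self.bindings:
            if (b.vlan, b.ip, b.mac) == (pkt.vlan, pkt.sender_ip, pkt.sender_mac):
                return "forward", "matches DHCP snooping binding"
        return self._deny(pkt, "no DHCP snooping binding")

    def verify_source(self, vlan: int, ingress: str, src_ip: str, src_mac: str,
                      port_security: bool = False) -> str:
        """IP Source Guard (`ip verify source [port-security]`) for an IP packet."""
        if ingress in self.trusted:
            return "forward"
        for b in self.bindings:
            if (b.vlan, b.interface, b.ip) == (vlan, ingress, src_ip):
                if port_security and b.mac != src_mac:
                    continue                  # IP matches the port's lease but MAC does not
                return "forward"
        return "drop"


def demo() -> Dict[str, str]:
    """Constructed ARP and IP packets through the model; verdicts keyed by case."""
    bindings = [Binding("00:40:45:13:07:5b", "10.34.0.10", 34, "Fa0/3"),
                Binding("00:11:22:33:44:55", "10.34.0.11", 34, "Fa0/4")]
    acl = [ArpAce("permit", "10.34.0.1", "00:1a:2b:3c:4d:5e"),   # statically addressed gateway
           ArpAce("deny", "10.34.0.11", "00:11:22:33:44:55")]    # blocked despite its lease
    sw = DaiSwitch(bindings, acl, vlans={34}, trusted={"Gi0/1"})
    arps = {
        "legit_host": ArpPacket(34, "Fa0/3", "00:40:45:13:07:5b", "10.34.0.10", "00:40:45:13:07:5b"),
        "spoofed_host_ip": ArpPacket(34, "Fa0/5", "00:de:ad:be:ef:01", "10.34.0.10", "00:de:ad:be:ef:01"),
        "static_gateway": ArpPacket(34, "Fa0/2", "00:1a:2b:3c:4d:5e", "10.34.0.1", "00:1a:2b:3c:4d:5e"),
        "acl_denied_host": ArpPacket(34, "Fa0/4", "00:11:22:33:44:55", "10.34.0.11", "00:11:22:33:44:55"),
        "from_trusted_uplink": ArpPacket(34, "Gi0/1", "00:de:ad:be:ef:02", "10.34.0.200", "00:de:ad:be:ef:02"),
        "ethernet_src_mismatch": ArpPacket(34, "Fa0/3", "00:40:45:13:07:5b", "10.34.0.10", "00:de:ad:be:ef:03"),
    }
    verdicts = {name: sw.inspect(p)[0] for name, p in arps.items()}
    strict = DaiSwitch(bindings, acl, vlans={34}, static=True)
    verdicts["legit_host_static_acl"] = strict.inspect(arps["legit_host"])[0]
    verdicts["ipsg_ok"] = sw.verify_source(34, "Fa0/3", "10.34.0.10", "00:40:45:13:07:5b")
    verdicts["ipsg_wrong_ip"] = sw.verify_source(34, "Fa0/3", "10.34.0.99", "00:40:45:13:07:5b")
    verdicts["ipsg_wrong_mac_ip_only"] = sw.verify_source(34, "Fa0/3", "10.34.0.10", "00:de:ad:be:ef:04")
    verdicts["ipsg_wrong_mac_port_sec"] = sw.verify_source(
        34, "Fa0/3", "10.34.0.10", "00:de:ad:be:ef:04", port_security=True)
    verdicts["dropped_logged"] = str(len(sw.log))
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} {verdict}")
```

Two cases are worth staring at: the statically addressed gateway has no DHCP lease and is only let through because the ARP ACL permits it, and the host on Fa0/4 has a perfectly good lease and is still dropped because a deny entry matched first. The IPSG cases show why ip verify source without port-security is weaker: a host that keeps the leased IP but forges its MAC still passes.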
3. VACL
Configuring a VACL on a Catalyst 6500 to capture traffic (for example to feed an IDS)
Router(config)# access-list 110 permit tcp any 172.12.31.0 0.0.0.255 eq 80
Router(config)# vlan access-map my_map
Router(config-access-map)# match ip address 110
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter my_map vlan-list 10-12,15
Router(config)# interface fastethernet5/7
Router(config-if)# switchport capture
Router(config-if)# switchport capture allowed vlan 10-12,15
HTTP traffic to 172.12.31.0/24 in VLANs 10-12 and 15 is forwarded normally, and a copy of it is sent to the capture port Fa5/7.
4. SPAN and RSPAN
Two ways of defining what is monitored: by source port or by source VLAN.
Three traffic directions: rx, tx and both.
VLAN-based monitoring on these platforms captures only received (rx) traffic: every physical port in the source VLAN becomes a source, and its ingress traffic is copied to the destination port.
rx traffic from several source ports or VLANs can be sent to one destination port.
tx traffic cannot be monitored on several ports at once, but can be on a single port.
At most two monitoring sessions can be configured.
A port is either a source or a destination, never both.
A trunk port can be a source, and filter vlan then selects which VLANs' traffic is copied; the filter has no effect on normal forwarding.
The VLAN filter is only available with port sources, not with VLAN sources.
Destination port:
cannot also be a source port or the reflector port;
does not take part in Layer 2 protocols: CDP, VTP, PAgP, LACP, DTP, STP;
in local SPAN, the destination and source ports are on the same switch;
can belong to only one SPAN session at a time, so one port cannot be the destination of two sessions;
cannot be a member of an EtherChannel;
if the destination port is a member of a source VLAN, that VLAN's traffic cannot be monitored, although other VLANs can;
802.1X and switchport port-security must be disabled on it.
SPAN can copy Layer 2 protocol frames; RSPAN cannot.
An IDS or IPS attached to a SPAN port only sees a copy of the traffic, so its only effect on traffic is the response its policy prescribes for a detected attack, such as resetting TCP connections; it cannot interfere with the forwarding of normal traffic.
SPAN (Switched Port Analyzer): a simple SPAN needs only two commands
Switch(config)# monitor session 1 source interface fa1/4
Switch(config)# monitor session 1 destination interface fa1/9
In this example the traffic of Fa1/4 (both directions, the default) is copied to Fa1/9 for analysis.
Switch(config)# no monitor session 2
! delete syntax: clear session 2 before redefining it
Switch(config)# monitor session 2 source vlan 1-3 rx
Switch(config)# monitor session 2 destination interface gigabitethernet0/7
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# end
Traffic received on all ports in VLANs 1-3 is copied to Gi0/7 for analysis; the last source line adds VLAN 10 to the same session, so its received traffic is copied as well.
Switch(config)# monitor session 2 source interface gigabitethernet0/4 rx
Switch(config)# monitor session 2 filter vlan 1-5, 9
Switch(config)# monitor session 2 destination interface gigabitethernet0/8
Switch(config)# end
Traffic received on trunk port Gi0/4 is copied to Gi0/8, but only the frames that belong to VLANs 1-5 and 9.
Note the difference between the two examples: source traffic can be defined by source port or by source VLAN.
RSPAN configuration:
Step 1: create the dedicated RSPAN VLAN on every switch in the path
Switch(config)# vlan 901
Switch(config-vlan)# remote-span
Switch(config-vlan)# end
Step 2: configure the source switch
Switch(config)# monitor session 1 source interface fastethernet0/10 tx
Switch(config)# monitor session 1 source interface fastethernet0/2 rx
Switch(config)# monitor session 1 source interface fastethernet0/3 rx
Switch(config)# monitor session 1 source interface port-channel 102 rx
Switch(config)# monitor session 1 destination remote vlan 901 reflector-port fastethernet0/1
Switch(config)# end
Step 3: configure the destination switch
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface fastethernet0/5
Switch(config)# end
Removing one direction from a source: this example disables monitoring of received traffic on Fa0/1, which had been configured for bidirectional monitoring.
Switch(config)# no monitor session 1 source interface fastEthernet0/1 rx
Monitoring of traffic received on Fa0/1 stops, but traffic sent from the port continues to be monitored.
Monitoring into a remote RSPAN VLAN:
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1-3 rx
Switch(config)# monitor session 2 destination remote vlan 902 reflector-port gigabitethernet0/7
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# end
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/4 rx
Switch(config)# monitor session 2 filter vlan 1-5, 9
Switch(config)# monitor session 2 destination remote vlan 902 reflector-port gigabitethernet0/8
Switch(config)# end
Checking SPAN
Switch# show monitor session 1
Session 1
---------
Type: Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/4
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/5
Encapsulation: DOT1Q
Ingress: Enabled, default VLAN = 5
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None