Port Security
- Violation modes: shutdown (default), protect (drop frames from unknown MACs silently), restrict (drop + generate a log)
- If the port is shut down (err-disabled), all dynamically learnt MAC addresses are removed
- If an IP phone is in line with a PC, set the maximum to at least 2: 1 for the PC and 1 for the phone
- Aging can be used to age out secure MAC addresses
- The default number of allowed MAC addresses is 1
- You can enable port security on a trunk
- Port security supports PVLAN ports
- Supports 802.1Q tunnel ports
- Does not support SPAN destination ports
- Only supports nonegotiate trunks
- Flex Link and port security are not compatible
- Keep in mind that FHRPs like HSRP, VRRP and GLBP use virtual MACs
Commands
int fa0/1
switchport port-security
switchport port-security mac-address {sticky | "48-bit mac"}
switchport port-security maximum 1
switchport port-security aging time "minutes"
switchport port-security violation {shutdown | protect | restrict}
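As an added example (not part of the original notes), the following Python model reproduces the rules listed above for one port: the default maximum of 1, the three violation modes, sticky learning into the running config, and the flush of dynamically learnt addresses when the port is err-disabled. The class and method names are my own, and the MACs are the ones seen in the lab below.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of one port-security interface (hypothetical names, not IOS code)."""
    maximum: int = 1                  # default allowed MAC addresses is 1
    violation: str = "shutdown"       # default violation mode
    sticky: bool = False
    secure_macs: set = field(default_factory=set)   # sticky entries, written to running config
    dynamic_macs: set = field(default_factory=set)  # learnt but not written to config
    status: str = "secure-up"
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame from src_mac: forward, drop or errdisable."""
        if self.status == "err-disabled":
            return "drop"                          # nothing passes until shut / no shut
        if src_mac in self.secure_macs or src_mac in self.dynamic_macs:
            return "forward"
        if len(self.secure_macs) + len(self.dynamic_macs) < self.maximum:
            # Room left: learn the address. With sticky it lands in the running config.
            (self.secure_macs if self.sticky else self.dynamic_macs).add(src_mac)
            return "forward"
        # Over the maximum: a violation. What happens next depends on the mode.
        if self.violation == "protect":
            return "drop"                          # silent drop: no log, no counter
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"PSECURE_VIOLATION caused by {src_mac}")
            return "drop"
        # shutdown: err-disable the port; dynamically learnt addresses are removed
        self.status = "err-disabled"
        self.dynamic_macs.clear()
        self.syslog.append(f"ERR_DISABLE psecure-violation caused by {src_mac}")
        return "errdisable"

    def shut_no_shut(self) -> None:
        """Operator recovery: sticky entries survive, dynamic ones must be relearnt."""
        self.status = "secure-up"
        self.dynamic_macs.clear()

    def running_config(self) -> list:
        """Lines a 'show run int' would contain for this model."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.secure_macs)]
        return lines


def run_scenario(mode: str, sticky: bool = False):
    """One legitimate host (the lab's r4 MAC) followed by an unexpected second MAC."""
    port = SecurePort(maximum=1, violation=mode, sticky=sticky)
    results = [port.receive("0012.d993.728d"),   # learnt and forwarded
               port.receive("0012.d993.728d"),   # already known, forwarded
               port.receive("0011.bb89.6e43")]   # second MAC on a max-1 port: violation
    return results, port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        results, port = run_scenario(mode)
        print(mode, results, port.status, "violations:", port.violation_count)
    _, sticky_port = run_scenario("protect", sticky=True)
    print("\n".join(sticky_port.running_config()))
```

Protect and restrict both drop the third frame, but only restrict leaves evidence (a counter and a log line); shutdown is the only mode that takes the port down and discards the dynamically learnt address, which is why the lab's trunk port went err-disabled the moment port security was enabled with the defaults.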
OK, so I am on s4, which has r4 connected on fa0/4; the interface is not a trunk but just an access port.
s4>en
s4#sh mac address-table dynamic int fa0/4
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 146    0012.d993.728d    DYNAMIC     Fa0/4
Total Mac Addresses for this criterion: 1
s4#
s4(config)#int fa0/4
s4(config-if)#switchport port-security
s4(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
s4(config-if)#switchport port-security violation protect
s4(config-if)#switchport port-security maximum 1
s4(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
s4(config-if)#switchport port-security mac-address sticky
s4#sh run int fa0/4
Building configuration...
Current configuration : 260 bytes
!
interface FastEthernet0/4
switchport access vlan 146
switchport mode access
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0012.d993.728d
end
Notice it dynamically learns the MAC and puts it in the running config, as I specified sticky. I
could alternatively do this by just using
switchport port-security mac-address "mac"
s4#sh port-security int fa0/4
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0012.d993.728d:146
Security Violation Count : 0
s4#
One of the things to note is that the MAC assigned to the port will not age out, as it is set to
absolute, so unless the port goes down it will not age out the MAC. If you want to put in aging:
s4(config-if)#switchport port-security aging time 30
It is in minutes, so that is 30 mins.
On trunk link fa0/13
s4(config)#int fa0/13
s4(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
s4(config-if)#switchport port-security
s4(config-if)#
00:24:53: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in
err-disable state
00:24:53: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC
address 0011.bb89.6e43 on port FastEthernet0/13.
00:24:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEtherne
The minute I put it on, it shut the port down, as the default is 1 MAC and the default violation mode is
shutdown.
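The two syslog lines the switch printed above are what a monitoring system would key on. As an added example (not from the original post), here is a small Python parser that pulls the port and offending MAC out of `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages and counts violations per port; the sample log is constructed from the lab's lines (re-joined onto single lines) plus two invented entries for Fa0/4 to show a repeat offender. Regex patterns and function names are my own.

```python
import re
from collections import Counter

# Constructed sample log: the first three lines mirror the lab output above, the
# last two are invented to show repeated violations on another port.
SAMPLE_LOG = """\
00:24:53: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
00:24:53: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.bb89.6e43 on port FastEthernet0/13.
00:24:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
00:31:07: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.bb89.6e15 on port FastEthernet0/4.
00:31:09: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.bb89.6e15 on port FastEthernet0/4.
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{MAC}) on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")


def normalize(port: str) -> str:
    """PSECURE_VIOLATION names the port in long form, PM-4-ERR_DISABLE in short form."""
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_events(text: str) -> list:
    """Return (timestamp, kind, port, detail) tuples for port-security related lines."""
    events = []
    for line in text.splitlines():
        ts = line.split(": ", 1)[0]
        m = VIOLATION_RE.search(line)
        if m:
            events.append((ts, "violation", normalize(m.group("port")), m.group("mac")))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append((ts, "err-disabled", normalize(m.group("port")), m.group("cause")))
    return events


def violations_per_port(events: list) -> Counter:
    """A port that keeps violating is worth investigating before anyone types 'no shut'."""
    return Counter(port for _, kind, port, _ in events if kind == "violation")


def errdisabled_ports(events: list) -> list:
    return sorted({port for _, kind, port, _ in events if kind == "err-disabled"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("err-disabled:", errdisabled_ports(evs))
    print("violations:", dict(violations_per_port(evs)))
```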
s4(config)#int fa0/13
s4(config-if)#switchport port-security max 65
s4(config-if)#shut
s4(config-if)#no shut
s4#sh port-security int fa0/13
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 65
Total MAC Addresses : 33
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.bb89.6e15:1
Security Violation Count : 0
s4#sh port-security int fa0/13
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 65
Total MAC Addresses : 35
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.bb89.6e42:67
Security Violation Count : 0
we are on 35 at the moment
Static CAM Entries
- Switches learn MAC addresses dynamically from the traffic flow (they take the source MAC). We can disable this and decide to statically populate the CAM table on very secure access ports.
LAB
I removed the above config.
To put in a static entry:
s4(config)#mac address-table static 0012.d993.728d vlan 146 int fastethernet0/4
To disable dynamic MAC learning on the VLAN:
s4(config)#no mac address-table learning vlan 146
Storm Control
- Storm control is like policing at layer 2
- You can limit the amount of unicast/broadcast/multicast traffic accepted on a port
- Ingress rate limiting only
- A caveat of storm control: violating the multicast rate will suppress unicast, broadcast and multicast
- A violation of the unicast rate will only affect unicast
- A violation of the broadcast rate will only affect broadcast
- Another caveat is that the % is of the interface's negotiated speed, not the nominal bandwidth. So if for some reason you negotiated 10 Mb/s on a 100 Mb/s link, the % is of 10 Mb/s
- You can configure traffic storm control on an EtherChannel (a port-channel interface).
- Do not configure traffic storm control on ports that are members of an EtherChannel.
- Configuring traffic storm control on ports that are configured as members of an EtherChannel puts the ports into a suspended state.
- Storm control uses a rising and a falling threshold. The rising threshold is the level you need to go above before dropping starts; the falling threshold is the level you need to go below before forwarding resumes. The sample interval is one second: if you go above the rising threshold, the switch starts dropping. If in the next second you are below the rising threshold but still above the falling threshold, it continues to block. Once you go below the falling threshold it starts forwarding again, and you will need to go above the rising threshold for the process to start again.
LAB
s4(config-if)#int fa0/4
s4(config-if)#storm-control broadcast level 2 1
2 is the rising (high) rate and 1 is the falling (low) rate, in percent.
s4#sh storm
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/4      Forwarding     2.00%        1.00%        0.00%
s4#
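The rising/falling behaviour described in the bullets above is a hysteresis loop over one-second samples. As an added example (not part of the original notes), the Python below runs that loop over a constructed series of per-second broadcast utilisation samples using the lab's `level 2 1` thresholds, and also shows the "percent of negotiated speed" caveat as a calculation. Function names and the sample series are my own.

```python
def storm_control(samples, rising, falling):
    """Apply rising/falling hysteresis to per-second utilisation samples (percent).

    Returns one 'forward' or 'block' decision per one-second sample.
    """
    blocking = False
    decisions = []
    for pct in samples:
        if not blocking and pct > rising:
            blocking = True            # above rising: start dropping
        elif blocking and pct < falling:
            blocking = False           # below falling: resume forwarding
        # anywhere between the two thresholds the current state is kept
        decisions.append("block" if blocking else "forward")
    return decisions


def threshold_kbps(percent, negotiated_mbps):
    """The percentage is taken of the negotiated speed, not the nominal link speed."""
    return negotiated_mbps * 1000 * percent / 100


# Constructed per-second broadcast utilisation, in percent of the negotiated rate.
SAMPLES = [0.5, 2.5, 1.5, 1.5, 0.8, 1.5, 2.1]

if __name__ == "__main__":
    for pct, state in zip(SAMPLES, storm_control(SAMPLES, rising=2, falling=1)):
        print(f"{pct:4.1f}%  {state}")
    # the same 'level 2' means very different absolute rates on a 10 vs 100 Mb/s negotiation
    print("2% of 10 Mb/s  =", threshold_kbps(2, 10), "kb/s")
    print("2% of 100 Mb/s =", threshold_kbps(2, 100), "kb/s")
```

The third and fourth samples (1.5%) sit between the thresholds and stay blocked; the fifth (0.8%) is below the falling threshold and forwarding resumes; a later 1.5% sample does not re-trigger blocking because the rising threshold has to be crossed again first.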
802.1X Authentication
- Authenticates a port by requesting credentials from the attached host
- Uses the EAP over LAN (EAPOL) protocol; the switch relays the authentication packets to the RADIUS server
- Your end client must support EAP
- You also need AAA and a RADIUS server configured on your network
- force-authorized disables 802.1X on a port
- force-unauthorized disables the port: authentication will not even take place and the port goes into the unauthorized state
s4(config)#aaa new-model
s4(config)#aaa authentication dot1x default group radius
s4(config)#radius-server host 1.2.3.4 key PASSWORD
To enable 802.1X globally:
s4(config)#dot1x system-auth-control
Then on the interface:
s4(config)#int fa0/4
s4(config-if)#dot1x port-control auto
PACL
- Applies to layer 2 ports only, in the inbound direction
- Filters transit traffic only
- Can be an IP or MAC match
Commands
s4(config)#access-list 101 deny icmp 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0
s4(config)#access-list 101 permit ip any any
s4(config)#int fa0/4
s4(config-if)#ip access-group 101 in
r4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r4#ping 1.1.1.1 source 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.....
Success rate is 0 percent (0/5)
r4#
ROUTED ACL
Same as a PACL, but only applied on L3 interfaces like routed ports or SVIs.
Can be applied in both directions, but can only filter with IPv4 standard/extended ACLs, not layer
2 ACLs.
VACL
- VLAN ACL or VLAN map
- Applied to a VLAN/SVI; effective for all ports in the VLAN
- If an ACL is applied to a router interface in the VLAN and a VLAN ACL exists, the VLAN ACL is checked first
- TCP intercept + reflexive ACLs take precedence over VLAN ACLs
- VACL + CBAC cannot be configured on the same interface
vlan access-map "Name"
 match ip address 101
 action drop
vlan access-map "Name" 20
 match mac address "name"
 action drop
access-list 101 permit tcp any any eq 23
mac access-list extended "name"
 permit host "source mac" host "destination mac"
To apply to a VLAN:
vlan filter "nameofaccessmap" vlan-list 146
LAB
----
OK, so we will apply a VLAN access-map to deny telnet to anywhere on the VLAN ports and also
deny traffic to r6 from r4.
r4
---
s4(config)#access-list 101 permit tcp any any eq 23
s4(config)#mac access-list extended TRAFFIC
s4(config-ext-macl)#permit host 0012.d993.728d host 0013.80e4.901a
We will create the VLAN access-map matching the MAC access-list and the extended IP access
list; for these it will drop, for everything else it will forward.
s4(config)#vlan access-map FILTER
s4(config-access-map)#match ip address 101
s4(config-access-map)#action drop
s4(config-access-map)#exit
s4(config)#vlan access-map FILTER 20
s4(config-access-map)#match mac address TRAFFIC
s4(config-access-map)#action drop
s4(config-access-map)#exit
s4(config)#vlan access-map FILTER 30
s4(config-access-map)#action forward
s4(config-access-map)#
To apply it to VLAN 146:
s4(config)#vlan filter FILTER vlan-list 146
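To make the sequence-ordered evaluation of the FILTER access-map concrete, here is an added Python model (not from the original post) of how a VLAN map is walked: sequences are tried in order, a permit entry in the referenced ACL counts as a match, the first matching sequence's action wins, and a frame that matches no sequence is dropped, which is why sequence 30 `action forward` without a match clause is needed. It uses the lab's ACL 101, the TRAFFIC MAC list and the two MACs from the lab; the `Frame` class and function names are my own, and the model deliberately ignores platform-specific rules about which traffic types a MAC ACL can match.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    """Just the fields the two match clauses need (constructed, simplified)."""
    src_mac: str
    dst_mac: str
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None for non-IP
    dst_port: Optional[int] = None


def acl_101(f: Frame) -> bool:
    """access-list 101 permit tcp any any eq 23 (a permit entry counts as a match)."""
    return f.proto == "tcp" and f.dst_port == 23


def macl_traffic(f: Frame) -> bool:
    """mac access-list extended TRAFFIC: permit host 0012.d993.728d host 0013.80e4.901a."""
    return f.src_mac == "0012.d993.728d" and f.dst_mac == "0013.80e4.901a"


# vlan access-map FILTER as (sequence, match clause, action); None = no match clause,
# which matches everything.
FILTER = [
    (10, acl_101, "drop"),        # vlan access-map FILTER / match ip address 101 / action drop
    (20, macl_traffic, "drop"),   # vlan access-map FILTER 20 / match mac address TRAFFIC / action drop
    (30, None, "forward"),        # vlan access-map FILTER 30 / action forward
]

# The same map without the catch-all sequence 30, to show the implicit drop.
FILTER_NO_CATCHALL = FILTER[:2]


def evaluate(access_map, frame: Frame):
    """Walk the map in sequence order; first match wins; no match means drop."""
    for seq, match, action in access_map:
        if match is None or match(frame):
            return seq, action
    return None, "drop"


if __name__ == "__main__":
    tests = {
        "telnet to anywhere": Frame("0013.80e4.901a", "0012.d993.728d", "tcp", 23),
        "r4 -> r6 ping":      Frame("0012.d993.728d", "0013.80e4.901a", "icmp"),
        "r6 -> r4 http":      Frame("0013.80e4.901a", "0012.d993.728d", "tcp", 80),
    }
    for name, frame in tests.items():
        print(f"{name:20s} {evaluate(FILTER, frame)}   without seq 30: {evaluate(FILTER_NO_CATCHALL, frame)}")
```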