******************************
Cisco - Securing Switch Access
******************************

Port Security
=============

- Controls access to a port based on MAC address
- MAC addresses are statically configured or dynamically learned
- Limits the number of stations that can be used on a given port, by default 1
- MAC addresses are learned as hosts transmit frames
- Learned addresses are lost upon reboot by default unless "Sticky Addresses" is enabled
- By default learned addresses do not age out; this can be configured

Violation Actions
-----------------

- Shutdown (Default)

  * Port put in errdisabled state
  * No traffic flow
  * Manual or error disabled recovery needed

- Restrict

  * Port stays up
  * Frames for invalid MACs are dropped
  * Sends SNMP trap

- Protect

  * Port stays up
  * All traffic from violating MACs dropped
  * No record of the violation is kept

Port-Based Authentication
=========================

- Combination of AAA authentication and port security
- Based on IEEE 802.1x
- User is required to successfully authenticate before traffic will flow
- Requires support on the switch (Supplicant) and the end user device (client)
- A client configured for 802.1x will still pass traffic when the switch is not configured to authenticate
- Uses EAP over LAN (EAPOL), a layer 2 protocol
- Port returns to an unauthorised state when the end user logs out or disconnects from the port
- Authentication is done from the switch to an authentication server using RADIUS
- Switch ports can be configured into 1 of 3 states

  * Force Authorised - no authentication needed (default)
  * Force Unauthorised - port will never successfully authenticate
  * Auto - requires successful 802.1x authentication

- By default only a single host is supported on an authenticated port; multiple hosts can be configured

Configuration Steps
-------------------

- Enable AAA globally on the switch
- Define RADIUS servers
- Define authentication methods for 802.1x
- Enable 802.1x globally on the switch
- Configure individual ports to use 802.1x authentication by changing them from "Force Authorised" to "Auto"

Using Storm Control
===================

- Switches allow networks to be more efficient by only sending frames to the host(s) that need them
- Switches cannot optimise all frame types and must flood the following:

  * Broadcast
  * Multicast
  * Unknown Unicast

- Storm Control helps by preventing hosts from sending excessive amounts of these frame types
- Configured per interface
- Individual thresholds for each frame type
- Thresholds are specified as a percentage of interface bandwidth, or as an absolute rate in bps or pps
- Hosts breaching thresholds can trigger configured actions

Storm Control Actions
---------------------

- Drop (Default) - exceeding frames are dropped
- Shutdown - port is placed in error disabled state
- Trap - frames dropped and SNMP trap sent

Best Practices for Securing Switches
====================================

- Configure secure passwords
- Use system banners
- Secure/disable the web interface
- Secure the console ports
- Secure Telnet/SSH access
- Use SSH in preference to Telnet where supported
- Use SNMPv3 where possible and restrict to read-only access
- Secure unused switch ports
- Secure STP operation (e.g. BPDU Guard)
- Restrict use of CDP/LLDP to connections with trusted devices

Configuring Port Security
=========================

**Enable Port Security**

::

    interface
    switchport port-security

**Define number of allowed MAC addresses on a port**

::

    interface
    switchport port-security maximum

**Set dynamically learned addresses to be sticky**

::

    interface
    switchport port-security mac-address sticky

**Manually define the MAC address permitted on a port**

::

    interface
    switchport port-security mac-address

**Define the action taken upon detecting an unknown MAC**

*NOTE: Default action is "Shutdown"*

::

    interface
    switchport port-security violation {shutdown|restrict|protect}

**Clear MAC addresses from the port cache**

::

    clear port-security {all | configured | dynamic | sticky } [address | interface ]

**Show status for an interface**

::

    show port-security [interface ]

**Show summary of error disabled interfaces**

::

    show interfaces status err-disabled

**Manually restore an interface**

::

    interface
    shutdown
    no shutdown

**Configure learned MAC address ageing**

*NOTE: Disabled by default*

::

    interface
    switchport port-security aging {time | type {absolute | inactivity}}

Configuring Port-Based Authentication
=====================================

**Enable AAA globally**

::

    aaa new-model

**Define external RADIUS servers**

::

    radius-server host { | } [key ]

**Define authentication method used for 802.1x**

::

    aaa authentication dot1x default group radius

**Enable 802.1x supplicant on the switch**

::

    dot1x system-auth-control

**Set the authentication mode on an interface**

::

    interface
    dot1x port-control {force-authorized|force-unauthorized|auto}

**Allow multiple hosts on a single port**

::

    dot1x host-mode multi-host

**Verify 802.1x operation**

::

    show dot1x all

Configuring Storm Control
=========================

**Enable Storm Control thresholds**

::

    interface
    storm-control {broadcast|multicast|unicast} level { [ | bps [[ | pps []}

**Enable additional actions when thresholds breached**

*NOTE: Default is to drop exceeding packets*

::

    interface
    storm-control action {shutdown | trap}

**Display Storm Control status**

::

    show storm-control [] [broadcast|multicast|unicast]
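The port security commands above are shown as templates. The following is an added worked configuration, not part of the original notes, that applies them to one workstation port in "restrict" mode with a sticky address, a second port using inactivity ageing, and automatic errdisable recovery for ports left on the default "shutdown" action. Interface names, VLAN numbers, the MAC address and the timers are constructed values.

```cisco
! Added example (not from the original notes). Interface names, VLANs,
! the MAC address and timers are constructed placeholders.
configure terminal
!
! Port security will not enable on a port that is still negotiating DTP,
! so the port mode is fixed to "access" before enabling it.
interface GigabitEthernet0/1
 description User workstation (PC behind an IP phone)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Phone plus PC: allow two addresses instead of the default of 1
 switchport port-security maximum 2
 ! One address pinned statically (constructed MAC); the other is learned
 switchport port-security mac-address 0000.1111.2222
 ! Learned address survives a reload by being written to running-config
 switchport port-security mac-address sticky
 ! On violation: port stays up, offending frames dropped, SNMP trap sent
 switchport port-security violation restrict
 ! Edge port: no CDP toward untrusted hosts, BPDU Guard against rogue switches
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Shared meeting-room port: dynamic learning, learned address forgotten
! after 10 minutes of inactivity so the next visitor is not blocked.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Ports using the default "shutdown" action land in errdisabled state;
! recover them automatically after 5 minutes instead of a manual
! "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! Verification
show port-security interface GigabitEthernet0/1
show port-security address
show interfaces status err-disabled
```

The "restrict" action is chosen for the workstation port because, unlike "protect", it leaves an audit trail (violation counter and SNMP trap) while keeping the legitimate hosts connected; "shutdown" remains the right choice where an unexpected MAC should take the port down and be investigated before recovery.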
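The "Configuration Steps" for port-based authentication are listed as five separate commands above. The following added example, not from the original notes, carries them out end to end for one access port, and adds a second port in multi-host mode to show its trade-off. The RADIUS address, shared key, VLANs and interface names are constructed placeholders. (In IEEE 802.1X terms the switch performs the authenticator role and the end device is the supplicant.)

```cisco
! Added example (not from the original notes). RADIUS server address,
! shared key, VLANs and interface names are constructed placeholders.
configure terminal
!
! Step 1: enable AAA globally
aaa new-model
!
! Step 2: define the RADIUS server; the key must match the server side
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-KEY
!
! Step 3: 802.1x requests go to the RADIUS group
aaa authentication dot1x default group radius
!
! Step 4: enable 802.1x globally on the switch
dot1x system-auth-control
!
! Step 5: move the port from the default "force-authorized" to "auto"
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 ! Later IOS releases also require the port to be marked as authenticator
 ! (and replace "dot1x port-control" with "authentication port-control auto")
 dot1x pae authenticator
!
! Multi-host: once the first host authenticates, every MAC seen on the
! port is allowed without authenticating. Use only behind a trusted
! device such as a hub or unmanaged switch, never on a single-user port.
interface GigabitEthernet0/6
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x pae authenticator
 dot1x host-mode multi-host
end
!
! Verification: global state, then per-port authorised/unauthorised state
show dot1x all
show dot1x interface GigabitEthernet0/5
```

A port left in "force-authorized" (the default) passes traffic with no authentication at all, so the verification step matters: `show dot1x all` lists every port's port-control setting, which makes ports that were missed during rollout easy to spot.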
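The storm control template above lists the three threshold forms (percentage, bps, pps) and the optional action. The following added example, not from the original notes, sets one threshold of each form on a single port and enables the trap action; the interface name and every threshold value are constructed and should be tuned to the baseline traffic measured on the real port.

```cisco
! Added example (not from the original notes). Interface name and all
! threshold values are constructed; size them from measured baselines.
configure terminal
interface GigabitEthernet0/1
 ! Broadcast: percentage of interface bandwidth. Suppress above 1.00 %,
 ! resume forwarding once the rate falls below the 0.50 % falling threshold
 ! (a falling threshold avoids flapping at the limit).
 storm-control broadcast level 1.00 0.50
 ! Multicast: absolute packets per second, rising 1000 / falling 800
 storm-control multicast level pps 1000 800
 ! Unknown unicast: absolute bits per second, rising 5 Mbit/s / falling 4 Mbit/s
 storm-control unicast level bps 5000000 4000000
 ! Default action already drops exceeding frames; "trap" additionally
 ! sends an SNMP trap. "shutdown" would errdisable the port instead.
 storm-control action trap
end
!
! Verification: per-port suppression level and current rate for one type,
! then a summary of all ports
show storm-control GigabitEthernet0/1 broadcast
show storm-control
```

The falling (second) value in each `level` line is optional; when omitted it equals the rising threshold, which means a host hovering around the limit toggles suppression on and off continuously. Setting the falling threshold below the rising one gives a clean hysteresis band and a more readable trap history.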
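The "Best Practices for Securing Switches" list above names the controls without commands. The following added global configuration, not from the original notes, implements the items that are not covered by port security, 802.1x or storm control: secured passwords, a banner, console and VTY hardening with SSH only, the web interface disabled, read-only SNMPv3, and unused ports shut down. Hostname, domain, usernames, secrets and the SNMP credentials are constructed placeholders that must be replaced.

```cisco
! Added example (not from the original notes). Hostname, domain name,
! usernames, all secrets and SNMP credentials are constructed placeholders.
configure terminal
hostname SW1
ip domain-name example.net
!
! Secure passwords: hashed secrets, never plaintext "password" lines
enable secret REPLACE-WITH-STRONG-SECRET
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
service password-encryption
!
! System banner shown before login
banner motd ^
Authorised access only. All activity on this device is logged.
^
!
! SSH in preference to Telnet: host key, SSHv2 only, VTY accepts SSH only
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
!
! Console: require a login and time out idle sessions
line con 0
 login local
 exec-timeout 5 0
!
! Web interface disabled (both HTTP and HTTPS)
no ip http server
no ip http secure-server
!
! SNMPv3 with authentication and encryption, bound to a read-only view
snmp-server view RO-VIEW iso included
snmp-server group RO-GROUP v3 priv read RO-VIEW
snmp-server user nms RO-GROUP v3 auth sha REPLACE-AUTH-PASS priv aes 128 REPLACE-PRIV-PASS
!
! Unused ports: shut down and parked in an unused VLAN so that enabling
! one by mistake still puts it nowhere useful
interface range GigabitEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
end
```

No SNMPv1/v2c community string is defined at all, which is the practical meaning of "use SNMPv3 where possible": a device that still carries a read-write community alongside an SNMPv3 user gains nothing from the v3 configuration.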