Today’s foundamental topcis would be Port Security Using MAC Address
,Port-based Security Using IEEE 802.1x
, Mitigating Spoofing Attacks
.
Traditionally, users can just connect to a PC to a switch and gain immediate access to enterprise resources, but that is not safe any more and it is important to limit the access that users receive.
User access can be recorded as switch accounting information. Users should be authenticated as they connect to or through a switch and can be authorized to perform certain actions.
Port Security
Switch offers the port security feature to control port access based on MAC addresses.
Switch(config-if)#switchport port-security
Next, we need to identify a st of allowed MAC addresses so that port can grant them access. Of course, they can be learned dynamically from port traffic and we can specify the maximum number of MAC address.
Switch(config-if)#switchport port-security maximum
You can also statically define one or more MAC address on an interface
switch(config-if)#switchport port-security mac-address 0006.5b02.a841
In the end, you can decide how interface should react to the violation by using the following command
Switch(config-if)#switchport port-security violation {shutdown | protect | restrict}
A violation occurs if more than maximum number of MAC addresses are learned or if an unknown MAC address attempt to transmit on the port.
- shutdown: errdisable, must be re-enabled manually
- restrict: port is still up, packets are dropped. Switch would send SNMP trap and a syslog message as an alert of the violation
- protect: same as restrict but not record
Authentication
I feel like I have studied this topic like a thousand times.
This feature is based on the IEEE 802.1x standard. When it is enabled, a switch port will not pass any traffic until a user has authenticated with the switch
Port-based authentication can be handled by one or more RADIUS SERVER. The actual RADIUS authentication method must be configured first, followed by 802.1x, as shown in the following steps:
- Enable AAA on the switch using command like
aaa new-model
- Define external server along with its secret: `radius-server host x.x.x.x key3. Define the authentication method for 802.1x:
aaa authentication dot1x default group radius
- Enable 802.1x on the switch:
dot1q system-auth-control
- Configure the switchport as usual
Scenario: two Raduis servers are located at 10.1.1.1 and 10.1.1.2. Switchport would use 802.1x for port-based authentication.
Switch(config)#aaa new-model
Switch(config)#radius-server host 10.1.1.1 key MANQING
Switch(config)#radius-server host 10.1.1.2 key ZHOU
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#dot1x system-auth-control
Switch(config)#interface range FastEthernet0/1 - 40
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#dot1x port-control auto
Now, end user would be associated with vlan 10. Let us save DHCP snooping and Dynamic arp inspection for later use. I am gonna eat and do a quick workout.