CCNP 3 v4 Module 7
Minimizing Service Loss and Data Theft in a Switched Network
© 2003, Cisco Systems, Inc. All rights reserved.

Objectives
• Switch Security Issues
• Mitigating VLAN attacks
• Mitigating Spoof Attacks
• Implementing Authentication, Authorization and Accounting – AAA
• Defending Network Switches

Overview
• This module describes some measures to secure Cisco’s multilayer switches based on Cisco’s SAFE blueprint.
• Cisco Systems has implemented a number of device-level countermeasures to defend the individual devices as well as the entire network from security threats.
• In this module we will spell out possible vulnerabilities, define threats, and describe the countermeasures that should be implemented to mitigate security risks.

Switch Security Concerns
• Network security coverage often focuses on perimeter devices and the filtering of packets based upon Layer 3 and 4 headers, ports, stateful packet inspection and VPNs.
• Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions.

Firewalls, Routers and Switches
• Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until configured to do so.
• The opposite is true for routers and switches.
  – Unlike firewalls, routers and switches have a default operational mode that forwards all traffic unless configured otherwise.

Securing more than the perimeter

Layer 2 Attacks
• Attacks launched against switches and at Layer 2 can be grouped as follows:
  – MAC Layer Attacks
  – VLAN Attacks
  – Spoof Attacks
  – Attacks on Switch Devices

MAC Flooding Attack

MAC Flooding
• A common Layer 2/switch attack is MAC Flooding, resulting in CAM table overflow that causes flooding of regular data frames out all switch ports.
  – A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses.
  – Once the CAM is full, the switch cannot create any additional CAM table entries.
  – The switch must flood new legitimate frames out all ports (the switch is in dumb hub mode).
• The intruding device can now be attached to any switchport and see all traffic that flows through that switch.

Mitigation for MAC Flood Attacks
• Configure Port Security to define the number of MAC addresses that are allowed on a given port.
• Port security can also specify what MAC address is allowed on a given port.
  – Sticky configuration with maximum MAC address count.

Port Security
• Port security restricts a switch port to a specific set and/or number of MAC addresses.
  – Addresses can be learned dynamically or configured statically.
• To dynamically allow a set of MAC addresses on an interface, use the “sticky” configuration.
  – When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses.
  – The sticky configuration cannot be applied to trunk ports.
  – The switchport must be in switchport mode access.
Switch(config-if)# switchport port-security mac-address sticky

Port Security Configuration
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 4
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

show port-security

show port-security address

Caveats to Port Security Configuration
• Port security is enabled on a port-by-port basis.
• By default, only one MAC address is allowed access through a given switch port when port security is enabled.
• Static MAC address entries for a given switchport may interfere with the maximum MAC address configuration.
• The default violation action is shutdown.

Switchport Violation Actions
• There are three violation actions that can be configured on the secure port:
  – Protect – frames from the non-allowed address are dropped, but there is no log of the violation.
  – Restrict – frames from the non-allowed address are dropped and a log message is created.
  – Shutdown – if any frames are seen from a non-allowed address, the interface is errdisabled and a log message is created.
• To bring a switchport out of errdisable, you must manually use the shutdown/no shutdown interface configuration mode command.
• Shutdown is the default violation action.
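A small model of the port-security behaviour described on the preceding slides (maximum count, sticky learning, and the protect/restrict/shutdown violation actions), added here as an example and not Cisco code. Interface names, MAC addresses and log text are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switchport with port-security enabled (model of the slides' semantics)."""
    name: str
    maximum: int = 1               # IOS default: one secure MAC address per port
    violation: str = "shutdown"    # IOS default violation action
    sticky: set = field(default_factory=set)   # sticky secure addresses learned so far
    errdisabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)    # constructed log text, not verbatim IOS syslog

    def receive(self, src_mac: str) -> bool:
        """Handle an ingress frame; return True if it is forwarded, False if dropped."""
        if self.errdisabled:
            return False                        # an errdisabled port passes nothing
        src_mac = src_mac.lower()
        if src_mac in self.sticky:
            return True                         # allowed address
        if len(self.sticky) < self.maximum:
            self.sticky.add(src_mac)            # dynamically learned -> sticky secure
            return True
        # Maximum reached and the source is not an allowed address: a violation.
        self.violations += 1
        if self.violation == "protect":
            return False                        # dropped silently, no log
        if self.violation == "restrict":
            self.log.append(f"violation on {self.name} from {src_mac}: frame dropped")
            return False
        self.errdisabled = True                 # shutdown: port goes err-disabled
        self.log.append(f"violation on {self.name} from {src_mac}: port errdisabled")
        return False

    def shutdown_no_shutdown(self) -> None:
        """Manual recovery from errdisable; the sticky addresses are kept."""
        self.errdisabled = False


def simulate_flood(violation: str, maximum: int = 4, frames: int = 10) -> dict:
    """Run a MAC-flood style burst (one frame per distinct constructed source MAC)
    through a secure port, then re-send a frame from the first, legitimate station."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=violation)
    macs = [f"00:00:5e:00:53:{i:02x}" for i in range(frames)]   # constructed addresses
    forwarded = sum(port.receive(m) for m in macs)
    return {
        "forwarded": forwarded,
        "learned": len(port.sticky),
        "violations": port.violations,
        "errdisabled": port.errdisabled,
        "log_lines": len(port.log),
        "legit_after_flood": port.receive(macs[0]),
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate_flood(mode))
```

Note that in shutdown mode the legitimate station on the port also loses connectivity until the port is manually recovered, which is the trade-off the slide's "errdisabled" wording implies.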

VLAN Hopping
• VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system.
  – VLAN hopping can be accomplished by Switch Spoofing or Double Tagging.
http://www.sans.org/resources/idfaq/vlan.php
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Switch Spoofing
• In a Switch Spoofing attack, the network attacker configures a system to spoof itself as a switch by emulating ISL or 802.1Q signaling and using DTP.
  – Doing so allows the end system to negotiate a trunk link with the switch.
  – Remember, by default Cisco switchports are set to dynamic desirable mode.
• The solution to switch spoofing is to configure all edge ports as access ports, which essentially turns off trunking.
• You can also change the native VLAN from the default of 1 so that the trunk is not negotiated properly.
Switch(config)# int range fa0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport trunk native vlan 10

Private VLANs
• Private VLANs provide traffic isolation between ports although they may exist on the same Layer 3 segment and VLAN.
  – Private VLANs (PVLANs) can be implemented on Catalyst 4500s and 6500s to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN.
• The 2950 and 3550 support "protected ports", which are functionally similar to PVLANs on a per-switch basis.

Private VLAN Port Types
A port in a PVLAN can be one of three types:
• Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port.
  – Traffic received from an isolated port is forwarded only to promiscuous ports.
• Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports.
  – The default gateway for the segment would likely be hosted on a promiscuous port.
• Community: Community ports communicate among themselves and with their promiscuous ports.
  – These interfaces are isolated at Layer 2 from all other interfaces in other communities.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm

Private VLAN Configuration Guidelines
• VTP does not support private VLANs, so you must configure your VTP mode to transparent and manually add each primary and the associated private VLANs to each switch.
• VLAN 1 and VLANs 1002 – 1005 cannot be private VLANs.
• A primary VLAN can have one isolated VLAN and multiple community VLANs.
  – An isolated or community VLAN can have only one primary VLAN associated with it.
• If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
• Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
• All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm

Private VLAN Configuration Example
Router# configure terminal
Router(config)# vlan 202
Router(config-vlan)# private-vlan primary
Router(config-vlan)# exi
Router(config)# vlan 303
Router(config-vlan)# private-vlan community
Router(config-vlan)# exi
Router(config)# vlan 440
Router(config-vlan)# private-vlan isolated
Router(config-vlan)# exi
Router(config)# vlan 202
Router(config-vlan)# private-vlan association 303-307,309,440
Router(config-vlan)# exi
Router(config)# interface fastethernet 5/1
Router(config-if)# switchport mode private-vlan host
Router(config-if)# switchport private-vlan host-association 202 303
Router(config-if)# interface fastethernet 5/2
Router(config-if)# switchport mode private-vlan host
Router(config-if)# switchport private-vlan host-association 202 440
Router(config-if)# end
Router# show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
202     303       community         Fa5/1
202     440       isolated          Fa5/2

Protected Ports
• Protected ports do not forward any traffic to other ports that are also protected ports.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end

VLAN Security using ACLs
Cisco multilayer switches support three types of ACLs:
• Router access control lists (RACLs): supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches.
• Quality of service (QoS) access control lists: supported in the TCAM hardware on Cisco multilayer switches.
• VLAN access control lists (VACLs): supported in software on Cisco multilayer switches.
  – VACLs are also referred to as VLAN maps.

VLAN ACL Examples

Routed ACLs
• RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions.
  – With RACLs, access list statistics and logging are not supported.

VLAN ACLs
• VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN.
  – VACLs are similar to route maps and follow route-map conventions, where map sequences are checked in order.
  – VLAN maps have three actions that can be configured:
    • Drop
    • Forward
    • Redirect

VLAN Map Configuration
ALSwitch7(config)#ip access-list extended HRServerAllowed
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerBlocked
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.0 0.0.0.127 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerDefaults
ALSwitch7(config-ext-nacl)#permit ip any any
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#vlan access-map HRServerMap 10
ALSwitch7(config-access-map)#match ip address HRServerAllowed
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 20
ALSwitch7(config-access-map)#match ip address HRServerBlocked
ALSwitch7(config-access-map)#action drop
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 30
ALSwitch7(config-access-map)#match ip address HRServerDefaults
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#end
ALSwitch7#config t
ALSwitch7(config)# vlan filter HRServerMap vlan-list 20
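To see why the three sequences of HRServerMap above are ordered as they are, here is an evaluator for that VLAN map, added as an example (not Cisco code). It implements the slide's semantics in miniature: wildcard-mask ACL matching, sequences checked in order with the first matching clause deciding the action, and an implicit drop for a packet that matches no sequence. The ACL names, addresses and ports are the slide's own; the packet class and the evaluator are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended ACL:
    permit <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>]"""
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    eq: Optional[int] = None

    @staticmethod
    def _wild_match(addr: str, base: str, wild: str) -> bool:
        # Wildcard-mask semantics: a 1 bit in the wildcard means "don't care".
        a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
        return (a & ~w) == (b & ~w)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.eq is not None and p.dport != self.eq:
            return False
        return (self._wild_match(p.src, self.src, self.src_wild)
                and self._wild_match(p.dst, self.dst, self.dst_wild))


ANY = ("0.0.0.0", "255.255.255.255")          # the keyword "any"


def host(ip: str) -> Tuple[str, str]:         # the keyword "host x.x.x.x"
    return ip, "0.0.0.0"


# The three ACLs from the slide (permit entries only; a packet hitting no entry
# simply does not match the clause that references the ACL). "www" is TCP port 80.
ACLS: Dict[str, List[Ace]] = {
    "HRServerAllowed":  [Ace("tcp", "172.16.50.16", "0.0.0.15", *host("172.16.50.240"), eq=80)],
    "HRServerBlocked":  [Ace("tcp", "172.16.50.0", "0.0.0.127", *host("172.16.50.240"), eq=80)],
    "HRServerDefaults": [Ace("ip", *ANY, *ANY)],
}
# vlan access-map HRServerMap: (sequence, ACL named in the match clause, action)
HRSERVER_MAP = [(10, "HRServerAllowed", "forward"),
                (20, "HRServerBlocked", "drop"),
                (30, "HRServerDefaults", "forward")]


def vlan_map_action(vmap, acls: Dict[str, List[Ace]], p: Packet) -> str:
    """Evaluate map sequences in order; the first clause whose ACL permits the packet
    decides. A packet matching no sequence is dropped (the VLAN map's implicit deny)."""
    for _seq, acl_name, action in sorted(vmap):
        if any(ace.matches(p) for ace in acls[acl_name]):
            return action
    return "drop"


if __name__ == "__main__":
    for src in ("172.16.50.20", "172.16.50.100", "172.16.50.200"):
        print(src, vlan_map_action(HRSERVER_MAP, ACLS, Packet(src, "172.16.50.240", "tcp", 80)))
```

Dropping sequence 30 from the map (the HRServerDefaults clause) shows the implicit deny: every packet that is neither explicitly allowed nor explicitly blocked is then dropped, which is why the slide ends the map with a permit ip any any / forward clause.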

show vlan map and show vlan filter
ALSwitch7#show vlan access-map
Vlan access-map "HRServer" 10
  Match clauses:
    ip address: HRServerAllowed
  Action:
    forward
Vlan access-map "HRServerMap" 20
  Match clauses:
    ip address: HRServerBlocked
  Action:
    drop
Vlan access-map "HRServerMap" 30
  Match clauses:
    ip address: HRServerDefaults
  Action:
    forward
ALSwitch7#show vlan filter
VLAN Map HRServerMap is filtering VLANs:
  50
ALSwitch7#

Defending Network Switches
• CDP can be selectively disabled on interfaces where management is not being performed or if you do not want CDP information learned out of that interface.
Switch(config-if)#no cdp enable

Controlling VTY Access
• Cisco provides ACLs to permit or deny Telnet access to the VTY ports of a switch.
• Use the access-class line configuration mode command to specify a subnet that is allowed to telnet to the switch.
  – The access-class command uses a standard ACL with the in keyword.
  – A standard ACL is used because the access-class command filters inbound connections.
Switch(config-line)#access-class 5 in
  – ‘out’ can also be used to filter outbound VTY connections.

Access-class Example

Use Secure Shell – SSH
• SSH can be configured for remote access to Cisco multilayer switches.
  – Catalyst 2950s do not support SSH.
Switch(config)#hostname ALSwitch
ALSwitch(config)#ip domain-name cisco.com
ALSwitch(config)#ip ssh version 2
Please create RSA keys to enable SSH.
ALSwitch(config)#crypto key generate rsa general-keys
The name for the keys will be: ALSwitch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
ALSwitch(config)#
00:47:18: %SSH-5-ENABLED: SSH 1.99 has been enabled
ALSwitch(config)#line vty 0 15
ALSwitch(config-line)#transport input ssh
ALSwitch(config-line)#login local
ALSwitch(config-line)#exit
ALSwitch(config)#username leo privilege 15 secret baca

Encrypt Password
• Make sure to use encrypted passwords.
• Encrypted passwords can be used for enable passwords, user passwords, console and vty passwords.
ALSwitch(config)#enable secret class
ALSwitch(config)#username user1 secret userpass
ALSwitch(config)#username leo privilege 15 secret baca
ALSwitch(config)#exi
ALSwitch#sho run
...
!
hostname ALSwitch
!
enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
!
username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51
username user1 secret 5 $1$CalZ$rCMYfxqKPrJfWENUrHIZL.

Service Password Encryption
• Some passwords are not encrypted by default, such as the enable password command and the line configuration mode password command.
• To encrypt any plaintext passwords or keystrings, use the global configuration mode command:
Switch(config)# service password-encryption
• This will encrypt plaintext passwords with Cisco level 7 encryption.
  – This encryption level is not very strong.
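A check that follows from the last two slides, added here as an example (not Cisco code): it reads a running-config and reports every credential still stored with password (type 0 plaintext, or type 7 after service password-encryption) rather than secret (type 5), and whether service password-encryption is set at all. The config text is constructed for the example; only the two type 5 hashes are taken from the slide, and the type 7 strings are made-up hex.

```python
import re
from typing import List, Tuple

# Constructed running-config excerpt: a mix of good (secret) and weak (password) lines.
SAMPLE_CONFIG = """\
!
hostname ALSwitch
!
enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
enable password cisco
!
username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51
username guest password 7 0F1A2B3C4D5E
!
line con 0
 password letmein
 login
line vty 0 15
 password 7 1E2D3C4B5A69
 login local
 transport input ssh
"""

# Matches "enable password ...", "username <name> ... password ..." and a line-mode
# "password ...". IOS prints an optional type token before the value: 0 = plaintext,
# 7 = reversible obfuscation; "secret" lines (type 5) are deliberately not matched.
PASSWORD_RE = re.compile(
    r"^(enable password|username (\S+) .*?password|password)\s+(?:([07])\s+)?(\S+)\s*$")


def audit_passwords(config: str) -> Tuple[List[Tuple[str, str]], bool]:
    """Return ([(location, password type), ...], service_password_encryption_enabled).
    Every finding is a credential that should be re-entered with 'secret'."""
    findings: List[Tuple[str, str]] = []
    context = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                     # a new top-level config section
            context = line.strip() if line.startswith("line ") else "global"
        m = PASSWORD_RE.match(line.strip())
        if not m:
            continue
        kind, user, ptype, _value = m.groups()
        ptype = ptype or "0"                             # no type token means plaintext
        if user:
            where = f"username {user}"
        elif kind == "password":
            where = context                              # console / vty line password
        else:
            where = "enable password"
        findings.append((where, ptype))
    enabled = any(l.strip() == "service password-encryption" for l in config.splitlines())
    return findings, enabled


if __name__ == "__main__":
    found, enc = audit_passwords(SAMPLE_CONFIG)
    print("service password-encryption:", enc)
    for where, ptype in found:
        print(f"{where}: stored as type {ptype}; replace with 'secret'")
```

Type 7 findings are reported alongside type 0 ones on purpose: as the slide says, level 7 is not strong, so service password-encryption only hides a password from casual viewing of the configuration.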

END PART 1
PART 1 STOP HERE

DHCP Spoof Attack

DHCP Snooping
• DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests.
  – Ports are identified as trusted and untrusted.
• Trusted ports can source all DHCP messages while untrusted ports can source requests only.
  – Trusted ports host a DHCP server or can be an uplink toward the DHCP server.
  – If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

DHCP Snooping Example

DHCP Snooping Configuration
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swdhcp82.htm

show ip dhcp snooping

MAC Address Spoofing
• MAC Spoofing attacks occur when a device spoofs the MAC address of a valid network device to gain access to frames of the valid device.
• The attacker generates a single frame with a source MAC address of the valid device.
  – Once the valid host sends new frames, the spoofed CAM table entry is overwritten so forwarding to that MAC address resumes on the legitimate port.

MAC Address Spoofing Example

ARP Table Entries
• In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address.
• The device at that IP address replies with its MAC address.
• The host that originated the request then caches the ARP response, creating an ARP table entry.
  – ARP table entries are used to populate the destination Layer 2 header of packets sent to that IP address.

ARP Table Example

ARP Spoofing
• By spoofing an ARP reply, an attacking device appears to be the destination MAC address sought by the senders.
  – Now the attacker’s MAC address is stored with the legitimate destination IP address.
• All packets destined for that IP address will be forwarded through the attacker’s system on the Ethernet network.
ARP Cache Poisoning
http://www.grc.com/nat/arp.htm

ARP Spoof Example

Dynamic ARP Inspection (DAI)
• Dynamic ARP Inspection (DAI) prevents ARP spoofing by intercepting and validating all ARP requests and responses.
• Each intercepted ARP reply is verified for valid MAC-to-IP address bindings before it is forwarded to a PC.
  – ARP replies coming from invalid devices are dropped.
• The switch checks the MAC-to-IP binding in the ARP reply against the trusted DHCP snooping database.
  – This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch.
http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080509b6f.html

Dynamic ARP Inspection Example
Configure all access switch ports as untrusted and all switch ports connected to other switches as trusted.

Dynamic ARP Inspection
• To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:
  – Forwards ARP packets received on a trusted interface without any checks.
  – Intercepts all ARP packets on untrusted ports.
  – Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
  – Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.
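The DHCP Snooping slide and the DAI actions just listed describe one mechanism feeding another, so here is a single model of both, added as an example (not Cisco code): untrusted ports may source only DHCP requests and are shut down if they source a server message, snooping records the IP-to-MAC binding for each acknowledged lease, and DAI forwards ARP unchecked on trusted ports while checking ARP on untrusted ports against that table. Interface names, addresses, message names and log text are constructed; VLAN scoping is left out to keep the model short.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}             # only a DHCP server sends these
DHCP_CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}  # requests, allowed from any port


@dataclass
class Switch:
    trusted: Set[str] = field(default_factory=set)            # DHCP server / uplink ports
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ip -> (mac, port)
    pending: Dict[str, str] = field(default_factory=dict)     # client mac -> port of its request
    shut: Set[str] = field(default_factory=set)               # ports shut after a rogue server msg
    log: List[str] = field(default_factory=list)              # constructed log text, not IOS syslog

    def dhcp(self, port: str, msg: str, client_mac: str, ip: Optional[str] = None) -> bool:
        """DHCP snooping: return True if the message is forwarded, False if dropped."""
        if port in self.shut:
            return False
        if msg in DHCP_SERVER_MSGS:
            if port not in self.trusted:
                self.shut.add(port)                    # rogue DHCP server on an untrusted port
                self.log.append(f"DHCP snooping: {msg} from untrusted {port}, port shut down")
                return False
            if msg == "ACK" and ip and client_mac in self.pending:
                # Lease confirmed: record the IP-to-MAC binding and the client's port.
                self.bindings[ip] = (client_mac, self.pending.pop(client_mac))
            return True
        if msg not in DHCP_CLIENT_MSGS:
            return False
        self.pending[client_mac] = port                # remember which port the client is on
        return True

    def arp(self, port: str, sender_ip: str, sender_mac: str) -> bool:
        """Dynamic ARP Inspection: return True if the ARP packet is forwarded."""
        if port in self.shut:
            return False
        if port in self.trusted:
            return True                                # trusted interface: forwarded unchecked
        entry = self.bindings.get(sender_ip)          # intercepted on an untrusted port
        if entry is None or entry[0] != sender_mac:
            self.log.append(f"DAI: invalid binding {sender_ip} -> {sender_mac} on {port}, dropped")
            return False
        return True


def scenario() -> dict:
    """Constructed sequence: a legitimate lease on Fa0/5, ARP from a host on Fa0/7 claiming
    the leased IP, and finally a rogue DHCP OFFER from Fa0/7."""
    sw = Switch(trusted={"Gi0/1"})                     # Gi0/1 is the uplink toward the DHCP server
    legit, rogue = "00:00:5e:00:53:05", "00:00:5e:00:53:07"   # constructed MAC addresses
    sw.dhcp("Fa0/5", "DISCOVER", legit)
    sw.dhcp("Gi0/1", "OFFER", legit, "10.0.0.50")
    sw.dhcp("Fa0/5", "REQUEST", legit)
    sw.dhcp("Gi0/1", "ACK", legit, "10.0.0.50")
    return {
        "legit_arp": sw.arp("Fa0/5", "10.0.0.50", legit),
        "spoofed_arp": sw.arp("Fa0/7", "10.0.0.50", rogue),       # wrong MAC for 10.0.0.50
        "unknown_ip_arp": sw.arp("Fa0/7", "10.0.0.99", rogue),    # no binding at all
        "uplink_arp": sw.arp("Gi0/1", "10.0.0.1", "00:00:5e:00:53:01"),
        "rogue_offer": sw.dhcp("Fa0/7", "OFFER", legit, "10.0.0.66"),
        "rogue_port_shut": "Fa0/7" in sw.shut,
        "bindings": dict(sw.bindings),
        "log": list(sw.log),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

A host with a statically configured address never appears in the snooping table, so this model drops its ARP on an untrusted port exactly as the slides' rule implies; on a real switch such hosts need an explicit entry (IOS provides ARP ACLs for that) before DAI is enabled on their VLAN.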

Dynamic ARP Inspection Configuration
• Dynamic ARP inspection is enabled on a per-VLAN basis.
• Make sure to enable DHCP snooping first.
• Dynamic ARP Inspection is not supported on 29xx series switches.

What is AAA?
• AAA stands for Authentication, Authorization and Accounting.
• AAA is an architectural framework for configuring access control security functions.
• AAA is generally concerned with access control to a network or network device.
  – For instance, an AAA server can be used to authenticate remote users via a VPN, or it can be used to authenticate local users to a router, switch or firewall.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm

AAA in a Nutshell
• Authentication provides the method of identifying users.
  – The most common method of authentication is username/password.
• Authorization provides a method of controlling access to what a user can do.
  – Authorization is usually tied to a policy, profile or group.
• Accounting provides a method for collecting and sending security server information used for billing, auditing, and reporting.
  – Accounting collects data as to what a user did once logged in.

AAA Servers and Authentication
• AAA uses protocols such as RADIUS, TACACS+, or 802.1X to administer its security functions.
• There is an authenticator (device) that permits or denies access to the network or network resource and an authentication server that provides the actual database of user identification.
  – The authenticator can be a switch, router, firewall, wireless access point, VPN server or access server.

Using AAA for Login Security
• The AAA security services facilitate a variety of login authentication methods.
  – Use ‘aaa authentication login’ to enable AAA authentication.
• With the ‘aaa authentication login’ command, it is possible to create one or more lists of authentication methods that are tried at login.
• The ‘login authentication’ line configuration command applies these lists to login attempts.

AAA Login Configuration

AAA Login Configuration Example
Switch(config)#aaa new-model
Switch(config)#tacacs-server host 147.144.51.46 key 0 tacacskey
Switch(config)#aaa group server tacacs+ TACACS
Switch(config-sg-tacacs+)#server 147.144.51.46
Switch(config-sg-tacacs+)#exi
Switch(config)#
Switch(config)#aaa authentication login TACACS local
Switch(config)#line con 0
Switch(config-line)#login authentication TACACS
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm

Authentication Methods

AAA Authorization
• AAA authorization enables the limitation of the services available to a user.
• When AAA authorization is enabled, the device uses information retrieved from the user profile.
  – The user profile is located either in the local user database on the switch or on the security server.
  – You can configure up to 16 hierarchical levels of commands for each mode.
Setting Passwords and Privileges
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfpass.htm

AAA Accounting
• Accounting is the process of keeping track of the activity of each user who is accessing the network resources.
• Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

802.1X Port-based Authentication
(Figure: Supplicant and Authenticator)

802.1X Port-based Authentication
• Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switchport.
• After authentication is successful, normal traffic can pass through the port.
• The port starts in the unauthorized state.
  – While in this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets.
  – When a client is successfully authenticated, the port transitions to the authorized state.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/sw8021x.htm

802.1X Configuration
Switch1(config)#aaa new-model
Switch1(config)#aaa authentication dot1x TACACS local
Switch1(config)#dot1x system-auth-control
Switch1(config)#interface range fa0/2 - 20
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#dot1x port-control auto
Switch1(config-if-range)#end
Switch1# show run
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast

Capturing Traffic in a Switched Network
• If a network analyzer is connected to a switch port, by default the analyzer will only collect data directed to the MAC address of the analyzer.
• To resolve this issue, we configure Switch Port Analyzer (SPAN) ports.
• SPAN sends a copy of frames generated on one port or an entire VLAN to another switch port hosting a network analyzer.
  – Also known as port mirroring or port monitoring.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swspan.htm

SPAN Example

Remote SPAN (RSPAN)
• RSPAN sends traffic from a monitored port through an intermediate switch network to a traffic analyzer on another switch.
• RSPAN supports source ports, source VLANs, and destination ports on different switches.
• RSPAN provides remote monitoring of ports on multiple switches across the network.

RSPAN Example

Reflector Ports
• The reflector port is the mechanism that copies packets onto an RSPAN VLAN.
• The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated.
  – Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.
• The reflector port has these characteristics:
• It is a port set to loopback.
• It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
• A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
• It is invisible to all VLANs.
• Spanning tree is automatically disabled on a reflector port.

SPAN and RSPAN Configuration
SPAN:
Switch(config)#monitor session 1 source interface fa0/2
Switch(config)#monitor session 1 source interface fa0/2 - 24
Switch(config)#monitor session 1 source vlan 33 , 34 , 40 - 50
Switch(config)#monitor session 1 destination interface fa0/10
RSPAN:
SourceSw(config)#vlan 100
SourceSw(config-vlan)#remote-span
SourceSw(config-vlan)#exi
SourceSw(config)#monitor session 1 source interface fa0/10 both
SourceSw(config)#monitor session 1 destination remote vlan 100 reflector-port fa0/12
DestSw(config)#monitor session 1 source remote vlan 100
DestSw(config)#monitor session 1 destination interface fa0/5