L2 Security

  1. Port-security
  2. PACL
  3. VACL
  4. 802.1x
    1. IOS CLI
    2. MAB
    3. FlexAuth
    4. Inaccessible auth bypass
  5. MACsec
  6. Storm control
  7. VLAN hopping
  8. Private VLAN
    1. PVLAN attack
  9. SGT
  10. Password encryption
  11. Parser view
  12. Backup local
  13. Design

Port-security

  • incompatible with
    • Etherchannel: links, bundle (IOS only, NX-OS is compatible)
    • SPAN destination port
    • dynamic port
    • vPC
  • for static access, static trunk ports
  • can be complemented with a blackhole VLAN (ports are placed in an unused VLAN by default)
  • modes:
    1. shutdown: errdisable
    2. restrict: drop, syslog, SNMP trap, increase violation counter
    3. protect: drop
(config-if)# switchport port-security

; 1 default; = 3 for PC + IP phone: phone MAC is seen before CDP (in the PC/data VLAN) and after (in the voice VLAN)
(config-if)# switchport port-security maximum <n>

; sticky saves learned MAC to running-config; looks like static entry in CAM
(config-if)# switchport port-security mac-address <MAC>|sticky

(config-if)# switchport port-security violation <mode>

; 0 default ≡ disabled
(config-if)# switchport port-security aging time <min>

; absolute default
(config-if)# switchport port-security aging type absolute|inactivity
# clear port-security all|configured|dynamic|sticky [address <MAC> | interface <intf>]
# show port-security [interface <intf>]
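Added example, not from the notes or Cisco: a small Python model of how a port-security port treats incoming source MACs, so the three violation modes and sticky learning can be compared side by side. The MAC addresses and the syslog text are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of one access port with port-security enabled."""
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # shutdown | restrict | protect
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)  # MAC -> static|dynamic|sticky
    errdisabled: bool = False
    violations: int = 0              # counter shown by `show port-security`
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <MAC>"""
        self.secure_macs[mac] = "static"

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with src_mac."""
        if self.errdisabled:
            return "drop"            # err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # sticky entries are written to running-config; dynamic ones are not
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # limit reached and unknown MAC: violation
        if self.violation == "protect":
            return "drop"            # silent drop, no counter, no syslog
        self.violations += 1
        self.syslog.append(f"PSECURE_VIOLATION caused by {src_mac}")  # modelled message
        if self.violation == "shutdown":
            self.errdisabled = True  # whole port goes err-disable
            return "errdisable"
        return "drop"                # restrict: drop + syslog/trap + counter

    def running_config(self) -> list:
        """Lines that end up in running-config (static and sticky only)."""
        lines = []
        for mac, kind in self.secure_macs.items():
            if kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            elif kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
        return lines
```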

PACL

  • port ACL
  • ingress only
  • access, trunk
  • applied in ASIC; does not filter traffic punted to CPU: CDP, VTP, DTP, STP, IP with options, ACEs with log
  • no support for PVLAN
  • mode
    • prefer: override other ACLs
    • merge: PACL → VACL → IP ACL on L3 port → VACL; not permitted on trunk
; does not filter IP, ARP, MPLS
(config)# mac access-list extended <MACL>
(config-if)# mac access-group <MACL> in
(config-if)# ip access-group <ACL> in
(config-if)# access-group mode merge|prefer port

VACL

  • filters packets inside VLAN
  • in TCAM
  • no traffic direction, in+out
  • NX-OS: has to include match statement
  • IOS: can be without match statement
(config)# vlan access-map <MAP> [<seq>]

; if ACL is not set, all traffic permitted
(config-access-map)# match ip address <ACL>

; does not filter IP
(config-access-map)# match mac address <MACL>

; capture: alternative to SPAN (more granular), marks matched traffic as capture source; drop with no match filter drops everything, e.g. STP
(config-access-map)# action drop|forward [capture]|redirect <intf>

(config)# vlan filter <MAP> vlan-list <LST>
; limits the VLANs from which captured traffic is copied
(config-if)# switchport capture allowed vlan <LST>

; on capture destination port: enables sending of traffic marked by forward capture
(config-if)# switchport capture

802.1x

  • Ethertype 0x888e
  • MAC dst:
    • 0180.c200.0000: bridge group
    • 0180.c200.0002: PAE (port access entity)
    • 0180.c200.000e: LLDP
  • IEEE, EAP over LAN + RADIUS
  • L2 authC protocol
  • compatible with port-security
  • access ports only
  • by default all clients are unauthorized: only EAPoL, STP, CDP, VoIP are permitted
  • usually client tries 3 times to authenticate
  • modes:
    1. single host
    2. multihost: several clients, shared authC
    3. multiauth: several clients, separate authC, single VLAN
    4. multidomain: 1 voice and 1 data VLAN clients (2 total), 2 VLANs
  • port control modes:
    • force-authorized: even if authZ fails, grant access
    • force-unauthorized: never authorizes, does not run authC (e.g. unused ports)
    • auto: authZ if 802.1x is successful

IOS CLI

(config)# aaa new-model

; commands do not overwrite each other
(config)# radius-server host <IP> key <KEY>

(config)# aaa authentication dot1x default group radius

; enables 802.1x
(config)# dot1x system-auth-control

; off default
(config)# authentication mac-move permit
; enables reauthentication
(config-if)# authentication periodic

; permits traffic before authZ
(config-if)# authentication open

; restricted VLAN, single-host only
(config-if)# authentication event fail action authorize vlan <n>

; guest VLAN, no multi-auth support
(config-if)# authentication event no-response action authorize vlan <n>

(config-if)# authentication host-mode single-host|multi-host|multi-auth|multi-domain

; replace: tears down existing session, negotiates new session
(config-if)# authentication violation protect|restrict|shutdown|replace

; force-authorized default
(config-if)# authentication port-control <mode>

; ∞ default, authC attempt after failure
(config-if)# authentication timer restart <sec>
; legacy command, ≡ authentication port-control
(config-if)# dot1x port-control <mode>

; enable authenticator function
(config-if)# dot1x pae supplicant|authenticator|both

; permit several hosts on port
(config-if)# dot1x host-mode multi-host

; 3600s default; reauth authorized ports
(config-if)# dot1x timer reauthenticate <sec>|server

; ∞ default; tear down session if no traffic present
(config-if)# dot1x timer inactivity <sec>|server

; ∞ default; reauth unauthorized ports
(config-if)# dot1x timer restart <sec>

; 30s default; time EAP awaits response before resend

# show dot1x all
; hidden, reauth client
# dot1x reauthenticate [interface <intf>]

MAB

  • MAC authentication bypass
  • evolution of VMPS
  • device authC based on MAC: for clients that do not support 802.1x
  • source MAC filtering
  • does not authC CDP, LLDP, STP, DTP
  • src MAC as username, password and calling station ID
  • RADIUS may return PACL or VLAN
  • second port disconnect: IP phone signals via CDP that PC port is down
  • no reauthC
  • cannot change VLAN dynamically: client without supplicant may not find that out and refresh DHCP
(config-if)# mab

(config-if)# authentication order dot1x mab

; FlexAuth
(config-if)# authentication event fail action next-method

; 2 default, number of retries (max-reauth-req) before MAB kicks in
(config-if)# dot1x max-reauth-req <n>

FlexAuth

  • sequence of authC methods
  • can enable MAB without going through 802.1x
  • if several procedures are successful (e.g. MAB, then 802.1x), selection is based on priority
  • MAB can reset 802.1x session on reauthC
(config-if)# authentication order dot1x mab
(config-if)# authentication priority dot1x mab

Inaccessible auth bypass

  • puts port into critical VLAN if AAA server is unreachable
  • reauthC when AAA server becomes reachable
  • preserves pre-auth ACL
(config-if)# authentication event server dead action authorize vlan <n>
(config-if)# authentication event server dead action authorize voice
(config-if)# authentication event server alive action reinitialize

MACsec

  • hop-by-hop
  • EtherType = 0x88e5
  • connectivity association (CA)
    • long-lived
    • Ethernet segment
  • security association (SA)
    • short-lived
    • key rotation for the channel with MACsec key agreement (MKA)
  • SA protocol (SAP)
    • proprietary
    • network admission via 802.1x
    • trunk only (MKA on access)
; feature dot1x+cts
(config-if)# cts manual

; mode: gcm-encrypt, gmac, no-encap, null
(config-if-cts-manual)# sap pmk <KEY> mode-list <MODE>

(config-if-cts-manual)# no shutdown
(config-if-cts-manual)# no propagate sgt

Storm control

  • only physical interfaces
  • config applied to members of Etherchannel
  • ingress limit for bcast, mcast and unicast based on thresholds
  • processing takes place before flooding to other ports
  • some models treat mcast ≡ bcast
  • time window = 1s
  • some models round the threshold; threshold < 0.33 ≡ suppress all
  • no limit for BPDU, CDP because small frames (< 67 bytes) do not trigger storm control
; percent: part of BW, if exceeded during 1s time window, then action
; if drops to *low, then action stops
(config-if)# storm-control broadcast|multicast|unicast level <pct> [<pct-low>] | bps <bps> [<bps-low>] | pps <pps> [<pps-low>]

; drop by default, shutdown ≡ err-disable
(config-if)# storm-control action shutdown|trap

; on exceeding – err-disable
(config-if)# small-frames violation-rate <pps>
; bcast by default
# show storm-control [<intf>] [broadcast|multicast|unicast]
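Added example, not from the notes or Cisco: a Python model of the storm-control threshold logic described above (1 s window, rising level, falling low level, action drop/shutdown/trap, frames under 67 bytes not counted). Link speed and the per-second frame sizes are constructed inputs.

```python
SMALL_FRAME = 67  # bytes; shorter frames (BPDU, CDP) are not counted


def utilisation_pct(frame_sizes, link_bps):
    """Share of link bandwidth (percent) used in one 1 s window by counted frames."""
    bits = sum(size * 8 for size in frame_sizes if size >= SMALL_FRAME)
    return 100.0 * bits / link_bps


def storm_control(windows, link_bps, level, level_low=None, action="drop"):
    """Walk consecutive 1 s windows of broadcast frame sizes.

    level is the rising threshold, level_low the falling one (defaults to level,
    as when only one value is configured). Suppression starts when a window
    exceeds level and stops when a window falls below level_low. action
    "shutdown" err-disables the port on the first violation; "trap" sends an
    SNMP trap while suppressing; "drop" (the default) just filters.
    Returns a list of (pct, suppressed, port_state) tuples, one per window.
    """
    if level_low is None:
        level_low = level
    suppressed = errdisabled = False
    result = []
    for sizes in windows:
        pct = utilisation_pct(sizes, link_bps)
        if errdisabled:
            result.append((pct, True, "err-disabled"))
            continue
        if not suppressed and pct > level:
            suppressed = True                 # threshold crossed: action starts
            if action == "shutdown":
                errdisabled = True
        elif suppressed and pct < level_low:
            suppressed = False                # fell below low level: action stops
        if errdisabled:
            state = "err-disabled"
        elif suppressed and action == "trap":
            state = "trap"
        else:
            state = "up"
        result.append((pct, suppressed, state))
    return result
```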

VLAN hopping

  • access port accepts tagged frames if the VLAN ID is 0 or matches the configured access VLAN; some models accept tagged frames only after configuration of a Voice VLAN
  • double tagging: target VLAN tag is hidden under the port (native) VLAN tag ⇒ first switch strips the outer tag on the trunk and the next switch forwards based on the inner target tag
  • mitigation
    • native VLAN = unused VLAN + pruning
    • tag native VLAN (untagged – drop)
  • pruning native VLAN does not block CDP, PAgP, DTP
(config)# vlan dot1q tag native
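Added example, not from the notes or Cisco: a Python parser for 802.1Q tag stacks with a check that flags the double-tagged frame described above (outer tag equal to the trunk's native VLAN). The frame bytes are constructed test input.

```python
import struct

TPID_8021Q = 0x8100


def parse_vlan_stack(frame: bytes):
    """Return (dst_mac, src_mac, [VLAN IDs outermost first], payload EtherType)."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    offset, vlans = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            return dst, src, vlans, ethertype
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)          # VLAN ID is the low 12 bits of the TCI
        offset += 4


def double_tag_suspect(frame: bytes, native_vlan: int) -> bool:
    """True for a frame with two or more tags whose outer tag is the trunk's
    native VLAN: a switch that strips the native tag would forward it on the
    inner VLAN, which is the hop the notes describe."""
    _, _, vlans, _ = parse_vlan_stack(frame)
    return len(vlans) >= 2 and vlans[0] == native_vlan


def sample_frame(vlans, ethertype=0x0800) -> bytes:
    """Constructed test input: Ethernet II frame with the given 802.1Q tag stack."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46
```

With `vlan dot1q tag native` the native VLAN is tagged on the trunk as well, so an untagged frame arriving there is dropped rather than reinterpreted.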

Private VLAN

  • isolation within VLAN: L2 ISPs, address shortage, difficult to allocate new VLAN
  • secondary VLAN
    • can communicate only to primary VLAN (aggregates all secondaries)
    • isolated: cannot communicate with any other host in the secondary VLANs (full isolation)
    • community: can communicate only within own secondary VLAN
  • primary VLAN
    • aggregates secondary (single gateway for everyone)
    • 1 primary permits
      • 1 isolated
      • many community
  • VTP v1, v2 do not distribute private VLAN info (locally significant); VTPv3 distributes PVLAN info
  • port modes:
    • promiscuous: connection to default GW, ignores PVLAN rules
    • host: connection to hosts, communication within community or via promiscuous port
  • trunk
    • promiscuous PVLAN trunk
      • replaces secondary VLAN tag with primary VLAN tag (egress)
      • router-on-a-stick
    • isolated PVLAN trunk
      • replaces primary VLAN tag with isolated VLAN tag (egress)
      • towards 2950 with protected ports
  • if global association changes, interfaces with conflicting mappings → suspended
  • if access port is assigned to PVLAN, it does not pass traffic

isolated → promisc

community → community, promisc (secondary VLAN tag in trunk, e.g. 20)

promisc → promisc, isolated, community (primary VLAN tag in trunk, e.g. 30)

Communication direction is deduced from CAM (lookup in primary + secondary VLAN CAMs)

; secondary VLAN
(config-vlan)# private-vlan isolated|community

(config-vlan)# private-vlan primary
(config-vlan)# private-vlan association <secondary-vlan-list>
; for smaller models, local significance, hosts do not reach each other but can reach the rest network (e.g. via trunk), ≡ isolated
(config-if)# switchport protected

(config-if)# switchport mode private-vlan host|promiscuous|trunk|trunk promiscuous

; on host intf
(config-if)# switchport private-vlan host-association <primary> <secondary>

; on promiscuous intf, on SVI – no primary needed
(config-if)# switchport private-vlan mapping <primary> <secondary-list>
# show vlan private-vlan [type]

PVLAN attack

PC1 can bypass PVLAN if it uses GW MAC

Solution: ACL on GW (deny ip 192.168.0.0/24 192.168.0.0/24)
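Added example, not from the notes or Cisco, covering both the PVLAN forwarding rules listed under Private VLAN (isolated → promisc; community → same community + promisc; promisc → all, with the tag each carries on a trunk) and the gateway ACL fix above. The VLAN numbers, port names and subnet are constructed to match the notes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIMARY = 30                                                     # primary VLAN
SECONDARY = {20: "community", 21: "community", 40: "isolated"}   # constructed mapping
SUBNET = ipaddress.ip_network("192.168.0.0/24")                  # subnet from the notes


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                          # "host" | "promiscuous"
    secondary: Optional[int] = None    # secondary VLAN of a host port


def trunk_tag(port: PvlanPort) -> int:
    """Tag a frame from this port carries on a normal 802.1Q trunk."""
    return PRIMARY if port.mode == "promiscuous" else port.secondary


def can_talk(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer-2 PVLAN rules: isolated -> promisc only; community -> promisc and
    the same community; promisc -> everyone."""
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True
    if "isolated" in (SECONDARY[src.secondary], SECONDARY[dst.secondary]):
        return False
    return src.secondary == dst.secondary      # same community VLAN


def reachability(ports):
    """{src name: [names of ports it can reach]} for a list of ports."""
    return {p.name: [q.name for q in ports if q is not p and can_talk(p, q)]
            for p in ports}


def gateway_acl_permits(src_ip: str, dst_ip: str) -> bool:
    """Inbound ACL on the gateway, the fix for the PVLAN bypass: a packet sent to
    the GW MAC but addressed to a host of the same subnet is denied instead of
    being routed back into the VLAN (deny ip 192.168.0.0/24 192.168.0.0/24)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return not (src in SUBNET and dst in SUBNET)
```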

SGT

  • security group tag
  • 16 bit
  • profiling: user ID, user device, location, access time → tag on switch: 802.1x, IP address, VLAN
  • policy: SGT-based
  • mapping
    • inline
      • tag is part of frame
      • MACsec
      • Ethertype 0x8909, CMD (Cisco Metadata)
    • SXP
      • security group tag exchange protocol
      • connection with ISE via EAP-FAST (IOS)
      • maps IP to SGT for devices that do not support inline tagging; TCP peering similar to BGP
      • TCP 64999
      • supports GRE, IPsec
      • DNA-ACI integration
        • ISE passes IP-SGT mapping to switch
        • ISE passes IP-EPG mapping to L3Out
      • IP-SGT mapping is based on source IP – requires IPDT to map MAC-IP
      • speaker ≡ Tx, listener ≡ Rx
    • pxGrid
  • SGT values
    • 0 = untagged traffic
    • 2 = network device
(config)# cts sxp enable
(config)# cts sxp connection peer <IP> source <IP> pass <PWD> mode local|peer listener|speaker
; for L3 intf, vlan-list – L2
(config)# cts role-based enforcement [vlan-list <LST>]
(config)# cts role-based sgt-map <IP>|<network>|vlan-list <LST> sgt <n>
(config-if)# cts manual
(config-if-cts-manual)# propagate sgt
; trusted ≡ accept tag from neighbour, do not overwrite it
(config-if-cts-manual)# policy static sgt <n> [trusted]
; connect to ISE with EAP-FAST, RADIUS key, download CTS data
# cts credentials id <ID> password <PASS>

Password encryption

  • 0 = no encryption
  • 4 = SHA256 (default for secret starting from IOS 15.0)
  • 5 = MD5 (default for IOS 12.4)
  • 7 = proprietary Cisco (Vigenere cipher)
; 6 default
(config)# security password min-length <n>
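Added example, not from the notes or Cisco: a Python audit that reads the type digit on `enable` and `username` credential lines of an IOS configuration and grades it with the table above, plus a check of `security password min-length`. The configuration text is constructed and the hash values are placeholders; nothing is decoded.

```python
import re

PASSWORD_TYPES = {                    # type digit -> (what it is, grade)
    "0": ("plaintext", "weak"),
    "7": ("reversible Cisco (Vigenere)", "weak"),
    "5": ("MD5 hash", "acceptable"),
    "4": ("SHA256 hash", "good"),
}

CRED_RE = re.compile(
    r"^\s*(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<kind>password|secret)\s+(?:(?P<type>\d)\s+)?\S+",
    re.MULTILINE,
)
MINLEN_RE = re.compile(r"^\s*security password min-length\s+(\d+)", re.MULTILINE)


def audit_passwords(config: str):
    """Return (line, description, grade) for every enable/username credential."""
    findings = []
    for m in CRED_RE.finditer(config):
        ptype = m.group("type") or "0"   # no digit: stored as typed, i.e. type 0
        desc, grade = PASSWORD_TYPES.get(ptype, ("unknown type", "review"))
        findings.append((m.group(0).strip(), desc, grade))
    return findings


def weak_lines(config: str):
    """Lines that should be replaced by `secret` (type 4/5) entries."""
    return [line for line, _, grade in audit_passwords(config) if grade == "weak"]


def min_length(config: str):
    """Configured `security password min-length`, or the default 6 when absent."""
    m = MINLEN_RE.search(config)
    return int(m.group(1)) if m else 6


SAMPLE_CONFIG = """\
enable password cisco
enable secret 5 $1$mERr$placeholderhashXXXXXXXXXXXXX
username admin privilege 15 secret 4 placeholderSHA256hashXXXXXXXXXXXXXXXXXX
username backup password 7 0A1B2C3D4E5F
security password min-length 10
"""  # constructed sample configuration; hashes are placeholders
```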

Parser view

(config)# enable secret <PASS>
(config)# aaa new-model
(config)# parser view <VIEW>
(config-view)# secret <PASSWORD>
; commands starting with "cmd"
(config-view)# commands exec include all <cmd>

(config)# username <NAME> view <VIEW> secret <SECRET>
; root view, PASS password
# enable view
; NAME view, PASSWORD password
# enable view <VIEW>
# show parser view

Backup local

  • create copies in flash
; can be enabled remotely, disabled only via console
(config)# secure boot-config
(config)# secure boot-image
; dir does not list secure files
# show secure bootset

Design

  • blackhole VLAN
  • disable DTP, SAP, MOP