- Port-security
- PACL
- VACL
- 802.1x
- MACsec
- Storm control
- VLAN hopping
- Private VLAN
- SGT
- Password encryption
- Parser view
- Backup local
- Design
Port-security
- incompatible with
- Etherchannel: links, bundle (IOS only, NX-OS is compatible)
- SPAN destination port
- dynamic port
- vPC
- for static access, static trunk ports
- can be complemented with a blackhole VLAN (ports are in an unused VLAN by default)
- modes:
- shutdown: errdisable
- restrict: drop, syslog, SNMP trap, increase violation counter
- protect: drop
(config-if)# switchport port-security
; 1 default; use 3 for PC + IP phone: the phone MAC is learned in the PC VLAN before CDP and in the voice VLAN after
(config-if)# switchport port-security maximum <n>
; sticky saves learned MAC to running-config; looks like static entry in CAM
(config-if)# switchport port-security mac-address <MAC>|sticky
(config-if)# switchport port-security violation <mode>
; 0 default ≡ disabled
(config-if)# switchport port-security aging time <min>
; absolute default
(config-if)# switchport port-security aging type absolute|inactivity
# clear port-security all|configured|dynamic|sticky [address <MAC> | interface <intf>]
# show port-security [interface <intf>]
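The maximum / sticky / violation / aging behaviour above as a small simulation (added example, not part of the notes; the Python class and the "forward/drop/errdisable" return values are my own modelling choices, and sticky entries are treated as static, i.e. not aged):

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    maximum: int = 1               # switchport port-security maximum <n>
    violation: str = "shutdown"    # shutdown | restrict | protect
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # minutes; 0 = aging disabled (default)
    aging_type: str = "absolute"   # absolute | inactivity
    secure: dict = field(default_factory=dict)        # mac -> [learned_at, last_seen]
    running_config: list = field(default_factory=list)
    violations: int = 0            # counter incremented in restrict mode
    errdisabled: bool = False

    def _age(self, now: int) -> None:
        """Expire dynamic entries; sticky entries are treated as static and kept."""
        if self.aging_time == 0 or self.sticky:
            return
        for mac, (learned, seen) in list(self.secure.items()):
            ref = learned if self.aging_type == "absolute" else seen
            if now - ref >= self.aging_time * 60:
                del self.secure[mac]

    def ingress(self, mac: str, now: int = 0) -> str:
        """Return 'forward', 'drop' or 'errdisable' for a frame from mac at time now (s)."""
        if self.errdisabled:
            return "errdisable"            # port stays down until recovered / no shut
        self._age(now)
        if mac in self.secure:
            self.secure[mac][1] = now      # refresh for inactivity aging
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = [now, now]  # dynamically learned secure MAC
            if self.sticky:                # sticky: written to running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # a new MAC beyond the maximum is a violation
        if self.violation == "shutdown":
            self.errdisabled = True        # err-disable the port
            return "errdisable"
        if self.violation == "restrict":
            self.violations += 1           # plus syslog and SNMP trap on a real switch
        return "drop"                      # protect and restrict both drop the frame
```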
PACL
- port ACL
- ingress only
- access, trunk
- ASIC, does not filter traffic to CPU: CDP, VTP, DTP, STP, IP with options, ACEs with log
- no support for PVLAN
- mode
- prefer: override other ACLs
- merge: PACL → VACL → IP ACL on L3 port → VACL; not permitted on trunk
; does not filter IP, ARP, MPLS
(config)# mac access-list extended <MACL>
(config-if)# mac access-group <MACL> in
(config-if)# ip access-group <ACL> in
(config-if)# access-group mode merge|prefer port
VACL
- filters packets inside VLAN
- in TCAM
- no traffic direction, in+out
- NX-OS: has to include match statement
- IOS: can be without match statement
(config)# vlan access-map <MAP> [<seq>]
; if ACL is not set, all traffic permitted
(config-access-map)# match ip address <ACL>
; does not filter IP
(config-access-map)# match mac address <MACL>
; capture: alternative to SPAN (more granular), on the source side; action drop without a match statement drops everything, e.g. STP
(config-access-map)# action drop|forward [capture]|redirect <intf>
(config)# vlan filter <MAP> vlan-list <LST>
; limits VLANs, from which traffic is copied
(config-if)# switchport capture allowed vlan <LST>
; enables sending traffic, identified by forward capture; on dst port
(config-if)# switchport capture
802.1x
- Ethertype 0x888e
- MAC dst:
- 0180.c200.0000: bridge group
- 0180.c200.0002: PAE (port access entity)
- 0180.c200.000e: LLDP
- IEEE, EAP over LAN + RADIUS
- L2 authC protocol
- compatible with port-security
- access ports only
- by default all clients are unauthorized: only EAPoL, STP, CDP, VoIP are permitted
- usually client tries 3 times to authenticate
- modes:
- single host
- multihost: several clients, shared authC
- multiauth: several clients, separate authC, single VLAN
- multidomain: 1 voice and 1 data VLAN clients (2 total), 2 VLANs
- port control modes:
- force-authorized: even if authZ fails, grant access
- force-unauthorized: does not authC (e.g. unused ports)
- auto: authZ if 802.1x is successful
IOS CLI
(config)# aaa new-model
; commands do not overwrite each other
(config)# radius-server host <IP> <KEY>
(config)# aaa authentication dot1x default group radius
; enables 802.1x
(config)# dot1x system-auth-control
; off default
(config)# authentication mac-move permit
; enables reauthentication
(config-if)# authentication periodic
; permits traffic before authZ
(config-if)# authentication open
; restricted VLAN, single-host only
(config-if)# authentication event fail action authorize vlan <n>
; guest VLAN, no multi-auth support
(config-if)# authentication event no-response action authorize vlan <n>
(config-if)# authentication host-mode single-host|multi-host|multi-auth|multi-domain
; replace: tears down existing session, negotiates new session
(config-if)# authentication violation protect|restrict|shutdown|replace
; force-authorized default
(config-if)# authentication port-control <mode>
; ∞ default, authC attempt after failure
(config-if)# authentication timer restart <sec>
; legacy command, ≡ authentication port-control
(config-if)# dot1x port-control <mode>
; enable authenticator function
(config-if)# dot1x pae supplicant|authenticator|both
; permit several hosts on port
(config-if)# dot1x host-mode multi-host
; 3600s default; reauth authorized ports
(config-if)# dot1x timer reauthenticate <sec>|server
; ∞ default; tear down session if no traffic present
(config-if)# dot1x timer inactivity <sec>|server
; ∞ default; reauth unauthorized ports
(config-if)# dot1x timer restart <sec>
; 30s default; time EAP awaits response before resend
# show dot1x all
; hidden, reauth client
# dot1x reauthenticate [interface <intf>]
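A decoder for the EAPoL frames the notes describe (Ethertype 0x888e, EAP over LAN), useful when inspecting a capture of a failing authentication. Added example, not from the notes; the EAPoL/EAP field layout follows IEEE 802.1X and RFC 3748, and the MAC addresses and identity in the sample frames are made up:

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # from the notes above
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPoL header and, for EAP-Packet, the EAP header and Identity."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: ethertype 0x{etype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and len(body) >= 4:          # EAP packet carried in EAPoL
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        out.update(eap_code=EAP_CODES.get(code, code), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:    # Request/Response carry a Type byte
            out["eap_type"] = body[4]
            if body[4] == 1:                   # Type 1 = Identity
                out["identity"] = body[5:eap_len].decode("ascii", "replace")
    return out

def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Construct an EAPoL frame; used here only to make sample input for the parser."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body

def eap_identity_response(ident: int, identity: bytes) -> bytes:
    """EAP Response/Identity: code 2, identifier, length, type 1, identity string."""
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity

# Constructed sample frames (made-up MAC addresses, not captured traffic)
SUPPLICANT = bytes.fromhex("0a1b2c3d4e5f")
AUTHENTICATOR = bytes.fromhex("001122334455")
SAMPLE_START = build_eapol(AUTHENTICATOR, SUPPLICANT, 1)
SAMPLE_IDENTITY = build_eapol(AUTHENTICATOR, SUPPLICANT, 0, eap_identity_response(1, b"alice"))

if __name__ == "__main__":
    for f in (SAMPLE_START, SAMPLE_IDENTITY):
        print(parse_eapol(f))
```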
MAB
- MAC authentication bypass
- evolution of VMPS
- device authC based on MAC: for clients that do not support 802.1x
- source MAC filtering
- does not authC CDP, LLDP, STP, DTP
- src MAC as username, password and calling station ID
- RADIUS may return PACL or VLAN
- second port disconnect: IP phone signals via CDP that PC port is down
- no reauthC
- cannot change VLAN dynamically: client without supplicant may not find that out and refresh DHCP
(config-if)# mab
(config-if)# authentication order dot1x mab
; FlexAuth
(config-if)# authentication event fail action next-method
; 2 default, number of reauth attempts before MAB kicks in
(config-if)# dot1x max-reauth-req <n>
FlexAuth
- authC procedures sequence
- can enable MAB without going through 802.1x
- if several procedures are successful (e.g. MAB, then 802.1x), selection is based on priority
- MAB can reset 802.1x session on reauthC
(config-if)# authentication order dot1x mab
(config-if)# authentication priority dot1x mab
Inaccessible auth bypass
- puts the port into the critical VLAN if the AAA server is unreachable
- reauthC when AAA server becomes reachable
- preserves pre-auth ACL
(config-if)# authentication event server dead action authorize vlan <n>
(config-if)# authentication event server dead action authorize voice
(config-if)# authentication event server alive action reinitialize
MACsec
- hop-by-hop
- EtherType = 0x88e5
- connectivity association (CA)
- long-lived
- Ethernet segment
- security association (SA)
- short-lived
- key rotation for the channel with MACsec key agreement (MKA)
- SA protocol (SAP)
- proprietary
- network admission via 802.1x
- trunk only (MKA on access)
; feature dot1x+cts
(config-if)# cts manual
; mode: gcm-encrypt, gmac, no-encap, null
(config-if-cts-manual)# sap pmk <KEY> mode-list <MODE>
(config-if-cts-manual)# no shutdown
(config-if-cts-manual)# no propagate sgt
Storm control
- only physical interfaces
- config applied to members of Etherchannel
- ingress limit for bcast, mcast and unicast based on thresholds
- processing takes place before flooding to other ports
- some models treat mcast ≡ bcast
- time window = 1s
- some models round threshold, threshold < 0.33 ≡ suppress
- no limit for BPDU, CDP because small frames (< 67 bytes) do not trigger storm control
; percent: part of BW, if exceeded during 1s time window, then action
; if drops to *low, then action stops
(config-if)# storm-control broadcast|multicast|unicast level <percent> [lvl-low] | bps <low> | pps <low>
; drop by default, shutdown ≡ err-disable
(config-if)# storm-control action shutdown|trap
; on exceeding – err-disable
(config-if)# small-frames violation-rate <pps>
; bcast by default
# show storm-control [<intf>] [broadcast|multicast|unicast]
VLAN hopping
- switch accepts tagged frames if VLAN number is 0 or matches configured VLAN; some models accept tagged frames only after configuration of Voice VLAN
- double tagging: conceals the target VLAN tag under the port VLAN (native) tag ⇒ trunk removes the outer tag and the other switch forwards based on the target tag
- mitigation
- native VLAN = unused VLAN + pruning
- tag native VLAN (untagged – drop)
- pruning native VLAN does not block CDP, PAgP, DTP
(config)# vlan dot1q tag native
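The double-tagging path and both mitigations above, modelled in Python (added example, not from the notes). The frame is constructed with made-up MACs; the access-port acceptance rule is the one stated in the notes (untagged, VID 0 or the port's own VID), and `tag_native=True` stands for `vlan dot1q tag native`:

```python
import struct

TAG_ETHERTYPES = (0x8100, 0x88A8)   # 802.1Q and 802.1ad (QinQ) tags

def vlan_stack(frame: bytes) -> list:
    """VLAN IDs in the frame's tag stack, outermost first ([] = untagged)."""
    off, vids = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] in TAG_ETHERTYPES:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids

def access_ingress(vids: list, access_vlan: int):
    """Per the notes: an access port takes untagged frames, VID 0, or its own VID.
    Returns (vlan, inner_tags) or (None, None) when the frame is dropped."""
    if not vids or vids[0] in (0, access_vlan):
        return access_vlan, vids[1:]   # any inner tag rides along as payload
    return None, None

def trunk_egress(vlan: int, inner: list, native_vlan: int, tag_native: bool = False) -> list:
    """Tag stack on the trunk: native VLAN leaves untagged unless 'vlan dot1q tag native'."""
    if vlan == native_vlan and not tag_native:
        return inner                   # outer tag stripped: an inner tag is now exposed
    return [vlan] + inner

def classify_on_trunk(vids: list, native_vlan: int) -> int:
    """The receiving switch classifies by the first tag, or native VLAN if untagged."""
    return vids[0] if vids else native_vlan

def double_tag_outcome(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """VLAN the frame ends up in on the far switch (None = dropped at the access port)."""
    vlan, inner = access_ingress(vlan_stack(frame), access_vlan)
    if vlan is None:
        return None
    return classify_on_trunk(trunk_egress(vlan, inner, native_vlan, tag_native), native_vlan)

def build_frame(vids: list) -> bytes:
    """Constructed sample frame (made-up MACs): one 802.1Q tag per VID, then an IP ethertype."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0a1b2c3d4e5f")
    for v in vids:
        hdr += struct.pack("!HH", 0x8100, v)
    return hdr + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    f = build_frame([1, 20])           # outer = native VLAN 1, inner = target VLAN 20
    print("no mitigation ->", double_tag_outcome(f, 1, 1))
    print("unused native ->", double_tag_outcome(f, 1, 999))
    print("tag native    ->", double_tag_outcome(f, 1, 1, tag_native=True))
```

A frame whose `vlan_stack` has more than one entry on an access port is itself worth alerting on, since legitimate hosts have no reason to send it.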
Private VLAN
- isolation within VLAN: L2 ISPs, address shortage, difficult to allocate new VLAN
- secondary VLAN
- can communicate only to primary VLAN (aggregates all secondaries)
- isolated: cannot communicate with secondary VLAN (full isolation)
- community: can communicate only within own secondary VLAN
- primary VLAN
- aggregates secondary (single gateway for everyone)
- 1 primary permits
- 1 isolated
- many community
- VTP v1, v2 do not distribute private VLAN info (locally significant); VTPv3 distributes PVLAN info
- port modes:
- promiscuous: connection to default GW, ignores PVLAN rules
- host: connection to hosts, communication within community or via promiscuous port
- trunk
- promiscuous PVLAN trunk
- replaces secondary VLAN tag with primary VLAN tag (egress)
- router-on-a-stick
- isolated PVLAN trunk
- replaces primary VLAN tag with isolated VLAN tag (egress)
- towards 2950 with protected ports
- promiscuous PVLAN trunk
- if global association changes, interfaces with conflicting mappings → suspended
- if access port is assigned to PVLAN, it does not pass traffic
- forwarding rules:
- isolated → promisc
- community → community (same one), promisc (secondary VLAN tag in trunk, e.g. 20)
- promisc → promisc, isolated, community (primary VLAN tag in trunk, e.g. 30)
- communication direction is deduced from CAM (lookup in primary + secondary VLAN CAMs)
; secondary VLAN
(config-vlan)# private-vlan isolated|community
(config-vlan)# private-vlan primary
(config-vlan)# private-vlan association <secondary-vlan-list>
; for smaller models, locally significant: hosts do not reach each other but can reach the rest of the network (e.g. via trunk), ≡ isolated
(config-if)# switchport protected
(config-if)# switchport private-vlan host|promisc|trunk|trunk promisc
; on host intf
(config-if)# switchport private-vlan host-association <primary> <secondary>
; on promiscuous intf, on SVI – no primary needed
(config-if)# switchport private-vlan mapping <primary> <secondary-list>
# show vlan private-vlan [type]
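The PVLAN forwarding rules and trunk tags listed above as a checkable function (added example, not from the notes; port names, the primary VLAN 30 and the secondary VLANs 10/20/21 are made up to match the tag examples in the notes):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str        # "promiscuous" | "isolated" | "community"
    primary: int
    secondary: int   # equals primary for a promiscuous port

def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Apply the rules: isolated -> promisc only; community -> same community + promisc;
    promisc -> everyone in the same primary VLAN."""
    if src.primary != dst.primary:
        return False                             # different private VLAN domains
    if "promiscuous" in (src.mode, dst.mode):
        return True                              # promiscuous port talks to all
    if src.mode == "community" and dst.mode == "community":
        return src.secondary == dst.secondary    # only within the same community
    return False                                 # isolated <-> anything else

def trunk_tag(src: PvlanPort) -> int:
    """Tag a frame from src carries on a regular trunk: secondary VLAN for hosts,
    primary VLAN when it comes from the promiscuous port."""
    return src.primary if src.mode == "promiscuous" else src.secondary

def reachable(ports: list, src_name: str) -> list:
    """Names of ports that src may send to, sorted."""
    src = next(p for p in ports if p.name == src_name)
    return sorted(p.name for p in ports if p is not src and can_forward(src, p))

# Constructed topology: one promiscuous gateway port, two isolated hosts, two communities
PORTS = [PvlanPort("gw", "promiscuous", 30, 30),
         PvlanPort("iso1", "isolated", 30, 10), PvlanPort("iso2", "isolated", 30, 10),
         PvlanPort("com1", "community", 30, 20), PvlanPort("com2", "community", 30, 20),
         PvlanPort("com3", "community", 30, 21)]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:5} tag {trunk_tag(p):3} -> {reachable(PORTS, p.name)}")
```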
PVLAN attack
PC1 can bypass PVLAN if it uses GW MAC
Solution: ACL on GW (deny ip 192.168.0.0/24 192.168.0.0/24)
SGT
- security group tag
- 16 bit
- profiling: user ID, user device, location, access time → tag on switch: 802.1x, IP address, VLAN
- policy: SGT-based
- mapping
- inline
- tag is part of frame
- MACsec
- Ethertype 0x8909, CMD (Cisco Metadata)
- SXP
- security group tag exchange protocol
- connection with ISE via EAP-FAST (IOS)
- propagates IP-SGT mappings to devices that do not support inline tagging; BGP-like peering
- TCP 64999
- supports GRE, IPsec
- DNA-ACI integration
- ISE passes IP-SGT mapping to switch
- ISE passes IP-EPG mapping to L3Out
- IP-SGT mapping is based on source IP – requires IPDT to map MAC-IP
- speaker ≡ Tx, listener ≡ Rx
- pxGrid
- inline
- SGT values
- 0 = untagged traffic
- 2 = network device
(config)# cts sxp enable
(config)# cts sxp connection peer <IP> source <IP> pass <PWD> mode local|peer listener|speaker
; for L3 intf, vlan-list – L2
(config)# cts role-based enforcement [vlan-list <LST>]
(config)# cts role-based sgt-map <IP>|<network>|vlan-list <LST> sgt <n>
(config-if)# cts manual
(config-if-cts-manual)# propagate sgt
; trusted ≡ accept tag from neighbour, do not overwrite it
(config-if-cts-manual)# policy static sgt <n> [trusted]
; connect to ISE with EAP-FAST, RADIUS key, download CTS data
# cts credentials id <ID> password <PASS>
Password encryption
- 0 = no encryption
- 4 = SHA256 (default for secret starting from IOS 15.0)
- 5 = MD5 (default for IOS 12.4)
- 7 = proprietary Cisco (Vigenere cipher)
; 6 default
(config)# security password min-length <n>
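An audit script for a saved configuration that flags credentials stored with the reversible types from the list above (0 and 7), since `service password-encryption` only produces type 7. Added example, not from the notes; the sample configuration is constructed and its hash and type-7 strings are placeholders, not real values:

```python
import re

# Storage type numbers as listed in the notes above
STORAGE_TYPES = {"0": "cleartext", "4": "SHA-256", "5": "MD5", "7": "Cisco type 7 (reversible)"}
REVERSIBLE = {"0", "7"}   # anyone holding the config recovers these directly

# username ... password|secret [type] value, enable password|secret [type] value,
# or a bare "password [type] value" under line configuration
LINE_RE = re.compile(r"^(?:username \S+(?: privilege \d+)? |enable )?"
                     r"(?P<kw>password|secret)(?: (?P<type>\d))? (?P<value>\S+)$")

def audit_config(config: str) -> list:
    """Return (line_no, text, storage type) for every reversibly stored credential."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()                       # line-mode commands are indented
        m = LINE_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"           # no type digit means cleartext
        if ptype in REVERSIBLE:
            findings.append((n, line, STORAGE_TYPES[ptype]))
    return findings

# Constructed sample configuration (placeholder hashes, not a real device)
SAMPLE_CONFIG = """\
service password-encryption
enable secret 4 PLACEHOLDER_SHA256_HASH
enable password 7 0123456789ABCDEF
username admin privilege 15 secret 5 $1$PLAC$EHOLDERMD5HASH.
username backup password 0 ChangeMe123
line vty 0 4
 password 7 FEDCBA9876543210
"""

if __name__ == "__main__":
    for n, text, kind in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {kind}: {text}")     # fix: use 'secret' / 'enable secret'
```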
Parser view
(config)# enable secret <PASS>
(config)# aaa new-model
(config)# parser view <VIEW>
(config-view)# secret <PASSWORD>
; commands starting with "cmd"
(config-view)# commands exec include all <cmd>
(config)# username <NAME> view <VIEW> secret <SECRET>
; root view, PASS password
# enable view
; NAME view, PASSWORD password
# enable view <VIEW>
# show parser view
Backup local
- create copies in flash
; can be enabled remotely, disable – only via console
(config)# secure boot-config
(config)# secure boot-image
; dir does not list secure files
# show secure bootset
Design
- blackhole VLAN
- disable DTP, SAP, MOP