GregLedet.net Adventures in networking, security, and other things

30Jul/08

A few stray commands to help you button things down.

I just wanted to go through a few things with you guys before we move on to more intensive things like DAI and DHCP snooping.  These are commands that are good to put into your configs: they will raise your security and, if you are required to follow them, help you come into compliance with STIGs.

First off, we really don't want anyone to be able to auto-trunk on your network.  Auto-trunking is actually not that hard to do, and it relies on a careless network admin not disabling it from the start.  You want each of your ports to be explicitly either access or trunk, and you start by entering these commands:

For an access port:
Switch (config-if)# switchport mode access
Switch (config-if)# switchport nonegotiate

For a trunk port:
Switch (config-if)# switchport mode trunk
Switch (config-if)# switchport trunk native vlan 69
Switch (config-if)# switchport trunk allowed vlan 9,10,68,70,119
Switch (config-if)# switchport nonegotiate

Now, the commands for the access port first told the port "You are an access port", then told it "If someone tells you that they are a trunk and want you to be a trunk, tell them to go to hell".  There is NO negotiation, get it?

For the trunk port, we told the port "You are a trunk port and here's the VLAN that's native to you", followed by "These are the only VLANs you're allowed to pass traffic for".  It finishes with "If someone tells you to become an access port, explain to them in a series of 1's and 0's where they can get off".  You'll notice that I highlighted the "nonegotiate" commands.  That's because you should have already known how to create an access and trunk port, but you probably forgot to tell them that "we do not negotiate with terrorists".  Or something like that...

Now I want to speak to you for a minute about STP.  Even though Scott Weiland's voice stinks... wait... wrong STP...  Spanning Tree Protocol is your friend.  We all love it; we all use it (hopefully).  Let's guard it.

Switch (config-if)# spanning-tree bpduguard enable
Switch (config-if)# spanning-tree guard root

What we're doing by implementing BPDU (I call them "bippy-du's") guard is enforcing the STP domain borders and keeping the active topology predictable.  The devices behind ports that have STP PortFast enabled are not able to influence the STP topology: when such a port receives a BPDU, BPDU guard puts the port in errdisable.

The "root guard" feature provides a way to enforce the root bridge placement in the network. The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Now, you can leave it like this, or you can add a timeout to the errdisabled state caused by the bippy-du's.  When BPDU guard disables the port, the port remains in the disabled state until it is enabled manually.  You can configure a port to re-enable itself automatically from the errdisable state.  The commands (entered in global config, not on the interface) are:

Switch (config)# errdisable recovery cause bpduguard
Switch (config)# errdisable recovery interval 500

The default timeout interval is 300 seconds and, by default, the timeout feature is disabled.  If you want to know what ports are in errdisable, enter:

Switch# show interfaces status err-disabled

If you need to get it out of errdisabled manually, you'll need to enter a "shutdown" then "no shutdown" on the port to bring it back up.
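To check a whole config for the access/trunk and STP guard commands from this post, here is an added example (my code, not Greg's): it splits an IOS running-config into interface stanzas and reports active ports missing them. The sample config is constructed, and the policy it enforces (static mode plus nonegotiate everywhere, BPDU guard on access ports, root guard on trunks, shut ports skipped) is an assumption of the example.

```python
import re

# Constructed sample running-config (not from the post): Fa0/1 is a hardened
# access port, Fa0/2 still negotiates, Fa0/3 is a hardened trunk, Fa0/4 is unused.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 9,10,68,70,119
 switchport nonegotiate
 spanning-tree guard root
!
interface FastEthernet0/4
 shutdown
!
"""

def parse_interfaces(config):
    """Split IOS config text into {interface name: set of its indented lines}."""
    return {name: {ln.strip() for ln in body.splitlines()}
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit(config):
    """Return {interface: [missing commands]} for active ports. Assumed policy:
    static access/trunk mode and 'switchport nonegotiate' everywhere, BPDU guard
    on access ports, root guard on trunks (unused, shut ports are skipped)."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        required = ["switchport nonegotiate"]
        if mode == "access":
            required.append("spanning-tree bpduguard enable")
        elif mode == "trunk":
            required.append("spanning-tree guard root")
        else:
            required.append("switchport mode access|trunk")  # dynamic: DTP may auto-trunk
        missing = [c for c in required if c not in cmds]
        if missing:
            findings[name] = missing
    return findings
```

Feed it the text of "show running-config" and the result lists, per port, exactly which of the commands above still need to be added.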

-Greg

28Jul/08

Secure your network with Switchport Port-Security!!!

It's been a couple of months since I've posted, so today we're going to play catch-up.  Right now you know how to securely log in to your Cisco devices using SSH (and TACACS+).  Today we're going to make sure that no one else can just walk into your building and start plugging in unauthorized devices.

We're going to start with Port-Security.  Port-security is part of Cisco's best practices and it should be one of the first things that you do when you set up your Catalyst switch.  For this lesson, I'm going to be using a Catalyst 3750 PoE-48 running c3750-ipbasek9-mz.122-25.SEE2 as the test bed.

The reason we want to run Port-Security is that this starts your network security at Layer 2.  Your Layer 1 security should already be in place, in the sense that you don't just give Joe Blow off the street access to plug into the network.  Any unused ports should be in SHUTDOWN!  Only, and I mean ONLY, those ports that are currently being used should be active.  But Joe Blow decides to unplug a PC and plug his laptop in.  BAD Joe!  To stop Joe from doing this, plug this into your config.

Switch (config-if)#switchport port-security

WAIT!  Don't get carried away.  Let's discuss the best way to do this first.  There's a good chance that there are some "dumb" switches and hubs on your network, not to mention the phones, PCs, printers, etc.  There are a couple of ways you can go about figuring out what's out there.  The way I do it (probably not the best way, but it sure is easy) is to enter the following commands, in order.

Switch# config terminal
Switch (config)# interface range FastEthernet 0/1 - 48     (if you're stacked, use the member numbering: 1/0/1 - 48, 2/0/1 - 48, etc.)
Switch (config-if-range)# switchport port-security violation restrict
Switch (config-if-range)# switchport port-security maximum 24
Switch (config-if-range)# switchport port-security mac-address sticky
Switch (config-if-range)# switchport port-security

What we just did was put port-security on all the ports on the switch with a maximum of 24 MACs per port, and on a violation we don't shut down the port.  I let this run for about a week.  This will build a nice MAC table, so when you run the command "show port-security" you can find out what's out there.  The "mac-address sticky" will write the MAC addresses to the startup config so they don't have to be learned again.  Let's look at a "show port-security" output now...

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1             24            1                  0         Restrict
      Fa0/2             24            1                  0         Restrict
      Fa0/3             24            3                  0         Restrict
      Fa0/4             24            1                  0         Restrict
      Fa0/5             24            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 655

As you can see, we've got a couple of ports with only one thing plugged into them and a couple with more than one.  Port fa0/3 has a PC and a Cisco 7960 plugged into it, and port fa0/5 has a "dumb" switch.  The reason that fa0/3 is showing 3 MAC addresses is that the phone needs to be on both the data and voice VLANs.  When the phone boots, the switch thinks it's a data device until CDP tells it to move to the voice VLAN.  That's 2 MACs (phone data and phone voice), plus the PC on the data VLAN.  Putting it into "Restrict" rather than the default of "shutdown" will keep the port alive if there's a violation and send you an SNMP trap when one happens.

Now we know what's on our network, so let's button things down.  You can go back through the interfaces and reduce the maximum number of MACs allowed to what's already there.  On a rather static Cisco VoIP network, this number will be 3.  The commands are:

Switch# config t
Switch (config)# int fa0/3
Switch (config-if)# switchport port-security maximum 3
Switch (config-if)# switchport port-security violation shutdown
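Doing that by hand for 48 ports is tedious, so here is an added example (my code, not part of the post) that parses "show port-security" output and emits the tightening commands per port. The sample output is constructed; the threshold for "too many MACs to lock blindly" and the handling of ports that learned nothing are the example's own assumptions.

```python
import re

# Constructed sample of 'show port-security' output (not the post's own), with
# the counts the post describes: a single PC, a PC plus a 7960 phone, a dumb switch.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1             24            1                  0         Restrict
      Fa0/3             24            3                  0         Restrict
      Fa0/5             24           12                  0         Restrict
      Fa0/7             24            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 13
Max Addresses limit in System (excluding one mac per port) : 655
"""

# One table row: port, max count, current count, violation count, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_port_security(text):
    """Return {port: (max, current, violations, action)} from show port-security."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and total lines never match the numeric columns
            ports[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))
    return ports

def tighten(ports, review_above=3):
    """Emit per-port commands that lower 'maximum' to the learned count and switch
    the violation action to shutdown. Ports that learned nothing are reported for
    shutdown instead of being locked at 0 (not a valid maximum); ports with more
    than review_above addresses (hubs, dumb switches) are listed for manual review."""
    commands, review = [], []
    for port, (_maximum, current, _violations, _action) in sorted(ports.items()):
        if current == 0:
            review.append(f"{port}: no addresses learned; shut it down if unused")
        elif current > review_above:
            review.append(f"{port}: {current} addresses learned (hub or switch?)")
        else:
            commands += [f"interface {port}",
                         f" switchport port-security maximum {current}",
                         " switchport port-security violation shutdown"]
    return commands, review
```

Paste the generated commands into config mode once the review list has been dealt with; a port whose maximum is dropped below its current sticky count would be rejected anyway, which is why the example sets it to exactly what was learned.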

Now port security is running, and it's going to shut down the port during a violation.  I prefer to leave it in shutdown with no aging on it so I have to physically reactivate the port after a violation.  Now let's look at what happens when Joe Blow plugs into your network...

Joe Blow walks into your building, unplugs the computer of a user who is on vacation and plugs his laptop in.  Joe is up to no good.  The second he plugs the laptop in, the switch will check the MAC address against the MAC table it built for that port, see that Joe's laptop is NOT supposed to be plugged into that port, and shut down that port.  It will then send an SNMP trap to your NMS server (or whatever) alerting you to the fact that there's a port-security violation.  You bust Joe Blow, your boss showers you with 4 extra weeks of vacation for a job well done, and they throw a ticker-tape parade for you in Times Square.  Well, maybe not, but you'll have better security than you had before!

This is all fine and dandy, as long as Joe Blow doesn't know how to spoof a MAC address.  If he does, we'll have to use DHCP Snooping and Dynamic ARP Inspection (DAI) to avert this.  Guess what the next article will be about?

-Greg
