Configure Your Catalyst for a More Secure Layer 2

By Charlie Schluting | Jan 20, 2005 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211/Configure-Your-Catalyst-for-a-More-Secure-Layer-2.htm

The latest Cisco Catalyst switches, including the 6500, 4500, and 3750, have some wonderful new features to keep your network safer and more secure. These multilayer switches are capable of inspecting ARP and layer 3/4 packets, which allows for very effective security features.

In this article we will describe and explain these new advances, referred to by Cisco as Catalyst Intelligent features. Using Smartports, the Catalyst switches can inspect, and keep track of DHCP (define) assignments. This means that if a client was assigned an IP address via DHCP, the switch can enforce that assignment by blocking any packets sent from the client's port claiming to be from a different IP addresses. This is accomplished by enabling DHCP snooping and IP source guard. Using the DHCP tables, the switch can also block forged ARP (define) packets, a feature called Dynamic ARP inspection.

DHCP Snooping

Using the features that leverage knowledge gained from DHCP snooping can create a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area.
DHCP snooping is a security feature that filters untrusted DHCP messages, and can protect clients on the network from peering up with an unauthorized DHCP server. When enabled, it builds a table of MAC address, IP address, lease time, binding type, and interface information (the switch's interface).

There is also an important difference between trusted and untrusted interfaces when talking about DHCP snooping. Switch ports connected to the end-user should be configured as untrusted. Trusted interfaces are those connected to your DHCP server or another switch. When DHCP snooping on the entire switch is enabled, the switch acts like a firewall for your VLAN (define) . You'll also want to enable DHCP snooping on the VLAN, to allow the switch to act as a firewall for the entire VLAN domain.

Here's how it's done:

    !Turn on snooping for the entire switch:
    Switch(config)# ip dhcp snooping
    Switch(config)# ip dhcp snooping vlan [number or range]

    !Our DCHP server:
    Switch(config)# interface GigabitEthernet 5/1
    Switch(config-if)# ip dhcp snooping trust

    !An untrusted client (not a required step):
    Switch(config-if)# interface FastEthernet 2/1
    Switch(config-if)# ip dhcp snooping limit rate 10

A few notes on this:

First, and most importantly, you must realize that this will cause all DHCP requests to be dropped until a port is configured as trusted. Hence, this should be turned on with great care. Second, this isn't as cumbersome as it may seem. You can use the Interface Range command to specify all trusted ports at once. Here's how to enable trust on all trunk ports and ports that a dhcp server is connected to:

    Switch(config)#interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3
    Switch(config-if-range)# ip dhcp snooping trust

Interface range is a little-known command, introduced in IOS 12.1 that saves a tremendous amount of time.

The last caveat with DHCP snooping is that you must establish a trust relationship with downstream DHCP snoopers on a trunk port:

    Switch(config-if)# ip dhcp relay information trusted

Now, you may be thinking "DHCP snooping sounds nice, but what happens when I reboot the switch and the snooper doesn't have a database of leases anymore? Won't it require clients to re-obtain their DHCP leases?"

Yes. Cisco thought of this, and created a mechanism by which the database can be saved. It is possible to configure the database to live on flash memory, but because of space limitations it's best to use a tftp server with the command:

    Switch(config)# ip dhcp snooping database tftp://10.1.1.1/file

The database is updated constantly, and should survive a quick reboot. If some DHCP leases have expired by the time the switch comes alive again, those entries will be invalid, and the client won't have connectivity until it tries to peer up with DHCP again.

IP Source Guard and Port Security

Using just DHCP snooping, you have stopped untrusted devices from acting as a DHCP server; which is important in an environment where people think it's a good idea to bring in their Linksys access point to better cover the office with wireless. Port Security can also help to stop more than one MAC from being seen on a port, making it impossible to connect hubs and other network-extending devices.

Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP source guard. Even better, we can also stop clients from forging their MAC address. MAC address filtering makes flooding the switch impossible. Flooding is a technique by which an attacker sends so many MAC addresses from their port that the switch's MAC table overflows. Then the switch has no choice but to flood all Ethernet frames out of every single port, since it doesn't know what MAC is connected where, allowing an attacker to see all the traffic across the switch. Some viruses have been known to do this as well.

    Switch(config-if)# ip verify source vlan dhcp-snooping

But be careful! If the DHCP table doesn't have an association for this port, you've just stopped all IP traffic from it. It is recommended that DHCP snooping be turned on a day before enabling IP source guard to allow it to gather information.

To apply MAC address security, you must turn it on, then configure appropriate options:

    !Set explicit access mode (dynamic or trunk ports can't have security)
    Switch(config-if)# switchport mode access

    !Enable port-security
    Switch(config-if)# switchport port-security

    !Specify how many MAC addresses can be used:
    Switch(config-if)# switchport port-security maximum 1

    !Action to take when a violation happens:
    Switch(config-if)# switchport port-security violation {restrict | shutdown}

Violation Restrict will not disable the switch port, but instead cause the switch to increment a security violation counter, and send an SNMP trap. These options are quite configurable, you can even specify how long to shut down the port when a violation occurs. An alternative, less dynamic method, is to program the MAC address binding as static. This stops any other MAC from working on a port, ever.

Dynamic ARP Inspection

ARP inspection allows the switch to discard ARP packets with invalid IP to MAC address bindings, effectively stopping common man-in-the-middle attacks. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses where the attacker claims to be someone else.

To curtail poisoning, Dynamic ARP Inspection (DAI) uses our friend, the DHCP snooping table. There are many options, and you must be careful enabling DAI if all network devices don't support it. The most basic configuration is:

    Switch(config)# ip arp inspection vlan 1

Trunk ports need to be trusted:

    Switch(config)# int range f1/1 - 4 , f2/24
    Switch(config-if)# ip arp inspection trust

You can view the status with:

    Switch# show ip arp inspection ?

Using the features that leverage knowledge gained from DHCP snooping can create a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area. Testing these features in a production environment is, of course, not recommended: Many of them have wicked side effects if configured incorrectly or out of order.