Saturday, August 29, 2009

BCMSN Lab 8 - Switch Security

Saturday at last!  The kid is napping, the wife is working on her project, and I finally get some "daytime" studying hours.  Today I labbed up the switch security chapter in the BCMSN Lab Portfolio.  I started with a lab topology that looked like so:
 
Just a note:  I did not hook up ALS2.  I ran basically a triangle with dls1, dls2, and als1.  A dhcp server was set up off of fa0/6 on dls1.  This lab also ran these vlans and HSRP gateways:
  • VLAN 1 - 172.16.1.1/24
  • VLAN 100 (staff) - 172.16.100.1/24 (USERS WERE ON ALS1 FA0/3 - 4)
  • VLAN 200 (students) - 172.16.200.1/24 (USERS WERE ON ALS1 FA0/1 - 2)
So the first thing I did was get the EtherChannel trunks up between the switches and set the VLANs and HSRP addresses.  I won't post that here because we have been over it already.  The first thing, again, was protecting against MAC flooding, which is done through the port-security commands.  VLAN 200 is unique because the MAC addresses will change often (student laptops, etc.), whereas the staff use desktops and IP phones that never really change, so the two configurations look a bit different.  Here's the config on ALS1:
ALS1(config)#int range fa0/3 - 4
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switchport access vlan 200
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switch port-security max 1
ALS1(config-if-range)#end
ALS1#sh port-security interface fastEthernet 0/3
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

The staff ports were configured as follows:
ALS1(config)#int range fa0/1 - 2
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switch access vlan 100
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switchport port-security maximum 2
ALS1(config-if-range)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address

ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#end

ALS1#sh port-security int fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

So as you can see, the configured maximum number of MAC addresses to be learned was different for the two sets of access ports.  The mac-address sticky command lets the port learn MAC addresses dynamically (up to the configured maximum, two here) and then writes them into the running config.  Here's what happens when I plug a switch into that port:
ALS1#sh run int fa0/1
Building configuration...

Current configuration : 312 bytes
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000d.65eb.5e88
 switchport port-security mac-address sticky 0014.692f.7f00
end

The first two addresses learned were added to the config.  Good shit!  Currently there is no aging time set on these ports, so those dynamically learned addresses are it!  Notice in the show port-security interface output that the aging time is 0, essentially disabled.  If we wanted to change this we would use the switchport port-security aging {static | time time | type {absolute | inactivity}} command.


The next lesson was DHCP spoofing attack mitigation.  This protects against rogue DHCP servers being put on your network; they create what is a man-in-the-middle scenario, which we should all try to avoid.  Here is the basic config:

ALS1(config)#ip dhcp snooping - enable it globally
ALS1(config)#ip dhcp snooping vlan 100 200 - enable it for vlans 100 and 200
ALS1(config)#int fa0/24
ALS1(config-if)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if)#int range fa0/15 - 16
ALS1(config-if-range)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if-range)#exit

The config was the same on all of the other switches.  However, on DLS1 I also trusted fa0/6, which was the port the DHCP server was connected to.  Here is a show command from ALS1:

ALS1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100-200
Insertion of option 82 is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/15             yes         unlimited - we COULD change this with the ip dhcp snooping limit rate [pps] command
FastEthernet0/16             yes         unlimited
FastEthernet0/24             yes         unlimited

Now the port is supposed to shut down if it sees any DHCP server activity, but the only results I got were that of the packets being blocked :)
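As an added example (not part of the original lab or the BCMSN portfolio), here is a small Python audit that reads a running-config like the ALS1 one above and checks both controls from this post: access ports without port-security (MAC flooding) and DHCP snooping trust set on the wrong ports (rogue DHCP servers).  The sample config is constructed for the example; the interface names and the findings text are my own assumptions.

```python
# Constructed sample running-config modelled on ALS1 above; not from a real switch.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100 200
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport access vlan 200
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces

def audit(config):
    """Return (interface, problem) pairs for the two controls in this lab."""
    findings = []
    if "ip dhcp snooping" not in config.splitlines():
        findings.append(("global", "ip dhcp snooping is not enabled"))
    for name, lines in parse_interfaces(config).items():
        trusted = "ip dhcp snooping trust" in lines
        if "switchport mode trunk" in lines and not trusted:  # trunks carry the real server's replies
            findings.append((name, "trunk missing 'ip dhcp snooping trust'"))
        elif "switchport mode access" in lines:
            if "switchport port-security" not in lines:  # MAC flooding exposure
                findings.append((name, "access port without port-security"))
            if trusted:  # a trusted access port lets a rogue server answer clients
                findings.append((name, "access port should not be DHCP-trusted"))
    return findings
```

Run audit(SAMPLE_CONFIG) and fa0/1 comes back clean, while fa0/3 and the untrusted trunk on fa0/24 are flagged.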
