Configure Your Catalyst for a More Secure Layer 2
January 20, 2005
By Charlie Schluting

The latest Cisco Catalyst switches, including the 6500, 4500, and 3750, have some wonderful new features to keep your network safer and more secure. These multilayer switches are capable of inspecting ARP and layer 3/4 packets, which allows for very effective security features.

In this article we will describe and explain these new advances, referred to by Cisco as Catalyst Intelligent features. Using Smartports, the Catalyst switches can inspect and keep track of DHCP assignments. This means that if a client was assigned an IP address via DHCP, the switch can enforce that assignment by blocking any packets sent from the client's port that claim to be from a different IP address. This is accomplished by enabling DHCP snooping and IP source guard. Using the DHCP tables, the switch can also block forged ARP packets, a feature called Dynamic ARP Inspection.

DHCP Snooping

DHCP snooping is a security feature that filters untrusted DHCP messages and can protect clients on the network from peering up with an unauthorized DHCP server. When enabled, it builds a binding table recording each client's MAC address, IP address, lease time, binding type, and the switch interface the client is on.

There is also an important distinction between trusted and untrusted interfaces when talking about DHCP snooping. Switch ports connected to end users should be configured as untrusted; trusted interfaces are those connected to your DHCP server or to another switch. DHCP snooping is enabled globally on the switch and then on each VLAN you want protected; once both are on, the switch filters DHCP for that VLAN much as a firewall would.

Here's how it's done:

    !Turn on snooping for the entire switch, then for the VLAN(s):
    Switch(config)# ip dhcp snooping
    Switch(config)# ip dhcp snooping vlan [number or range]

    !Our DHCP server:
    Switch(config)# interface GigabitEthernet 5/1
    Switch(config-if)# ip dhcp snooping trust

    !An untrusted client port (not a required step):
    Switch(config)# interface FastEthernet 2/1
    Switch(config-if)# ip dhcp snooping limit rate 10

A few notes on this:

First, and most importantly, you must realize that this will cause all DHCP requests to be dropped until a port is configured as trusted, so it should be turned on with great care. Second, this isn't as cumbersome as it may seem: you can use the interface range command to specify all trusted ports at once. Here's how to enable trust on all trunk ports and on the ports a DHCP server is connected to:

    Switch(config)# interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3
    Switch(config-if-range)# ip dhcp snooping trust

The interface range command, introduced in IOS 12.1, is little known but saves a tremendous amount of time.

The last caveat with DHCP snooping is that you must establish a trust relationship with downstream DHCP snoopers on a trunk port:

    Switch(config-if)# ip dhcp relay information trusted

Now, you may be thinking "DHCP snooping sounds nice, but what happens when I reboot the switch and the snooper doesn't have a database of leases anymore? Won't it require clients to re-obtain their DHCP leases?"

Yes. Cisco thought of this, and created a mechanism by which the database can be saved. It is possible to configure the database to live on flash memory, but because of space limitations it's best to use a TFTP server with the command:

    Switch(config)# ip dhcp snooping database tftp://

The database is updated constantly, and should survive a quick reboot. If some DHCP leases have expired by the time the switch comes alive again, those entries will be invalid, and the client won't have connectivity until it tries to peer up with DHCP again.

IP Source Guard and Port Security

Using just DHCP snooping, you have stopped untrusted devices from acting as a DHCP server, which is important in an environment where people think it's a good idea to bring in their Linksys access point to better cover the office with wireless. Port security can also stop more than one MAC from being seen on a port, making it impossible to connect hubs and other network-extending devices.

Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP source guard. Even better, we can also stop clients from forging their MAC address. MAC address filtering makes flooding the switch impossible. Flooding is a technique by which an attacker sends so many MAC addresses from their port that the switch's MAC table overflows. Then the switch has no choice but to flood all Ethernet frames out of every single port, since it doesn't know what MAC is connected where, allowing an attacker to see all the traffic across the switch. Some viruses have been known to do this as well.

    Switch(config-if)# ip verify source vlan dhcp-snooping

But be careful! If the DHCP table doesn't have an association for this port, you've just stopped all IP traffic from it. It is recommended that DHCP snooping be turned on a day before enabling IP source guard to allow it to gather information.

To apply MAC address security, you must turn it on, then configure appropriate options:

    !Set explicit access mode (dynamic or trunk ports can't have security)
    Switch(config-if)# switchport mode access

    !Enable port-security
    Switch(config-if)# switchport port-security

    !Specify how many MAC addresses can be used:
    Switch(config-if)# switchport port-security maximum 1

    !Action to take when a violation happens:
    Switch(config-if)# switchport port-security violation {restrict | shutdown}

The restrict action does not disable the switch port; instead the switch increments a security violation counter and sends an SNMP trap. These options are quite configurable; you can even specify how long to shut down the port when a violation occurs. An alternative, less dynamic method is to program the MAC address binding statically, which stops any other MAC from ever working on that port.
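The port-security behaviour just described, as an added Python model (not Cisco's code; the class, its field names and the sample MAC addresses are constructed): three hosts behind a hub hit a port limited to one MAC, once with restrict, once with shutdown, and once against a statically programmed address.

```python
from dataclasses import dataclass, field

# Illustrative model (not Cisco code) of "switchport port-security" on one
# access port: a MAC limit, an optional static binding, and the restrict vs
# shutdown violation actions. Names and sample MACs are constructed.


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                            # switchport port-security maximum N
    violation: str = "shutdown"                 # ... violation {restrict | shutdown}
    static: set = field(default_factory=set)    # statically programmed MACs
    learned: set = field(default_factory=set)   # dynamically secured MACs
    violations: int = 0                         # counter that "restrict" increments
    traps: list = field(default_factory=list)   # SNMP traps "restrict" would send
    err_disabled: bool = False                  # "shutdown" leaves the port here

    def secured(self):
        return self.static | self.learned

    def frame(self, src_mac):
        """Process one ingress frame; returns True if it is forwarded."""
        if self.err_disabled:
            return False                        # nothing passes until re-enabled
        if src_mac in self.secured():
            return True
        if len(self.secured()) < self.maximum:
            self.learned.add(src_mac)           # room left: learn it as secure
            return True
        # a further source MAC beyond the limit is a violation
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True            # port goes err-disabled
        else:                                   # restrict: drop, count, trap, stay up
            self.traps.append(f"port-security violation on {self.name} from {src_mac}")
        return False


def port_security_demo():
    """Three constructed hosts behind a hub against three differently secured ports."""
    hub = ["00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"]
    restrict = SecuredPort("Fa2/1", maximum=1, violation="restrict")
    shutdown = SecuredPort("Fa2/2", maximum=1, violation="shutdown")
    static = SecuredPort("Fa2/3", maximum=1, violation="restrict", static={hub[0]})
    return {
        # first host is learned; the other two violate; the first still works
        "restrict_forwarded": [restrict.frame(m) for m in hub + [hub[0]]],
        "restrict_violations": restrict.violations,
        "restrict_traps": len(restrict.traps),
        "restrict_port_up": not restrict.err_disabled,
        # first violation err-disables the port, so even the first host is cut off
        "shutdown_forwarded": [shutdown.frame(m) for m in hub + [hub[0]]],
        "shutdown_port_up": not shutdown.err_disabled,
        # only the statically programmed MAC ever passes
        "static_forwarded": [static.frame(m) for m in [hub[1], hub[0]]],
    }


if __name__ == "__main__":
    for name, value in port_security_demo().items():
        print(f"{name:20} {value}")
```

The difference between the two actions shows up in the last frame of each run: with restrict, the legitimately learned host keeps working after the violations and the counter and traps tell you something is plugged in behind the port; with shutdown, that host is cut off too until the port is re-enabled.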

Dynamic ARP Inspection

ARP inspection allows the switch to discard ARP packets with invalid IP to MAC address bindings, effectively stopping common man-in-the-middle attacks. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses where the attacker claims to be someone else.

To curtail poisoning, Dynamic ARP Inspection (DAI) uses our friend, the DHCP snooping table. There are many options, and you must be careful enabling DAI if not all of your network devices support it. The most basic configuration is:

    Switch(config)# ip arp inspection vlan 1

Trunk ports need to be trusted:

    Switch(config)# int range f1/1 - 4 , f2/24
    Switch(config-if-range)# ip arp inspection trust

You can view the status with:

    Switch# show ip arp inspection ?
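
To make the three mechanisms concrete, here is a small Python model of the DHCP snooping binding table, IP source guard and Dynamic ARP Inspection as the preceding sections describe them. It is an added example, not code from the article or from Cisco; the class and method names, port names, MAC and IP addresses are constructed, and the model checks both the source IP and the source MAC against the binding (the stricter form alluded to above).

```python
from dataclasses import dataclass, field

# Illustrative model (not Cisco code) of the three checks built on the DHCP
# snooping binding table: the table itself, IP source guard and dynamic ARP
# inspection. Port names, MACs and addresses are constructed samples.

SERVER_MSGS = {"OFFER", "ACK"}          # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # only a DHCP client sends these


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str        # the client's own switch port
    expires: float   # lease end, as an absolute time


@dataclass
class SnoopingSwitch:
    # ports configured "ip dhcp snooping trust" / "ip arp inspection trust"
    trusted: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port
    dropped: list = field(default_factory=list)    # audit trail of drops

    def dhcp(self, port, vlan, msg, mac, ip=None, lease=0, now=0.0):
        """Filter one DHCP message seen on `port`; returns True if forwarded."""
        if msg in SERVER_MSGS and port not in self.trusted:
            # a server answering from an untrusted port (a rogue AP, say) is dropped
            self.dropped.append(("dhcp", port, msg))
            return False
        if msg in CLIENT_MSGS and port not in self.trusted:
            # remember which access port the client is on, for the coming ACK
            self.pending[(mac, vlan)] = port
        if msg == "ACK":
            client_port = self.pending.pop((mac, vlan), None)
            if client_port is not None:
                self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, client_port, now + lease)
        return True

    def _bound(self, port, vlan, mac, ip, now):
        """True only if an unexpired binding ties this mac+ip to this port."""
        b = self.bindings.get((mac, vlan))
        return b is not None and b.port == port and b.ip == ip and b.expires > now

    def ip_packet(self, port, vlan, src_mac, src_ip, now=0.0):
        """IP source guard: on untrusted ports the source must match a binding."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip, now):
            return True
        self.dropped.append(("ip", port, src_ip))
        return False

    def arp_packet(self, port, vlan, sender_mac, sender_ip, now=0.0):
        """Dynamic ARP inspection: the ARP sender fields must match a binding."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip, now):
            return True
        self.dropped.append(("arp", port, sender_ip))
        return False


def snooping_demo():
    """Walk through the cases the article warns about; returns name -> forwarded?"""
    sw = SnoopingSwitch(trusted={"Gi5/1"})       # Gi5/1 faces the real DHCP server
    client, other = "00:11:22:33:44:55", "00:de:ad:be:ef:00"
    r = {}
    # a server on an untrusted port never gets its OFFER through
    r["rogue_offer"] = sw.dhcp("Fa2/5", 1, "OFFER", mac=other)
    # a client with no binding yet: IP source guard blocks everything but DHCP
    sw.dhcp("Fa2/1", 1, "REQUEST", mac=client)
    r["before_lease"] = sw.ip_packet("Fa2/1", 1, client, "10.1.1.11")
    # the real server acknowledges on the trusted port, creating the binding
    sw.dhcp("Gi5/1", 1, "ACK", mac=client, ip="10.1.1.11", lease=3600)
    r["legit"] = sw.ip_packet("Fa2/1", 1, client, "10.1.1.11", now=10)
    r["spoofed_ip"] = sw.ip_packet("Fa2/1", 1, client, "10.1.1.1", now=10)
    r["spoofed_mac"] = sw.ip_packet("Fa2/1", 1, other, "10.1.1.11", now=10)
    r["wrong_port"] = sw.ip_packet("Fa2/2", 1, client, "10.1.1.11", now=10)
    r["arp_ok"] = sw.arp_packet("Fa2/1", 1, client, "10.1.1.11", now=10)
    r["arp_claims_gateway"] = sw.arp_packet("Fa2/1", 1, client, "10.1.1.1", now=10)
    # once the lease has run out, the binding no longer vouches for the client
    r["after_expiry"] = sw.ip_packet("Fa2/1", 1, client, "10.1.1.11", now=4000)
    return r


if __name__ == "__main__":
    for name, forwarded in snooping_demo().items():
        print(f"{name:20} {'forwarded' if forwarded else 'DROPPED'}")
```

Running it prints one line per case. The two to note are `before_lease`, dropped because the port has no binding yet (the reason for leaving snooping on for a day before enabling IP source guard), and `after_expiry`, dropped because an expired lease no longer vouches for the client, which is what happens after a reboot if the binding database was not saved.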

Using the features that leverage knowledge gained from DHCP snooping can create a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area. Testing these features in a production environment is, of course, not recommended: Many of them have wicked side effects if configured incorrectly or out of order.
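Because the order and trust settings matter so much, a check that reads a saved running-config and flags the mistakes this article warns about is worth running before touching a production switch. The following audit script is an added example, not the article's or Cisco's; the configuration it reads is constructed to contain those mistakes, and `parse_config` and `audit` are hypothetical helper names.

```python
import re

# Added audit (not from the article or Cisco): read a saved IOS running-config
# and flag the trust and ordering mistakes the article warns about. The config
# below is constructed so that every check fires at least once.

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10,20
!
interface GigabitEthernet5/1
 description uplink to core switch
 switchport mode trunk
!
interface FastEthernet2/1
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
interface FastEthernet2/2
 switchport mode access
 switchport access vlan 20
 ip verify source vlan dhcp-snooping
!
"""


def parse_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Split a config into global lines and {interface name: [its lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None                  # "!" or a global line ends the block
            if line and line != "!":
                globals_.append(line)
    return globals_, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, interfaces = parse_config(text)
    findings = []
    snoop_on = "ip dhcp snooping" in globals_
    snoop_vlans, dai_vlans = set(), set()
    for line in globals_:
        m = re.match(r"ip dhcp snooping vlan (\S+)", line)
        if m:
            snoop_vlans |= parse_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)", line)
        if m:
            dai_vlans |= parse_vlans(m.group(1))
    if not snoop_on:
        snoop_vlans = set()                 # per-VLAN lines do nothing without the global one

    # 1. snooping on with no trusted port: every DHCP reply is dropped
    if snoop_on and not any("ip dhcp snooping trust" in lines for lines in interfaces.values()):
        findings.append("no interface is 'ip dhcp snooping trust': all DHCP will be dropped")

    for name, lines in interfaces.items():
        access_vlan = 1
        for entry in lines:
            m = re.match(r"switchport access vlan (\d+)", entry)
            if m:
                access_vlan = int(m.group(1))
        is_trunk = "switchport mode trunk" in lines
        # 2. trunks carry DHCP replies and ARP from other switches: must be trusted
        if is_trunk and "ip dhcp snooping trust" not in lines:
            findings.append(f"{name}: trunk without 'ip dhcp snooping trust'")
        if is_trunk and dai_vlans and "ip arp inspection trust" not in lines:
            findings.append(f"{name}: trunk without 'ip arp inspection trust'")
        # 3. IP source guard needs a binding table for the port's VLAN, or it blocks all IP
        if any(e.startswith("ip verify source") for e in lines) and access_vlan not in snoop_vlans:
            findings.append(f"{name}: 'ip verify source' but no DHCP snooping on VLAN {access_vlan}; "
                            "all IP traffic on the port will be blocked")
    # 4. DAI needs the snooping table for every VLAN it inspects
    for v in sorted(dai_vlans - snoop_vlans):
        findings.append(f"VLAN {v}: 'ip arp inspection' without 'ip dhcp snooping vlan {v}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

On the sample it reports five findings: no trusted port at all, the core-facing trunk missing both trust statements, IP source guard on a port in VLAN 20 that has no snooping table, and DAI inspecting VLAN 20 for the same reason. Adding the two trust lines to the trunk and extending the snooping line to `vlan 10,20` clears all of them.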
