!!! I used four real Cisco 3550 switches to do this lab. I did not use Dynamips for this lab. !!!
Objective:
‧ Secure the Layer 2 network against MAC flood attacks
‧ Prevent DHCP spoofing attacks
‧ Prevent unauthorized access to the network using AAA and dot1x
Scenario:
Other security measures need to be put in place to further secure the network, but you begin with configuring the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and unauthorized access to the local network.
Basic Configuration:
All Switches:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname
Step 1
Start by deleting the vlan.dat file, erasing the startup config, and reloading all your switches.
All Switches:
Clearing all Switches
Step 2
Configure the management IP addresses in VLAN 1, and configure the hostname, password, and Telnet access on all four switches. Set up the IP addressing for VLAN 1 on DLS1 and DLS2. Because 172.16.1.1 will be the virtual default gateway for this VLAN, use the .3 and .4 for the IP addresses on DLS1 and DLS2. You also need to configure a default gateway on the access layer switches. Set up 802.1q trunking between the switches according to the diagram.
DLS1(config-line)#hostname DLS1
DLS1(config)#interface vlan 1
DLS1(config-if)#ip address 172.16.1.3 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config)#enable secret cisco
DLS1(config)#line vty 0 15
DLS1(config-line)#password cisco
DLS1(config-line)#logging synchronous
DLS1(config)#interface range fastEthernet 0/7 - 12
DLS1(config-if-range)#switchport trunk encapsulation dot1q
DLS1(config-if-range)#switchport mode trunk
DLS2(config)#hostname DLS2
DLS2(config)#interface vlan 1
DLS2(config-if)#ip address 172.16.1.14 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config)#enable secret cisco
DLS2(config)#line vty 0 15
DLS2(config-line)#password cisco
DLS2(config-line)#logging synchronous
DLS2(config)#interface range fastEthernet 0/7 - 12
DLS2(config-if-range)#switchport trunk encapsulation dot1q
DLS2(config-if-range)#switchport mode trunk
ALS1(config)#hostname ALS1
ALS1(config)#interface vlan 1
ALS1(config-if)#ip address 172.16.1.101 255.255.255.0
ALS1(config-if)#no shutdown
ALS1(config)#enable secret cisco
ALS1(config)#line vty 0 15
ALS1(config-line)#password cisco
ALS1(config-line)#logging synchronous
ALS1(config)#interface range fastEthernet 0/7 - 12
ALS1(config-if-range)#switchport trunk encapsulation dot1q
ALS1(config-if-range)#switchport mode trunk
ALS1(config)#ip default-gateway 172.16.1.1
ALS2(config)#hostname ALS2
ALS2(config)#interface vlan 1
ALS2(config-if)#ip address 172.16.1.102 255.255.255.0
ALS2(config-if)#no shutdown
ALS2(config)#enable secret cisco
ALS2(config)#line vty 0 15
ALS2(config-line)#password cisco
ALS2(config-line)#logging synchronous
ALS2(config)#interface range fastEthernet 0/7 - 12
ALS2(config-if-range)#switchport trunk encapsulation dot1q
ALS2(config-if-range)#switchport mode trunk
ALS2(config)#ip default-gateway 172.16.1.1
Step 3
VLAN 100 (Staff) and VLAN 200 (Student) are created on DLS1, which is set up as a VTP server. DLS2 also remains in its default VTP mode and acts as a server as well. ALS1 and ALS2 are configured as VTP clients.
DLS1(config)#vtp domain SWPOD
DLS1(config)#vtp mode server
DLS1(config)#vlan 100
DLS1(config-vlan)#name Staff
DLS1(config)#vlan 200
DLS1(config-vlan)#name Student
DLS2(config)#vtp domain SWPOD
DLS2(config)#vtp mode server
ALS1(config)#vtp domain SWPOD
ALS1(config)#vtp mode client
ALS2(config)#vtp domain SWPOD
ALS2(config)#vtp mode client
The user access ports for these VLANs also need to be configured on ALS1 and ALS2. Set up these ports as static access ports and turn spanning tree PortFast on.
ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#switchport access vlan 100
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#spanning-tree portfast
ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#switchport access vlan 200
ALS2(config-if-range)#switchport mode access
ALS2(config-if-range)#spanning-tree portfast
HSRP is a requirement for the network, and VLANs 100 and 200 are configured to use HSRP to provide redundancy at Layer 3. Use the priority command to make DLS1 the active router for VLANs 1 and 100, and DLS2 the active router for VLAN 200.
DLS1(config)#interface vlan 1
DLS1(config-if)#standby 1 ip 172.16.1.1
DLS1(config-if)#standby 1 preempt
DLS1(config-if)#standby 1 priority 105
DLS2(config)#interface vlan 1
DLS2(config-if)#standby 1 ip 172.16.1.1
DLS2(config-if)#standby 1 preempt
DLS2(config-if)#standby 1 priority 100
DLS1(config)#interface vlan 100
DLS1(config-if)#ip address 172.16.100.3 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#standby 100 ip 172.16.100.1
DLS1(config-if)#standby 100 preempt
DLS1(config-if)#standby 100 priority 105
DLS2(config)#interface vlan 100
DLS2(config-if)#ip address 172.16.100.4 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config-if)#standby 100 ip 172.16.100.1
DLS2(config-if)#standby 100 preempt
DLS2(config-if)#standby 100 priority 100
DLS1(config)#interface vlan 200
DLS1(config-if)#ip address 172.16.200.3 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#standby 200 ip 172.16.200.1
DLS1(config-if)#standby 200 preempt
DLS1(config-if)#standby 200 priority 100
DLS2(config)#interface vlan 200
DLS2(config-if)#ip address 172.16.200.4 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config-if)#standby 200 ip 172.16.200.1
DLS2(config-if)#standby 200 preempt
DLS2(config-if)#standby 200 priority 105
DLS1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active          Standby         Virtual IP
Vl1         1    105  P Active   local           172.16.1.14     172.16.1.1
Vl100       100  105  P Active   local           172.16.100.4    172.16.100.1
Vl200       200  100  P Standby  172.16.200.4    local           172.16.200.1
DLS1#
Step 4
Set up Student VLAN port security so that only one MAC address is allowed on a port at a given time.
ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#switchport port-security
ALS2(config-if-range)#switchport port-security maximum 1
Configure the Staff VLAN ports so that the MAC addresses learned on a port are added to the switch configuration (sticky learning), with at most two addresses per port.
ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#switchport port-security maximum 2
Step 5
The first step to configure DHCP snooping is to turn snooping on globally on all switches using the ip dhcp snooping command.
ALL SWITCH(config)#ip dhcp snooping
Second, configure the trusted interfaces. For this network, configure all trunk ports as trusted, as well as port FastEthernet 0/6 on DLS1, which connects to the DHCP server for the network.
DLS1(config)#interface fastEthernet 0/6
DLS1(config-if)#ip dhcp snooping trust
DLS1(config)#interface range fastEthernet 0/7 - 12
DLS1(config-if-range)#ip dhcp snooping trust
DLS2(config)#interface range fastEthernet 0/7 - 12
DLS2(config-if-range)#ip dhcp snooping trust
ALS1(config)#interface range fastEthernet 0/7 - 12
ALS1(config-if-range)#ip dhcp snooping trust
ALS2(config)#interface range fastEthernet 0/7 - 12
ALS2(config-if-range)#ip dhcp snooping trust
Finally, configure the VLANs that will use DHCP snooping. DHCP snooping will be used on both the Student and Staff VLANs. On ALS1 and ALS2, also limit the rate at which DHCP requests are accepted on the user ports.
ALL SWITCH(config)#ip dhcp snooping vlan 100,200
ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#ip dhcp snooping limit rate 20
ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#ip dhcp snooping limit rate 20
ALS1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/7 yes unlimited
FastEthernet0/8 yes unlimited
FastEthernet0/9 yes unlimited
FastEthernet0/10 yes unlimited
FastEthernet0/11 yes unlimited
FastEthernet0/12 yes unlimited
FastEthernet0/15 no 20
FastEthernet0/16 no 20
FastEthernet0/17 no 20
FastEthernet0/18 no 20
FastEthernet0/19 no 20
FastEthernet0/20 no 20
FastEthernet0/21 no 20
FastEthernet0/22 no 20
FastEthernet0/23 no 20
FastEthernet0/24 no 20
ALS1#
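To verify the Step 5 policy without reading the table by eye, here is an added Python example (not part of the lab and not Cisco tooling) that parses show ip dhcp snooping output like the ALS1 output above and checks it against the intended trust model: only the trunk uplinks (plus the DHCP server port on DLS1) may be trusted, every trunk must actually be trusted, every user port must carry a rate limit, and the Staff and Student VLANs must be operational. The sample output is constructed from the ALS1 output; the port lists, the row format and the function names are this example's own assumptions.

```python
"""Parse 'show ip dhcp snooping' output and check it against the intended trust model.

Added example for this lab write-up; not Cisco tooling and not part of the original
page. The sample output is constructed from the ALS1 output shown in Step 5.
"""
import re
from dataclasses import dataclass, field

# Constructed to match the lab topology: Fa0/7-12 are trunks, Fa0/15-24 are user ports.
TRUNK_PORTS = [f"FastEthernet0/{n}" for n in range(7, 13)]
ACCESS_PORTS = [f"FastEthernet0/{n}" for n in range(15, 25)]


def _iface_line(port, trusted, rate):
    """Render one table row the way IOS prints it (constructed format)."""
    return f"{port:<27}{('yes' if trusted else 'no'):<11}{rate}\n"


SAMPLE_SHOW_OUTPUT = (
    "Switch DHCP snooping is enabled\n"
    "DHCP snooping is configured on following VLANs:\n"
    "100,200\n"
    "DHCP snooping is operational on following VLANs:\n"
    "100,200\n"
    "DHCP snooping is configured on the following L3 Interfaces:\n"
    "Insertion of option 82 is enabled\n"
    "   circuit-id format: vlan-mod-port\n"
    "    remote-id format: MAC\n"
    "Option 82 on untrusted port is not allowed\n"
    "Verification of hwaddr field is enabled\n"
    "Verification of giaddr field is enabled\n"
    "DHCP snooping trust/rate is configured on the following Interfaces:\n"
    "Interface                  Trusted    Rate limit (pps)\n"
    "-----------------------    -------    ----------------\n"
    + "".join(_iface_line(p, True, "unlimited") for p in TRUNK_PORTS)
    + "".join(_iface_line(p, False, 20) for p in ACCESS_PORTS)
)

# One interface row: name, yes/no, and either a pps number or 'unlimited'.
_IFACE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<trusted>yes|no)\s+(?P<rate>unlimited|\d+)$")


def _parse_vlan_list(text):
    """'100,200' or '100-110,200' -> set of VLAN ids; 'none' -> empty set."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", text):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass
class SnoopingState:
    enabled: bool = False
    configured_vlans: set = field(default_factory=set)
    operational_vlans: set = field(default_factory=set)
    # interface name -> (trusted, rate limit in pps, or None for unlimited)
    interfaces: dict = field(default_factory=dict)


def parse_show_ip_dhcp_snooping(text):
    state = SnoopingState()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("Switch DHCP snooping is "):
            state.enabled = ln.endswith(" enabled")
        elif ln == "DHCP snooping is configured on following VLANs:":
            state.configured_vlans = _parse_vlan_list(lines[i + 1]) if i + 1 < len(lines) else set()
        elif ln == "DHCP snooping is operational on following VLANs:":
            state.operational_vlans = _parse_vlan_list(lines[i + 1]) if i + 1 < len(lines) else set()
        else:
            m = _IFACE_RE.match(ln)
            if m:
                rate = None if m["rate"] == "unlimited" else int(m["rate"])
                state.interfaces[m["name"]] = (m["trusted"] == "yes", rate)
    return state


def check_policy(state, expected_trusted, access_ports, required_vlans):
    """Return human-readable findings; an empty list means the output matches policy."""
    findings = []
    if not state.enabled:
        findings.append("DHCP snooping is not enabled globally")
    for vlan in sorted(set(required_vlans) - state.operational_vlans):
        findings.append(f"DHCP snooping is not operational on VLAN {vlan}")
    # A trusted port that is not an uplink or the server port is where a rogue server could sit.
    for name, (trusted, _rate) in state.interfaces.items():
        if trusted and name not in expected_trusted:
            findings.append(f"{name} is trusted but is not an approved uplink or DHCP server port")
    # An untrusted uplink silently drops the legitimate OFFER/ACK replies arriving on it.
    for name in expected_trusted:
        if not state.interfaces.get(name, (False, None))[0]:
            findings.append(f"{name} should be trusted; DHCP replies arriving on it will be dropped")
    # Ports absent from the table have no trust and no rate limit configured at all.
    for name in access_ports:
        trusted, rate = state.interfaces.get(name, (False, None))
        if not trusted and rate is None:
            findings.append(f"{name} has no DHCP rate limit")
    return findings


if __name__ == "__main__":
    st = parse_show_ip_dhcp_snooping(SAMPLE_SHOW_OUTPUT)
    for line in check_policy(st, set(TRUNK_PORTS), ACCESS_PORTS, {100, 200}) or ["policy satisfied"]:
        print(line)
```

For DLS1 the expected trusted set would also include FastEthernet0/6; pasting the real show output in place of the constructed sample is the intended use.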
Step 6
802.1X does not support local authentication, so a RADIUS server is added to the network. All user ports, including those in the Student VLAN, will also be added to the configuration.
Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(44)SE
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025090
ALS1(config)#aaa new-model
ALS1(config)#aaa authentication dot1x default group radius
ALS1(config)#radius-server host 172.16.100.100 auth-port 1812 acct-port 1646 key cisco
ALS1(config)#dot1x system-auth-control
ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#dot1x port-control auto
ALS1#show dot1x interface fastEthernet 0/15
Dot1x Info for FastEthernet0/15
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
ALS1#
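A caveat on Steps 4 and 6 that the final configurations make visible: switchport port-security maximum and switchport port-security mac-address sticky only take effect once switchport port-security itself is configured on the interface, and a port without that line has no MAC limit at all (the default maximum of 1 is not even displayed in the running config). The added Python example below, which is not part of the lab and is modelled on the ALS1 final configuration, parses a running-config into interface blocks and flags access ports where port security is inactive, access ports without dot1x port-control auto or a DHCP rate limit, trunks that are not DHCP-snooping trusted, and DHCP-trusted ports left in DTP dynamic mode (as DLS1 FastEthernet0/6 is). The sample configuration, the finding strings and the function names are constructed for this example.

```python
"""Audit a Catalyst running-config for the access-port hardening of Steps 4-6.

Added example for this lab write-up, not the lab's own material. The sample
configuration is a constructed excerpt modelled on the ALS1 final configuration.
"""

SAMPLE_RUNNING_CONFIG = """\
!
hostname ALS1
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
dot1x system-auth-control
!
interface FastEthernet0/6
 switchport mode dynamic desirable
 ip dhcp snooping trust
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/15
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
end
"""

# Finding texts (constructed for this example).
PS_NOT_ENABLED = "port-security options set but feature not enabled (maximum/sticky alone do nothing)"
PS_MISSING = "port-security not configured"
NO_DOT1X = "802.1X not enforced on access port"
NO_RATE = "no DHCP snooping rate limit on access port"
TRUNK_UNTRUSTED = "trunk not DHCP-snooping trusted; replies arriving on it will be dropped"
TRUST_DYNAMIC = "DHCP-trusted port negotiates trunking via DTP; set a static switchport mode"


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]}; IOS closes each block with a '!' line."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_config(blocks, dot1x_required=True):
    """Return (interface, finding) tuples for every hardening gap found."""
    findings = []
    for name, lines in blocks.items():
        modes = [l for l in lines if l.startswith("switchport mode ")]
        # No static mode configured means DTP negotiation applies (a dynamic mode).
        mode = modes[-1].split()[2] if modes else "dynamic"
        trusted = "ip dhcp snooping trust" in lines
        if trusted and mode == "dynamic":
            findings.append((name, TRUST_DYNAMIC))
        if mode == "trunk" and not trusted:
            findings.append((name, TRUNK_UNTRUSTED))
        if mode == "access":
            has_ps = "switchport port-security" in lines
            has_opts = any(l.startswith("switchport port-security ") for l in lines)
            if not has_ps:
                findings.append((name, PS_NOT_ENABLED if has_opts else PS_MISSING))
            if dot1x_required and "dot1x port-control auto" not in lines:
                findings.append((name, NO_DOT1X))
            if not any(l.startswith("ip dhcp snooping limit rate ") for l in lines):
                findings.append((name, NO_RATE))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_config(parse_interfaces(SAMPLE_RUNNING_CONFIG)):
        print(f"{iface}: {msg}")
```

Run against the page's own final configurations, the audit reports every ALS1 user port as PS_NOT_ENABLED and every ALS2 user port as PS_MISSING plus NO_DOT1X, which is exactly the gap between what Step 4 and Step 6 intend and what the switches are enforcing.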
Final Configurations
DLS1:
hostname DLS1
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/6
switchport mode dynamic desirable
ip dhcp snooping trust
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface Vlan1
ip address 172.16.1.3 255.255.255.0
standby 1 ip 172.16.1.1
standby 1 priority 105
standby 1 preempt
no shutdown
!
interface Vlan100
ip address 172.16.100.3 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 priority 105
standby 100 preempt
no shutdown
!
interface Vlan200
ip address 172.16.200.3 255.255.255.0
standby 200 ip 172.16.200.1
standby 200 preempt
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
DLS2:
hostname DLS2
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface Vlan1
ip address 172.16.1.14 255.255.255.0
standby 1 ip 172.16.1.1
standby 1 preempt
no shutdown
!
interface Vlan100
ip address 172.16.100.4 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 preempt
no shutdown
!
interface Vlan200
ip address 172.16.200.4 255.255.255.0
standby 200 ip 172.16.200.1
standby 200 priority 105
standby 200 preempt
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
ALS1:
hostname ALS1
!
enable secret cisco
!
aaa new-model
!
aaa authentication dot1x default group radius
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
dot1x system-auth-control
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/15
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.101 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
!
radius-server host 172.16.100.100 auth-port 1812 acct-port 1646 key cisco
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
line vty 5 15
password cisco
logging synchronous
!
end
ALS2:
hostname ALS2
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0/15
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.102 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Building Multilayer Switched Networks
Student Lab Manual
First published / last updated: 2008.10.20 / 2018.06.12