Published June 12, 2018

CCNP-BCMSN-v5.0 Lab 8-1: Securing the Layer 2 Switching Devices



!!! I used four real Cisco 3550 switches to do this lab. I did not use Dynamips to do this lab. !!!


Objective:
‧ Secure the Layer 2 network against MAC flood attacks
‧ Prevent DHCP spoofing attacks
‧ Prevent unauthorized access to the network using AAA and dot1x


Scenario:
Other security measures need to be put in place to further secure the network, but you begin with configuring the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and unauthorized access to the local network.

Basic Configuration:
All Switches:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
hostname


Step 1
Start by deleting the vlan.dat file, erasing the startup config, and reloading all your switches.
All Switches:
Clearing all Switches
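The commands behind "Clearing all Switches", added here as an example rather than copied from the lab manual. They are the standard Catalyst IOS commands for the three actions Step 1 names (delete vlan.dat, erase the startup configuration, reload); the prompt name "Switch" is the factory default and each command asks for confirmation.

```cisco
! Added example: run on every one of the four switches before Step 2.
! Remove the VLAN database (VTP domain, VLANs 100/200 from earlier labs)
Switch#delete flash:vlan.dat
! answer the filename and "[confirm]" prompts with Enter
!
! Remove the saved configuration (hostnames, passwords, trunks, HSRP)
Switch#erase startup-config
! answer "[confirm]" with Enter; wait for "Erase of nvram: complete"
!
! Reboot so the switch comes up with the default configuration
Switch#reload
! answer "[confirm]" with Enter; do NOT save the running config when asked
!
! After the reload, confirm that only the default VLANs (1, 1002-1005) exist
Switch#show vlan brief
Switch#show vtp status
```

Deleting vlan.dat matters as much as erasing the startup configuration: VLAN and VTP information lives in the separate vlan.dat file, and a stale VTP domain with a higher revision number can overwrite the VLAN database of the other switches once the trunks come up.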


Step 2
Configure the management IP addresses in VLAN 1, and configure the hostname, password, and Telnet access on all four switches. Set up the IP addressing for VLAN 1 on DLS1 and DLS2. Because 172.16.1.1 will be the virtual default gateway for this VLAN, use the .3 and .4 for the IP addresses on DLS1 and DLS2. You also need to configure a default gateway on the access layer switches. Set up 802.1q trunking between the switches according to the diagram.
DLS1(config-line)#hostname DLS1
DLS1(config)#interface vlan 1
DLS1(config-if)#ip address 172.16.1.3 255.255.255.0
DLS1(config-if)#no shutdown

DLS1(config)#enable secret cisco
DLS1(config)#line vty 0 15
DLS1(config-line)#password cisco
DLS1(config-line)#logging synchronous

DLS1(config)#interface range fastEthernet 0/7 - 12
DLS1(config-if-range)#switchport trunk encapsulation dot1q
DLS1(config-if-range)#switchport mode trunk

DLS2(config)#hostname DLS2
DLS2(config)#interface vlan 1
DLS2(config-if)#ip address 172.16.1.14 255.255.255.0
DLS2(config-if)#no shutdown

DLS2(config)#enable secret cisco
DLS2(config)#line vty 0 15
DLS2(config-line)#password cisco
DLS2(config-line)#logging synchronous

DLS2(config)#interface range fastEthernet 0/7 - 12
DLS2(config-if-range)#switchport trunk encapsulation dot1q
DLS2(config-if-range)#switchport mode trunk

ALS1(config)#hostname ALS1
ALS1(config)#interface vlan 1
ALS1(config-if)#ip address 172.16.1.101 255.255.255.0
ALS1(config-if)#no shutdown

ALS1(config)#enable secret cisco
ALS1(config)#line vty 0 15
ALS1(config-line)#password cisco
ALS1(config-line)#logging synchronous

ALS1(config)#interface range fastEthernet 0/7 - 12
ALS1(config-if-range)#switchport trunk encapsulation dot1q
ALS1(config-if-range)#switchport mode trunk

ALS1(config)#ip default-gateway 172.16.1.1

ALS2(config)#hostname ALS2
ALS2(config)#interface vlan 1
ALS2(config-if)#ip address 172.16.1.102 255.255.255.0
ALS2(config-if)#no shutdown

ALS2(config)#enable secret cisco
ALS2(config)#line vty 0 15
ALS2(config-line)#password cisco
ALS2(config-line)#logging synchronous

ALS2(config)#interface range fastEthernet 0/7 - 12
ALS2(config-if-range)#switchport trunk encapsulation dot1q
ALS2(config-if-range)#switchport mode trunk

ALS2(config)#ip default-gateway 172.16.1.1


Step 3
VLANs 100 (Staff) and 200 (Student) will be created on DLS1, which is set up as a VTP server. DLS2 remains in its default VTP mode and therefore also acts as a server. ALS1 and ALS2 are configured as VTP clients.

DLS1(config)#vtp domain SWPOD
DLS1(config)#vtp mode server

DLS1(config)#vlan 100
DLS1(config-vlan)#name Staff

DLS1(config)#vlan 200
DLS1(config-vlan)#name Student

DLS2(config)#vtp domain SWPOD
DLS2(config)#vtp mode server

ALS1(config)#vtp domain SWPOD
ALS1(config)#vtp mode client

ALS2(config)#vtp domain SWPOD
ALS2(config)#vtp mode client

The user access ports for these VLANs also need to be configured on ALS1 and ALS2. Set up these ports as static access ports and turn spanning-tree PortFast on.

ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#switchport access vlan 100
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#spanning-tree portfast

ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#switchport access vlan 200
ALS2(config-if-range)#switchport mode access
ALS2(config-if-range)#spanning-tree portfast

HSRP is a requirement for the network, and VLANs 100 and 200 are configured to use HSRP to provide redundancy at Layer 3. Use the priority command to make DLS1 the active router for VLANs 1 and 100, and DLS2 the active router for VLAN 200.
DLS1(config)#interface vlan 1
DLS1(config-if)#standby 1 ip 172.16.1.1
DLS1(config-if)#standby 1 preempt
DLS1(config-if)#standby 1 priority 105

DLS2(config)#interface vlan 1
DLS2(config-if)#standby 1 ip 172.16.1.1
DLS2(config-if)#standby 1 preempt
DLS2(config-if)#standby 1 priority 100

DLS1(config)#interface vlan 100
DLS1(config-if)#ip address 172.16.100.3 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#standby 100 ip 172.16.100.1
DLS1(config-if)#standby 100 preempt
DLS1(config-if)#standby 100 priority 105

DLS2(config)#interface vlan 100
DLS2(config-if)#ip address 172.16.100.4 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config-if)#standby 100 ip 172.16.100.1
DLS2(config-if)#standby 100 preempt
DLS2(config-if)#standby 100 priority 100

DLS1(config)#interface vlan 200
DLS1(config-if)#ip address 172.16.200.3 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#standby 200 ip 172.16.200.1
DLS1(config-if)#standby 200 preempt
DLS1(config-if)#standby 200 priority 100

DLS2(config)#interface vlan 200
DLS2(config-if)#no shutdown
DLS2(config-if)#standby 200 ip 172.16.200.1
DLS2(config-if)#standby 200 preempt
DLS2(config-if)#standby 200 priority 105

DLS1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP   
Vl1         1   105  P Active   local           172.16.1.14     172.16.1.1   
Vl100       100 105  P Active   local           172.16.100.4    172.16.100.1 
Vl200       200 100  P Standby  172.16.200.4    local           172.16.200.1 
DLS1#

Step 4
Set up Student VLAN port security so that only one MAC address is allowed on a port at a given time.

ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#switchport port-security maximum 1

Configure the Staff VLAN ports so that the MAC addresses learned on a port are added to the switch configuration.

ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#switchport port-security maximum 2
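A complete port-security configuration for both access switches, added here as an example (these are not the lab manual's commands). The point it demonstrates: `switchport port-security maximum` and `switchport port-security mac-address sticky` only set parameters. Port security is not enforced until the bare `switchport port-security` command is entered on the port, and the final configurations at the end of this page contain no such line, so the MAC-flood protection the objective asks for is not actually active there. The violation modes and the errdisable recovery timer below are choices of this example, not values from the lab.

```cisco
! Added example: port security that is actually enabled.
!
! ALS2, Student VLAN: exactly one MAC address per port. A second address
! puts the port into err-disabled state (violation shutdown).
ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#switchport mode access
ALS2(config-if-range)#switchport port-security
ALS2(config-if-range)#switchport port-security maximum 1
ALS2(config-if-range)#switchport port-security violation shutdown
!
! ALS1, Staff VLAN: up to two addresses, learned dynamically and written
! into the running configuration (sticky). Excess addresses are dropped
! and counted, but the port stays up (violation restrict).
ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switchport port-security maximum 2
ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#switchport port-security violation restrict
!
! Optional on ALS2: bring a port shut down by a violation back up after
! 5 minutes instead of waiting for an administrator.
ALS2(config)#errdisable recovery cause psecure-violation
ALS2(config)#errdisable recovery interval 300
!
! Verification: "Port Security : Enabled" on the interface, the learned
! addresses, and the violation counters per port.
ALS1#show port-security
ALS1#show port-security interface fastEthernet 0/15
ALS1#show port-security address
!
! Sticky addresses are added to the running configuration only; save it,
! or they are learned again from scratch after a reload.
ALS1#copy running-config startup-config
```

`switchport port-security` is accepted only on a static access port (or a static trunk), which is why `switchport mode access` is repeated in the range even though Step 3 already set it.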


Step 5
The first step to configure DHCP snooping is to turn snooping on globally on all switches using the ip dhcp snooping command.
ALL SWITCH(config)#ip dhcp snooping

Second, configure the trusted interfaces. For this network, configure all trunk ports as trusted, as well as port FastEthernet 0/6 on DLS1, which connects to the DHCP server for the network.

DLS1(config)#interface fastEthernet 0/6
DLS1(config-if)#ip dhcp snooping trust

DLS1(config)#interface range fastEthernet 0/7 - 12
DLS1(config-if-range)#ip dhcp snooping trust

DLS2(config)#interface range fastEthernet 0/7 - 12
DLS2(config-if-range)#ip dhcp snooping trust

ALS1(config)#interface range fastEthernet 0/7 - 12
ALS1(config-if-range)#ip dhcp snooping trust

ALS2(config)#interface range fastEthernet 0/7 - 12
ALS2(config-if-range)#ip dhcp snooping trust

Finally, configure the VLANs that will use DHCP snooping. DHCP snooping will be used on both the Student and Staff VLANs. Also limit the rate at which DHCP requests are accepted on the ALS1 and ALS2 access ports.

ALL SWITCH(config)#ip dhcp snooping vlan 100,200

ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#ip dhcp snooping limit rate 20

ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#ip dhcp snooping limit rate 20

ALS1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/7              yes         unlimited
FastEthernet0/8              yes         unlimited
FastEthernet0/9              yes         unlimited
FastEthernet0/10             yes         unlimited
FastEthernet0/11             yes         unlimited
FastEthernet0/12             yes         unlimited
FastEthernet0/15             no          20      
FastEthernet0/16             no          20      
FastEthernet0/17             no          20      
FastEthernet0/18             no          20      
FastEthernet0/19             no          20      
FastEthernet0/20             no          20      
FastEthernet0/21             no          20      
FastEthernet0/22             no          20      
FastEthernet0/23             no          20      
FastEthernet0/24             no          20      
ALS1#
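Three checks a practitioner would run after Step 5, added here as an example (not commands from the lab manual). The first verifies that snooping is building its binding table; the second addresses the "Insertion of option 82 is enabled" line in the output above; the third tightens the trusted DHCP server port, whose `switchport mode dynamic desirable` setting is visible in the DLS1 final configuration at the end of this page. The DHCP server's VLAN is not stated on the page, so no access VLAN is assigned below.

```cisco
! Added example: verification and two hardening points for DHCP snooping.
!
! 1. The binding table is built from DHCP exchanges seen on untrusted ports.
!    After clients have obtained addresses it must list one entry per host;
!    an empty table means the server replies never reached the access
!    switch through a trusted port (untrusted uplink or wrong VLAN list).
ALS1#show ip dhcp snooping binding
!
! 2. ALS1/ALS2 insert option 82 into client requests with giaddr 0. DHCP
!    servers that do not accept that combination silently drop the request.
!    If leases stop after Step 5, disable insertion on the access switches;
!    never "fix" it by trusting the user ports.
ALS1(config)#no ip dhcp snooping information option
ALS2(config)#no ip dhcp snooping information option
!
! 3. The trusted server port on DLS1 should be a fixed access port that
!    never negotiates a trunk, so a host plugged in there cannot reach
!    other VLANs or inject tagged frames.
DLS1(config)#interface fastEthernet 0/6
DLS1(config-if)#switchport mode access
DLS1(config-if)#switchport nonegotiate
DLS1(config-if)#spanning-tree portfast
DLS1(config-if)#ip dhcp snooping trust
```

The rate limit of 20 pps configured in the lab applies only to untrusted ports; a port that exceeds it is err-disabled, so `errdisable recovery cause dhcp-rate-limit` is the matching recovery option if that behaviour is wanted.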


Step 6
802.1X does not support local authentication, so a RADIUS server is added to the network. All user ports, including those in the Student VLAN, will also be added to the configuration.

Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(44)SE
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025090

ALS1(config)#aaa new-model
ALS1(config)#aaa authentication dot1x default group radius
ALS1(config)#radius-server host 172.16.100.100 auth-port 1812 acct-port 1646 key cisco
ALS1(config)#dot1x system-auth-control

ALS1(config)#interface range fastEthernet 0/15 - 24
ALS1(config-if-range)#dot1x port-control auto

ALS1#show dot1x interface fastEthernet 0/15
Dot1x Info for FastEthernet0/15
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

ALS1#
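The step text says all user ports, including the Student VLAN, get 802.1X, but only ALS1 is configured above. Added here as an example (not the lab manual's commands) is the matching ALS2 configuration with three additions a practitioner would want: a login method list so that `aaa new-model` does not lock the vty lines (once it is enabled, vty logins use local authentication by default, and no local user exists on these switches; the ALS1 final configuration at the end of this page shows the `login` lines gone from its vty lines), periodic reauthentication, which the `show dot1x` output above reports as disabled, and a RADIUS accounting port of 1813, which pairs with auth-port 1812 (1646 is the accounting port that pairs with the legacy 1645). The server address and key are the lab's own; the list name CONSOLE is this example's.

```cisco
! Added example: 802.1X on ALS2 (Student VLAN) with the lab's RADIUS server.
ALS2(config)#aaa new-model
! Keep Telnet working with the existing vty password, and leave the console
! without authentication as the lab does.
ALS2(config)#aaa authentication login default line
ALS2(config)#aaa authentication login CONSOLE none
ALS2(config)#line console 0
ALS2(config-line)#login authentication CONSOLE
ALS2(config-line)#exit
!
! RADIUS is the only method for 802.1X; without a reachable server no
! supplicant is authorized and the port stays closed.
ALS2(config)#aaa authentication dot1x default group radius
ALS2(config)#radius-server host 172.16.100.100 auth-port 1812 acct-port 1813 key cisco
ALS2(config)#dot1x system-auth-control
!
ALS2(config)#interface range fastEthernet 0/15 - 24
ALS2(config-if-range)#dot1x port-control auto
! Re-authenticate every hour so a host that was swapped behind the port
! loses access at the next cycle instead of keeping the authorized state.
ALS2(config-if-range)#dot1x reauthentication
ALS2(config-if-range)#dot1x timeout reauth-period 3600
!
! Verification: PortControl = AUTO and ReAuthentication = Enabled on every
! user port, and the port status moves to AUTHORIZED once a supplicant has
! passed RADIUS authentication.
ALS2#show dot1x all
ALS2#show dot1x interface fastEthernet 0/15
```

Trunk ports Fa0/7-12 must stay in the default `dot1x port-control force-authorized` state; applying `auto` to an uplink would block all VLAN traffic between the switches until a supplicant answered on it.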


Final Configurations
DLS1:
hostname DLS1
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/6
 switchport mode dynamic desirable
 ip dhcp snooping trust
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan1
 ip address 172.16.1.3 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 priority 105
 standby 1 preempt
 no shutdown
!
interface Vlan100
 ip address 172.16.100.3 255.255.255.0
 standby 100 ip 172.16.100.1
 standby 100 priority 105
 standby 100 preempt
 no shutdown
!
interface Vlan200
 ip address 172.16.200.3 255.255.255.0
 standby 200 ip 172.16.200.1
 standby 200 preempt
 no shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
 login
line vty 5 15
 password cisco
 logging synchronous
 login
!
end


DLS2:
hostname DLS2
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan1
 ip address 172.16.1.14 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 preempt
 no shutdown
!
interface Vlan100
 ip address 172.16.100.4 255.255.255.0
 standby 100 ip 172.16.100.1
 standby 100 preempt
 no shutdown
!
interface Vlan200
 ip address 172.16.200.4 255.255.255.0
 standby 200 ip 172.16.200.1
 standby 200 priority 105
 standby 200 preempt
 no shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
 login
line vty 5 15
 password cisco
 logging synchronous
 login
!
end


ALS1:
hostname ALS1
!
enable secret cisco
!
aaa new-model
!
aaa authentication dot1x default group radius
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
dot1x system-auth-control
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/15
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!       
interface FastEthernet0/17
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 dot1x port-control auto
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface Vlan1
 ip address 172.16.1.101 255.255.255.0
 no shutdown
!
ip default-gateway 172.16.1.1
!
radius-server host 172.16.100.100 auth-port 1812 acct-port 1646 key cisco
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
line vty 5 15
 password cisco
 logging synchronous
!
end


ALS2:
hostname ALS2
!
enable secret cisco
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface Vlan1
 ip address 172.16.1.102 255.255.255.0
 no shutdown
!
ip default-gateway 172.16.1.1
!       
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
 login
line vty 5 15
 password cisco
 logging synchronous
 login
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Building Multilayer Switched Networks
Student Lab Manual


First published / last updated: 2008.10.20 / 2018.06.12
