Gateway protection in a DNA Center SD-A environment

HansK_NL
Level 1

Hi everyone,

I need your help and insights on the subject of (specifically) protecting the MAC address of the subnet gateway from being spoofed by an endpoint.

We recently received a report pointing out the lack of protection of the gateway MAC address in our environment. The pen/hack tester spoofed the MAC address of the gateway of the subnet he was put in through ISE policies and demonstrated that it was possible to intercept traffic from other clients in the subnet (and where the traffic was encrypted, the captured traffic could be decrypted offline, etc.). His recommendation was to implement Dynamic ARP Inspection.

Now, Dynamic ARP Inspection is very powerful, but is cumbersome in environments where static IP addresses are present on endpoints.

DNA/Catalyst Center does not seem to implement any form of gateway protection that I know of. And, in an SD-A environment the hacker will only impact the switch he is actually connected with, all other switches are not impacted (nature of SD-A), so the scope of the issue is limited, but the threat is real.

What alternatives can be deployed in a network of Cat9000 switches, SD-A managed by DNA Center and ISE?
So far, this is what I can think of:

  • Both "Anomalous Behaviour Detection" and "Anomalous Behaviour Enforcement" from ISE (not yet enabled due to the migration we're in)
  • SVIs in an SD-A environment are programmed with a software defined MAC address. Collect all of these MAC addresses into an endpoint group and add these to a blacklist policy in ISE
  • Implement DAI and deal with the hassle.

Are there other alternatives out there?
Are there notable pros and cons regarding the first two options that would impact decision making?

Again, any help and insight is welcome.

Cheers, Hans


12 Replies

Torbjørn
Spotlight

The best option in my view is to implement DAI for all VLANs where you are able to use DHCP through templates. For VLANs/VNs where DHCP isn't an option you will probably have to rely on ISE profiling as I don't think adding static ARP table entries for static hosts is achievable unless you configure it manually per edge.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi Torbjørn,

Can you elaborate on how ISE Profiling is going to help circumvent the static IP addressing issue with DAI?
I don't see a connection between the two of them...

Cheers,
Hans

jedolphi
Cisco Employee

Fabric Edge Nodes natively protect against IP and MAC theft for both Anycast Gateway (SVI) and endpoints, unless those protections have been switched off. Did PEN tester connect through wired or wireless? Did PEN tester connect to Fabric Edge Node switch port? What IOS XE version on Fabric Edge Node? I'll cover it at Cisco Live Melbourne next week. Recordings should be up in a few weeks on ciscolive.com. Session code BRKENS-3555. Thanks, Jerome


Hi Jerome,

I appreciate you answering.

The PEN tester was connected to a Fabric Edge and on a regular client port.

We're running an SD-A that was first built in 2020 (release DNAC v1.3). We noticed that a lot has changed in DNAC and not all design changes were carried through (thinking about ISIS L1 and L2 updates).

Which protection mechanisms are you thinking about, because this is exactly what I'm looking for.

Cheers,
Hans

Oh, IOS-XE 17.6.5 + selected SMU and 17.9.5 + selected SMU

OK. IP and MAC theft warnings went into the IOS XE in 16.x (can't remember exact version), this would Syslog a theft message but not block the theft. IP and MAC theft protection went into IOS XE at 17.9. IP and MAC theft protection are native to SDA Fabric Edge Nodes as of 17.9. It uses Device Tracking, DHCP Snooping, RA Guard and DHCP Guard. I'll explain this in BRKENS-3555 at Cisco Live Melbourne next week. Slides should be available on ciscolive.com in 2-ish weeks. Happy to try and answer specific questions here in the interim. If it's not working in your network for some reason you could raise a TAC case or ask here. If it's urgent TAC case is best.


I must be missing something here. I thought/think IPDT "only" populates the local binding table, does this also enable DAI? DHCP snooping, RA guard and DHCP guard won't protect against what @HansK_NL describes here.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi, DT protects against MAC and IP theft on Fabric Edge Nodes in SDA. It consults LISP CP to determine if the IP/MAC is previously registered, then polls the previously registered location, and then allows or blocks a new IP/MAC based on probe results. BRKENS-3555 will unpack the details.
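To make the two mechanisms discussed in this thread concrete (the gateway MAC spoof from the original question, and the "consult the binding, probe the old location, then allow or block" decision Jerome describes for Device Tracking), here is a small defender-side model of that logic. This is an added example and not Cisco code, not the IOS XE implementation, and not from any poster in this thread; the gateway addresses, MACs, ports and the `LIVE_HOSTS` probe oracle are constructed values, and the class and function names are my own. It treats any ARP claim for an anycast gateway IP or gateway MAC arriving on an access port as theft (the pen tester used the real gateway MAC, so a plain MAC comparison would not have caught it), and resolves endpoint conflicts by probing the previously bound location.

```python
"""Model of IP/MAC theft detection on an access switch (constructed example).

Not the IOS XE Device Tracking implementation; a simplified illustration of
the decision flow described in this thread: look up the existing binding,
probe the old location, then allow or block the new claim.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed anycast gateway bindings (IP -> MAC). In SD-A the anycast
# gateway MAC is programmed on the SVI; it never legitimately sits behind
# an access port. Values are made up for this example.
GATEWAY_MACS = {
    "10.10.1.1": "00:00:0c:9f:f0:01",
    "10.10.2.1": "00:00:0c:9f:f0:02",
}

# Constructed "who is still alive where" oracle used by the probe step.
# (ip, mac, port) tuples that would answer a probe at their old location.
LIVE_HOSTS = {
    ("10.10.1.20", "aa:bb:cc:00:00:20", "Gi1/0/1"),
}


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str  # ingress access port on the edge node


@dataclass
class Binding:
    mac: str
    port: str


# (ip, mac, port) -> True if the previously bound location still answers.
ProbeFn = Callable[[str, str, str], bool]


class TheftDetector:
    def __init__(self, gateway_macs: Dict[str, str], probe: ProbeFn) -> None:
        self.gateway_ips = {ip: mac.lower() for ip, mac in gateway_macs.items()}
        self.gateway_mac_set = set(self.gateway_ips.values())
        self.bindings: Dict[str, Binding] = {}  # ip -> current binding
        self.probe = probe
        self.log: List[str] = []  # what an operator would see in syslog

    def _block(self, reply: ArpReply, reason: str) -> str:
        self.log.append(
            f"BLOCK {reason}: {reply.sender_ip}/{reply.sender_mac} on {reply.port}"
        )
        return f"BLOCK {reason}"

    def observe(self, reply: ArpReply) -> str:
        ip, mac, port = reply.sender_ip, reply.sender_mac.lower(), reply.port

        # 1. Gateway protection: a claim for a gateway IP *or* a gateway MAC
        #    from an access port is theft, regardless of whether the MAC
        #    matches the real gateway.
        if ip in self.gateway_ips or mac in self.gateway_mac_set:
            return self._block(reply, "gateway-theft")

        # 2. Endpoint protection: first sight of an IP creates a binding.
        current = self.bindings.get(ip)
        if current is None:
            self.bindings[ip] = Binding(mac, port)
            return "ALLOW new-binding"
        if current.mac == mac and current.port == port:
            return "ALLOW known-binding"

        # 3. Conflict: probe the previously bound location. If it still
        #    answers, the new claim is a thief; otherwise the host moved.
        if self.probe(ip, current.mac, current.port):
            reason = "ip-theft" if current.mac != mac else "mac-theft"
            return self._block(reply, reason)
        self.bindings[ip] = Binding(mac, port)
        return "ALLOW rebind"


def run_demo() -> List[str]:
    """Replay a constructed sequence of ARP replies and return the decisions."""
    det = TheftDetector(GATEWAY_MACS, lambda ip, mac, port: (ip, mac, port) in LIVE_HOSTS)
    replies = [
        ArpReply("10.10.1.20", "aa:bb:cc:00:00:20", "Gi1/0/1"),  # legitimate host
        ArpReply("10.10.1.1", "00:00:0c:9f:f0:01", "Gi1/0/7"),   # gateway MAC spoof
        ArpReply("10.10.1.20", "de:ad:be:ef:00:07", "Gi1/0/7"),  # steals a live IP
        ArpReply("10.10.1.30", "aa:bb:cc:00:00:30", "Gi1/0/3"),  # another host
        ArpReply("10.10.1.30", "aa:bb:cc:00:00:30", "Gi1/0/4"),  # roams; old port silent
    ]
    return [det.observe(r) for r in replies]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The probe step is what separates a legitimate move (old location silent, binding updated) from theft (old location still answering, new claim blocked); the real mechanism consults the LISP control plane for the previous location, which this model replaces with a local table.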


Cool! Wasn't aware of that.
For clarification: does DT only block registering to the EID table, or into the local CAM as well?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Yes, IP/MAC thief is fully blocked, no comms permitted on the Fabric Edge Node or over LISP/VXLAN.


Aha, then we have found our culprit, root cause and solution. We have a working DT solution with all features enabled (as is default in SD-A). But we're running IOS-XE 17.6.5 on the switches involved in the P&H testing, so theft is detected, but not blocked. We're already rolling out IOS-XE 17.9.5, which by default will both detect and block. And if this works as planned, we do not need to think about Dynamic ARP Inspection (DAI).

I'll check for publication of BRKENS-3555 and study its contents with interest.

DAI is not required or compatible with SDA. Yes, please test 17.9+ and raise a TAC case if something is not working.
