Router security

n.oneill
Level 1
Level 1

We want to put a router in a unsecured area. I have configured the switch for port-security so only valid mac-addresses can use the network and I have disabled password-recovery on the router.

How can I stop someone plugging directly into the routers ethernet port to bypass the mac-address security on the switch and access the central office?

12 Replies

owillins
Level 6
Level 6

Is there any device currently connected to the ethernet port? You could shut down the port so that no device that is connected to the port is able to bypass the mac address.

igor-p
Level 1
Level 1

Hi! I believe you should create an Ethernet ACL. Range 700-799, if I am not mistaken, and apply it to the eth interface.

Thanks igor

Do I have to enable irb to use this and create a BVI?

Nick

To my knowledge, MAC-based ACLs work only on non-IP traffic.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Sorry Nick, I made a mistake. Ethernet ACLs on routers work with non-IP traffic only :-( thisisshanky is right. But I see another solution to your task.

1. Create static MAC-to-IP mappings for permitted hosts

router(config)#arp aaaa.bbbb.cccc xxx.yyy.zzz.ttt arpa

...

2. Disable ARP on ethernet interface

router(config-if)#no arp arpa

3. Clear ARP cache

router#clear arp

It seemed to be working. But I see one drawback. You should also create static entries on hosts if the router interface isn't responding to ARP requests.

Sorry again.

That's a great suggestion igor.

Thanks for your help.

And thanks thisisshanky for pointing that out :)

My other idea is the following. You create a VLAN on the switch and move all desired ports into the VLAN. Enable a trunk with ISL encapsulation on the port connected to the router interface. Configure ISL on the router's ethernet port. This way the router will expect ISL-tagged traffic only. But you should have at least a FastEthernet router interface.

I did a simple experiment with a router and saw the following.

The no arp arpa command blocks ARP requests from the router only. So dynamic entries appear in the arp cache if a packet or ARP request is coming to the interface. If traffic is initiated by the router it's working properly. Bad.

Sorted

bridge irb

interface Ethernet0
 description "LAN"
 no ip address
 no ip redirects
 no cdp enable
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 spanning-disabled
 hold-queue 100 out

interface BVI1
 description "LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat inside

access-list 700 permit 0011.2fba.aec4 0000.0000.0000
access-list 700 permit 00c0.49b4.dd92 0000.0000.0000

bridge 1 protocol ieee
bridge 1 route ip

:D

p-dolbow
Level 1
Level 1

I realize that you are most likely looking for a nice technical solution, but you should never forget the basic rule that physical possession = ownership (of the box). I suggest physically locking the device(s) up in a lockable rack/IDF cabinet.

-=Phil=-

Agreed

Unfortunately the comms room where the circuit is terminated is not under our jurisdiction and I realise a packet sniffer and mac spoofing could get round the security but casual attempts will be deterred.

Nick

Anyway, you could think about using SSH instead of telnet for network login and disable password recovery and/or console access.

In this way your password is sent via a ciphered tunnel and not in clear. This would only be possible if your chassis and IOS support SSH.

BR,

jonathan