on 08-05-2024 06:34 AM
Environment
- Switch: Cisco Catalyst 9300
- OS Version: IOS-XE 17.6.5
- Network topology: Multi-floor, multi-switch environment
Objective
Good morning. I wanted to think through/test a solution that would render computer traffic useless to stop the spread of malware while maintaining phone functionality in a network where phones are daisy-chained to computers. My goal is to stop all types of traffic except voice on the network, layer 3 and layer 2. Below is what I've tried, suggestions, and test results. I would be grateful if anyone has any knowledge, experience, ideas, or solutions they can share.
I can talk more about the scenario if anyone wants to get a better idea of why this is something I was looking to achieve. You can think of the network as a standard 3-tier architecture: one building has multiple floors, the basement is distribution/routing, and core routers are in dedicated buildings. Each non-basement floor has access-layer 9300 switches running v17.6.5. I found that removing the 'data' VLAN from the interfaces (no switchport access vlan 58) puts all of the interfaces in VLAN 1 rather than rendering them useless, and that layer 2 traffic is still possible between the access switches. Issuing the 'shutdown' command on an interface is what we currently do, but that also renders phones useless, which I'm trying to keep. This job will be automated in scripts and run in a test environment. We also have tools like ISE, DNAC, Umbrella, and Prime.
Methods Tested and Proposed
1. Removal of Access VLAN Command (Tested)
Procedure:
- Removed the command switchport access vlan 58 from interface configurations.
Results:
- Phone traffic continued to function.
- Computer traffic was initially rendered useless.
- Further testing revealed that interfaces defaulted to VLAN 1, allowing potential inter-switch communication.
Conclusion: This method is not suitable for a multi-switch environment, as it doesn't fully isolate layer 2 traffic.
2. Quarantine VLAN Implementation (Proposed)
Procedure:
- Create a quarantine VLAN:
```
vlan 999
 name QUARANTINE
```
- Configure a VACL for the quarantine VLAN:
```
ip access-list extended QUARANTINE_ACL
 permit udp any any eq domain
 deny ip any any
!
vlan access-map QUARANTINE_MAP 10
 match ip address QUARANTINE_ACL
 action forward
vlan access-map QUARANTINE_MAP 20
 action drop
!
vlan filter QUARANTINE_MAP vlan-list 999
```
- Modify access ports:
```
interface range GigabitEthernet1/0/1-48
 switchport access vlan 999
 switchport voice vlan 100
```
Expected Results:
- All data traffic is placed in the highly restricted quarantine VLAN.
- Voice traffic remains unaffected in its separate VLAN.
- Layer 2 communication is blocked within the quarantine VLAN.
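Since the job is meant to be scripted, here is an added Python example (not from the original post) that builds the method 2 per-port change set from a captured `show running-config` and audits for the method 1 pitfall, ports with no explicit access VLAN that fall back to VLAN 1. The running-config text, interface names and VLAN numbers below are constructed sample values.

```python
# Constructed sample of 'show running-config' interface stanzas (not a real switch).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 58
 switchport voice vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport voice vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/48
 description UPLINK-TO-DIST
 switchport mode trunk
!
"""

QUARANTINE_VLAN = 999  # assumed quarantine VLAN, as in method 2

def parse_interfaces(running_config):
    """Return {interface_name: [stripped config lines]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.startswith("!"):
            current = None
    return interfaces

def quarantine_config(interfaces, quarantine_vlan=QUARANTINE_VLAN):
    """Method 2 change set: move every access port that carries a voice VLAN into the
    quarantine VLAN while keeping its voice VLAN. Trunks (uplinks) are left untouched."""
    lines = []
    for name, cfg in interfaces.items():
        if "switchport mode access" not in cfg:
            continue
        voice = next((l.split()[-1] for l in cfg if l.startswith("switchport voice vlan")), None)
        if voice is None:
            continue
        lines += [f"interface {name}", f" switchport access vlan {quarantine_vlan}",
                  f" switchport voice vlan {voice}", "!"]
    return lines

def audit_vlan1_fallback(interfaces):
    """Flag access ports with no explicit access VLAN: they sit in VLAN 1, the method 1 pitfall."""
    return [name for name, cfg in interfaces.items()
            if "switchport mode access" in cfg
            and not any(l.startswith("switchport access vlan") for l in cfg)]
```

Run the audit before and after pushing the generated change set so any port that silently landed in VLAN 1 shows up before the data VLAN is touched.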
3. Port Security with MAC Filtering (Proposed)
Procedure:
- Configure quarantine VLAN as in method 2.
- Apply port security settings:
```
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 999
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky <phone_mac_address>
 spanning-tree portfast
 spanning-tree bpduguard enable
```
- Apply a QoS policy:
```
class-map match-all VOICE_TRAFFIC
 match cos 5
!
policy-map RESTRICT_DATA
 class VOICE_TRAFFIC
  set dscp ef
  police 128000 8000 exceed-action drop
 class class-default
  police 8000 1500 exceed-action drop
!
interface GigabitEthernet1/0/1
 service-policy input RESTRICT_DATA
```
Expected Results:
- Limits each port to two MAC addresses (phone and computer).
- Severely restricts bandwidth for non-voice traffic.
- Allows phones to function normally while limiting computer traffic.
Potential Issues and Considerations: