cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
242
Views
0
Helpful
0
Comments
caesarkrit
Level 1
Level 1

Environment

  • Switch: Cisco Catalyst 9300
  • OS Version: IOS-XE 17.6.5
  • Network topology: Multi-floor, multi-switch environment

Objective

Good morning. I wanted to think/test a solution that would render computer traffic useless to stop the spread of malware while maintaining phone functionality in a network where phones are daisy-chained to computers. My goal is to stop all types of traffic except voice on the network, layer 3 and layer 2. Below is what I've tried, suggestions, and test results. I would be grateful if anyone has any knowledge, experience, ideas, or solutions they can share. 


I can talk more about the scenario if anyone wanted to get a better idea on why this is something I was looking to achieve. you can think of the network as a standard 3 tier architecture. one building as multiple floors, the basement is distribution/routing, and core routers are in dedicated buildings. each floor that's non basement has access layer 9300 switches running v17.6.5. I found that removing the 'data' vlan from the interfaces (no switchport access vlan 58) puts all of the interfaces in vlan 1 rather than render it useless, and that layer 2 traffic is still possible between the access switches. issuing the 'shutdown' command on an interface is what we currently do but that also renders phones useless, which I'm trying to keep. This job will be automated in scripts and run in a test environment. We also have tools like ISE, DNAC, Umbrella, and Prime.

Methods Tested and Proposed

1. Removal of Access VLAN Command (Tested)

Procedure:

  • Removed the command switchport access vlan 58 from interface configurations.

Results:

  • Phone traffic continued to function.
  • Computer traffic was initially rendered useless.
  • Further testing revealed that interfaces defaulted to VLAN 1, allowing potential inter-switch communication.

Conclusion: This method is not suitable for a multi-switch environment as it doesn't fully isolate layer2 traffic.

 

2. Quarantine VLAN Implementation (Proposed)

Procedure:

  1. Create a quarantine VLAN:
    vlan 999 name QUARANTINE
  2. Configure VACL for the quarantine VLAN:
    ip access-list extended QUARANTINE_ACL
    permit udp any any eq domain
    deny ip any any
    !
    vlan access-map QUARANTINE_MAP 10
    match ip address QUARANTINE_ACL
    action forward
    vlan access-map QUARANTINE_MAP 20
    action drop
    !
    vlan filter QUARANTINE_MAP vlan-list 999
  3. Modify access ports:
    interface range GigabitEthernet1/0/1-48
    switchport access vlan 999
    switchport voice vlan 100

Expected Results:

  • All data traffic is placed in the highly restricted quarantine VLAN.
  • Voice traffic remains unaffected in its separate VLAN.
  • Layer 2 communication is blocked within the quarantine VLAN.


3. Port Security with MAC Filtering (Proposed)

Procedure:

  1. Configure quarantine VLAN as in method 2.
    1. Configure quarantine VLAN as in method 2.
    2. Apply port security settings:
      interface GigabitEthernet1/0/1
      switchport mode access
      switchport access vlan 999
      switchport voice vlan 100
      switchport port-security s
      witchport port-security maximum 2
      switchport port-security violation restrict
      switchport port-security mac-address sticky
      switchport port-security mac-address sticky <phone_mac_address>
      spanning-tree portfast spanning-tree bpduguard enable
    3. Apply QoS policy:
      class-map match-all VOICE_TRAFFIC
      match cos 5
      !
      policy-map RESTRICT_DATA
      class VOICE_TRAFFIC
      set dscp ef
      police 128000 8000 exceed-action drop
      class class-default police 8000 1500 exceed-action drop
      !
      interface GigabitEthernet1/0/1
      service-policy input RESTRICT_DATA

    Expected Results:

    • Limits each port to two MAC addresses (phone and computer).
    • Severely restricts bandwidth for non-voice traffic.
    • Allows phones to function normally while limiting computer traffic. Apply port security settings:

 

Potential Issues and Considerations:

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: