Environment
- Switch: Cisco Catalyst 9300
- OS Version: IOS-XE 17.6.5
- Network topology: Multi-floor, multi-switch environment
Objective
Good morning. I wanted to think/test a solution that would render computer traffic useless to stop the spread of malware while maintaining phone functionality in a network where phones are daisy-chained to computers. My goal is to stop all types of traffic except voice on the network, layer 3 and layer 2. Below is what I've tried, suggestions, and test results. I would be grateful if anyone has any knowledge, experience, ideas, or solutions they can share.
I can talk more about the scenario if anyone wanted to get a better idea on why this is something I was looking to achieve. you can think of the network as a standard 3 tier architecture. one building as multiple floors, the basement is distribution/routing, and core routers are in dedicated buildings. each floor that's non basement has access layer 9300 switches running v17.6.5. I found that removing the 'data' vlan from the interfaces (no switchport access vlan 58) puts all of the interfaces in vlan 1 rather than render it useless, and that layer 2 traffic is still possible between the access switches. issuing the 'shutdown' command on an interface is what we currently do but that also renders phones useless, which I'm trying to keep. This job will be automated in scripts and run in a test environment. We also have tools like ISE, DNAC, Umbrella, and Prime.
Methods Tested and Proposed
1. Removal of Access VLAN Command (Tested)
Procedure:
- Removed the command switchport access vlan 58 from interface configurations.
Results:
- Phone traffic continued to function.
- Computer traffic was initially rendered useless.
- Further testing revealed that interfaces defaulted to VLAN 1, allowing potential inter-switch communication.
Conclusion: This method is not suitable for a multi-switch environment as it doesn't fully isolate layer2 traffic.
2. Quarantine VLAN Implementation (Proposed)
Procedure:
- Create a quarantine VLAN:
- Configure VACL for the quarantine VLAN:
ip access-list extended QUARANTINE_ACL
permit udp any any eq domain
deny ip any any
!
vlan access-map QUARANTINE_MAP 10
match ip address QUARANTINE_ACL
action forward
vlan access-map QUARANTINE_MAP 20
action drop
!
vlan filter QUARANTINE_MAP vlan-list 999
- Modify access ports:
interface range GigabitEthernet1/0/1-48
switchport access vlan 999
switchport voice vlan 100
Expected Results:
- All data traffic is placed in the highly restricted quarantine VLAN.
- Voice traffic remains unaffected in its separate VLAN.
- Layer 2 communication is blocked within the quarantine VLAN.
3. Port Security with MAC Filtering (Proposed)
Procedure:
- Configure quarantine VLAN as in method 2.
- Configure quarantine VLAN as in method 2.
- Apply port security settings:
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 999
switchport voice vlan 100
switchport port-security s
witchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky <phone_mac_address>
spanning-tree portfast spanning-tree bpduguard enable
- Apply QoS policy:
class-map match-all VOICE_TRAFFIC
match cos 5
!
policy-map RESTRICT_DATA
class VOICE_TRAFFIC
set dscp ef
police 128000 8000 exceed-action drop
class class-default police 8000 1500 exceed-action drop
!
interface GigabitEthernet1/0/1
service-policy input RESTRICT_DATA
Expected Results:
- Limits each port to two MAC addresses (phone and computer).
- Severely restricts bandwidth for non-voice traffic.
- Allows phones to function normally while limiting computer traffic. Apply port security settings:
Potential Issues and Considerations: