Network Isolation: Rendering Data Traffic Useless, Maintaining Voice

caesarkrit
Level 1

Environment

  • Switch: Cisco Catalyst 9300
  • OS Version: IOS-XE 17.6.5
  • Network topology: Multi-floor, multi-switch environment

Objective

Good morning. I wanted to think/test a solution that would render computer traffic useless to stop the spread of malware while maintaining phone functionality in a network where phones are daisy-chained to computers. My goal is to stop all types of traffic except voice on the network, layer 3 and layer 2. Below is what I've tried, suggestions, and test results. I would be grateful if anyone has any knowledge, experience, ideas, or solutions they can share. 


I can talk more about the scenario if anyone wants to get a better idea of why this is something I was looking to achieve. You can think of the network as a standard 3-tier architecture: one building has multiple floors, the basement is distribution/routing, and the core routers are in dedicated buildings. Each floor that's non-basement has access layer 9300 switches running v17.6.5. I found that removing the 'data' VLAN from the interfaces (no switchport access vlan 58) puts all of the interfaces in VLAN 1 rather than rendering it useless, and that layer 2 traffic is still possible between the access switches. Issuing the 'shutdown' command on an interface is what we currently do, but that also renders phones useless, which I'm trying to keep. This job will be automated in scripts and run in a test environment. We also have tools like ISE, DNAC, Umbrella, and Prime.

Methods Tested and Proposed

1. Removal of Access VLAN Command (Tested)

Procedure:

  • Removed the command switchport access vlan 58 from interface configurations.

Results:

  • Phone traffic continued to function.
  • Computer traffic was initially rendered useless.
  • Further testing revealed that interfaces defaulted to VLAN 1, allowing potential inter-switch communication.

Conclusion: This method is not suitable for a multi-switch environment as it doesn't fully isolate layer 2 traffic.


2. Quarantine VLAN Implementation (Proposed)

Procedure:

  1. Create a quarantine VLAN:
    vlan 999
    name QUARANTINE
  2. Configure VACL for the quarantine VLAN:
    ip access-list extended QUARANTINE_ACL
    permit udp any any eq domain
    deny ip any any
    !
    vlan access-map QUARANTINE_MAP 10
    match ip address QUARANTINE_ACL
    action forward
    vlan access-map QUARANTINE_MAP 20
    action drop
    !
    vlan filter QUARANTINE_MAP vlan-list 999
  3. Modify access ports:
    interface range GigabitEthernet1/0/1-48
    switchport access vlan 999
    switchport voice vlan 100

Expected Results:

  • All data traffic is placed in the highly restricted quarantine VLAN.
  • Voice traffic remains unaffected in its separate VLAN.
  • Layer 2 communication is blocked within the quarantine VLAN.


3. Port Security with MAC Filtering (Proposed)

Procedure:

  1. Configure quarantine VLAN as in method 2.
  2. Apply port security settings:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport access vlan 999
    switchport voice vlan 100
    switchport port-security
    switchport port-security maximum 2
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky <phone_mac_address>
    spanning-tree portfast
    spanning-tree bpduguard enable
  3. Apply QoS policy:
    class-map match-all VOICE_TRAFFIC
    match cos 5
    !
    policy-map RESTRICT_DATA
    class VOICE_TRAFFIC
    set dscp ef
    police 128000 8000 exceed-action drop
    class class-default
    police 8000 1500 exceed-action drop
    !
    interface GigabitEthernet1/0/1
    service-policy input RESTRICT_DATA

Expected Results:

  • Limits each port to two MAC addresses (phone and computer).
  • Severely restricts bandwidth for non-voice traffic.
  • Allows phones to function normally while limiting computer traffic.
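Since the post says the change will be scripted, here is an added Python example (not from the thread or from Cisco) that generates the per-port commands for method 2 from a running-config excerpt, together with the matching rollback. It moves only the data VLAN, leaves every "switchport voice vlan" line untouched so phones stay up, and skips trunk ports so inter-switch links are never quarantined. The interface names, VLAN 58, VLAN 100 and VLAN 999 are assumptions carried over from the post; the config excerpt is constructed.

```python
import re
# Constructed sample running-config excerpt (not from the thread): one
# phone+PC edge port, one data-only port, one trunk uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 58
 switchport voice vlan 100
 switchport mode access
interface GigabitEthernet1/0/3
 switchport access vlan 58
 switchport mode access
interface GigabitEthernet1/0/48
 description UPLINK
 switchport mode trunk
"""

QUARANTINE_VLAN = 999  # assumed value, taken from the post's method 2
IFACE_RE = re.compile(r"^interface (\S+)$")
ACCESS_RE = re.compile(r"^switchport access vlan (\d+)$")

def parse_interfaces(config):
    """Map interface name -> list of its (stripped) config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def build_quarantine(config, quarantine_vlan=QUARANTINE_VLAN):
    """Return (apply_cmds, rollback_cmds). Each access port carrying a data
    VLAN is moved to the quarantine VLAN; voice VLAN lines are not touched."""
    apply_cmds, rollback_cmds = [], []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # never quarantine an inter-switch link
        data_vlan = next((m.group(1) for l in lines
                          if (m := ACCESS_RE.match(l))), None)
        if data_vlan is None or data_vlan == str(quarantine_vlan):
            continue  # no data VLAN to move, or already quarantined
        apply_cmds += [f"interface {name}",
                       f" switchport access vlan {quarantine_vlan}"]
        rollback_cmds += [f"interface {name}",
                          f" switchport access vlan {data_vlan}"]
    return apply_cmds, rollback_cmds
```

Run the output of build_quarantine against a test switch first; the rollback list restores the original data VLAN per port without changing anything else.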
2 Replies

Giuseppe Larosa
Hall of Fame

Hello @caesarkrit ,

You can try to use a quarantine VLAN; a VLAN without L3 services configured on it should be enough for your purposes even without the suggested VACL configuration.

Option 1 will put the ports in access VLAN 1, the default VLAN, and it is not recommended for security reasons.

Option 3: use of port security is likely too difficult to manage.

Hope to help

Giuseppe


Joseph W. Doherty
Hall of Fame

Perhaps a variation of a policy-map, below, used for ingress, either on edge ports, SVIs or transit ports.

Assuming an SVI for a particular VLAN we wish to block:

policy-map SVI_Example !this implicitly restricts policy to just one VLAN
 class class-default
  drop !drop often not supported or not supported within class-default
!alternative to drop - unsure you need the drops for violate and exceed actions
  police cir 8000
   conform-action drop 
   exceed-action drop 
   violate-action drop

interface vlan # !data vlan
 service-policy input SVI_Example

!on an interface where you need to exclude VoIP - define a class to match it, but with no execution statements

policy-map VoIP_Example !possible edge port example
 class VoIP
 class class-default
  . . .

!and if using policy on transit link, match VLAN(s) you want to drop

(config)#class-map VLAN_drop
#match ?
  access-group         Access group
  any                  Any packets
  application          Application to match
  cac                  Call Admission Control
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  dscp                 Match DSCP in IPv4 and IPv6 packets
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  metadata             Metadata to match
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IPv4 and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  security-group       Security group
  service              Service Instance to match
  source-address       Source address
  vlan                 VLANs to match

!most likely matching on input-interface, vlan, (not DSCP EF), access-group, etc.

policy-map VoIP_Example !possible edge port example
 class VLAN_drop
  . . .

Policy-maps are often thought of just for QoS, but "QoS" can drop undesired traffic.
