04-16-2013 12:45 AM - edited 03-07-2019 12:50 PM
Hello,
I'm going to be locking down a remote site's LAN, as currently it has no real security implemented. Any suggestions would be most welcome, as I want to stop man-in-the-middle attacks (MAC spoofing) and DHCP servers being installed on untrusted ports. I want to create a template I can use for all other offices. This is what I plan to do:
They have 4 3750s:
I have already configured:
Not really to do with security, but VTP is enabled with pruning.
Thanks
04-16-2013 01:48 AM
Hello
Not really to do with security, but VTP is enabled with pruning - Use VTP3 (if applicable) and apply passwords (option to hide them in VTP 3).
2)
int x/x (protects against unauthorized hubs/switches)
switchport host (disable cdp - access port)
switchport port-security maximum 1
switchport port-security aging type inactivity
switchport port-security violation shutdown
spanning-tree portfast bpduguard enable
Automatically recovers from a violation and ages out the MAC address on the port:
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 150
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-16-2013 02:48 AM
Hi,
Thanks for your quick and great reply; here is my response:
1.) Do you normally also put shutdown ports into an unroutable (black-hole) VLAN, or just leave them administratively down?
2.) So you set ports as host ports instead of access ports and only allow 1 MAC address, which will clear from the MAC table after 150 seconds?
3.) So BPDU guard will cover host ports from any STP change, either root or some other type? Use root guard on trunk ports from the root switch (designated)?
4.) Sure, on trunks I have to make these trusted, and any official DHCP server ports. I think I have had to use option 82 before too; I need to check my notes.
5.) Will disable CDP globally and enable it on specific ports only (VoIP).
Thanks
04-16-2013 02:56 AM
You've got 3750s? Investigate Auto Smartports (ASP) or use 802.1X.
Beats the heck out of "shutdown unused ports". I've seen this line before, and I've seen it being implemented for only a few months.
04-16-2013 04:26 AM
Hey Leolaohoo,
These are 3560s. I've used 802.1X for port security, but never managed to get Win XP/7 to seamlessly authenticate using Windows RADIUS/Active Directory. I have got it working where the user puts in a RADIUS username and password and it authenticates them, then they have to log into the domain using their AD credentials. I'm sure there is a way so their AD credentials can do it all.
04-16-2013 03:06 AM
Hello,
1) Most secure method - so if the port was accidentally enabled it won't allow access to anything.
2) No - these are access ports with additional port-security enabled.
3) Correct - and on switch ports you don't want that port to become a root port for another switch.
Note: the most secure method of tying down your LAN is to implement 802.1X port-based authentication (IBNS - identity based network services).
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-16-2013 04:34 AM
Hi,
1.) Great I understand.
2.) A typical port looks like this, so if I just enable the host option will that be OK?
interface FastEthernet0/4
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
3.) 802.1X is great. I got this working in my home lab, but just couldn't get it to work at work using our Windows 2008 NPS RADIUS server, which talks to our Active Directory. I wanted users to be able to get to their control-alt-delete screen and log in once using their Active Directory credentials only.
I just want to create a template to use everywhere; maybe 802.1X is a phase 2.
04-16-2013 04:43 AM
Hello,
Sorry, misunderstood - the switchport host command is an in-built macro that puts the port into access mode and applies portfast, with channel-group disabled.
Your port config is fine - just add the port-security as stated above.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-16-2013 04:51 AM
Thanks. This is what I did; you are right about the host option. I created a new VLAN for the unused ports called VLAN 666; it is not an SVI:
3560_1(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
interface FastEthernet0/1
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
sh vlan bri
666 Black-hole active Fa0/1
Hopefully this looks OK to you? Lots of work to do for me at many sites, but exciting.
04-16-2013 04:59 AM
Forgot to ask, what is this doing?
Is it allowing 1 user only, then shutdown when idle?
2)
int x/x (protects against unauthorized hubs/switches)
switchport host (disable cdp - access port)
switchport port-security maximum 1
switchport port-security aging type inactivity
switchport port-security violation shutdown
spanning-tree portfast bpduguard enable
Automatically recovers from a violation and ages out the MAC address on the port:
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 150
04-16-2013 06:46 AM
Hello
It allows only one MAC address per port (protects against hubs, which don't have BPDUs), and if a violation occurs it will errdisable.
BPDU guard is for unauthorized switches (which send BPDUs).
In either case the IOS will then try to re-enable the port every 150 seconds if the violation has ceased.
Regarding the MAC security, if the port has been idle the associated MAC address will age out and the port will be able to receive a new host.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-16-2013 09:19 AM
Thanks,
Looks like one port has a hub, so I will have to leave that port. Problem is, we have a few laptop users that hot desk (move around), so one MAC address may be difficult, unless I can lock the port down to 1 address and this ages out when the computer disconnects?
04-17-2013 02:10 AM
Andy
Please don't forget to rate any posts that have been helpful.
Thanks.
04-17-2013 02:44 AM
Just one thing, as I'm being dense today, regarding the MAC address security.
If 1 port is locked down to 1 MAC address, how long will it be before a new user can use that port? I'm just thinking, if a roaming laptop user goes home and the next day or in the next 10 mins someone plugs their own laptop in, they can't access the network.
Would allowing 2 MAC addresses be best, or 1 only and age out after a min or 2? I just want to stop MAC flooding.
Kind regards
04-19-2013 03:53 AM
Hello,
I'm going to use this:
int x/x (protects against unauthorized hubs/switches)
switchport host (disable cdp - access port)
switchport port-security maximum 1
switchport port-security aging type inactivity
switchport port-security violation shutdown
spanning-tree portfast bpduguard enable
So when a user unplugs their laptop, how long will it be before a new user can use that port?
Thanks
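A template only helps if every switch at every site actually keeps to it, so here is an added example (my own code, not from the thread or from Cisco) that audits a saved running-config against the access-port template restated above: unused ports must be shutdown in the VLAN 666 black hole, in-use ports must carry the template lines, and any explicit `maximum` or `violation` value other than the template's is flagged. It assumes the template is applied as shown, that IOS omits defaults from `show running-config` (so `maximum 1` and `violation shutdown` never appear there), and it also looks for the bare `switchport port-security` line, which is what enables the feature; the maximum/aging/violation sub-commands alone do not.

```python
import re

# Non-default lines the template leaves in 'show running-config' on an in-use access port
# (IOS omits defaults, so 'maximum 1' and 'violation shutdown' never appear there).
REQUIRED = ("switchport mode access",
            "switchport port-security",  # enables the feature; the sub-options alone do not
            "switchport port-security aging type inactivity",
            "spanning-tree portfast", "spanning-tree bpduguard enable")
DEFAULTS = {"maximum": "1", "violation": "shutdown"}  # template values IOS leaves implicit
BLACKHOLE_VLAN = "666"  # the unused-port VLAN from the thread
# Constructed sample running-config (not from a real switch)
SAMPLE_CONFIG = """interface FastEthernet0/1
 switchport access vlan 666
 shutdown
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config):
    # Return {interface name: [stanza lines]}; '!' or any top-level line ends a stanza
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            ifaces[(current := raw.split(None, 1)[1])] = []
        elif current and raw.startswith(" "):
            ifaces[current].append(raw.strip())
        else:
            current = None
    return ifaces

def audit_port(lines):
    # Findings for one port; an empty list means it matches the template
    present = set(lines)
    if "shutdown" in present:  # unused port: black-hole VLAN so an accidental 'no shut' grants nothing
        return [] if f"switchport access vlan {BLACKHOLE_VLAN}" in present else ["unused port not in black-hole VLAN"]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in present]
    for line in lines:  # defaults are silent, so an explicit value here is a deviation
        m = re.match(r"switchport port-security (maximum|violation) (\S+)", line)
        if m and m.group(2) != DEFAULTS[m.group(1)]:
            findings.append(f"{m.group(1)} set to {m.group(2)}")
    return findings

def audit(config):
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Running `audit(SAMPLE_CONFIG)` flags Fa0/4 (the "typical port" from earlier in the thread) for the missing port-security lines and Fa0/5 for its raised maximum and weaker violation mode, while Fa0/1 passes as a correctly parked unused port.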