Cisco Bound MAC Address

Source: Internet
Author: User
Tags: resolve ip address, switches, cisco 2950, cisco switch

Cisco offers the following three options. Scenario 1 and Scenario 2 implement the same function: binding a specific host's MAC address (the NIC hardware address) to a specific switch port. Scenario 3 binds both the MAC address (NIC hardware address) and the IP address of a specific host to a specific switch port.

1. Scenario 1--port-based MAC address binding


Take a Cisco 2950 switch as an example: log in to the switch, enter the enable password to reach configuration mode, and type the following commands:


Switch# config terminal   # Enter configuration mode

Switch(config)# interface fastethernet 0/1   # Enter the configuration mode of the specific port

Switch(config-if)# switchport mode access   # Port security is accepted only on an access port

Switch(config-if)# switchport port-security   # Enable port security on the port

Switch(config-if)# switchport port-security mac-address <host MAC address>   # Configure the MAC address of the host bound to the port

Switch(config-if)# no switchport port-security mac-address <host MAC address>   # Remove the bound host's MAC address


Note: The commands above bind a specific MAC address to a port on the switch, so that only that host can use the network through it. If the host's network card is replaced, or another PC tries to use the network through this port, the network is unavailable until the MAC address bound to the port is deleted or changed.


Note: The feature above is available on Cisco 2950, 3550, 4500 and 6500 series switches.


2. Scenario 2--MAC address-based extended access list


Switch(config)# mac access-list extended MAC10   # Define a MAC address access control list named MAC10

Switch(config-ext-macl)# permit host 0009.6BC4.D4BF any   # The host with MAC address 0009.6BC4.D4BF may reach any host

Switch(config-ext-macl)# permit any host 0009.6BC4.D4BF   # Any host may reach the host with MAC address 0009.6BC4.D4BF

Switch(config)# interface fa0/20   # Enter the configuration mode of the specific port

Switch(config-if)# mac access-group MAC10 in   # Apply the access list named MAC10 (the access policy defined above) inbound on the port

Switch(config)# no mac access-list extended MAC10   # Remove the access list named MAC10


This feature is roughly the same in application as Scenario 1, but it is a port-based access control list for MAC addresses, so it can restrict specific source MAC addresses and destination address ranges.


Note: The feature above can be implemented on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run an enhanced software image (Enhanced Image).


3. Scenario 3--IP address and MAC address binding


IP-MAC binding can only be achieved by combining Scenario 1 or Scenario 2 with an IP-based access control list.


Switch(config)# mac access-list extended MAC10   # Define a MAC address access control list named MAC10

Switch(config-ext-macl)# permit host 0009.6BC4.D4BF any   # The host with MAC address 0009.6BC4.D4BF may reach any host

Switch(config-ext-macl)# permit any host 0009.6BC4.D4BF   # Any host may reach the host with MAC address 0009.6BC4.D4BF

Switch(config)# ip access-list extended IP10   # Define an IP address access control list named IP10

Switch(config-ext-nacl)# permit ip 192.168.0.1 0.0.0.0 any   # The host with IP address 192.168.0.1 may reach any host

Switch(config-ext-nacl)# permit ip any 192.168.0.1 0.0.0.0   # Any host may reach the host with IP address 192.168.0.1

Switch(config)# interface fa0/20   # Enter the configuration mode of the specific port

Switch(config-if)# mac access-group MAC10 in   # Apply the access list named MAC10 (the access policy defined above) inbound on the port

Switch(config-if)# ip access-group IP10 in   # Apply the access list named IP10 (the access policy defined above) inbound on the port

Switch(config)# no mac access-list extended MAC10   # Remove the access list named MAC10

Switch(config-if)# no ip access-group IP10 in   # Remove the access list named IP10 from the port


Scenario 1 above binds the host MAC address to the switch port, and Scenario 2 is a MAC address-based access control list; the first two scenarios achieve the same function. If IP and MAC address binding is required, it can only be achieved by combining Scenario 1 or Scenario 2 with an IP access control list, as needed.
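As an added illustration (not code from the original page), the following Python simulation evaluates the MAC10 and IP10 lists from Scenario 3 as inbound port ACLs, using Cisco wildcard-mask matching and the implicit deny at the end of every list. The Frame record and every address other than 0009.6BC4.D4BF and 192.168.0.1 are constructed for the example. One caveat to verify in the configuration guide of the target platform: on several Catalyst models a MAC ACL applied to a Layer 2 port filters only non-IP traffic while the IP ACL handles IP packets, so the combined check below reflects the intent of the text rather than what every platform enforces in hardware.

```python
import ipaddress
from dataclasses import dataclass


# Constructed frame record: just the fields the two port ACLs look at.
@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def norm_mac(mac: str) -> str:
    """Reduce '0009.6BC4.D4BF' or '00:09:6b:c4:d4:bf' to the same 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def mac_matches(spec: str, mac: str) -> bool:
    """MAC ACL operand: 'any' or 'host <mac>' (the two forms used on this page)."""
    if spec == "any":
        return True
    keyword, value = spec.split()
    if keyword != "host":
        raise ValueError(f"unsupported MAC operand: {spec!r}")
    return norm_mac(value) == norm_mac(mac)


def ip_matches(spec: str, ip: str) -> bool:
    """IP ACL operand: 'any', 'host <ip>' or '<ip> <wildcard>'.
    Cisco wildcard masks: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    first, second = spec.split()
    addr, wild = (second, "0.0.0.0") if first == "host" else (first, second)
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wild))
    x = int(ipaddress.IPv4Address(ip))
    care = 0xFFFFFFFF ^ w  # bits the entry cares about
    return (a & care) == (x & care)


def evaluate(acl, matcher, src, dst) -> bool:
    """First matching entry wins; no match means deny (Cisco's implicit deny)."""
    for action, src_spec, dst_spec in acl:
        if matcher(src_spec, src) and matcher(dst_spec, dst):
            return action == "permit"
    return False


# The two lists from Scenario 3 as (action, source, destination) entries.
MAC10 = [("permit", "host 0009.6BC4.D4BF", "any"),
         ("permit", "any", "host 0009.6BC4.D4BF")]
IP10 = [("permit", "192.168.0.1 0.0.0.0", "any"),
        ("permit", "any", "192.168.0.1 0.0.0.0")]


def port_allows(frame: Frame, mac_acl=MAC10, ip_acl=IP10) -> bool:
    """Inbound check on fa0/20 with both lists applied: the frame must pass the
    MAC ACL and the IP ACL, so a bound MAC carrying a foreign IP is dropped."""
    return (evaluate(mac_acl, mac_matches, frame.src_mac, frame.dst_mac)
            and evaluate(ip_acl, ip_matches, frame.src_ip, frame.dst_ip))


if __name__ == "__main__":
    cases = {
        "bound host": Frame("0009.6bc4.d4bf", "0011.2233.4455", "192.168.0.1", "10.0.0.5"),
        "bound MAC, other IP": Frame("0009.6bc4.d4bf", "0011.2233.4455", "192.168.0.99", "10.0.0.5"),
        "other MAC, bound IP": Frame("0011.2233.4455", "ffff.ffff.ffff", "192.168.0.1", "10.0.0.5"),
    }
    for name, f in cases.items():
        print(f"{name}: {'forward' if port_allows(f) else 'drop'}")
```

Because the lists are applied inbound on the host's own port, the "permit any host ..." entries only match frames addressed to the bound host itself, so in practice the first entry of each list does the work and everything else falls through to the implicit deny.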

2 Related problems that can be solved with DHCP snooping, DAI and IP Source Guard technology
1. Protecting against DHCP attacks with DHCP snooping
1.1 Common problems in DHCP management:
Using a DHCP server automatically assigns the IP address, mask, gateway, DNS, WINS and other network parameters, which simplifies client network configuration and improves management efficiency. Compared with other ways of managing the network, however, DHCP brings some problems of its own. Common ones are:
• DHCP server impersonation.
• DoS attacks against the DHCP server.
• Some users assign addresses arbitrarily, causing address conflicts on the network.
Because of how DHCP works, the server and client normally have no mutual authentication, so more than one DHCP server on the same network throws the network into disorder. Disorder caused by users who configure a DHCP server by accident is very common, which shows how simple deliberate sabotage would be. A typical attack first exhausts the IP addresses the legitimate DHCP server can allocate and then impersonates a legitimate DHCP server. The most covert and dangerous variant uses the impersonated DHCP server to hand clients a modified DNS server address; users who notice nothing are then directed to a pre-prepared fake banking or e-commerce site, and their account names and passwords are stolen.
1.2 DHCP snooping technology overview
DHCP snooping is a DHCP security feature that filters untrusted DHCP messages, meaning DHCP messages arriving from the untrusted zone, by building and maintaining a DHCP snooping binding table. The binding table holds the MAC address, IP address, lease time, VLAN ID and interface of each user in the untrusted zone, as in the following output:
S3560#SH IP DHCP snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:46:ac:70:b8   172.16.2.11      692092      dhcp-snooping  2     fastethernet0/47
Total number of bindings:1
This table not only solves the problem of tracking which port a DHCP user's IP address is on, which is convenient for user management, but also supplies the data used by Dynamic ARP Inspection (DAI) and IP Source Guard.
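An added example, not part of the original article: a small Python parser for the `show ip dhcp snooping binding` output shown above, which is the starting point for the IP-to-port tracking the text mentions. The sample output is constructed: it repeats the row from the page and adds a static entry with an invented MAC, IP and interface.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    mac: str          # lower-case colon form, as the switch prints it
    ip: str
    lease_sec: int    # -1 stands for 'infinite' (static entries)
    kind: str         # 'dhcp-snooping' or 'static'
    vlan: int
    interface: str


# One data row of 'show ip dhcp snooping binding'. The prompt, the header, the
# separator and the 'Total number of bindings' trailer do not match and are skipped.
_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<lease>\d+|infinite)\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)


def parse_bindings(output: str) -> list:
    """Turn the captured command output into Binding records."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        lease = m.group("lease").lower()
        rows.append(Binding(
            mac=m.group("mac").lower(),
            ip=m.group("ip"),
            lease_sec=-1 if lease == "infinite" else int(lease),
            kind=m.group("kind"),
            vlan=int(m.group("vlan")),
            interface=m.group("iface"),
        ))
    return rows


def total_matches(output: str, rows) -> bool:
    """Cross-check the row count against the trailer so a truncated capture is noticed."""
    m = re.search(r"Total number of bindings:\s*(\d+)", output)
    return m is not None and int(m.group(1)) == len(rows)


def locate(rows, ip: str) -> Optional[Binding]:
    """Answer 'which port and VLAN is this IP address on?' from the table."""
    return next((b for b in rows if b.ip == ip), None)


# Constructed sample: the dynamic row from the output above plus a static entry
# of the kind added manually for a server that does not use DHCP.
SAMPLE = """\
S3560#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:46:ac:70:b8   172.16.2.11      692092      dhcp-snooping  2     fastethernet0/47
00:1a:2b:3c:4d:5e   172.16.2.5       infinite    static         2     fastethernet0/10
Total number of bindings: 2
"""

if __name__ == "__main__":
    rows = parse_bindings(SAMPLE)
    print("trailer consistent:", total_matches(SAMPLE, rows))
    hit = locate(rows, "172.16.2.11")
    print(f"172.16.2.11 -> VLAN {hit.vlan} {hit.interface} ({hit.kind})")
```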



1.3 Protective measures
Define trusted and untrusted ports on the switch, intercept and inspect DHCP packets arriving on untrusted ports, and drop abnormal DHCP packets from those ports. Through the switch's port security settings, each DHCP request through a given port can be required to use a unique MAC address on that port. The DHCP server normally identifies the client by the CHADDR field of the DHCP request, which is normally the same as the client's real MAC address. If an attacker leaves the client's MAC address alone but modifies the CHADDR field of the DHCP messages to mount a DoS attack, port security does not help; DHCP snooping, however, can check the CHADDR field in the DHCP request against the snooping binding table and so prevents attackers from modifying CHADDR in DHCP messages.
2. Using Dynamic ARP Inspection (DAI) to protect against ARP spoofing and man-in-the-middle (MITM) attacks
2.1 MITM (man-in-the-middle) attack principle
By design of the ARP protocol, in order to reduce ARP traffic on the network, a host inserts a received ARP reply into its own ARP cache even if it never sent the corresponding request; this creates the possibility of ARP spoofing. An attacker who wants to eavesdrop on the communication between two hosts on the same network (even when they are connected through a switch) sends each of the two hosts an ARP reply, so that each host wrongly takes the attacker's MAC address for the other host's. The two sides then appear to communicate directly, while in fact everything passes indirectly through the attacker's host. The attacker obtains the communication content and, by changing some information in the packets, can still forward them successfully. In this sniffing mode the attacker's network card does not even need promiscuous mode, because the packets are physically delivered to the attacker's relay host.
2.2 Protective measures
Cisco Dynamic ARP Inspection (DAI) provides bindings between IP addresses and MAC addresses on the switch and establishes them dynamically. DAI is based on the DHCP snooping binding table; for individual machines that do not use DHCP, static bindings can be added with an ARP access list. DAI is configured per VLAN and can be turned off for individual interfaces within that VLAN. DAI can also limit the number of ARP request messages on a port. Together these techniques protect against man-in-the-middle attacks.
2.3 Effects after DAI is configured:
• On an interface where DAI is configured, a client cannot access the network with an address it has specified itself.
• Because DAI checks the IP-to-MAC correspondence in the DHCP snooping binding table, a man-in-the-middle attack cannot be carried out and the attack tool fails.
• Because the rate of ARP request messages is limited, a client cannot perform IP scanning, probing and similar activity; if such behaviour occurs, the switch raises an alarm immediately or cuts off the scanning machine directly.
• After obtaining an IP address, a user cannot modify either the IP or the MAC address. If the user modifies the IP and the MAC at the same time to a pair that is legitimate inside the network, the IP Source Guard technology described below can be used to guard against that kind of modification.



3. Using IP Source Guard to prevent IP/MAC spoofing
IP Source Guard can be configured only on Layer 2 ports of the switch, and protects against IP/MAC spoofing by the following mechanism:
• IP Source Guard uses the DHCP snooping binding table information.
• It is configured on a switch port and takes effect on that port.
• Its operating mechanism is similar to DAI, but IP Source Guard does not only check ARP messages: all packets arriving on a port on which IP Source Guard is defined are checked.
• IP Source Guard checks whether the source IP address and MAC address of traffic entering the interface are in the DHCP snooping binding table and blocks the traffic if they are not. Note that checking the MAC address requires the DHCP server to support option 82 and the router to be enabled to support option 82 information.
Configuring IP Source Guard on the switch:
• Filters out illegal IP addresses, whether deliberately modified by users or caused by viruses, attacks and other reasons.
• Resolves IP address conflict problems.
• Provides a dynamic IP + MAC + port table and binding; for servers that do not use DHCP and for some special machines, the corresponding entries can be added to the binding table manually and statically with global commands.
• An interface configured with IP Source Guard initially blocks all non-DHCP traffic.
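Added example, not from the original article, covering sections 2.3 and 3 together: a Python model of DAI checking an ARP sender's IP/MAC pair against the binding table, the per-port ARP rate limit that puts a scanning port into err-disabled state, and IP Source Guard checking every IP packet's source against the bindings for its port. The binding table reuses the entry from the snooping output in section 1.2 and adds a constructed static entry; the trusted uplink name, the attacker addresses and the limit of 15 ARP packets per second (the untrusted-port default on Cisco DAI) are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table: the dynamic entry shown in section 1.2 plus a
# static entry for a server that does not use DHCP.
BINDINGS = (
    Binding("172.16.2.11", "08:00:46:ac:70:b8", 2, "fastethernet0/47"),
    Binding("172.16.2.5", "00:1a:2b:3c:4d:5e", 2, "fastethernet0/10"),
)
BY_IP = {b.ip: b for b in BINDINGS}
TRUSTED = frozenset({"gigabitethernet0/1"})   # assumed uplink: ARP is not inspected there


@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    sender_ip: str
    sender_mac: str


def dai_check(pkt: ArpPacket):
    """DAI as modelled here: an ARP from an untrusted port is forwarded only if
    its sender IP/MAC pair is bound on that VLAN and port. Returns (forward, reason)."""
    if pkt.port in TRUSTED:
        return True, "trusted port"
    b = BY_IP.get(pkt.sender_ip)
    if b is None:
        return False, f"no binding for sender IP {pkt.sender_ip}"
    if b.mac != pkt.sender_mac.lower():
        return False, f"{pkt.sender_ip} is bound to {b.mac}, not {pkt.sender_mac}"
    if b.vlan != pkt.vlan or b.port != pkt.port:
        return False, f"{pkt.sender_ip} belongs on VLAN {b.vlan} {b.port}, not {pkt.port}"
    return True, "sender matches binding"


class ArpRateLimiter:
    """Per-port ARP rate limit: more than `limit` packets inside `window`
    seconds puts the port into err-disabled state, as section 2.3 describes."""

    def __init__(self, limit: int = 15, window: float = 1.0):
        self.limit, self.window = limit, window
        self._times = defaultdict(deque)
        self.errdisabled = set()

    def admit(self, port: str, now: float) -> bool:
        if port in self.errdisabled:
            return False
        q = self._times[port]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.limit:
            self.errdisabled.add(port)
            return False
        return True


@dataclass(frozen=True)
class IpPacket:
    port: str
    src_ip: str
    src_mac: str


def ip_source_guard(pkt: IpPacket, check_mac: bool = True) -> bool:
    """IP Source Guard: any IP packet entering a guarded port must carry a source
    IP (and, when option 82 support allows it, a source MAC) bound to that port."""
    return any(b.port == pkt.port and b.ip == pkt.src_ip
               and (not check_mac or b.mac == pkt.src_mac.lower())
               for b in BINDINGS)


if __name__ == "__main__":
    victim = ArpPacket("fastethernet0/47", 2, "172.16.2.11", "08:00:46:ac:70:b8")
    spoof = ArpPacket("fastethernet0/20", 2, "172.16.2.11", "00:de:ad:be:ef:00")   # constructed attacker
    print("victim's own ARP:", dai_check(victim))
    print("spoofed reply:   ", dai_check(spoof))
    rl = ArpRateLimiter()
    verdicts = [rl.admit("fastethernet0/20", 0.01 * i) for i in range(16)]
    print("ARP burst admitted:", verdicts.count(True), "err-disabled:", sorted(rl.errdisabled))
    print("ISG, changed IP:", ip_source_guard(IpPacket("fastethernet0/47", "172.16.2.99", "08:00:46:ac:70:b8")))
```

The DAI check models the last bullet of section 2.3: a sender that copies both the IP and the MAC of a legitimate host still fails because the pair is bound to a different port, and IP Source Guard applies the same port binding to every IP packet rather than only to ARP.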
In summary, configuring the above features of the Cisco switch not only solves some typical attack and virus prevention problems, but also offers a new approach to traditional IP address management.
The problems of traditionally managing client IP addresses with a DHCP server are addressed by the technologies above:
• Conflicts between deliberately assigned static IP addresses and addresses assigned by DHCP
• DHCP servers configured by users on their own
• Problems encountered with statically specified IP addresses
• Not using the assigned IP address, causing conflicts with the addresses of servers or other hosts
• Difficulty locating the correspondence between IP addresses and specific switch ports
Important servers and computers that use static addresses can be statically bound as IP + MAC or IP + MAC + port by manually configuring DAI and IP Source Guard binding table entries; this protects these devices and also prevents attacks originating from them.
