Configuring MAC address access control on a Cisco Catalyst 3550 switch

Source: Internet
Author: User

This article describes how to configure a Cisco Catalyst 3550 switch and how to configure access control based on MAC addresses.

In network management, administrators often encounter this situation: some users violate management regulations and change their own IP addresses without permission in order to reach restricted resources. Such behaviour not only undermines information security rules, it may also cause network communication faults through address conflicts.

The network administrator may try to solve this problem with the technical means described below, but the result is not necessarily satisfactory: first, technical means cannot completely prevent this behaviour; second, they increase the complexity and cost of management. Therefore the most effective way to curb it is administrative, and that cannot be replaced by technical means.

Before introducing these methods, consider a simulated environment: the workstation PC and the SERVER are connected to a Cisco Catalyst 3550 switch, belong to different VLANs, and communicate through the 3550's routing function (switch configuration below):

hostname Cisco3550
!
interface GigabitEthernet0/11
 description Connect to PC
!
interface GigabitEthernet0/12
 description Connect to SERVER
 switchport access vlan 2
!
interface Vlan1
 ip address 1.1.1.254 255.255.255.0
!
interface Vlan2
 ip address 2.1.1.254 255.255.255.0

If you do not need access restrictions but only want to prevent IP address conflicts, the best solution is probably DHCP. A DHCP server can hand out the IP address, subnet mask, gateway and DNS servers to users, which is convenient and saves IP addresses. For details on configuring DHCP on a Cisco device, refer to "Full explanation of DHCP configuration on a Cisco router". Static allocation requires considerably more management overhead, but if users do not tamper with their settings, the one-to-one correspondence between user names and IP addresses makes maintenance easier. The following assumes that static address management is used.

Test 1. In VLAN1, only the IP address 1.1.1.1 is allowed to access the server 2.1.1.1; all other access is prohibited.

Restriction method: use an IP address access control list

interface Vlan1
 ip address 1.1.1.254 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit ip host 1.1.1.1 host 2.1.1.1

Breakthrough method: an unauthorized user can change their IP address to 1.1.1.1 and access the server. If the unauthorized user seizes the address 1.1.1.1 while the legitimate host is online, an IP address conflict results; if they set their address to that of the gateway, communication for the entire VLAN is affected. Windows can be configured to prevent users from modifying the "Network" properties, but this restriction is also easy to bypass.

Test 2. Adding a static ARP binding to Test 1 prevents IP address theft.

Implementation: on top of the Test 1 configuration, add the command arp 1.1.1.1 0001.0001.1111 ARPA.

Note that the following command is incorrect, because the interface parameter of the arp command must be a layer-3 (routed) interface, not a layer-2 (switched) port:

arp 1.1.1.1 0001.0001.1111 ARPA GigabitEthernet0/11

After this configuration, if an unauthorized user changes their address to 1.1.1.1, the packets they send to the router are still delivered normally, but when the router forwards the replies from the target server 2.1.1.1, the destination MAC address is always set to 0001.0001.1111, so the unauthorized host cannot receive them.

Similarly, an ARP server can broadcast the correct IP-to-MAC mapping table for all hosts in the subnet at a fixed interval.

Breakthrough method: the MAC address is easy to change. In the Windows network connection settings, open the NIC configuration and, on the "Advanced" page, set the Network Address property to the desired value.

Test 3. Use port security

Principle: if the port is restricted to a machine with a specific MAC address, changing the MAC address makes the port unusable for that user.

Setting method:

interface g 0/1
 switchport mode access
 switchport port-security

After this configuration, the MAC address of the first PC connected to the switch port is recorded by the switch and becomes the only MAC address allowed to use that port. If the PC's MAC address is changed, the port is shut down by default and the PC can no longer connect to the network.

You can use the following command to set how a security violation is handled:

switchport port-security violation {protect | restrict | shutdown}

protect: discards packets from an invalid source address without any warning.

restrict: discards packets from an invalid source address and sends a syslog alarm.

shutdown (default): closes the port and sends an SNMP trap or syslog alarm. The port stays down until the administrator executes shutdown followed by no shutdown on it.
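The restrict and shutdown modes above produce syslog messages, which is what a defender should actually be watching. As an added example (not from the original article), a small Python parser that extracts the offending MAC address and port from Cisco IOS port-security violation and err-disable messages; the log lines below are constructed sample input, and the exact message text may vary between IOS releases.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on Cisco IOS port-security
# messages; not captured from a real device.
SAMPLE_LOG = """\
Mar  1 10:02:11.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0001.2222 on port GigabitEthernet0/1.
Mar  1 10:02:11.121: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar  1 10:02:12.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar  1 10:05:40.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0001.2222 on port GigabitEthernet0/1.
Mar  1 10:07:03.910: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/12.
"""

# Cisco dotted MAC notation: three groups of four hex digits.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

def parse_violations(log_text):
    """Return a list of (port, mac) tuples, one per violation message, in log order."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("port"), m.group("mac")))
    return events

def errdisabled_ports(log_text):
    """Return the set of interfaces that were put into err-disable by port security."""
    return {m.group("port") for m in map(ERRDISABLE_RE.search, log_text.splitlines()) if m}

def summarize(log_text):
    """Count violations per (port, mac) so repeat offenders stand out."""
    return Counter(parse_violations(log_text))

if __name__ == "__main__":
    for (port, mac), n in summarize(SAMPLE_LOG).items():
        print(f"{port}: unexpected MAC {mac} seen {n} time(s)")
    print("err-disabled:", sorted(errdisabled_ports(SAMPLE_LOG)))
```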

Breakthrough method: a proxy server. A proxy is installed on a host in the same VLAN that is allowed external access, and the restricted user goes out through that proxy.

Test 4. Use VLANs and PVLANs to isolate users

Principle: put authorized and unauthorized users into different VLANs and use access control lists to restrict communication between the VLANs. PVLAN isolation can also be used to prevent direct communication between certain hosts in the same VLAN.

interface range g 0/10
 description Connect to PC1
 switchport access vlan 7
!
interface range g 0/11
 description Connect to PC2
 switchport access vlan 8

Special method: the Cisco 3550 can also apply MAC and IP access control lists on layer-2 (switched) ports. The following configuration allows the PC on port f0/1 to communicate only with IP address 1.1.1.1 and MAC address 255.c31.ba9b; with any other addresses, network communication fails.

mac access-list extended macacl
 permit host 255.c31.ba9b any
 permit any host 255.c31.ba9b
!
ip access-list extended ipacl
 permit ip any host 1.1.1.1
 permit ip host 1.1.1.1 any
!
interface FastEthernet0/1
 no ip address
 ip access-group ipacl in
 mac access-group macacl in
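Maintaining these per-port bindings by hand is where address conflicts creep in. As an added example (not from the original article), a Python generator that turns a constructed port/IP/MAC inventory into the static ARP entries of Test 2 and the per-port MAC and IP ACLs shown in this section, normalising any common MAC notation to Cisco dotted form and refusing duplicate IPs or MACs before they reach the switch; the inventory, the function names and the ACL naming scheme are assumptions.

```python
import ipaddress
import re

# Constructed sample inventory (not from the article): one entry per access port.
BINDINGS = [
    {"port": "FastEthernet0/1", "ip": "1.1.1.1", "mac": "00:01:00:01:11:11"},
    {"port": "FastEthernet0/2", "ip": "1.1.1.2", "mac": "0001-0001-2222"},
]

def cisco_mac(mac):
    """Normalise colon, dash, dotted or bare hex MAC notation to Cisco form, e.g. 0001.0001.1111."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def check_bindings(bindings):
    """Reject duplicate IPs or MACs before they become address conflicts on the wire."""
    seen_ip, seen_mac = set(), set()
    for b in bindings:
        ip = str(ipaddress.ip_address(b["ip"]))      # also validates the IP syntax
        mac = cisco_mac(b["mac"])
        if ip in seen_ip or mac in seen_mac:
            raise ValueError(f"duplicate binding: {ip} / {mac}")
        seen_ip.add(ip)
        seen_mac.add(mac)

def render_config(bindings):
    """Emit a static ARP entry plus per-port MAC and IP ACLs for each binding."""
    check_bindings(bindings)
    lines = []
    for b in bindings:
        ip, mac = b["ip"], cisco_mac(b["mac"])
        name = re.sub(r"\W", "", b["port"]).lower()   # ACL name derived from the port name
        lines += [
            f"arp {ip} {mac} ARPA",                     # static ARP binding (Test 2)
            f"mac access-list extended mac_{name}",
            f" permit host {mac} any",
            f"ip access-list extended ip_{name}",
            f" permit ip host {ip} any",
            f"interface {b['port']}",
            " switchport mode access",
            f" ip access-group ip_{name} in",
            f" mac access-group mac_{name} in",
            "!",
        ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_config(BINDINGS))
```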

Breakthrough method: the user simply walks over to an authorized user's machine and uses it.

This is an atypical breakthrough method, and there is no good technical solution for it yet.

Other possible restrictions:

1. Authentication proxy: the user must enter a user name and password on a web page before accessing a specific resource; otherwise access is denied.

2. 802.1x: the DHCP server allocates an IP address only after the user passes 802.1x authentication; otherwise no IP address can be obtained.

3. PPPoE: the user must install PPPoE client software and log on to the network with a user name and password.

Discussion update: after reading this article, a friend named Maying posted on the BBS asking: "How do I configure a router to filter out a specific MAC address? I don't want the host with this MAC address to pass through the router!"

This is an unusual requirement. Filtering a MAC address is a layer-2 action, while routers normally perform layer-3 routing and only filter incoming MAC addresses in the rare case that they are bridging. It is therefore best to do such filtering on a layer-2 switching device.

However, this requirement is not impossible for a router either. The following configuration achieves the required result:

ip cef
! rate-limit requires CEF support; CEF may not be enabled on the router by default
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
 ! if the source MAC address matches the specified value the packet is discarded (all other traffic is allowed)
!
access-list rate-limit 100 0001.0001.abcd
! the MAC address to be restricted

Note that there must be no other layer-3 device between the target workstation and the router; otherwise the source MAC address will have been rewritten before the frame reaches the router.

Discussion update: Maying asked, "My router is a Cisco 1720 and does not support CEF. What should I do?"

The Cisco 1720 does support CEF, but it requires IOS 12.0(3) or later with the IP Plus feature set. The 12.2(11)YV standard IP feature set also supports CEF. If the router's current IOS version is too old, you need to upgrade it.

Alternatively, the problem can be solved with bridging (IRB, integrated routing and bridging). This method only requires the 12.0(2)TB or later standard IP feature set. The configuration is as follows:

bridge irb
! enable IRB support
!
interface Ethernet0/0
 no ip address
 ! routing moves to the logical interface BVI1
 bridge-group 1
 ! join bridge group 1
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ! provides the routed interface for bridge group 1
!
bridge 1 protocol ieee
! run the spanning tree protocol to prevent loops
bridge 1 route ip
! route IP traffic
bridge 1 address 0001.0001.abcd discard
! discard frames from the MAC address 0001.0001.abcd
