Network management skills: control traffic based on MAC addresses

Welcome to the network technology community forum and interact with 2 million technical staff to enter the current enterprise network. The network speed to the desktop is getting faster and faster. Although this brings a good application experience to users, it also brings great security risks. If the traffic from the user (whether intentionally or unintentionally) is malicious, the enterprise's network may

Welcome to the network technology community forum, and interact with 2 million technical staff> enter the current enterprise network, and the network speed to the desktop is getting faster and faster. Although this brings a good application experience to users, it also brings great security risks. If the traffic from the user (whether intentionally or unintentionally) is malicious, the enterprise's network may

Welcome to the network technology community forum and interact with 2 million technical staff> enter

In the current enterprise network, the network speed to the desktop is getting faster and faster. Although this brings a good application experience to users, it also brings great security risks. If the traffic from the user (whether intentionally or unintentionally) is malicious, the enterprise's network may be congested or the DOS network may be interrupted. Therefore, in the era of fast Ethernet, network administrators should pay more attention to the security of desktop access. The simplest security principle is to allow only authorized users or legitimate users to access the enterprise's network and deny any other unauthorized access. In many network devices, you can control the traffic through the MAC address to ensure the security of the enterprise network.

　　1. control traffic by controlling the number of MAC addresses learned by the switch

Cisco switches have an important security feature that allows traffic based on host MAC addresses. In this way, port security of network devices such as switches can be greatly improved. What is the allow traffic function based on the host MAC address? To put it simply, the number of MAC addresses of specific trees allowed by a single port. That is to say, the number of host MAC addresses allowed to be recorded in the MAC address table of the port. If the value exceeds, the switch rejects the conversion. This mechanism can effectively ensure port security.

For example, an enterprise now has meeting rooms, employee offices, and other places. For normal deployment, each switch interface can learn a lot of MAC addresses. If the network speed of each customer segment was not fast in the past, it would be okay. However, if most desktops achieve fast Ethernet or gibit Ethernet connections, the situation will be different. Even if it is not intended by the employee, the client may still be used as a zombie by hackers without the user's knowledge. At this time, it may bring great security risks to the enterprise network. At this time, the author suggests that the network administrator can improve port security through the "allow traffic based on host MAC address" function. For example, you can know one learned MAC address for the general user, and limit the meeting room port to 20 MAC addresses (you can adjust the number of participants according to the number of participants ). The root purpose of this setting is to allow only authorized users to use networks that can use the enterprise and reject any unauthorized users.

　　Ii. Enable rules and handle violation rules

It is relatively easy to enable the "allow traffic based on host MAC addresses" function on a Cisco switch. For example, run the set port security command. This command can be used to configure the maximum number of MAC addresses allowed for each port. The specific configuration is relatively simple, and I will not elaborate on it too much. I want to explain how the vswitch handles the traffic if the traffic of subsequent users violates this rule. I once again stressed that this is very important. This is of great value to the establishment of enterprise security networks and the resolution of subsequent faults.

First, let's take a look at the situations in which traffic will violate these two security principles? Generally, there are two reasons. 1. unauthorized access, that is, the data frame received by the security port is not authorized by the Administrator; 2. After the switch port has learned the maximum number of MAC addresses allowed, the switch system receives new data frames. For any of the above reasons, the port security rules are eventually violated. In the end, they will be "punished ". The switch is automatically detected. When any illegal data frame is detected, timely measures are taken to ensure the security of the enterprise network.

Next, let's analyze what the switch will do. The switch may take any of the following measures to detect the above violations at any time. First, DISABLE the port permanently or set it to ERR-DISABLE in a period to DISABLE its data communication capabilities. The second is the limit, that is, the port will still work normally, but the data traffic from the unauthorized host will be discarded. Third, protection: when the number of MAC addresses allowed to be learned on the vswitch port exceeds the limit, the vswitch still forwards data normally, but only discards the data frame of the new host in the future. The Network Administrator selects any actions. But which method is better? There is no unified answer. Generally, you need to select a vswitch based on its location. For example, if the location of a vswitch is critical and a key server group vswitch is true, it is best to restrict the selection of candidates so that server operations are not affected by any violation of rules. On the contrary, if the switch is in the switch layer, it is better to disable the switch, but it must be used with a timer. In this case, the switch will automatically adjust when the user terminal is moved without authorization, and the Administrator does not need to re-establish the connection for manual intervention. If you are on a switch that is only based on IOS software, we recommend that you use this protection policy.

In short, what measures should be taken when the user's data frame violates the established rules? There is usually no unified answer. This mainly depends on the experience of the network administrator. If you select it, you can get twice the result with half the effort. On the contrary, if the choice is inappropriate, it is possible that the stone may be lifted to hit your own feet. In general, network administrators need to choose from the switch location, network environment, and enterprise security needs.

　　Iii. Precautions for enabling this function

If you want to enable the "allow traffic based on host MAC address" security measure in a Cisco device-Based Switching Network, pay attention to the following.

Note that the maximum number of MAC addresses allowed by the interface varies depending on the Cisco switch model. For example, for a common 6500 series switch, it supports up to 1025 MAC addresses (one of the default MAC addresses and 1024 General MAC addresses ). The number of MAC addresses supported by a vswitch varies greatly depending on the vswitch model. Therefore, if you need this function when purchasing a vswitch, you need to consider this parameter.

In fact, it should be noted that the number of MAC addresses supported by the switch port varies greatly, and the MAC Address Allocation Method varies greatly. For vswitches of the 6500 series, there are generally two common allocation methods. One way is to assign 1025 MAC addresses to one of the ports, and then assign a MAC address to other ports. Another way is to assign 201 MAC addresses to a port, 701 MAC addresses to the second port, and 125 MAC addresses to the third port, a mac address is assigned to all the remaining ports. There is no unified standard answer here to make the allocation more reasonable. In general, network administrators are required to determine the security requirements of enterprise networks.

　　4. Best steps to enable "allow traffic based on host MAC addresses"

How can we use this function more effectively? Based on the author's management experience, the following five steps are required.

First, evaluate the port for enabling port security. In practice, it is not necessary to enable the allow traffic function based on the host MAC address for all ports. For some ports that are often used for maintenance, you do not need to enable this function. Therefore, the network administrator must evaluate the need to enable a port-like security mechanism first. To determine the port to use port security technology.

Second, configure the dynamic learning host MAC address for the port requiring port security. When necessary, you can also configure the duration for Dynamically Learning MAC addresses. Generally, you can use the set port security age name.

Third, develop behaviors against security. That is, based on the actual situation of the enterprise, such as the switch location, security requirements, and other factors, to consider whether to adopt "prohibited" measures or "protection" or "restriction" measures. The default setting is "permanently disabled ". This is an extreme option. In general, I suggest you change it.

The fourth option is an option, but it is an option recommended by the author. That is, if the network administrator selects "Disable", it is best to enable the timer function at the same time. That is to say, how long does it take to disable the port. Because sometimes users may have no intention to offend this rule. Therefore, this port cannot be permanently closed. As long as it can ensure that the normal use of the network is not affected, it can still be opened.

5. Tracking. When any violation occurs, the switch will leave a trace in the system log. The network administrator must also view logs frequently. If an exception is found, if a host often violates a certain principle, the cause of this host needs to be traced. Whether the user is malicious or has become a zombie of others.