Security Settings for dhcp snoop and other aspects (1)

We know the DHCP protocol and the protocol for managing network IP addresses. In the application of its server, we usually encounter related management knowledge. In terms of network security, DHCP is worth noting. Today, we will explain the vswitch security 802.1X, port-security, dhcp snoop, DAI, VACL, and span rspan.

Vswitch security 802.1X, port-security, dhcp snoop, DAI, VACL, SPAN RSPAN
Port bound to MAC: port-security
DHCP-based port and IP, MAC binding: ip source guard
DHCP-based ARP attack prevention: DAI
Prevent DHCP attacks: DHCP Snooping

All cisco LAN mitigation technologies are here!

Common Methods:

802.1X, port authentication, dot1x, also known as IBNS (Note: IBNS includes port-security): identity-based network security. Many names are annoying. when traffic comes to a port, it needs to interact with ACS and be authorized after authentication to access the network, provided that the CLIENT must support 802.1X mode, such as installing a software

Extensible Authentication Protocol Over Lan (EAPOL) uses this Protocol to transmit Authentication authorization information

Sample Configuration:

 
 

  
  
Router # configure terminal
  
  
Router (config) # aaa new-model
  
  
Router (config) # aaa authentication dot1x default group radius
  
  
Switch (config) # radius-server host 10.200.200.1 auth-port 1633 key radkey
  
  
Router (config) # dot1x system-auth-control to use the DOT1X Function
  
  
Router (config) # interface fa0/0
  
  
Router (config-if) # dot1x port-control auto
 
 

AUTO is a common method for normal authentication and authorization.

Forced authorization method: no authentication is passed, always available

Force-disauthorize mode: basically, this interface is closed and always unavailable.

Optional Configuration:

 
 

  
  
Switch(config)#interface fa0/3  
  
  
Switch(config-if)#dot1x reauthentication  
  
  
Switch(config-if)#dot1x timeout reauth-period 7200 
 
 

Two hours later.

 
 

  
  
Switch#dot1x re-authenticate interface fa0/3 
 
 

Now authenticate again. Note: if the session has been established, this mode will continue to meet.

 
 

  
  
Switch#dot1x initialize interface fa0/3 
 
 

Initialize authentication and disconnect the session

 
 

  
  
Switch(config)#interface fa0/3  
  
  
Switch(config-if)#dot1x timeout quiet-period 45 
 
 

The next authentication request can be initiated after 45 seconds

 
 

  
  
Switch (config) # interface fa0/3
  
  
Switch (config-if) # dot1x timeout tx-period 90 is 30 S by default
  
  
Switch (config-if) # dot1x max-req count 4
 
 

The client needs to enter authentication information to respond to the AAA Server through this port. If the switch does not receive this information from the user, the switch sends the re-transmission information to the client once every 30 seconds, four times in total.

 
 

  
  
Switch#configure terminal  
  
  
Switch(config)#interface fastethernet0/3  
  
  
Switch(config-if)#dot1x port-control auto  
  
  
Switch(config-if)#dot1x host-mode multi-host 
 
 

The default value is one host. When multiple host modes are used, AUTO authorization is required. When a host is successfully authorized, other hosts can access the network;

When authorization fails, such as re-authentication failure or log off, all hosts cannot use this port.

 
 

  
  
Switch#configure terminal  
  
  
Switch(config)#dot1x guest-vlan supplicant  
  
  
Switch(config)#interface fa0/3  
  
  
Switch(config-if)#dot1x guest-vlan 2 
 
 

Unauthorized access to VLAN2 provides flexibility