Wednesday 24 October 2012

16 - Campus Security - STP Attacks and Other Security Considerations



A lot of this I already covered for the CCNA-S exam, so some brief notes:



There is nothing to stop someone bringing in their own switch and becoming the root bridge of the network,

so we have 2 major features:
any port set for port-fast should also be set for bpdu-guard - if the port detects a BPDU
it will shut down the port (as we have declared this port-fast, i.e. a host port, there should
not be any BPDUs arriving on it)


To enable this:

inter fas0/1
spanning-tree bpduguard enable




To re-enable a port that bpdu-guard has err-disabled, do the same as you would for any port-security violation ..... shut, no shut


Also have a system for the good ports - to prevent a mis-configured switch from becoming the root.


We can enable root-guard
on any port connected to a switch that is NOT to become the root. This feature you would
only enable on the root switch and/or the backup root switch.


inter fa0/2
spanning-tree guard root

this means no switch that connects to this port will ever become the root

but when root-guard blocks a port it doesn't go into err-disable, the port is put into the root-inconsistent state





17 - Campus Security - VACLs




VACL - can also redirect traffic! - that is the more common use for a VACL



The 3550
only allows you to permit and deny, whereas the 6500

can also:
match this subnet and redirect it to an IPS sensor/blade etc


vlan 10
vlan 30

very similar to route-maps .... sequence numbers, match/action entries etc


access-list 10
permit 10.1.10.0 0.0.0.255


mac access-list extended SERVER
permit any host 1111.1111.2222


access-list 30
permit 10.1.30.0 0.0.0.255


syntax: vlan access-map <name> <seq number>

vlan access-map demo 10
match ip address 10
action forward
vlan access-map demo 20
action drop

As you can see, very similar to a route-map (match and set etc) - an entry with no match clause matches everything



NOW TO APPLY IT

vlan filter demo vlan-list 10 (the vlan-list can be a range with - or a comma-separated list etc)

vlan access-map demo1 10
match ip address 30
action forward
vlan access-map demo1 20
action drop


vlan filter demo1 vlan-list 30


SO as you can see, it's a simple demo, BUT you can use extended access-lists (IP and MAC) and combine
them all together in the vlan access-maps
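A small Python model of the access-map evaluation described above (an added example, not part of the original notes or any Cisco code): it encodes the demo ACLs and access-maps as data and walks the entries in sequence order, first match wins, with the implicit drop at the end of the map. It goes beyond the demo by adding one assumed MAC-ACL redirect entry (seq 15) to demo1, the 6500-style use mentioned earlier; the ACL and map names are the notes' own, all frames are constructed.

```python
import ipaddress

# Constructed sample policy mirroring the demo: standard ACL 10 and 30 (written as the
# /24 networks their wildcard masks describe), MAC ACL SERVER and the two access-maps.
# Entry seq 15 in demo1 is an assumption added for illustration, not part of the demo.
IP_ACLS = {
    "10": [ipaddress.ip_network("10.1.10.0/24")],   # permit 10.1.10.0 0.0.0.255
    "30": [ipaddress.ip_network("10.1.30.0/24")],   # permit 10.1.30.0 0.0.0.255
}
MAC_ACLS = {"SERVER": {"1111.1111.2222"}}           # permit any host 1111.1111.2222

ACCESS_MAPS = {                                      # (seq, match clause, action)
    "demo":  [(10, ("ip", "10"), "forward"), (20, None, "drop")],
    "demo1": [(10, ("ip", "30"), "forward"),
              (15, ("mac", "SERVER"), "redirect"),
              (20, None, "drop")],
}
VLAN_FILTERS = {10: "demo", 30: "demo1"}            # vlan filter <map> vlan-list <n>

def entry_matches(match, frame):
    """An entry with no match clause matches everything (like a route-map)."""
    if match is None:
        return True
    kind, acl = match
    if kind == "ip":                                # standard IP ACL: source address
        src = frame.get("src_ip")
        return src is not None and any(
            ipaddress.ip_address(src) in net for net in IP_ACLS[acl])
    # MAC ACL: destination MAC. Simplified: real platforms differ on whether a
    # MAC ACL in a VACL is applied to IP frames at all.
    return frame.get("dst_mac", "").lower() in MAC_ACLS[acl]

def vacl_action(vlan, frame):
    """Return the action the VACL filtering this VLAN takes for the frame."""
    name = VLAN_FILTERS.get(vlan)
    if name is None:
        return "forward"                             # no vlan filter on this VLAN
    for seq, match, action in sorted(ACCESS_MAPS[name], key=lambda e: e[0]):
        if entry_matches(match, frame):
            return action                            # first matching entry wins
    return "drop"                                    # nothing matched: implicit deny

if __name__ == "__main__":
    for vlan, frame in [(10, {"src_ip": "10.1.10.5"}), (10, {"src_ip": "10.1.20.5"}),
                        (30, {"dst_mac": "1111.1111.2222"}), (20, {"src_ip": "10.1.10.5"})]:
        print(vlan, frame, "->", vacl_action(vlan, frame))
```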


PACLs
an access-list applied to a port (a Layer 2 switchport; if the port is a routed port, i.e. configured with no switchport, it's just a normal interface ACL)

can only be applied inbound (a limitation of the switch ASIC)
int fa0/3
ip access-group 1 in

or for a MAC ACL: mac access-group <name> in