Filtering the VLAN Traffic

So it ended up I decided to do a recap on VLAN access control lists (ACL’s) before I got back into Spanning Tree. I also covered Private VLAN’s tonight but will come back to them some other time for the blog.

Over the years I have had lots of dealing with port and router based ACL’s, but VLAN based ACL’s I only came across when I started studying for my CCNP. And I already have plans to use them to limit the traffic on some of our more sensitive network segments.

Now if you know you VACL set up, here is the point to stop reading, what follows is a run through of the config, with some description of the steps.

Still with me? OK lets get to it.

The first step in creating a VACL’s is in fact to create some “standard” ACL’s first, these will be used to classify what traffic is filtered once the VACL is applied. the VACL will accept two types of access lists as arguments IP and MAC, so lets set some up.

(config)#access-list 100 permit ip host 172.168.5.5 any

(config)#mac access-list extended MAC-ACL
(config-ext-mac)#permit any host b7d4.5f6d.8e31

So two simple ACL’s created, now you can you the IP access list command and create named access lists as will if you wish.

So now we need to create the VACL and add these lists to it.

(config)#vlan access-map <name> 10
(config-map)#match ip address 100
(config-map)#action drop
(config-map)#vlan access-map <name> 20
(config-map)#match mac-address MAC-ACL
(config-map)#action drop
(config-map)#vlan access-map <name>30
(config-map)#action forward

Notice by default if a VACL is configured on a VLAN is a packet does not match the VACL it will be dropped. As we can see each section in the VACL has a sequence number, a match statement (can have more than one) and an action to take. In this set up any traffic that matches the two ACL’s we set up will be dropped. By adding a sequence with out any match statement and only an action, we have set up a “catch all”  situation, just like you may do with a “standard ACL when you enter “permit any any”.

So there we have it the VACL all set up and ready to go, now its just a case of applying it to a VLAN or two.

(config)#vlan filter <name> vlan-list 10

And there you have it, now any traffic passing across the switch on the configured VLAN’s will be subject to the statements in you VACL. I think there great for adding that extra layer of security to your network, and keeping traffic where it should be.

OK so not an exciting post tonight, but I will get back to STP tomorrow and I can tell you from past experience how not to configure it.

Night all and take care.

503 Errors and CBT nuggets

I was just trying to find a plug in to allow mobile phones to better browse the site when I came across the 503 error below.

Something has gone wrong with our servers. It’s probably Matt’s fault.

We’ve just been notified of the problem.

Hopefully this should be fixed ASAP, so kindly reload in a minute and things should be back to normal.

Don’t you love it when people take that little extra time to personalise a site, almost makes you glad it went down so you get to see it. Well its back up now so I will be looking to add mobile support soon as well.

On a different note, it appears CBT nuggets has just released the CCNP ROUTE videos… If you haven’t come across CBT nuggets then you are missing out, (unless of course you are not a geek and actually have a life 😉 ) but for us Geeks we know CBT as one of the best sources of IT training around. As soon as the SWITCH exam is out the way, I will be heading on over there for my copy. Mean while your find the link to there site in the menu to your right.

OK back again to studying, and planning my next Tech post.

Enjoy your night, evening, morning or what ever the time is in your part of the world.

Admin and Email

Well today I have spent trying to tidy up the admin side of things, adding in google analytics’s and tidying up the links pages. Still more to do but I am working as well you know..

One thing I came across was that email is not working. After playing around for a bit I came to two conclusions, First the PHP solution is not for me, so I decided to go SMTP. Only then to remember my wonderful company firewall policy (that I wrote), don’t allow email to be sent. Still at least I know where I stand with it now and been finding out more about this word press as I go. Time to go home now so will have to wait till tomorrow to open up the port for this server. Until then I don’t get email alerts but I am sure I will survive.

Home to study and maybe another post later about Spanning Trees and stuff.

Keep happy people.

DHCP snooping and Option 82

OK time to get on with it. And seeing as I have just been brushing up on switch security what better place to start.

Not going to tell you how to configure DHCP snooping or show you my lab set up, there are plenty of great documents on the net you can find for that, www.cisco.com/dhcp-cconfig for instance.  But I suposes theres no harm in a quick recap about what DHCP snooping is and why it is used.

Really the hint is in the name, when enabled on a Switch, any DHCP packets, (both requests and replies) the switch listens in on and can filter and in some cases altered. The main function is of course to prevent rogue DHCP servers from being placed on the network, so in its most basic set up, you simple enable it on a switch and mark all ports on the uplink path to the DHCP server as trusted, this will allow DHCP responce packets to be sent down this path. Easy hey!? You can add in limiters to how many request packets a untrusted port can send to the DHCP server to prevent DoS attacks on the DHCP servers, and there are other options of course (always is in IT), but prevention of DoS attacks and prevention of Rogue DHCP servers are the two biggie’s.

What DHCP snooping also does of course as it reads the DHCP packets passing through its ports, is to build up a data base of what IP address and  MAC address have been assigned by DHCP to which Switch port. This can then be used for IP source guard, this works by assigning an ACL on a per port basics that restricts the source IP address in packets, to the IP stored in the DHCP snooping database. And for Dynamic ARP inspection, where the ARP packets are filtered by the switch to insure the information contained in them matches the information gained from DHCP snooping.

So by combining DHCP snooping with IP source guard, Dynamic ARP inspection and port-security, you can mitigate many of the Layer 2 switch based attacks.

The one thing that really interested me when I was going through DHCP snooping was the setting to enable option 82. It was kind of mentioned in passing in the CCNP course material, so I had a little look up about what it was. Well this seemed simple enough, when the switch recives an incoming DHCP request packet from the switch it adds in some information. namely the switch port the client is connected on , the vlan it is assigned to and the id of the switch adding the information. This Document sums it up nicely. And then you read that this information can be used by the DHCP server for how it assigns address, and can be stored by the DHCP agent. I thought hey… cool.. So I enable this option, turn on support on the windows 2003 DHCP servers, and BING!! I would have a list of DNS name, IP address, MAC address, and switch and port location.. But sadly it seems windows 2003 does not support this option.. poor form if you ask me.

It got me thinking though, ways to trace a client device to a physical location. Not just what area of a building by down to the switch port it is connected to. This can be very useful for tracing PC’s with problems on the network, or trace back were strange traffic is coming from, and the quicker you can do it the better.

There the manual way of course, use the CAM tables and show commands to trace a MAC address back to its switch port. You first of course have to resolve the DNS name back to the MAC. Then at the other end you could enable 802.1x port-based authentication, and run a CISCO ACS server to do the authentication. Run a report on the ACS server  and it will give you all the information you need.

My personal solution was to use Kiwi cat tools to run an audit on all the switch devices and build up a database of MAC address to switch ports. I already have a data base of DNS names – MAC address from our auditing software and it was a 5 minute job to set up the link between them.

So from looking at DHCP Snooping, to ways to monitor the network. All in a days studying :). Now one more run though of the config for this on my lab and then its on to practising MSTP’s.

Well there you have it, first real post, now to see what the general public think.

Take care all.

Well Looking a bit better

OK so I haven’t really got much further with an actually interesting blog.. But I have spent some constructive time playing word press, working out how to do a few things and started population the links.

For any one interested in the particulars this blog is running on a DELL GX280, running UNBUNTU server. (now don’t you all feel much better for knowing that). My next step is to work out how to back up this site, my old website was simply copy the folder, but I feel with SQL this might not be quite as straight forward. I am also trying to work out how to create posts on multiply pages? if any one knows I would be always grateful.

Well I’m going back to looking at a back up solution, but fear no the first real post will be here soon.

DevilWAH