Catalyst 3550 Security
Because the 3550 family of Catalyst switches uses the IOS-based command-line interface, the handling of the basic security features on the switch is virtually the same as it is on the router. By the time this book is released, the 3550 switches will even offer full support of routing protocol security. For now, use Access Control Lists (ACLs), covered in Chapter 16, to enforce remote administration security.
A few security concepts, however, remain specific to the Catalyst switch. Among them is the network security configuration with ACLs, mentioned in the preceding paragraph, and L2VPN, covered in Chapter 25, "Internet Service Provider Security Services." In this lesson, you concentrate on port-based traffic control configuration.
Lesson 15-4: Port-Based Traffic Control
This lesson discusses how to configure the port-based traffic control features on your switch. The lesson consists of the following configuration tasks:
- Configuring storm control
- Configuring protected ports
- Configuring port blocking
- Configuring port security
- Port security aging
Configuring Storm Control
A LAN storm takes place when packets overflow the LAN, causing unnecessary traffic and diminishing network stability. Storm control or the traffic suppression feature configured on a physical interface prevents switchports on a LAN from being overwhelmed by a broadcast, multicast, or unicast storm. Storm control screens the incoming traffic over a period of 1 second and compares the amount with the control level threshold if one exists. If the threshold is exceeded, additional traffic is blocked until the continuing monitoring determines that incoming traffic fell below the threshold level, and traffic is then allowed to be forwarded again.
The switch handles separate storm control thresholds for broadcast, multicast, and unicast traffic. Interestingly, when broadcast or unicast thresholds are reached, traffic is suppressed for only that specific type. On the other hand, when the multicast traffic rate exceeds the threshold, all incoming traffic, except spanning-tree packets, including broadcast and unicast, is throttled until the level drops below the specified threshold.
Storm control on an interface is enabled separately for each type of traffic. The configured threshold level is the percentage of total available bandwidth that you want to serve as a limit indicator. The percentage can be from 1 to 100, with an optional fraction. The higher the level, the more packets are allowed to pass through. The default is no storm control, which translates into 100 percent threshold. In contrast, a value of 0.0 means that all port traffic is blocked for a particular type. The syntax for configuring traffic suppression is as follows:
3550-A(config-if)#storm-control [broadcast | multicast | unicast] level level [.level]
Configuring Protected Ports
A protected port feature is used in those environments where no traffic can be forwarded between two ports on the same switch. This way, one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast, or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port, the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.
By default, the protected port feature is not enabled. You can configure protected ports on either a physical interface or an EtherChannel group. Once you enable the protected port feature on the latter, it is extended to all the group's ports. The following command sets port protection:
Configuring Port Blocking
The default behavior of a switch is to forward the packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure a port block feature, then depending on what type of traffic you specified, unicast or multicast packets are not forwarded from one port to another. Blocking unicast or multicast traffic is not automatically enabled, even on a protected port; you must manually define it.
As with the protected interface, you can configure blocking on a physical interface and an EtherChannel group. If blocking is configured on an EtherChannel, it applies to all ports in the group. To block unknown multicast or unicast packets from a port, use the following command:
3550-A(config-if)#switchport block [multicast | unicast]
Configuring Port Security
The port security feature is used to limit access to an interface to only those devices whose MAC address is identified as allowed and as long as the maximum number of allowed addresses is not already reached. In other words, if a port that is configured as secure recognizes that a station is trying to gain access, it checks whether the configured maximum number of secure MAC addresses has been exceeded. If it has not, the port checks the table of secure MAC addresses, and if the MAC address in question is not there yet, the port learns it and marks it as secure. If the preset maximum number has been reached, and the MAC address is not a member of the secure addresses, a security violation is noted. Similarly, the violation occurs when a device whose MAC address is known as secure on one secure port tries to access another secure port.
To configure a secure port, first set the physical interface's mode to "access" because an interface in the default mode cannot be configured as a secure port:
3550-B(config-if)#switchport mode access
Then, enable port security on that interface by using the following command:
Placement of the following three commands is optional because the exact commands you choose depend on the desired functional effect. The following command specifies the maximum number of secure MAC addresses for the interface (the number ranges from 1 to 128, with 128 being default):
3550-B(config-if)#switchport port-security maximum value
Next, you can configure the interface to take one of the following actions in case of a security violation:
The protect keyword causes the packets with unknown source addresses to be dropped when the maximum threshold is reached.
The restrict keyword increments a violation counter.
The shutdown keyword, the default, deactivates the port immediately and sends an SNMP trap notification.
3550-B(config-if)#switchport port-security violation [protect | restrict | shutdown]
If a secure port has been shut down as a result of a security violation, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the shutdown and no shut down interface configuration commands.
Finally, to enter a secure MAC address for the interface, use the following command. If the number of manually defined addresses is less than the configured maximum, the rest are learned dynamically.
3550-B(config-if)#switchport port-security mac-address mac-address
Port Security Aging
You can define an optional security-aging feature to cause all secure addresses to become obsolete without having to manually remove each of them. The types of aging mechanisms are as follows:
AbsoluteSpecifies an aging period after which the secure addresses on that port are deleted
InactivityDiscards secure addresses only if they have been inactive for the specified aging time
The aging time command includes a number of arguments. The static keyword involves the manually configured addresses for the interface. The time keyword specifies the aging time, ranging from 0 to 1440 minutes. The type identifier indicates either absolute or inactivity, as follows:
3550-B(config-if)#switchport port-security aging [static] time time type [absolute | inactivity]
The following examples display the outputs from a number of show commands on both switches that assist in the verification and monitoring of port-based traffic control.
Example 15-22 captures a portion of the 3550-A running configuration for interface FastEthernet0/1.
Example 15-22 Running Configuration of 3550-A
interface FastEthernet0/1 switchport mode access switchport port-security maximum 2 switchport port-security mac-address 1000.2000.3000 switchport port-security violation protect switchport port-security aging time 600 no ip address storm-control broadcast level 10.00 storm-control multicast level 10.00 storm-control unicast level 10.00
Example 15-23 shows a portion of the 3550-B running configuration for interface FastEthernet0/2.
Example 15-23 Running Configuration of 3550-B
interface FastEthernet0/2 switchport mode dynamic auto switchport block multicast switchport block unicast no ip address
Example 15-24 shows the output of the show interfaces fastEthernet switchport command for the 0/1 and 0/2 ports.
Example 15-24 The show interfaces fastEthernet switchport Command Output
3550-A#show interfaces fastEthernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: static access Operational Mode: up Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: Off Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Protected: false Unknown unicast blocked: disabled Unknown multicast blocked: disabled Voice VLAN: none (Inactive) Appliance trust: none 3550-A#show interfaces fastEthernet 0/2 switchport Name: Fa0/2 Switchport: Enabled Administrative Mode: dynamic auto Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Protected: false Unknown unicast blocked: enabled Unknown multicast blocked: enabled
Example 15-25 shows the output of the show storm-control command. You can use this command to view your storm control configuration per port.
Example 15-25 The show storm-control Command Output
3550-A#show storm-control Interface Filter State Level Current --------- ------------- ------- ------- Fa0/1 Forwarding 10.00% 0.00% Fa0/2 inactive 100.00% N/A Fa0/3 inactive 100.00% N/A Fa0/4 inactive 100.00% N/A Fa0/5 inactive 100.00% N/A Fa0/6 inactive 100.00% N/A Fa0/7 inactive 100.00% N/A Fa0/8 inactive 100.00% N/A Fa0/9 inactive 100.00% N/A Fa0/10 inactive 100.00% N/A
Example 15-26 shows the ports configured as secure.
Example 15-26 The show port-security Command Output
3550-A#show port-security address Secure Mac Address Table ------------------------------------------------------------ Vlan Mac Address Type Ports ---- ----------- ---- ----- 1 1000.2000.3000 SecureConfigured Fa0/1