Cisco Network Security Little Black Book - Joe Harris.pdf

Appendix B: Securing Ethernet Switches

This appendix covers the security features that are available on the Catalyst series Ethernet switches. The security topics covered for the Catalyst switches are configuring management access to the switch, controlling Telnet and Simple Network Management Protocol (SNMP) access, configuring the switch to support the AAA architecture, and configuring private virtual local area networks (VLANs) and port security.

The Catalyst line of Ethernet switches has multiple command-line interfaces (CLIs); each has a different look and feel depending on which model of switch you are working on. The two most predominant versions of operating system code in use today are the CatOS XDI version and the Native IOS mode version. An in-depth discussion of each of these versions is beyond the scope of this book; however, configuration command examples for each version are shown where applicable.

Configuring Management Access

When a Catalyst switch is first received from Cisco, it does not have any passwords configured. This can present a major security risk because anyone with physical access to the switch can establish a connection to it simply by plugging into the console port and pressing the Enter key.

Note The password configured on a switch by default is the Enter key. This is true for both EXEC mode and privileged mode.

The first step any administrator should perform when configuring a Catalyst switch is to configure passwords for both the EXEC mode and privileged mode access on the switch. This helps to complement any other physical security measures that have been taken as a result of the enterprise's security policy. To configure management passwords on the Catalyst switch using CatOS XDI code, use the following commands:

1. Use the set password command to define a password for EXEC mode access into the switch. The password that is configured using this command can be from 0 to 30 characters in length.

2. Use the set enablepass command to define a password for privileged mode access on the switch. The password that is configured using this command can be from 0 to 30 characters in length.

The following listing displays an example of configuring the EXEC mode password and the privileged mode password for a Catalyst switch using CatOS code:

Cat-6509> (enable) set password
Enter old password:
Enter new password:
Retype new password:
Password changed.
!
Cat-6509> (enable) set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed.
Cat-6509> (enable)


The Native IOS mode code that runs on many newer switches is a blend of Layer 2 code and Layer 3 code all rolled up into one version. The Native IOS mode code creates an environment in which Catalyst switches can be configured and managed through the familiar IOS user interface that runs on most routers.

To configure a password on a Catalyst switch that is using Native IOS, use the commands in the following steps:

1. Use this command to enter into line configuration mode:

line <con | aux | vty> <line-number>

2. Use the password <password> command to define the password for each line on the router.

3. To configure enable mode access, you can use one of two commands: enable password <password> or enable secret level <level> <password>. Both commands accomplish the same thing; they allow access to enable mode. However, the enable secret password is considered more secure because it uses a one-way scheme based on the MD5 hashing function.

The following listing displays an example of configuring the line password and enable passwords on a Catalyst switch using Native IOS:

Cat-6509#config t
Cat-6509(config)#enable secret Secret@Password
Cat-6509(config)#line con 0
Cat-6509(config-line)#login
Cat-6509(config-line)#password thisissecure

Configuring Port Security

Port security is used to block input to an Ethernet, FastEthernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. When a packet is received on a port with port security enabled, the source MAC address of the packet is compared with the secure MAC address configured for the port. If the MAC address of the device attached to the port differs from the secure MAC address configured for the port, a security violation occurs and the port can be configured to go into shutdown mode or restrictive mode. If the security violation is configured to transition the port into shutdown mode, the port is permanently disabled or disabled for only a specified time. The default action of shutdown mode is for the port to shut down permanently. If the security violation is configured to transition the port into restrictive mode, the port will remain enabled during the security violation and only drop packets that are coming in from insecure hosts.

Warning If you configure a port in restrictive mode and the MAC address on a device that is connected to the port is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting traffic from that device.

The secure MAC address of the port can be configured statically, or the port can be configured to dynamically learn the MAC address of the device connected to the switch via the port. A few restrictions apply when configuring port security on a Cisco Catalyst switch:


Port security cannot be enabled on a port that is performing trunking.

Port security cannot be enabled on a destination Switched Port Analyzer (SPAN) port.

Content-Addressable Memory (CAM) entries cannot be configured for a port on which port security is enabled. Use the set cam <dynamic | static | permanent> command to enter CAM entries into the switch.

To configure port security for a switch using CatOS code, use the following commands:

1. Use this command to enable dynamic port security on the specified port:

set port security <mod_num/port_num> enable

2. Use this command to statically define the MAC address of the device connected via the secure port:

set port security <mod_num/port_num> enable <mac_address>

3. Use this command to define the length of time a dynamically learned address on the port specified within the command is secured:

set port security <mod_num/port_num> age <time>

4. Use this command to define the action a port should take when a security violation occurs:

set port security <mod_num/port_num> violation <shutdown | restrict>

The shutdown parameter disables the port permanently or for a specified period of time that is configured with the next command. The restrict parameter drops all packets from an insecure source, but the port remains enabled.

5. Use this command to define the amount of time a port remains disabled as a result of a security violation:

set port security <mod_num/port_num> shutdown <time>

If this command is not configured, the default time is set to permanent and the port must be manually reenabled.

Here is an example of configuring port security on a switch that is using CatOS code:

Cat-6509> (enable) set port security 4/48 enable
Cat-6509> (enable) set port security 5/3 enable 00-d0-b7-53-40-bb
Cat-6509> (enable) set port security 4/48 age 360
Cat-6509> (enable) set port security 4/48 violation restrict
Cat-6509> (enable) set port security 5/3 violation shutdown
Cat-6509> (enable) set port security 5/3 shutdown 360
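To make the violation handling concrete, here is a small Python model of the behaviour described above, an added example rather than code from the book or from Cisco: each port keeps a secure MAC table, a port either learns one address dynamically or is given a static one, a violation in shutdown mode disables the port, a violation in restrict mode only drops the frame, and, as in the Warning above, a restrict-mode port still shuts down when the offending MAC is already secure on another port. The Switch class, the MAC addresses and the demo function are assumptions; the age and shutdown timers are not modelled.

```python
class Switch:
    """Port-security model for the CatOS behaviour described above (added
    example; class name, port names and MACs are assumptions, not Cisco code)."""

    def __init__(self):
        self.ports = {}

    def enable(self, port, violation="shutdown", static_mac=None, max_count=1):
        """Mirrors 'set port security <port> enable [mac]' plus 'violation'."""
        self.ports[port] = {
            "secure": {static_mac} if static_mac else set(),  # secure MAC table
            "static": static_mac is not None,  # static entry: no dynamic learning
            "violation": violation,            # "shutdown" or "restrict"
            "max": max_count,                  # addresses the port may learn
            "up": True,                        # False once a violation shut it down
        }

    def _secured_elsewhere(self, port, mac):
        """True if `mac` is already a secure address on a different port."""
        return any(mac in p["secure"] for n, p in self.ports.items() if n != port)

    def receive(self, port, mac):
        """Return what the switch does with a frame from `mac` arriving on `port`."""
        p = self.ports[port]
        if not p["up"]:
            return "dropped: port is shut down"
        if mac in p["secure"]:
            return "forwarded"
        # Dynamic learning: only while there is room and the MAC is not secure elsewhere.
        if (not p["static"] and len(p["secure"]) < p["max"]
                and not self._secured_elsewhere(port, mac)):
            p["secure"].add(mac)
            return "learned and forwarded"
        # Security violation. Restrict mode keeps the port up and drops the frame,
        # unless the MAC is secure on another port (the Warning case): then it shuts down.
        if p["violation"] == "restrict" and not self._secured_elsewhere(port, mac):
            return "dropped: restrict mode"
        p["up"] = False
        return "shutdown"


def demo():
    """The two ports from the CatOS listing above, fed constructed MAC addresses."""
    sw = Switch()
    sw.enable("4/48", violation="restrict")           # learns one MAC dynamically
    sw.enable("5/3", static_mac="00-d0-b7-53-40-bb")  # static MAC, shutdown mode
    frames = [("4/48", "00-aa-00-00-00-01"), ("4/48", "00-aa-00-00-00-02"),
              ("4/48", "00-d0-b7-53-40-bb"), ("5/3", "00-aa-00-00-00-03"),
              ("5/3", "00-d0-b7-53-40-bb")]
    return [sw.receive(port, mac) for port, mac in frames]
```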

The commands used to enable port security for Catalyst switches that are using Native IOS code are not as robust as the commands available via the CatOS code. To configure port security for a switch that is using Native IOS code, use the following commands:

1. Use this command to select the interface on which port security should be configured:

interface <ethernet | fastethernet | gigEthernet> <slot/port>

2. Use this command to define the action the port should take in the event of a violation condition:

port security action <shutdown | trap>


The shutdown parameter will disable the port in the event of a security violation. The trap parameter will send an SNMP trap message in the event of a security violation.

3. Use this command to define the maximum MAC address count for the port:

port security max-mac-count <count>

The following code is an example of configuring port security on a switch that is using Native IOS code:

Cat-6509#config t
Cat-6509(config)#interface fast0/42
Cat-6509(config-if)#port security action shutdown
Cat-6509(config-if)#port security max-mac-count 1
Cat-6509(config-if)#end

Configuring Permit Lists

The IP permit list is a CatOS feature that allows Telnet and SNMP access to the switch only from authorized source IP addresses. IP permit lists do not affect traffic that transits the switch or that the switch itself originates; they affect only inbound Telnet and SNMP traffic whose destination address is the management address of the switch.

Each IP permit entry consists of an IP address and subnet mask pair that is permitted Telnet or SNMP access. If a mask for an IP permit list entry is not specified, or if a hostname is entered instead of an IP address, the mask has an implicit value equal to all 1s, which effectively means match according to host address. There is a limit on the number of permit entries that can be configured on the switch; the maximum is 100 entries.

To configure IP permit lists on a switch running CatOS code, use the following commands:

1. Use this command to enable the IP permit list for Telnet, SNMP, or SSH access:

set ip permit enable <telnet | snmp | ssh>

2. Use this command to specify the IP addresses that are added to the permit list:

set ip permit <ip_address> <mask> <telnet | snmp | ssh | all>

Figure B.1 displays a small network with devices that need network management access to the switch. Telnet access into the switch should be allowed from any machine within the network. The following code is an example of configuring an IP permit list for the Catalyst switch in Figure B.1 using CatOS code:

set ip permit enable telnet
set ip permit enable snmp
set ip permit 192.168.0.0 255.255.0.0 telnet
set ip permit 192.168.24.12 snmp
set ip permit 192.168.24.15 snmp
set ip permit 192.168.24.16 snmp
set ip permit 192.168.40.250 snmp
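The matching rules from the two paragraphs above (address and mask entries, the implicit all-ones mask when no mask is given, the 100-entry limit, and filtering only for services the list is enabled for) as a Python model, an added example rather than code from the book or from Cisco. The IpPermitList class and its methods are assumptions; figure_b1 rebuilds the listing above so the rules can be checked against it.

```python
import ipaddress

MAX_ENTRIES = 100                        # the CatOS limit stated above
SERVICES = ("telnet", "snmp", "ssh")


class IpPermitList:
    """Model of the CatOS IP permit list (added example; class and method
    names are assumptions, not Cisco code)."""

    def __init__(self):
        self.enabled = set()   # services for which 'set ip permit enable' was given
        self.entries = []      # (IPv4Network, service) pairs

    def enable(self, service):
        """set ip permit enable <telnet | snmp | ssh>"""
        self.enabled.add(service)

    def permit(self, address, mask="255.255.255.255", service="all"):
        """set ip permit <ip_address> [mask] <telnet | snmp | ssh | all>
        An omitted mask is all ones, i.e. the entry matches a single host."""
        net = ipaddress.IPv4Network((address, mask), strict=False)
        for svc in SERVICES if service == "all" else (service,):
            if len(self.entries) >= MAX_ENTRIES:
                raise ValueError("permit list is full (%d entries)" % MAX_ENTRIES)
            self.entries.append((net, svc))

    def allows(self, src, service):
        """Is inbound management traffic for `service` from `src` accepted?"""
        if service not in self.enabled:
            return True        # list not enabled for this service: nothing is filtered
        src_ip = ipaddress.IPv4Address(src)
        return any(svc == service and src_ip in net for net, svc in self.entries)


def figure_b1():
    """The permit list from the CatOS listing above."""
    pl = IpPermitList()
    pl.enable("telnet")
    pl.enable("snmp")
    pl.permit("192.168.0.0", "255.255.0.0", "telnet")
    for host in ("192.168.24.12", "192.168.24.15", "192.168.24.16", "192.168.40.250"):
        pl.permit(host, service="snmp")   # no mask given: host entries
    return pl
```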
