Configuring the Switching Infrastructure for Mirage NAC Appliances

Transcription

1 Configuring the Switching Infrastructure for Mirage NAC Appliances Executive Summary The purpose of this document is to explain how to configure the switch for use with the Mirage NAC appliance. Aside from deciding on where to deploy the Mirage NAC device, configuring the switch is one of the most important parts of deployment. The Mirage NAC device can be installed in two modes (a) Mirror Mode or (b) broadcast mode and this document covers only Mirror Mode. This document is broken into two sections. The first section discusses the Mirage NAC device and its needs in respect to the switch. The second section discusses how to configure Cisco switches for mirroring. Intended Audience This document is applicable to Mirage Networks customers and partners looking to integrate the Mirage NAC appliances into an existing network. General familiarity with the Mirage Networks technology and line of products is assumed.. Background The Mirage NAC Appliance is designed to be deployed out-of-band meaning that it can analyze traffic that traverses the network without having to be placed within a critical data path. Therefore, it is strongly recommended that the switch ports connected to the appliance be configured as Switched Port Analyzer (SPAN) ports or mirror ports. The Mirage NAC Appliance requires full read-write access to the ARP (Address Resolution Protocol) Horizon of each protected address range. In the event that the switch's mirror port connected to the Mirage NAC appliance is read-only it can be configured to pair with a read-write Ethernet port. For the purposes of this document, port pairing configurations are assumed, since that is the case for the majority of switches. Each segment's logical port(s) must be enabled and, in cases with read-only ports, paired with a writable port for the Mirage NAC appliance to begin monitoring network traffic on the segment. Information displayed is the state of the port, MAC Address, Read/Write State, Paired With state and the Segment Name. The Mirage NAC device is capable of monitoring and protecting one to thirty-two VLANs. In the case of monitoring and protecting more than one VLAN the switch has to be configured with two trunk ports to the Mirage NAC device with 80.Q encapsulation. One of these trunk ports will be defined as the SPAN destination or mirror destination. The reason for the 80.Q encapsulation is to ensure the Mirage NAC device is able to see the multiple VLANs on both the read-only and writable ports. VLAN- Virtual Local Area Network - A logical, or administratively configured, LAN or broadcast domain that is defined by software rather than by fixed, physical port connections. Qtag - The Institute of Electrical and Electronics Engineers (IEEE) standard 80.Q enables VLAN traffic to span many broadcast domains or switches. It does this by inserting a special Qtag that carries a VLAN identifier (VID) into each Ethernet frame. This tagged traffic carries VLAN membership information between switches, thus enabling a VLAN to span multiple switches. Configuring Common Switches for use with Mirage NAC Cisco switch configurations Cisco switches primarily come in two flavors, CatOS (Catalyst OS) and IOS (Internetworking OS). Cisco's flag ship 00 series switch can run either CatOS or IOS. Smaller switches like the 90 and the 0 all run IOS. Here is a breakdown of the Cisco Switches IOS CatOS 90 Series xxx Series SupII and 00 Series 0 Series 000 and 00 Series

2 0 Series 0 Series 00 Series Sup II and above 00 Series running IOS Configuration of the Mirage NAC appliance and network layer depends on the overall deployment mode. This port has the standard configuration on the switch that is similar to any workstation that is being plugged in. In a Mirrored deployment, two ports are used. This is because one port is used for the Mirror/SPAN and another. The second port is configured so the Mirage NAC device can write back into the networks that are configured for the mirror/span. Connection Reference Diagram The reference diagram below will be used for all following examples of configuring mirroring on Cisco switching gear. As shown in the diagram, interface ETH of the appliance is the mirror destination port, connected to port / of the switch. Interface ETH of the appliance is the writing interaction port and connected to port /8 of the switch. The VLAN access layer below the switch to which the appliance is connected carries 0 user VLANs, numbered -. CatOS Reference Configure an 80.q trunk for both ports that will be plugged into the Mirage NAC device set trunk mod/port [ on off desirable auto nonegotiate] dotq vlans Verify the trunking configuration. show trunk [ mod/port] Remove VLANs from the allowed VLANs list for a trunk. Add specific VLANs to the allowed VLANs list for a trunk. clear trunk mod/port vlans set trunk mod/port vlans Verify the allowed VLANs list for the trunk. show trunk [ mod/port] Configure the SPAN source and destination ports Verify the SPAN configuration. set span {srcmod/srcports src_vlans sc0} {destmod/destport*} [rx tx both] [inpkts {enable disable}] [learning {enable disable}] [multicast {enable disable}]* [filter vlans...] [create] show span IOS Reference

3 Selects the LAN port to configure. Configure the both ports the will be plugged into the Mirage NAC device as a Trunk. Configures the encapsulation, which configures the Layer switching port as either an ISL or 80.Q trunk. Configures the trunk not to use DTP. Router(config)# interface typeconfiguring the Switching Infrastructure for Mirage NAC Appliances^^ slot/port Router(config-if)# switchport trunk encapsulation { isl dotq } Configure the mirror source vlans Router(config)# monitor session session_number source {{ single_interface interface_list interface_range mixed_interface_list single_vlan vlan_list vlan_range mixed_vlan_list} [ rx tx both]} { remote vlan rspan_vlan_id}}ex: monitor session source vlan 0, 0, 0 both Configure the destination port of the mirror Verify Mirroring configuration Verify Trunking configuration Router(config)# monitor session session_number destination { single_interface interface_list interface_range mixed_interface_list} { remote vlan rspan_vlan_id}}ex: monitor session destination interface fa/8 Router# show monitor Router# show interface interface trunk Configuring Cisco 00 series switches Depending upon configuration, the Cisco 00 platform is capable of running either a hybrid of CatOS on the switching engine and IOS on the routing engine (Hybrid Mode); or of running IOS on both (Native Mode). While the syntactical elements of configuring mirroring differ according to the mode, both modes require that the mirror destination port must be configured as an unconditional trunk prior to configuring the mirroring session in order to encapsulate the mirrored traffic correctly. CatOS Example Ensure the Mirage NAC is turned on Plug Ethernet on the appliance into port / of the switch. Plug Ethernet on the appliance into port /8 of the switch.. Configure an 80.q trunk for the mirror destination port. Configure an 80.q trunk for the writing interaction port. set trunk / on nonegotiate dotq - set trunk /8 on nonegotiate dotq - Verify the trunking configuration for the mirror destination port. show trunk / Verify the trunking configuration for the mirror destination port. show trunk /8 8 Configure the SPAN source and destination ports Verify the SPAN configuration. set span - both [create] show span

4 00 Series switches with IOS Example Ensure the Mirage NAC is turned on Plug Ethernet on the appliance into port / of the switch. Plug Ethernet on the appliance into port /8 of the switch.. Configure the mirror destination port as an unconditional trunk with dotq encapsulation and no DTP carrying VLANs - Configure the writing interaction port as an unconditional trunk with dotq encapsulation and no DTP carrying VLANs - Router(config)# interface gigabit / Router(config-if)# switchport trunk encapsulation d otq vlan none vlan add - Router(config)# interface gigabit /8 Router(config-if)# switchport trunk encapsulation d otq vlan none vlan add - Verify trunking configuration for the mirror destination port. Router# show interface gigabit / trunk Verify trunking configuration for the writing interaction port Router# show interface gigabit /8 trunk Configure the source of the mirror Router(config)# monitor session source vlans Configure the destination port of the mirror Router(config)# monitor session destination interface gigabit/ Verify configuration Router# show monitor Reboot the Mirage NAC appliance Configuring 00 Series switches with IOS For the 00 series switches, the encapsulation of the mirror destination port is set as part of the monitor session command; therefore no interface-level configuration for the mirror destination port is required. 00 IOS Example Ensure the Mirage NAC is turned off Plug Ethernet on the appliance appliance into port / of the switch. Plug Ethernet of the appliance into port /8 of the switch..

5 Configure the writing interaction port as an unconditional trunk with dotq encapsulation and no DTP carrying VLANs - Verify the trunking configuration of the writing interaction port Router(config)# interface gigabit /8 Router(config-if)# switchport trunk encapsulation d otq vlan none vlan add - Router# show interface gigabit /8 trunk Configure the mirror source vlans Router(config)# monitor session source vlan - both Configure the destination port of the mirror Verify configuration Router(config)# monitor session destination interface gigabit /8 encapsulation dotq Router# show monitor Configuring 0/0 Series switches with IOS The 0 and 0 series switches do not support unconditional tagging of mirrored traffic. Instead, they support only replicating the presence/format of the tag contained in the source frame. In order to work within this limitation, deployments with 0 and 0 series switches should focus on mirroring ports rather than VLANs and mirroring only trunked uplink ports. 00 IOS Example Ensure the Mirage NAC is turned off Plug Ethernet on the appliance appliance into port / of the switch. Plug Ethernet of the appliance into port /8 of the switch.. Configure the writing interaction port as an unconditional trunk with dotq encapsulation and no DTP carrying VLANs - Verify the trunking configuration of the writing interaction port Configure the mirror source ports Configure the destination port of the mirror Verify configuration Router(config)# interface gigabit /8 Router(config-if)# switchport trunk encapsulation d otq vlan none vlan add - Router# show interface gigabit /8 trunk Router(config)# monitor session source interface gigabitethernet /, gigabitethernet /8 both Router(config)# monitor session destination interface gigabit /8 encapsulation dotq Router# show monitor Port Verification on the Mirage NAC device The command line interface provides access to the topology.pl script that checks and reports on the low-level topology discovery processes. This script provides insight into both the segment creation and interface discovery portions of the topology probe packets. The script is run without any arguments, and consists of two basic sections. The first section lists which interfaces are active under which segment. The second section lists which interfaces see topology discovery packets sent by the other. Running topology.pl in all of the examples outlined above would yield the following output:

6 topology.pl Segments to interfaces : [eth, eth, eth] : [eth0] : [eth., eth.] : [eth., eth.] : [eth., eth.] 8: [eth.8, eth.8] 9: [eth.9, eth.9] 0: [eth.0, eth.0] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] 8: [eth.8, eth.8] 9: [eth.9, eth.9] 0: [eth.0, eth.0] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] 8: [eth.8, eth.8] 9: [eth.9, eth.9] 0: [eth.0, eth.0] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] : [eth., eth.] Interface sees: eth0: [] eth: [eth, eth, eth] eth: [] eth: [eth, eth, eth] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth.8 [eth.8] eth.8 [] eth.9 [eth.9] eth.9 [] eth.0 [eth.0] eth.0 [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. [] eth. [eth.] eth. : [] [support@]$ Note that for the purposes of interface grouping, the logical OR condition is met, since the ETH.xxx interfaces ''sees'' the ETH.xxx interfaces and the ETH.xxx interfaces see the ETH.xxx interfaces. All ETH.xxx interfaces should be flagged as "Read Only" and paired with the corresponding ETH.xxx interface. Likewise, all ETH.xxx interfaces should be flagged as "Read Only" and paired with the corresponding ETH.xxx interface.