Written by Alexei Spirin Wednesday, 02 January :06 - Last Updated Wednesday, 02 January :24

Similar documents
Catalyst 4500 Series IOS Commands

Catalyst 4500 Series IOS Commands

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Figure 1 - Controller-Initiated Web Login Flow

Cisco Virtual Office: Easy VPN Deployment Guide

IEEE 802.1X Multiple Authentication

Configuring IEEE 802.1x Port-Based Authentication

Command Guide of WGSW-28040

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

-1- Command Guide of SGS T2X

CISCO SWITCH BEST PRACTICES GUIDE

Extreme Management Center

Configuring 802.1X Port-Based Authentication

FiberstoreOS. Security Configuration Guide

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

Configuring IEEE 802.1x Port-Based Authentication

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch

Configuring IEEE 802.1X Port-Based Authentication

Authorized CCNP. Student. LabManual SWITCH.

Configuring Auto Smartports Macros

Cisco and Molex Digital Building Solution Implementation Guide. October 2018

Cisco TrustSec How-To Guide: Global Switch Configuration

Lab 8.5.2: Troubleshooting Enterprise Networks 2

Massimiliano Sbaraglia

CCNA Routing & Switching

Cisco Certified Network Associate ( )

FSOS Security Configuration Guide

Configuring Web-Based Authentication

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

Symbols. Numerics INDEX

Controlled/uncontrolled port and port authorization status

CCNA Routing and Switching (NI )

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Selected Network Security Technologies

Table of Contents X Configuration 1-1

TEXTBOOK MAPPING CISCO COMPANION GUIDES

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

3Com Wireless LAN Mobility System Configuration and Deployment Guide

Catalyst 6500 Series Cisco IOS Commands

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Configure Flexconnect ACL's on WLC

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1

JetStream L2 Managed Switch

Configuring Web-Based Authentication

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN

Cisco IOS Commands for the Catalyst 4500 Series Switches

Lab 1-2Connecting to a Cisco Router or Switch via Console. Lab 1-6Basic Graphic Network Simulator v3 Configuration

TL-SG5428 TL-SG5412F. 24-Port Gigabit L2 Managed Switch with 4 SFP Slots. 12-Port Gigabit SFP L2 Managed Switch with 4 Combo 1000BASE-T Ports REV2.1.

Cisco IOS Commands for the Catalyst 4500 Series Switches

Security Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL

Configuring Web-Based Authentication

TL-SL5428E 24-Port 10/100Mbps + 4-Port Gigabit JetStream L2 Managed Switch

Network Edge Authentication Topology

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Appendix A Command Index

ActualTorrent. Professional company engaging Providing Valid Actual Torrent file for qualification exams.

CLI Guide. JetStream 8-Port Gigabit Smart Switch T1500G-10MPS/T1500G-8T (TL-SG2008) T1500G-10PS (TL-SG2210P) REV

Exam Topics Cross Reference

Design and Implementation Plan for Network Based on the ALOHA Point of Sale System. Proposed by Jedadiah Casey. Introduction

Configuring Web-Based Authentication

Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

IEEE 802.1X RADIUS Accounting

Brocade ICX and Cisco IOS Deployment Guide

Configuring DHCP Features and IP Source Guard

P ART 3. Configuring the Infrastructure

With 802.1X port-based authentication, the devices in the network have specific roles.

Product features. Applications

CCNP (Routing & Switching and T.SHOOT)

CWA URL Redirect support on C891FW

CUDN PoP Switch Changes 2018

Cisco IOS Commands for the Catalyst 4500 Series Switches

External Web Authentication on Converged Access

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

Posture Services on the Cisco ISE Configuration Guide Contents

Implementing Cisco IP Routing ( )

Table of Contents X Configuration 1-1

Contents. Introduction

Configure to Secure a Flexconnect AP Switchport with Dot1x

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP

Cisco IOS Commands for the Catalyst 4500 Series Switches

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Configuring Network Admission Control

CCNP Switch Questions/Answers Securing Campus Infrastructure

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch

With 802.1X port-based authentication, the devices in the network have specific roles.

JUNIPER JN0-643 EXAM QUESTIONS & ANSWERS

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks

-1- Command Guide of MGSW-28240F

UTC-NS P-4S Command Line Guide

IEEE 802.1X VLAN Assignment

User Handbook. Switch Series. Default Login Details. Version 1.0 Edition

Cisco IOS Quick Reference Guide for IBNS

> Technical Configuration Guide for Network Access with NSNA and TunnelGuard for Non-SSCP Switches

JetStream Gigabit Smart Switch

NAC: LDAP Integration with ACS Configuration Example

JSH2402GBM. Introduction. Main Features Combo Port Mixed Giga Ethernet SNMP Switch. Picture for reference

Transcription:

This is a pretty complex but robust switch configuration with almost maximum access layer security in mind. I call it L2-security and it includes: - 802.1x (used with Microsoft Radius service for user authentication) - DHCP Snooping - Dynamic Arp Inspection (DAI) - IP Source Guard (IPSG) - IntraVLAN ACL to block user to user traffic - IP phones restriction - Storm control - STP protection Used this configuration for more than one year. I don t recommend to use change vlan feature. Still pretty unstable with Win7&login scripts. VLAN assignment for users done via radius attributes (Tunnel-*). Hardware: Cisco 3750 Catalyst. Software: IOS 12.2(55)SE4 with advanced IP services license, standard radius service in Microsoft 2008 Server, Win7&WinXP as clients. PEAP with windows machine accounts authentication only (passwords). Standard Microsoft supplicant. Please note: If you just copy-paste it to your working enviroment it will effectively stops all users traffic not just because of 802.1x and ACL, but because DAI and IPSG require DHCP snooping database to be prefilled with live DCHP-requests. Introduce DHCP Snooping first and then other features. Switch: Complex L2-security config aaa new-model aaa group server radius raddc server 10.1.2.16 auth-port 1645 acct-port 1646 server 10.1.2.17 auth-port 1645 acct-port 1646 backoff exponential max-delay 3 backoff-retry 8 deadtime 5 aaa authentication dot1x default group raddc aaa authorization network default group raddc aaa accounting dot1x default start-stop group raddc ip dhcp excluded-address 10.1.8.1 10.1.8.15 ip dhcp pool Users network 10.1.8.0 255.255.255.0 default-router 10.1.8.1 domain-name corporate.local dns-server 10.1.2.16 10.1.2.17 ip dhcp excluded-address 10.1.15.1 10.1.15.15 ip dhcp pool IPT network 10.1.15.0 255.255.255.0 default-router 10.1.15.1 1 / 5

option 150 ip 10.1.7.16 vlan 2 name Servers vlan 7 name CUCM vlan 8 name Users vlan 15 name IPT vlan 999 name Stub interface Vlan2 description Servers ip address 10.1.2.1 255.255.255.0 interface Vlan7 description CUCM ip address 10.1.7.1 255.255.255.0 interface Vlan8 description Users ip address 10.1.8.1 255.255.255.0 interface Vlan15 description IP phones ip address 10.1.15.1 255.255.255.0 ip access-group IPTin in ip dhcp snooping vlan 8,15 no ip dhcp snooping information option ip dhcp snooping database flash:dhcp_snooping_db.txt ip dhcp snooping ip arp inspection vlan 8,15 dot1x system-auth-control no dot1x logging verbose dot1x guest-vlan supplicant 2 / 5

spanning-tree mode rapid-pvst bpduguard default spanning-tree extend system-id spanning-tree vlan 1-4094 priority 8192 vlan access-map Users2Users 10 action forward match ip address Users2User_exception vlan access-map Users2Users 20 action drop match ip address Users2User vlan access-map Users2Users 30 action forward match ip address Users2Any vlan filter Users2Users vlan-list 8 interface range GigabitEthernet1/0/1-2 description Servers switchport access vlan 2 ip arp inspection trust ip dhcp snooping trust interface GigabitEthernet1/0/3 description CUCM switchport access vlan 7 ip arp inspection trust ip dhcp snooping trust interface range GigabitEthernet1/0/4-24 description Users switchport voice vlan 15 switchport voice detect cisco-phone 3 / 5

authentication event fail retry 0 action authorize vlan 999 authentication event no-response action authorize vlan 999 authentication port-control auto authentication violation restrict auto qos voip cisco-phone dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-req 1 dot1x max-reauth-req 1 storm-control broadcast level 20.00 storm-control multicast level 20.00 spanning-tree bpdufilter enable spanning-tree bpduguard enable ip verify source ip dhcp snooping limit rate 100 ip access-list extended Users2User permit ip 10.1.8.0 0.0.0.255 10.1.8.0 0.0.0.255 ip access-list extended Users2Any permit ip 10.1.8.0 0.0.0.255 any permit ip any 10.1.8.0 0.0.0.255 ip access-list extended Users2User_exception permit udp any eq bootpc any eq bootps permit udp any eq bootps any eq bootpc ip access-list extended IPTin permit udp any eq bootps any eq bootpc permit udp any eq bootpc any eq bootps permit ip any 10.1.7.0 0.0.0.255 permit udp any any range 16384 32767 deny ip any any access-list 91 permit 10.1.2.16 access-list 91 permit 10.1.2.17 access-list 91 deny any log radius-server host 10.1.2.16 auth-port 1645 acct-port 1646 timeout 5 key PleaseChangeMe radius-server host 10.1.2.17 auth-port 1645 acct-port 1646 timeout 5 key PleaseChangeMe NTP is mandatory with DHCP Snooping 4 / 5

ntp access-group peer 91 ntp server 10.1.2.16 ntp server 10.1.2.17 5 / 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback