Cisco 3550 Switch MAC Address Access Control Lists
In day-to-day network management a familiar situation comes up: a user, in violation of the management rules, changes their own IP address in order to reach resources they are not authorized for. Besides breaking the information security rules, this can also cause address conflicts and therefore communication failures on the network.
Administrators may try the technical measures described below to deal with this, but the results are often unsatisfactory: first, no technical measure prevents the behaviour completely, and second, each one adds management complexity and cost. The most effective remedy remains administrative (rules enforced against the people who break them), which technology cannot replace.
Before introducing the technical measures, set up a simulated environment: a SERVER and a PC workstation are connected to a Cisco Catalyst 3550 switch in different VLANs, and the 3550 routes between them (switch configuration):
hostname Cisco3550
!
interface GigabitEthernet0/11
 description Connect to PC
! the PC port stays in the default VLAN 1
!
interface GigabitEthernet0/12
 description Connect to SERVER
 switchport access vlan 2
!
interface Vlan1
 ip address 1.1.1.254 255.255.255.0
!
interface Vlan2
 ip address 2.1.1.254 255.255.255.0
If you only need to prevent IP address conflicts and do not need access restrictions, DHCP is probably the best option. The DHCP server hands out the IP address, subnet mask, gateway, DNS and other parameters; it is convenient for users and conserves addresses. For setting up DHCP on Cisco equipment see "Cisco router on DHCP configuration explain the entire process." Static assignment needs more administrative effort, but as long as users behave, the one-to-one mapping between user and IP address makes the network easier to maintain. The methods below assume static assignment.
Test 1. Assume that in VLAN 1 only the IP address 1.1.1.1 is permitted to access the server 2.1.1.1, and all other access is prohibited.
Restriction method: an IP access control list. The implicit deny at the end of the list drops everything else entering Vlan1.
interface Vlan1
 ip address 1.1.1.254 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit ip host 1.1.1.1 host 2.1.1.1
Bypass: an unauthorized user changes their own IP address to 1.1.1.1 and reaches the server. Two hosts claiming 1.1.1.1 produce an IP address conflict, and if the user instead takes the gateway's IP address, communication for the whole VLAN is affected. Windows settings can be used to stop users from modifying the "Network" properties, but that too is easily bypassed.
Test 2. On top of the basic configuration of Test 1, add a static ARP binding to prevent IP address theft.
Method: on the Test 1 configuration, add
arp 1.1.1.1 0001.0001.1111 ARPA
Note that the following form is wrong: the interface argument of the arp command must be a Layer 3 (routed) interface, not a Layer 2 (switched) port, so if an interface is given here it has to be Vlan1, not GigabitEthernet0/11:
arp 1.1.1.1 0001.0001.1111 ARPA GigabitEthernet0/11
Once this is set, if an unauthorized user changes their address to 1.1.1.1, the packets they send toward the router are still delivered, but the return packets from the server 2.1.1.1 are always forwarded by the router with destination MAC address 0001.0001.1111, so the unauthorized user never receives them.
A similar approach: an "ARP server" that periodically broadcasts the correct IP-to-MAC mapping table (gratuitous ARP) to every host on the network.
Bypass: the MAC address is easy to change. In the Windows network connection settings, open the adapter's configuration, and on the "Advanced" tab set "Network Address" to the desired value.
Test 3. Using port security
Principle: restrict a port so that only one specific MAC address may use it; when the user changes the MAC address, the port becomes unusable.
Configuration:
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
After this, the MAC address of the first PC connected to the port is learned into the switch and becomes the only address allowed on that port. If the PC's MAC address changes, by default the port is shut down (err-disabled) and can no longer communicate. Note that with the default dynamic learning the secure address is lost when the link flaps or the switch reloads; use switchport port-security mac-address sticky, or a static switchport port-security mac-address <mac>, to keep the binding.
The following command selects how a violation is handled:
switchport port-security violation {protect | restrict | shutdown}
protect: drop frames from unauthorized source addresses, no alarm
restrict: drop frames from unauthorized source addresses and send a syslog message and SNMP trap (the violation counter increments)
shutdown (default): err-disable the port and send an SNMP trap and a syslog message; the port stays down until an administrator issues shutdown / no shutdown on it
Bypass: a proxy server. A user who is permitted to reach the outside installs a proxy on their machine, and other users in the same VLAN go through it.
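The restrict and shutdown modes above are only useful if someone reads the syslog. The script below is an added example, not part of the original article: it parses the standard IOS PORT_SECURITY and PM messages, reports per port which MAC caused the violation, how often, and whether the port was err-disabled, and produces the shutdown / no shutdown sequence to recover it. The log lines, timestamps, MAC addresses and the port-to-MAC binding table are constructed for the demo.

```python
"""Detect and summarize Catalyst port-security violations from syslog.

Added example, not part of the original article. The two message formats
matched here are the standard IOS PORT_SECURITY / PM messages; the log lines
and the port-to-MAC binding table below are constructed for the demo.
"""
import re
from collections import defaultdict

# IOS logs the offending source MAC and the port on every violation in
# restrict and shutdown mode (protect mode is silent, so there is nothing to detect).
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+[\d/]+)"
)
# In shutdown mode the port manager then err-disables the port.
ERRDISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[A-Za-z]+[\d/]+),"
)

# Constructed sample log (timestamps and MACs are made up for the demo).
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.aaaa on port GigabitEthernet0/11.
*Mar  1 00:12:35.101: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
*Mar  1 00:13:02.880: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.bbbb on port GigabitEthernet0/12.
*Mar  1 00:13:03.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.bbbb on port GigabitEthernet0/12.
*Mar  1 00:14:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
""".splitlines()

# Assumed binding table: which MAC is supposed to sit behind each port.
BINDINGS = {"Gi0/11": "0001.0001.1111", "Gi0/12": "0000.0c31.ba9b"}

_SHORT = (("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def short_name(port):
    """Normalize interface names; the two messages use the long and short forms."""
    for long, short in _SHORT:
        if port.startswith(long):
            return short + port[len(long):]
    return port


def _entry(bindings, port):
    return {"expected": bindings.get(port), "offenders": defaultdict(int), "errdisabled": False}


def summarize(log_lines, bindings):
    """Return per-port violation data: expected MAC, offender counts, err-disabled flag."""
    bindings = {short_name(p): m for p, m in bindings.items()}
    report = {}
    for line in log_lines:
        if m := VIOLATION.search(line):
            port = short_name(m["port"])
            report.setdefault(port, _entry(bindings, port))["offenders"][m["mac"]] += 1
        elif m := ERRDISABLE.search(line):
            port = short_name(m["port"])
            report.setdefault(port, _entry(bindings, port))["errdisabled"] = True
    # plain dicts for callers
    return {p: {**e, "offenders": dict(e["offenders"])} for p, e in report.items()}


def recovery_commands(report):
    """Config to bring err-disabled ports back once the offending host has been dealt with."""
    cmds = []
    for port in sorted(p for p, e in report.items() if e["errdisabled"]):
        cmds += [f"interface {port}", " shutdown", " no shutdown"]
    return cmds


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, BINDINGS)
    for port, entry in report.items():
        print(port, entry)
    print("\n".join(recovery_commands(report)))
```

The repeated offender on Gi0/12 with no ERR_DISABLE line is what a restrict-mode port looks like in the log: the frames are dropped but the port stays up, so the count is the only signal that someone is still trying.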
Test 4. User isolation with VLANs and PVLANs
Principle: put authorized and unauthorized users into different VLANs and restrict traffic between the VLANs with access control lists. PVLANs can also be used to isolate, within the same VLAN, hosts that should not communicate with each other directly.
interface GigabitEthernet0/10
 description Connect to PC1
 switchport access vlan 7
!
interface GigabitEthernet0/11
 description Connect to PC2
 switchport access vlan 8
A special variant: the Cisco 3550 also supports IP and MAC access control lists on Layer 2 (switched) ports. With the following settings, the PC on port f0/1 can only use the IP address 1.1.1.1 and the MAC address 0000.0c31.ba9b; anything else will not communicate normally.
mac access-list extended macacl
 permit host 0000.0c31.ba9b any
 permit any host 0000.0c31.ba9b
!
ip access-list extended ipacl
 permit ip any host 1.1.1.1
 permit ip host 1.1.1.1 any
!
interface FastEthernet0/1
 no ip address
 ip access-group ipacl in
 mac access-group macacl in
Port ACLs on the 3550 apply to inbound frames only, so the lines that name the PC as the source are the ones doing the work; the other two lines are harmless. Before relying on this, verify with a test host (and the hit counters of show access-lists) that IP frames from a non-matching source MAC are actually dropped, because on Catalyst switches a port MAC ACL may match only non-IP traffic.
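Writing this pair of lists by hand for every port is where mistakes creep in (a MAC pasted in Windows notation, the same IP bound to two ports). The script below is an added example, not part of the original article: from a (port, IP, MAC) binding table it emits one inbound IP and MAC port-ACL pair per access port in the form shown above, plus the static ARP entries of Test 2, after normalizing MAC notation and rejecting duplicate bindings. The binding table, the ACL naming scheme and the port names are assumptions for the demo.

```python
"""Generate per-port IP+MAC binding configuration for a Catalyst 3550 from a binding table.

Added example, not part of the original article. It emits the port-ACL pairs
shown in the article (one mac/ip access-list pair per access port, applied
inbound) and the static ARP entries of Test 2. The binding table, ACL naming
scheme and port names are assumptions for the demo.
"""
import ipaddress
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def cisco_mac(mac):
    """Normalize 00-01-00-01-11-11, 00:01:00:01:11:11 or 0001.0001.1111 to Cisco dotted form.

    Windows "Network Address" values and vendor inventories come in all three
    notations; anything that is not exactly 12 hex digits is rejected.
    """
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def _acl_tag(interface):
    # GigabitEthernet0/11 -> Gi0_11: short and legal as part of an ACL name
    for long, short in (("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")):
        if interface.startswith(long):
            interface = short + interface[len(long):]
    return interface.replace("/", "_")


def validate(bindings):
    """Normalize (port, ip, mac) triples and reject duplicate IPs or MACs.

    A duplicate would mean two ports are allowed to claim the same address,
    which is exactly the conflict the scheme is supposed to prevent.
    """
    seen_ip, seen_mac = {}, {}
    result = []
    for iface, ip, mac in bindings:
        addr = str(ipaddress.IPv4Address(ip))  # raises ValueError on bad input
        hw = cisco_mac(mac)
        if addr in seen_ip or hw in seen_mac:
            raise ValueError(f"duplicate binding on {iface}: {addr} / {hw}")
        seen_ip[addr] = iface
        seen_mac[hw] = iface
        result.append((iface, addr, hw))
    return result


def port_acl_config(bindings):
    """Per-port inbound IP and MAC ACLs, in the 3550 port-ACL form used in the article."""
    lines = []
    for iface, addr, hw in validate(bindings):
        tag = _acl_tag(iface)
        lines += [
            f"mac access-list extended mac_{tag}",
            f" permit host {hw} any",  # inbound only, so the PC is always the source
            "!",
            f"ip access-list extended ip_{tag}",
            f" permit ip host {addr} any",
            "!",
            f"interface {iface}",
            " switchport mode access",
            f" ip access-group ip_{tag} in",
            f" mac access-group mac_{tag} in",
            "!",
        ]
    return "\n".join(lines) + "\n"


def static_arp_config(bindings):
    """Static ARP entries for Test 2 (global form, no interface argument)."""
    return "".join(f"arp {addr} {hw} ARPA\n" for _, addr, hw in validate(bindings))


# Constructed sample table: (port, ip, mac) as the helpdesk would hand it in.
SAMPLE_BINDINGS = [
    ("GigabitEthernet0/11", "1.1.1.1", "00-01-00-01-11-11"),
    ("FastEthernet0/1", "1.1.1.2", "00:00:0C:31:BA:9B"),
]

if __name__ == "__main__":
    print(port_acl_config(SAMPLE_BINDINGS))
    print(static_arp_config(SAMPLE_BINDINGS))
```

Because the IP list permits only the bound source address, a DHCP DISCOVER (source 0.0.0.0) from the port is dropped as well; that is consistent with the static-assignment assumption made above, but it is something to remember if a port is later switched to DHCP.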
Bypass: the user simply goes to an authorized user's machine and uses it. This is an atypical bypass, and there is no good technical solution for it.
Other possible restriction methods:
1. Authentication proxy: the user must enter a username and password on a web page before reaching specific resources; otherwise access is blocked.
2. 802.1x: the user must pass 802.1x authentication, and only then does the DHCP server assign an IP address; otherwise access is blocked.
3. PPPoE: the user must install PPPoE client software and log in with a username and password to use the network.
Discussion update: after reading this article, a friend posted on a BBS asking: "How do I configure the router to filter out traffic from a specific MAC address? I don't want the host with that MAC address to get through the router."
This is a fairly unusual requirement. Filtering on a MAC address is a Layer 2 action, whereas a router's normal job is Layer 3 forwarding; only in a few cases (when it is bridging) does a router look at MAC addresses while filtering, so this kind of filter is best placed on Layer 2 switching equipment.
Still, it is not an impossible task for a router. The following configuration achieves the required effect:
! rate-limit requires CEF, which may not be enabled by default on this router
ip cef
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 ! drop everything whose source MAC matches rate-limit list 100 (all other traffic is permitted)
 rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
!
! the MAC address to block
access-list rate-limit 100 0001.0001.abcd
Note that there must be no other Layer 3 device between the target workstation and this router; otherwise the source MAC address the router sees is that of the intermediate device, not the workstation's.
Discussion update: a friend asks: "My router is a Cisco 1720 and does not support CEF. What should I do?"
The Cisco 1720 does support CEF, but it requires IOS 12.0(3)T or later with the IP Plus feature set; from 12.2(11)YV the standard IP feature set also supports CEF. If the router's current IOS version is too old, upgrade it.
Alternatively, use Integrated Routing and Bridging (IRB), which only requires 12.0(2)T or later with the standard IP feature set. The configuration is as follows:
! enable IRB support
bridge irb
!
interface Ethernet0/0
 ! no address here: routing is done on the logical interface BVI 1
 no ip address
 ! add the interface to bridge group 1
 bridge-group 1
!
interface BVI1
 ! provides routing for bridge group 1
 ip address 192.168.1.254 255.255.255.0
!
! run spanning tree to prevent loops
bridge 1 protocol ieee
! route IP traffic
bridge 1 route ip
! discard frames from MAC address 0001.0001.abcd
bridge 1 address 0001.0001.abcd discard