CCNP3 v3

Module 9: Securing Multilayer Switched Networks

© 2002, Cisco Systems, Inc. All rights reserved.


Security

This module adds new material to the CCNP 3 curriculum.

It contains two main areas:
• Mechanisms for monitoring traffic in a multilayer switched network
• Securing devices in a multilayer switched network

Monitoring Network Performance with SPAN and VSPAN

Switched Port Analyser (SPAN) is a method of monitoring network traffic by copying traffic from a source port or source VLAN to a destination port for analysis.
SPAN can be used to monitor all network traffic, including:
• Multicast and bridge protocol data unit (BPDU) packets;
• Cisco Discovery Protocol (CDP);
• VLAN Trunk Protocol (VTP);
• Dynamic Trunking Protocol (DTP);
• Spanning Tree Protocol (STP); and
• Port Aggregation Protocol (PAgP) packets.
SPAN does not affect the switching of network traffic on source ports.

Monitoring Network Performance with RSPAN

RSPAN is an implementation of SPAN designed to support source ports, source VLANs, and destination ports across different switches.
RSPAN uses reflector ports to reproduce traffic from source ports residing on different switches to the destination port.
Like SPAN, RSPAN does not affect the switching of network traffic on source ports.
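The following configuration is an added example for the SPAN and RSPAN slides above; it is not part of the original module. It assumes Catalyst 3550-style IOS syntax, two switches joined by a trunk that carries VLAN 900, and constructed interface numbers (Fa0/1 as the monitored user port, Fa0/23 as a spare port used as the reflector, Fa0/24 as the port the analyser is plugged into).

```cisco
! --- Local SPAN on a single switch ---
! Copy both directions of Fa0/1 to Fa0/24, where the analyser is attached.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24

! --- RSPAN across two switches ---
! Step 1 (on BOTH switches): define the RSPAN VLAN that carries the copies.
vlan 900
 name RSPAN-VLAN
 remote-span
!
! Step 2 (source switch): copy Fa0/1 into the RSPAN VLAN.
! The reflector port must be an otherwise unused port; RSPAN takes it over.
monitor session 2 source interface FastEthernet0/1 both
monitor session 2 destination remote vlan 900 reflector-port FastEthernet0/23
!
! Step 3 (destination switch): deliver the RSPAN VLAN to the analyser port.
monitor session 2 source remote vlan 900
monitor session 2 destination interface FastEthernet0/24
!
! Verification on either switch
show monitor session 2
!
! Clean-up once the capture is finished
no monitor session 2
```

Two operational points follow from the slides: the SPAN or RSPAN destination port receives a copy of everything the source sees, so only the analyser host should be connected to it, and sessions should be removed (`no monitor session`) when the monitoring exercise ends so that the mirrored traffic does not remain available indefinitely.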

Modules for Improving Network Performance

The extra data flow generated by monitored traffic puts additional load on a network's switching bandwidth.
The trend towards integrating time-sensitive Voice over IP and interactive multimedia services into data networks further exacerbates the situation.
The issues outlined above have been addressed by the introduction of two modules for the 6500 series chassis:
• The Network Analysis Module (NAM), containing features that allow it to store and analyze multiple monitored traffic streams in real time.
• The Switch Fabric Module (SFM), designed to address the requirement for increased switching bandwidth.

The Network Analysis Module

The NAM is a LAN monitoring solution that should be deployed at LAN aggregation points where it has visibility of critical traffic and virtual LANs (VLANs).
The NAM provides remote monitoring functions based on RMON and RMON2 Management Information Bases (MIBs).
It uses Switched Port Analyser (SPAN) or Remote SPAN (RSPAN) to accept data from physical ports and VLANs.
It simultaneously monitors multiple switch ports or VLANs and provides separate RMON/RMON2 statistics for each data source.

The Switch Fabric Module

The Catalyst 6500 Series Switch Fabric Module (SFM), in combination with the Supervisor Engine 2, increases the available system bandwidth from the default 32 Gbps on the forwarding bus to 256 Gbps.
Key features:
• The Switch Fabric Module enables 30 Mpps Cisco Express Forwarding-based central forwarding on the Supervisor Engine 2.
• The Switch Fabric Module enables up to 210 Mpps distributed forwarding on DFC-enabled switch fabric modules.
• The Switch Fabric Module supports advanced services such as quality of service (QoS) and security in hardware via access control lists (ACLs).

Basic Security

Network security measures that were formerly handled by routers are now increasingly applicable to switches that combine Layer 2 and Layer 3 operation.
Security policies can now be applied at the distribution layer and at the access layer within a switched/routed network.
Most access policies will outline the following information:
• Network device management issues such as physical security and access control
• User access to the network
• Traffic-flow policies
• Route filtering
All of these policies are increasingly enforceable at all levels of the switched network.

Basic Security

Other key topics in basic security:
• Physical security
• Out-of-band management
• In-band management
• Passwords and password encryption

Controlling Management Traffic

Access to in-band management sessions can be controlled and protected using these features:
• Local user name options
• VLANs
• Access Control Lists (ACLs)
• Web-interface options
• Secure Shell (SSH) session encryption
Local user name options (can be used in combination):
• username name secret encryptedpassword
• username name nopassword
• username name privilege level
• username name user-maxlinks number
• username name access-class ACL-number
Controlling Management Traffic

VLANs
Management traffic should have its own VLAN (i.e. the management VLAN defined in the switch/router should not be shared with user traffic).
Access Control Lists (ACLs)
Standard or extended access lists can be used to limit which hosts can source sessions to the VTY lines.
Web interface
The web interface is enabled using ip http server.
ip http port port-number can be used to change the TCP port on which the switch/router listens for browser requests (default 80).
ip http access-class ACL-number can be used to bind a standard access list to the HTTP server process, limiting which hosts can source sessions to the web management interface.
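As an added example covering the two "Controlling Management Traffic" slides (the local user name options, the management VLAN, the VTY access list and the web interface), the configuration below puts those features together on one switch. It is not part of the original module; the VLAN number, addresses, user names and passwords are constructed, and the syntax is that of Catalyst IOS.

```cisco
! Management stations allowed to open VTY and HTTP sessions (constructed addresses).
! The trailing deny with 'log' records rejected attempts for the syslog server.
access-list 10 permit 10.1.99.10
access-list 10 permit 10.1.99.11
access-list 10 deny   any log
!
! Local accounts. 'secret' stores a hash rather than the password itself;
! 'privilege' and 'access-class' are the per-user options listed on the slide.
username netadmin privilege 15 secret S3cr3t-Adm1n!
username helpdesk privilege 1 secret H3lpd3sk-0nly
username helpdesk access-class 10
!
! Any remaining 'password' lines (line or enable passwords) are stored as
! type 7 instead of clear text.
service password-encryption
!
! Dedicated management VLAN; user ports are never placed in VLAN 99.
vlan 99
 name MGMT
!
interface Vlan99
 ip address 10.1.99.1 255.255.255.0
!
! VTY lines: authenticate against the local database and accept sessions
! only from the hosts in ACL 10; idle sessions are closed after 10 minutes.
line vty 0 4
 login local
 access-class 10 in
 exec-timeout 10 0
!
! Web interface, weak form (as often found): listening on port 80 for any host.
!   ip http server
!
! Web interface, hardened form: either leave it disabled ...
no ip http server
! ... or, if it is required, bind the same management ACL to the HTTP process.
!   ip http server
!   ip http access-class 10
!
! Verification
show access-lists 10
show ip http server status
```

The ACL is applied twice on purpose: `access-class 10 in` guards the VTY lines and `ip http access-class 10` guards the HTTP process, because the two services are filtered independently and leaving the web interface unfiltered undoes the VTY restriction.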
Encrypting Communications Using Secure Shell (SSH)

Because Telnet packets are transmitted in clear text, they can be captured and their contents easily read.
It is recommended that SSH encryption be configured as a minimum for securing in-band management traffic where possible.
SSH uses public/private key pairs for asymmetric encryption.
The administrator generates a key pair on the SSH server (switch/router).
One half of the pair is public and is openly shared. Public keys can only be used to encrypt for transmission to the matching private key.
The other half is private and is kept secret by the SSH server. Private keys can only decrypt packets from the matching public key.
The administrator opens an SSH session to the SSH server, is offered a copy of the server's public key, and can now send information that only the SSH server can read.
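The following added example (not from the original module) shows the Telnet-only VTY configuration the slide warns about beside the SSH-only replacement. It uses IOS commands from releases that support SSH version 2; the hostname, domain name and key size are constructed for the example. A hostname and domain name must exist before the RSA key pair can be generated, because they form the key's label.

```cisco
! Before: VTY lines accept Telnet, so user names, passwords and every command
! typed in the session cross the network in clear text.
line vty 0 4
 login local
 transport input telnet
!
! After: generate the server's key pair (the public half is what the SSH client
! is offered when it connects; the private half never leaves the switch).
hostname DSW1
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
!
! Require protocol version 2 and limit the login window and retry count.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! VTY lines now accept SSH only; Telnet connections are refused.
line vty 0 4
 login local
 transport input ssh
!
! Verification: SSH status and currently connected sessions.
show ip ssh
show ssh
```

Until the RSA key pair exists, `transport input ssh` leaves the VTY lines unreachable in-band, so the key should be generated from the console or an out-of-band session before the Telnet transport is removed.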

Controlling User Traffic

User traffic can be controlled using:
• Virtual LANs
• Port security
• Protected ports and private VLANs
• Access Control Lists (ACLs)

Controlling User Traffic

The port security feature can be used to restrict input to an interface.
• Uses MAC address information to control traffic
Protected ports and private VLANs control traffic within a switch.
• Protected ports and private VLANs are conceptually the same
• Protected ports provide Layer 2 isolation between ports in the same VLAN (protected ports cannot forward traffic to each other)
• Protected ports can communicate normally with non-protected ports
ACLs can be deployed to control management sessions for remote control of the switch. The switch supports:
• Port ACLs, which access-control traffic entering a Layer 2 interface.
• Router ACLs, which access-control routed traffic between VLANs and are applied to Layer 3 interfaces.
• VLAN ACLs or VLAN maps, which access-control all packets (bridged and routed).
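As an added example for the port security, protected port and ACL features on this slide (not code from the original module), the configuration below applies each of the three ACL types the slide names on a Catalyst 3550-style switch. Interface numbers, VLAN numbers, addresses and ACL names are constructed.

```cisco
! Port security on a user access port: at most two MAC addresses, learned
! dynamically and written into the running-config ("sticky"). On a violation
! the port keeps forwarding for known addresses, drops frames from unknown
! ones and counts them, rather than shutting the port down.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Protected ports: Fa0/6 and Fa0/7 share VLAN 10 but cannot exchange frames
! with each other; both still reach the (unprotected) uplink and the SVI.
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Port ACL: applied inbound on the Layer 2 interface, so it only filters
! traffic entering Fa0/5.
ip access-list extended USER-IN
 permit ip 10.1.10.0 0.0.0.255 any
 deny   ip any any
!
interface FastEthernet0/5
 ip access-group USER-IN in
!
! Router ACL: applied to the Layer 3 SVI, so it filters traffic routed out of
! VLAN 10, here keeping user hosts away from the management VLAN.
ip access-list extended VLAN10-TO-MGMT
 deny   ip 10.1.10.0 0.0.0.255 10.1.99.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-TO-MGMT in
!
! VLAN map: filters bridged AND routed packets inside VLAN 10. A VLAN map
! drops anything that matches no entry, so the final 'action forward' entry
! with no match clause is required to let all other traffic through.
ip access-list extended BLOCK-TFTP
 permit udp any any eq 69
!
vlan access-map NO-TFTP 10
 match ip address BLOCK-TFTP
 action drop
vlan access-map NO-TFTP 20
 action forward
!
vlan filter NO-TFTP vlan-list 10
!
! Verification
show port-security interface FastEthernet0/5
show vlan access-map
```

The distinction the slide draws shows up in where each ACL attaches: the port ACL on a physical Layer 2 interface, the router ACL on the VLAN interface, and the VLAN map on the VLAN itself (via `vlan filter`), which is why only the VLAN map also sees host-to-host traffic that never reaches the SVI.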
AAA, CiscoSecure ACS, RADIUS and TACACS+

AAA provides services for Authentication, Authorization and Accounting.
The CiscoSecure Access Control Server (ACS) is specialized security software that runs on Windows 2000.
• The CiscoSecure ACS software uses either the TACACS+ or the RADIUS protocol to provide network security and tracking.
TACACS+ is a security application used with AAA and CiscoSecure ACS that provides centralized validation of users attempting to gain access to a router or network access server.
• Cisco proprietary protocol
• More granular information and control than RADIUS
RADIUS is a distributed client/server system used with AAA that secures networks against unauthorized access.
• Open standard protocol

802.1X Port-Based Authentication

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol. With 802.1X port-based authentication, the devices in the network have specific roles:
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.
• Authentication server—performs the actual authentication of the client. Because the switch acts as the proxy, the authentication service is transparent to the client.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client, requesting identity information from the authentication server.
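The configuration below is an added example serving both the AAA/TACACS+/RADIUS slide and the 802.1X slide; it is not part of the original module. It shows the split the slides describe: TACACS+ (via an ACS server) for administrative logins, and RADIUS as the authentication server for 802.1X on an access port, with the switch in the authenticator role. Server addresses, shared keys, user names and interface numbers are constructed, and the syntax is that of Catalyst IOS releases of the 12.1 EA family.

```cisco
! Turn on AAA; from here on, logins use the method lists below rather than
! the line passwords.
aaa new-model
!
! TACACS+ server (CiscoSecure ACS) for administrative access.
tacacs-server host 10.1.99.50
tacacs-server key Tacacs-Shared-Key
!
! Logins and EXEC authorization: ask TACACS+ first. 'local' is consulted
! only when the TACACS+ server cannot be reached, not when it rejects a user.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Accounting: record session start/stop and every privilege-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local account kept for the "server unreachable" fallback case.
username netadmin privilege 15 secret S3cr3t-Adm1n!
!
! RADIUS server used as the 802.1X authentication server.
radius-server host 10.1.99.51 auth-port 1812 acct-port 1813 key Radius-Shared-Key
!
! 802.1X: RADIUS is the method for dot1x requests, then enable it globally.
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Access port in the authenticator role. With 'auto', the port forwards
! nothing but EAPOL until the RADIUS server accepts the client's credentials;
! it returns to the unauthorized state when the client logs off or the link drops.
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! Verification
show dot1x interface FastEthernet0/10
show tacacs
```

The `local` keyword at the end of the login method list deserves care: it gives the switch a way in when the ACS server is down, but it also means the local account's secret must be treated as a privileged credential, and it does nothing for a user whom the server has actively rejected.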
