Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), Chapter 18: Security, Denial of Service Prevention (page 364)

- User Defined—Enter a port number.
- All Ports—Select to indicate that all ports are filtered.
STEP 4 Click Apply. The SYN filter is defined, and the Running Configuration file is updated.

SYN Rate Protection
The SYN Rate Protection page limits the number of SYN packets received on an ingress port. This mitigates a SYN flood against servers behind the switch by rate limiting the number of new connections the flood can open. The limit does not distinguish legitimate from malicious SYNs, so a limit set too low drops legitimate new connections as well. This feature is only available when the device is in Layer 2 system mode.
To define SYN rate protection:
STEP 1 Click Security > Denial of Service Prevention > SYN Rate Protection. This page displays the SYN rate protection currently defined per interface.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Interface—Select the interface on which the rate protection is being defined.
• IP Address—Enter the source IP address for which the SYN rate protection is defined, or select All Addresses. If you enter an IP address, also enter either the mask or the prefix length.
• Network Mask—Select the format of the subnet mask for the source IP address and enter a value in one of the fields:
- Mask—Select Mask and enter the subnet mask in dotted decimal format.
- Prefix Length—Select Prefix Length and enter the number of bits that comprise the source IP address prefix.
• SYN Rate Limit—Enter the maximum number of SYN packets that can be received.
STEP 4 Click Apply. The SYN rate protection is defined, and the Running Configuration file is updated.

ICMP Filtering
The ICMP Filtering page blocks ICMP packets from selected sources. This reduces the load on the network during an ICMP flood. Note that blocking ICMP from all addresses also blocks the echo replies used by monitoring and the Destination Unreachable messages that path MTU discovery depends on, so filter by source prefix where the attack source is known.
To define ICMP filtering:
STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Interface—Select the interface on which the ICMP filtering is being defined.
• IP Address—Enter the IPv4 address for which ICMP packet filtering is activated, or select All Addresses to block ICMP packets from all source addresses. If you enter an IP address, also enter either the mask or the prefix length.
• Network Mask—Select the format of the subnet mask for the source IP address and enter a value in one of the fields:
- Mask—Select Mask and enter the subnet mask in dotted decimal format.
- Prefix Length—Select Prefix Length and enter the number of bits that comprise the source IP address prefix.
STEP 4 Click Apply. The ICMP filtering is defined, and the Running Configuration file is updated.

IP Fragments Filtering
The IP Fragments Filtering page blocks fragmented IP packets. Non-initial fragments carry no Layer 4 header and therefore pass port-based filters, which is why dropping them on untrusted ports is a common hardening step; be aware that legitimate fragmented traffic, such as large UDP datagrams, is dropped as well.
To configure fragmented IP blocking:
STEP 1 Click Security > Denial of Service Prevention > IP Fragments Filtering.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Interface—Select the interface on which IP fragment filtering is being defined.
• IP Address—Enter the IP network from which fragmented IP packets are filtered, or select All Addresses to block fragmented IP packets from all addresses. If you enter an IP address, also enter either the mask or the prefix length.
• Network Mask—Select the format of the subnet mask for the source IP address and enter a value in one of the fields:
- Mask—Select Mask and enter the subnet mask in dotted decimal format.
- Prefix Length—Select Prefix Length and enter the number of bits that comprise the source IP address prefix.
STEP 4 Click Apply. The IP fragment filtering is defined, and the Running Configuration file is updated.

DHCP Snooping
See DHCPv4 Snooping/Relay.

IP Source Guard
IP Source Guard is a security feature that prevents traffic attacks in which a host uses the IP address of its neighbor (source IP spoofing on the local segment). When IP Source Guard is enabled, the device forwards client IPv4 traffic only if its source IP address is contained in the DHCP Snooping Binding database. This includes both addresses learned by DHCP Snooping and manually added static entries. If a packet's source matches an entry in the database, the device forwards it; if not, the packet is dropped.

Interactions with Other Features
The following points are relevant to IP Source Guard:
• DHCP Snooping must be globally enabled in order to enable IP Source Guard on an interface.
• IP Source Guard can be active on an interface only if:
- DHCP Snooping is enabled on at least one of the port's VLANs.
- The interface is DHCP untrusted. All packets on trusted ports are forwarded without IP Source Guard filtering.
• On a DHCP trusted port, static IP address filtering entries can still be configured by enabling IP Source Guard on the port, even though IP Source Guard is not active in that condition.
• When a port's status changes from DHCP untrusted to DHCP trusted, the static IP address filtering entries remain in the Binding database but become inactive.
• Port security cannot be enabled if source IP and MAC address filtering is configured on a port.
• IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, the extra addresses are inactive, and traffic from an inactive address is dropped just as if it had no binding. Check the Status and Reason columns of the Binding Database page after enabling IP Source Guard on a switch that already carries other TCAM consumers such as ACLs.

Filtering
If IP Source Guard is enabled on a port then:
• DHCP packets allowed by DHCP Snooping are permitted.
• If source IP address filtering is enabled:
- IPv4 traffic: Only traffic with a source IP address that is associated with the port is permitted.
- Non-IPv4 traffic: Permitted (including ARP packets).
Because ARP is not filtered, IP Source Guard on its own does not stop ARP cache poisoning; pair it with ARP Inspection, described later in this chapter.
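The three Denial of Service Prevention pages earlier in this section (SYN Rate Protection, ICMP Filtering and IP Fragments Filtering) share one rule shape: an ingress interface plus a source prefix given either as a dotted-decimal mask or as a prefix length. The following Python model is an added example, not code from the Cisco guide or from the switch firmware. It shows that the mask and prefix-length forms normalise to the same rule, that a rule on one interface never affects another, and that the SYN limit (assumed here to be counted per rule per one-second window, since the guide does not state the unit) passes the first N SYNs and drops the rest. Interface names, addresses and the packet fields are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# "All Addresses" on the GUI: a rule that matches any source.
ALL_ADDRESSES = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    ingress: str            # ingress interface name, e.g. "GE1" (constructed)
    src: str                # source IPv4 address
    proto: str              # "tcp", "udp" or "icmp"
    syn: bool = False       # TCP SYN, i.e. a new connection attempt
    fragment: bool = False  # MF flag set or fragment offset > 0
    ts: float = 0.0         # arrival time in seconds


def source_network(ip=None, mask_or_prefix=None):
    """Source prefix for a rule. ip=None is the GUI's "All Addresses"; otherwise
    mask_or_prefix is a dotted-decimal mask ("255.255.255.0") or a prefix length (24),
    the two formats the Network Mask field accepts. Both normalise to one network."""
    if ip is None:
        return ALL_ADDRESSES
    return ipaddress.ip_network(f"{ip}/{mask_or_prefix}", strict=False)


class DosPrevention:
    """Per-interface SYN rate, ICMP and IP fragment rules, evaluated on ingress."""

    def __init__(self, layer2_system_mode=True):
        self.layer2_system_mode = layer2_system_mode
        self.syn_rate_rules = []    # (ingress, network, limit)
        self.icmp_rules = []        # (ingress, network)
        self.fragment_rules = []    # (ingress, network)
        # Assumption: the SYN limit is counted per rule per one-second window.
        self._syn_seen = defaultdict(int)

    def add_syn_rate(self, ingress, network, limit):
        # The guide: SYN Rate Protection is only available in Layer 2 system mode.
        if not self.layer2_system_mode:
            raise ValueError("SYN Rate Protection requires Layer 2 system mode")
        self.syn_rate_rules.append((ingress, network, limit))

    def add_icmp_filter(self, ingress, network):
        self.icmp_rules.append((ingress, network))

    def add_fragment_filter(self, ingress, network):
        self.fragment_rules.append((ingress, network))

    @staticmethod
    def _first_match(rules, ingress, src):
        """Rules are keyed on the ingress interface: a rule on GE1 never applies to GE2."""
        for idx, rule in enumerate(rules):
            if rule[0] == ingress and src in rule[1]:
                return idx
        return None

    def decide(self, pkt):
        """Return "forward" or "drop:<reason>" for one ingress packet."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.fragment and self._first_match(self.fragment_rules, pkt.ingress, src) is not None:
            return "drop:ip-fragment"
        if pkt.proto == "icmp" and self._first_match(self.icmp_rules, pkt.ingress, src) is not None:
            return "drop:icmp"
        if pkt.proto == "tcp" and pkt.syn:
            idx = self._first_match(self.syn_rate_rules, pkt.ingress, src)
            if idx is not None:
                limit = self.syn_rate_rules[idx][2]
                window = (idx, int(pkt.ts))
                self._syn_seen[window] += 1
                if self._syn_seen[window] > limit:
                    return "drop:syn-rate"
        return "forward"


def demo():
    dos = DosPrevention()
    dos.add_syn_rate("GE1", source_network("10.1.2.0", 24), limit=3)
    dos.add_icmp_filter("GE1", source_network())                          # All Addresses
    dos.add_fragment_filter("GE2", source_network("192.0.2.0", "255.255.255.0"))
    # Constructed traffic: five SYNs from one host inside one second on GE1.
    syns = [dos.decide(Packet("GE1", "10.1.2.7", "tcp", syn=True, ts=0.1 * i)) for i in range(5)]
    icmp = dos.decide(Packet("GE1", "203.0.113.9", "icmp"))
    frag_ge2 = dos.decide(Packet("GE2", "192.0.2.5", "udp", fragment=True))
    frag_ge1 = dos.decide(Packet("GE1", "192.0.2.5", "udp", fragment=True))   # no rule on GE1
    syn_ge3 = dos.decide(Packet("GE3", "10.1.2.7", "tcp", syn=True, ts=0.2))   # no rule on GE3
    return syns, icmp, frag_ge2, frag_ge1, syn_ge3


if __name__ == "__main__":
    print(demo())
```

demo() returns the decisions for the constructed traffic: the fourth and fifth SYN in the window are dropped, ICMP from any source on GE1 is dropped, and the fragment rule on GE2 leaves GE1 untouched. In this model the SYN budget is per rule, so a flood spread across several source prefixes covered by separate rules gets a multiple of the budget; match as broadly as a port's legitimate sources allow.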
Configuring IP Source Guard Work Flow
To configure IP Source Guard:
STEP 1 Enable DHCP Snooping in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.
STEP 2 Define the VLANs on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.
STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page. Trust only the uplinks towards the legitimate DHCP server; access ports should stay untrusted, since IP Source Guard never filters a trusted port.
STEP 4 Enable IP Source Guard globally in the Security > IP Source Guard > Properties page.
STEP 5 Enable IP Source Guard on the untrusted interfaces as required in the Security > IP Source Guard > Interface Settings page.
STEP 6 View the entries in the Binding database in the Security > IP Source Guard > Binding Database page.

Enabling IP Source Guard
To enable IP Source Guard globally:
STEP 1 Click Security > IP Source Guard > Properties.
STEP 2 Select Enable to enable IP Source Guard globally.

Configuring IP Source Guard on Interfaces
If IP Source Guard is enabled on an untrusted port/LAG, DHCP packets allowed by DHCP Snooping are transmitted. If source IP address filtering is enabled, packet transmission is permitted as follows:
• IPv4 traffic—Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.
• Non-IPv4 traffic—All non-IPv4 traffic is permitted.
See Interactions with Other Features for more information about enabling IP Source Guard on interfaces.
To configure IP Source Guard on interfaces:
STEP 1 Click Security > IP Source Guard > Interface Settings.
STEP 2 Select Port or LAG in the Filter field and click Go. The ports/LAGs on this unit are displayed along with the following:
• IP Source Guard—Indicates whether IP Source Guard is enabled on the port.
• DHCP Snooping Trusted Interface—Indicates whether this is a DHCP trusted interface.
STEP 3 Select the port/LAG and click Edit. Select Enable in the IP Source Guard field to enable IP Source Guard on the interface.
STEP 4 Click Apply to copy the setting to the Running Configuration file.

Binding Database
IP Source Guard uses the DHCP Snooping Binding database to check packets from untrusted ports. If the device attempts to write more entries to the DHCP Snooping Binding database than the TCAM can hold, the excess entries are kept in an inactive status. Entries are deleted when their lease time expires, which frees TCAM rules, so inactive entries may later be made active. See DHCPv4 Snooping/Relay.
NOTE The Binding Database page only displays the entries in the DHCP Snooping Binding database that belong to IP-Source-Guard-enabled ports.
To view the DHCP Snooping Binding database and see TCAM usage, set Insert Inactive:
STEP 1 Click Security > IP Source Guard > Binding Database.
STEP 2 The DHCP Snooping Binding database uses TCAM resources for managing the database. Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries. It has the following options:
• Retry Frequency—The frequency with which the TCAM resources are checked.
• Never—Never try to reactivate inactive addresses.
STEP 3 Click Apply to save the above changes to the Running Configuration, and/or click Retry Now to check TCAM resources immediately.
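The forwarding rules from the Filtering section and the TCAM behaviour described for the Binding Database fit together in a small model. The Python below is an added example, not the switch's code and not from the Cisco guide; the TCAM budget, port names, VLANs, leases and packets are constructed. It shows an entry beyond the TCAM budget being held inactive with reason Resource Problem (and that host's IPv4 traffic dropped), ARP from the same port still passing, a lease expiry freeing a rule, and Retry Now activating the waiting entry.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    vlan: int
    mac: str
    ip: str
    interface: str
    kind: str = "dynamic"            # "dynamic" (learned by DHCP Snooping) or "static"
    lease_end: float = float("inf")  # static entries never expire
    status: str = "inactive"
    reason: str = "Resource Problem"


class IpSourceGuard:
    """Binding database with a TCAM budget, plus the per-packet forwarding decision."""

    def __init__(self, tcam_rules, snooped_vlans, trusted_ports, ipsg_ports):
        self.tcam_rules = tcam_rules            # one TCAM rule per active entry (constructed budget)
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.ipsg_ports = set(ipsg_ports)       # ports with IP Source Guard enabled
        self.bindings = []

    def _active_count(self):
        return sum(1 for b in self.bindings if b.status == "active")

    def _try_activate(self, b):
        """Mirror the Status/Reason columns: an entry is active only if its VLAN is
        snooped, its port is untrusted and a TCAM rule is free."""
        if b.vlan not in self.snooped_vlans:
            b.status, b.reason = "inactive", "No Snoop VLAN"
        elif b.interface in self.trusted_ports:
            b.status, b.reason = "inactive", "Trusted Port"
        elif self._active_count() >= self.tcam_rules:
            b.status, b.reason = "inactive", "Resource Problem"
        else:
            b.status, b.reason = "active", "No Problem"

    def add_binding(self, b):
        self.bindings.append(b)
        self._try_activate(b)
        return b.status, b.reason

    def set_trusted(self, port):
        """Untrusted -> trusted: entries on the port stay in the database but go inactive."""
        self.trusted_ports.add(port)
        for b in self.bindings:
            if b.interface == port:
                self._try_activate(b)

    def expire_leases(self, now):
        """Dynamic entries are deleted when their lease expires, freeing their TCAM rule."""
        self.bindings = [b for b in self.bindings if b.kind == "static" or b.lease_end > now]

    def retry_now(self):
        """The Binding Database page's Retry Now (or the Retry Frequency timer)."""
        for b in self.bindings:
            if b.status == "inactive":
                self._try_activate(b)
        return [(b.ip, b.status, b.reason) for b in self.bindings]

    def filter(self, ingress, vlan, proto, src_ip=None, dhcp_allowed=False):
        """Forwarding decision for one ingress packet."""
        if ingress in self.trusted_ports or ingress not in self.ipsg_ports:
            return "forward"                    # trusted and non-IPSG ports are not filtered
        if proto == "dhcp":
            return "forward" if dhcp_allowed else "drop"   # DHCP Snooping's own verdict
        if proto != "ipv4":
            return "forward"                    # non-IPv4 traffic, ARP included, is permitted
        for b in self.bindings:
            if (b.status == "active" and b.interface == ingress
                    and b.vlan == vlan and b.ip == src_ip):
                return "forward"
        return "drop"                           # no active binding for this source on this port


def demo():
    sw = IpSourceGuard(tcam_rules=2, snooped_vlans={10}, trusted_ports={"GE24"},
                       ipsg_ports={"GE1", "GE2"})
    # Constructed bindings; a real switch fills these from DHCP Snooping.
    r1 = sw.add_binding(Binding(10, "00:00:5e:00:53:01", "10.0.10.11", "GE1", lease_end=100))
    r2 = sw.add_binding(Binding(10, "00:00:5e:00:53:02", "10.0.10.12", "GE2", lease_end=200))
    r3 = sw.add_binding(Binding(10, "00:00:5e:00:53:03", "10.0.10.13", "GE2", lease_end=300))
    r4 = sw.add_binding(Binding(20, "00:00:5e:00:53:04", "10.0.20.14", "GE2"))
    inactive = sw.filter("GE2", 10, "ipv4", src_ip="10.0.10.13")   # entry beyond the TCAM budget
    spoof = sw.filter("GE2", 10, "ipv4", src_ip="10.0.10.11")      # address belongs to GE1
    arp = sw.filter("GE2", 10, "arp")
    sw.expire_leases(now=150)     # 10.0.10.11's lease ends, freeing one TCAM rule
    sw.retry_now()
    recovered = sw.filter("GE2", 10, "ipv4", src_ip="10.0.10.13")
    return r1, r2, r3, r4, inactive, spoof, arp, recovered


if __name__ == "__main__":
    print(demo())
```

The point to take from demo() is operational: a host whose binding is inactive for Resource Problem loses IPv4 connectivity silently, with nothing wrong on the host side. When a TCAM-constrained switch fills up, the fix is either freeing TCAM or shortening DHCP leases so entries churn, and the Retry Frequency timer (rather than manual Retry Now) is what brings waiting entries back.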
The entries in the Binding database are displayed with the following fields:
• VLAN ID—VLAN on which the packet is expected.
• MAC Address—MAC address to be matched.
• IP Address—IP address to be matched.
• Interface—Interface on which the packet is expected.
• Status—Displays whether the entry is active.
• Type—Displays whether the entry is dynamic or static.
• Reason—If the entry is not active, displays the reason. The following reasons are possible:
- No Problem—Entry is active.
- No Snoop VLAN—DHCP Snooping is not enabled on the VLAN.
- Trusted Port—Port has become trusted.
- Resource Problem—TCAM resources are exhausted.
To see a subset of these entries, enter the relevant search criteria and click Go.

ARP Inspection
ARP enables IP communication within a Layer 2 broadcast domain by mapping IP addresses to MAC addresses. A malicious user can attack hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and intercepting traffic intended for other hosts on the subnet. This is possible because ARP accepts an unsolicited (gratuitous) reply from a host even if no ARP request was sent, and nothing in the protocol authenticates the sender. After the attack, all traffic from the device under attack flows through the attacker's computer and then on to the router, switch, or host.
The following example illustrates ARP cache poisoning (figure "ARP Cache Poisoning" in the original guide).
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply. The switch and Host A update their ARP caches with the MAC and IP of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses that bind the IP address IA (or IB) to the MAC address MC. Hosts with poisoned ARP caches then use MC as the destination MAC address for traffic intended for IA or IB, which lets Host C intercept that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B: the classic man-in-the-middle attack.

How ARP Inspection Prevents Cache Poisoning
The ARP Inspection feature classifies interfaces as either trusted or untrusted (see the Security > ARP Inspection > Interface Settings page). Interfaces are classified by the user as follows:
• Trusted—Packets are not inspected.
• Untrusted—Packets are inspected as described below.
ARP inspection is performed only on untrusted interfaces. ARP packets received on a trusted interface are simply forwarded.
When an ARP packet arrives on an untrusted interface, the following logic is applied to the sender IP/MAC pair in the ARP body:
• Search the ARP access control rules for the packet's sender IP address. If the IP address is found and the MAC address in the rule matches the packet's sender MAC address, the packet is valid; otherwise it is not.
• If the sender IP address was not found in the rules, and DHCP Snooping is enabled on the packet's VLAN, search the DHCP Snooping Binding database for the sender IP/MAC pair. If the pair is found, and the MAC address and interface in the database match the packet's sender MAC address and ingress interface, the packet is valid.
• If the sender IP address was found in neither the ARP access control rules nor the DHCP Snooping Binding database, the packet is invalid and is dropped. A SYSLOG message is generated.
• If a packet is valid, it is forwarded and the ARP cache is updated.
A consequence worth planning for: a host with a static IP address and no DHCP lease has no binding, so its ARP traffic is dropped on an untrusted port until an ARP access control rule is added for it.
If the ARP Packet Validation option is selected (Properties page), the following additional validation checks are performed:
• Source MAC—Compares the packet's source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
• Destination MAC—Compares the packet's destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.
• IP Addresses—Checks the ARP body for invalid and unexpected IP addresses: 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Packets with invalid ARP Inspection bindings are logged and dropped. Up to 1024 entries can be defined in the ARP Access Control table.
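The validation order above, the ARP Packet Validation checks, and the Host A/B/C scenario from the cache-poisoning example can be traced with the following Python model. It is an added example and not the switch's implementation; interface names, addresses, the packet structure and the choice of which ARP fields the IP address check covers (sender IP in requests and replies, target IP in replies) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

MAX_ACL_ENTRIES = 1024  # guide: up to 1024 entries in the ARP Access Control table


@dataclass
class ArpPacket:
    ingress: str      # ingress interface (constructed names such as "GE2")
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address


def invalid_ip(ip):
    """The IP Addresses check: 0.0.0.0, 255.255.255.255 and any multicast address."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


class ArpInspection:
    def __init__(self, packet_validation=False):
        self.packet_validation = packet_validation   # the Properties page option
        self.trusted = set()           # ARP trusted interfaces: not inspected
        self.inspected_vlans = set()   # VLANs with ARP Inspection enabled
        self.snooped_vlans = set()     # VLANs with DHCP Snooping enabled
        self.acl = {}                  # vlan -> {ip: mac}: the ARP access control rules
        self.bindings = {}             # (vlan, ip) -> (mac, interface): DHCP Snooping bindings
        self.syslog = []

    def add_rule(self, vlan, ip, mac):
        if sum(len(r) for r in self.acl.values()) >= MAX_ACL_ENTRIES:
            raise ValueError("ARP Access Control table is full")
        self.acl.setdefault(vlan, {})[ip] = mac.lower()

    def _binding_valid(self, pkt):
        """Untrusted-interface logic: ARP access control rules first, then the DHCP
        Snooping Binding database (only consulted if the VLAN is snooped)."""
        rules = self.acl.get(pkt.vlan, {})
        if pkt.sender_ip in rules:
            if rules[pkt.sender_ip] == pkt.sender_mac.lower():
                return True, ""
            return False, "sender MAC does not match ARP access control rule"
        if pkt.vlan in self.snooped_vlans:
            entry = self.bindings.get((pkt.vlan, pkt.sender_ip))
            if entry and entry[0] == pkt.sender_mac.lower() and entry[1] == pkt.ingress:
                return True, ""
        return False, "no binding for sender IP/MAC on this interface"

    def _packet_valid(self, pkt):
        """The optional ARP Packet Validation checks (assumed field coverage, see lead-in)."""
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return False, "source MAC mismatch"
        if pkt.op == "reply" and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return False, "destination MAC mismatch"
        if invalid_ip(pkt.sender_ip) or (pkt.op == "reply" and invalid_ip(pkt.target_ip)):
            return False, "invalid IP address in ARP body"
        return True, ""

    def inspect(self, pkt):
        """Return "forward" or "drop"; dropped packets are logged, as the guide says."""
        if pkt.ingress in self.trusted or pkt.vlan not in self.inspected_vlans:
            return "forward"
        ok, why = self._binding_valid(pkt)
        if ok and self.packet_validation:
            ok, why = self._packet_valid(pkt)
        if not ok:
            self.syslog.append(f"ARP {pkt.op} dropped on {pkt.ingress} vlan {pkt.vlan} "
                               f"sender {pkt.sender_ip}/{pkt.sender_mac}: {why}")
            return "drop"
        return "forward"


def demo():
    """The guide's Host A / B / C scenario on VLAN 10 with constructed addresses."""
    dai = ArpInspection(packet_validation=True)
    dai.inspected_vlans.add(10)
    dai.snooped_vlans.add(10)
    dai.trusted.add("GE24")                                  # uplink to the router
    MA, MB, MC = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    IA, IB, IC = "10.0.10.1", "10.0.10.2", "10.0.10.3"
    dai.bindings[(10, IA)] = (MA, "GE1")                     # as learned by DHCP Snooping
    dai.bindings[(10, IB)] = (MB, "GE2")
    dai.bindings[(10, IC)] = (MC, "GE3")
    dai.add_rule(10, "10.0.10.50", "00:00:5e:00:53:50")      # static host without a DHCP lease
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    # Host B answers Host A's request: valid binding, consistent headers.
    good = dai.inspect(ArpPacket("GE2", 10, MB, MA, "reply", MB, IB, MA, IA))
    # Host C forges a reply binding IA to MC: the cache-poisoning attack from the guide.
    poison = dai.inspect(ArpPacket("GE3", 10, MC, MA, "reply", MC, IA, MA, IA))
    # The same forged reply arriving on the trusted uplink is not inspected at all.
    uplink = dai.inspect(ArpPacket("GE24", 10, MC, MA, "reply", MC, IA, MA, IA))
    # Static rule: the listed MAC passes; another MAC fails without consulting DHCP bindings.
    static_ok = dai.inspect(ArpPacket("GE5", 10, "00:00:5e:00:53:50", bcast, "request",
                                      "00:00:5e:00:53:50", "10.0.10.50", zero, IA))
    static_bad = dai.inspect(ArpPacket("GE5", 10, MC, bcast, "request", MC, "10.0.10.50", zero, IA))
    # Packet validation: Ethernet source MAC disagrees with the ARP sender MAC.
    header_mismatch = dai.inspect(ArpPacket("GE2", 10, MC, MA, "reply", MB, IB, MA, IA))
    return good, poison, uplink, static_ok, static_bad, header_mismatch, len(dai.syslog)


if __name__ == "__main__":
    print(demo())
```

Two results of demo() deserve attention. The forged reply is accepted unconditionally on the trusted uplink, so trusting a port that an attacker can reach (an unmanaged switch or a conference-room port) reopens the whole attack. And with packet_validation on, a reply whose Ethernet source differs from its ARP sender MAC is dropped even though its IP/MAC binding is correct; that is the intended behaviour, but it is also what a misbehaving NIC driver or a bridged VM looks like, so check the SYSLOG reasons before blaming the feature.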
Interaction Between ARP Inspection and DHCP Snooping
If DHCP Snooping is enabled, ARP Inspection uses the DHCP Snooping Binding database in addition to the ARP access control rules. If DHCP Snooping is not enabled, only the ARP access control rules are used.

ARP Defaults
The following table describes the ARP Inspection defaults:

Option                           Default State
Dynamic ARP Inspection           Not enabled
ARP Packet Validation            Not enabled
ARP Inspection Enabled on VLAN   Not enabled
Log Buffer Interval              SYSLOG message generation for dropped packets is enabled at a 5-second interval

ARP Inspection Work Flow
To configure ARP Inspection:
STEP 1 Enable ARP Inspection and configure the various options in the Security > ARP Inspection > Properties page.
STEP 2 Configure interfaces as ARP trusted or untrusted in the Security > ARP Inspection > Interface Settings page.
STEP 3 Add rules in the Security > ARP Inspection > ARP Access Control and ARP Access Control Rules pages.
STEP 4 Define the VLANs on which ARP Inspection is enabled and the Access Control Rules for each VLAN in the Security > ARP Inspection > VLAN Settings page.

Defining ARP Inspection Properties
To configure ARP Inspection: