Metro Ethernet Security Ulf Vinneras CCIE 6798 © 2002, Cisco Systems, Inc. All rights reserved. 1 Agenda Metro Ethernet Security • Feature Overview • Box security SNMP, pwd recovery, telnet/consol • Networking protocols IGP, EGP, HSRP, VRRP, Spanning-tree, cdp, ip spoofing • User protection Security between users Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 222 Feature overview Private vlan Ulf Vinneras CCIE 6798 © 2002, Cisco Systems, Inc. All rights reserved. 3 Private vlan Metro Ethernet Security • To get more efficiency when creating the ip-subnets, there is a need to have large vlans (especially if using real ip addresses) • From a security perspective, it would be best if every user belongs to his own subnet Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 444 Private vlan Metro Ethernet Security SINGLE SUBNET PRIVATE VLAN 1 1 1 2 2 3 3 3 x AAcccceessss LLaayyeerr 22 Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 555 Private vlan, limitations Metro Ethernet Security • For security reasons, private VLAN interface learned ARP entries do not age out. • This is a problem in a DHCP environment If a customer shuts down his pc it is not possible to assign “his old” ip address to a new customer. This is however possible to turn off from 12.1.11E MSFC: dr1.row2.lab(config)# int vlan 310 dr1.row2.lab(config-if)# Description public part of pvlan dr1.row2.lab(config-if)# no ip pvlan-sticky-arp http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/1687_pp.htm Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 666 Feature overview Private vlan edge Ulf Vinneras CCIE 6798 © 2002, Cisco Systems, Inc. All rights reserved. 7 Private vlan edge Metro Ethernet Security • A one box only version of the pvlan feature • Modes are uplink or user-ports, can’t span over several devices interface GigabitEthernet0/1 description ******uplink ****** /* no pvlan edge config needed, all ports that doesn’t have port protected configured will automatically be seen as uplink if we have port protected on at least one port on the switch */ Uplink Uplink interface FastEthernet0/2 description ****** clientport ****** port protected Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 888 Pvlan / edge, neighbour communication? Metro Ethernet Security • This is an ISP service, we can’t live with a limitation where two customers connected to the same switch can’t talk to each other! • Local proxy arp Answer on behalf of someone else MSFC: dr1.ank1.se(config)# interface vlan 30 dr1.ank1.se(config-if)# ip local-proxy-arp Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 999 Pvlan / edge, neighbour cont 1 Metro Ethernet Security • For local data traffic, between users on the same switch, all data will go via the router Ip 1.1.1.1 0030.b635.d7d0 6500 running local proxy arp Local proxy arp kicks in, answer with: Ip 1.1.1.11 has mac 0030.b635.d7d0 2950 running port protect Arp for 1.1.1.11 100 Mb switch owned by the customer Ip 1.1.1.11 0007.0eb4.20b7 Ip 1.1.1.10 0003.478e.73fd Ulf Vinneras CCIE 6798 © 2003, Cisco Systems, Inc. All rightsreserved. 111000
Description: