VLAN Assignment cisco

VLAN Assignment 326

A more advanced form of authorization is VLAN assignment.

VLAN assignment is achieved with the ability of a network to dynamically assign a VLAN to a client-connecting port based on the authentication process. Fundamentally, this capability is based on the standards outlined in RFC 2868. By dynamically assigning VLAN values to client-connecting ports based on the client's authenticated identity, the network maintains the ability to group users as per administrative policy. This allows the notion of groups and group-applicable policy profiles to be carried down to the networking level. An example of this would be if users in Group A were allowed complete access, while users in Group B were limited to accessing only public resources and servers that held nonconfidential information. Applying the ability to limit access by risk criteria or levels allows a network administrator to minimize overall security exposure and risk. Also, based on the consistent architecture MAB promotes along with 802.1X, both techniques can automatically leverage any specialized policy enforcement that is available to be deployed with the same basic architecture.

No special configuration on a switch is needed to perform dynamic VLAN assignment with 802.1X or MAB. VLAN assignment is done by name with MAB, like it is with 802.1X. This can support flexible VLAN-management techniques for various Layer 2 or Layer 3 VTP architectures, which allows for flexibility among separate Layer 2 domains. The architecture also allows for policies to be applied to groups or to a per-device level. Depending on the specific need, either 802.1X devices or MAB devices can be managed on a per-host basis.

Remember: On Cisco IOS-based switches, make sure you enable AAA and specify the authentication and authorization methods:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

For an authentication server, three standard RADIUS attributes are required, as defined by RFC 2868:

[64] Tunnel-Type: "VLAN" (13)
[65] Tunnel-Medium-Type: "802" (6)
[81] Tunnel-Private-Group-ID: VLAN name

The main benefits of dynamically assigning VLANs based on authenticated identity are to apply group security and access policies.

These attributes enable any user who is a member of the group configured for VLAN assignment to be assigned to it. The VLAN (and its name) must be present on the switch and be the identical name of the configuration on the authentication server. This includes white spaces and capitalization. If any of these are not valid, a switch denies authorization. A user might provide a credential allowing him to gain access to the network on a VLAN. However, if the switch cannot verify the information about the VLAN itself (through any sort of VLAN name mismatch, typo, and so on), a switch treats this as a user not providing valid credentials.

By leveraging dynamic policy enforcement, this completes the ability to differentiate between 802.1X and 802.1X-clientless sessions on the network. Attaining advanced forms of authorization, such as VLAN assignment, also increases the end-to-end impact of IBNS to provide access control.
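The attribute layout and the switch-side check described above, as an added example that is not code from the book or from Cisco IOS: a Python encoder and parser for the three RFC 2868 tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81), followed by the exact-name lookup against the switch's VLAN table, where a difference in case or white space leads to a denied authorization. The wire layout (type, length, one-byte tag, value) follows RFC 2868; the `SWITCH_VLANS` table and the VLAN names are constructed sample data, and `encode_vlan_attrs`, `parse_attrs`, `vlan_from_access_accept` and `authorize` are hypothetical names.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2868 attribute numbers and the values the text lists for VLAN assignment
TUNNEL_TYPE = 64                # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65         # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81    # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13           # "VLAN"
TUNNEL_MEDIUM_802 = 6           # "802"


def encode_vlan_attrs(vlan_name: str, tag: int = 0) -> bytes:
    """Serialize the three AVPs as Type, Length, Tag, Value (RFC 2868 layout)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 0x01-0x1F")
    name = vlan_name.encode()
    if not 1 <= len(name) <= 252:
        raise ValueError("VLAN name must be 1-252 bytes")
    tunnel_type = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    group = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(name), tag) + name
    return tunnel_type + medium + group


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting truncated or malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length exceeds packet")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def vlan_from_access_accept(data: bytes) -> Optional[str]:
    """Return the VLAN name only if all three attributes are present, share one
    tag, and say Tunnel-Type=VLAN / Tunnel-Medium-Type=802; otherwise None."""
    found: Dict[int, Tuple[int, object]] = {}
    for atype, val in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                return None
            found[atype] = (val[0], int.from_bytes(val[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not val:
                return None
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            found[atype] = (tag, text.decode(errors="replace"))
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return None
    if len({v[0] for v in found.values()}) != 1:
        return None                      # attributes from different tunnel groups
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


def authorize(data: bytes, switch_vlans: Dict[str, int]) -> Tuple[str, object]:
    """Switch-side rule from the text: the name must exist on the switch exactly
    (white space and capitalization included) or authorization is denied."""
    name = vlan_from_access_accept(data)
    if name is None:
        return ("denied", "missing or inconsistent tunnel attributes")
    if name not in switch_vlans:
        return ("denied", f"VLAN name {name!r} not configured on switch")
    return ("authorized", switch_vlans[name])


# Constructed sample VLAN table for a switch (names are exact-match keys).
SWITCH_VLANS = {"Engineering": 20, "Guests": 10}

if __name__ == "__main__":
    for candidate in ("Engineering", "engineering", "Engineering "):
        print(repr(candidate), "->", authorize(encode_vlan_attrs(candidate), SWITCH_VLANS))
```

Running the block shows the first name authorized into VLAN 20 and the two variants denied, which is the behaviour the text describes for a case or white-space mismatch between the server's configuration and the switch.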

Summary

Through the use of IBNS technology, you can improve your network security model. With the increasing demands on today's networks and the need to share information not only within an organization, but with the outside world, security, along with network access, has become a top priority. Value provided by IBNS includes keeping the outsiders out and reducing potential network attacks. This way, only authorized users can gain network access; unauthorized or unknown users can be denied access or granted guest access.

The IEEE 802.1X specification for port-based network control has become the standard method for Layer 2 authenticated access, not only with wireless, but also with wired ports. 802.1X is a core technology component in support of access control to advance end-to-end IBNS. One challenge in wired topologies and IEEE 802.1X is how to support yesterday's cutting edge, which is now today's legacy. Most legacy devices (such as printers and VoIP phones) and some emerging devices (such as IP security cameras) do not have the ability to support an 802.1X supplicant, but they must be included in any common IBNS architecture. MAB is not meant to replace 802.1X; instead, it is meant to allow for an alternate means of authentication when a host or device does not respond to the network access device's request for credentials. The IEEE 802.1X standard and MAB allow for the dynamic configuration of access ports and for implementing the corporate security policy on the port level. MAB addresses the difficulty of deploying an 802.1X infrastructure throughout a network LAN. An 802.1X supplicant is required to authenticate to an authentication server through a network access device. MAB allows devices without this 802.1X capability to access the network and perform their intended function while allowing Layer 2 authentication to function and participate in the dynamic deployment of network policy.

The Guest-VLAN is also an option for devices incapable of 802.1X. By combining MAB and the Guest-VLAN, you can now differentiate between clientless stations in support of device-specific access control as an application of IBNS. Also, the access-control methods described in this chapter provide various levels of user access, which makes it the first element of network security. Also, these access levels can take on more of a matrix model, with administrative and local roles dictating where access can be applied. Overall, IBNS can help reduce overall risk, add value, and remove operational cost (while promoting security) from your business because of its logical network overlay.

References

IEEE. IEEE P802.1X-REV/D11, Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control. July 2004.

IETF. RFC 2868, "RADIUS Attributes for Tunnel Protocol Support." July 2000.

IETF. RFC 3748, "Extensible Authentication Protocol (EAP)." June 2004.

IETF. RFC 3579, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)." September 2003.

IETF. RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines." September 2003.

Policy Enforcement

Authorization is the embodiment of the ability to enforce policies on identities. Typically, individuals are placed into a group based on an organization or role. The security policy enforced is applied to the group, which has the benefit of easier management. Part of the IBNS strategy is to enable the flexibility of enforcing policies or access profiles on the network based on a network client's authenticated identity. The goal is to take the notion of group management and policies into the network. The most basic authorization in 802.1X or MAB for IBNS is the ability to allow/disallow access to the network at the link layer.

MAB Operation

As indicated in prior sections for 802.1X deployments, only EAPOL control frames are generally processed by switch ports while 802.1X is maintained in an operating and active state. However, this also means that MAC addresses from any edge device might not be known until EAPOL frames are processed from it. These are the security benefits of 802.1X, and they do not change in any way with respect to any MAB implementation. Because it is noteworthy to this discussion, spanning tree is not even in a forwarding state on the port until it is authorized through 802.1X.

There is no differentiating capability for the Guest-VLAN. If the client on the wire cannot speak 802.1X, the Guest-VLAN is enabled. Any device deployed into a Guest-VLAN might be a machine on the network that an administrator does not need or want to be placed in a Guest-VLAN. Hence, the ability to apply differentiated services based on the MAC address alone is useful for identification purposes. Upstream, the Guest-VLAN might also only have access to limited resources, as defined by the network administrator.

Prior to MAB, a MAC address might only be known to a switch port after the port is enabled and placed into a Guest-VLAN. Also, after a port is enabled and placed into a Guest-VLAN, no authentication (other than EAPOL detection by a supplicant) takes place on the port directly, and the network can learn any number of MAC addresses on the port by default (which inherently does not provide security). Hence, there are limitations in attempting to use the Guest-VLAN concept as a solution to provide access for any managed non-802.1X devices in the context of IBNS.

So, what is needed is a way to update a switch CAM table with a (single) MAC address while not circumventing the value added from a port-based 802.1X solution to begin with. MAB makes an effort to leverage similar efforts that are already applied to other authentication schemes or mechanisms (802.1X/EAP). This makes deployments easier for you to deploy and understand. MAB provides this controlled access to devices based on their MAC address. MAB should allow non-802.1X-compliant end devices to be governed by controlled access to the network in a transparent manner using a prepopulated database technique. The requirement for enabling access for clients that do not support 802.1X supplicant functionality is applicable to IBNS, where a need exists to enable network access for all clients. It is critical to IBNS for MAB to leverage dynamic policy assignment. MAB allows end users to authenticate (without any supplied credentials). MAB is not designed to directly provide a MAC address learning capability, in much the same way that 802.1X does not directly provide a credential learning mechanism. It is to be provided only as a means of authentication and enforcement. Although MAB requires some form of a provisioning process, the described functionality is independent of any actual processes. Alone, this process assumes MAC addresses are already known. MAB should then allow clients that cannot/do not support 802.1X the necessary functionality to integrate into an IBNS strategy. Like 802.1X, MAB is designed for the access layer and to address the need for network-edge authentication similar in nature and benefits to the functionality provided by the IEEE 802.1X framework (without the requirement for client-side code).

Much like the Guest-VLAN, MAB operates based on an 802.1X timeout condition. After a switch port can determine that an 802.1X supplicant is not present on the port, it falls back to checking the MAC address (which is an authentication method of lesser security). After timing out 802.1X on the port, a switch can learn a MAC address through classic MAC learning techniques. After a MAC address is learned, it is authenticated in much the same way an 802.1X supplicant would be authenticated. RADIUS is used as an AAA protocol for authorization criteria, and the switch acts as a proxy. Figure 17-7 illustrates a complete operational flow of MAB.

Figure 17-7 MAB Operation

As Figure 17-7 illustrates, MAB only initiates after an 802.1X timeout. MAB then requires a variable amount of time for the end station to attempt to send traffic into the network for the MAC to be learned by the switch. After this occurs, RADIUS is performed to the backend, asking if the MAC should be allowed network access.

After a host/device fails to supply 802.1X authentication credentials, the network-access device takes the learned MAC address and hands it off to the authentication server as both the username and password. If the host/device fails to authenticate at this level, a user can optionally be placed into a predetermined Guest-VLAN and, at this time, other authentication methods can be attempted. Alternatively, the Guest-VLAN can be used as a means to support a MAC address provisioning process through scanning techniques or captive portal techniques, if end users are applicable to the devices seeking to be authenticated. Ultimately, if the host/device passes with MAB credentials, the user can then be placed into the configured VLAN and obtain an IP address to begin its desired functions. Operationally, MAB greatly relies on an 802.1X timeout condition; this timeout is configurable. See the section, "802.1X Guest-VLAN Timing," for timeout specifics.

Optionally, dynamic policy can be downloaded from RADIUS the same way this can be achieved with 802.1X in the form of VLAN assignment. This allows for consistent processing of authentication features to be applied in a consistent manner. Dynamic policy downloaded from an authentication server includes any capability currently available with 802.1X on the access switch in question (such as per-user ACLs, VLAN assignment, and so on). Also, the validity of the authorized session is enforced on the switch in much the same way it is enforced with 802.1X. This enforcement is accomplished by matching the traffic originating on the authenticated port to come from only the authorized MAC address. With MAB, by default, only one host can be authenticated and locked down per port. Any new MAC address that is seen to attempt to pass traffic on a port is treated as a security violation.

[Figure 17-7 residue: sequence between Client, Dot1x/MAB (switch), and RADIUS. Upon linkup the switch sends three EAPOL-Request (Identity) frames to 01.80.c2.00.00.03, 30 seconds apart (steps 1-3); EAPOL-Timeout and Initiate MAB (steps 4-5); the switch learns the client MAC 00.0a.95.7f.de.06 after a variable delay (step 6); RADIUS Access-Request and Access-Accept (steps 7-8); Port Enabled.]

Like 802.1X, MAB is a port-based feature; it is required to be discretely enabled on ports. The following represents a specific port configuration with MAB added:

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto

MAB activates when 802.1X times out waiting for an EAPOL packet on the wire. The 802.1X state machine enters a waiting state and relinquishes control over to MAB to begin device authorization upon this timeout occurring. MAB runs passively and does not transmit any packets to detect devices. Again, the responsibility lies with the attached device to send traffic. If a device sends no traffic, technically, a port could be listening for packets forever after MAB activates. When packets arrive on a port where MAB is active, this results in the switch forwarding packets to the CPU. The source MAC address is gleaned off the packet and forwarded to the MAB process for authentication. The trigger packet itself is needed for session state creation. Any time MAB activates, if an EAPOL packet is detected on the wire (such as an EAPOL-Start from an 802.1X supplicant), 802.1X never relinquishes control over to MAB. The history of EAPOL packets seen on the wire is maintained as long as the port is physically connected. This history is lost upon a physical link change, because the state machine for both technologies is directly dependent on link state.

After MAB activates, a port is typically in an unauthorized state (because 802.1X times out). So, while waiting for a packet to glean a MAC address, if an EAPOL packet is detected, MAB deactivates and relinquishes complete control to 802.1X. 802.1X then attempts to authenticate the port. From then on, MAB never activates as long as the link is never lost on the port.

In some cases, MAB might have authorized a port already, and 802.1X is then seen on the wire. An example of this might be a successful MAB attempt before 802.1X has started on the client (such as when timers are tweaked for early timeout), or MAB being performed in an effort to assist the end station in downloading 802.1X-supplicant software. Typically, in this condition, the MAC addresses from both events match. However, if a port is authorized with MAC address A, and an EAPOL packet arrives with a source MAC address of B, this triggers a security violation by the switch.

The Guest-VLAN also serves as a failure policy for MAB if configured on the same port as MAB. Otherwise, the failure policy for MAB is to always try to 802.1X-authenticate the port again. Today, for Cisco IOS-based switches, this is primarily caused by a MAB failure actually causing the port to go into the failure state, just like when an 802.1X supplicant fails authentication. So, after 802.1X is attempted again and times out again, MAB is attempted again. However, because the Guest-VLAN can serve as the failure criteria for MAB if it's configured along with MAB, this might provide systemic value. An example of the value it could provide is for MAB and the Guest-VLAN to indirectly provide a means to provision credentials in an identity store for MAC addresses that might not be known in advance to a network. Figure 17-8 depicts this operation.

Figure 17-8 802.1X, MAB, and Guest-VLAN Interaction

The operational nature of this feature interaction was designed primarily as part of MAB to support backward compatibility for devices that cannot speak 802.1X and have deployed the Guest-VLAN.

NOTE If a port is initially configured for 802.1X with Guest-VLAN, and the port activates in the Guest-VLAN, it remains there even though a network administrator enables MAB. The port link status must be flapped to initialize the 802.1X state machine.

In summary, MAB functions as a port-based feature. It is primarily used as a fallback mechanism to 802.1X. Like 802.1X, there is no de facto ability to support more than one MAC per port. A MAB port can be optionally enabled for multihost mode, just like it is done with 802.1X. MAB cannot be used as a means to deal with failed 802.1X authentication attempts. MAB provides more options if you have bought into port security with configured MAC addresses. These options include the promotion of mobility, dynamic downloading of policy, and so on. MAB provides a migration path from legacy technologies, such as VMPS. MAB also works with any standard RADIUS server (with a default timeout of 30 seconds with three retries). This means that the total timeout period is at least 90 seconds by default, which is the same minimum default timeout of the Guest-VLAN. A device must also send traffic into a switch for the MAC to be learned after the 802.1X timeout. If MAB fails, network access is implicitly denied. If MAB fails and the Guest-VLAN is also configured, the Guest-VLAN is enabled (for backward compatibility). MAB does not call for a provisioning mechanism, although the Guest-VLAN can assist in this process.

[Figure 17-8 residue: flowchart with decision boxes "802.1X Enabled?", "MAC-Auth Enabled?", "Guest-VLAN Enabled?", "802.1X Time Out?", "MAC-Auth Time Out?", "Initiate Auth" and "Auth Succeed?", ending in "Authz Port" or "Deny Access".]

MAC Authentication Primer
MAC address authentication itself is not a new idea. One classic flavor of this is port
security. Another flavor is the Cisco VLAN Management Policy Server (VMPS)
architecture. With VMPS, you can have a text file of MAC addresses and the VLANs to
which they belong. That file gets loaded into the VMPS server switch through TFTP. All
other switches then check with the VMPS server switch to see which VLAN those MAC
addresses belong to after being learned by an access switch. Also, you can define actions
for the switch to take if the MAC address is not in the MAC address text file. No other
security is enforced. Along the same lines as VMPS, another legacy flavor is the
User-Registration Tool (URT), which uses the VLAN Query Protocol (VQP) and acts like
a VMPS. Wireless also has a version of this support available on most APs and/or
controllers. This base functionality for MAC address checking is already in place. For
example, wireless APs have the ability to initiate a Password Authentication Protocol (PAP)
authentication with a RADIUS server by using a client's MAC address as a username/
password. Wireless devices can accomplish this based on the fact that initial associations
have already been made (and based on that association, traffic to/from a wireless network
interface card [NIC] is blocked). No such association currently exists in the wired space.
As described in this chapter, MAB represents an attempt to make a wired equivalent of this
functionality that integrates with 802.1X. Similar to the operation examined here, MAB in
the wireless space has its own similar security concerns, most notably granting network
access on a MAC address. This is potentially a security risk because of the nature of the
authentication method used. MAC addresses can be easily mirrored or spoofed.

802.1X Guest-VLAN

If you start to deploy 802.1X in a network, leveraging Guest-VLAN functionality is a key element in providing network access to clients who are not equipped with an 802.1X supplicant. The 802.1X Guest-VLAN functionality was initially developed as a migration tool to allow enterprises to easily migrate client devices to support 802.1X while still providing network connectivity.

Any VLAN can be configured as the Guest-VLAN, except private VLANs (PVLANs), voice VLANs (VVID), and the VLAN used for Remote SPAN (RSPAN). Most Cisco Catalyst platforms currently support the Guest-VLAN feature. Figure 17-6 demonstrates the functionality of the 802.1X Guest-VLAN feature.

Currently, when a switch port initially receives a link, an EAP-Identity-Request message is sent to actively look for an 802.1X supplicant. This happens regardless of whether the device connected to the port is actually equipped with the supplicant.

Figure 17-6 802.1X Guest-VLAN Operation

802.1X Guest-VLAN Timing

Assuming that a user does not have the 802.1X capability on her machine, the request from the switch goes unanswered. After the expiration of a timer (tx-period), the switch sends a new EAP-Identity-Request frame. The 802.1X specification dictates this behavior. This process continues until the third request from the switch goes unanswered. The number of retries is bound by the value of the max-reauth-req parameter. After the maximum number of retries is exceeded, and if the switch port has been configured with the 802.1X Guest-VLAN functionality, the port is moved to the Guest-VLAN, and the switch sends an EAP-Success message. The client ignores and discards this message if not enabled for 802.1X.

From the point of view of the 802.1X process, the port has become authorized, and the 802.1X state machine has entered the authenticated state; no other security or authentication mechanisms are applied. (The 802.1X state machine stops running.) It is basically as if the administrator disabled 802.1X and hardset the port into that specific VLAN. The behavior illustrated is accurate when using default values for the 802.1X parameters that affect Guest-VLAN functionality: max-reauth-req and tx-period.

The max-reauth-req parameter sets the maximum number of times that the switch retransmits an EAP-Identity-Request frame on the wire before receiving a response from the connected client. By default, this value is set to 2. This is why Figure 17-6 shows two retries (Steps 2 and 3) after the initial EAP-Identity-Request frame sent at linkup. Here is the command that changes this parameter:

Switch(config-if)#dot1x max-reauth-req ?
<1-10> Enter a value between 1 and 10

[Figure 17-6 residue: Client and Dot1x Process; upon link up the switch sends three EAPOL-Request (Identity) frames to 01.80.c2.00.00.03, 30 seconds apart (steps 1-3), then an EAP-Success to the client with MAC 00.0a.05.71.de.08 (step 4).]

The tx-period parameter sets the number of seconds that the switch waits for a response to an EAP-Identity-Request frame from the client before resending the request. The default value is 30 seconds; it is configurable as follows:

Switch(config-if)#dot1x timeout tx-period ?
<1-65535> Enter value between 1 and 65535

NOTE The max-req parameter is part of the configurable 802.1X parameters in Cisco IOS. The max-req parameter is different from the max-reauth-req parameter and represents the maximum number of retries a switch performs for EAP-Request frames of types other than EAP-Identity-Request. Basically, this parameter refers to EAP-Data frames, which are the EAP frames exchanged after the supplicant has replied to the initial EAP-Identity-Request frame. For this reason, the max-req parameter is only effective when an actual 802.1X supplicant is connected, and it does not apply to Guest-VLAN services.

The overall default configuration of the 802.1X Guest-VLAN is relatively simple, and it is demonstrated as follows:

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
dot1x port-control auto
dot1x guest-vlan 10

The following formula calculates the time interval before the Guest-VLAN is enabled:

[(max-reauth-req + 1) * tx-period]

The time to enable a port in the Guest-VLAN can be tweaked to 2 seconds:

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
dot1x port-control auto
dot1x guest-vlan 10
dot1x timeout tx-period 1
dot1x max-reauth-req 1

Only attempt this configuration after you consider the consequences that this can have on the regular functionality of 802.1X. For example, if you configure the Guest-VLAN to be a different VLAN than the access VLAN, a port might move into the Guest-VLAN too quickly; if protecting the end host is paramount, this operation might not be desired. Also, from a security perspective, 802.1X is the dialup networking model. The default timers tend to follow least-access principles in terms of security, to provide access only when a supplicant dials on the connection. Also, analyzing the interaction issues between 802.1X and DHCP at startup time helps in understanding this. In the end, it is possible to set the tx-period and max-reauth-req parameters to the minimum configurable values to reduce the time interval required for the deployment of a switch port in the Guest-V
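The timing formula above and the fallback order described here and in "MAB Operation" (EAP-Identity-Requests every tx-period, timeout after max-reauth-req retries, MAB gleaning a MAC from the first data frame, the Guest-VLAN as the failure policy, and an EAPOL frame always taking precedence over MAB), as an added example that is not from the book or from Cisco IOS: a Python model of one port's decision flow driven by a constructed trace of what the attached device does. The RADIUS step is reduced to a membership test against a constructed MAC list, and `PortConfig`, `Outcome`, `guest_vlan_delay` and `run_port` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class PortConfig:
    """Per-port settings taken from the configurations shown in the text."""
    access_vlan: int
    tx_period: int = 30               # dot1x timeout tx-period (seconds), default 30
    max_reauth_req: int = 2           # dot1x max-reauth-req, default 2
    mab: bool = False                 # dot1x mac-auth-bypass configured
    guest_vlan: Optional[int] = None  # dot1x guest-vlan <id>, None if not configured


@dataclass
class Outcome:
    state: str                        # authorized / guest / unauthorized / violation
    method: Optional[str]             # "802.1X", "MAB", "Guest-VLAN" or None
    vlan: Optional[int]
    elapsed: int                      # seconds after linkup when the decision was made
    log: List[str] = field(default_factory=list)


def guest_vlan_delay(cfg: PortConfig) -> int:
    """Seconds from linkup until 802.1X gives up: [(max-reauth-req + 1) * tx-period]."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def run_port(cfg: PortConfig, events: List[Tuple[int, str, str]],
             mab_db: Set[str], mab_vlan: Optional[int] = None) -> Outcome:
    """Replay a constructed device trace against the port.
    events:  (seconds_after_linkup, "eapol" | "frame", source_mac)
    mab_db:  MACs the RADIUS server accepts (username and password are the MAC)
    mab_vlan: VLAN assigned on MAB success (None: the port's access VLAN)
    Follows the decision flow of Figure 17-8 with RADIUS reduced to a set lookup."""
    timeout = guest_vlan_delay(cfg)
    log = [f"t=0: linkup, EAP-Identity-Request with {cfg.max_reauth_req} retries "
           f"every {cfg.tx_period}s"]
    state = "dot1x"                   # dot1x -> mab -> mab-authz
    auth_mac = auth_vlan = auth_t = None

    def on_timeout() -> Optional[Outcome]:
        nonlocal state
        if cfg.mab:
            state = "mab"
            log.append(f"t={timeout}: 802.1X timed out, MAB listening passively")
            return None
        if cfg.guest_vlan is not None:
            log.append(f"t={timeout}: 802.1X timed out, port moved to Guest-VLAN")
            return Outcome("guest", "Guest-VLAN", cfg.guest_vlan, timeout, log)
        log.append(f"t={timeout}: 802.1X timed out, port stays unauthorized")
        return Outcome("unauthorized", None, None, timeout, log)

    def on_mab_failure(t: int) -> Outcome:
        if cfg.guest_vlan is not None:    # the Guest-VLAN is MAB's failure policy
            log.append(f"t={t}: MAB failed, Guest-VLAN used as failure policy")
            return Outcome("guest", "Guest-VLAN", cfg.guest_vlan, t, log)
        log.append(f"t={t}: MAB failed, access denied; 802.1X retried on the port")
        return Outcome("unauthorized", None, None, t, log)

    for t, kind, mac in sorted(events):
        if state == "dot1x" and t >= timeout:
            done = on_timeout()
            if done:
                return done
        if kind == "eapol":
            if state in ("dot1x", "mab"):    # a supplicant always wins over MAB
                log.append(f"t={t}: EAPOL from {mac}, 802.1X authenticates the port")
                return Outcome("authorized", "802.1X", cfg.access_vlan, t, log)
            if mac != auth_mac:              # MAB authorized A, EAPOL arrives from B
                log.append(f"t={t}: EAPOL from {mac} on port authorized for {auth_mac}")
                return Outcome("violation", None, None, t, log)
        elif kind == "frame":
            if state == "dot1x":
                log.append(f"t={t}: frame from {mac} dropped, only EAPOL is processed")
            elif state == "mab":
                log.append(f"t={t}: MAC {mac} gleaned, RADIUS Access-Request sent")
                if mac not in mab_db:
                    return on_mab_failure(t)
                state, auth_mac, auth_t = "mab-authz", mac, t
                auth_vlan = cfg.access_vlan if mab_vlan is None else mab_vlan
                log.append(f"t={t}: Access-Accept, port authorized in VLAN {auth_vlan}")
            elif mac != auth_mac:            # one host per port by default
                log.append(f"t={t}: second MAC {mac} on an authorized port")
                return Outcome("violation", None, None, t, log)
    if state == "dot1x":
        done = on_timeout()
        if done:
            return done
    if state == "mab":
        log.append("MAB still listening: the device never sent traffic")
        return Outcome("unauthorized", None, None, timeout, log)
    return Outcome("authorized", "MAB", auth_vlan, auth_t, log)


if __name__ == "__main__":
    port = PortConfig(access_vlan=2, mab=True, guest_vlan=10)   # constructed port
    printer = {"00.0a.95.7f.de.06"}                            # constructed MAB database
    result = run_port(port, [(100, "frame", "00.0a.95.7f.de.06")], printer, mab_vlan=20)
    print("\n".join(result.log))
    print(result.state, result.method, result.vlan, f"after {result.elapsed}s")
```

With the defaults the 802.1X timeout lands at 90 seconds, the same figure the MAB summary gives; the tweaked configuration (tx-period 1, max-reauth-req 1) brings it to 2 seconds, and the trace makes visible why MAB can take longer than that: the device has to send a frame after the timeout before anything is gleaned.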

Working with Accessories Butterfingers of 802.1X

Today, 802.1X is the recommended port-based authentication method at the access layer in enterprise networks.

290 Chapter 17: Identity-Based Networking Services with 802.1X

However, not all devices have an 802.1X-supplicant capability embedded into their operating system (OS). For example, most printers, IP phones, fax machines, and so on do not have this capability, but they still need to be allowed into the network even without 802.1X authentication. A second authentication method should be employed as the basis of the nonresponsive host issue with 802.1X. This solution-based feature set is MAC Authentication Bypass (MAB). IBNS also focuses on clients who do not possess 802.1X capability or whose 802.1X capability might be temporarily suspended to support mobility into environments where the end user/client might not be otherwise known to the authentication infrastructure in advance. When 802.1X is implemented in such an environment, you generally need the ability to dynamically provision individual MAC addresses (without impacting service availability) for network authentication of nonresponsive devices, such as printers, videoconferencing units, satellite receivers, faxes, and so on. MAB controls network access based on a MAC address. MAB's goals are to provide network access control on a port basis based on a MAC address and to dynamically apply policy to a client session based on a MAC address.

The Guest-VLAN might also provide access for clients incapable of 802.1X and where the client MAC address might be unknown in advance. Although originally designed as a deployment enabler for 802.1X-supplicant functionality on end stations, the Guest-VLAN also provides an option for mobile guest users.

Multihost Mode

When you must include hubs in your network topology, multihost mode is available as an option. In general, multihost mode does not change the default operation for 802.1X, and it is available on all Catalyst switches. To enable multihost mode on a switch running Cisco IOS software, enter the following command:

dot1x host-mode multi-host

The capital aberration amid single-auth approach and multihost approach is that afterwards a MAC

address is accurate and authorized, any cardinal of MAC addresses abaft a hub can

access the network. As a result, back application multihost approach alone, there is no way to restrict

the cardinal of MAC addresses on a port. The anchorage is accessible for admission by any affiliated host

after the anchorage is accustomed application 802.1X. In effect, multihost approach uses 802.1X to

authenticate a distinct anchorage and again authorizes admission to any added hosts that ability be

connected to the anchorage through a hub.

For switches that support 802.1X along with port security, however, a port can be authenticated using 802.1X, and then access can be restricted to specific hosts using port security. After the initial 802.1X authentication, you can use port security to restrict access to specific addresses instead of allowing complete access. When using port security, all subsequent non-EAPOL frames are redirected to the port-security process, and 802.1X has no further effect. If the original MAC address that was authenticated through 802.1X terminates service directly through the use of an EAPOL-Logoff frame, the port disconnects from the network, and the network becomes unavailable to any hosts connected through the port. With multihost mode, you can use 802.1X authentication for a specific port and then use port security on the port to take advantage of features such as aging, timeout, violation mode, and the number of MAC addresses allowed.

In general, hubs present challenges in any port-based access-control solution or network topology. Carefully consider the implications of using hubs; their use is not typically recommended for an IBNS solution. If a hub-type topology persists, 802.1X cannot keep adjacent systems connected to hubs from seeing all traffic in all connected devices, and the systems might exploit any number of Layer 2 vulnerabilities. However, if you determine that hubs are necessary in specific situations, such as in conference rooms, use multihost mode with port security. Multihost mode with port security provides the best security possible under the circumstances. This combination of security features helps you achieve the goal of network security, which is to provide the minimum network access that meets the network’s functional requirements.

Working with Multiple Devices

The operation described in the preceding section is the default on all Cisco Catalyst switches, and it is called single-authentication (single-auth) mode. Single-auth mode is, in effect, when 802.1X is enabled on any port through the following configuration:

dot1x port-control auto

Single-Auth Mode

Single-auth mode works the same way when hubs are used, and the same rules apply as when a supplicant is connected directly to the authenticator. For example, with the default mode in place, after a MAC address is authenticated and added to the Layer 2 table, any other host seen on the port causes a security violation. As a result, the network is not compromised if a hub is attached to a switch port. If hubs are a necessity in an 802.1X network, you must understand the difference between a hub and a switch. By design, switches that comply with 802.1D discard EAPOL frames. The MAC address 0180.c200.0003, reserved for 802.1X, is also one of the 16 addresses reserved by IEEE 802.1D in the BPDU block. Devices that comply with 802.1D cannot forward frames sent to addresses in the BPDU block. For this reason, the topology only works if the device is a hub or transceiver, as Figure 17-5 shows.

Figure 17-5 802.1X Frames Not Bridgeable by a Switch

Operationally, single-auth mode is a perceived benefit of any 802.1X deployment, because it mitigates the deployment of rogue devices, such as hubs.

(Figure 17-5 labels: supplicant MAC ab-cd-ef-12-34-56; EAPOL destination DA = 01-80-c2-00-00-03; the frame is dropped (X) at the switch.)


Keeping Insiders Honest

It is important to understand the intersection of port-based access-control solutions and related policy-enforcement mechanisms. It is too easy for an unauthorized individual to gain physical and logical access to a network. A solution to this problem is 802.1X, which keeps the outsiders out and can serve as a way to extend the level of trust in a networked system by proving someone’s identity. As a potential benefit, the network now becomes aware of authorized sessions, and it can enforce policies. This provides the capability to keep insiders honest. You also have the potential to increase the level of accountability for those with whom you might actually be doing business.

Port-Security Integration

Port security was originally developed to address the security risk of content-addressable memory (CAM) table exhaustion. Hence, port security can limit the number of addresses that can be learned on a port as a defense against MAC address table exhaustion attacks. The basic implementation is to secure addresses only when they are being learned in accordance with the Layer 2 bridging model.

In practice, this means that implementing port security should secure host addresses only if the traffic received from those addresses is not Layer 2 control-packet traffic (CDP, STP, PAgP, Link Aggregation Control Protocol [LACP], DTP, and so on). These types of Layer 2 frames do not trigger host learning and, thus, cannot be used to overflow the MAC address table. In practice, this alone makes 802.1X technically superior to technologies (such as port security) because it implicitly disallows all traffic other than EAPOL before a valid port authorization takes place. By default, CAM table exhaustion is accounted for. Even after 802.1X authorizes a port, most Catalyst-switch implementations attempt to ensure the validity of the authorized session by locking it on a port down to the single MAC address that was authenticated through 802.1X. Previously, when a secured port went down and came back up, MAC addresses that were previously learned and secured on a port were lost. As a result, a new host could then be learned on a port without causing any violation. The only way to control this behavior was to configure sticky port security in an attempt to lock single MAC addresses down to certain ports if needed. However, sticky port security saves any MAC address learned on a port, which is similar to statically configured MAC addresses on the port. Then, MAC addresses can be preserved across link up/down or switch reloads.

Sticky port security allows for a MAC address to be learned only once, and it is secured permanently after that. Technically, although this might limit the number of MACs learned on a port, no form of authentication exists in this at all. 802.1X is superior to this because it does not care about how a device actually authenticates, but it can support the notion of authentication in general. From a switch’s perspective, upon linkup, 802.1X is prioritized over port security. This means that the switch must authenticate a user before it can secure (or even learn) a MAC address.

286 Chapter 17: Identity-Based Networking Services with 802.1X

When enabled together on the same port, port security and 802.1X can allow the network to limit the number of hosts to be learned and secured on the port in addition to authenticating that host. The default behavior of 802.1X (without port security) is to implicitly deny all traffic until a supplicant successfully authenticates. Until then, only EAPOL packets are allowed; all other packets are silently dropped. After the supplicant successfully authenticates, the default access for the port is changed depending on the 802.1X host mode (which is reviewed next). By default, only EAPOL packets are handled in this single-auth mode, and all other packets are dropped. When a supplicant authenticates, 802.1X informs port security to secure the MAC address on the port. If this succeeds, access is granted. If this process does not succeed, access can be denied. In this way, 802.1X can be backward-compatible with existing port-security techniques, whether they are predominantly static or dynamic in nature.
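The following Python simulation is an added example, not code from the book or from Cisco IOS. It models the port behaviours described in the Multihost Mode section and in the paragraph above: single-auth mode (one authenticated MAC, any other MAC is a violation), multi-host mode (any MAC rides on the one authorization), and multi-host mode with port security (a MAC count cap, and an EAPOL-Logoff from the authenticated host unauthorizes the port). The MAC addresses, the hub scenario and the maximum-MAC value of 2 are constructed for the demonstration.

```python
"""Added example: 802.1X host mode and port security deciding what a port admits (constructed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    SINGLE_AUTH = "single-auth"   # default: one authenticated MAC, any other MAC violates
    MULTI_HOST = "multi-host"     # dot1x host-mode multi-host


class Verdict(Enum):
    ACCEPT = "accept"
    DROP_UNAUTHORIZED = "drop (port unauthorized)"
    VIOLATION = "security violation"


@dataclass
class AccessPort:
    host_mode: HostMode
    port_security: bool = False
    max_macs: int = 1                        # port-security maximum; constructed value
    authorized: bool = False
    auth_mac: bytes | None = None
    secured: set[bytes] = field(default_factory=set)
    violations: int = 0

    def _secure(self, mac: bytes) -> bool:
        """Port security secures a MAC only while the configured count allows it."""
        if mac in self.secured:
            return True
        if len(self.secured) >= self.max_macs:
            return False
        self.secured.add(mac)
        return True

    def on_auth_success(self, mac: bytes) -> bool:
        """802.1X finished for `mac`; it asks port security to secure the address first."""
        if self.port_security and not self._secure(mac):
            return False                      # securing failed, so access is denied
        self.authorized, self.auth_mac = True, mac
        return True

    def on_eapol_logoff(self, mac: bytes) -> None:
        """An EAPOL-Logoff from the authenticated host unauthorizes the whole port."""
        if mac == self.auth_mac:
            self.authorized, self.auth_mac = False, None
            self.secured.clear()

    def ingress(self, src: bytes, eapol: bool = False) -> Verdict:
        if eapol:
            return Verdict.ACCEPT             # EAPOL always reaches the uncontrolled port
        if not self.authorized:
            return Verdict.DROP_UNAUTHORIZED  # implicit deny until a supplicant authenticates
        if self.host_mode is HostMode.SINGLE_AUTH:
            if src != self.auth_mac:
                self.violations += 1
                return Verdict.VIOLATION
            return Verdict.ACCEPT
        # multi-host: every MAC behind the hub rides on the single authorization...
        if self.port_security and not self._secure(src):
            self.violations += 1              # ...unless port security caps the count
            return Verdict.VIOLATION
        return Verdict.ACCEPT


def hub_scenario(port: AccessPort) -> list[str]:
    """Three hosts behind a hub: A authenticates, B and C piggyback, then A logs off."""
    a, b, c = (bytes.fromhex("aa0000000001"), bytes.fromhex("aa0000000002"),
               bytes.fromhex("aa0000000003"))                 # constructed MAC addresses
    log = [port.ingress(a).value]             # A sends data before authenticating
    port.on_auth_success(a)
    log.append(port.ingress(a).value)         # A after authentication
    log.append(port.ingress(b).value)         # B appears on the same port
    log.append(port.ingress(c).value)         # C appears on the same port
    port.on_eapol_logoff(a)
    log.append(port.ingress(b).value)         # B after A's EAPOL-Logoff
    return log


if __name__ == "__main__":
    for cfg in (AccessPort(HostMode.SINGLE_AUTH),
                AccessPort(HostMode.MULTI_HOST),
                AccessPort(HostMode.MULTI_HOST, port_security=True, max_macs=2)):
        label = cfg.host_mode.value + (" + port-security" if cfg.port_security else "")
        print(f"{label:28s}", hub_scenario(cfg))
```

The third configuration is the one the text recommends for conference-room hubs: the second host is admitted, the third trips a violation, and the logoff still takes the port down for everyone behind the hub.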

NOTE For more information on port security, see Chapter 2.

DHCP-Snooping Integration

DHCP snooping can keep track of the binding between MAC addresses and dynamically assigned IP addresses. It is enabled on a per-VLAN basis and intercepts all DHCP messages bridged within a VLAN. Combined with 802.1X on a port, this provides a unique value proposition from an overall security standpoint. Like 802.1X, IP Source Guard can also be enabled on an individual Layer 2 port. 802.1X is actually a per-port traffic filter (implicitly denying everything, with the exception of EAPOL) until a port becomes authorized. After a port authorizes, it is implicitly allowed to communicate. IP Source Guard can leverage DHCP snooping to enable a per-port IP traffic filter for protection against spoofing. It uses DHCP snooping or static bindings to effectively build an inbound port access control list (PACL) on every port on which it is enabled.

NOTE For more information on DHCP snooping, see Chapter 5, “Leveraging DHCP Weaknesses.”

Address Resolution Protocol Inspection Integration

Address Resolution Protocol (ARP) is a Layer 2 protocol that maps IP addresses to MAC (hardware) addresses. ARP is a stateless network layer protocol, does not have any authentication built into it, and can be spoofed as a result. A networked device trusts ARP request/reply messages without ensuring that they originate from the correct devices. In combination with 802.1X, however, you can logically prove that an end user or device attaching to a LAN edge port is not an outsider. 802.1X and Dynamic ARP Inspection (DAI) then interoperate to keep this insider honest. This confirms that authentication alone does not prove trustworthiness. Chapter 6, “Exploiting IPv4 ARP,” discusses ARP limitations and mitigation techniques.
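The following Python code is an added example, not the book’s or Cisco’s implementation. It ties the last two sections together: a per-VLAN binding table is built from a constructed DHCP ACK and a static entry, an IP Source Guard style check permits only source MAC/IP pairs bound to the receiving port, a DAI style check validates the sender fields of a decoded ARP packet against the same table, and both sit behind the 802.1X authorization state as the text describes. The port names (Gi1/0/1 and so on), VLAN 10, and all MAC and IP addresses are constructed.

```python
"""Added example: DHCP snooping bindings feeding IP Source Guard and DAI checks (constructed)."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HOST1 = bytes.fromhex("aabbcc000001")    # constructed: learned from a DHCP ACK on Gi1/0/1
HOST2 = bytes.fromhex("aabbcc000002")    # constructed: static binding on Gi1/0/2
GATEWAY = bytes.fromhex("aabbcc0000fe")  # constructed: target of the ARP replies below
ARP_FMT = "!HHBBH6s4s6s4s"              # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


@dataclass(frozen=True)
class Binding:
    vlan: int
    port: str
    mac: bytes
    ip: IPv4Address


class SnoopingTable:
    """Per-VLAN MAC-to-IP bindings learned from DHCP, plus static entries."""

    def __init__(self) -> None:
        self._bindings: dict[tuple[int, bytes], Binding] = {}

    def observe_dhcp_ack(self, vlan: int, port: str, chaddr: bytes, yiaddr: str) -> None:
        # A DHCP ACK bridged within the VLAN binds the client MAC to its leased address.
        self._bindings[(vlan, chaddr)] = Binding(vlan, port, chaddr, IPv4Address(yiaddr))

    def add_static(self, vlan: int, port: str, mac: bytes, ip: str) -> None:
        self._bindings[(vlan, mac)] = Binding(vlan, port, mac, IPv4Address(ip))

    def lookup(self, vlan: int, mac: bytes) -> Binding | None:
        return self._bindings.get((vlan, mac))


def ip_source_guard(table: SnoopingTable, vlan: int, port: str, src_mac: bytes, src_ip: str) -> bool:
    """Inbound per-port filter: permit only source (MAC, IP) pairs bound to this very port."""
    b = table.lookup(vlan, src_mac)
    return b is not None and b.port == port and b.ip == IPv4Address(src_ip)


def build_arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP body; oper 1 = request, 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP body into its fields."""
    if len(payload) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha, "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def dai_check(table: SnoopingTable, vlan: int, port: str, arp_payload: bytes) -> bool:
    """DAI on an untrusted port: the ARP sender MAC/IP must match a binding for that port."""
    arp = parse_arp(arp_payload)
    b = table.lookup(vlan, arp["sha"])
    return b is not None and b.port == port and b.ip == arp["spa"]


def admit(table: SnoopingTable, authorized_ports: set[str], vlan: int, port: str,
          src_mac: bytes, src_ip: str | None = None, arp_payload: bytes | None = None) -> str:
    """Checks in the order the text describes: 802.1X authorization first, then the
    data-plane filters. Returns the first reason to drop, or 'permit'."""
    if port not in authorized_ports:
        return "drop: port not authorized by 802.1X"
    if src_ip is not None and not ip_source_guard(table, vlan, port, src_mac, src_ip):
        return "drop: IP Source Guard"
    if arp_payload is not None and not dai_check(table, vlan, port, arp_payload):
        return "drop: DAI"
    return "permit"


def demo_table() -> SnoopingTable:
    """Constructed bindings: HOST1 learned dynamically, HOST2 configured stat
    ically."""
    t = SnoopingTable()
    t.observe_dhcp_ack(10, "Gi1/0/1", HOST1, "10.0.0.11")
    t.add_static(10, "Gi1/0/2", HOST2, "10.0.0.22")
    return t


if __name__ == "__main__":
    t, auth = demo_table(), {"Gi1/0/1", "Gi1/0/2"}
    print(admit(t, auth, 10, "Gi1/0/1", HOST1, "10.0.0.11"))          # permit
    print(admit(t, auth, 10, "Gi1/0/1", HOST1, "10.0.0.22"))          # HOST1 claims HOST2's IP
    spoof = build_arp(2, HOST1, "10.0.0.22", GATEWAY, "10.0.0.1")    # ARP reply with HOST2's IP
    print(admit(t, auth, 10, "Gi1/0/1", HOST1, arp_payload=spoof))    # DAI drops it
```

An ARP frame carries no IP header, so the ARP case passes only the decoded payload; for IP traffic only the source guard check applies. The ordering makes the text’s point concrete: on a port that 802.1X has not authorized, the data-plane filters never even run.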

Putting It Together

Potential attack vectors exist in most networked systems. The majority of access edge attacks attempt to exploit the inability of a device to track the attacker or of a networked system to recognize an alteration of the forwarding path. Most common attacks at the network edge range from MAC flooding attacks, to spanning-tree attacks, to ARP attacks, or the forging of other packet types. 802.1X is a port-based access-control solution. It provides an improved solution for the authentication of various types of users or devices while directly providing an added countermeasure to the attack vectors in a switched-LAN environment. Compared to previous approaches to access control, 802.1X offers enterprises several benefits that can interoperate with existing security solutions with a low degree of overlap. 802.1X is superior to other versions of access control and might address some security issues better than a mitigation approach itself can (in many ways).

After 802.1X completes, an authenticated session is typically bound to the MAC address used to authenticate a port. This enforcement process ensures the validity of the authenticated session. This mitigates the threat of a network port being compromised by any other non-802.1X client that might appear on the wire. After a switch port is authorized by 802.1X, all subsequent traffic that matches the security policy on the port is forwarded until events occur to cause the port to become unauthorized. 802.1X assumes that an authenticator port is physically and directly connected to a supplicant in a single-host-per-port topology. It does not directly support access to a hub-based shared Ethernet segment or an unauthenticated switch. Otherwise, a single authenticated device could gain access for other unauthorized systems. Thus, authenticators need to detect the presence of multiple devices on their ports and be able to deny access if desired. This is a default action of the configuration shown previously; it is known as single-auth mode. Operationally, additional MAC addresses that appear on the wire are treated as security violations. This includes VMware-type devices or any machines that attempt to source gratuitous ARP frames.

802.1X typically represents authentication. Authentication alone does not imply trustworthiness. Even with 802.1X, an attacker with physical access to a LAN can still sniff traffic and spoof an authenticated MAC address. This level of attack, although valid, does not typically exist in wireless because encryption is used, and the supplicant and authenticator have a mutually derived key that an attacker doesn’t know. With wireless topologies that support encryption and authentication, even if an attacker could spoof the MAC and IP, frames are discarded and an attacker should not be able to easily decrypt frames. Until wired 802.1X has encryption built in to validate supplicant traffic, it is exposed to this attack. Although 802.1X definitely raises the bar for security measures in a LAN alone, other techniques (such as physical security, access to cabling, and so on) for mitigation to thwart attackers are recommended. To understand the future of link-layer encryption, see Chapter 18, “IEEE 802.1AE.”

NOTE This does not account for lower-layer protocols, such as 802.11, in use for wireless topologies.


Integration Value-Add of 802.1X

Data traffic originating from an end station is disallowed until 802.1X completes. A LAN segment, as previously shown, is comprised of exactly two ports. An authenticator can monitor an operational state and detect the presence of an active device at the remote end of the link or when an active device becomes inactive. Along with link state, these events trigger changes in the authorization state of the switch port. This action is a default condition, and it is demonstrated through port configurations for Cisco IOS-based switches using the following command:

dot1x port-control auto

802.1X is a control plane protocol that provides data plane protection from attack vectors. Other security features can be enabled to modify default network access or configured rules on the data plane. The next three sections examine integration mechanisms of such data plane components.

Spanning-Tree Considerations

IEEE 802.1D defines Spanning Tree Protocol (STP). STP is a control plane, link-management protocol for bridged networks that provides path redundancy while preventing undesirable loops in networks built of multiple active paths.

STP is a useful protocol, but unfortunately, it was conceived with no security in mind; as a result, STP is vulnerable to several types of attacks. Chapter 4, “Are VLANs Safe?,” discusses these attacks.

By default, 802.1X uses a group MAC address: the port access entity (PAE) group address. This MAC address is 0180.c200.0003, and IEEE 802.1D assigned it for PAEs’ use. In wired deployments, a supplicant’s MAC address is unknown to an authenticator prior to any EAPOL exchange.

In a wireless deployment, a supplicant’s MAC address might be known to an authenticator prior to an 802.1X exchange. One example is the MAC address of a supplicant being known by an authenticator that also uses IEEE 802.11. IEEE 802.11 establishes a pair-wise association between a station and an authenticator.

In environments that also use 802.11, all EAPOL frames sent by a PAE can then carry the individual MAC address associated with the destination point of LAN attachment as the destination MAC address. Otherwise, the supplicant can be unknown to the authenticator and vice versa, which is typically the case for most wired deployments. Also, because the PAE group address falls within the range reserved by 802.1D, EAPOL is not normally forwarded by an 802.1D-capable bridge.
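An added example, not the book’s code, that shows why the PAE group address matters both for the hub-versus-switch topology of Figure 17-5 (in the Single-Auth Mode section) and for the statement above that an 802.1D bridge does not forward EAPOL: it checks a destination MAC against the 16-address 802.1D reserved block and walks an EAPOL frame through a constructed path of hubs and switches. The supplicant MAC ab-cd-ef-12-34-56 is the label from Figure 17-5; the device paths are constructed.

```python
"""Added example: the 802.1D reserved block and EAPOL through a hub versus a switch (constructed)."""
from __future__ import annotations
from dataclasses import dataclass

# IEEE 802.1D reserves 01-80-C2-00-00-00 through 01-80-C2-00-00-0F for bridge control
# protocols. A compliant bridge never relays a frame sent to one of these 16 addresses.
BPDU_BLOCK_PREFIX = bytes.fromhex("0180c20000")     # first five octets of the block
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group address, inside the block
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800


def parse_mac(text: str) -> bytes:
    """Accept 'ab-cd-ef-12-34-56', 'ab:cd:ef:12:34:56' or Cisco-style 'abcd.ef12.3456'."""
    digits = "".join(ch for ch in text if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes.fromhex(digits)


def in_bpdu_block(mac: bytes) -> bool:
    """True when the address is one of the 16 that 802.1D reserves."""
    return len(mac) == 6 and mac[:5] == BPDU_BLOCK_PREFIX and mac[5] <= 0x0F


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int


def relays(device: str, frame: Frame) -> bool:
    """Would this intermediate device pass the frame on toward the authenticator?"""
    if device == "hub":
        return True                           # a repeater forwards every frame, reserved or not
    if device == "switch":
        return not in_bpdu_block(frame.dst)   # an 802.1D bridge consumes the reserved block
    raise ValueError(f"unknown device type: {device}")


def reaches_authenticator(path: list[str], frame: Frame) -> tuple[bool, str | None]:
    """Walk a frame through the devices between supplicant and authenticator.

    Returns (reached, blocked_at), where blocked_at names the first device that dropped it.
    """
    for device in path:
        if not relays(device, frame):
            return False, device
    return True, None


if __name__ == "__main__":
    supplicant = parse_mac("ab-cd-ef-12-34-56")            # the label used in Figure 17-5
    eapol = Frame(PAE_GROUP_ADDRESS, supplicant, ETHERTYPE_EAPOL)
    print("EAPOL via hub:   ", reaches_authenticator(["hub"], eapol))
    print("EAPOL via switch:", reaches_authenticator(["switch"], eapol))
```

The same check explains the BPDU-Filter and BPDU-Guard discussion that follows: STP’s own address 01-80-C2-00-00-00 sits in the same block, so the bridge itself, not 802.1X, is what keeps these control frames from crossing a compliant switch.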

Under normal circumstances, Layer 2 access ports connected to a single workstation or server need not participate in spanning tree. When enabled on a port, bridge protocol data unit (BPDU) filtering enables you to avoid sending BPDUs on portfast-enabled ports that are also connected to an end system.

Enabling BPDU-Filter

By default, spanning tree sends BPDUs from all ports regardless of whether portfast is also enabled. After you enable BPDU filtering, it applies to all portfast-enabled ports on the switch. Enabling BPDU-Filter on a port effectively disables spanning-tree capability for a Layer 2 access port.

When BPDU-Filter is explicitly configured on a port, it does not send any BPDUs and drops all BPDUs it receives. When configured globally, BPDU-Filter applies to all operational portfast ports.

Ports in an operational portfast state are supposed to be connected to hosts that typically drop BPDUs. If an operational portfast port receives a BPDU, it immediately loses its operational portfast status. In that case, BPDU-Filter is disabled on this port and STP resumes sending BPDUs on this port.

From an operational perspective with 802.1X, BPDU-Filter does not impact a potential deployment. BPDU-Filter also does not impact any device on the wire that is first authenticating using 802.1X.

From a deployment perspective, however, this could have a potential impact. If you assume that all devices on Layer 2 access ports are running 802.1X, running BPDU-Filter on a port does not buy you anything. The reasons for this are the fundamental rules of the control plane (defined by 802.1X), which state that access to a port is not granted (including the processing of other BPDUs) until 802.1X authorizes a port. Simply put, unless 802.1X has authorized a port, it does not matter if a rogue switch gets plugged in. This potential attack vector would be thwarted by 802.1X itself, anyway. Also, from a security best-practice standpoint, there is no real benefit to enabling BPDU-Filter, unless specific requirements dictate otherwise.

Enabling BPDU-Guard

Another spanning-tree security technique is BPDU-guard. BPDU-guard can shut down a port as soon as a BPDU is received on that port. In this way, BPDU-guard helps prevent unauthorized access and the illegal injection of forged BPDUs.


From an operational perspective with 802.1X, BPDU-guard does not impact a potential deployment. BPDU-guard also does not impact any device on the wire that is first authenticating using 802.1X.

From a deployment perspective, however, this could have a potential impact. If you assume that all devices on Layer 2 access ports are running 802.1X, running BPDU-guard on a port does not technically buy you anything. The reason for this is the fundamental rules of the control plane (defined by 802.1X), which state that access to a port is not granted (including the processing of other BPDUs) until 802.1X authorizes a port. Put simply, unless 802.1X has authorized a port, it does not matter if a rogue switch gets plugged in. This potential attack vector would be thwarted by 802.1X, not BPDU-guard. However, from a security best-practice standpoint, this is no reason to disable BPDU-guard.

In the future, 802.1X capability will appear on other network devices themselves as it becomes more pervasive. Hence, the need for BPDU-guard on Layer 2 access ports remains valuable.

Trunking Considerations

By default, all Ethernet ports on Catalyst switches are set to autonegotiated trunking mode. Autonegotiated trunking allows switches to automatically negotiate Inter-Switch Link (ISL) and 802.1Q trunks. The Dynamic Trunking Protocol (DTP) manages the negotiation. Setting a port to autonegotiated trunking mode makes the port willing to convert the link into a trunk link, and the port becomes a trunk port if the neighboring port is set as a trunk or configured in desirable mode.

Although the autonegotiation of trunks facilitates the deployment of switches, it also represents a potential attack vector: an attacker can take advantage of this feature and easily set up an illegitimate trunk. For this reason, as a security best practice, the autonegotiation of trunking needs to be disabled on all user-facing ports.

In concert with 802.1X, disabling automatic trunking occurs by default. Furthermore, when enabling 802.1X, trunking itself is explicitly disabled. If protection against the autonegotiation of trunks is planned on a per-port basis, the deployment of 802.1X itself can obviate the need for such a plan. In the future, this model might change as 802.1X becomes more common on all port types.

Information Leaks

If a port can become a trunk, it might also have the ability to trunk automatically and, in some cases, even negotiate what type of trunking to use on the port. DTP provides this ability to negotiate the trunking method with the other device. In concert with 802.1X and the default operation previously examined, DTP should not be a concern for information leakage when examining potential attack vectors in a port-based access-control solution. The same can be said for VLAN Trunking Protocol (VTP) and Cisco Discovery Protocol (CDP). By enabling 802.1X, no DTP, VTP, or CDP information is sent by a switch on the wire until a port is authorized. These control planes and their threat vectors are discussed in Chapter 11, “Information Leaks with Cisco Ancillary Protocols.”

NOTE Port Aggregation Protocol (PAgP), VTP, and CDP are discussed in detail in Chapter 11.

In most enterprise networks supporting multicast as a service, multicast hosts use the Internet Group Management Protocol (IGMP) to signal to multicast routers to join or leave an IP multicast group. Multicast routers periodically send an IGMP query message to learn the active members in the group. This is where information from the network might leak.

In addition to IGMP, a network routing protocol can also rely on multicast. These types of frames include Open Shortest Path First (OSPF) and PIMv1/v2 hellos and Enhanced Interior Gateway Routing Protocol (EIGRP) hellos. Other frames include Distance Vector Multicast Routing Protocol (DVMRP) probes or IGMP self-joins. All these frames might contain network information that serves attack vectors. By default, on Layer 2 access ports, all multicast frames from the network are forwarded on ports that are members of these groups. This includes environments where IGMP snooping constrains the flooding of multicast traffic. Per the default operation of 802.1X, all multicast frames are dropped until 802.1X authorizes the port. This can indirectly help to level-set other security features, such as port-based broadcast/multicast/unicast storm control.

802.1X frames are never 802.1Q tagged on Cisco switches. The specification for IEEE 802.1X explicitly calls for EAPOL to not be VLAN tagged, but it can optionally be priority tagged. This “native VLAN” approach for 802.1X is needed to be compliant with the 802.1Q specification, because IEEE never sends tagged BPDUs, including 802.1X. As a result, 802.1X and any sort of 802.1Q vulnerability or limitation is actually an orthogonal issue. 802.1Q exploits typically have to do with piggybacking. The default implementation of 802.1X realizes the full benefit of completely circumventing port piggybacking, because a single physical access port is not separated into multiple distinct logical ports. Exceptions to this rule include environments such as IEEE 802.11 wireless LANs (WLAN). 802.1X does not defend against any existing 802.1Q exploits, but it needs to properly establish a reasonable level of trust because it is authorizing sessions to begin with. Note that 802.1X and 802.1Q can serve as a means to enforce policy. An authenticator might have access to multiple types of configured VLANs. These can be employee VLANs, student VLANs, guest VLANs, and so on. 802.1X can work in combination with 802.1Q from a signaling or authorization point of view. Through the use of EAPOL and EAP over RADIUS, authentication, authorization, and accounting (AAA) can inform an authenticator which VLAN to grant access to on a per-port, per-session basis. (For more information on VLAN assignment, see the section, “VLAN Assignment.”)

802.1X Security

802.1X provides security by creating virtual access points at each port of attachment to a network LAN, namely the controlled port and the uncontrolled port:

• Controlled port provides a path for data plane access only after a device authenticates. The data plane represents typical network traffic.

• Uncontrolled port provides a path for the actual authentication traffic.

Ultimately, if a supplicant is properly authenticated, an authenticator typically sets access to its controlled port to a state of authorized. The converse of this action is also true. Figure 17-4 illustrates controlled/uncontrolled ports of 802.1X.

(Figure labels, EAP exchange: Supplicant 802.1X and Authenticator 802.1X; EAPOL-Logoff, EAPOL-Start, EAP-Identity-Request, EAP-Identity-Response, EAP-Auth-Exchange (auth exchange with AAA server), EAP-Success/Failure (authentication successful/rejected); Policy Instructions over RADIUS; EAP method dependent; Port Unauthorized, Port Authorized.)


Figure 17-4 Controlled/Uncontrolled Ports of 802.1X

One point of access allows for the uncontrolled exchange of Protocol Data Units (PDU) between the system and other systems on the LAN, regardless of the authorization state. This is the uncontrolled port.

The other point of access allows the exchange of PDUs only if the current state of the port is authorized. This is the controlled port. The uncontrolled and controlled ports are considered to be part of the same physical point (or port) of attachment to the LAN. Any frame received on the physical port is made available at both the controlled and uncontrolled ports. However, access to the controlled port is subject to the authorization state associated with it. In Figure 17-4, the notion of access control is achieved by enforcing the authentication of supplicants that attach to the system’s controlled ports, based on the outcome of the authentication process. This allows the system to determine whether the supplicant is authorized to access any services on a controlled port.

If a supplicant is not authorized for access, the authenticator’s system sets the controlled port state to unauthorized. In the unauthorized state, use of the controlled port is typically restricted, which prevents unauthorized data transfers between a network-attached LAN device and the services offered by the authenticator system.

Data planes are responsible for data transmission. 802.1X’s control plane can establish the data plane “segment” for a network-attached device. 802.1X is itself a control plane protocol. However, other security features can be enabled to modify default network access or configured rules on the data plane. Integration mechanisms of such data plane components (as reviewed in other chapters of this book) are relevant to this discussion. (For example, see Chapter 2, “Defeating a Learning Bridge’s Forwarding Process,” to review MAC-based attacks.) 802.1X provides an additional way to prevent these attacks.

(Figure 17-4 labels: For each 802.1X switch port, the switch creates two virtual access points at each port. The controlled port is open only when the device connected to the port has been authorized by 802.1X. The uncontrolled port provides a path for EAPOL traffic only. Controlled; EAPOL; Uncontrolled; EAPOL.)


An authenticator exerts control over a virtual port in both directions, which is known as a bidirectional controlled port. A bidirectional controlled port typically means that only EAPOL should come in to or go out of a port until authenticated. This is an immediate infrastructure-protection mechanism for any network environment.

Exploring IEEE 802.1X

The IEEE 802.1 working group developed the 802.1X standard. It is a framework that addresses and provides port-based access control using authentication. Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media. The Layer 2 protocol transports EAP authentication messages between a client device and a network device. 802.1X typically assumes a secure connection, and the enforcement of sessions is imposed through MAC-based filtering and port-state monitoring.

To provide more context on 802.1X theory, a few devices and processes must be explained:

• Supplicant. Device requesting access to the network. A supplicant represents a client, user, or PC.

• Authenticator. Network access point device. This might be either a switch or a wireless access point (AP). The authenticator enforces the security policy based on the results from authentication.

• Authentication server. Device that actually performs the supplicant’s authentication. Based on results from authentication, the authentication server optionally provides the authenticator with a specific access-control policy to enforce. The simplest policy is to permit or deny the supplicant network access.

The basic identity concepts previously defined apply to the preceding devices. A supplicant needs to connect to a network. An authenticator’s responsibility is to provide authenticated access and enforce policies. Then, an authentication server verifies the supplicant’s identified credentials and instructs an authenticator on an initial service to provide.

802.1X specifies a protocol framework for authenticating a device that is connected to a port. When a host connects to the LAN port on a switch, the host’s identity is determined by the switch port according to the protocol that 802.1X specifies. Assume that this is done before any other services offered by the switch are made available on that port. Until the authentication is complete, only EAPOL control frames can be processed on a port. No data plane traffic is typically allowed until the port is authorized. Figure 17-2 illustrates this model.


Figure 17-2 Port-Based Access Control with 802.1X

Figure 17-2 shows the operation of port-based access control and the result of creating two distinct points of access to an authenticator’s point of attachment to the LAN.

802.1X begins with a port of an authenticator denying network access at the port level. An initial EAP exchange (defined by RFC 3748) is then performed between the supplicant and authenticator. The EAP method is then negotiated or directly used between the supplicant and authentication server for the actual authentication. The EAP message is transported through 802.1X at the link layer to allow the supplicant and authenticator to converse.

Typically, RADIUS is used at the application layer to allow the authenticator to communicate with the authentication server. The actual authentication conversation is between the supplicant and authentication server via EAP, however. The authenticator is typically an EAP conduit and, ultimately, it enforces network policy, as Figure 17-3 shows.

As Figure 17-3 illustrates, RADIUS acts as the transport for EAP from the authenticator to the authentication server. (RFC 3579 provides a usage guideline for how RADIUS must support EAP between these devices.) RADIUS also carries back any policy instructions to an authenticator in the form of attribute-value pairs. (RFC 3580 provides usage guidelines for how 802.1X authenticators must use RADIUS.)

(Figure 17-2 is not reproduced; its labels are summarized here.) Supplicant (Desktop/Laptop, IP Phone, WLAN AP, Switch) -> Request for Service (Connectivity) -> Authenticator (Switch, Router, WLAN AP) -> Backend Authentication Support -> Authentication Server (IAS, ACS, any IETF RADIUS server) -> Identity Store Integration -> Identity Store/Management (MS AD, LDAP, NDS, ODBC).

Figure 17-3 EAP with 802.1X and RADIUS

(Figure 17-3 is not reproduced; the message sequence it shows is listed here.) Between supplicant and authenticator, over 802.1X: EAPOL-Start; EAP-Identity-Request; EAP-Identity-Response; EAP authentication exchange (method dependent); EAP-Success/Failure; Port Authorized; EAPOL-Logoff; Port Unauthorized. Between authenticator and AAA server, over RADIUS: authentication exchange with the AAA server; authentication successful/rejected; policy instructions.

Discovering Extensible Authentication Protocol

Port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures. These infrastructures leverage the Extensible Authentication Protocol (EAP) to carry arbitrary authentication information, not the authentication method itself. EAP is an encapsulation protocol with no dependency on IP, and it can run over any link layer, including IEEE 802 media. EAP transports authentication information in the form of EAP payloads. EAP also establishes and manages the authentication connection, and it allows for authentication by encapsulating various types of authentication exchanges.

EAP over LANs (EAPOL) is the protocol in IEEE 802.1X. Figure 17-1 shows this framing format.


Figure 17-1 EAPOL Framing Format

EAP provides a means for authentication. The selection of an EAP method is potentially the most difficult and important decision regarding the deployment of port-based access control. Prevalent EAP types include the following:

• EAP-MD5. Uses message digest algorithm 5 (MD5)-based challenge response for authentication

• EAP-MSCHAPv2. Uses username/password MSCHAPv2 challenge-response authentication

• EAP-TLS. Uses X.509 v3 public-key infrastructure (PKI)-issued certificates and the Transport Layer Security (TLS) mechanism for strong mutual authentication

• PEAP. Combines server-side certificates with some other authentication, such as passwords, and tunnels other EAP types in an encrypted tunnel (TLS), much like web-based SSL

• EAP-FAST. Designed to not require certificates; tunnels other EAP types in an encrypted tunnel

EAP rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods. However, not every client device supports every EAP authentication method available, and not every EAP server supports every method. In fact, most network devices are conduits for relaying EAP from a client to an EAP server.

(Figure 17-1 is not reproduced; its content is summarized here.) Ethernet frame: DST MAC, SRC MAC, Type, Data, FCS. EAPOL packet carried in the Data field: Protocol Version (1 byte), Packet Type (1 byte), Packet Length (2 bytes), Packet Body (N bytes).

Packet Type        Packet Description
EAP Packet (0)     Both the supplicant and the authenticator send this packet. It is used during authentication and contains the MD5 or TLS information required to complete the authentication process.
EAPOL Start (1)    Sent by the supplicant when it starts the authentication process.
EAPOL Logoff (2)   Sent by the supplicant when it wants to terminate the 802.1X session.
EAPOL Key (3)      Sent by the switch to the supplicant and contains a key used during TLS authentication.
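The framing format above, as an added example that is not code from the book: a small Python parser for the EAPOL header of Figure 17-1 and for the EAP header inside an EAP-Packet, plus a check that models the unauthorized port passing nothing but EAPOL. The sample frames and the supplicant MAC are constructed; the EAP codes and Identity type come from RFC 3748.

```python
"""Added example (not from the book): parse the EAPOL framing of Figure 17-1 and
model the rule that only EAPOL frames pass an unauthorized port."""
import struct
from typing import Dict

EAPOL_ETHERTYPE = 0x888E                 # IEEE 802.1X EtherType
EAPOL_PACKET_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start",
                      2: "EAPOL-Logoff", 3: "EAPOL-Key"}   # Figure 17-1 table
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE_IDENTITY = 1                    # RFC 3748 Identity type


def parse_eapol_frame(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet and EAPOL headers (and the EAP header of an
    EAP-Packet); raise ValueError on anything malformed or truncated."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:                # length field must fit the frame
        raise ValueError("EAPOL length field exceeds frame size")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "version": version,
            "type": EAPOL_PACKET_TYPES.get(ptype, "Unknown(%d)" % ptype),
            "body": body}
    if ptype == 0 and length >= 4:         # EAP-Packet: Code, Identifier, Length
        code, ident, eap_len = struct.unpack("!BBH", body[0:4])
        info["eap_code"] = EAP_CODES.get(code, "Unknown(%d)" % code)
        info["eap_id"] = ident
        # Identity Request/Response carries the claimed identity as UTF-8 text.
        if code in (1, 2) and 5 <= eap_len <= length and body[4] == EAP_TYPE_IDENTITY:
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame (protocol version 1) for the constructed samples."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def port_accepts(frame: bytes, port_authorized: bool) -> bool:
    """Controlled-port model: until authorization succeeds, only EAPOL is processed."""
    if port_authorized:
        return True
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == EAPOL_ETHERTYPE


# Constructed samples: the 802.1X PAE group address and a made-up supplicant MAC.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
SUPPLICANT_MAC = bytes.fromhex("001122334455")
EAPOL_START = build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1)
IDENTITY_RESPONSE = build_eapol(
    PAE_GROUP_MAC, SUPPLICANT_MAC, 0,
    struct.pack("!BBH", 2, 1, 5 + len(b"alice")) + bytes([EAP_TYPE_IDENTITY]) + b"alice")
IPV4_FRAME = PAE_GROUP_MAC + SUPPLICANT_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19  # plain IPv4

if __name__ == "__main__":
    for f in (EAPOL_START, IDENTITY_RESPONSE):
        print(parse_eapol_frame(f))
    print("IPv4 before authorization:", port_accepts(IPV4_FRAME, False))
```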


Several factors drive the choice of an EAP method, such as the following:

• Support of EAP methods on clients and servers.

• Network security policy, such as mutual authentication.

• Backend directory infrastructure support. Not every identity store supports all EAP types.

The choice of an EAP type ultimately drives the implementation of a port-based network access control solution and everything else in an authentication infrastructure.

Basic Identity Concepts

IBNS provides basic concepts through user and/or device authentication, and it provides LAN media independence, including identification, authentication, and authorization.

Identification

A client's identity is represented by a digital identifier within the context of a trusted domain. The identifier is generally used as a pointer to a set of rights or permissions and allows for client differentiation. An identifier can physically look like anything and be present at any OSI model layer in a networking environment. A network uses authenticated digital identifiers to provide authorization capability. An identity is useful for accounting and as a pointer to an applicable policy.

Authentication

Authentication is the process of establishing and confirming the identity of a client requesting services. Authentication is required when establishing corresponding authorization, and it's only as strong as the method of verification used.

Authorization

Authorization is defined as rights to services within a domain, and it can occur at any layer of the OSI model. Authorization without authentication is meaningless.

Along with 802.1X, IBNS provides these basic concepts through user and/or device authentication and provides for LAN media independence. Technically, users need to be authenticated when accessing the LAN either by traditional point-to-point media into a switch or through a wireless network. Typically, only those machines or users allowed by an organization should be allowed access.

IBNS also helps to begin defining what users or devices can do when they get network access through differentiated access control. Authentication also provides immediate accountability for a network to know who attains network access, in addition to when, where, and how they can attain service.

Identity-Based Networking Services with 802.1X - Foundation

Identity-Based Networking Services with 802.1X

The Cisco Identity-Based Networking Services (IBNS) is a technology solution that can improve the security of physical and logical access to LANs. IBNS incorporates all the capabilities defined in the IEEE 802.1X authentication standard, and it provides enhancements to make 802.1X technology easy to deploy. In addition to 802.1X, IBNS focuses on other authentication techniques and integration with other advanced technologies. Ultimately, IBNS delivers LAN access control. The mechanisms to provide this control are contingent on identification, authentication, and authorization. For IBNS, identity claims must be verified through authentication, while providing differentiated service levels.

When it comes to IBNS, follow these three best practices (or principles) for security, authorization, and visibility:

• Keep outsiders out per defined security policy in support of efforts to control rogue devices. This helps protect against fraud and theft of service, and eliminates unauthorized access. In today's networking environments, there are methods for an unsecured device or user to gain network access. Security perimeters are diminishing with mobile users, onsite visitors, partner connections, and on-demand technologies.

• Keep insiders honest. A network port can be permitted through various levels. So, controlling where a user can go and what he can do all the way to the edge becomes compelling to consider.

• Increase visibility into who plugs into a networked environment. This enables businesses to better know who they actually do business with and provides accountability for a LAN environment in support of any network audit or reporting infrastructure.

Foundation

There are increasing demands upon today's networks with the need to share information within an organization and with vendors or customers. Along with network access, security has become the top priority. Preventing fraudulent devices, such as unauthorized hubs, and rogue devices from accessing a network while meeting the needs of a flexible environment are now paramount.

Additionally, enterprises need to minimize the adverse impact of external users by requiring them to access the network through a gateway. Then, users can be operationally categorized in support of high-level access control. The IEEE 802.1X standard helps install the dial-up networking model into LAN media for such access control at network layers rather than to a single domain. The 802.1X standard for port-based network control has become the standard method for Layer 2 authentication access, not only with wireless, but with wired ports. It is also a core technology component in support of port-based access control.

802.1X allows the dynamic configuration of access ports and enforces the corporate security policy at the port level. An 802.1X supplicant represents a user or device needing to attain service from a network system. It is required to authenticate to an authentication server through a network access device. 802.1X can also provide access control on multiple levels of user access, which makes it the first element of network security. 802.1X helps reduce overall risk, adds value, and removes operational cost from a business because of its logical network overlay while promoting security. Corporate strategies that require network-access control need to include 802.1X.

Exploring TCAM

A TCAM is a content-addressable memory where each bit is allowed to store a 0, a 1, or a don't-care value; the ternary qualifier comes from the fact that three different types of values can be stored. You can think of a CAM as a reverse random-access memory: data is provided and an address is returned. Don't-care bits play an important role in ACL lookups because ACLs frequently ignore portions of an IP address. For example, if an ACL is interested in matching traffic from 192.168.2.0/24, it does not care about the low-order byte. (The subnet mask is 24 bits long, while an entire IP address is 32 bits long.) From a logical standpoint, a TCAM is organized as a collection of masks with several values associated to them. A mask is a bit map that says, "Match the first 24 bits of the IP address," or "Match all 32 bits of the IP address," or again, "Match the full 32 bits of the source IP but do not care about the destination IP." Several values are associated with each mask. Values represent IP addresses that have that mask. For example, if the mask says, "First 24 bits of the IP address," the values associated with that entry in the TCAM could be all ACL entries that permit or deny /24 source subnets. Figure 16-7 shows this concept.



Figure 16-7 TCAM: Masks and Values

Referring to Figure 16-7, consider the ACL shown in Example 16-2. With this ACL, the TCAM contains two masks: match all 32 bits of the source IP address, and match the first 24 bits of the source IP. IP address 8.1.1.1 is associated with the first mask, while IP prefix 8.1.1.0/24 is stored with the second mask. The remaining mask bits are don't-care bits, corresponding to the destination IP address, port numbers, and so on. They are marked as don't-care bits because the ACL is not interested in matching them (that is, the any keyword in the ACL). Each pattern points to a result in case of a hit. A result can be "permit," "deny," "capture," "redirect," and so on. Referring to the ACL in Example 16-2, a lookup for source IP address 8.1.1.1 returns a permit result. On the other hand, a lookup for source IP 8.1.1.8 results in the packet being denied because it does not match the full 32-bit entry for 8.1.1.1.

You can find an excellent online reference on TCAM architecture at Cisco.com (http://tinyurl.com/2sefej).

Example 16-2 ACL Programmed in the TCAM per Figure 16-7

access-list 101 permit ip host 8.1.1.1 any
access-list 101 deny ip 8.1.1.0 0.0.0.255 any
access-list 101 deny ip host 8.2.1.1 any

(Figure 16-7 is not reproduced; its masks and patterns are summarized here.) Mask number one, match condition: all 32 bits of the source IP address; don't care: all remaining bits. Patterns under this mask: Source IP = 8.1.1.1, result: permit; Source IP = 8.2.1.1, result: deny; pattern slots 3 to 8 empty. Mask number two, match condition: most significant 24 bits of the source IP address; don't care: all remaining bits. Pattern under this mask: Source IP = 8.1.1.X, result: deny; pattern slots 2 to 8 empty.

270 Chapter 16: Wire Speed Access Control Lists

Summary

Modern LAN switches are capable of handling millions of security access-list lookups per second in a stateless manner. That is, they do not maintain connection records for traffic permitted by the ACL, unlike stateful firewalls, for example. With a wire speed switch-based ACL, data is processed on a packet-per-packet basis rather than on a per-flow basis as in the case of a firewall. To scale to the numbers required by the traffic volumes found in large LAN networks, most LAN switch hardware architectures rely on ASICs or on specific memory structures and circuits. An example of such a technology is the Cisco TCAM. The lightning-fast processing speed offered by those architectures can be advantageously leveraged to complement other security devices in the network to offer defense in depth.

Technology Behind Fast ACL Lookups

How do modern LAN switches perform ACL lookups millions of times per second? An ACL lookup is, in and of itself, a rather simple operation: IPv4 packets adhere to a well-defined binary packet format, with fixed-size addresses always found at the same offset. Because IPv4 addresses are defined using just 4 bytes, searching for a specific address requires just a few operations when the proper data structure is used. Most algorithm-based software solutions for address lookups employ data structures called tries. (The spelling comes from the word retrieval.) In a nutshell, a trie is a tree where branching decisions are taken based on the values of successive bits in the address, as Figure 16-6 shows.


Figure 16-6 Binary Search Tree

Many different types of trees and tries exist, and optimizing the algorithms used for address lookups is an active field of computer-science research. However, it is safe to say that performing these algorithms using regular off-the-shelf processors with relatively slow memory access does not yield tens of millions of lookups per second.

The secret behind the raw speed displayed by today's LAN switches usually consists of employing either packet lookup ASICs or another type of electronic circuit, called ternary content-addressable memory (TCAM). Sometimes, the hardware architecture relies on a combination of both.
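An added example, not from the book, of the trie lookup described above: a binary trie that branches on successive bits of an IPv4 address, extended here to longest-prefix matching over a constructed prefix table. The lookup also returns the number of bit steps it walked, which is the per-packet cost a software lookup pays on a general-purpose processor and the reason the text turns to ASICs and TCAM.

```python
"""Added example (not from the book): the binary trie of Figure 16-6, with
branching on one address bit per step. The prefix table is constructed."""
import ipaddress
from typing import Optional, Tuple


class TrieNode:
    __slots__ = ("child", "result")

    def __init__(self) -> None:
        self.child = [None, None]        # child[0]: next bit is 0, child[1]: next bit is 1
        self.result = None               # action stored where a prefix ends, else None


class BinaryTrie:
    def __init__(self) -> None:
        self.root = TrieNode()

    def insert(self, prefix: str, result: str) -> None:
        """Store a result at the node reached by the prefix's top plen bits."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        addr, plen = int(net.network_address), net.prefixlen
        node = self.root
        for i in range(plen):            # walk MSB first, one bit per level
            bit = (addr >> (31 - i)) & 1
            if node.child[bit] is None:
                node.child[bit] = TrieNode()
            node = node.child[bit]
        node.result = result

    def lookup(self, address: str) -> Tuple[Optional[str], int]:
        """Longest-prefix match; returns (result, number of bit steps taken)."""
        addr = int(ipaddress.IPv4Address(address))
        node, best, steps = self.root, self.root.result, 0
        for i in range(32):
            node = node.child[(addr >> (31 - i)) & 1]
            if node is None:
                break                    # no longer prefix lies on this path
            steps += 1
            if node.result is not None:
                best = node.result       # remember the longest match seen so far
        return best, steps


def build_sample_trie() -> BinaryTrie:
    """Constructed prefix table echoing the page's /24 versus /32 discussion."""
    t = BinaryTrie()
    t.insert("0.0.0.0/0", "deny")        # default route: implicit deny
    t.insert("8.1.1.0/24", "deny")
    t.insert("8.1.1.1/32", "permit")
    t.insert("192.168.2.0/24", "permit")
    return t


if __name__ == "__main__":
    trie = build_sample_trie()
    for ip in ("8.1.1.1", "8.1.1.8", "8.3.3.3", "192.168.2.77"):
        print(ip, trie.lookup(ip))
```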


Working with PACL

A PACL is a type of access list that is mapped to a physical port inside a VLAN. Typically, a VLAN is composed of many physical ports. A PACL provides you with the extra granularity to filter traffic on a specific physical port. Think of it as a port-based VACL. Inside VLAN 20, for example, there could be five ports, each with a different PACL, and one governing VACL that applies to all traffic to and from VLAN 20. Similarly to a VACL, a PACL applies to both Layer 2 and Layer 3 forwarded packets. When available on a LAN switch, PACLs usually take precedence over all other configured ACLs.

Working with VACL

VLAN-based ACLs made their debut on LAN switches some time after RACLs. VACLs provide the capability to filter traffic between hosts located in the same VLAN. They apply to IP and non-IP traffic alike. For example, using VACLs, it is possible to permit or deny traffic based on its source or destination MAC address. Naturally, IP addresses, User Datagram Protocol (UDP), and TCP ports can also be used as selection criteria. Contrary to a VACL, a RACL cannot match intra-VLAN traffic because traffic between hosts inside a common VLAN does not transit through a routed interface at all. Figure 16-2 shows the VACL concept.

Figure 16-2 VACL Example

NOTE VACLs generally follow the same structure as RACLs; it's just their operating principle that differs.

VACLs are suitable to provide access control for an entire VLAN in one shot. For example, if you want to prevent all users in VLAN 20 from surfing the Internet, apply a VACL on VLAN 20 to deny all sources from communicating to any destination using TCP port 80. Notice that we are not applying the VACL to specific ports in VLAN 20, but rather to traffic entering and leaving the switch through VLAN 20. Although VACLs and RACLs might appear to be closely related, the key difference between them is that a RACL is unable to match traffic that is Layer 2 switched between two ports inside the same VLAN, while a VACL can.

Unlike RACLs, VACLs are directionless. That is, they match ingress and egress traffic to and from the VLAN. Figure 16-3 illustrates how they apply to traffic entering and exiting the VLAN.

(Figure 16-2 is not reproduced; it shows a VACL on a switch applied to traffic bridged within VLAN 10.)

Figure 16-3 VACLs Are Directionless

A VACL used in conjunction with the capture option is frequently used to send specific traffic from a VLAN to a network analyzer, as Figure 16-4 shows, for example. Thanks to the selective VACL match syntax, only a fraction of the total traffic in transit through the VLAN is sent to the analyzer.

Figure 16-4 VACL Capture

Oftentimes, the number of port-mirroring sessions available per switch is limited. Therefore, a VACL capture presents a useful alternative to port mirroring. Furthermore, port mirroring unselectively copies all traffic from a port or VLAN to another, while a VACL capture offers more granularity (thanks to the ACL match).

It is possible to combine both RACLs and VACLs on a given VLAN, as Figure 16-5 shows. This combination gives you the flexibility to control both intra-VLAN bridged traffic and traffic routed outside of the VLAN.

(Figures 16-3 and 16-4 are not reproduced; their labels are summarized here.) Figure 16-3: packets arriving on a Layer 2 interface have the VACL processed on ingress and egress (VACL applied at ingress, VACL applied at egress). Figure 16-4: in VLAN 10, traffic from Source to Destination crosses the switch, and the VACL capture copies matching packets to a capture port feeding an Intrusion Prevention System. The VACL capture is especially useful for forwarding packets for inspection by a LAN analyzer or intrusion prevention system.

Figure 16-5 Combining RACLs and VACLs

(Figure 16-5 is not reproduced; its labels are summarized here.) It is possible to combine the use of RACL and VACL at the same time for Layer 3 switched packets. Data enters a Layer 2 interface in VLAN 50 (Input VACL), is bridged to the Layer 3 input interface with IP address 10.10.50.1 (Input RACL), is routed by the routing engine to the Layer 3 output interface with IP address 10.10.60.1 (Output RACL), and is bridged by the Layer 2 engine to a Layer 2 interface in VLAN 60 (Output VACL).

Working with RACL

RACLs apply to traffic routed by the switch. Although this might sound like an oxymoron, today, most switches not only bridge traffic, but they can also route it, oftentimes doing so at wire speed.

The ACL provided in Example 16-1 is a RACL. You can apply RACLs on switch virtual interfaces (SVI), which are interfaces inside a VLAN configured with an IP address and used by hosts in the VLAN to exit the VLAN, or on physical Layer 3 interfaces. Figure 16-1 represents a RACL implemented between two SVIs (VLAN 10 and VLAN 20). SVIs take the form of interface VLAN x in Cisco IOS terminology. The IP address configured on the SVI in VLAN x is used as a default gateway by hosts in VLAN x.

Figure 16-1 RACL Example

(Figure 16-1 is not reproduced; it shows a switch with the SVI int vlan10 between Subnet A and Subnet B, configured as follows. The subnet operands are the figure's placeholders.)

interface vlan10
 ip access-group 100 in
!
access-list 100 permit ip <subnet A> <subnet B>

RACL, VACL, and PACL: Many Types of ACLs

ACLs found on Ethernet switches often come in many shapes and forms, mostly because of the differences in hardware and software architectures on those platforms, but also because the functionality provided by ACLs has evolved over time. You are likely to come across three types of ACLs on an Ethernet switch:

• Router ACL (RACL). An IP-based ACL that is applied to a routed interface. It is the most common type of ACL. The ACL used in Example 16-1 is a RACL.

• VLAN ACL (VACL). Applies to traffic entering and leaving a VLAN. It is globally applied to all ports in a given VLAN. It can filter both on Layer 2 criteria (MAC addresses) and Layer 3 and 4 parameters, just like a RACL.

• Port-based ACL (PACL). A VACL applied to an individual switch port inside a VLAN.

Several switches also ship with options to perform other operations on packets than the standard permit/deny. For example, it is common for LAN switches to provide the capability to capture traffic matched by an ACL and send it off a capture port where a traffic analyzer resides. Another type of action includes redirecting matching traffic from its incoming port to another port.

Table 16-1 summarizes the differences and nuances of the three ACL types, which are detailed in the following sections.

Table 16-1 VACL/RACL/PACL: Summary

RACL: Permits or denies the movement of traffic between Layer 3 subnets. Applied as an input or output policy to a Layer 3 interface.

VACL: Permits or denies the movement of traffic between Layer 3 subnets/VLANs or within a VLAN. Applied as a policy to a VLAN interface; inherently applied to both inbound and outbound traffic.

PACL: Permits or denies the movement of traffic between Layer 3 subnets/VLANs or within a VLAN. Applied as a policy to a Layer 2 switch port interface; applied for inbound traffic only.

Protecting the Infrastructure Using ACLs

In an effort to protect switches and routers from various risks, both accidental and malicious, infrastructure-protection ACLs need to be deployed at network ingress points. These ACLs deny access from external sources to all infrastructure addresses, such as router interfaces. At the same time, these ACLs permit normal transit traffic to flow uninterrupted through the infrastructure. A common set of ACLs consists of filtering addresses that have no business entering the network. Those are, for example, addresses defined in RFC 1918 and RFC 3330.

Data received by a router can be divided into two broad categories:

• Traffic that passes through the switch or router

• Traffic destined to the switch or router

In normal operations, the vast majority of traffic flows through the infrastructure to reach its ultimate destination. However, several cases exist where the router processor or switch processor (RP/SP) must directly handle data, most notably routing protocols, remote router access (such as Secure Shell [SSH]), and network management traffic (such as Simple Network Management Protocol [SNMP]). In addition, protocols such as ICMP and IP options can require direct processing by the RP/SP. Most often, direct access to the infrastructure should be permitted only when it's initiated from internal sources. There are a few notable exceptions, such as Border Gateway Protocol (BGP) peering; protocols that terminate on the RP/SP, such as generic routing encapsulation (GRE); and potentially limited ICMP packets for connectivity testing, such as echo-request or ICMP unreachables and Time to Live (TTL) expired messages for proper traceroute operation.

NOTE ICMP is often used for simple DoS attacks; it should only be permitted from external sources if necessary.

Although the data plane of most switches can handle millions and millions of packets per second, the same does not hold true as far as the control plane is concerned. The data plane is usually made up of ASICs built to switch packets from one port to another as fast as possible. The control plane, on the other hand, is often comprised of generic general-purpose processors. Excessive traffic destined to the control plane can easily overwhelm the switch, which causes high CPU utilization that ultimately results in unwanted and unpredictable behavior. By filtering access to infrastructure devices from external sources, many external risks associated with a direct switch or router attack are mitigated. Externally sourced attacks can no longer reach infrastructure equipment. Example 16-1 shows a common ingress perimeter filtering ACL.

Example 16-1 IPv4 Infrastructure Protection ACL

!--- Anti-spoofing entries first
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for other special-use addresses.
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
!--- Filter RFC 1918 space.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your IP space as source from entering your network.
access-list 100 deny ip YOUR_IP_RANGE any
!--- Permit BGP.
access-list 100 permit tcp host bgp_peer host router_ip eq bgp
access-list 100 permit tcp host bgp_peer eq bgp host router_ip
!--- Deny access to internal infrastructure addresses.
access-list 100 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
!--- Permit transit traffic.
access-list 100 permit ip any any


The ACL in Example 16-1 provides a good starting point for infrastructure protection. Naturally, tailor it to fit your network environment. For more information on applying ingress ACLs, see RFC 2267.
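An added example, not Cisco code, that serves both the TCAM walk-through of Example 16-2 and the infrastructure ACL of Example 16-1: it compiles Cisco-style access-list lines into (value, mask, result) entries like the masks and patterns of Figure 16-7 and looks packets up against them with first-hit priority and the implicit deny. The addresses standing in for the placeholders of Example 16-1 (BGP peer, router address, infrastructure range) are constructed documentation addresses.

```python
"""Added example (not Cisco code): compile Cisco-style IPv4 ACL lines into
TCAM-like (value, mask, result) entries and look packets up against them."""
import ipaddress
from typing import List, NamedTuple, Tuple

PORT_NAMES = {"bgp": 179}                    # IOS port keyword used on this page
PROTO_NUMBERS = {"ip": 0, "tcp": 6, "udp": 17}
FULL32 = 0xFFFFFFFF


class TcamEntry(NamedTuple):
    value: Tuple[int, int, int, int, int]   # (proto, src, sport, dst, dport) pattern
    mask: Tuple[int, int, int, int, int]    # per field: 1 bits care, 0 bits don't care
    result: str                              # "permit" or "deny"
    line: str                                # source ACE, kept for tracing hits


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr_field(t: List[str], i: int) -> Tuple[int, int, int]:
    """'any' | 'host A' | 'A WILDCARD' -> (value, mask, next token index)."""
    if t[i] == "any":
        return 0, 0, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), FULL32, i + 2
    mask = FULL32 ^ _ip(t[i + 1])            # wildcard 1 bits = don't care
    return _ip(t[i]) & mask, mask, i + 2


def _port_field(t: List[str], i: int) -> Tuple[int, int, int]:
    """Optional 'eq PORT' -> (value, mask, next token index)."""
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return port, 0xFFFF, i + 2
    return 0, 0, i


def compile_acl(lines: List[str]) -> List[TcamEntry]:
    """One entry per ACE in ACL order; a real TCAM shares one mask across many
    values (Figure 16-7), but one mask per entry gives the same lookup results."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                         # comment lines are not programmed
        t = line.split()                     # access-list N action proto src [eq p] dst [eq p]
        action, proto = t[2], t[3]
        pv, pm = PROTO_NUMBERS[proto], (0 if proto == "ip" else 0xFF)
        src, sm, i = _addr_field(t, 4)
        sp, spm, i = _port_field(t, i)
        dst, dm, i = _addr_field(t, i)
        dp, dpm, i = _port_field(t, i)
        entries.append(TcamEntry((pv, src, sp, dst, dp), (pm, sm, spm, dm, dpm), action, line))
    return entries


def tcam_lookup(entries: List[TcamEntry], proto: int, src: str, sport: int,
                dst: str, dport: int) -> Tuple[str, str]:
    """Hardware compares every entry at once and the lowest-index hit wins;
    this loop reproduces that priority. No hit is the ACL's implicit deny."""
    key = (proto, _ip(src), sport, _ip(dst), dport)
    for e in entries:
        if all((k & m) == v for k, m, v in zip(key, e.mask, e.value)):
            return e.result, e.line
    return "deny", "implicit deny at end of ACL"


# Example 16-2 from the book, with the /24 written as an IOS wildcard mask.
ACL_101 = [
    "access-list 101 permit ip host 8.1.1.1 any",
    "access-list 101 deny ip 8.1.1.0 0.0.0.255 any",
    "access-list 101 deny ip host 8.2.1.1 any",
]

# Cut-down Example 16-1; constructed values stand in for the book's placeholders:
# BGP peer 203.0.113.9, router 198.51.100.1, infrastructure block 198.51.100.0/24.
ACL_100 = [
    "!--- Anti-spoofing entries first",
    "access-list 100 deny ip host 0.0.0.0 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "!--- Permit BGP, deny everything else aimed at the infrastructure, permit transit.",
    "access-list 100 permit tcp host 203.0.113.9 host 198.51.100.1 eq bgp",
    "access-list 100 permit tcp host 203.0.113.9 eq bgp host 198.51.100.1",
    "access-list 100 deny ip any 198.51.100.0 0.0.0.255",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    t101, t100 = compile_acl(ACL_101), compile_acl(ACL_100)
    print(tcam_lookup(t101, 6, "8.1.1.8", 1234, "9.9.9.9", 80))             # deny via /24
    print(tcam_lookup(t100, 6, "203.0.113.9", 40000, "198.51.100.1", 179))  # BGP peer permit
```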

State or No State?

Imagine your network is under attack from a massive amount of spoofed HTTP traffic. This might, for example, be traffic trying to reach your main Internet web server using random source IP addresses, with small packets coming in at a high rate.

Another common attack scenario consists of sending a large number of Internet Control Message Protocol (ICMP) packets. The last thing you want in these attack cases is to fill the connection table of the perimeter firewall.

Both scenarios highlight a specificity common to virtually all firewalls: they maintain state, state for connections. Maintaining a connection state isn't a desirable feature in these cases, because stateful devices have a limit in terms of the concurrent connections they can handle. Once the connection table is full, genuine legitimate traffic is denied by collateral damage. This condition is known as denial of service (DoS). This is where firewalls lose a point against stateless devices, such as switches processing ACLs. Therefore, ACLs lend themselves well to prefirewall perimeter filtering or to protecting the infrastructure itself. At the end of the day, choosing between a firewall and an access list isn't always necessary; they both complement each other.

ACLs or Firewalls?

If switches are capable of checking millions of incoming packets per second against ACLs, what good are firewalls? Put another way, the question is, "What is the difference between an ACL and a firewall?" or, "Where can I apply ACLs?" The answer depends on the protection level you want to provide and the type of attacks you are likely to face. ACLs control which protocols and/or ports a host can use to reach a target, and that is pretty much it. They are often referred to as "Layer 3 or Layer 4 ACLs" for that reason. Unlike most firewalls, ACLs behave in a stateless manner. Incoming traffic is checked against the ACL on a packet-per-packet basis and either dropped or permitted according to the action that a user chooses. A stateful firewall, on the other hand, checks incoming traffic against a policy (which is actually similar in look and form to an ACL) and creates a connection record if the traffic is permitted. Subsequent packets that belong to this connection are automatically permitted without rechecking the ACL. Although this allows for excellent reporting and logging (for example, a firewall makes it possible to provide access and accounting logs on a per-connection basis), it comes with certain drawbacks.