Forwarding Plane Security – Layer 2 Security

Protecting administrator login (the management plane) and the CPU (the control plane) ultimately serves one goal: correct traffic forwarding at the forwarding plane. Layer 2 and Layer 3 traffic is forwarded correctly only when the forwarding entries on the switch are correct. The Layer 2 forwarding table is the MAC address table: the switch looks up the outbound interface for each packet in this table and, if no entry is found, broadcasts the packet. Broadcast storms are a common problem on Layer 2 networks. Keeping the forwarding table secure and suppressing broadcast storms are therefore the two challenges of Layer 2 security, and the following sections address each in turn.

1.1 How to Ensure Forwarding Table Security

The switch provides different methods for securing the forwarding table in different scenarios. For example, MAC address flapping prevention and port security secure the MAC address table by binding MAC addresses to interfaces, and DHCP snooping records the DHCP information of users in a binding table to ensure that dynamically addressed users access the network securely.

1.1.1 MAC Address Flapping Prevention

An interface starts learning a MAC address entry as soon as it receives a packet. If the switch has learned the MAC address entry of an authorized user from one interface and then receives an attack packet carrying the same source MAC address on another interface, the entry is no longer learned correctly and Layer 2 forwarding is disrupted.

Figure 1-1 shows a typical scenario. An unauthorized user sends a packet to the switch by using the gateway address as the source MAC address in the packet. The outbound interface matching MAC1 flaps from IF1 to IF2. When user hosts send packets to the gateway, the incorrect outbound interface IF2 is found in the MAC address table. Therefore, user packets cannot be forwarded to the gateway, causing an error in Layer 2 forwarding.

Figure 1-1 MAC address flapping prevention


S series switches provide two methods to prevent MAC address flapping:

- Configure static MAC address entries: Bind the gateway MAC address to the interface manually, so that the gateway MAC address cannot flap. If the gateway MAC address is unknown or not fixed, this method is not suitable. The configuration on the S series switch is as follows:

[SwitchA] mac-address static 3-3-3 gigabitethernet 0/0/10 vlan 4   //Assume that the gateway MAC address is 3-3-3 and interface is GE0/0/10. Bind the interface to MAC address in the broadcast domain of VLAN 4.

- Configure MAC address learning priority: Increase the MAC address learning priority of IF1 so that it is higher than that of IF2. When IF2 receives a packet with source MAC address MAC1, it does not learn the MAC address entry, so MAC address flapping cannot occur. The configuration on the S series switch is as follows:

[SwitchA] interface gigabitethernet 0/0/10   //Interface connected to the gateway

[SwitchA-GigabitEthernet0/0/10] mac-learning priority 3   //Set the MAC address learning priority on the interface to the maximum value 3.

Note: Some models of S series switches do not support the configuration of MAC address learning priority. On these models, you can configure MAC spoofing defense and set the gateway-facing interface as a trusted interface, which also prevents MAC address flapping. The configuration is as follows:

[SwitchA] mac-spoofing-defend enable   //Enable MAC Spoofing globally.

[SwitchA] interface gigabitethernet 0/0/10   //Interface connected to the gateway.

[SwitchA-GigabitEthernet0/0/10] mac-spoofing-defend enable   //Configure the interface as a trusted interface.

1.1.2 Port Security

Port security is a feature that secures the forwarding table. After port security is enabled on an interface, the MAC addresses learned on that interface are converted into secure MAC entries, which binds each MAC address to the interface: a user with that MAC address can access the network only through the bound interface.

Port security can also limit the number of MAC address entries on an interface to control the number of access users; only the users that access the switch first can go online. This also prevents MAC address table overflow caused by blackhole MAC address entries.

However, port security cannot check the validity of users: an unauthorized user can also go online as long as it accesses the switch early enough.

Figure 1-2 Port security application scenario


On the company network shown in Figure 1-2, the administrator needs to stop unauthorized users from sending packets with variable source MAC addresses and from using forged MAC addresses to access the network. The administrator therefore requires that only three users connect through one interface, and that users access the network only through their fixed interfaces.

To implement this policy, configure port security on GE0/0/1 of switch A. When an unauthorized user attempts to access the network through this interface, an alarm is reported. The configuration on the S series switch is as follows:

[SwitchA] interface gigabitethernet 0/0/1

[SwitchA-GigabitEthernet0/0/1] port-security enable   //Enable port security on the interface.

[SwitchA-GigabitEthernet0/0/1] port-security max-mac-num 3   //Set the maximum number of MAC addresses bound to an interface to 3. After port security is enabled, only one MAC address can be bound to an interface by default.

[SwitchA-GigabitEthernet0/0/1] port-security mac-address sticky   //Enable sticky MAC. After the switch restarts with configuration saved, the binding of interface and MAC address still exists.

Note: When the number of secure MAC entries converted by port security reaches the upper limit, port security takes a punishment action when a further, unauthorized user attempts to access the switch through the interface. The switch supports three punishment actions:

protect: Drop packets whose source MAC addresses are not in the MAC address table.

restrict: Drop packets whose source MAC addresses are not in the MAC address table, and report an alarm to notify the administrator. This is the default action.

shutdown: Shut down the interface. The interface can only be recovered manually.
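To make the behaviour of sections 1.1.1 and 1.1.2 concrete, the following model of a MAC address table shows how a dynamic entry flaps when nothing protects it, how a static entry or a higher learning priority on the gateway interface stops the flap, and how port security converts learned addresses into secure entries, enforces max-mac-num with the protect/restrict/shutdown actions, and keeps sticky entries across a restart. This is an added illustration written for this page, not Huawei switch code; the interface names (IF1, IF2, GE0/0/1, GE0/0/2) and MAC labels are invented to mirror Figures 1-1 and 1-2, and the priority comparison and restart behaviour are simplified assumptions about what the text describes.

```python
"""Model of a Layer 2 MAC address table illustrating MAC flapping prevention
(static entries, per-interface learning priority) and port security
(max-mac-num, sticky MAC, protect/restrict/shutdown).  Added, constructed
illustration, not Huawei switch code; interface and MAC names are invented
to mirror the figures (MAC1 = gateway learned on IF1, IF2 = spoofing port).
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Entry:
    mac: str
    interface: str
    kind: str = "dynamic"              # dynamic | static | secure


@dataclass
class PortSecurity:
    max_mac_num: int = 1               # default once port-security is enabled
    action: str = "restrict"           # default punishment action
    sticky: bool = False
    shut_down: bool = False
    alarms: List[str] = field(default_factory=list)


class MacTable:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}
        self.priority: Dict[str, int] = {}          # interface -> 0..3
        self.port_sec: Dict[str, PortSecurity] = {}

    # Configuration calls, mirroring the CLI commands in the text.
    def mac_address_static(self, mac: str, interface: str) -> None:
        self.entries[mac] = Entry(mac, interface, "static")

    def mac_learning_priority(self, interface: str, prio: int) -> None:
        self.priority[interface] = prio

    def port_security_enable(self, interface: str, max_mac_num: int = 1,
                             action: str = "restrict", sticky: bool = False) -> None:
        self.port_sec[interface] = PortSecurity(max_mac_num, action, sticky)

    def _secure_count(self, interface: str) -> int:
        return sum(e.interface == interface and e.kind == "secure"
                   for e in self.entries.values())

    def receive(self, src_mac: str, interface: str) -> str:
        """Handle one frame's source MAC; returns kept|learned|moved|secured|not-learned|dropped."""
        ps = self.port_sec.get(interface)
        if ps and ps.shut_down:
            return "dropped"
        cur, moved = self.entries.get(src_mac), False
        if cur is not None:
            if cur.interface == interface:
                return "kept"
            if cur.kind != "dynamic":               # static/secure: bound elsewhere, never flaps
                return "dropped"
            if self.priority.get(interface, 0) < self.priority.get(cur.interface, 0):
                return "not-learned"                # lower priority cannot take the entry over
            del self.entries[src_mac]
            moved = True
        if ps is None:
            self.entries[src_mac] = Entry(src_mac, interface)
            return "moved" if moved else "learned"
        if self._secure_count(interface) < ps.max_mac_num:
            self.entries[src_mac] = Entry(src_mac, interface, "secure")
            return "secured"
        if ps.action == "restrict":                 # limit reached: punish
            ps.alarms.append(f"unknown MAC {src_mac} on {interface}")
        elif ps.action == "shutdown":
            ps.shut_down = True
        return "dropped"                            # protect drops silently

    def restart(self) -> None:
        """Reboot with saved configuration: dynamic entries are lost; secure
        entries survive only on interfaces configured with sticky MAC."""
        self.entries = {m: e for m, e in self.entries.items()
                        if e.kind == "static"
                        or (e.kind == "secure" and self.port_sec[e.interface].sticky)}


def demo_flapping() -> Dict[str, tuple]:
    """Figure 1-1: gateway MAC1 learned on IF1, then spoofed from IF2."""
    plain, prio, static = MacTable(), MacTable(), MacTable()
    prio.mac_learning_priority("IF1", 3)            # 'mac-learning priority 3'
    static.mac_address_static("MAC1", "IF1")        # 'mac-address static ...'
    for t in (plain, prio):
        t.receive("MAC1", "IF1")
    return {"unprotected": (plain.receive("MAC1", "IF2"), plain.entries["MAC1"].interface),
            "priority": (prio.receive("MAC1", "IF2"), prio.entries["MAC1"].interface),
            "static": (static.receive("MAC1", "IF2"), static.entries["MAC1"].interface)}


def demo_port_security(action: str = "restrict") -> Dict[str, object]:
    """Figure 1-2: GE0/0/1 with max-mac-num 3 and sticky MAC, four users arrive."""
    t = MacTable()
    t.port_security_enable("GE0/0/1", max_mac_num=3, action=action, sticky=True)
    results = [t.receive(m, "GE0/0/1") for m in ("MAC-A", "MAC-B", "MAC-C", "MAC-D")]
    ps = t.port_sec["GE0/0/1"]
    elsewhere = t.receive("MAC-A", "GE0/0/2")       # bound MAC seen on another port
    t.restart()
    return {"results": results, "alarms": len(ps.alarms), "shut_down": ps.shut_down,
            "elsewhere": elsewhere, "after_restart": sorted(t.entries)}
```

Running demo_flapping() shows the unprotected table moving MAC1 to IF2, while the priority and static variants keep it on IF1; demo_port_security() shows the fourth user being dropped, the alarm raised only for restrict, the interface shut down only for shutdown, and a bound MAC rejected from any other port.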

 

1.1.3 DHCP Snooping

DHCP snooping secures the DHCP protocol: it ensures that DHCP clients obtain IP addresses from the correct DHCP server and prevents DHCP attacks.

To understand how DHCP snooping prevents DHCP attacks, you first need to understand DHCP itself.

On an IPv4 network, IP addresses are allocated to clients using DHCP in the client/server model. The DHCP client sends a request to the DHCP server, and the server returns IP address information to the client, including IP address, default gateway, and DNS server.

Figure 1-3 DHCP networking


In Figure 1-3, a DHCP network contains two roles:

- DHCP client: obtains an IP address using DHCP. For example, the IP phone and PC are clients.

- DHCP server: allocates IP addresses to DHCP clients.

Based on the client/server model of DHCP, unauthorized users may initiate the following types of attacks.

Figure 1-4 Typical DHCP attacks


Bogus DHCP server attack: An unauthorized user poses as the DHCP server and allocates an incorrect IP address to the client, so the client cannot access the network.

Bogus DHCP packet attack: An authorized user sends a DHCP request packet to the server to renew its IP address lease. An unauthorized user poses as an authorized user and continuously sends DHCP request packets to the server requesting renewal. As a result, expired IP addresses cannot be reclaimed, and new authorized users cannot obtain IP addresses.

Likewise, an authorized user sends a DHCP release packet to the server to release its IP address. An unauthorized user poses as an authorized user and sends DHCP release packets to the server, forcing the authorized user offline.

DHCP flood attack: An unauthorized user sends a large number of DHCP packets within a short period. The DHCP server cannot process valid packets and fails to allocate IP addresses to clients.

DHCP server DoS attack: An unauthorized user maliciously requests IP addresses until all the IP addresses on the DHCP server are exhausted, so the server cannot allocate IP addresses to authorized users.

The DHCP server identifies clients by the Client Hardware Address (CHADDR) field in DHCP request packets. An unauthorized user sends DHCP packets with varying CHADDR fields to the server, again exhausting all the IP addresses so that the server cannot allocate IP addresses to authorized users.

DHCP snooping can defend against these types of attacks. Generally, DHCP snooping is configured on the access switch.

Bogus DHCP server attack: The interface that connects the access switch to the DHCP server is configured as a trusted interface. Only the trusted interface can receive and forward DHCP packets.

Bogus DHCP packet attack: When the DHCP server allocates IP addresses to clients, the switch generates the DHCP snooping binding table from the DHCP packets. The binding table records the MAC address, IP address, lease time, VLAN ID, and interface of each client. The switch then checks DHCP packets against the binding entries and drops packets that do not match.

DHCP flood attack: The rate of DHCP packets sent to the CPU is limited.

DHCP server DoS attack: The number of DHCP snooping binding entries is limited, which limits the number of access users. When the number of users reaches the configured value, no further user can obtain an IP address through this interface.

In addition, the device checks that the source MAC address in the DHCP request packet's frame header matches the CHADDR field in the DHCP payload. If they differ, the device drops the packet.

The following is an example for configuring DHCP snooping.

Figure 1-5 DHCP Snooping networking


In Figure 1-5, DHCP client 1 and DHCP client 2 request for IP addresses through switch A from the DHCP server. Configure DHCP snooping on switch A to prevent the following attacks:

- Bogus DHCP server attack

- Bogus DHCP packet attack

- DHCP flood attack

- DHCP server DoS attack

The configuration on the S series switch is as follows:

1. Enable DHCP snooping globally and on the interfaces.

[SwitchA] dhcp enable   //Enable DHCP globally.

[SwitchA] dhcp snooping enable

[SwitchA] interface gigabitethernet 0/0/1

[SwitchA-GigabitEthernet0/0/1] dhcp snooping enable

[SwitchA-GigabitEthernet0/0/1] quit

[SwitchA] interface gigabitethernet 0/0/2

[SwitchA-GigabitEthernet0/0/2] dhcp snooping enable

[SwitchA-GigabitEthernet0/0/2] quit

2. Configure the interface connected to the DHCP server as a trusted interface to prevent bogus DHCP server attacks.

[SwitchA] interface gigabitethernet 0/0/10

[SwitchA-GigabitEthernet0/0/10] dhcp snooping enable

[SwitchA-GigabitEthernet0/0/10] dhcp snooping trusted

[SwitchA-GigabitEthernet0/0/10] quit

3. Configure DHCP packet checking against the binding table to prevent bogus DHCP packet attacks.

[SwitchA] dhcp enable

[SwitchA] dhcp snooping check dhcp-request enable vlan 10   //Configure user check in VLAN 10.

4. Set the maximum number of DHCP packets sent to the CPU to prevent DHCP flood attacks.

[SwitchA] dhcp snooping check dhcp-rate enable   //Enable check on the rate of DHCP packets sent to the CPU.

[SwitchA] dhcp snooping check dhcp-rate 90   //Set the maximum number of DHCP packets that can be processed per second to 90.

5. Set the maximum number of DHCP snooping binding entries and enable the consistency check between the source MAC address in the DHCP request frame header and the CHADDR field, to prevent DHCP server DoS attacks.

[SwitchA] dhcp snooping max-user-number 2 vlan 10   //Set the maximum number of access users in VLAN 10 to 2.

[SwitchA] dhcp snooping check dhcp-chaddr enable vlan 10
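The following simulation ties the defense table in 1.1.3 to the five configuration steps just shown: a trusted interface for the server, a binding table built from ACKs, request/release packets checked against their binding, a per-second limit on DHCP packets sent to the CPU, a per-VLAN user limit, and the CHADDR consistency check. It is an added illustration written for this page, not Huawei code. DHCP packets are reduced to small records rather than real frames; the client and server MAC addresses, IP addresses and arrival times in the scenario are constructed, and the points at which the user limit and the binding check are applied are simplifying assumptions about the behaviour the text describes.

```python
"""Simulation of the DHCP snooping checks configured on switch A (Figure 1-5):
trusted interface, binding table, request/release check, DHCP rate limit
toward the CPU, max-user-number per VLAN and CHADDR consistency.  Added,
constructed illustration, not Huawei code; packets are small records and
all MAC/IP addresses and timings are invented.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    msg: str            # DISCOVER | OFFER | REQUEST | ACK | RELEASE
    src_mac: str        # Ethernet source address of the frame
    chaddr: str         # client hardware address in the DHCP payload
    interface: str      # switch port the packet arrived on
    vlan: int
    ip: str = ""        # yiaddr (OFFER/ACK) or ciaddr (renew REQUEST/RELEASE)
    t: float = 0.0      # arrival time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


class DhcpSnooping:
    def __init__(self, rate_limit: int = 90, max_users: Optional[Dict[int, int]] = None) -> None:
        self.trusted: set = set()                             # 'dhcp snooping trusted'
        self.bindings: Dict[Tuple[str, int], Binding] = {}    # (mac, vlan) -> entry
        self.pending: Dict[Tuple[str, int], str] = {}         # client port awaiting ACK
        self.rate_limit = rate_limit                          # 'check dhcp-rate 90'
        self.max_users = max_users or {}                      # vlan -> 'max-user-number'
        self.window = (-1, 0)                                 # (second, packets seen)

    def trust(self, interface: str) -> None:
        self.trusted.add(interface)

    def _rate_ok(self, t: float) -> bool:
        sec = int(t)
        count = self.window[1] + 1 if self.window[0] == sec else 1
        self.window = (sec, count)
        return count <= self.rate_limit

    def _users(self, vlan: int) -> int:
        return sum(b.vlan == vlan for b in self.bindings.values())

    def process(self, p: Packet) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP packet."""
        if not self._rate_ok(p.t):                            # flood: protect the CPU
            return "drop:rate-limit"
        key = (p.chaddr, p.vlan)
        if p.msg in ("OFFER", "ACK"):                         # server-side messages
            if p.interface not in self.trusted:
                return "drop:untrusted-server"                # bogus DHCP server
            if p.msg == "ACK" and key in self.pending:
                self.bindings[key] = Binding(p.chaddr, p.ip, p.vlan, self.pending.pop(key))
            return "forward"
        if p.src_mac != p.chaddr:                             # 'check dhcp-chaddr'
            return "drop:chaddr-mismatch"
        bound = self.bindings.get(key)
        if p.ip:                                              # renewal/release of a held lease
            if bound is None or bound.ip != p.ip or bound.interface != p.interface:
                return "drop:no-matching-binding"             # bogus DHCP packet
            if p.msg == "RELEASE":
                del self.bindings[key]
            return "forward"
        if bound is None:                                     # new user asking for a lease
            limit = self.max_users.get(p.vlan)
            if limit is not None and self._users(p.vlan) >= limit:
                return "drop:max-user-number"                 # pool-exhaustion defense
            self.pending[key] = p.interface
        return "forward"


def run_scenario() -> Dict[str, object]:
    """Constructed timeline for Figure 1-5: two clients, a rogue host on GE0/0/2."""
    s = DhcpSnooping(rate_limit=90, max_users={10: 2})
    s.trust("GE0/0/10")
    srv, c1, c2 = "00:5e:00:00:00:aa", "00:c1:00:00:00:01", "00:c2:00:00:00:02"
    c3, rogue, r = "00:c3:00:00:00:03", "00:ba:d0:00:00:09", {}
    s.process(Packet("DISCOVER", c1, c1, "GE0/0/1", 10, t=1))
    r["c1_ack"] = s.process(Packet("ACK", srv, c1, "GE0/0/10", 10, "10.1.1.11", 2))
    r["rogue_ack"] = s.process(Packet("ACK", rogue, c2, "GE0/0/2", 10, "192.0.2.99", 3))
    s.process(Packet("DISCOVER", c2, c2, "GE0/0/2", 10, t=4))
    s.process(Packet("ACK", srv, c2, "GE0/0/10", 10, "10.1.1.12", 5))
    r["c3_discover"] = s.process(Packet("DISCOVER", c3, c3, "GE0/0/2", 10, t=6))
    r["forged_chaddr"] = s.process(Packet("RELEASE", rogue, c1, "GE0/0/2", 10, "10.1.1.11", 7))
    r["spoofed_release"] = s.process(Packet("RELEASE", c1, c1, "GE0/0/2", 10, "10.1.1.11", 8))
    r["c1_release"] = s.process(Packet("RELEASE", c1, c1, "GE0/0/1", 10, "10.1.1.11", 9))
    flood = [s.process(Packet("DISCOVER", f"02:00:00:00:{i:02x}:00", f"02:00:00:00:{i:02x}:00",
                              "GE0/0/2", 10, t=20 + i / 1000)) for i in range(100)]
    r["flood_forwarded"] = flood.count("forward")
    r["bindings"] = sorted(b.ip for b in s.bindings.values())
    return r
```

In the scenario the rogue's ACK is dropped because GE0/0/2 is untrusted, the third client is refused because VLAN 10 already holds two bindings, the two forged releases fail the CHADDR and binding checks respectively, and only 90 of the 100 flood packets in one second reach the CPU.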

1.2 How to Suppress Broadcast Storm

What is a broadcast storm?

A broadcast storm occurs when there are too many broadcast, unknown multicast, and unknown unicast packets on the network, or when a loop exists on the network.

Why does a broadcast storm occur?

Layer 2 forwarding is based on the MAC address table. If no outbound interface matching the destination MAC address of a packet is found in the MAC address table, the packet is forwarded to all interfaces in the VLAN, which causes a broadcast storm.

How is a broadcast storm suppressed?

The key to suppressing broadcast storms is to find the outbound interface for each packet so that it can be forwarded as unicast. In practice, broadcast storms cannot be eliminated completely because of limits on MAC address table capacity and the nature of Layer 2 forwarding; their impact can only be minimized.

The switch provides two methods:

1. Suppress traffic in different dimensions.

2. Block the interface or change its state to error-down.

1.2.1 Traffic Suppression

Traffic suppression can be performed in three dimensions:

Rate limiting based on interface: Suppress the three types of packets in the inbound direction of an interface, with the limit expressed as a percentage of interface bandwidth, in pps, or in bps.

Rate limiting based on VLAN: Suppress the three types of packets in the inbound direction within a VLAN, in bps.

Blocking based on interface: Block the three types of packets in the outbound direction of an interface.

The following is a typical scenario and its configuration.

Figure 1-6 Traffic suppression


In Figure 1-6, switch A is an aggregation switch. Users in VLAN 10 and VLAN 20 access the switch through GE0/0/1. Users in VLAN 30 access the network through GE0/0/2. Only a fixed user accesses the network through GE0/0/3. This user requires high security, and does not want to receive broadcast, unknown multicast, and unknown unicast packets.

Configuration Roadmap

- Users connected to GE0/0/1 belong to different VLANs. Configure traffic suppression based on VLAN.

- Users connected to GE0/0/2 belong to the same VLAN. Configure traffic suppression for this interface.

- The user connected to GE0/0/3 requires high security. Block broadcast, unknown multicast, and unknown unicast packets on this interface.

Procedure

1. Limit the rate of broadcast, unknown multicast, and unknown unicast packets in each VLAN.

[SwitchA] qos car qoscar1 cir 1000   //Configure the QoS profile and set the CIR to 1000 kbit/s.

[SwitchA] vlan 10

[SwitchA-vlan10] broadcast-suppression qoscar1   //Apply the QoS profile to the VLAN view and set the CIR for broadcast packets to 1000 kbit/s.

[SwitchA-vlan10] multicast-suppression qoscar1   //Apply the QoS profile to the VLAN view and set the CIR for unknown multicast packets to 1000 kbit/s.

[SwitchA-vlan10] unicast-suppression qoscar1   //Apply the QoS profile to the VLAN view and set the CIR for unknown unicast packets to 1000 kbit/s.

Note:

- If the keyword share is specified when the QoS profile is applied to the VLAN, the 1000 kbit/s CIR is shared by broadcast, unknown multicast, and unknown unicast packets in total.

- The preceding configuration applies to modular switches. On fixed switches, set the suppression rate limit directly in the VLAN view (no QoS profile is required).

2. Limit the rate of broadcast, unknown multicast, and unknown unicast packets on an interface.

[SwitchA] interface gigabitethernet 0/0/2

[SwitchA-GigabitEthernet0/0/2] broadcast-suppression 5   //Set the broadcast rate to 5% of the interface bandwidth.

[SwitchA-GigabitEthernet0/0/2] multicast-suppression 5   //Set the unknown multicast rate to 5% of the interface bandwidth.

[SwitchA-GigabitEthernet0/0/2] unicast-suppression 5   //Set the unknown unicast rate to 5% of the interface bandwidth.

Note:

Traffic suppression based on interface can be configured in three modes: percentage, pps, and bps. The full command syntax, covering all three modes, is as follows:

broadcast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

multicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

unicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

3. Block broadcast, unknown multicast, and unknown unicast packets based on interface.

[SwitchA] interface gigabitethernet 0/0/3

[SwitchA-GigabitEthernet0/0/3] broadcast-suppression block outbound   //Block broadcast packets.

[SwitchA-GigabitEthernet0/0/3] multicast-suppression block outbound   //Block unknown multicast packets.

[SwitchA-GigabitEthernet0/0/3] unicast-suppression block outbound   //Block unknown unicast packets.
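The three interface-level suppression modes in step 2 (percentage of interface bandwidth, cir/cbs, packets per second) and the outbound block in step 3 differ only in what a token bucket counts and how large its burst is. The following model, an added illustration written for this page and not the switch's implementation, runs the same constructed burst of broadcast frames through each mode so the forwarded counts can be compared. The 1 Gbit/s interface speed, the 100 Mbit/s arrival pattern, the ten-frame burst allowance in percentage mode and the default cbs of 1500 bytes are all assumptions; time is kept in integer microseconds so that the counts are exact.

```python
"""Token-bucket model of interface-level traffic suppression in its three
modes (percent of interface bandwidth, cir/cbs, packets per second) plus the
outbound 'block' mode.  Added, constructed illustration, not the switch's
implementation: interface speed, burst sizes and the arrival pattern are
invented, and time is kept in integer microseconds so counts are exact.
"""
from typing import Dict, List, Tuple

US = 1_000_000                 # microseconds per second
FRAME_BITS = 1500 * 8          # a full-size Ethernet frame
PERCENT_BURST_BITS = 10 * FRAME_BITS   # assumed burst allowance in percent mode


class Suppressor:
    """Rate limiter for one traffic type (broadcast, unknown multicast or
    unknown unicast) on one interface."""

    def __init__(self, mode: str, value: int, if_bps: int = 1_000_000_000,
                 cbs_bytes: int = 1500) -> None:
        self.mode = mode
        if mode == "percent":          # broadcast-suppression 5
            self.rate, self.burst = if_bps * value // 100, PERCENT_BURST_BITS   # bit/s, bits
        elif mode == "cir":            # broadcast-suppression cir 1000 [cbs 1500]
            self.rate, self.burst = value * 1000, cbs_bytes * 8                  # kbit/s -> bit/s
        elif mode == "packets":        # broadcast-suppression packets 1000
            self.rate, self.burst = value, 1                                     # pkt/s, one packet
        elif mode == "block":          # broadcast-suppression block outbound
            self.rate, self.burst = 0, 0
        else:
            raise ValueError(mode)
        # Tokens are scaled by US so that refill (rate * elapsed_us) stays integral.
        self.tokens = self.burst * US
        self.last_us = 0

    def admit(self, frame_bits: int, t_us: int) -> bool:
        """True if a frame of frame_bits arriving at t_us is forwarded."""
        if self.mode == "block":
            return False
        self.tokens = min(self.burst * US, self.tokens + self.rate * (t_us - self.last_us))
        self.last_us = t_us
        cost = (1 if self.mode == "packets" else frame_bits) * US
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def broadcast_burst(n: int = 1000, gap_us: int = 100) -> List[Tuple[int, int]]:
    """Constructed storm: n full-size frames, one every gap_us (100 Mbit/s offered)."""
    return [(i * gap_us, FRAME_BITS) for i in range(n)]


def forwarded(sup: Suppressor, frames: List[Tuple[int, int]]) -> int:
    """Number of frames the suppressor lets through."""
    return sum(sup.admit(bits, t) for t, bits in frames)


def compare_modes() -> Dict[str, int]:
    """Run the same constructed burst through each suppression mode."""
    burst = broadcast_burst()
    return {
        "offered": len(burst),
        "percent_5": forwarded(Suppressor("percent", 5), burst),    # 5% of 1 Gbit/s = 50 Mbit/s
        "cir_1000k": forwarded(Suppressor("cir", 1000), burst),    # 1000 kbit/s, cbs 1500 bytes
        "pps_1000": forwarded(Suppressor("packets", 1000), burst), # 1000 packets/s
        "block": forwarded(Suppressor("block", 0), burst),
    }
```

Over the 0.1 s burst, the 5% limit admits the burst allowance plus roughly half of the remaining frames, the 1000 kbit/s CIR with a single-frame cbs admits one frame per 12 ms, the 1000 pps limit admits one frame every 1 ms, and block drops everything; the numbers make visible how much the cbs, not only the rate, decides what survives a storm.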

1.2.2 Storm Control

In addition to limiting the rate of broadcast, unknown multicast, and unknown unicast packets, storm control can take a punishment action on the interface when the rate exceeds the upper threshold.

- Block port

If the average rate of any type of packets within a check period exceeds the upper threshold, the interface is blocked.

If the average rate of the packets within a check period falls below the lower threshold, the interface is unblocked.

- Change the interface state to error-down

If the average rate of any type of packets within a check period exceeds the upper threshold, the interface state is changed to error-down.

By default, the error-down interface will not automatically recover. You must run the restart command to manually recover it.

If the automatic recovery time is set before an interface enters the error-down state, the interface can automatically recover after the time expires.

Configuration

[SwitchA] error-down auto-recovery cause storm-control interval 20   //Set the automatic recovery time to 20s. An interface will be recovered 20s after its state is changed to error-down by storm control.

[SwitchA] interface gigabitethernet 0/0/5

[SwitchA-GigabitEthernet0/0/5] storm-control broadcast min-rate 1000 max-rate 2000   //Set the punishment threshold for broadcast packets.

[SwitchA-GigabitEthernet0/0/5] storm-control action error-down   //Set the punishment action to error down.

[SwitchA-GigabitEthernet0/0/5] quit

[SwitchA] interface gigabitethernet 0/0/6

[SwitchA-GigabitEthernet0/0/6] storm-control multicast min-rate percent 5 max-rate percent 20   //Set the punishment threshold for unknown multicast packets.

[SwitchA-GigabitEthernet0/0/6] storm-control action block    //Set the punishment action to block.
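The storm control rules above form a small state machine: one check period at a time, block or error-down when the average rate exceeds max-rate, unblock only once it falls below min-rate, and error-down held until a manual restart or the configured auto-recovery interval. The following model, an added illustration written for this page and not Huawei code, walks constructed per-period rates through the GE0/0/5 thresholds (min-rate 1000, max-rate 2000) with a 5-second check period; the period length and the rate sequences are assumptions.

```python
"""State machine for storm control: min-rate/max-rate thresholds per check
period, the 'block' and 'error-down' actions, manual restart and error-down
auto-recovery.  Added, constructed illustration, not Huawei code; the check
period and the per-period rates fed in are invented.
"""
from typing import List, Optional


class StormControl:
    """Storm control for one traffic type on one interface.  Rates use the
    unit the thresholds were configured in (pps here); the caller supplies
    the average rate measured over each check period."""

    def __init__(self, min_rate: float, max_rate: float, action: str,
                 interval: int = 5, auto_recovery: Optional[int] = None) -> None:
        if action not in ("block", "error-down") or min_rate > max_rate:
            raise ValueError("bad storm-control configuration")
        self.min_rate, self.max_rate, self.action = min_rate, max_rate, action
        self.interval = interval                   # check period in seconds
        self.auto_recovery = auto_recovery         # 'error-down auto-recovery ... interval'
        self.state = "normal"                      # normal | blocked | error-down
        self.now = 0                               # simulated clock in seconds
        self.down_since: Optional[int] = None
        self.events: List[str] = []

    def restart(self) -> None:
        """Manual 'restart' of an error-down interface."""
        if self.state == "error-down":
            self.state, self.down_since = "normal", None
            self.events.append(f"t={self.now}: manual restart")

    def check_period(self, avg_rate: float) -> str:
        """Evaluate one check period and return the resulting interface state."""
        self.now += self.interval
        if self.state == "error-down":
            if self.auto_recovery is not None and self.now - self.down_since >= self.auto_recovery:
                self.state, self.down_since = "normal", None
                self.events.append(f"t={self.now}: auto-recovered")
            else:
                return self.state                  # held down until restart or recovery
        if avg_rate > self.max_rate and self.state == "normal":
            self.state = "blocked" if self.action == "block" else "error-down"
            if self.state == "error-down":
                self.down_since = self.now
            self.events.append(f"t={self.now}: {avg_rate} > max-rate -> {self.state}")
        elif avg_rate < self.min_rate and self.state == "blocked":
            self.state = "normal"                  # hysteresis: unblock only below min-rate
            self.events.append(f"t={self.now}: {avg_rate} < min-rate -> unblocked")
        return self.state


def run(action: str, rates: List[float], auto_recovery: Optional[int] = None) -> List[str]:
    """Feed constructed per-period average rates (pps) through the GE0/0/5
    thresholds: min-rate 1000, max-rate 2000, 5-second check period."""
    sc = StormControl(1000, 2000, action, interval=5, auto_recovery=auto_recovery)
    return [sc.check_period(r) for r in rates]
```

With action block, a period at 1500 pps keeps an already blocked interface blocked because the rate is above min-rate even though it is below max-rate; with action error-down and auto-recovery 20, the interface comes back four periods after it went down, and without auto-recovery it stays down until restart() is called.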

 

This article describes the security protection on Layer 2 networks supported by S series switches. In the next article, we will discuss the security protection on Layer 3 networks.

 

Security Issues - Issue 1 Security Holistic View
Security Issues - Issue 2 Management Plane Security
Security Issues - Issue 3 Control Plane Security
Security Issues - Issue 4 Forwarding Plane Security – Layer 2 Security
Security Issues - Issue 5 Forwarding Plane Security – Layer 3 Security

 

This post was last edited by 交换机在江湖 on 2017-08-11 02:41.

gululu
Admin Created Apr 1, 2017 02:27:33 Helpful(0)

thanks!

Come on!

Harendra
Created Dec 3, 2018 11:33:04 Helpful(0)

very helpful

EdeninRealMadrid
Created Dec 12, 2018 09:30:59 Helpful(0)

It's hard
