Medianet Reference Guide - Cisco

More documents

Recommendations

Info

Auto Smartports Chapter 7 Medianet Auto Configuration Table 7-16 Configuration Example 7—Overridden Custom Macro Within the Switch Configuration ! macro auto execute CISCO_CUSTOM_EVENT ACCESS_VLAN=402 { if [[ $LINKUP -eq YES ]]; then conf t interface $INTERFACE exit end fi if [[ $LINKUP -eq NO ]]; then conf t interface $INTERFACE switchport access vlan $ACCESS_VLAN exit end fi } ! The overridden macro example simply places the switchport into VLAN 402 when it goes into a link down state. Note that the VLAN can either be hardcoded into the overridden macro or passed in via a variable declaration as shown in this example. Security Considerations CDP and LLDP are not considered to be secure protocols. They do not authenticate neighbors, nor make any attempt to conceal information via encryption. The only difficulty in crafting a CDP packet is that the checksum is calculated with a non-standard algorithm. Even this has been reversed engineered and published in public forums. As a result, CDP and LLDP offer an attractive vulnerability to users with mal-intent. For example, by simply sending in a CDP packet with the “S” bit (otherwise referred to as the switch bit) set in the capabilities TLV, the switch can be tricked into configuring a trunk port that will pass all VLANs and accept 802.1d BPDUs from the hacker. This could be used in man-in-the-middle (MIM) attacks on any VLAN in the switch. Below is an example of a CDP spoofing device that has set the switch bit. Notice that the platform is set to a DMP. An obvious give-away in this example is the host name, CDP Tool1, which was chosen to be obvious. Normally the host name would have been selected to make the device appear to be a legitimate DMP device. me-w-austin-3#sh cdp neigh g1/0/39 Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID CDP Tool1 Gig 1/0/39 30 S DMP 4305G eth0 Because the switch policy ignores the platform, this field can be used to make the entry appear to be legitimate while still tricking the switch to configure a trunk, as shown below. ! interface GigabitEthernet1/0/39 location civic-location-id 1 port-location floor 2 room Broken_Spoke 7-22 Medianet Reference Guide OL-22201-01
Chapter 7 Medianet Auto Configuration Auto Smartports switchport mode trunk srr-queue bandwidth share 1 30 35 5 queue-set 2 priority-queue out mls qos trust cos macro description CISCO_SWITCH_EVENT macro auto port sticky auto qos trust end Fortunately with Enhanced ASP macros, the user is allowed to disable specific scripts. The recommendation is to only enable host type macros. Switches, routers, and access-points are rarely attached to a network in a dynamic fashion. Therefore, ASP macros corresponding to these devices should be disabled where possible. As discussed previously, ASP allows the use of remote servers to provide macros. Secure sessions such as HTTPS should be used. If the MIM above is used in conjunction with an unsecured remote configuration, the network administrator has released full control of the device to the hacker. Authenticating Medianet Devices Device authentication has been an ongoing concern since the early days of wireless access. The topic is the subject of several books. A common approach is to enable 802.1x. This authentication method employs a supplicant located on the client device. If a device does not have a supplicant, as is the case with many printers, then the device can be allowed to bypass authentication based on its MAC address. This is known as MAC-Authentication-Bypass or MAB. As the name implies, this is not authentication, but a controlled way to bypass that requirement. Currently all ASP medianet devices must use MAB if device authentication is in use, since these devices do not support an 802.1x supplicant. With MAB the client’s MAC address is passed to a RADIUS server. The server authenticates the devices based solely on its MAC address and can pass back policy information to the switch. Administrators should recognize that MAC addresses are not privileged information. A user can assign a locally-administered MAC address. Another key point is that MAB and ASP can happen independently of one another. A device may use MAB to get through authentication and then use CDP to trigger and ASP event. Security policy must also consider each independently. A user could hijack the MAC address from a clientless IP phone, then spoof CDP to trigger the SWITCH_EVENT macro. The risk is greatly reduced by following the recommendation to turn off ASP support for static devices such as switches and routers. MAB with ASP can be configured as shown in the example in Table 7-17. Table 7-17 Configuration Example 7—MAB with ASP ! interface GigabitEthernet1/0/7 description me-austin-c1040 (new_home) switchport mode access authentication event fail action authorize vlan 301 authentication event no-response action authorize vlan 301 authentication host-mode multi-domain authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab eap end ! OL-22201-01 Medianet Reference Guide 7-23
Page 1 and 2:
Medianet Reference Guide Last Updat
Page 3:
About the Authors Solution Authors
Page 6 and 7:
Contents Application Intelligence a
Page 8 and 9:
Contents The Globalization of the W
Page 10 and 11:
Contents NetFlow Collector Consider
Page 12 and 13:
Contents viii Medianet Reference Gu
Page 14 and 15:
Business Drivers for Media Applicat
Page 16 and 17:
Business Drivers for Media Applicat
Page 18 and 19:
Challenges of Medianets Chapter 1 M
Page 20 and 21:
Challenges of Medianets Chapter 1 M
Page 22 and 23:
Solution Chapter 1 Medianet Archite
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Conclusions Chapter 1 Medianet Arch
Page 48 and 49:
Related Documents Chapter 1 Mediane
Page 50 and 51:
Related Documents Chapter 1 Mediane
Page 52 and 53:
Measuring Bandwidth Chapter 2 Media
Page 54 and 55:
Packet Flow Malleability Chapter 2
Page 56 and 57:
Shapers Chapter 2 Medianet Bandwidt
Page 58 and 59:
Shapers versus Policers Chapter 2 M
Page 60 and 61:
Shapers versus Policers Chapter 2 M
Page 62 and 63:
Converged Video Chapter 2 Medianet
Page 64 and 65:
Bandwidth Over Subscription Chapter
Page 66 and 67:
Capacity Planning Chapter 2 Mediane
Page 68 and 69:
Load Balancing Chapter 2 Medianet B
Page 70 and 71:
EtherChannel Chapter 2 Medianet Ban
Page 72 and 73:
Bandwidth Conservation Chapter 2 Me
Page 74 and 75:
Summary Chapter 2 Medianet Bandwidt
Page 76 and 77:
Network Availability Chapter 3 Medi
Page 78 and 79:
Network Availability Chapter 3 Medi
Page 80 and 81:
Device Availability Technologies Ch
Page 82 and 83:
Device Availability Technologies Ch
Page 84 and 85:
Network Availability Technologies C
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Operational Availability Technologi
Page 106 and 107:
Summary Chapter 3 Medianet Availabi
Page 108 and 109:
Drivers for QoS Design Evolution Ch
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Cisco QoS Toolset Chapter 4 Mediane
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Enterprise Medianet Strategic QoS R
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
References Chapter 4 Medianet QoS D
Page 154 and 155:
References Chapter 4 Medianet QoS D
Page 156 and 157:
An Introduction to Securing a Media
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Medianet Security Reference Documen
Page 168 and 169:
Medianet Security Reference Documen
Page 170 and 171:
Network-Embedded Management Functio
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Cisco Network Analysis Module Chapt
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223: Cisco Network Analysis Module Chapt
Page 234 and 235: Application-Specific Management Fun
Page 250 and 251: Summary Chapter 6 Medianet Manageme
Page 252 and 253: Auto Smartports Chapter 7 Medianet
Page 276 and 277: Location Services Chapter 7 Mediane
Page 278 and 279: Summary Chapter 7 Medianet Auto Con
Page 280: References Chapter 7 Medianet Auto
show all

Medianet Reference Guide - Cisco

Create successful ePaper yourself

Delete template?

Save as template?