
On-Box Automation and Operations Tools

Chapter Description

In this chapter from Programming and Automating Cisco Networks, authors Ryan Tischer and Jason Gooley cover the following on-box automation tools in greater detail: Auto SmartPorts, AutoConf, Auto Security, AutoQoS, Smart Call Home, Tcl Shell, and Embedded Event Manager (EEM).

Auto Security

Cisco Auto Security is a feature that, when applied, configures a baseline of the most common campus switching security features with a single command. These features include:

  • DHCP snooping

  • Dynamic ARP inspection (DAI)

  • Port Security

DHCP snooping is a security feature designed to protect the DHCP clients in your environment by ensuring that they receive leases only from trusted DHCP servers. Every switch port is classified as either trusted or untrusted: DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted ports, and DHCP messages arriving on untrusted ports can be filtered or rate-limited according to the configured parameters. The goal is to keep untrusted hosts from generating DHCP messages that could negatively impact your network, whether they are malicious in nature or simply the product of a misconfiguration. For example, a host computer with a DHCP server feature inadvertently turned on could hand out an unroutable, incorrect IP address range to devices in the environment, leaving those hosts unable to reach the rest of the network. A lease from a rogue server can be just as problematic even when the address range is valid, because the rogue server can also supply its own address as the default gateway or DNS server and thereby place itself in the path of the victim's traffic.

When enabled, DHCP snooping tracks the leases granted to clients on untrusted ports and records each client's MAC address, IP address, VLAN, lease time, and ingress interface in a table called the DHCP snooping binding database. DHCP messages that pass the checks are processed normally; messages that do not meet the criteria, such as a server reply arriving on an untrusted port or a client message whose Ethernet source address does not match the DHCP client hardware address, are discarded. This protects the environment from rogue DHCP server (DHCP spoofing) attacks, and the binding database it builds is reused by Dynamic ARP Inspection.

Dynamic ARP inspection (DAI) is a feature used to prevent address resolution protocol (ARP) spoofing attacks. In an ARP spoofing attack, an attacker sends forged ARP messages that bind another host's IP address (typically the default gateway's) to the attacker's own MAC address, so that traffic meant for that host is redirected through the attacker. DAI intercepts ARP packets arriving on untrusted ports and uses the DHCP snooping binding database to verify that the sender's layer 2 MAC address and layer 3 IP address form a valid binding before forwarding the packet; ARP packets without such a valid mapping are discarded. Note that DAI inspects only ARP traffic, and only on untrusted ports: ARP packets on trusted ports (the trunk ports, in the Auto Security configuration) pass through uninspected.
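The following Python model is an added example, not code from the book or from Cisco IOS. It walks through the interaction described in the preceding paragraphs: a DHCP exchange populates the snooping binding database, and DAI then applies the src-mac, dst-mac and ip validations (the ones that ip arp inspection validate src-mac dst-mac ip enables) together with the binding lookup to sample ARP packets. The port names, VLAN, MAC and IP addresses are constructed for the demonstration, and the model deliberately leaves out ARP ACLs, rate limiting and err-disable behavior.

```python
"""Simplified model of DHCP snooping and Dynamic ARP Inspection (DAI).

Added example, not the book's or Cisco's code. Ports, VLANs, MAC and IP
addresses are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}
INVALID_IPS = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    # ports configured with 'ip dhcp snooping trust' and 'ip arp inspection trust'
    trusted: set = field(default_factory=set)
    # DHCP snooping binding database, keyed by (vlan, client MAC)
    bindings: dict = field(default_factory=dict)
    # client MAC -> (vlan, port) of the last DISCOVER/REQUEST seen from it
    pending: dict = field(default_factory=dict)

    def dhcp(self, port, vlan, eth_src, msg, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message arriving on `port`."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"  # server message on an untrusted port: rogue server
            if msg == "ACK" and chaddr in self.pending:
                # lease confirmed: bind the client MAC/IP to the VLAN and port it asked from
                cvlan, cport = self.pending.pop(chaddr)
                self.bindings[(cvlan, chaddr)] = Binding(chaddr, yiaddr, cvlan, cport)
            return "forward"
        if msg in CLIENT_MSGS:
            # MAC verification on untrusted ports: Ethernet source must equal chaddr
            if port not in self.trusted and eth_src != chaddr:
                return "drop"
            if msg in ("RELEASE", "DECLINE"):
                self.bindings.pop((vlan, chaddr), None)
            else:
                self.pending[chaddr] = (vlan, port)
            return "forward"
        return "drop"

    def arp(self, port, vlan, eth_src, eth_dst, op, sender_mac, sender_ip,
            target_mac, target_ip):
        """Return 'permit' or 'drop:<reason>' for one ARP packet arriving on `port`."""
        if port in self.trusted:
            return "permit"  # DAI does not inspect trusted ports
        if eth_src != sender_mac:
            return "drop:src-mac"  # validate src-mac: Ethernet source vs ARP sender MAC
        if op == "reply" and eth_dst != target_mac:
            return "drop:dst-mac"  # validate dst-mac: Ethernet destination vs ARP target MAC
        checked = [sender_ip, target_ip] if op == "reply" else [sender_ip]
        for ip in checked:  # validate ip: 0.0.0.0, broadcast and multicast are invalid
            addr = IPv4Address(ip)
            if addr in INVALID_IPS or addr.is_multicast:
                return "drop:ip"
        binding = self.bindings.get((vlan, sender_mac))
        if binding is None or binding.ip != sender_ip:
            return "drop:no-binding"  # sender claims an IP it never leased on this VLAN
        return "permit"


def demo():
    """Constructed scenario: Gi0/24 is the trusted uplink toward the DHCP server."""
    sw = Switch(trusted={"Gi0/24"})
    client, gw = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01"
    server, rogue, attacker = "cc:cc:cc:00:00:01", "dd:dd:dd:00:00:01", "ee:ee:ee:00:00:01"
    r = {}
    # rogue server on access port Gi0/2 offers a lease: dropped before any client sees it
    r["rogue_offer"] = sw.dhcp("Gi0/2", 10, rogue, "OFFER", client, "10.9.9.9")
    # legitimate exchange: client on Gi0/1, ACK from the real server via the trusted uplink
    r["discover"] = sw.dhcp("Gi0/1", 10, client, "DISCOVER", client)
    r["ack"] = sw.dhcp("Gi0/24", 10, server, "ACK", client, "10.0.10.50")
    # client answers the gateway's ARP request with its leased address: permitted
    r["client_reply"] = sw.arp("Gi0/1", 10, client, gw, "reply",
                               client, "10.0.10.50", gw, "10.0.10.1")
    # attacker on Gi0/3 claims the gateway's IP: no binding, dropped
    r["gw_spoof"] = sw.arp("Gi0/3", 10, attacker, client, "reply",
                           attacker, "10.0.10.1", client, "10.0.10.50")
    # attacker forges the ARP sender MAC to match the client's binding: src-mac check catches it
    r["src_mac_mismatch"] = sw.arp("Gi0/3", 10, attacker, client, "reply",
                                   client, "10.0.10.50", client, "10.0.10.50")
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The gateway-spoofing reply in the scenario is well formed at layer 2 and passes every header validation; it is rejected only because the binding database has no lease for the attacker's MAC on VLAN 10, which is why DAI depends on DHCP snooping having been enabled first.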

Port Security is a feature that protects the network by limiting which MAC addresses, and how many of them, may be learned on a given switch port, using either statically assigned or dynamically learned addresses. The following list provides some of the Port Security features that are available on Catalyst switches.

  • Secure ports, based on statically assigned MAC addresses

  • Secure ports, based on dynamically learned MAC addresses

  • Limit dynamically learned MAC addresses—helps prevent CAM table flooding attacks

  • Shut down port when violation occurs

  • Restrict port and send SNMP trap when violation occurs

Enabling Auto Security on a Cisco Catalyst Switch

The following example illustrates how to enable Auto Security on a Catalyst switch with a single command.

Switch> enable
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# auto security
Switch(config)# end

To verify which interfaces the Auto Security configuration has been applied to, issue the show auto security command, as shown in the following output.

Switch# show auto security
Auto Security is Enabled globally

AutoSecurity is Enabled on below interface(s):
--------------------------------------------
   GigabitEthernet0/1

Switch#

Because GigabitEthernet0/1 is configured as an access port, the following snippet shows the configuration that appears in the running-config under that interface. Note that only the access-port macro itself is visible there, not the individual commands it expands to.

Switch# show running-config interface GigabitEthernet0/1
Building configuration...

Current configuration : 85 bytes
!
interface GigabitEthernet0/1
 auto security-port host
 spanning-tree portfast
end

Switch#

To see the specific commands that Auto Security applies to the Catalyst switch, issue the show auto security configuration command. The following output shows the global, access-port and trunk-port portions of that configuration.

Switch# show auto security configuration
%AutoSecurity provides a single CLI config 'auto security'
 to enable Base-line security Features like
 DHCP snooping, ARP inspection and  Port-Security

Auto Security CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip


Auto Security CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100


Auto Security CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security

Switch#

As the output shows, Auto Security enables an entire baseline of security features on the Catalyst switch, streamlined into a single command, which automates deployment of these features and makes it easier to secure the campus LAN environment. It also pays to know what that baseline assumes. Trunk ports are trusted for both DHCP snooping and DAI while every access port is untrusted, so a DHCP server attached to an access port must be given ip dhcp snooping trust separately or its OFFER and ACK messages will be dropped. Port Security on trunks is set to a maximum of 100 MAC addresses with violation restrict, so an inter-switch trunk carrying more than 100 source MAC addresses will have frames from the excess addresses dropped and an SNMP trap generated. Finally, no ip dhcp snooping information option stops the switch from inserting DHCP option 82 (relay agent information) into client requests, which some DHCP servers would otherwise reject.
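Because show auto security only lists the interfaces the feature is enabled on, a practitioner still has to confirm that every switchport actually carries the baseline and that any DHCP server port has been trusted. The following Python audit is an added example, not code from the book or from Cisco: it parses a constructed show running-config excerpt and reports switchports that lack the Auto Security macro or that host a DHCP server on an untrusted access port. It assumes the trunk form of the macro is auto security-port uplink (the page shows only the access-port form, auto security-port host), and it treats any switchport without switchport mode trunk as an access port.

```python
"""Audit a Catalyst running-config for the Auto Security baseline.

Added example, not from the book or from Cisco. SAMPLE_CONFIG is a
constructed 'show running-config' excerpt; the 'auto security-port uplink'
keyword for trunks is an assumption (the page shows only the host form).
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 auto security-port host
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/23
 description DHCP server (access port, so untrusted by Auto Security)
 switchport mode access
 auto security-port host
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 auto security-port uplink
!
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
!
"""

HOST_MACRO = "auto security-port host"
UPLINK_MACRO = "auto security-port uplink"  # assumed trunk form of the macro


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces


def audit(config, dhcp_server_ports=()):
    """Return {interface: [findings]} for switchports that miss the baseline."""
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport") for l in lines):
            continue  # routed ports and SVIs are outside Auto Security's scope
        is_trunk = "switchport mode trunk" in lines
        if is_trunk and UPLINK_MACRO not in lines:
            findings[name].append(f"trunk without '{UPLINK_MACRO}'")
        if not is_trunk and HOST_MACRO not in lines:
            findings[name].append(f"access port without '{HOST_MACRO}'")
        # Auto Security trusts only trunks, so a DHCP server on an access port
        # needs an explicit 'ip dhcp snooping trust' or its replies are dropped
        if (name in dhcp_server_ports and not is_trunk
                and "ip dhcp snooping trust" not in lines):
            findings[name].append(
                "DHCP server on untrusted access port; add 'ip dhcp snooping trust'")
    return dict(findings)


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG, {"GigabitEthernet0/23"}).items():
        for problem in problems:
            print(f"{iface}: {problem}")
```

In practice you would feed the script the output of show running-config collected from each access switch and pass the ports where DHCP servers or relay-capable routers are attached; ports listed under show auto security but flagged here as untrusted DHCP server ports are the ones that will silently break address assignment once DHCP snooping is on.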
