Cisco Auto Security is a feature that, when applied, automatically configures some of the most common baseline campus switching security features. Some of these features include:
Dynamic ARP inspection (DAI)
DHCP Snooping is a security feature that is designed to protect internally trusted DHCP servers and clients in your environment. DHCP Snooping works by verifying DHCP messages are received from only trusted DHCP servers within your campus environment. All messages from untrusted devices can be filtered or rate-limited, based on the desired configuration parameters. This security mechanism is to keep untrusted hosts from generating DHCP messages that could negatively impact your network. These DHCP messages can be malicious in nature or simply be the product of a misconfiguration. For example, a host computer has a DHCP server feature inadvertently turned on and is providing an unrouteable, incorrect IP address range to various devices in the environment. This will result in end hosts not being able to talk to the rest of the network. However, receiving a DHCP lease from any rogue server could be very problematic even if the IP address ranges are valid in your environment.
When enabled, the DHCP snooping feature keeps track of all devices sending and receiving DHCP messages. This information is stored in a table called the DHCP binding database. When DHCP messages are determined to be legitimate, they are processed normally. If for some reason the intercepted DHCP messages do not meet the proper criteria, the packets are discarded. This helps to protect your environment from DHCP snooping attacks.
Dynamic ARP inspection (DAI) is a feature that is used to prevent address resolution protocol (ARP) spoofing attacks. An ARP spoofing attack is when someone maliciously injects a duplicate MAC address onto a LAN in an attempt to redirect traffic to an alternate destination. DAI uses the DHCP binding database to verify that there is a valid layer 2 MAC address to layer 3 IP address binding before allowing any traffic to be forwarded on the segment. If it is determined that there is not such a valid mapping, the invalid ARP packets are discarded.
Port Security is a security feature that protects the network by setting dynamic or hard MAC address limits on specific switch ports. For example, the following list provides some of the Port Security features that are available in Catalyst switches.
Secure ports, based on statically assigned MAC addresses
Secure ports, based on dynamically learned MAC addresses
Limit dynamically learned MAC addresses—helps prevent CAM table flooding attacks
Shut down port when violation occurs
Restrict port and send SNMP trap when violation occurs
Enabling Auto Security on a Cisco Catalyst Switch
The following example illustrates how to enable Auto Security on a Catalyst switch with a single command.
Switch> enable Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# auto security Switch(config)# end
To verify what interfaces the Auto Security configuration has been applied to, issue the show auto security command shown in the following output.
Switch# show auto security Auto Security is Enabled globally AutoSecurity is Enabled on below interface(s): -------------------------------------------- GigabitEthernet0/1 Switch#
Because GigabitEthernet0/1 is configured as an access port, the following snippet illustrates the configuration that is visible in the running-config under that specific interface.
Switch# show running-config interface GigabitEthernet0/1 Building configuration... Current configuration : 85 bytes ! interface GigabitEthernet0/1 auto security-port host spanning-tree portfast end Switch#
In order to see the specific configuration that has been automatically applied to the Catalyst switch the show auto security configuration command must be issued. The following output depicts the steps necessary to verify the Auto Security configuration.
Switch# show auto security configuration %AutoSecurity provides a single CLI config 'auto security' to enable Base-line security Features like DHCP snooping, ARP inspection and Port-Security Auto Security CLIs applied globally: --------------------------------- ip dhcp snooping ip dhcp snooping vlan 2-1005 no ip dhcp snooping information option ip arp inspection vlan 2-1005 ip arp inspection validate src-mac dst-mac ip Auto Security CLIs applied on Access Port: ---------------------------------------- switchport port-security maximum 2 switchport port-security maximum 1 vlan access switchport port-security maximum 1 vlan voice switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity switchport port-security ip arp inspection limit rate 100 ip dhcp snooping limit rate 100 Auto Security CLIs applied on Trunk Port: -------------------------------------- ip dhcp snooping trust ip arp inspection trust switchport port-security maximum 100 switchport port-security violation restrict switchport port-security Switch#
As seen from the above configuration, Auto Security enables an entire baseline of security features on the Catalyst switch. All of these security features and settings have been streamlined into a single command. This automates the deployment of these features, which makes it easier to secure the campus LAN environment.