Network Access Control and Cisco Switches

Recently I'm getting more and more involved in my company's security tasks. One of the areas is Network Access Control, which we handle with an ARP-Guard from ISL.

The ARP-Guard is an appliance that monitors the devices attached to our corporate network. Basically it has a database of known MAC addresses, set up in different groups such as clients, unsupported, etc.

Additionally it has SNMP access to all switches in our network, which allows it to scan their MAC tables. Without getting too detailed, the way it works can be described as follows:

  1. (Event) A host connects.
  2. (Rule) The ARP-Guard detects it and looks up the rules for that particular event (for example: unknown MAC address on a normal client port). This is done via SNMP read access.
  3. (Reaction) The ARP-Guard forces an action based on the ruleset (for example: shutdown of the port, movement to another VLAN). This is done via SNMP write access.

For phase 1 there are two options for detecting new devices in the network:

  • The ARP-Guard runs scheduled checks of the switches' MAC tables.
  • The switch sends SNMP traps to the ARP-Guard whenever the link status of a port changes.

A good practice is to use both methods. Why? Because it gives you the best performance and ensures security. If traps are not enabled, a new device may connect right after a scheduled check has finished; it then has full network access for the whole scheduling interval plus the reaction time of the ARP-Guard. In our case this gave us a hard time troubleshooting, because the 1st-level support was complaining about varying reaction times.

On the other hand, the scheduled check ensures that devices don't connect undetected; consider network problems or SNMP daemon failures that cause traps to be lost.

In this article I want to describe my experience with setting up the SNMP configuration on Cisco switches. Even though the configuration is not that difficult, you may run into some trouble (as I did).

First of all, the SNMP daemon on the Cisco switch has to run. By default the SNMP daemon on Cisco switches is running. However, it can be deactivated manually by entering 'no snmp-server', so you should check your configuration for that line and make sure it is NOT there.

After that the SNMP configuration can be started. Three things have to be done:

  • Set up SNMP communities
  • Enable the needed SNMP traps
  • Define an SNMP receiver (the ARP-Guard in my case)

Set up SNMP communities

In global configuration mode (configure terminal):

snmp-server community <CommunityString> RO 1
snmp-server community <CommunityString> RW 1

The first community is read-only (RO) and is used by the ARP-Guard for scanning the MAC address table.

The second community is read-write (RW) and is used by the ARP-Guard for applying the reaction on the switch (e.g. a VLAN change or a port shutdown).

The number after the RO/RW keyword refers to an access-list that contains all hosts/subnets which shall be allowed to access the switch via SNMP with that community. Watch out: if you don't want to define access-lists for SNMP, leave the number out; otherwise the community points at an access-list that does not exist, the ARP-Guard gets blocked and it won't work.

Enable the needed SNMP traps

snmp-server enable traps snmp linkdown linkup

This enables the 'linkup' and 'linkdown' SNMP traps. It may also be useful to activate mac-notification; I will probably cover that in a later article.

Define an SNMP receiver

snmp-server host X.X.X.X <CommunityStringArpGuard> snmp

This defines the target for the SNMP 'linkup' and 'linkdown' traps. The SNMP community string has to match the listen community configured in the ARP-Guard.

Troubleshooting

The following commands had been set on some of our network interfaces:

no logging event link-status
no snmp trap link-status

They prevent the switch from sending link-status traps for that interface, so the ARP-Guard never learns that a device has connected to it.

Another source of problems can be that the traps are sent from the wrong interface (so the ARP-Guard blocks or ignores them, because the source address does not match the switch it expects). You can set the source interface with the command

snmp-server trap-source <vlan/interface>
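
As an added example (not from the original post or from ISL), here is a small Python script that audits a saved running-config for the pitfalls described above: a disabled SNMP agent, a community that references an undefined access-list (the "ARP-Guard gets blocked" case), missing link traps, a missing trap receiver or trap-source, and interfaces with 'no snmp trap link-status'. The configuration text, the community names and the address 10.0.0.5 are constructed sample values.

```python
import re

# Constructed sample running-config (not from a real switch). It contains two of
# the pitfalls described above: the RW community points at an access-list that
# is never defined, and one access port has link-status traps switched off.
SAMPLE_CONFIG = """\
snmp-server community arpguard-ro RO 1
snmp-server community arpguard-rw RW 2
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.0.0.5 arpguard-trap snmp
snmp-server trap-source Vlan1
access-list 1 permit 10.0.0.5
interface GigabitEthernet1/0/1
 no snmp trap link-status
interface GigabitEthernet1/0/2
 switchport access vlan 10
"""


def audit_snmp_config(config: str) -> list:
    """Return findings for the SNMP pitfalls that break ARP-Guard detection/reaction."""
    findings, lines = [], config.splitlines()
    acls = {m.group(1) for ln in lines if (m := re.match(r"access-list (\d+) ", ln))}
    if any(ln.strip() == "no snmp-server" for ln in lines):
        findings.append("SNMP agent disabled by 'no snmp-server'")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$", config, re.M):
        name, mode, acl = m.groups()
        if acl is None:  # no ACL: any host that knows the string may use the community
            findings.append(f"community {name} ({mode}) has no access-list")
        elif acl not in acls:  # ACL referenced but never defined: the ARP-Guard is denied
            findings.append(f"community {name} ({mode}) references undefined access-list {acl}: ARP-Guard would be blocked")
    trap_lines = [ln for ln in lines if ln.startswith("snmp-server enable traps snmp")]
    for kw in ("linkdown", "linkup"):
        if not any(kw in ln.split() for ln in trap_lines):
            findings.append(f"{kw} trap not enabled")
    if not any(re.match(r"snmp-server host \S+ \S+", ln) for ln in lines):
        findings.append("no snmp-server host: traps have no receiver")
    if not any(ln.startswith("snmp-server trap-source") for ln in lines):
        findings.append("no snmp-server trap-source: traps may leave via the wrong interface")
    current = None  # indented lines belong to the last 'interface X' seen
    for ln in lines:
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
        elif current and ln.strip() == "no snmp trap link-status":
            findings.append(f"{current}: link-status traps disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_snmp_config(SAMPLE_CONFIG)))
```

Run it against the output of 'show running-config' saved to a file instead of SAMPLE_CONFIG to check your own switches.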

About sitweak
Monitoring, network, firewall, mobile security. I'm totally into that stuff!