Configuring Network Security

Creating and Implementing Access Control Lists (ACLs)

MAC ACLs

IP ACLs

Support for DHCP Snooping

Support for Router Advertisement (RA) Guard

Creating and Implementing Access Control Lists (ACLs)

Access Control Lists (ACLs) allow you to configure basic traffic filtering for IP addresses and MAC addresses. An ACL controls whether routed packets are forwarded or blocked on the network: the switch examines each packet and forwards or drops it based on the criteria configured in the ACLs. ONVL supports Layer 2 (MAC) and Layer 3 (IP) ACLs.

ACL criteria can be based on source or destination addresses or the protocol type. ONVL supports UDP, TCP, IGMP, and IP protocols.

You can use ACLs to restrict contents of routing updates or provide traffic flow control. ACLs can allow one host to access part of your network and prevent another host from accessing the same area. You can also use ACLs to decide what types of traffic are forwarded or blocked.

If you need more background on ACLs and using them on your network, refer to the many networking resources available.

MAC ACLs

Using MAC ACLs to Deny Network Traffic

You can create ACLs based on MAC addresses to deny network traffic from a specific source. MAC addresses are Layer 2 addresses and are most often assigned by the hardware manufacturer. Figure 1, MAC ACL Blocking Access, shows an example of a MAC address and Ethernet type that you want to block from the network.

Figure 1: MAC ACL Blocking Access

See Configuring a MAC ACL to Deny Network Traffic to review the example configuration.

Using MAC ACLs to Allow Network Traffic

So now that you’ve blocked the MAC address, let’s reverse the scenario and allow IPv4 network traffic from the MAC address to the network.

Figure 2: MAC ACL Allowing Access

See Configuring a MAC ACL to Allow Network Traffic to review the example configuration.

Configuring a MAC ACL to Allow Network Traffic

To allow IPv4 network traffic from the MAC address 01:80:c2:00:00:0X with the scope fabric, create the MAC ACL allow-mac using the following syntax:

CLI network-admin@switch > acl-mac-create name allow-mac action permit src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric

To review the configuration, use the acl-mac-show command:

CLI network-admin@switch > acl-mac-show name allow-mac layout vertical

name:                        allow-mac
id:                          b000015:12
action:                      permit
src-mac:                     01:80:c2:00:00:0X
dst-mac:                     00:00:00:00:00:00
dst-mac-mask:                aa:aa:aa:aa:aa:aa
ether-type:                  ipv4
vlan:                        0
scope:                       fabric
port:                        0

To delete the ACL configuration, use the acl-mac-delete command.

To modify the ACL configuration, use the acl-mac-modify command.

Configuring a MAC ACL to Deny Network Traffic

To deny IPv4 network traffic from the MAC address 01:80:c2:00:00:0X with the scope fabric, create the MAC ACL deny-mac using the following syntax:

CLI network-admin@switch > acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric

To review the configuration, use the acl-mac-show command:

CLI network-admin@switch > acl-mac-show name deny-mac layout vertical

name:                        deny-mac
id:                          b000015:12
action:                      deny
src-mac:                     01:80:c2:00:00:0X
dst-mac:                     00:00:00:00:00:00
dst-mac-mask:                aa:aa:aa:aa:aa:aa
ether-type:                  ipv4
vlan:                        0
scope:                       fabric
port:                        0

Figure 3: IP ACL Allowing HTTP Traffic

IP ACLs

Using a Deny IP ACL to Block Network Traffic

In this example, a network is shown with a Finance server on one part of the network and an Engineering server on another part. You want to block the Engineering server from reaching the Finance server in order to protect company-sensitive information. See Configuring an Internal Deny ACL to review the configuration sample.

Figure 1: Network Example - IP ACL for Internal Servers

Or you may discover that an external source is attempting to access your network and is pinging your servers to discover IP addresses. You can use an IP ACL to block that specific source.

Figure 2: IP ACL Blocking External Access

See Configuring an External Deny ACL to review the configuration example.

Using IP ACLs to Allow Network Traffic

In the same manner, you can allow specific traffic to a destination such as the external server in Figure 2 IP ACL Blocking External Access. To allow HTTP traffic to 209.225.113.24, see Configuring an External Allow IP ACL to review the configuration example.

Configuring IP ACLs

From Figure 1 Network Example - IP ACL for Internal Servers, the following information is available:

Configuring an Internal Deny ACL

Let’s configure the ACL for denying traffic from the Engineering server to the HR server and name the ACL, deny-hr:

CLI network-admin@switch > acl-ip-create name deny-hr action deny scope local src-ip 192.168.10.2 src-ip-mask 24 dst-ip 192.168.200.3 dst-ip-mask 24 proto ip src-port 55 dst-port 33 vlan 1505

To review the configuration, use the acl-ip-show command:

CLI network-admin@switch > acl-ip-show name deny-hr layout vertical

name:                  deny-hr
id:                    b00011:20
action:                deny
proto:                 ip
src-ip:                192.168.10.2/24
src-port:              55
dst-ip:                192.168.200.3/24
dst-port:              33
vlan:                  1505
scope:                 local
port:                  0

Now, when you attempt to access the Finance server from the Engineering server, the packets are dropped.

Configuring an External Deny ACL

From Figure 2 IP ACL Blocking External Access, you can see the following information:

To configure an ACL to deny traffic from the external server, use the acl-ip-create command to create an ACL named deny-external:

CLI network-admin@switch > acl-ip-create name deny-external action deny scope fabric src-ip 209.225.113.24/28 proto tcp

To review the configuration, use the acl-ip-show command:

CLI network-admin@switch > acl-ip-show name deny-external layout vertical

name:               deny-external
id:                 b000022:20
action:             deny
proto:              tcp
src-ip:             209.225.113.24/28
src-port:           0
dst-ip:             ::/0
dst-port:           0
vlan:               0
scope:              fabric
port:               0

Configuring an External Allow IP ACL

To allow HTTP traffic to the external server 209.225.113.24 (netmask 255.255.255.240) with a scope of fabric, create an IP ACL called allow-http using the following syntax:

CLI network-admin@switch > acl-ip-create name allow-http action permit scope fabric src-ip 0.0.0.0 src-ip-mask 255.255.255.255 dst-ip 209.225.113.24 dst-ip-mask 255.255.255.240 proto tcp dst-port 57

To review the configuration, use the acl-ip-show command:

CLI network-admin@switch > acl-ip-show name allow-http layout vertical

name:               allow-http
id:                 b000025:20
action:             allow
proto:              tcp
src-ip:             0.0.0.0/255.255.255.255
src-port:           0
dst-ip:             209.225.113.24/28
dst-port:           57
vlan:               0
scope:              fabric
port:               0

To delete the ACL configuration, use the acl-ip-delete command.

To modify the ACL configuration, use the acl-ip-modify command.
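The following Python model shows how the MAC and IP ACL criteria from the two sections above (source MAC and ether-type; source and destination prefixes, protocol, ports and VLAN) decide a packet's fate. It is an added illustration written for this page, not Netvisor code. Everything not stated on the page is an assumption, marked as such in the code: rules are checked in list order with first match winning, a packet matching no rule is permitted, port and VLAN 0 mean "any", and the page's placeholder MAC 01:80:c2:00:00:0X is replaced by a constructed address. The rule set mirrors the page's deny-mac, deny-hr, allow-http and deny-external examples, keeping the page's own values (including dst-port 57 on allow-http).

```python
"""ACL evaluation model for the MAC and IP ACLs described above.

Added example; this is not Netvisor code. Assumptions not stated on the page:
rules are checked in list order, the first match decides, and a packet that
matches no rule is permitted. A port or VLAN value of 0 means "any", and the
page's placeholder MAC 01:80:c2:00:00:0X is replaced by a constructed address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class MacAcl:
    name: str
    action: str                        # "permit" or "deny"
    src_mac: Optional[str] = None      # exact source MAC; None = any
    ether_type: Optional[str] = None   # e.g. "ipv4", "arp"; None = any
    vlan: int = 0                      # 0 = any VLAN


@dataclass(frozen=True)
class IpAcl:
    name: str
    action: str
    src_ip: Optional[str] = None       # "addr/len" or "addr/dotted-mask"; None = any
    dst_ip: Optional[str] = None
    proto: str = "ip"                  # "ip" matches every IP protocol
    src_port: int = 0                  # 0 = any port
    dst_port: int = 0
    vlan: int = 0


def mac_matches(rule: MacAcl, frame: dict) -> bool:
    """True if a Layer 2 frame satisfies every criterion of a MAC ACL entry."""
    if rule.src_mac and frame["src_mac"].lower() != rule.src_mac.lower():
        return False
    if rule.ether_type and frame["ether_type"] != rule.ether_type:
        return False
    return rule.vlan in (0, frame.get("vlan", 0))


def _in_net(cidr: Optional[str], addr: str) -> bool:
    # strict=False lets "192.168.10.2/24" stand for 192.168.10.0/24 and
    # accepts a dotted mask such as "209.225.113.24/255.255.255.240".
    return cidr is None or ip_address(addr) in ip_network(cidr, strict=False)


def ip_matches(rule: IpAcl, pkt: dict) -> bool:
    """True if a Layer 3 packet satisfies every criterion of an IP ACL entry."""
    return (
        _in_net(rule.src_ip, pkt["src_ip"])
        and _in_net(rule.dst_ip, pkt["dst_ip"])
        and rule.proto in ("ip", pkt["proto"])
        and rule.src_port in (0, pkt.get("src_port", 0))
        and rule.dst_port in (0, pkt.get("dst_port", 0))
        and rule.vlan in (0, pkt.get("vlan", 0))
    )


def evaluate(rules, pkt: dict, matcher: Callable) -> tuple:
    """Return (action, rule name) of the first matching rule, or ("permit", None)."""
    for rule in rules:
        if matcher(rule, pkt):
            return rule.action, rule.name
    return "permit", None


# Constructed rule sets mirroring the page's examples (deny-mac, deny-hr,
# allow-http, deny-external); the page's dst-port 57 for allow-http is kept.
MAC_RULES = [
    MacAcl("deny-mac", "deny", src_mac="01:80:c2:00:00:01", ether_type="ipv4"),
]
IP_RULES = [
    IpAcl("deny-hr", "deny", src_ip="192.168.10.2/24", dst_ip="192.168.200.3/24",
          proto="ip", src_port=55, dst_port=33, vlan=1505),
    IpAcl("allow-http", "permit", dst_ip="209.225.113.24/255.255.255.240",
          proto="tcp", dst_port=57),
    IpAcl("deny-external", "deny", src_ip="209.225.113.24/28", proto="tcp"),
]


if __name__ == "__main__":
    frames = [
        {"src_mac": "01:80:C2:00:00:01", "ether_type": "ipv4"},
        {"src_mac": "01:80:C2:00:00:01", "ether_type": "arp"},   # ether-type differs
    ]
    for f in frames:
        print("MAC", f, "->", evaluate(MAC_RULES, f, mac_matches))
    pkts = [
        {"src_ip": "192.168.10.77", "dst_ip": "192.168.200.9", "proto": "tcp",
         "src_port": 55, "dst_port": 33, "vlan": 1505},
        {"src_ip": "209.225.113.30", "dst_ip": "10.0.0.5", "proto": "icmp"},
    ]
    for p in pkts:
        print("IP ", p, "->", evaluate(IP_RULES, p, ip_matches))
```

Two details are worth noticing when running it: the deny-mac entry only catches frames whose ether-type is ipv4, so an ARP frame from the same MAC passes, and deny-external only matches TCP, so an ICMP probe from the blocked /28 is not caught by that entry. Both are consequences of every listed criterion having to match, which is why an ACL meant to block a source entirely should leave protocol and ether-type unspecified.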

Support for DHCP Snooping

DHCP snooping is a security feature that protects the network from denial-of-service (DoS) attacks by rogue DHCP servers. Trusted ports are defined as the ports that connect to the known DHCP servers. DHCP snooping also maintains a mapping table of current address assignments.

In a DHCP packet flow, there are the following packet types:

To provide this feature, Netvisor must snoop the DHCP packets; it does so by installing a copy-to-cpu vFlow whose bw-max parameter sets the packet rate limit.

A trusted port is a port that receives DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER or ACKNOWLEDGE, received on a trusted port is valid. Ports not specifically configured as trusted are untrusted ports. Netvisor drops any DHCP server message received on an untrusted port, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.

Enable DHCP snooping and specify the list of trusted server ports using the following set of commands:

(CLI network-admin@Spine1)>dhcp-filter-create name name-string trusted-ports port-list

  name name-string             Specify a name for the filter.
  trusted-ports port-list      Specify a list of trusted ports.

(CLI network-admin@Spine1)>dhcp-filter-modify name name-string trusted-ports port-list

  name name-string             Specify the name of the filter to modify.
  trusted-ports port-list      Specify a list of trusted ports.

(CLI network-admin@Spine1)>dhcp-filter-delete name name-string

  name name-string             Specify the name of the filter to delete.

(CLI network-admin@Spine1)>dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list

  name name-string             Displays the name of the filter.
  trusted-ports port-list      Displays a list of trusted ports.
  vlan vlan-list               Displays a list of VLANs.

In order to drop the packets from rogue DHCP servers, connected through untrusted ports, Netvisor has a new system vFlow, DHCP-LOG-DROP.

The vFlow sends the packets to the CPU to track the untrusted server messages, and then drops them. It is set to a higher precedence than the DHCP trusted-ports vFlow, and its ingress-port match includes the untrusted port list.

Untrusted ports typically connect to hosts from which DHCP clients send messages, and Netvisor rate limits the DHCP messages on them using the dhcp CPU class. All DHCP messages use the dhcp CPU class; its rate is set with the existing cpu-class-modify command:

CLI (network-admin@Spine1)>cpu-class-modify name dhcp rate-limit rate-limit-number 

 

The show output for the command, dhcp-lease-show, has two new parameters to display trusted and rogue DHCP servers:

CLI (network-admin@Spine1)>dhcp-lease-show trusted-server|no-trusted-server

 

CLI (network-admin@Spine1)>dhcp-lease-show

switch        ip                  mac               port vnet vlan db-state  server
------------- ------------------- ----------------- ---- ---- ---- --------- ------
Spine1        6053:23a7:0:0:200:: 00:12:c0:80:1f:b8 9         1    unknown

server-ip  server-port trusted-server last-msg
---------- ----------- -------------- --------
10.1.1.100 65          no             offer

Log messages indicate the presence of an unknown or rogue DHCP server:

DHCP server message received from untrusted port=<x> server-ip=<ip-addr>
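The Python model below ties together the DHCP snooping behaviour described in this section: server messages (OFFER, ACK, NAK) are accepted only on trusted ports, untrusted server messages are tracked for the lease table and then dropped with the log line shown above, client messages record the port a client lives on, and a crude per-second counter stands in for the dhcp CPU class rate limit. It is an added example, not Netvisor code. The DhcpMsg records, ports, addresses and the fixed-window limiter are constructed stand-ins for parsed DHCP packets and for the switch's real rate limiter.

```python
"""DHCP snooping model: trusted-port filtering, lease tracking, and a per-class
packet rate limit, as described above.

Added example, not Netvisor code. DhcpMsg records are constructed stand-ins for
parsed DHCP packets; the drop log line follows the format shown on the page.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass(frozen=True)
class DhcpMsg:
    port: int               # ingress switch port
    msg_type: str
    client_mac: str
    server_ip: str = ""     # populated on server messages
    yiaddr: str = ""        # address offered or assigned (server messages)


@dataclass
class DhcpSnooper:
    trusted_ports: frozenset
    rate_limit: int = 100                        # DHCP packets per second sent to the CPU
    leases: dict = field(default_factory=dict)   # client MAC -> binding
    log: list = field(default_factory=list)
    _window: list = field(default_factory=lambda: [-1, 0])  # [second, count]

    def _within_rate(self, ts: float) -> bool:
        """Fixed-window limiter standing in for the dhcp CPU class rate-limit."""
        sec = int(ts)
        if self._window[0] != sec:
            self._window[:] = [sec, 0]
        self._window[1] += 1
        return self._window[1] <= self.rate_limit

    def handle(self, m: DhcpMsg, ts: float = 0.0) -> str:
        """Return "forward", "drop" or "rate-limited" for one snooped message."""
        if not self._within_rate(ts):
            return "rate-limited"
        if m.msg_type not in SERVER_MSGS | CLIENT_MSGS:
            return "forward"                     # not a message type we track
        entry = self.leases.setdefault(m.client_mac, {
            "ip": "", "port": None, "server-ip": "",
            "trusted-server": "", "last-msg": ""})
        entry["last-msg"] = m.msg_type.lower()
        if m.msg_type in CLIENT_MSGS:
            entry["port"] = m.port               # the port the client lives on
            return "forward"
        entry["server-ip"] = m.server_ip
        if m.port not in self.trusted_ports:
            # Tracked for dhcp-lease-show, then dropped: a rogue server never
            # gets to assign an address.
            entry["trusted-server"] = "no"
            self.log.append("DHCP server message received from untrusted "
                            f"port={m.port} server-ip={m.server_ip}")
            return "drop"
        entry["trusted-server"] = "yes"
        if m.yiaddr:
            entry["ip"] = m.yiaddr
        return "forward"


if __name__ == "__main__":
    # Constructed exchange: client on port 9, trusted server on port 1,
    # rogue server answering from untrusted port 65.
    snooper = DhcpSnooper(trusted_ports=frozenset({1}))
    mac = "00:12:c0:80:1f:b8"
    for msg in (
        DhcpMsg(9, "DISCOVER", mac),
        DhcpMsg(65, "OFFER", mac, server_ip="10.1.1.100", yiaddr="10.1.1.200"),
        DhcpMsg(1, "OFFER", mac, server_ip="10.1.1.10", yiaddr="10.1.1.50"),
        DhcpMsg(9, "REQUEST", mac),
        DhcpMsg(1, "ACK", mac, server_ip="10.1.1.10"),
    ):
        print(f"{msg.msg_type:8} port={msg.port:<3} -> {snooper.handle(msg)}")
    print(snooper.leases[mac])
    print("\n".join(snooper.log))
```

Because the rogue OFFER is recorded before it is dropped, the lease entry briefly shows trusted-server "no" and the rogue server-ip, which is what the dhcp-lease-show no-trusted-server filter surfaces; once the trusted server answers, the binding carries the real assignment.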

Support for Router Advertisement (RA) Guard

The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or rogue Router Advertisement (RA) messages arriving at the network device. Routers use RAs to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs sent by unauthorized devices. In host mode, no RA or router redirect messages are allowed on the port. The RA Guard feature compares the configuration on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device validates the content of the RA frame or router redirect frame against the configuration, it forwards the RA to the unicast or multicast destination. If the RA frame content fails validation, Netvisor drops the RA.


 

Informational Note: Internal ports and cluster ports are not blacklisted.

Figure 1: Router Advertisement (RA) Configuration

In Figure 1, the Layer 2 device receives an RA from the router and floods the RA on its ports. The attacker host, attempting to gain control over the network, sends a misleading RA with different prefixes and link-local or global IP addresses. The host assumes the attacker to be the router, based on priority or arrival order. When you configure RA Guard, RA policies let you disallow any RAs sent from ports connected to hosts. Netvisor whitelists the RAs sent by the legitimate router, identified by source IP address, ingress port and advertised prefixes, using the policies defined in the configuration.

To configure the RA Guard feature, follow these steps:

1. Create an access list using the command, access-list-create.

2. Create a prefix list using the command, prefix-list-create.

3. Create the IPv6 security profile using the command, ipv6security-raguard-create.

 

This creates two vFlows for RA Guard:

Netvisor receives the RAs, examines the packets, and takes the necessary action based on the access and prefix lists or the port and VLAN policies. An RA that passes validation is accepted and flooded to all ports.
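The following Python model shows how the RA Guard policy elements in this section (device role, router priority, access list, prefix list, and the port or VLAN binding) combine into a forward-or-drop decision for a received RA or router redirect. It is an added example written for this page, not Netvisor code. The matching order and these rules are assumptions: a policy applies only to frames arriving on its ports or VLANs, an empty access or prefix list imposes no restriction, and the router-priority check applies only when the policy sets one. All addresses, prefixes and port numbers are constructed sample values.

```python
"""RA Guard validation model for the policy elements described above (device
role, router priority, access list, prefix list, port and VLAN binding).

Added example, not Netvisor code. Assumptions: a policy applies only to frames
on its ports or VLANs; an empty access or prefix list imposes no restriction;
the router-priority check applies only when the policy sets one. All addresses
and prefixes below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUARDED = {"router-advertisement", "redirect"}   # ICMPv6 types RA Guard inspects


@dataclass(frozen=True)
class RaGuardPolicy:
    name: str
    device: str                              # "host" or "router"
    router_priority: Optional[str] = None    # "low", "medium" or "high"
    access_list: frozenset = frozenset()     # permitted RA source addresses
    prefix_list: tuple = ()                  # networks the RA may advertise
    ports: frozenset = frozenset()           # ports the policy is bound to
    vlans: frozenset = frozenset()           # VLANs the policy is bound to


def ra_guard_check(policy: RaGuardPolicy, frame: dict) -> tuple:
    """Return (verdict, reason); verdict is "forward" or "drop"."""
    if frame["port"] not in policy.ports and frame.get("vlan") not in policy.vlans:
        return "forward", "policy not bound to this port or VLAN"
    if frame["icmp_type"] not in GUARDED:
        return "forward", "not an RA or redirect"
    if policy.device == "host":
        # Host mode: no router may legitimately sit behind this port.
        return "drop", "RA and redirect messages are not allowed on host ports"
    src = ip_address(frame["src_ip"])
    if policy.access_list and src not in {ip_address(a) for a in policy.access_list}:
        return "drop", f"source {src} not in access list"
    allowed = [ip_network(n) for n in policy.prefix_list]
    for p in frame.get("prefixes", []):
        net = ip_network(p)
        if allowed and not any(net.subnet_of(a) for a in allowed):
            return "drop", f"prefix {net} not covered by prefix list"
    if policy.router_priority and frame.get("router_priority") != policy.router_priority:
        return "drop", (f"router priority {frame.get('router_priority')} "
                        f"!= {policy.router_priority}")
    return "forward", "RA validated against policy"


# Constructed policies: the uplink on port 1 may carry RAs only from fe80::1
# advertising prefixes inside 2001:db8:1::/48 at high priority; ports 9-10
# and VLAN 100 are host ports.
ROUTER_POLICY = RaGuardPolicy("uplink", "router", router_priority="high",
                              access_list=frozenset({"fe80::1"}),
                              prefix_list=("2001:db8:1::/48",),
                              ports=frozenset({1}))
HOST_POLICY = RaGuardPolicy("access", "host", ports=frozenset({9, 10}),
                            vlans=frozenset({100}))


if __name__ == "__main__":
    samples = [
        (ROUTER_POLICY, {"port": 1, "icmp_type": "router-advertisement", "src_ip": "fe80::1",
                         "prefixes": ["2001:db8:1:10::/64"], "router_priority": "high"}),
        (ROUTER_POLICY, {"port": 1, "icmp_type": "router-advertisement", "src_ip": "fe80::1",
                         "prefixes": ["2001:db8:bad::/64"], "router_priority": "high"}),
        (HOST_POLICY, {"port": 9, "icmp_type": "router-advertisement", "src_ip": "fe80::9",
                       "prefixes": ["2001:db8:1:10::/64"]}),
        (HOST_POLICY, {"port": 9, "icmp_type": "neighbor-solicitation", "src_ip": "fe80::9"}),
    ]
    for policy, frame in samples:
        print(policy.name, frame["port"], frame["icmp_type"], "->", ra_guard_check(policy, frame))
```

The prefix check uses subnet containment rather than equality, so a router may advertise any /64 carved from the permitted /48 while an advertisement for an unrelated prefix is dropped; the access list is checked before the prefix list, so a spoofed source is rejected even if it advertises a legitimate prefix.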

There are new commands to support this feature:

access-list-create

  name name-string                  Specify a name for the access list.
  scope scope                       Specify if the scope is local or fabric.

access-list-delete name name-string

access-list-show

  switch   name scope
  -------- ---- -----
  dorado03 test local

access-list-ip-add

  name name-string                  Specify the name of the access list.
  ip ip-address                     Specify the IP address to add to the access list.

access-list-ip-delete name name-string ip ip-address

access-list-ip-show

  switch   name ip
  -------- ---- -------
  dorado03 test 1.1.1.4

prefix-list-create

  name name-string                  Specify a name for the prefix list.
  scope scope                       Specify if the scope is local or fabric.

prefix-list-delete name name-string

prefix-list-show

  name name-string                  Displays the name of the prefix list.
  scope scope                       Displays if the scope is local or fabric.

prefix-list-network-add

  name name-string                  Specify the name of the prefix list.
  network ip-address                Specify the IP address for the network.
  netmask netmask                   Specify the netmask.

prefix-list-network-delete name name-string

prefix-list-network-show

  name name-string                  Displays the name of the prefix list.
  network ip-address                Displays the IP address for the network.
  netmask netmask                   Displays the netmask.

ipv6security-raguard-create

  name name-string                  Specify the RA policy name.
  device host|router                Specify the type of device as host or router.
  router-priority low|medium|high   Specify the router priority as low, medium, or high.
  access-list name-string           Specify the access list name.
  prefix-list name-string           Specify the prefix list name.

ipv6security-raguard-delete

  name name-string                  Specify the RA policy name.

ipv6security-raguard-modify

  name name-string                  Specify the RA policy name.
  device host|router                Specify the type of device as host or router.
  router-priority low|medium|high   Specify the router priority as low, medium, or high.
  access-list name-string           Specify the access list name.
  prefix-list name-string           Specify the prefix list name.

ipv6security-raguard-show

  name name-string                  Displays the RA policy name.
  device host|router                Displays the type of device as host or router.
  router-priority low|medium|high   Displays the router priority as low, medium, or high.
  access-list name-string           Displays the access list name.
  prefix-list name-string           Displays the prefix list name.

ipv6security-raguard-port-add

  name name-string                  Specify the name of the RA Guard policy to add ports to.
  ports port-list                   Specify the list of ports to add to the policy.

ipv6security-raguard-port-remove

  name name-string                  Specify the name of the RA Guard policy to remove ports from.
  ports port-list                   Specify the list of ports to remove from the policy.

ipv6security-raguard-port-show

  name name-string                  Displays the name of the RA Guard policy.
  ports port-list                   Displays the list of ports bound to the policy.

ipv6security-raguard-vlan-add

  name name-string                  Specify the name of the RA Guard policy to add VLANs to.
  vlans vlan-id                     Specify the VLANs to add to the policy.

ipv6security-raguard-vlan-remove

  name name-string                  Specify the name of the RA Guard policy to remove VLANs from.
  vlans vlan-id                     Specify the VLANs to remove from the policy.

ipv6security-raguard-vlan-show

  name name-string                  Displays the name of the RA Guard policy.
  vlans vlan-id                     Displays the VLANs bound to the policy.