- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Configuring a Supervisor Engine 32 PISA
- Configuring NSF with SSO Supervisor Engine Redundancy
- Configuring RPR Supervisor Engine Redundancy
- Configuring Interfaces
- Configuring Layer 2 Ethernet Interfaces
- Configuring Flex Links
- Configuring Layer 3 and Layer 2 EtherChannel
- Configuring VLAN Trunking Protocol (VTP)
- Configuring VLANs
- Configuring Private VLANs (PVLANs)
- Configuring Cisco IP Phone Support
- Configuring IEEE 802.1Q Tunneling
- Configuring Layer 2 Protocol Tunneling (L2PT)
- Configuring STP and MST
- Configuring STP Features
- Configuring Layer 3 Interfaces
- Configuring UDE and UDLR
- Configuring PFC3BXL and PFC3B Multiprotocol Label Switching (MPLS)
- Configuring IPv4 Multicast VPN Support
- Configuring IP Unicast Layer 3 Switching
- Configuring IPv6 Multicast Layer 3 Switching
- Configuring IPv4 Multicast Layer 3 Switching
- Configuring MLDv2 Snooping
- Configuring IGMP Snooping
- Configuring PIM Snooping
- Configuring Router-Port Group Management Protocol (RGMP)
- Configuring Network Security
- Understanding Cisco IOS ACL Support
- Configuring VLAN ACLs (VACLs)
- Configuring Denial of Service (DoS) Protection
- Configuring DHCP Snooping
- Configuring Dynamic ARP Inspection (DAI)
- Configuring Traffic-Storm Control
- Configuring Unknown Unicast and Multicast Flood Blocking
- Configuring PFC QoS
- Configuring PFC3BXL or PFC3B Mode MPLS QoS
- Configuring PFC QoS Statistics Data Export
- Configuring Network Admission Control (NAC)
- Configuring 802.1X Port-Based Authentication
- Configuring Port Security
- Configuring Cisco Discovery Protocol (CDP)
- Configuring UniDirectional Link Detection (UDLD)
- Configuring the NetFlow Table
- Configuring NetFlow Data Export (NDE)
- Configuring Local SPAN, Remote SPAN (RSPAN), and Encapsulated RSPAN
- Configuring SNMP IfIndex Persistence
- Power Management and Environmental Monitoring
- Configuring Online Diagnostics
- Configuring Top N Utility Reports
- Using the Layer 2 Traceroute Utility
- Online Diagnostic Tests
- Acronyms
Configuring Network Security
This chapter contains network security information unique to the Catalyst 6500 series switches, which supplements the network security information and procedures in these publications:
•
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
•Cisco IOS Security Command Reference, Release 12.2, at this URL
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Note For complete syntax and usage information for the commands used in this chapter, refer to these publications:
•The Catalyst Supervisor Engine 32 PISA Cisco IOS Command Reference, Release 12.2ZY, at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
•The Release 12.2 publications at this URL:
This chapter consists of these sections:
•Configuring MAC Address-Based Traffic Blocking
•Configuring Unicast Reverse Path Forwarding Check
Configuring MAC Address-Based Traffic Blocking
To block all traffic to or from a MAC address in a specified VLAN, perform this task:
This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:
Router# configure terminal
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop
Configuring TCP Intercept
TCP intercept flows are processed in hardware.
For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.2, "Traffic Filtering and Firewalls," "Configuring TCP Intercept (Preventing Denial-of-Service Attacks)," at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfdenl.html
Configuring Unicast Reverse Path Forwarding Check
These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding check (Unicast RPF check):
•Understanding PFC3B Unicast RPF Check Support
•Unicast RPF Check Guidelines and Restrictions
•Configuring Unicast RPF Check
Understanding PFC3B Unicast RPF Check Support
For a complete explanation of how Unicast RPF check works, refer to the Cisco IOS Security Configuration Guide, Release 12.2, "Other Security Features," "Configuring Unicast Reverse Path Forwarding" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html
The PFC3B provides hardware support for RPF check of traffic from multiple interfaces.
With strict-method Unicast RPF check, the PFC3B supports two parallel paths for all prefixes in the routing table, and up to four parallel paths for prefixes reached through any of four user-configurable RPF interface groups (each interface group can contain four interfaces).
With loose-method Unicast RPF check (also known as exist-only method), the PFC3B supports up to eight reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).
There are four methods of performing Unicast RPF check in Cisco IOS:
•Strict Unicast RPF check
•Strict Unicast RPF check with allow-default
•Loose Unicast RPF check
•Loose Unicast RPF check with allow-default
You configure Unicast RPF check on a per-interface basis, but the PFC3B supports only one Unicast RPF method for all interfaces that have Unicast RPF check enabled. When you configure an interface to use a Unicast RPF method that is different from the currently configured method, all other interfaces in the system that have Unicast RPF check enabled use the new method.
Unicast RPF Check Guidelines and Restrictions
When configuring Unicast RPF check, follow these guidelines and restrictions:
•If you configure Unicast RPF check to filter with an ACL, the PFC3B determines whether or not traffic matches the ACL. The PFC3B sends the traffic denied by the RPF ACL to the PISA for the Unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a Unicast RPF check (CSCdz35099).
•Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the PISA for the Unicast RPF check, they can overload the PISA.
•The PFC3B provides hardware support for traffic that does not match the Unicast RPF check ACL, but that does match an input security ACL.
•The PFC3B does not provide hardware support for the Unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)
Configuring Unicast RPF Check
These sections describe how to configure Unicast RPF check:
•Configuring the Unicast RPF Check Mode
•Configuring the Multiple-Path Unicast RPF Check Mode on a PFC3B
Configuring the Unicast RPF Check Mode
There are two Unicast RPF check modes:
•Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port.
•Exist-only check mode, which only verifies that the source IP address exists in the FIB table.
Note The most recently configured mode is automatically applied to all ports configured for Unicast RPF check.
To configure Unicast RPF check mode, perform this task:
|
|
|
|
|---|---|---|
Step 1 |
Router(config)# interface {{vlan vlan_ID} | {type1 slot/port} | {port-channel number}} |
Selects an interface to configure. Note |
Step 2 |
Router(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list] |
Configures the Unicast RPF check mode. |
Router(config-if)# no ip verify unicast |
Reverts to the default Unicast RPF check mode. |
|
Step 3 |
Router(config-if)# exit |
Exits interface configuration mode. |
Step 4 |
Router# show mls cef ip rpf |
Verifies the configuration. |
1 type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet |
When configuring the Unicast RPF check mode, note the following information:
•Use the rx keyword to enable strict check mode.
•Use the any keyword to enable exist-only check mode.
•Use the allow-default keyword to allow use of the default route for RPF verification.
•Use the list option to identify an access list.
–If the access list denies network access, spoofed packets are dropped at the port.
–If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics.
–If the access list includes the logging action, information about the spoofed packets is sent to the log server.
Note When you enter the ip verify unicast source reachable-via command, the Unicast RPF check mode changes on all ports in the switch.
This example shows how to enable Unicast RPF exist-only check mode on Gigabit Ethernet port 4/1:
Router(config)# interface gigabitethernet 4/1
Router(config-if)# ip verify unicast source reachable-via any
Router(config-if)# end
Router#
This example shows how to enable Unicast RPF strict check mode on Gigabit Ethernet port 4/2:
Router(config)# interface gigabitethernet 4/2
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
Router#
This example shows how to verify the configuration:
Router# show running-config interface gigabitethernet 4/2
Building configuration...
Current configuration : 114 bytes
!
interface GigabitEthernet4/2
ip address 42.0.0.1 255.0.0.0
ip verify unicast reverse-path
no cdp enable
end
Router# show running-config interface gigabitethernet 4/1
Building configuration...
Current configuration : 114 bytes
!
interface GigabitEthernet4/1
ip address 41.0.0.1 255.0.0.0
ip verify unicast reverse-path 
(RPF mode on g4/1 also changed to strict-check RPF mode)
no cdp enable
end
Router#
Configuring the Multiple-Path Unicast RPF Check Mode on a PFC3B
To configure the multiple-path Unicast RPF check mode on a PFC3B, perform this task:
When configuring the multiple path RPF check mode, note the following information:
•punt mode (default)—The PFC3B performs the Unicast RPF check in hardware for up to two interfaces per prefix. Packets arriving on any additional interfaces are redirected (punted) to the PISA for Unicast RPF check in software.
•pass mode—The PFC3B performs the Unicast RPF check in hardware for single-path and two-path prefixes. Unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces (these packets always pass the Unicast RPF check).
•interface-group mode—The PFC3B performs the Unicast RPF check in hardware for single-path and two-path prefixes. The PFC3B also performs the Unicast RPF check for up to four additional interfaces per prefix through user-configured multipath Unicast RPF check interface groups. Unicast RPF check is disabled for packets coming from other multipath prefixes that have three or more reverse-path interfaces (these packets always pass the Unicast RPF check).
This example shows how to configure punt as the multiple path RPF check mode:
Router(config)# mls ip cef rpf mpath punt
Configuring Multiple-Path Interface Groups on a PFC3B
To configure multiple-path Unicast RPF interface groups on a PFC3B, perform this task:
This example shows how to configure interface group 2:
Router(config)# mls ip cef rpf interface-group 2 fastethernet 3/3 fastethernet 3/4 fastethernet 3/5 fastethernet 3/6
Enabling Self-Pinging
With Unicast RPF check enabled, by default the switch cannot ping itself.
To enable self-pinging, perform this task:
|
|
|
|
|---|---|---|
Step 1 |
Router(config)# interface {{vlan vlan_ID} | {type1 slot/port} | {port-channel number}} |
Selects the interface to configure. |
Step 2 |
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping |
Enables the switch to ping itself or a secondary address. |
Router(config-if)# no ip verify unicast source reachable-via any allow-self-ping |
Disables self-pinging. |
|
Step 3 |
Router(config-if)# exit |
Exits interface configuration mode. |
1 type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet |
This example shows how to enable self-pinging:
Router(config)# interface gigabitethernet 4/1
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Router(config-if)# end
Feedback