Cat4500 HA and other security related question

alertforce · ‎01-27-2010

Hi, I am planning to setup the following infra:

02 x Cat4507 switch, each with 02 x Supervisor Engine IV, as core switches

1 at each building

10 x Cat2960 switch, each with 02 x uplink cables, to each of the core switch, 5 per building, as edge switch.

I would like to know can the following be achieved:

Can I register all the network devices (PC, printer) to the core switch, and send out alarm (SNMP packets) when one of the following occur: A non-registered device is plugged into the network; a registered device is disconnected from the network

Send out alarm when bandwidth utilization hit a certain level (between edge switch uplink and core switch, or between end point network device and edge switch network port)

As for link redundancy, I should be using Spanning Tree?

Thanks.

Pat

sachinraja · ‎01-27-2010

Hi Pat

Yess. YOu would need spanning tree for sure.. Since your edge switches connect to both your core switches , the uplink trunks should work in Active/standby mode,, Hence u would need spanning tree to prevent loops on the network. you can probably think of enabling the first switch to be the root of half of the vlans (by changing priority) and the second core to be the root of other vlans.. by doing this you effectively load share traffic across both the trunk links.. incase of a failure of one uplink, the other link would take the traffic...

and with regards to SNMP traps ? the most important thing is what network management system are you using ? here is what i think:

1 ) non-registered device is plugged into the network -how do u define non-registered devices ? Are these rogue devices like hubs ? standard/best practice is to have all the unused ports shut, so that as an admin you would know when a device goes in (to unshut the ports).. if you want some kind of automated checking, you can use 802.1x authentication to validate the PC's connecting to the network.. without successful authentication, the devices wont get onto the network.. im not sure a network management system of SNMP trap would be helpful in this regard.. switch can do send port up/down info, but not sure how that will be helpful in your case..

2) a registered device is disconnected from the network - you can bind your network devices and other critical servers onto the network management system.. and monitor them thro ICMP.. when a network device is removed from the network, ICMP fails, and your NMS can trap this.. i dont think it is a good idea to scan all registered devices (like PCs, printers etc)...

3) Send out alarm when bandwidth utilization hit a certain level - am sure this dependent on the network mgmt software you are using... switches can send bandwidth reports or netflow exports to NMS device.. it depends on the NMS device to fetch this data, and trigger an alarm when it reaches a particular level.. for eg simple tools like PRTG, MRTG can map and show the bandwidth details offline.. not sure if it triggers alarms.. other high end network mgmt systems can surely do this..

Hope this helps.. all the best..

Raj

alertforce · ‎01-29-2010

Hi Raj,

I an planning to use Ciscoworks LAN Manager for the network managment.

For non-registered devices I am referring to devices like PC, if I am using the ports shut on the edge switch, a PC is being unlugged from the port and a rogue PC is plugged in, will the rogue PC be able to access the network?

Thanks.

Pat

sachinraja · ‎01-29-2010

Hi Alex

For non-registered devices I am referring to devices like PC, if I am using the ports shut on the edge switch, a PC is being unlugged from the port and a rogue PC is plugged in, will the rogue PC be able to access the network?

Yes... the Rogue PC will be able to access the network.. if you want to authenticate users getting onto the network, you need to implement 802.1x... when you enable dot1x , you will have a 802.1x client, which will prompt for a username password.. with radius authentication (integrated with active directory) you can provide access to the user PC. this will make sure all PCs connected to the ntework are authenticated... if you need guidance on how to configure 802.1x refer to CCO or get back to us... for devices like printers, you can have them placed onto a seperate VLAN..

802.1x also provides guest VLAN , authentication failure vlan concepts.. guests who do not have dot1x clients, can be put under an isolated vlan, called guest vlan, and can be given access only to internet.. they will not be able to access the internal network when on guest vlan..

You can also restrict user PC with regards to MAC addresses.. Layer 2 security feature called Port security will make this work.. for eg, your production PC has xxxx.xxxx.xxxx MAC, and you have another PC with a.a.a.a MAC, this will not work.. but the biggest disadvantage is administering the whole thing.. if you have 1000 PCs, you will need to have 1000 statements, and manage each port with MAC.. you can also do dynamic mac restriction...

if you need to provide more access restrictions, like checking the software installed, windows patches etc, NAC is the way to go !

Do let us know if you have anymore queries on this..

Hope this helps.. all the best

Raj