Catalyst 5500 security

alain.desnoyers · ‎10-17-2001

I have a client that requires, that prior to accessing his Network external and internal users must log in to the switch which will in turn validate the users via Radius or Tacacs+ and establish a VLAN for the user.

Can this be done, is there a feature that allows the switch to do this. My understanding is that the only reason to log in to the switch wether it be unsecure or via Radius or Tacacs+ was to access the CLI.

The other thing the client wants is for the VLAN to be locked to the switch port,ip address, protocol,virtual port. I know the switch can perform protocol filtering but as far as I know it cannot specify an actual virtual port and only has ip permit lists which are useless.

Any comments

Thanks

r-simpson · ‎10-23-2001

I’m not aware of any way to do that. You might run it by your Cisco rep. Anyone out there doing anything similar?

maxoma · ‎10-25-2001

VLANs require static configurations per vlan. Other switches will only automatically know about the vlans if they run VTP, and you have configured trunking. Also, each subnet associated with a vlan (Cisco recommends only defining a 1-to-1 correlation between a vlan and a subnet) would have to get added into a router as a process that router is aware of. Also, most switches have a limit of 254 vlans or less (usually 64 for the access-level units). This doesn't even get to dealing with the TACACS+ concept and what server they are going to authenticate to.

You might want to look at this link

http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/scg/kivlan.htm#xtocid2442329

Does the client really know what they want? I can tell you about what we do here at Lockheed for security if you're interested.

Eric

Network Engineering

Lockheed Martin

martijnmichiel · ‎10-25-2001

Alain. I am from the Netherlands and I'll try my best English. I cannot give you a direct answer.

I always like to think in terms of purpuse.

1. acces/wan security

2. lan/resource security

If you break down the requirements, you'll notice some issues you can isolate. That issues can be solved with equipment that is build for authentication or separation.

Users that i do not trust? I will NOT give them a switch CLI login! Howmuch users seek access? Do I reprogram my central core switch for a small amount?

Say users use a PIX or access router to get access a to your lan. Auth. trough radius or... . then we need to isolate the tcp sessions from other trusted tcp sessions, there ar a lot of ways to that. Separate lan/s, dedicated or mutlihomed servers....

Lock to ports or vrtual ports? Talking physical separation again...

My point is stick with simple solutions that are easier to manage, change, monitor and troubleshoot.

Years of netwerking learnt me that a technical possible solution is NOT automatically a workable solution.

Why not separate roles.

Cheers martijn jansen

networking consultant

anthonyfg · ‎10-25-2001

Hi. We run two switches: a Catalyst 5000 and Cat6509. As another person has noted there are varying levels of security, and thus addressed separately.

1) On the physical layer, you could limit the MAC addresses of machines that can access the network using a database that the switch refers to. This way, a foreign machine cannot just plug their machine into the network without the MAC add. being in the database.

2) Secure user authentication could also be accomplished using RSA secure ID, if they are really paranoid!!!

Hope this helps.

Anthony

john.lau · ‎10-29-2001

Totally a guestimation here, but it sounds like there are two things which you might want to consider:

1. Enable port security.

Your last paragraph seems to suggest your client wants to control the ability of an attached device to rove from one switch port to another (they have access to the switch itself!?).

And then if you have an enterprise management system (Openview, CA, Tivoli), you can trap on if and when someone moves from one port to another.

2) Look into the "User Registration Tool" or module of CiscoWorks.

URT ties VLAN policies with things such as a Windws NT/2000 or Novell userid (or group). So you could configure everyone in the "Accounting" ADS forest or "Marketing" leaf to be on separate VLAN's, for example.

That would simplify user administration by linking physical/logical network access to network resource access. For example, if someone didn't login successfully to NDS or AD/NT, they could be placed onto some non-routed VLAN.

And if your client doesn't run Novell or Windows services, you can use group names or even go by individual MAC address.

Hope this helps.

alain.desnoyers · ‎10-31-2001

Thanks for your reply, I'm not well versed in security, so I would not have the slightest idea how to implement what you just said, besides my client is not going to pay thousands of dollars for CiscoWorks to be used on a very samll network, a bit of overkill.

I did find out that the client was envisioning having each PC after it boots up to prompt the user for a username and password (Authentication by SecureID Tokens) exactly what I get here at work when I boot my PC every morning I get a login screen. Not too sure how to implement this , I'm even more unsure about implementing this for external users as well, which is what the client had in mind.