
CCIE Security V4 Technology Labs, Section 2: Threat Identification and Mitigation

Port Blocking on a Switch
Last updated: May 3, 2013

Task
Configure ports Fa0/13 and Fa0/15 of SW1 as static access ports in VLAN13.
Ensure that direct traffic between Fa0/13 and Fa0/15 is disallowed without using any type of ACL
filtering.
Traffic between any other two hosts from VLAN13 attached to SW1 should still be allowed.
Additionally, configure SW1 to protect R1 (attached to Fa0/1) from unknown unicast flooding attacks.

Overview
Protected ports prevent traffic from being exchanged at Layer 2 between two or more ports that are
in the same VLAN on the same switch. A frame received on a protected port is never forwarded out
another protected port, but it can be forwarded out a non-protected port, and a non-protected port
can still send to a protected one. This feature, also called Private VLAN Edge, is a much smaller
subset of the Private VLAN feature and cannot span multiple physical switches: the check is local to
each switch, so two protected ports on different switches joined by a trunk can still reach each other.

Note that the configuration affects only data-plane traffic that is hardware switched; control-plane
packets that are punted to the CPU and software switched, for example PIM packets, are still
exchanged between protected ports.

When the switch receives a frame with a destination MAC address for which it has no entry in its
address table, it floods that frame out every port where the VLAN the frame was received on is
allowed, except the port it arrived on. This is a security issue because hosts (and an attacker on the
segment) receive traffic that is not destined to them, and it is an attack vector because a high
volume of such traffic, for instance when an attacker keeps the address table saturated so that
legitimate destinations stay unknown, can overwhelm every host in that VLAN. You can configure the
switch so that unicast frames with a yet-unknown destination MAC address are not forwarded out of
specific ports. Only unknown unicast is affected: broadcasts such as ARP requests still reach the
port, and known unicast is delivered as usual. The trade-off is that a host behind a blocking port
whose MAC address has aged out of the address table receives nothing until it transmits a frame and
is learned again. Although you can do the same for multicast, it affects only pure Layer 2 multicast
(frames without an IP header), which makes sense because the MAC address of Layer 3 multicast
traffic is always unknown to the switch: it never appears as a source MAC address in any frame. Both
are enabled at the interface level with the command switchport block {unicast|multicast}.
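The two forwarding rules above are easier to reason about as a small model. The following is an added example and not part of the original lab: a Python model of a single switch's Layer 2 forwarding with protected ports and unknown-unicast/multicast blocking, built around a constructed copy of the lab topology (R1 on Fa0/1, the ASAs on Fa0/13 and Fa0/15, and an assumed extra VLAN13 host on Fa0/3; all MAC addresses are made up). It also shows the software-switched exception and what happens to the blocked port once R1's MAC entry ages out.

```python
"""Layer 2 forwarding model for 'switchport protected' and 'switchport block'.

Added example, not part of the original lab. Port names mirror the lab
(Fa0/1 = R1, Fa0/13 = ASA1, Fa0/15 = ASA2); Fa0/3 and every MAC address are
constructed for illustration."""

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (low bit of the first octet) set, and not the all-ones broadcast."""
    return mac != BROADCAST and int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Port:
    name: str
    vlan: int
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}  # (vlan, mac) -> port name, filled by source-MAC learning

    def forward(self, in_port, src_mac, dst_mac, ip_multicast=False, software_switched=False):
        """Return the sorted list of egress ports for one frame.

        ip_multicast: the frame carries an IP header ('block multicast' only
        drops pure Layer 2 multicast). software_switched: the frame is punted
        to the CPU (e.g. PIM), which bypasses the protected-port check."""
        ingress = self.ports[in_port]
        self.cam[(ingress.vlan, src_mac)] = in_port  # learned even if dropped later
        same_vlan = [p for p in self.ports.values()
                     if p.vlan == ingress.vlan and p.name != in_port]

        if dst_mac == BROADCAST:
            out = same_vlan  # 'switchport block' never touches broadcast
        elif is_multicast(dst_mac):
            out = same_vlan if ip_multicast else [p for p in same_vlan if not p.block_multicast]
        elif (ingress.vlan, dst_mac) in self.cam:
            learned = self.cam[(ingress.vlan, dst_mac)]
            out = [] if learned == in_port else [self.ports[learned]]  # known unicast
        else:
            out = [p for p in same_vlan if not p.block_unicast]  # unknown-unicast flood

        if ingress.protected and not software_switched:
            out = [p for p in out if not p.protected]  # protected -> protected is dropped
        return sorted(p.name for p in out)


# Constructed MAC addresses for the lab hosts.
R1, H3, ASA1, ASA2 = ("00:00:00:13:00:01", "00:00:00:13:00:03",
                      "00:00:00:13:00:11", "00:00:00:13:00:12")


def lab_switch() -> Switch:
    """SW1 as configured in this lab, plus one assumed extra host on Fa0/3."""
    return Switch([
        Port("Fa0/1", 13, block_unicast=True),  # R1
        Port("Fa0/3", 13),                      # another VLAN13 host (assumption)
        Port("Fa0/13", 13, protected=True),     # ASA1
        Port("Fa0/15", 13, protected=True),     # ASA2
    ])


def demo() -> dict:
    """Walk through the lab's verification traffic and return the egress lists."""
    sw = lab_switch()
    r = {}
    r["asa1_arp_broadcast"] = sw.forward("Fa0/13", ASA1, BROADCAST)      # R1 and H3, never ASA2
    r["asa1_unknown_unicast"] = sw.forward("Fa0/13", ASA1, H3)           # H3 only: R1 blocks, ASA2 is protected
    r["h3_reply"] = sw.forward("Fa0/3", H3, ASA1)                        # ASA1 is now known on Fa0/13
    r["asa2_to_asa1"] = sw.forward("Fa0/15", ASA2, ASA1)                 # known, but protected -> protected
    r["pim_between_asas"] = sw.forward("Fa0/15", ASA2, "01:00:5e:00:00:0d",
                                       ip_multicast=True, software_switched=True)
    r["flood_attack_from_h3"] = sw.forward("Fa0/3", H3, "00:de:ad:be:ef:01")  # R1 is shielded
    sw.forward("Fa0/1", R1, H3)                                          # R1 gets learned ...
    sw.cam.pop((13, R1))                                                 # ... then its entry ages out
    r["r1_after_cam_ageout"] = sw.forward("Fa0/3", H3, R1)               # unknown again: R1 unreachable
    return r


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:24s} -> {ports}")
```

The last step is the caveat of `switchport block unicast`: once R1's address ages out, frames for R1 are flooded, the flood is suppressed on Fa0/1, and R1 stays unreachable until it sends something and is re-learned.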

Configuration
SW1:
interface range FastEthernet0/13 , FastEthernet0/15
 switchport mode access
 switchport access vlan 13
 switchport protected
 no shutdown
!
! Fa0/1 faces R1: suppress unknown-unicast floods on the egress toward it
interface FastEthernet0/1
 switchport block unicast

Verification
Verify that both ports are configured as protected and R1 is protected from unknown unicast
flooding attacks.

Rack1SW1#show interfaces fastEthernet0/13 switchport | i Protected
Protected: true
!
!
Rack1SW1#show interfaces fastEthernet0/15 switchport | i Protected
Protected: true
!
!
Rack1SW1#show interfaces fastEthernet0/1 switchport | i block
Unknown unicast blocked: enabled
Unknown multicast blocked: disabled
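Checking three ports by hand is fine in the lab; on a production switch it is worth automating the check against the full output. The following is an added example, not part of the original lab: a Python audit that parses `show interfaces switchport` text (the sample below is constructed to look like Catalyst output, trimmed to the fields parsed here, with Fa0/15 deliberately missing `switchport protected` so the audit has something to report) and verifies the lab policy: the isolated ports are static access ports in VLAN 13 and protected, and the port facing R1 blocks unknown unicast.

```python
"""Audit 'show interfaces switchport' output against the port-blocking policy.

Added example, not part of the original lab. SAMPLE_OUTPUT is constructed
(fields trimmed to those parsed below); Fa0/15 is intentionally left
unprotected to show a finding."""

import re

SAMPLE_OUTPUT = """\
Name: Fa0/1
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 13 (VLAN0013)
Protected: false
Unknown unicast blocked: enabled
Unknown multicast blocked: disabled

Name: Fa0/13
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 13 (VLAN0013)
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Name: Fa0/15
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 13 (VLAN0013)
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
"""


def parse_switchport(text: str) -> dict:
    """Return {interface name: attributes} from 'show interfaces switchport' output."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            current = {"mode": None, "vlan": None, "protected": False,
                       "block_unicast": False, "block_multicast": False}
            ports[line[len("Name: "):].strip()] = current
        elif current is None or not line:
            continue  # ignore anything before the first interface block
        elif line.startswith("Operational Mode: "):
            current["mode"] = line.split(": ", 1)[1]
        elif line.startswith("Access Mode VLAN: "):
            current["vlan"] = int(re.match(r"Access Mode VLAN: (\d+)", line).group(1))
        elif line.startswith("Protected: "):
            current["protected"] = line.endswith("true")
        elif line.startswith("Unknown unicast blocked: "):
            current["block_unicast"] = line.endswith("enabled")
        elif line.startswith("Unknown multicast blocked: "):
            current["block_multicast"] = line.endswith("enabled")
    return ports


def audit(ports: dict, vlan: int, isolated, flood_guarded) -> list:
    """Return policy violations as strings; an empty list means compliant."""
    findings = []
    for name in isolated:
        p = ports.get(name)
        if p is None:
            findings.append(f"{name}: missing from output")
            continue
        if p["mode"] != "static access" or p["vlan"] != vlan:
            findings.append(f"{name}: expected static access in VLAN {vlan}, "
                            f"got {p['mode']} in VLAN {p['vlan']}")
        if not p["protected"]:
            findings.append(f"{name}: 'switchport protected' missing, "
                            f"port can still reach the other isolated ports")
    for name in flood_guarded:
        p = ports.get(name)
        if p is None:
            findings.append(f"{name}: missing from output")
        elif not p["block_unicast"]:
            findings.append(f"{name}: 'switchport block unicast' missing, "
                            f"unknown-unicast floods reach the attached host")
    return findings


def run(text: str = SAMPLE_OUTPUT) -> list:
    """Apply this lab's policy: Fa0/13 and Fa0/15 isolated, Fa0/1 flood-guarded."""
    return audit(parse_switchport(text), 13, ("Fa0/13", "Fa0/15"), ("Fa0/1",))


if __name__ == "__main__":
    for finding in run() or ["compliant"]:
        print(finding)
```

Feed it the full `show interfaces switchport` output rather than the `| i` filtered lines, since the per-interface `Name:` header is what ties each `Protected:` line to its port.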

The Ethernet0/1 interfaces of ASA1 and ASA2 are connected to these two protected ports. Configure
them with IP addresses from VLAN13 and verify that traffic between the two ASAs is dropped, while
traffic to the other hosts in VLAN13 is still forwarded.

ASA1:

interface Ethernet0/1
nameif VLAN13
ip address 136.1.13.11 255.255.255.0
no shutdown

ASA2:
interface Ethernet0/1
nameif VLAN13
ip address 136.1.13.12 255.255.255.0
no shutdown

Verify connectivity in VLAN13.

Rack1ASA1#ping 136.1.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
Rack1ASA1# ping 136.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
!
!
Rack1ASA1# ping 136.1.13.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.13.12, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

The pings to 136.1.13.1 and 136.1.13.3 succeed because those hosts sit behind non-protected ports,
and the unknown-unicast block on Fa0/1 does not affect the broadcast ARP request or the known
unicast reply. The ping to ASA2 fails because the frame enters on one protected port and would have
to leave on the other: neither the ARP request nor a unicast echo is ever forwarded between them.
