My description focuses primarily on Cisco Nexus 3000 series switches (as I discovered, this series has a limited feature set). I tested everything on a Cisco Nexus 3172T switch. Before reading this article, I recommend reviewing the previous one, Cisco IOS 24 - security of communication on ports.
Traffic Storm Control
A link to the official documentation: Cisco Nexus 3000 Series NX-OS Layer 2 Switching Configuration Guide, Release 7.x - Configuring Traffic Storm Control. Storm Control is configured exactly as in IOS.
SWITCH(config-if)#storm-control broadcast level 10
Only the command for displaying the configured values is different.
SWITCH#show interface counters storm-control
[Action] S - Shut (Err Disable), T - Trap
--------------------------------------------------------------------------------
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards Action
--------------------------------------------------------------------------------
Eth1/1 100.00 10.00 10.00 0 [--]
Eth1/2 100.00 10.00 10.00 0 [--]
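When many ports are involved, reading this table by eye is error-prone, so here is a small audit of it. This is an added example, not code from the original article or from Cisco: it parses a captured copy of the table in the shape shown above and reports ports where a traffic type is still unsuppressed (100 %), ports that are already discarding, and ports with no shut/trap action. The Eth1/1 and Eth1/2 rows are copied from the output above; Eth1/3 and Eth1/4 are constructed, and the rendering of a configured action as "[ST]" is an assumption derived from the legend line.

```python
"""Audit a captured 'show interface counters storm-control' table.

Added example, not NX-OS code. Row and action rendering for configured actions
("[ST]") is assumed from the legend line; rows Eth1/3 and Eth1/4 are constructed.
"""
from __future__ import annotations
import re

# Constructed sample in the shape of the show command output.
SAMPLE = """\
[Action] S - Shut (Err Disable), T - Trap
--------------------------------------------------------------------------------
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards Action
--------------------------------------------------------------------------------
Eth1/1 100.00 10.00 10.00 0 [--]
Eth1/2 100.00 10.00 10.00 0 [--]
Eth1/3 100.00 100.00 100.00 0 [--]
Eth1/4 100.00 10.00 10.00 1532 [ST]
"""

# One data row: port, three suppression levels, discard counter, action flags.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<ucast>\d+\.\d+)\s+(?P<mcast>\d+\.\d+)\s+"
    r"(?P<bcast>\d+\.\d+)\s+(?P<discards>\d+)\s+\[(?P<action>[S-][T-])\]$"
)


def parse_storm_control(text: str) -> list[dict]:
    """Return one dict per port row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "port": d["port"],
            "ucast": float(d["ucast"]),
            "mcast": float(d["mcast"]),
            "bcast": float(d["bcast"]),
            "discards": int(d["discards"]),
            "shut": d["action"][0] == "S",   # S = err-disable the port
            "trap": d["action"][1] == "T",   # T = send an SNMP trap
        })
    return rows


def audit(rows: list[dict], unsuppressed: float = 100.0) -> dict[str, list[str]]:
    """Map port -> list of findings. Unicast at 100 % is the usual default and
    is deliberately not flagged; multicast/broadcast at 100 % means no limit."""
    findings = {}
    for r in rows:
        reasons = []
        if r["mcast"] >= unsuppressed:
            reasons.append("mcast-unsuppressed")
        if r["bcast"] >= unsuppressed:
            reasons.append("bcast-unsuppressed")
        if r["discards"] > 0:
            reasons.append(f"discards={r['discards']}")
        if not (r["shut"] or r["trap"]):
            reasons.append("no-action")
        if reasons:
            findings[r["port"]] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in audit(parse_storm_control(SAMPLE)).items():
        print(port, ", ".join(reasons))
```

A port that only reports "no-action" is not misconfigured (the output above shows this state on every port); the finding is there so that the choice between silently dropping and err-disabling or trapping is made consciously.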
Port Security
The Cisco Nexus 3000 series does not support the Port Security feature. However, if we use IP Source Guard, it should cover MAC address checking as well. Higher series, such as the 5000, already support Port Security; there it must be enabled globally. A link to the official documentation: Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 7.x - Configuring Port Security.
SWITCH(config)#feature port-security
As a replacement for Port Security, we could use a MAC ACL (see Cisco IOS 8 - ACL - Access Control List).
SWITCH(config)#mac access-list TestACL
SWITCH(config-mac-acl)#permit host 00c0.4f00.0000 any
And apply it to the port as a Port ACL.
SWITCH(config)#interface ethernet 1/1
SWITCH(config-if)#mac port access-group TestACL
Or alternatively on a VLAN as a VLAN map (see Cisco IOS 20 - VLAN access-map - VLAN map - VACL).
The problem is that the Cisco Nexus 3000 series doesn't support MAC ACL either.
DHCP Snooping
DHCP Snooping is again configured the same way as in IOS. A link to the official documentation: Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 7.x - Configuring DHCP Snooping.
First, we must enable the DHCP feature; then we use the usual commands to turn on DHCP Snooping for selected VLANs, and we can set some ports as trusted.
SWITCH(config)#feature dhcp
SWITCH(config)#ip dhcp snooping
SWITCH(config)#ip dhcp snooping vlan 1-3967
SWITCH(config)#interface Eth1/1
SWITCH(config-if)#ip dhcp snooping trust
Displaying configuration information is again similar.
SWITCH#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1-3967
DHCP snooping is operational on the following VLANs:
1,100
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface     Trusted
------------  -------
DHCP Snooping Binding Database
In this area, there has been quite a significant change compared to IOS, and I would say it's simpler or at least clearer. In IOS, I mentioned that I find the use of DHCP Snooping Binding versus IP Source Binding confusing. On Nexus, this is combined. We don't configure an agent and records are not saved to a special file. The database can have a maximum of 2000 records.
A static record is inserted with a command that looks more like the static IP Source Guard binding on IOS, but with a reversed syntax compared to IOS. It is saved in the running configuration.
SWITCH(config)#ip source binding 192.168.100.10 1234.abcd.1234 vlan 100 interface Eth1/1
Note: Nexus is slightly better than IOS here, but unfortunately only by a little. Records are not overwritten; instead an error is displayed. This happens if we enter different MAC addresses for the same IP address in the same VLAN (a VIP that may be started on different servers), or if we want to enter the same combination of MAC address and IP address on a different port (a virtual host that can move between cluster nodes). However, we can create multiple records for one MAC address with different IP addresses (a server with multiple IP addresses on one interface, such as a VIP).
Listing the records from the database is, however, the same again.
SWITCH#show ip dhcp snooping binding
MacAddress         IpAddress        Lease(Sec)  Type        VLAN  Interface
-----------------  ---------------  ----------  ----------  ----  -------------
12:34:ab:cd:12:34  192.168.100.10   infinite    static      100   ethernet1/1
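The acceptance rules in the note above are easy to trip over when a batch of static bindings is prepared for a cluster, so here they are as code. This is an added example, not NX-OS code or anything from the article's author: it models the three behaviours described (a conflicting record is rejected instead of overwritten) and the 2000-record limit, and renders the accepted records as "ip source binding" lines so that collisions are found before the lines are pasted into the switch. The interface name normalisation and the exact error wording are my own choices.

```python
"""Model of the static-binding acceptance rules described for the Nexus DHCP
Snooping Binding Database. Added example, not NX-OS code."""
from __future__ import annotations
from dataclasses import dataclass

MAX_ENTRIES = 2000  # database limit stated in the text


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str         # colon form, lower case
    vlan: int
    interface: str   # lower case, e.g. "eth1/1"


def normalize_mac(mac: str) -> str:
    """Accept dotted Cisco form (1234.abcd.1234), colon or dash form; return colon form."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dotted_mac(mac: str) -> str:
    """Colon form back to the dotted form the configuration command uses."""
    digits = mac.replace(":", "")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


class BindingDB:
    def __init__(self) -> None:
        self.entries: list[Binding] = []

    def add(self, ip: str, mac: str, vlan: int, interface: str) -> tuple[bool, str]:
        """Try to add a static record; return (accepted, reason)."""
        new = Binding(ip, normalize_mac(mac), int(vlan), interface.lower())
        if len(self.entries) >= MAX_ENTRIES:
            return False, f"database full ({MAX_ENTRIES} records)"
        for old in self.entries:
            if old == new:
                return False, "record already exists"
            # Rule 1: one IP address in a VLAN may be bound to only one MAC.
            if old.ip == new.ip and old.vlan == new.vlan and old.mac != new.mac:
                return False, f"{new.ip} in VLAN {new.vlan} is already bound to {old.mac}"
            # Rule 2: the same IP+MAC pair may not appear on a second interface.
            if old.ip == new.ip and old.mac == new.mac and old.interface != new.interface:
                return False, f"{new.ip}/{new.mac} is already bound on {old.interface}"
        # Rule 3: one MAC with several IP addresses is allowed, nothing to check.
        self.entries.append(new)
        return True, "ok"

    def to_cli(self) -> list[str]:
        """Configuration lines in the 'ip source binding' syntax shown above."""
        return [
            f"ip source binding {b.ip} {dotted_mac(b.mac)} vlan {b.vlan} interface {b.interface}"
            for b in self.entries
        ]


def plan(records) -> tuple[list[str], list[str]]:
    """Validate a batch of (ip, mac, vlan, interface) tuples;
    return (cli lines for accepted records, rejection messages)."""
    db, rejected = BindingDB(), []
    for ip, mac, vlan, intf in records:
        ok, why = db.add(ip, mac, vlan, intf)
        if not ok:
            rejected.append(f"{ip} {mac} vlan {vlan} {intf}: {why}")
    return db.to_cli(), rejected


if __name__ == "__main__":
    # Constructed batch: the second record collides with the first under rule 1.
    cli, rejected = plan([
        ("192.168.100.10", "1234.abcd.1234", 100, "Eth1/1"),
        ("192.168.100.10", "1234.abcd.5678", 100, "Eth1/2"),
        ("192.168.100.11", "1234.abcd.1234", 100, "Eth1/1"),
    ])
    print("\n".join(cli))
    print("rejected:", rejected)
```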
IP Source Guard
The IP Source Guard security feature builds on DHCP Snooping (and the notes above) and directly requires that DHCP Snooping is turned on. It is configured per interface and works as a traffic filter that only allows packets whose MAC and IP address match the Binding DB (dynamic entries from the DHCP Snooping Binding Database and static IP Source Binding entries). In general, the principle is the same as on IOS switches.
Interestingly, in the documentation for the Cisco Nexus 3000 series, I didn't find any description of the IP Source Guard function. The description is found in higher series, for example Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 7.x - Configuring IP Source Guard, but it works the same on Nexus 3000 as well.
The configuration is done on the port; it works for me on a Port Channel too, and so far it seems to work within a Virtual Port Channel as well (I didn't fully understand the documentation, but it might not be supported). The syntax differs slightly from IOS: the port-security keyword is not used at all, because MAC address checking is always performed.
SWITCH(config)#interface Eth1/1
SWITCH(config-if)#ip verify source dhcp-snooping-vlan
We showed how to enter a static record and how to list the table of records in the DHCP Snooping section. As on IOS, we can list the ports where IP Source Guard is configured.
SWITCH#show ip verify source
IP source guard excluded vlans:
------------------------------------------------------
none
-----------------------------------
IP source guard is enabled on the following interfaces:
------------------------------------------------------
ethernet1/1
IP source guard operational entries:
-----------------------------------
Interface Filter-mode IP-address Mac-address Vlan
------------ ----------- ---------- -------------- ----
ethernet1/1 active 192.168.100.10 12:34:ab:cd:12:34 100
Dynamic ARP Inspection (DAI)
The basic functioning of Dynamic ARP Inspection is the same as on IOS. There is no option to use an ARP ACL filter on the Nexus 3000 series (higher series already support it); only records from the DHCP Snooping Binding Database are used, whether dynamic or statically entered as described above. This also means that DHCP Snooping must be turned on for DAI to be usable. ARP frame rate limiting is not performed either. Description in the official documentation: Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 7.x - Configuring Dynamic ARP Inspection.
The configuration involves turning it on for selected VLANs and possibly setting some ports as trusted, where checking is not performed.
SWITCH(config)#ip arp inspection vlan 100,200
SWITCH(config)#interface Eth1/1
SWITCH(config-if)#ip arp inspection trust
We can also turn on extended checks in the same way.
SWITCH(config)#ip arp inspection validate src-mac dst-mac ip
To display information about the configured DAI, the same commands are used as on IOS; only the output format is slightly different.
SWITCH#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan : 100
-----------
Configuration        : Enabled
Operation State      : Active
DHCP logging options : Deny

ARP Req Forwarded  = 3206
ARP Res Forwarded  = 2616
ARP Req Dropped    = 3
ARP Res Dropped    = 0
DHCP Drops         = 3
DHCP Permits       = 5822
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0

SWITCH#show ip arp inspection interfaces

Interface      Trust State
-------------  -----------
ethernet1/1    Trusted
ethernet1/5    Trusted

SWITCH#show ip arp inspection statistics vlan 100

Vlan : 100
-----------
ARP Req Forwarded  = 2
ARP Res Forwarded  = 1
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 3
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0

SWITCH#show ip arp inspection vlan 100

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan : 100
-----------
Configuration        : Enabled
Operation State      : Active
DHCP logging options : All
Logging
There is also a change in logging, and in my opinion quite a significant one. By default, all denied/dropped packets are recorded in the logging buffer, but they are no longer recorded in the system log (no system message is generated). So I don't know how to pass the information on to Syslog.
We can set the size of the logging buffer (the default is 32). When it is full, the oldest messages are overwritten.
SWITCH(config)#ip arp inspection log-buffer entries 100
We can display the contents of the buffer together with its settings. Interestingly, a Syslog Rate item is also shown here. There are quite a few errors in the official documentation; for example, it shows examples of messages logged to the system log that are not generated on Nexus (probably copied from the IOS documentation).
SWITCH#show ip arp inspection log
Syslog Buffer Size : 32
Syslog Rate : 5 entries per 1 seconds
Tue Nov 1 17:23:30 2016 DHCP-SNOOP-DENY: ARP Req on ethernet1/1:vlan 100 source 192.168.100.10/12:34:ab:cd:12:34 dest 192.168.100.1/00:00:00:00:00:00 eth src mac: 12:34:ab:cd:12:34 eth dst mac: 00:12:34:ab:cd:12
Wed Nov 2 11:22:55 2016 DHCP-SNOOP-PERMIT: ARP Req on ethernet1/1:vlan 100 source 192.168.100.10/58:20:b1:e1:13:d8 dest 192.168.100.1/00:00:00:00:00:00 eth src mac: 58:20:b1:e1:13:d8 eth dst mac: 00:12:34:ab:cd:12
The log contents can be cleared manually.
SWITCH#clear ip arp inspection log
We can also enable extended logging for packets that match DHCP bindings.
SWITCH(config)#ip arp inspection vlan 100 logging dhcp-bindings all
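Since the denied packets only reach the on-box buffer and generate no system message, the practical way to get them into a central log is to collect the buffer output periodically and forward it from a host. The following is an added example, not code from the article or from Cisco: it parses a captured copy of "show ip arp inspection log" into structured events, counts denies per interface and sender, flags entries whose ARP sender MAC differs from the Ethernet source MAC (the condition that "ip arp inspection validate src-mac" checks), and renders each event as a single line that a syslog forwarder can send. The first two entries are copied from the output above; the third entry is constructed to show a mismatch. The "DAI-DENY" tag and field names in the rendered line are my own, not NX-OS message formats.

```python
"""Parse the DAI log buffer of a Nexus into structured events.
Added example, not NX-OS code; the third sample entry is constructed."""
from __future__ import annotations
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Syslog Buffer Size : 32
Syslog Rate : 5 entries per 1 seconds
Tue Nov 1 17:23:30 2016 DHCP-SNOOP-DENY: ARP Req on ethernet1/1:vlan 100 source 192.168.100.10/12:34:ab:cd:12:34 dest 192.168.100.1/00:00:00:00:00:00 eth src mac: 12:34:ab:cd:12:34 eth dst mac: 00:12:34:ab:cd:12
Wed Nov 2 11:22:55 2016 DHCP-SNOOP-PERMIT: ARP Req on ethernet1/1:vlan 100 source 192.168.100.10/58:20:b1:e1:13:d8 dest 192.168.100.1/00:00:00:00:00:00 eth src mac: 58:20:b1:e1:13:d8 eth dst mac: 00:12:34:ab:cd:12
Wed Nov 2 11:30:01 2016 DHCP-SNOOP-DENY: ARP Res on ethernet1/7:vlan 100 source 192.168.100.20/aa:bb:cc:dd:ee:01 dest 192.168.100.1/00:12:34:ab:cd:12 eth src mac: aa:bb:cc:dd:ee:02 eth dst mac: 00:12:34:ab:cd:12
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Header lines: "Syslog Buffer Size : 32", "Syslog Rate : 5 entries per 1 seconds"
SETTING_RE = re.compile(r"^Syslog (?P<key>Buffer Size|Rate)\s*:\s*(?P<val>.+)$")

# One buffer entry, in the layout shown in the captured output.
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"DHCP-SNOOP-(?P<verdict>DENY|PERMIT): ARP (?P<op>Req|Res) on "
    r"(?P<intf>\S+):vlan (?P<vlan>\d+) "
    rf"source (?P<sip>{IPV4})/(?P<smac>{MAC}) dest (?P<dip>{IPV4})/(?P<dmac>{MAC}) "
    rf"eth src mac: (?P<esmac>{MAC}) eth dst mac: (?P<edmac>{MAC})$"
)


def parse_dai_log(text: str) -> tuple[dict, list[dict]]:
    """Return (settings, events); lines matching neither pattern are ignored."""
    settings, events = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = SETTING_RE.match(line)
        if m:
            settings[m["key"].lower().replace(" ", "_")] = m["val"]
            continue
        m = ENTRY_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
            ev["vlan"] = int(ev["vlan"])
            # ARP-body sender MAC vs. Ethernet source MAC, as 'validate src-mac' compares.
            ev["smac_mismatch"] = ev["smac"] != ev["esmac"]
            events.append(ev)
    return settings, events


def deny_summary(events: list[dict]) -> Counter:
    """Count denied ARP packets per (interface, vlan, sender IP, sender MAC)."""
    return Counter(
        (e["intf"], e["vlan"], e["sip"], e["smac"])
        for e in events if e["verdict"] == "DENY"
    )


def to_syslog_line(ev: dict, hostname: str = "SWITCH") -> str:
    """Render one event as a single line for a syslog forwarder
    (for example logging.handlers.SysLogHandler). Tag and fields are our own."""
    sev = "WARNING" if ev["verdict"] == "DENY" else "INFO"
    return (f"{ev['ts'].isoformat()} {hostname} DAI-{ev['verdict']} {sev} "
            f"op={ev['op']} intf={ev['intf']} vlan={ev['vlan']} "
            f"sender={ev['sip']}/{ev['smac']} target={ev['dip']}/{ev['dmac']} "
            f"eth_src={ev['esmac']} smac_mismatch={str(ev['smac_mismatch']).lower()}")


if __name__ == "__main__":
    settings, events = parse_dai_log(SAMPLE_LOG)
    print(settings)
    for ev in events:
        print(to_syslog_line(ev))
    print(deny_summary(events))
```

Because the buffer is a ring of at most the configured number of entries and is only cleared by hand, a collector should poll it more often than the observed deny rate fills it, and keep the last seen timestamp so that entries are not forwarded twice.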