Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Implementing security with 2800's and 2600's

SOLVED
Go to solution
Joseph L. Casale
Regular Advisor

Implementing security with 2800's and 2600's

I have a need to implement security for host access through a pix firewall. Problem is that if a host simply changed its IP it could leverage the access designed for that different host group in my intended setup. I do not have access to a router, which leads me to implement any solution at my switch level. I can mitigate port access securely in my scenario so is their a solution to this problem using a feature set of these two switches to prevent a host on one port from simply changing its IP and maintaining access?

Thanks
8 REPLIES
Matt Hobbs
Honored Contributor
Solution

Re: Implementing security with 2800's and 2600's

You're in luck.

IP lockdown: Available on Series 2600 and 2800 switches only, this feature enables restriction
of incoming traffic on a port to a specific IP address/subnet, and denies all other traffic
on that port.

You may need to update to a more recent version of firmware for this feature. Refer to the release notes on how to use it.
Joseph L. Casale
Regular Advisor

Re: Implementing security with 2800's and 2600's

My pdf's and firmware are a few revs behind, nice .

Thanks!
Joseph L. Casale
Regular Advisor

Re: Implementing security with 2800's and 2600's

Matt,
Reading up on this in the Access Security Guide leaves me a bit unsure with how to proceed.

If for example my network was small and every resource existed on 192.168.100.0/24, would it be acceptable to change the scope to 192.168.0.129->254 and setup IP Lockdown to 192.168.0.128/25 as an example? If I understand how lockdown works, it only concerns itself with the IP and not subnet/broadcast address of the host?

Thanks!
Matt Hobbs
Honored Contributor

Re: Implementing security with 2800's and 2600's

Yes that would be fine. If you wanted to do individual addresses for each port you would use the /32 mask. Remembering of course that whatever you configure it needs to be the same for that 8 port block.

You could also look at dynamic IP lockdown which works in conjunction with DHCP snooping. That way when the client receives it's address via DHCP it gets locked to that particular address only. If a user tries to set a static address they will not get access to the network. The main advantage of this is that a regular user can move between ports on the switch and you'll still receive the maximum protection against any IP spoofing since it will be using a /32 bit mask internally to lock it to that port.

I think your /25 method should be sufficient for your requirements.
Joseph L. Casale
Regular Advisor

Re: Implementing security with 2800's and 2600's

Matt,
I would much prefer to use the Dynamic IP Lockdown feature, but I can only find reference to the static IP Lockdown in the Access Security Guide pdf.

Do you know where this is mentioned?

Thanks!
Matt Hobbs
Honored Contributor

Re: Implementing security with 2800's and 2600's

Joseph L. Casale
Regular Advisor

Re: Implementing security with 2800's and 2600's

Matt,
In my scenario I have two 2650's chained with fiber and a 2824 trunked off two ports of the last 2650. This 2824 has the DHCP server connected to it via a trunked pair as well. If I trust the trunk that the DHCP server uses, how do I allow the two 2650's to see DHCP acknowledgments, do I need to trust the two GBIC ports the 2650's use to connect?

Also, the doc's suggest an 8 ip/port max memory, am I correct in assuming this does not factor in when switches are chained/trunked together?

Thanks!
Matt Hobbs
Honored Contributor

Re: Implementing security with 2800's and 2600's

Generally you will trust your port your DHCP server is on, and also the switch-to-switch links. Only the client ports will be untrusted.

Any resource maximums will be per switch.