ACI Microsegmentation – Cisco Network Security
Microsegmentation is a security requirement that reduces the attack surface by minimizing the possibilities for lateral movement in the event of a security breach. With traditional networking technologies, this is very hard to accomplish: it means analyzing network flows, categorizing devices by functionality or criticality, and segmenting them into zones. ACI enables a new approach, with degrees of flexibility and automation not possible with traditional network management and operations, making microsegmentation a distinct possibility. Cisco ACI microsegmentation (uSeg) enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine-based attributes. Microsegmentation with Cisco ACI supports virtual endpoints attached to the following: Cisco ACI Virtual Edge, Cisco Application Virtual Switch (AVS), Microsoft vSwitch, and VMware vSphere Distributed Switch (VDS). Microsegmentation with network-based attributes also supports bare-metal environments. Note: You can configure microsegmentation with Cisco ACI for physical and virtual endpoints,…
Apply or Remove VRF Contracts – Cisco Network Security
To apply contracts to all endpoint groups within a VRF, you can apply the contract directly to the VRF. This concept is also referred to as the vzAny endpoint group. It simplifies contract management by allowing a single contract configuration for all endpoint groups within a VRF, and it also optimizes hardware resource consumption. For example, if a Cisco ACI administrator has 100 endpoint groups that are all part of the same VRF, he can apply the contracts to this one vzAny group under the VRF rather than to each endpoint group. Traditionally, VRF-wide contracts allow established traffic, allowing endpoint group contracts to define traffic in only one direction (from consumer to provider) without the need to have reverse port forwarding enabled for TCP traffic. Because all endpoint groups within the VRF allow established traffic, reverse port forwarding is unnecessary in the contract applied to the endpoint group directly. A quick trick to see if contracts,…
Create, Modify, or Remove Regular Contracts – Cisco Network Security
You can create, modify, or remove tenant contracts to control traffic flow between endpoint groups. Only users with the administrator privilege can create, modify, or remove a contract. To create a contract using the ACI GUI, follow these steps:
Step 1. On the menu bar, choose Tenants > ALL TENANTS. In the Work pane, choose Tenant_Name.
Step 2. In the Navigation pane, choose Tenant_Name > Contracts.
Step 3. In the Work pane, choose Actions > Create Contract.
Step 4. In the Create Contract dialog box, perform the following actions: Enter a Contract Name. Choose a Contract Scope (optional). Choose a QoS Class (optional). Click + (the plus sign) next to Subject to add a Contract Subject. In the Create Contract Subject dialog box, perform the following actions: Enter a Contract Subject Name. Click + in the Filter Chain field.
Step 5. Click Update, click OK, and then click…
Cisco ACI Contracts – Cisco Network Security
Network and application security best practices require controlling traffic flows and permitting only specific traffic between two applications or devices. ACI contracts provide a way for the Cisco Application Centric Infrastructure (ACI) administrator to control traffic flow within the ACI fabric between endpoint groups (EPGs). These contracts are built using a provider-consumer model, where one endpoint group provides the services it wants to offer and another endpoint group consumes them. Contracts are assigned a scope of Global, Tenant, VRF, or Application Profile, which limits the accessibility of the contract (see Figure 18-8).
Figure 18-8 Contract Component
Contracts contain the following items:
Subjects: A group of filters for a specific application or service.
Filters: A technique to classify traffic based on Layer 2 to Layer 4 attributes (such as Ethernet type, protocol type, TCP flags, and ports).
Actions: Tasks to be taken on the filtered traffic. The following actions are…
Modular QoS Command-Line Interface – Cisco Network Security
CoPP uses the Modular Quality of Service Command-Line Interface (MQC). MQC is a CLI structure that allows you to define a traffic class, create a traffic policy (policy map), and attach the traffic policy to an interface. The traffic policy contains the CoPP feature that will be applied to the traffic class. The steps to configure CoPP are as follows:
Step 1. Define a traffic class using the class-map command. A traffic class is used to classify traffic. Example 18-24 shows how to create a new class map called copp-sample-class.
Example 18-24 NX-OS CoPP Class Map Configuration
Switch(config)# class-map type control-plane copp-sample-class
Step 2. Create a traffic policy using the policy-map command. A traffic policy (policy map) contains a traffic class and one or more CoPP features that will be applied to the traffic class. The CoPP features in the traffic policy determine how to treat the classified traffic.
Step 3. Attach…
Nexus Control Plane Policing – Cisco Network Security
Nexus Series switches are deployed as data center and campus switches. A Nexus control plane CPU is the brain of the network and handles the maximum load of the network, which includes frequent bursts of control traffic, such as OSPF, OTV, ARP, LISP, BGP, and so on. Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery. CoPP allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a nonmanagement port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces. Cisco NX-OS devices provide CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high…
Nexus Port Secure MAC Address Maximum and Dynamic Address Aging – Cisco Network Security
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static. The following three limits determine how many secure MAC addresses are permitted on an interface:
System maximum: The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
Interface maximum: You can configure a maximum of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. The sum of all interface maximums on a switch cannot exceed the system maximum.
VLAN maximum: You can configure…
Port Security – Cisco Network Security
Port security prevents rogue network extensions, such as hubs or wireless access points (APs), from connecting to your switch. Because it limits the number of MAC addresses on a port, port security can also be used as a mechanism to prevent users from adding extensions to the IT-created network. For example, if a user plugs a computer or a device into a user-facing port or data port with port security defined for a single MAC address, the computer or device itself occupies that MAC address and does not allow any devices behind it to access the network, as shown in Figure 18-5. Generally, a configuration appropriate to stop MAC flooding is also appropriate to inhibit rogue access.
Figure 18-5 Port Security Limits MAC Address to Prevent Rogue Access
Port security also allows you to configure Layer 2 physical interfaces and Layer 2 port channel interfaces to allow inbound traffic from only…
DHCP Snooping Option 82 Data Insertion – Cisco Network Security
DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified. When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:
1. The host (DHCP client) generates a DHCP request and broadcasts it on the network.
2. When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information to the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind a port channel, the circuit ID is filled with the if_index of the…
DHCP Snooping Trusted and Untrusted Sources – Cisco Network Security
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources. In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources. In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch); host ports are untrusted sources. In the Cisco NX-OS device, you can indicate that a source is trusted by configuring the trust state of its connecting interface. The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted.…