2900 100/GigE Switch: IP based ACLs for each port possible

Discussion in 'Cisco' started by Jens Benecke, Oct 17, 2003.

  1. Jens Benecke

    Hi,

    we have recently upgraded our 3com superstack based "notwork" to Cisco 2900
    switches connected by GigE fiber. Now about half of our connected people
    are still using Windows, and although our firewall blocks just about
    everything harmful from outside (except for SSH), the occasional
    worm-infected laptop always wreaks havoc in our network. Our policy is to
    block worm-infected machines from the network at once, and also machines
    that generate more than 1G of traffic per week. But until now, we have done
    this manually.

    I'm looking for ways to

    a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"
    b) configure ACLs by port, e.g. "deny outbound ip port 135 on port fe0/xx"
    c) configure alerts, so our SNMP tools on our server can detect specific
    activity on the switches (e.g. a lot of traffic on one specific IP port
    and/or altogether) and react accordingly.

    I don't care about non-IP traffic (e.g. IPX), because it is not relevant in
    our network. It may be allowed or not allowed, whatever.

    Any ideas? Any help would be appreciated.
    Thank you!

    --
    Jens Benecke
    http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
     
    Jens Benecke, Oct 17, 2003
    #1

  2. In article <bmop9c$p31o1$-berlin.de>,
    Jens Benecke <> wrote:

    Please turn off MIME quoted-printable before posting!

    :we have recently upgraded our 3com superstack based "notwork" to Cisco 2900
    :switches connected by GigE fiber.

    :I'm looking for ways to

    :a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"

    IP addresses are Layer 3 entities. A 2900 switch is Layer 2 only.

    The only Cisco model that starts with 29 that has Layer 3 capability
    is the C2948G-L3, which is not at all the same as anything else in
    the 29xx series (including not the same as the C2948G.)

    :b) configure ACLs by port, e.g. "deny outbound ip port 135 on port fe0/xx"

    Layer 3 again. On Cisco devices, Layer 3 ACLs are only applied to
    Layer 3 transitions (i.e., routing), and cannot be applied to filter
    packets while staying in the same subnet.


    :c) configure alerts, so our SNMP tools on our server can detect specific
    :activity on the switches (e.g. a lot of traffic on one specific IP port
    :and/or altogether) and react accordingly.

    That might be possible. What exact model and software release are you
    running? Without digging too deeply into the documentation, it
    appears that you might have a chance of doing that with a
    2950 series with the SI image, but not with the 2900XL. It would
    not surprise me, though, if SNMP traps required the EI image, which
    I gather require the 3550 series to run.
    --
    Everyone has a "Good Cause" for which they are prepared to Spam.
    -- Roberson's Law of the Internet
     
    Walter Roberson, Oct 17, 2003
    #2

  3. Hi Walter,

    I'll have to correct you on some points if you do not mind :)

    Although IP addresses ARE Layer 3 entities, more and more switches (L2) are
    capable of filtering based on L3/4 information. An example of this is the
    Cisco Catalyst 2950 series switches. On these switches (some commands
    require EI image) you can create (extended) access-lists the same way you do
    on Cisco routers or higher-end switches.
    Catalyst 2900 series switches support SNMP traps.

    Erik


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bmp8i3$9lb$...
    > In article <bmop9c$p31o1$-berlin.de>,
    > Jens Benecke <> wrote:
    >
    > Please turn off MIME quoted-printable before posting!
    >
    > :we have recently upgraded our 3com superstack based "notwork" to Cisco 2900
    > :switches connected by GigE fiber.
    >
    > :I'm looking for ways to
    >
    > :a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"
    >
    > IP addresses are Layer 3 entities. A 2900 switch is Layer 2 only.
    >
    > The only Cisco model that starts with 29 that has Layer 3 capability
    > is the C2948G-L3, which is not at all the same as anything else in
    > the 29xx series (including not the same as the C2948G.)
    >
    > :b) configure ACLs by port, e.g. "deny outbound ip port 135 on port fe0/xx"
    >
    > Layer 3 again. On Cisco devices, Layer 3 ACLs are only applied to
    > Layer 3 transitions (i.e., routing), and cannot be applied to filter
    > packets while staying in the same subnet.
    >
    >
    > :c) configure alerts, so our SNMP tools on our server can detect specific
    > :activity on the switches (e.g. a lot of traffic on one specific IP port
    > :and/or altogether) and react accordingly.
    >
    > That might be possible. What exact model and software release are you
    > running? Without digging too deeply into the documentation, it
    > appears that you might have a chance of doing that with a
    > 2950 series with the SI image, but not with the 2900XL. It would
    > not surprise me, though, if SNMP traps required the EI image, which
    > I gather require the 3550 series to run.
    > --
    > Everyone has a "Good Cause" for which they are prepared to Spam.
    > -- Roberson's Law of the Internet
     
    Erik Tamminga, Oct 18, 2003
    #3
  4. Jens Benecke

    Walter Roberson wrote:

    > In article <bmop9c$p31o1$-berlin.de>,
    > Jens Benecke <> wrote:
    >
    > Please turn off MIME quoted-printable before posting!


    Hi,

    I have a choice of 8-bit posting and quoted-printable. The latter is the
    only (safe) way to get umlauts etc. across the wire without mangling; some
    hosts/clients don't seem to like 8-bit characters.

    I'm not yet sure what is the smaller evil, but I'll turn off quoted
    printable for now. Would you in the meantime use the usual quoting
    character ("> ") instead of ":"? :)

    > :we have recently upgraded our 3com superstack based "notwork" to Cisco
    > :2900 switches connected by GigE fiber.
    >
    > :I'm looking for ways to
    >
    > :a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"
    > IP addresses are Layer 3 entities. A 2900 switch is Layer 2 only.


    I thought some Layer 2 switches were able to do IP. I didn't find anything
    in the Cisco docs though.

    > :b) configure ACLs by port, e.g. "deny outbound ip port 135 on port
    > :fe0/xx"
    >
    > Layer 3 again. On Cisco devices, Layer 3 ACLs are only applied to
    > Layer 3 transitions (i.e., routing), and cannot be applied to filter
    > packets while staying in the same subnet.


    Pity. But thanks.

    > :c) configure alerts, so our SNMP tools on our server can detect specific
    > :activity on the switches (e.g. a lot of traffic on one specific IP port
    > :and/or altogether) and react accordingly.
    >
    > That might be possible. What exact model and software release are you
    > running? Without digging too deeply into the documentation, it


    swa61#show version
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE
    SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 04-Mar-03 02:14 by yenanh
    Image text-base: 0x80010000, data-base: 0x805A8000

    ROM: Bootstrap program is CALHOUN boot loader

    swa61 uptime is 6 weeks, 2 days, 22 hours, 8 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

    cisco WS-C2950SX-24 (RC32300) processor (revision F0) with 20839K bytes of
    memory.
    Processor board ID FHK0729Y0XA
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    2 Gigabit Ethernet/IEEE 802.3 interface(s)

    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:0D:65:AD:92:00
    Motherboard assembly number: 73-8135-06
    Power supply part number: 34-0965-01
    Motherboard serial number: FOC07290UWJ
    Power supply serial number: DAB07278SRE
    Model revision number: F0
    Motherboard revision number: A0
    Model number: WS-C2950SX-24
    System serial number: FHK0729Y0XA
    Configuration register is 0xF

    > appears that you might have a chance of doing that with a
    > 2950 series with the SI image, but not with the 2900XL. It would
    > not surprise me, though, if SNMP traps required the EI image, which
    > I gather require the 3550 series to run.


    I would really appreciate it if you could tell me where to RTFM. :)


    --
    Jens Benecke
    http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
     
    Jens Benecke, Oct 18, 2003
    #4
  5. Jens Benecke

    Erik Tamminga wrote:

    > Hi Walter,
    >
    > I'll have to correct you on some points if you do not mind :)
    >
    > Although IP addresses ARE Layer 3 entities, more and more switches (L2)
    > are capable of filtering based on L3/4 information. An example of this is
    > the Cisco Catalyst 2950 series switches. On these switches (some commands
    > require EI image) you can create (extended) access-lists the same way you
    > do on Cisco routers or higher-end switches.
    > Catalyst 2900 series switches support SNMP traps.


    We do seem to have 2950 series switches (see reply to Walter Roberson).
    I didn't find anything about filtering based on IP / ports in the docs
    though. Could you point me in the right direction? That'd be great.

    Thanks!


    --
    Jens Benecke
    http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
     
    Jens Benecke, Oct 18, 2003
    #5
  6. In article <bmsae3$q0u7n$-berlin.de>,
    Jens Benecke <> wrote:
    :I'm not yet sure what is the smaller evil, but I'll turn off quoted
    :printable for now.

    Thank you. It was a nuisance to have to edit every line before to get
    rid of the "= " at the end.

    :Would you in the meantime use the usual quoting
    :character ("> ") instead of ":"? :)

    There is no standard for quoting character. I have researched this,
    and ">" is merely the default presented by some software. Even the
    material in news.announce.newusers does not present '>' as desirable,
    let alone standard.

    I use alternative characters in order to make the different quoting
    levels more apparent. It's a nuisance to have to mentally count '>'
    to figure out who said what. If one uses a different character per level,
    then the different levels are immediately recognizable.


    :I thought some Layer 2 switches were able to do IP.

    By definition, if it does IP then it isn't a Layer 2 switch; it
    might be a "Layer 3 switch", a "Layer 3/4 Switch", a "Multilayer Switch",
    but not a "Layer 2 switch".


    :System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

    That's the 12.1(13)EA1 release for CAT2950, with the
    "CAT2950 EI AND SI IOS IMAGE". I can't tell from that whether you have
    the EI or SI image. Hmmm, I'm going to have to look again at your
    posting to see if I can discern more information.


    There's a security advisory about that image: it is vulnerable to
    the IPv4 Denial of Service attack. It is recommended that you
    upgrade to at least 12.1(13)EA1c. Hmmm; I don't see a plain EA1 mentioned
    so it is possible you've already done the upgrade.

    http://www.cisco.com/en/US/customer/products/products_security_advisory09186a00801a34c2.shtml


    Looking at the feature list, I see there are IP access lists,
    and there are RMON alarms. I'll see what more I can track down.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
     
    Walter Roberson, Oct 18, 2003
    #6
  7. In article <bmsae3$q0u7n$-berlin.de>,
    Jens Benecke <> wrote:
    |> :I'm looking for ways to

    |> :a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"
    |> IP addresses are Layer 3 entities. A 2900 switch is Layer 2 only.

    :cisco WS-C2950SX-24 (RC32300) processor (revision F0) with 20839K bytes of
    :memory.

    http://www.cisco.com/en/US/customer...628/products_qanda_item09186a008014db7b.shtml

    The SX-24 always has SI software and is not upgradable to EI.

    In the below, ACP is "Access Control Parameters":

    Port-based ACPs, available only on Cisco EI Software, restrict
    sensitive portions of the network by denying packets based on source
    and destination MAC addresses, IP addresses, or TCP/UDP ports.


    The sorts of SNMP alarms you were hoping for might only be supported
    on the 2955.

    http://www.cisco.com/en/US/products/hw/switches/ps628/prod_command_reference_list.html

    The possible 2950 alarms are at
    http://www.cisco.com/en/US/products...eference_chapter09186a008014f302.html#2996087

    --
    Ceci, ce n'est pas une idée.
     
    Walter Roberson, Oct 18, 2003
    #7
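    The alerting Jens asked for in c), and the RMON alarms Walter points to above, both come down to watching a per-port SNMP counter and firing when its per-interval delta crosses a threshold. The block below is an added example, not code from this thread or from Cisco: it implements the RMON rising/falling delta alarm on the poller side in Python, over constructed 32-bit ifInOctets samples, and sums the same deltas to check the "more than 1G per week" policy from the first post. The port names, thresholds, sample values and the reading of "1G" as 10**9 octets are all assumptions.

```python
"""RMON-style rising/falling delta alarms over SNMP interface counters.

Added example (not from the thread). Models what an 'rmon alarm' with delta
sampling does, but on the monitoring server, so it works even where the
switch image lacks RMON. All samples below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets are 32-bit wrapping counters


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Octets counted between two polls, correcting for one counter wrap.

    Without this a wrap looks like a huge negative delta and the alarm
    either never fires or fires on the wrong interval."""
    if cur >= prev:
        return cur - prev
    return width - prev + cur


@dataclass
class DeltaAlarm:
    """RMON-style delta alarm with hysteresis.

    Fires 'rising' when the per-interval delta reaches rising_threshold,
    then stays quiet until the delta has dropped to falling_threshold
    ('falling'), so a port that stays busy for an hour yields one event,
    not sixty."""
    rising_threshold: int
    falling_threshold: int
    armed: bool = True                 # RMON alarms start armed for a rising event
    last_value: Optional[int] = None

    def sample(self, value: int) -> Optional[str]:
        if self.last_value is None:    # the first sample only seeds the delta
            self.last_value = value
            return None
        delta = counter_delta(self.last_value, value)
        self.last_value = value
        if self.armed and delta >= self.rising_threshold:
            self.armed = False
            return "rising"
        if not self.armed and delta <= self.falling_threshold:
            self.armed = True
            return "falling"
        return None


# Constructed ifInOctets samples, one per 60 s poll, per access port (assumed names).
# Fa0/3 is an idle workstation; Fa0/7 suddenly pushes ~100 Mb/s and its
# counter wraps between the 2nd and 3rd poll.
POLLS: Dict[str, List[int]] = {
    "Fa0/3": [1_000_000, 1_400_000, 1_900_000, 2_100_000, 2_500_000],
    "Fa0/7": [4_294_000_000, 4_294_900_000, 800_000_000,
              1_500_000_000, 1_520_000_000, 1_530_000_000],
}

# Assumed thresholds: ~40 Mb/s sustained over a minute trips the alarm,
# and it re-arms once the port is back under ~6.7 Mb/s.
RISING = 300_000_000
FALLING = 50_000_000


def run_alarms(polls: Dict[str, List[int]],
               rising: int = RISING,
               falling: int = FALLING) -> List[Tuple[str, int, str]]:
    """Feed each port's samples through its own alarm; return (port, poll_index, event)."""
    events: List[Tuple[str, int, str]] = []
    for port, samples in polls.items():
        alarm = DeltaAlarm(rising, falling)
        for i, value in enumerate(samples):
            event = alarm.sample(value)
            if event:
                events.append((port, i, event))
    return events


def total_octets(samples: List[int]) -> int:
    """Sum of wrap-corrected deltas: bytes seen over the whole polling window."""
    return sum(counter_delta(a, b) for a, b in zip(samples, samples[1:]))


def over_quota(samples: List[int], quota: int = 10 ** 9) -> bool:
    """The first post's policy, reading '1G' as 10**9 octets (an assumption)."""
    return total_octets(samples) > quota


if __name__ == "__main__":
    for port, idx, event in run_alarms(POLLS):
        print(f"{port}: {event} threshold event at poll {idx}")
    for port, samples in POLLS.items():
        print(f"{port}: {total_octets(samples):,} octets, over quota: {over_quota(samples)}")
```

    Run against ifOutOctets instead of ifInOctets to watch the outbound direction, and against a per-port TCP/UDP counter where the switch exposes one. The hysteresis is the part worth copying: a bare "delta above threshold" check fires on every poll while a worm is scanning, which floods whatever reacts to the alerts.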
  8. > :I thought some Layer 2 switches were able to do IP.
    >
    > By definition, if it does IP then it isn't a Layer 2 switch; it
    > might be a "Layer 3 switch", a "Layer 3/4 Switch", a "Multilayer Switch",
    > but not a "Layer 2 switch".
    >


    Only if "it does IP" means: it uses IP-addresses to find out to what port to
    send the frame/packet to.

    What makes a switch a Layer 2 or Layer 3 switch is the way the switch
    decides where to direct traffic to. Not the capabilities it has to do
    intelligent filtering or not.
    Layer 2 switches only decide where to send frames to based on layer 2
    information (mac-addresses, vlan tags, ...)
    Layer 3 or Multi-layer switches have the capability to also look at higher
    layer information (ip addresses, layer4 port information, etc.) and base the
    forwarding on this information.
    As long as a Layer-2 switch does not use layer-3/4/... information to base
    its forwarding algorithm on, it's a layer-2 switch.
     
    Erik Tamminga, Oct 19, 2003
    #8
  9. Hi,

    Have a look at the following configuration section:

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a008007e8ed.html

    Erik

    "Jens Benecke" <> wrote in message
    news:bmsah1$q0u7n$-berlin.de...
    > Erik Tamminga wrote:
    >
    > > Hi Walter,
    > >
    > > I'll have to correct you on some points if you do not mind :)
    > >
    > > Although IP addresses ARE Layer 3 entities, more and more switches (L2)
    > > are capable of filtering based on L3/4 information. An example of this is
    > > the Cisco Catalyst 2950 series switches. On these switches (some commands
    > > require EI image) you can create (extended) access-lists the same way you
    > > do on Cisco routers or higher-end switches.
    > > Catalyst 2900 series switches support SNMP traps.

    >
    > We do seem to have 2950 series switches (see reply to Walter Roberson).
    > I didn't find anything about filtering based on IP / ports in the docs
    > though. Could you point me in the right direction? That'd be great.
    >
    > Thanks!
    >
    >
    > --
    > Jens Benecke
    > http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    > http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
    >
    >
     
    Erik Tamminga, Oct 19, 2003
    #9
  10. In article <bmu305$pop$1.nb.home.nl>,
    Erik Tamminga <> wrote:
    :Have a look at the following configuration section:

    :http://www.cisco.com/en/US/products...figuration_guide_chapter09186a008007e8ed.html

    Including the line right near the top,

    "To use the features described in this chapter, you must have the
    enhanced software image installed on your switch."

    The 2950SX are documented as being restricted to SI.
    --
    When your posts are all alone / and a user's on the phone/
    there's one place to check -- / Upstream!
    When you're in a hurry / and propagation is a worry/
    there's a place you can post -- / Upstream!
     
    Walter Roberson, Oct 19, 2003
    #10
  11. Sorry, missed that "detail" :(

    Erik

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bmudpg$l1v$...
    > In article <bmu305$pop$1.nb.home.nl>,
    > Erik Tamminga <> wrote:
    > :Have a look at the following configuration section:
    >
    > :http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8ed.html
    >
    > Including the line right near the top,
    >
    > "To use the features described in this chapter, you must have the
    > enhanced software image installed on your switch."
    >
    > The 2950SX are documented as being restricted to SI.
    > --
    > When your posts are all alone / and a user's on the phone/
    > there's one place to check -- / Upstream!
    > When you're in a hurry / and propagation is a worry/
    > there's a place you can post -- / Upstream!
     
    Erik Tamminga, Oct 19, 2003
    #11
  12. Jens Benecke

    Walter Roberson wrote:

    > "To use the features described in this chapter, you must have the
    > enhanced software image installed on your switch."
    >
    > The 2950SX are documented as being restricted to SI.


    Is it possible to install the enhanced software image onto our switches?
    If so, could we do it ourselves and would it cost money for the license?

    I posted a detailed description of it earlier in this thread.


    Thank you!


    --
    Jens Benecke
    http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
     
    Jens Benecke, Oct 21, 2003
    #12
  13. In article <bn3iqu$sj7n2$-berlin.de>,
    Jens Benecke <> wrote:
    :Walter Roberson wrote:
    :> The 2950SX are documented as being restricted to SI.

    :Is it possible to install the enhanced software image onto our switches?
    :If so, could we do it ourselves and would it cost money for the license?

    I don't know if the factory could do it, but the product literature
    for the 2950 models says that -none- of them are upgradable. On
    the other hand, the product table does list -one- type of 2950
    (NOT the 2950SX) as being upgradable to EI.

    There are two different images available for the 2950 series
    [ignoring the 'crypto' images], one of which is SI-only,
    and the other of which is for "standard or enhanced image". That
    tells me that either SI vs EI is a licensing matter, or else that
    the image detects the hardware and forces SI or EI behaviour as
    considered appropriate. Possibly -both- are true -- possibly it
    detects the hardware and only allows a license upgrade on some
    hardware. Hard to say due to the contradiction in the documentation.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
     
    Walter Roberson, Oct 21, 2003
    #13
  14. "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bn3n4v$5ab$...
    > :Is it possible to install the enhanced software image onto our switches?
    > :If so, could we do it ourselves and would it cost money for the license?
    >
    > I don't know if the factory could do it, but the product literature
    > for the 2950 models says that -none- of them are upgradable. On


    According to the documentation it is not upgradable.

    > and the other of which is for "standard or enhanced image". That
    > tells me that either SI vs EI is a licensing matter, or else that
    > the image detects the hardware and forces SI or EI behaviour as
    > considered appropriate


    The software detects the device type and selects the mode of
    operation. So the same image runs as EI in some models and
    SI in some other models.

    It is not a matter of image changing and/or licensing. Unfortunately
    so, upgrading might be a nice possibility in some cases.
    --
    Harri
     
    Harri Suomalainen, Oct 22, 2003
    #14
  15. Not that it is relevant, but the version of software you are using has a
    bug. You will see millions of multiple collisions on the VLAN interfaces.
    I found this using an OptiView, you can see the stats with any SNMP util -
    it's in the Transmission section.


    "Jens Benecke" <> wrote in message
    news:bmsae3$q0u7n$-berlin.de...
    > Walter Roberson wrote:
    >
    > > In article <bmop9c$p31o1$-berlin.de>,
    > > Jens Benecke <> wrote:
    > >
    > > Please turn off MIME quoted-printable before posting!

    >
    > Hi,
    >
    > I have a choice of 8-bit posting and quoted-printable. The latter is the
    > only (safe) way to get umlauts etc. across the wire without mangling; some
    > hosts/clients don't seem to like 8-bit characters.
    >
    > I'm not yet sure what is the smaller evil, but I'll turn off quoted
    > printable for now. Would you in the meantime use the usual quoting
    > character ("> ") instead of ":"? :)
    >
    > > :we have recently upgraded our 3com superstack based "notwork" to Cisco
    > > :2900 switches connected by GigE fiber.
    > >
    > > :I'm looking for ways to
    > >
    > > :a) configure ACLs like "Port fe0/xx may only be used by IP xx.xxx.xx.xx"
    > > IP addresses are Layer 3 entities. A 2900 switch is Layer 2 only.

    >
    > I thought some Layer 2 switches were able to do IP. I didn't find anything
    > in the Cisco docs though.
    >
    > > :b) configure ACLs by port, e.g. "deny outbound ip port 135 on port
    > > :fe0/xx"
    > >
    > > Layer 3 again. On Cisco devices, Layer 3 ACLs are only applied to
    > > Layer 3 transitions (i.e., routing), and cannot be applied to filter
    > > packets while staying in the same subnet.

    >
    > Pity. But thanks.
    >
    > > :c) configure alerts, so our SNMP tools on our server can detect specific
    > > :activity on the switches (e.g. a lot of traffic on one specific IP port
    > > :and/or altogether) and react accordingly.
    > >
    > > That might be possible. What exact model and software release are you
    > > running? Without digging too deeply into the documentation, it

    >
    > swa61#show version
    > Cisco Internetwork Operating System Software
    > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE
    > SOFTWARE (fc1)
    > Copyright (c) 1986-2003 by cisco Systems, Inc.
    > Compiled Tue 04-Mar-03 02:14 by yenanh
    > Image text-base: 0x80010000, data-base: 0x805A8000
    >
    > ROM: Bootstrap program is CALHOUN boot loader
    >
    > swa61 uptime is 6 weeks, 2 days, 22 hours, 8 minutes
    > System returned to ROM by power-on
    > System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"
    >
    > cisco WS-C2950SX-24 (RC32300) processor (revision F0) with 20839K bytes of
    > memory.
    > Processor board ID FHK0729Y0XA
    > Last reset from system-reset
    > Running Standard Image
    > 24 FastEthernet/IEEE 802.3 interface(s)
    > 2 Gigabit Ethernet/IEEE 802.3 interface(s)
    >
    > 32K bytes of flash-simulated non-volatile configuration memory.
    > Base ethernet MAC Address: 00:0D:65:AD:92:00
    > Motherboard assembly number: 73-8135-06
    > Power supply part number: 34-0965-01
    > Motherboard serial number: FOC07290UWJ
    > Power supply serial number: DAB07278SRE
    > Model revision number: F0
    > Motherboard revision number: A0
    > Model number: WS-C2950SX-24
    > System serial number: FHK0729Y0XA
    > Configuration register is 0xF
    >
    > > appears that you might have a chance of doing that with a
    > > 2950 series with the SI image, but not with the 2900XL. It would
    > > not surprise me, though, if SNMP traps required the EI image, which
    > > I gather require the 3550 series to run.

    >
    > I would really appreciate it if you could tell me where to RTFM. :)
    >
    >
    > --
    > Jens Benecke
    > http://www.hitchhikers.de - Europaweite Mitfahrzentrale
    > http://www.rb-hosting.de - Webhosting mit Extras - SSH - Günstiger Traffic
    >
    >
     
    Richard Foster, Nov 26, 2003
    #15
