Leaflet

89
OL-11615-01
available, MD5 authentication should be used instead because it does not reveal any key information.
MD5 authentication helps prevent the insertion of bogus routers into the routing domain, prevents the
injection of forged routing updates, and in addition it ensures the integrity of routing updates.
IS-IS, EIGRP, and RIPv2 offer the additional function of key chains. A key chain is a series of keys with
lifetimes that are used in sequence, which decreases the likelihood of a key being compromised.
BGP and OSPF support MD5 authentication, but they do not currently support MD5 key chains, although
work on this is in progress.
Enabling TTL security check is another valuable practice because it helps mitigate multi-hop attacks.
TTL security check is currently available on BGP only. However, support for this feature will be
extended to other routing protocols such as OSPF and EIGRP.
Another important security practice is to avoid using interior gateway protocols with external routing
domains, such as extranets, to customers or business partners. It is a better practice to use an exterior
gateway protocol such as BGP, or even static routes. BGP is designed to handle the rapid changes
involved in dealing with routing information outside the local network administrator's control. In
addition, BGP allows the definition of flexible route filtering policies.
Route filtering is another highly recommended security practice because it protects the network from the
accidental or intentional injection of invalid routing information. Route filtering should be implemented
at the edge routers connecting to the Internet and extranets and, ideally, inside the network at topological
boundaries.
Filtering at the extranet edge routers should be aggressive, only allowing the minimum necessary, rather
than accepting everything except a few selected networks. These filters should deny all external routes
by default, and permit only those necessary to reach the intended networks. It is also recommended
to make sure outside peers do not re-advertise your own routes to other peers. While there is no way
to guarantee this, with BGP you can tag the routes you advertise to your extranet peers with the
NO_EXPORT community, which instructs their routers not to advertise the route to any of their external
peers.
Filtering at the Internet edge follows other requirements that differ from the ones governing filtering at
the extranet edge. At the Internet edge routers, ingress route filtering should be designed to permit most
routes, and deny only a specific set of routes. The routes you typically want to deny are your own
networks, private addresses, special-use networks, and bogons.
Route filtering should also be deployed within a network, at topological edges and redistribution points,
to prevent false routing information from being injected. Typically, this means filtering routing
information coming from remote sites back to a central location (or data center), and filtering routing
information coming from any open areas of the network, such as lab networks.
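As an added illustration (not part of this document), the two ingress filtering regimes described above, plus NO_EXPORT tagging toward extranet peers, modelled in Python with the ipaddress module. The prefixes, the partner's permitted networks and the abbreviated special-use list are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the document). The RFC 5737
# documentation ranges stand in for public space here, so they are left out of SPECIAL_USE.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # prefixes we originate
EXTRANET_PERMIT = [ipaddress.ip_network("198.51.100.0/24")]  # partner's intended networks
SPECIAL_USE = [ipaddress.ip_network(p) for p in (             # private/special-use (partial list)
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]
NO_EXPORT = "65535:65281"  # well-known NO_EXPORT community (RFC 1997)


def covered(prefix, entries):
    """True if prefix lies inside any entry, like a prefix-list match with 'le 32'."""
    return any(prefix.subnet_of(entry) for entry in entries)


def internet_edge_ingress(prefix):
    """Internet edge: permit most routes, deny our own networks and special-use/bogon space."""
    p = ipaddress.ip_network(prefix)
    if covered(p, OWN_NETWORKS):
        return "deny:own-network"
    if covered(p, SPECIAL_USE):
        return "deny:special-use"
    return "permit"


def extranet_edge_ingress(prefix):
    """Extranet edge: deny everything by default, permit only the partner's intended networks."""
    p = ipaddress.ip_network(prefix)
    if covered(p, OWN_NETWORKS):
        return "deny:own-network"  # a partner must never hand our own routes back to us
    if covered(p, EXTRANET_PERMIT):
        return "permit"
    return "deny:default"


def extranet_egress(prefixes):
    """Routes advertised to an extranet peer, each tagged NO_EXPORT so the peer keeps them internal."""
    return {str(ipaddress.ip_network(p)): (NO_EXPORT,) for p in prefixes}


def apply_policy(policy, prefixes):
    """Run an ingress policy over a received update; return (accepted, {rejected: reason})."""
    accepted, rejected = [], {}
    for p in prefixes:
        verdict = policy(p)
        if verdict == "permit":
            accepted.append(p)
        else:
            rejected[p] = verdict
    return accepted, rejected
```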
Deploying Catalyst Integrated Security
The section Catalyst Integrated Security, page 27, introduces the advanced security features available on
Catalyst 6500 and 4500 Series switches. As some of these features rely on each other, it is critical to
understand their dependencies prior to deployment. This section describes the relationship between
some of these advanced features, and provides the recommended deployment guidelines.
Port security is a valuable feature that should be enabled on ports connecting to non-switching devices
like workstations and servers. Port security helps mitigate MAC flooding and other Layer 2 Content
Addressable Memory (CAM) overflow attacks by only allowing packets with trusted MAC addresses.
When deploying port security on ports connecting to IP phones, ports should be configured to allow at
least three MAC addresses: one for the workstation, one for the phone on the voice VLAN, and one for
the phone on the native VLAN for CDP. In addition, the violation action should be set to “restrict” to
prevent the port from being taken down entirely when a violation occurs.