Friday, May 30, 2014

How to Set Up IP-MAC Binding on Switches

Although computers on a TCP/IP network are configured with IP addresses, hosts on the same Ethernet segment do not actually deliver frames to each other by IP address but by the MAC address of the network card. The IP address is only used to look up the MAC address of the target computer that is to be communicated with.

The ARP protocol is how a computer or network device tells the other hosts on the segment which MAC address corresponds to its own IP address. Each computer keeps an ARP cache, a table of IP addresses and the Ethernet MAC addresses they resolved to. After one computer has communicated with another IP address, the corresponding MAC address stays in the ARP cache, so the next time it talks to the same IP address it uses the cached MAC address directly instead of sending a new ARP query.

On a switched network, the switch also maintains a MAC address table, learned from the source addresses of the frames it receives, and forwards each frame toward the target computer according to its destination MAC address.

Why bind MAC and IP addresses? An IP address is trivial to change in the operating system, whereas the MAC address is stored in the EEPROM of the network card and is fixed per card (as far as the hardware is concerned; many drivers let the operating system override it, which is one of the weaknesses discussed in the note at the end). To prevent an insider from misusing an IP address (for example, taking over an IP address that has wider access rights in order to reach information outside their permission), the internal network can bind each IP address to the MAC address of the card that is allowed to use it. If someone changes their IP address to one that is bound to a different MAC address, the mismatch blocks their traffic. Furthermore, because the MAC address identifies the card uniquely, it can be traced back to the user the card was issued to, so the person misusing the address can be found.
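As an added example (not part of the original article) of the check this paragraph motivates: compare the ARP cache of a gateway or monitoring host with the registered IP/MAC table, and flag a registered IP that is being answered by a foreign MAC address (the IP has been taken over) or a registered MAC that has moved to a different IP. The binding table and the `ip neigh show` lines below are constructed for the demonstration; the MAC found in the cache is what you would then look up in the card inventory to identify the user.

```python
"""Check a live ARP cache against a registered IP/MAC binding table.

Added example, not code from the original article.  The binding table and
the ARP cache lines are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Registered bindings as the network team keeps them: IP -> MAC (constructed).
BINDINGS: Dict[str, str] = {
    "192.168.0.1": "00:09:6b:c4:d4:bf",
    "192.168.0.2": "00:1b:21:3a:4c:5d",
    "192.168.0.3": "00:50:56:aa:bb:cc",
}

# Constructed lines in the format printed by Linux `ip neigh show`.
# 192.168.0.2 is answered by a MAC that is not the registered one, and the
# MAC registered for 192.168.0.3 now shows up on 192.168.0.9.
ARP_CACHE = """\
192.168.0.1 dev eth0 lladdr 00:09:6b:c4:d4:bf REACHABLE
192.168.0.2 dev eth0 lladdr 00:e0:4c:12:34:56 STALE
192.168.0.9 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.0.4 dev eth0 FAILED
"""

# "<ip> dev <if> lladdr <mac> ..."; entries without lladdr are unresolved.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})(?:\s|$)")


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every cache entry that carries a MAC address.
    FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2).lower()
    return seen


def find_violations(bindings: Dict[str, str],
                    cache: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare the cache with the registered table.

    Returns (kind, ip, mac) tuples:
      'ip-hijacked'  a registered IP is answered by an unregistered MAC
      'mac-moved'    a registered MAC appears on an IP other than its own
    An IP that is not registered and whose MAC is not registered either is
    not reported here; it is a separate inventory problem.
    """
    expected_by_ip = {ip: mac.lower() for ip, mac in bindings.items()}
    owner_by_mac = {mac: ip for ip, mac in expected_by_ip.items()}
    out: List[Tuple[str, str, str]] = []
    for ip, mac in cache.items():
        mac = mac.lower()
        expected = expected_by_ip.get(ip)
        if expected is not None and expected != mac:
            out.append(("ip-hijacked", ip, mac))
        owner = owner_by_mac.get(mac)
        if owner is not None and owner != ip:
            out.append(("mac-moved", ip, mac))
    return out


if __name__ == "__main__":
    for kind, ip, mac in find_violations(BINDINGS, parse_ip_neigh(ARP_CACHE)):
        print(f"{kind:12s} ip={ip:15s} mac={mac}")
```

Run it against the output of `ip neigh show` on the default gateway (or the switch's own `show ip arp`, after adapting the regular expression to that format) and every `ip-hijacked` line names the MAC address to trace back through the card inventory.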

MAC-to-IP address binding is now used on the internal networks of many companies. Here we introduce the IP and MAC binding options available on Cisco switches.

There are three options on Cisco switches. Options 1 and 2 do the same thing: they bind a specific host MAC address (the network card's hardware address) to a specific switch port. Option 3 binds both the host's MAC address and its IP address to a specific switch port at the same time.

Option 1 - MAC address binding on the port (port security)

Take a Cisco 2950 switch as an example. Log in to the switch, enter the enable password to reach privileged mode, and then enter the following commands:

Switch#configure terminal
Enter global configuration mode
Switch(config)#interface fastethernet 0/1
Enter configuration mode for the specific port
Switch(config-if)#switchport mode access
Make the port a static access port; port security is rejected on a port whose switchport mode is still dynamic
Switch(config-if)#switchport port-security
Enable port security on the port
Switch(config-if)#switchport port-security mac-address MAC (the host's MAC address, in the form 0009.6bc4.d4bf)
Bind the host's MAC address to the port; by default the port allows one secure MAC address and is shut down (err-disabled) when a frame from any other MAC address arrives
Switch(config-if)#no switchport port-security mac-address MAC (the host's MAC address)
Remove the bound host MAC address

Check the result with show port-security interface fastethernet 0/1, which lists the secure MAC address, the violation mode and the violation count.

Note:
These commands apply to the Cisco 2950, 3550, 4500 and 6500 Series switches.

Option 2 - MAC address binding with an extended MAC access list

Switch(config)#mac access-list extended MAC10
Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
Allow the host with MAC address 0009.6bc4.d4bf to send to any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
Allow any host to send to the host with MAC address 0009.6bc4.d4bf
Switch(config)#interface fastethernet 0/20
Enter configuration mode for the specific port
Switch(config-if)#mac access-group MAC10 in
Apply the access list named MAC10 inbound on the port (this is the access policy defined above; a frame that matches no permit entry is dropped by the implicit deny at the end of the list)
Switch(config)#no mac access-list extended MAC10
Delete the access list named MAC10

Note:
These commands can be used on the Cisco 2960, 3560, 4500 and 6500 Series switches; the 2960 and 3560 require the Enhanced Image.



Option 3 - MAC address binding combined with an IP access list

Only the combination of Option 1 or Option 2 with an IP-based ACL (access control list) achieves IP-MAC binding.
Switch(config)#mac access-list extended MAC10
Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
Allow the host with MAC address 0009.6bc4.d4bf to send to any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
Allow any host to send to the host with MAC address 0009.6bc4.d4bf
Switch(config)#ip access-list extended IP10
Define an IP address access control list named IP10
Switch(config-ext-nacl)#permit ip host 192.168.0.1 any
Allow the host with IP address 192.168.0.1 to send to any host (an extended IP ACL entry needs a protocol keyword; ip matches all IP traffic, and host 192.168.0.1 is the same as 192.168.0.1 0.0.0.0)
Switch(config-ext-nacl)#permit ip any host 192.168.0.1
Allow any host to send to the host with IP address 192.168.0.1
Switch(config)#interface fastethernet 0/20
Enter configuration mode for the specific port
Switch(config-if)#mac access-group MAC10 in
Apply the access list named MAC10 inbound on the port (the access policy defined above)
Switch(config-if)#ip access-group IP10 in
Apply the access list named IP10 inbound on the port (the access policy defined above)
Switch(config)#no mac access-list extended MAC10
Delete the access list named MAC10
Switch(config)#no ip access-list extended IP10
Delete the access list named IP10
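Writing these commands by hand for every port is error-prone, above all because IOS wants MAC addresses in dotted form (0009.6bc4.d4bf) while inventories usually hold them as 00:09:6B:C4:D4:BF. The following script, an added example and not code from the article, takes a binding table of (port, MAC, IP) and emits the Option 1 port-security configuration or the Option 3 MAC ACL plus IP ACL configuration for each entry. It also fixes two things the listings above glossed over: it sets `switchport mode access` before enabling port security, and it uses `violation restrict` so a stranger's frames are dropped and counted rather than err-disabling the port. The port names, ACL names and the sample table are constructed.

```python
"""Generate Cisco IOS configuration for Option 1 (port security) and
Option 3 (MAC ACL plus IP ACL on the same port) from a binding table.

Added example, not code from the original article.  Port names, ACL names
and the bindings in SAMPLE are constructed.
"""
import re
from typing import Iterable, List, NamedTuple


class Binding(NamedTuple):
    port: str  # switch interface, e.g. "FastEthernet0/20"
    mac: str   # any common notation; normalised by cisco_mac()
    ip: str    # IPv4 address the host is registered with


def cisco_mac(mac: str) -> str:
    """Normalise 00:09:6B:C4:D4:BF, 00-09-6b-c4-d4-bf or 00096bc4d4bf to
    the dotted form IOS expects: 0009.6bc4.d4bf."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def validate(bindings: Iterable[Binding]) -> List[Binding]:
    """A table that binds the same MAC, IP or port twice is a mistake in
    the inventory; reject it before any configuration is produced."""
    seen_mac, seen_ip, seen_port = set(), set(), set()
    out: List[Binding] = []
    for b in bindings:
        mac = cisco_mac(b.mac)
        for key, seen in ((mac, seen_mac), (b.ip, seen_ip), (b.port, seen_port)):
            if key in seen:
                raise ValueError(f"duplicate entry in binding table: {key}")
            seen.add(key)
        out.append(Binding(b.port, mac, b.ip))
    return out


def port_security_config(b: Binding) -> List[str]:
    """Option 1.  'switchport mode access' must come first: IOS rejects
    port security on a port whose mode is dynamic.  'violation restrict'
    drops and counts frames from any other MAC instead of the default
    'shutdown', which err-disables the port."""
    return [
        f"interface {b.port}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        " switchport port-security violation restrict",
        f" switchport port-security mac-address {cisco_mac(b.mac)}",
    ]


def acl_config(b: Binding, tag: str) -> List[str]:
    """Option 3.  Both ACLs are applied inbound, so the entries with the
    host as source are the ones that enforce the binding; the reverse
    entries mirror the article.  Named ACLs end with an implicit deny."""
    mac = cisco_mac(b.mac)
    return [
        f"mac access-list extended MAC{tag}",
        f" permit host {mac} any",
        f" permit any host {mac}",
        f"ip access-list extended IP{tag}",
        f" permit ip host {b.ip} any",
        f" permit ip any host {b.ip}",
        f"interface {b.port}",
        " switchport mode access",
        f" mac access-group MAC{tag} in",
        f" ip access-group IP{tag} in",
    ]


def render(bindings: Iterable[Binding], option: int) -> str:
    """Complete configuration script for every binding, ready to paste.
    option is 1 (port security) or 3 (MAC ACL + IP ACL)."""
    if option not in (1, 3):
        raise ValueError("option must be 1 or 3")
    lines = ["configure terminal"]
    for n, b in enumerate(validate(bindings), start=10):
        lines += port_security_config(b) if option == 1 else acl_config(b, str(n))
    lines.append("end")
    return "\n".join(lines) + "\n"


# Constructed sample table: ports, MACs and IPs are made up.
SAMPLE = [
    Binding("FastEthernet0/1", "00:09:6B:C4:D4:BF", "192.168.0.1"),
    Binding("FastEthernet0/2", "00-1b-21-3a-4c-5d", "192.168.0.2"),
]

if __name__ == "__main__":
    print(render(SAMPLE, option=1))
    print(render(SAMPLE, option=3))
```

Paste the output into the switch console or push it through your configuration management tool; `validate` raising on a duplicate is the cue to fix the inventory before touching the switch.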

Option 1 above binds the host's MAC address to a switch port, and Option 2 does the same with a MAC address access control list; the first two options achieve the same result. Binding both the IP address and the MAC address is achieved only with Option 3, that is, by combining Option 1 or Option 2 with an IP ACL (access control list).

Note:
These commands can be used on the Cisco 2960, 3560, 4500 and 6500 Series switches; the 2960 and 3560 require the Enhanced Image.

Note:

Binding MAC addresses to IP addresses looks like it prevents misuse of internal IP addresses, but in practice it has a number of weaknesses and cannot fully prevent it. The binding only checks the addresses a frame carries, and most network card drivers let the operating system override the card's MAC address, so a user can clone both the IP and the MAC address of the host they want to impersonate. Two further points to check on your own platform before relying on Option 3: on the Catalyst 2960, 3560 and 3750 families a MAC ACL applied to a Layer 2 port filters only non-IP frames, so IP traffic is judged by the IP ACL alone and the MAC ACL does not tie that traffic to the bound MAC address (test it by sending from the permitted IP with a different MAC and confirming the frames are dropped); and port security in Option 1 defaults to err-disabling the port on a violation, which turns a single spoofed frame into a denial of service against the legitimate user unless the violation mode is changed. Where the switch supports it, IP Source Guard with static ip source binding entries (built on DHCP snooping) enforces the IP, MAC and port triple in hardware and is the feature designed for this job.

More related:

FAQ for Cisco Integrated Services Router Generation 2


Wednesday, May 14, 2014

Cisco 3650 Series Switches Overview

The Cisco Catalyst 3650 Switch delivers converged wired and wireless access on a single platform, creating an uncompromised user experience in any workspace. The converged system provides a single platform for wired and wireless networkwide visibility for faster troubleshooting, advanced security and quality of service (QoS) control, maximum resiliency with fast stateful recovery, and scale with distributed wired and wireless data plane.


Cisco Catalyst 3650 Highlights

• Built on Cisco Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC) with programmability to support Cisco ONE Enterprise Networks Architecture and software-defined networking (SDN)
• Integrated wireless LAN controller functionality
• Native Flexible NetFlow (FnF) on all ports
• Granular, hierarchical bandwidth management
• Cisco TrustSec support

Cisco Catalyst 3650 Primary Features

• Integrated wireless LAN controller capability with:
-Up to 40G of wireless capacity per switch (48-port models)
-Support for up to 25 access points and 1000 wireless clients on each switch or stack
• 24 and 48 10/100/1000 data and Power over Ethernet Plus (PoE+) models with Energy-Efficient Ethernet (EEE)
-Optional Cisco StackWise-160 technology provides scalability and resiliency with 160 Gbps of stack throughput (for additional wired and wireless capabilities, please visit the Cisco Catalyst 3850 Series Switches page)
-Fixed, built-in 4 x Gigabit Ethernet, 2 x 10 Gigabit Ethernet, or 4 x 10 Gigabit Ethernet Small Form-Factor Pluggable (SFP) and SFP+ uplink ports
-Dual redundant power supplies and three modular fans, providing higher redundancy
-Full IEEE 802.3at (PoE+) with 30W power on all ports in 1 rack unit (RU) form factor
• Software support for IPv4 and IPv6 routing, multicast routing, modular QoS, FnF Version 9, and advanced security features
• Single, consistent Cisco IOS XE Software image across all license levels, providing an easy upgrade path for access points and software features
• Enhanced limited lifetime warranty (E-LLW) with next business day (NBD) advance hardware replacement and 90-day access to Cisco Technical Assistance Center (TAC) support

Switch Configurations

The Cisco Catalyst 3650 Series Switches are available in LAN Base, IP Base, and IP Services feature sets. All switches ship with a default AC power supply. A DC power supply can be purchased as an option or spare. The base switch does not include any access point licenses.

StackWise-160 Technology

The Cisco Catalyst 3650 provides maximum data, power, and wireless resiliency using Cisco StackWise-160 technology, which is built on the highly successful industry-leading Cisco StackWise technology. StackWise-160 provides optional stacking with 160 Gbps of bandwidth for resiliency within the stack. The stack behaves as a single switching unit that is managed by an active switch elected from among the member switches. The active switch creates and updates all the switching, routing, and wireless tables. In the event of a failure of the active switch, the standby member takes over the active role and keeps the stack operational.

Cisco Catalyst 3650 Primary Advantages

Converged Wired and Wireless Platform

The Cisco Catalyst 3650 is a stackable platform that converges wired and wireless services on a Cisco IOS XE Software based platform. The CAPWAP tunnels from the access points terminate at the 3650 switch, enabling users to configure and apply software features such as QoS, security, and FnF across wired ports and wireless SSIDs on the same switch at the same time. The converged wired and wireless platform supports the Cisco Unified Access solution. With “one policy, one management, one network,” the Cisco Catalyst 3650 and Cisco Unified Access help IT spend less time running the network and more time on business innovation.

Advanced Security

The Cisco Catalyst 3650 is hardware capable of supporting Cisco TrustSec functionality. Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups as they enter the network with scalability and simplified management. The classification is maintained through the network by the security group tag (SGT) and through integration with the Cisco Identity Services Engine. The Cisco Catalyst 3650 is also hardware-ready for link layer MACsec encryption, which provides networkwide encryption to protect data traffic across the network.

Application Visibility and Control (AVC)

With the native support for FnF on all the ports, the Cisco Catalyst 3650 can monitor both east-west and north-south wired traffic at the same time. The Cisco Catalyst 3650 switch terminates the wireless CAPWAP tunnels from the access point, providing full visibility into the wireless traffic at the switch. Because the wireless traffic is now visible at the switch, it is possible to identify wireless traffic using FnF and prioritize the traffic using advanced QoS capabilities for an improved user experience and faster troubleshooting.

SmartOperations

The Cisco Catalyst 3650 supports Cisco Catalyst SmartOperations. SmartOperations features such as Auto Smartports, Auto QoS, and Smart Install reduce deployment time by automating most of the basic switch and port configurations.

Foundation for Cisco ONE Enterprise Networks Architecture

The Cisco Catalyst 3650 is built on the UADP ASIC, which provides wire-rate hardware performance with software programmability. The UADP ASIC features a programmable data plane, enabling deployment of SDN services and support of future software features over the product lifetime. The Cisco Catalyst 3650 supports the Cisco ONE Enterprise Networks Architecture for openness, programmability, and operational simplicity.

Reduced Total Cost of Ownership

The Cisco Catalyst 3650 reduces the total cost of ownership and provides superior investment protection through:
• Built-in wireless controller functionality
• Optional stacking
• Support for fixed GE or 10 GE uplink
• Support for IP Base and IP Services software options
• Dual redundant power supply and three individual fans to help ensure high availability
• E-LLW with NBD advance hardware replacement and 90-day access to Cisco TAC support
