Cisco Nexus DHCP Snooping, Storm Control, ACL and MAC ACL Security Guide
This is Part 5 of the Cisco Nexus NX-OS Security Series.
In this guide we combine:
- Part 6 - DHCP Snooping
- Part 7 - Storm Control
- Part 8 - IP ACL Security
- Part 9 - MAC ACL Security
This lab focuses heavily on securing Layer 2 and Layer 3 switching environments inside enterprise and data center infrastructures.
Previous Parts
- Part 1 - Cisco Nexus VLAN and Trunk Configuration
- Part 2 - Cisco Nexus Static Port-Channel Configuration
- Part 3 - Cisco Nexus LACP Port-Channel Configuration
- Part 4 - Cisco Nexus SVI and Port Security
Next Part
Table of Contents
- 1. DHCP Snooping Overview
- 2. Enable DHCP Feature
- 3. Configure DHCP Snooping
- 4. Understanding Storm Control
- 5. Configure Storm Control
- 6. Understanding IP ACLs
- 7. Configure ACL for Telnet and SSH
- 8. Understanding MAC ACLs
- 9. Configure MAC ACL Security
- 10. Security Mathematics
- 11. Modern Security Best Practices
- 12. Verification Commands
- 13. Troubleshooting
- 14. Related Articles
1. DHCP Snooping Overview
DHCP Snooping is a Layer 2 security feature that protects the hosts behind a switch from rogue DHCP servers.
Why DHCP Snooping Matters
- Prevents fake DHCP servers
- Blocks malicious IP assignments
- Protects default gateway information
- Stops man-in-the-middle attacks
- Builds trusted DHCP infrastructure
How DHCP Snooping Works
The switch classifies each interface as either:
- Trusted (faces the legitimate DHCP server or an uplink toward it)
- Untrusted (faces end hosts; this is the default for every port)
DHCP server messages (Offer, ACK, NAK) are accepted only on trusted ports and dropped on untrusted ports; client messages such as Discover and Request are accepted on any port.
2. Enable DHCP Feature
NX-OS requires the DHCP feature to be enabled first.
NX-01 Configuration
configure terminal
feature dhcp
end
3. Configure DHCP Snooping
The DHCP server is connected to:
\[ Ethernet1/5 \]
on NX-01.
We must:
- Enable DHCP Snooping globally
- Enable DHCP Snooping for VLANs 10 and 20
- Trust interface E1/5
NX-01 Configuration
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
interface ethernet1/5
ip dhcp snooping trust
end
Security Logic
If:
\[ Port = Trusted \]
Then:
\[ DHCP\ Replies = Allowed \]
Otherwise:
\[ DHCP\ Replies = Dropped \]
Expected DHCP Snooping Behavior
| Packet Type | Trusted Port | Untrusted Port |
|---|---|---|
| DHCP Discover | Allowed | Allowed |
| DHCP Offer | Allowed | Blocked |
| DHCP ACK | Allowed | Blocked |
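As an added example (not part of this guide or of NX-OS itself), the following Python model applies the trusted/untrusted rule from the table above to a constructed sequence of DHCP messages and fills a binding table the way the switch does after a DHCPACK; DhcpSnooper and demo are names chosen here.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

@dataclass
class DhcpSnooper:
    vlans: set          # VLANs with "ip dhcp snooping vlan N"
    trusted: set        # interfaces with "ip dhcp snooping trust"
    client_port: dict = field(default_factory=dict)  # client MAC -> ingress port
    bindings: dict = field(default_factory=dict)     # client MAC -> (ip, vlan, port)

    def process(self, port, vlan, msg, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message seen on a port."""
        if vlan not in self.vlans:
            return "forward"                 # VLAN not snooped: left alone
        if msg in CLIENT_MSGS:
            self.client_port[client_mac] = port   # remember where the client is
            return "forward"                 # clients may talk on any port
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                # server reply on an untrusted port
            if msg == "ACK" and client_mac in self.client_port:
                self.bindings[client_mac] = (yiaddr, vlan, self.client_port[client_mac])
            return "forward"
        return "drop"                        # unknown message type

def demo():
    """Constructed lab scenario: real server on Ethernet1/5, a rogue server
    answering from Ethernet1/7, a client on Ethernet1/6, snooping on VLANs 10/20."""
    s = DhcpSnooper(vlans={10, 20}, trusted={"Ethernet1/5"})
    client = "0001.0012.1111"
    verdicts = [
        s.process("Ethernet1/6", 10, "DISCOVER", client),
        s.process("Ethernet1/7", 10, "OFFER", client, "10.0.10.99"),   # rogue: dropped
        s.process("Ethernet1/5", 10, "OFFER", client, "10.0.10.50"),
        s.process("Ethernet1/6", 10, "REQUEST", client),
        s.process("Ethernet1/5", 10, "ACK", client, "10.0.10.50"),
        s.process("Ethernet1/7", 30, "OFFER", client, "10.0.30.5"),    # VLAN 30 not snooped
    ]
    return verdicts, dict(s.bindings)
```

The binding recorded by demo() is the client's own port, not the server-facing port, which is what "show ip dhcp snooping binding" lists.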
4. Understanding Storm Control
Storm Control protects switches from:
- Broadcast storms
- Multicast storms
- Unknown unicast floods
Broadcast storms can completely saturate a switch fabric.
Common Causes
- Layer 2 loops
- Malware
- Faulty NICs
- Rogue devices
- Network attacks
5. Configure Storm Control
Configure NX-02 interfaces:
- E1/7
- E1/8
to allow only:
\[ 50\% \]
of interface bandwidth for:
- Broadcast traffic
- Multicast traffic
NX-02 Configuration
configure terminal
interface ethernet1/7-8
storm-control broadcast level 50.00
storm-control multicast level 50.00
end
Bandwidth Mathematics
Suppose:
\[ Bandwidth = 1Gbps \]
Storm threshold:
\[ 50\% \]
Maximum allowed broadcast:
\[ 1Gbps \times 0.50 \]
\[ 500Mbps \]
Any traffic above:
\[ 500Mbps \]
gets dropped.
6. Understanding IP ACLs
ACL stands for:
Access Control List
ACLs filter traffic based on:
- Source IP
- Destination IP
- Protocol
- Port numbers
7. Configure ACL for Telnet and SSH
We will allow only:
- Telnet
- SSH
traffic inbound on:
\[ SVI\ VLAN\ 10 \]
on NX-03. Because every ACL ends with an implicit deny, all other traffic entering the SVI is dropped.
Important Correction
The original task contains a typo:
Ip access-group CONROL in
Correct ACL name:
CONTROL
NX-03 Configuration
configure terminal
ip access-list CONTROL
permit tcp any any eq 23
permit tcp any any eq 22
interface vlan10
ip access-group CONTROL in
end
Port Number Mathematics
Telnet:
\[ TCP\ Port = 23 \]
SSH:
\[ TCP\ Port = 22 \]
ACL allows:
\[ Port_{allowed} = \{22,23\} \]
Why SSH is Better Than Telnet
| Feature | Telnet | SSH |
|---|---|---|
| Encryption | No | Yes |
| Security | Weak | Strong |
| Modern Usage | Rare | Standard |
8. Understanding MAC ACLs
MAC ACLs filter traffic based on Layer 2 MAC addresses.
Unlike IP ACLs:
- No IP required
- Operates at Layer 2
- Excellent for local VLAN security
9. Configure MAC ACL Security
A malicious MAC address:
\[ 0001.0012.2222 \]
is generating a broadcast storm inside VLAN 10.
Traffic is entering:
\[ Ethernet1/6 \]
on NX-03.
We must block this MAC address using a MAC ACL.
NX-03 Configuration
configure terminal
mac access-list MAC-BLOCK-STORM
deny 0001.0012.2222 0000.0000.0000 any
permit any any
interface ethernet1/6
mac access-group MAC-BLOCK-STORM in
end
Important Note
The original configuration:
deny 0001.0012.2222 0.0.0 any
uses incorrect wildcard formatting.
Correct Nexus MAC ACL format, where a mask of 0000.0000.0000 means every bit of the address must match:
deny 0001.0012.2222 0000.0000.0000 any
MAC ACL Logic
If:
\[ MAC_{source} = 0001.0012.2222 \]
Then:
\[ Traffic = Denied \]
Else:
\[ Traffic = Permitted \]
10. Security Mathematics
Broadcast Storm Calculation
Suppose:
\[ Broadcast\ Frames = 900Mbps \]
Storm Control Threshold:
\[ 500Mbps \]
Dropped traffic:
\[ 900 - 500 \]
\[ 400Mbps \]
The switch drops:
\[ 400Mbps \]
of excessive broadcast traffic.
ACL Matching Logic
ACLs process rules sequentially:
\[ Rule_1 \rightarrow Rule_2 \rightarrow Rule_3 \]
Once a rule matches:
\[ Processing = Stop \]
If no rule matches, the implicit deny at the end of the list drops the packet.
This is called:
Top-Down ACL Processing
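As an added example that is not from this guide, the following Python evaluator parses the CONTROL and MAC-BLOCK-STORM lists from Sections 7 and 9 and applies them with the top-down, first-match, implicit-deny logic described above, including the NX-OS MAC mask semantics (0 bits must match, 1 bits are wildcards). It handles only the any, prefix and MAC/mask address forms used on this page; parse_acl, evaluate and mac_match are names chosen for the example.

```python
import ipaddress

def _mac(s):
    return int(s.replace(".", ""), 16)     # 'aaaa.bbbb.cccc' -> int

def mac_match(addr, pattern, mask):
    """NX-OS MAC mask: 0 bits must match, 1 bits are wildcards."""
    m = _mac(mask)
    return (_mac(addr) | m) == (_mac(pattern) | m)

def _take_addr(tokens, kind):
    """Pop 'any', 'A.B.C.D/len' or 'MAC MASK' off tokens; return a predicate."""
    if tokens[0] == "any":
        tokens.pop(0)
        return lambda a: True
    if kind == "ip":
        net = ipaddress.ip_network(tokens.pop(0), strict=False)
        return lambda a: ipaddress.ip_address(a) in net
    pat, mask = tokens.pop(0), tokens.pop(0)
    return lambda a: mac_match(a, pat, mask)

def parse_acl(text):
    """Parse an 'ip access-list' or 'mac access-list' block into entries."""
    kind, entries = None, []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) > 1 and t[0] in ("ip", "mac") and t[1] == "access-list":
            kind = t[0]                        # header tells us the ACL type
        elif t and t[0] in ("permit", "deny"):
            action = t.pop(0)
            proto = t.pop(0) if kind == "ip" else None
            src, dst = _take_addr(t, kind), _take_addr(t, kind)
            dport = int(t[1]) if t[:1] == ["eq"] else None
            entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, pkt):
    """Top-down: first match decides; no match hits the implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto not in (None, "ip", pkt.get("proto")):
            continue                           # wrong protocol, next rule
        if dport is not None and pkt.get("dport") != dport:
            continue                           # wrong destination port
        if src(pkt["src"]) and dst(pkt["dst"]):
            return action
    return "deny"
# The two ACLs from this guide, embedded so the example runs stand-alone
CONTROL = parse_acl("ip access-list CONTROL\n permit tcp any any eq 23\n permit tcp any any eq 22")
MAC_BLOCK_STORM = parse_acl("mac access-list MAC-BLOCK-STORM\n deny 0001.0012.2222 0000.0000.0000 any\n permit any any")
```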
11. Modern Security Best Practices
Modern enterprise data centers usually combine:
- DHCP Snooping
- Dynamic ARP Inspection
- IP Source Guard
- 802.1X
- Microsegmentation
- MACsec
- TrustSec
Modern Secure Access Port Example
configure terminal
interface ethernet1/10
switchport
switchport mode access
switchport access vlan 10
spanning-tree port type edge
storm-control broadcast level 10.00
storm-control multicast level 10.00
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
no shutdown
end
12. Verification Commands
DHCP Snooping Verification
show ip dhcp snooping
show ip dhcp snooping binding
Storm Control Verification
show storm-control
ACL Verification
show access-lists
show ip interface vlan 10
MAC ACL Verification
show mac access-lists
show running-config interface ethernet1/6
CLI Output Example
NX-03# show access-lists
IP access list CONTROL
        permit tcp any any eq telnet
        permit tcp any any eq ssh
MAC access list MAC-BLOCK-STORM
        deny 0001.0012.2222
        permit any any
13. Troubleshooting
Common DHCP Snooping Problems
- Trusted port missing
- Wrong VLAN configuration
- DHCP feature disabled
Common ACL Problems
- ACL applied in wrong direction
- Incorrect port numbers
- Missing permit statements
Common Storm Control Problems
- Threshold too low
- Legitimate multicast dropped
- Incorrect interface selection
Complete Final Configuration
configure terminal
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
interface ethernet1/5
ip dhcp snooping trust
interface ethernet1/7-8
storm-control broadcast level 50.00
storm-control multicast level 50.00
ip access-list CONTROL
permit tcp any any eq 23
permit tcp any any eq 22
interface vlan10
ip access-group CONTROL in
mac access-list MAC-BLOCK-STORM
deny 0001.0012.2222 0000.0000.0000 any
permit any any
interface ethernet1/6
mac access-group MAC-BLOCK-STORM in
end
copy running-config startup-config
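The troubleshooting checklist above can be turned into an automated check. This added Python script (not from this guide) reads a configuration excerpt like the one above and reports a missing feature dhcp, snooping with no trusted interface, and access-groups that name an ACL that was never defined, which is exactly how the CONROL/CONTROL typo from Section 7 would show up; parse_config, audit and LAB_CONFIG are names chosen here, and LAB_CONFIG is a constructed excerpt of the final configuration.

```python
import re

def parse_config(text):
    """Tiny NX-OS config reader; interface-level lines are attributed to the
    most recent 'interface' command."""
    f = {"features": set(), "snoop_vlans": set(), "trusted": set(),
         "acls": {}, "groups": []}
    iface = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("feature "):
            f["features"].add(line.split()[1])
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif m := re.fullmatch(r"ip dhcp snooping vlan (\d+)", line):
            f["snoop_vlans"].add(int(m[1]))
        elif line == "ip dhcp snooping trust" and iface:
            f["trusted"].add(iface)
        elif m := re.fullmatch(r"(ip|mac) access-list (\S+)", line):
            f["acls"][m[2]] = m[1]
        elif m := re.fullmatch(r"(ip|mac) access-group (\S+) (in|out)", line):
            f["groups"].append((iface, m[1], m[2], m[3]))
    return f

def audit(text):
    """Return findings for the Troubleshooting items; [] means all clear."""
    f, findings = parse_config(text), []
    if f["snoop_vlans"] and "dhcp" not in f["features"]:
        findings.append("DHCP snooping configured but 'feature dhcp' is missing")
    if f["snoop_vlans"] and not f["trusted"]:
        findings.append("no trusted interface: every DHCP server reply will be dropped")
    for iface, kind, name, _direction in f["groups"]:
        if name not in f["acls"]:
            findings.append(f"{iface}: {kind} access-group {name} refers to an undefined ACL")
    return findings

# Constructed excerpt of the Complete Final Configuration above
LAB_CONFIG = """
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
interface ethernet1/5
 ip dhcp snooping trust
ip access-list CONTROL
 permit tcp any any eq 23
 permit tcp any any eq 22
interface vlan10
 ip access-group CONTROL in
"""
```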
Key Takeaways
✔ DHCP Snooping protects against rogue DHCP servers.
✔ Trusted interfaces are critical in DHCP Snooping deployments.
✔ Storm Control prevents broadcast and multicast saturation.
✔ IP ACLs filter traffic using Layer 3 and Layer 4 information.
✔ MAC ACLs provide Layer 2 attack mitigation.
✔ Modern data centers combine multiple security layers simultaneously.
Conclusion
In this Cisco Nexus security guide, we implemented:
- DHCP Snooping
- Storm Control
- IP ACL filtering
- MAC ACL security
- Broadcast storm mitigation
- Layer 2 attack prevention
These technologies are fundamental for building secure and resilient enterprise and data center switching infrastructures.