Saturday, November 14, 2009

ISRs CISF DSCP & dynamic ARP


The only WLCs that do not map WLAN traffic directly to a physical or logical interface at Layer 2 are the ISR-based WLC modules.

ISRs do not have access to all the IOS & IPS features. IP traffic from the WLAN clients must be directed in and out of specific ISR service module interfaces using IOS VRF features on the router.

CISF is currently only available on the access switch, so its benefits are obtained only if the traffic from the wireless attacker passes through the switch.

The primary difference between a LAP (lightweight AP) and a standard client is that the DSCP value of a LAP should be trusted.

Port security – if the violation response is shutdown, the port goes into err-disable; if the response is restrict, traffic with unknown source MAC addresses is dropped.
    - not recommended on H-REAP AP ports or on the WLC ports

Dynamic ARP inspection – DAI is enabled on the access switch on a per-VLAN basis. This prevents ARP poisoning that may lead to man-in-the-middle (MITM) attacks. When DAI is configured on a VLAN, an ARP rate limiter is also configured globally to prevent flooding of ARP requests coming from a given port. The default value is 15 packets/sec. When the limit is exceeded, the port is disabled.

Turn off the ARP rate limiter on AP switchports:
     ip arp inspection limit none

IP source guard - when enabled on an interface of the access switch, IP source guard dynamically creates a per port access list (PACL) based on the contents of the DHCP snooping binding table. There is an option (port security) to filter the incoming address, also using the MAC address in the DHCP snooping binding table.
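The notes above describe the pieces separately; the following access-switch configuration is an added example (not from the original post) that puts DHCP snooping, DAI with its per-port rate limiter, port security and IP source guard together on one switch. Interface names, VLAN IDs and descriptions are assumptions, and the syntax is Catalyst 3560/3750-style IOS; check your platform's command reference before applying it.

```ios
! Added example (not from the original post): access-switch hardening for a
! wireless edge. Interface names, VLAN IDs and descriptions are assumptions.
! Syntax is Catalyst 3560/3750-style IOS; check your platform's command reference.
!
! DHCP snooping builds the binding table that both DAI and IP source guard consult.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! DAI is enabled per VLAN; the validate keywords add sanity checks on the ARP body.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! QoS must be on globally before per-port trust settings have any effect.
mls qos
!
! Let ports err-disabled by DAI rate limiting or port security recover on their own.
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description Uplink toward WLC / DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/10
 description Lightweight AP in local mode (assumed)
 switchport mode access
 switchport access vlan 10
 ! The LAP's DSCP marking is trusted; a normal client port would not get this.
 mls qos trust dscp
 ! An AP sources ARP for every wireless client, so the 15 pps default would
 ! err-disable it: disable the rate limiter here, as the post recommends.
 ip arp inspection limit none
!
interface GigabitEthernet1/0/20
 description Wired client port (assumed)
 switchport mode access
 switchport access vlan 20
 ! Port security in restrict mode: frames from unknown MACs are dropped and
 ! the port stays up (shutdown mode would err-disable it instead).
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! IP source guard: per-port ACL derived from the snooping binding table; the
 ! port-security keyword also matches the source MAC from the binding.
 ip verify source port-security
 ! Explicit DAI rate limit; 15 pps is the default on untrusted ports.
 ip arp inspection limit rate 15
```

After applying it, `show ip dhcp snooping binding` should list the wired and wireless clients, `show ip arp inspection interfaces` should show the AP port with no rate limit and the client port at 15 pps, and `show ip verify source` should show the PACL entries IP source guard derived for the client port. Port security is deliberately left off the AP port, in line with the note above about H-REAP AP and WLC ports.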
