DK - Engineer's Notebook Routing and Switching: 2016

The enable password can be set using “enable password” or “enable secret” commands

SW2(config)#enable password yourpassword
SW2(config)#enable secret yoursecretpassword

The “enable secret” command encrypts the password in the configuration without the “service password-encryption” command.
The “enable secret” command supersedes the “enable password” command and this password will be used instead.

All passwords appear in the configuration in clear text by default except the enable secret.

The command service password-encryption will encrypt the remaining passwords.

When configuring VTY lines be sure to enable “login” and set a password or else they will not be able to log in via telnet, ssh, etc

SW2(config)#line con 0
SW2(config-line)#login
% Login disabled on line 0, until ‘password’ is set
SW2(config-line)#password lbsser

Cisco switches have more VTY lines than routers. Routers allow up to five simultaneous Telnet sessions, switches allow more – 0-15 (16) typically

Any user who telnets in to a switch will be placed into user exec mode, and will then be prompted for the proper enable mode password.

If neither the enable secret nor the enable password has been set, the user will not be able to enter enable mode

To place users coming into the switch via telnet straight into enable mode, use the command “privilege level 15” under the VTY lines.

SW2(config)#line con 0
SW2(config-line)#privilege level 15

To place some users in user user-exec mode and some into privileged-exec mode create a local user database, set the appropriate privilege levels and set the VTY login to use the “local” database (remove any passwords configured on VTY lines as good habit and housekeeping):

SW2(config)#username lbsources privilege 15 password CCIE

Configures the user for privilege level 15 – will be placed into privilege-exec mode on login

SW2(config)#username joeshmoe password CCNP
SW2(config)#username ricosuave password CCNA

No privilege level set – will be placed into global configuration mode and be required to enter the enable password to enter privilege-exec mode.

SW2(config)#line vty 0 15
SW2(config-line)#login local

Introduction To AAA

You can use RADIUS and TACACS+ to support AAA (Authentication, Authorization, and Accounting) on Cisco routers/switches

RADIUS (Remote Authentication Dial-In User Service) uses UDP
TACACS+ Terminal Access Controller Access Control System) uses TCP

Authentication

To enable AAA:

SW2(config)#aaa new-model

Basics to configure a RADIUS server

SW2(config)#radius-server host 172.1.1.1

Basics to configure TACACS+

SW2(config)#tacacs-server host 172.1.1.1

Configure methods of authentication

SW2(config)#aaa authentication login default local group radius <- This command would check the local database first, then the RADIUS server(s)

Login = Set lists for authenticating login
Default = The default authentication list that will be created with the methods of AAA
Local = Use the loca username database for authentication
Group = Use the following server group
Radius = Use list of RADIUS groups defined

Apply to VTY lines:

SW2(config)#line vty 0 15
SW2(config-line)#login authentication default

Default = use the default authentication list

Authorization

RADIUS is limited in the different levels of authorization

TACACS+ can be configured to force the user to be authenticated for any of the following tasks:

SW2(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections

Authorization is applied in the same way Authentication was.

Accounting

Accounting will use a RADIUS or TACACS+ server to track user activity

The more accounting you do, the more resources it takes from your router/switch.

Basics to configure accounting:

SW2(config)#aaa accounting ?
commands For exec (shell) commands.
connection For outbound connections. (telnet, rlogin) exec For starting an exec (shell).
nested When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
network For network services. (PPP, SLIP, ARAP)
send Send records to accounting server.
suppress Do not generate accounting records for a specific type of user.
system For System events.
update Enable accounting update records.

Apply the methods list:

SW2(config)#line vty 0 15
SW2(config-line)#accounting ?
arap For Appletalk Remote Access Protocol
commands For exec (shell) commands
connection For connection accounting
exec For starting an exec (shell)

Port Security

Port security uses a host’s MAC address as a password, and if a device with a different MAC address sends frames to the switch on that port, the port will take action – by default, it will shut down.

To enable port security:

SW2(config)#int fast 0/5
SW2(config-if)#switchport port-security
Command rejected: Fa0/5 is not an access port. <– Port must be made an access port. Ports security can’t be enabled on a port that can possibly form a trunk

SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address <– Identify the secure MAC address for this port – static option
maximum Max secure addresses <– the maximum number of secure MAC addresses allowed on the port. This number can vary. These addresses can be configured statically with the mac-address option, or they can be learned dynamically
violation Security violation mode
<cr>

SW2(config-if)#switchport port-security violation ?
protect Security violation protect mode <– Protect mode drops the offending frames
restrict Security violation restrict mode <– Restrict mode drops the offending frames and will generate both an SNMP trap notification and syslog message regarding the violation.
shutdown Security violation shutdown mode <- DEFAULT – the port is placed into error-disabled state, an SNMP trap message is generated and manual intervention is needed to reopen the port

Output from a port running in default “shutdown” mode when the receiving frames from a different MAC address than the one configured:
05:06:04: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, puttingFa0/7 in err-disable state
05:06:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.f773.ed20 on port FastEthernet0/7.
05:06:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
05:06:06: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

· SW1#show int fast 0/7
FastEthernet0/7 is down, line protocol is down (err-disabled) <– That port must now manually be reopened

When you specify the number of secure MAC addresses, and you specify secure MAC addresses – if you allow for more secure MAC address than you actually configure manually the remaining secure MAC address will be dynamically learned. This means a rogue host can connect to the port and it will be allowed to communicate.

SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa
SW1(config-if)#switchport port-security mac-address cccc.cccc.cccc

To verify your port security configuration, run show port-security interface.

SW1#show port-security interface fast 0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Port security cannot be configured on the following types of ports:

trunk ports
ports placed in an Etherchannel
destination SPAN port
802.1x ports

Dot1x Port-Based Authentication

Based on the IEEE 802.1x standard

The Cisco authentication server must be RADIUS, TACACS+ is not supported.

Major difference between dot1x port-based security and port security:

With Dot1x port based authentication, host(s) and switch ports must be configured for 802.1x EAPOL (Extensible Authentication Protocol over LANs).

Until the user is authenticated, only the following protocols can travel through the port:

EAPOL
STP
CDP

By default, once the user authenticates, all traffic can be received and transmitted through this port.

To configure dot1x, AAA must be enabled and a method list must be created.

SW2(config)#aaa new-model
SW2(config)#aaa authentication dot1x ?
WORD Named authentication list.
default The default authentication list.

SW2(config)#aaa authentication dot1x default ?
SW2(config)# aaa authentication dot1x default group radius local

To enable dot1x on the switch:

SW2(config)#dot1x ?
system-auth-control Enable or Disable SysAuthControl

Dot1x must be configured globally, but every switch port that’s going to run dot1x authentication must be configured as well.

SW2(config-if)#dot1x port-control ?
auto PortState will be set to AUTO
force-authorized PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized

Force-authorized – forces the port to authorize any host attempting to use the port, but authentication is not required. Basically, there is no authentication on this port type.

Force-unauthorized – literally has the port unable to authorize any client – even clients who could otherwise successfully authenticate

The auto setting enables dot1x on the port, which will begin the process as unauthorized. Only the necessary EAPOL frames will be sent and received while the ports unauthorized. Once the authentication is complete, normal transmission and receiving can begin. This is the most common setting.

SPAN Basics

SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached. (In some Cisco documentation, the destination port is referred to as the monitor port.)

The number of simultaneous sessions you can run differs from one switch platform to another

There are several versions of SPAN, the differences depend on source ports – its’ the location of the source ports that determines the SPAN version

Local SPAN – Destination and source ports are all on same switch
VLAN-based SPAN – Source is a VLAN rather than a collection of physical ports.

Local SPAN

To enable SPAN:

SW2(config)#monitor session 1 source interface fast 0/1 – 5 <– Configure source ports/VLANs
SW2(config)#monitor session 1 destination interface fast 0/10 <– Configure destination port

Verify the SPAN configuration with show monitor

· SW2#show monitor
Remote SPAN

When traffic to be monitored is on one switch, but the only vacant port available is on another switch or there is a switch in between the switch you wish to monitor, you must use Remote SPAN (RSPAN)

All switches along the path to the destination port will need to be configured for RSPAN

Considers when configuring RSPAN:

If there are intermediate switches between the source and destination switches, they would all need to be RSPAN-capable.
VTP treats the RSPAN VLAN like any other VLAN. It will be propagated throughout the VTP domain if configured on a VTP server. Otherwise, it’s got to be manually configured on every switch along the intermediate path. VTP Pruning will also prune the RSPAN VLAN under the same circumstances that it would prune a “normal” VLAN.
MAC address learning is disabled for the RSPAN VLAN.
The source and destination must be defined on both the switch with the source port and the switch connected to the network analyzer, but the commands are not the same on each.

Configuring RSPAN

Create the VLAN first, and identify it as the RSPAN VLAN with the remote-span command.

SW2(config)#vlan 30
SW2(config-vlan)#remote-span

SW2 is the source switch, and the traffic from ports 0/1 – 0/5 will be monitored and frames mirrored to SW1 via RSPAN VLAN 30.

SW2(config)#monitor session 1 source interface fast 0/1 – 5 <– Define source ports on source switch
SW2(config)#monitor session 1 destination remote ?
vlan Remote SPAN destination RSPAN VLAN

SW2(config)#monitor session 1 destination remote vlan 30 ?
reflector-port Remote SPAN reflector port

SW2(config)#monitor session 1 destination remote vlan 30 reflector-port fast 0/12 <– Define the port that will be copying SPAN traffic onto VLAN 30

SW1(config)#monitor session 1 source remote vlan 30 <– Define the RSPAN VLAN.
SW1(config)#monitor session 1 destination interface fast 0/10 <– SW1 will receive the mirrored traffic and will send it to a network analyzer on port 0/10.

Run show monitor to verify the configuration.

SW1#show monitor

SPAN Limitations

Source port notes:

A source port can be monitored in multiple, simultaneous SPAN sessions.
A source port can be part of an Etherchannel.
A source port cannot be configured as a destination port.
A source port can be any port type – Ethernet, FastEthernet, etc.

Destination port notes:

A destination port can be any port type.
A destination port can participate in only one SPAN session.
A destination port cannot be a source port.
A destination port cannot be part of an Etherchannel.
A destination port doesn’t participate in STP, CDP, VTP, PaGP, LACP, or DTP.

Trunk ports can be configured as source and/or destination SPAN ports; the default behavior will result in the monitoring of all active VLANs on the trunk.

ESPAN – Enhanced SPAN. This term has been used to describe different additions that the term has lost meaning. It doesn’t refer to any specific addition or change to SPAN.

VLAN Access Control Lists

An ACL can filter traffic traveling between VLANs, but cannot prevent hosts in a VLAN from communicating from another host in the same VLAN.

ACLs on switches:

Multilayer switchs can use an ACL to filter traffic for hosts on different VLANS
Multilayer switchs must use a VACL to filter traffic for hosts on the same VLAN

An ACL must be written in combination with a VACL. The ACL will be used to as the match criterion within the VACL.

SW2(config)#ip access-list extended NO_123_CONTACT
SW2(config-ext-nacl)#permit ip 171.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255

VLAN access-map – any traffic matching the ACL to be dropped and all other traffic to be forwarded.

SW2(config)# vlan access-map NO_123 10
SW2(config-access-map)# match ip address NO_123_CONTACT
SW2(config-access-map)# action drop
SW2(config-access-map)# vlan access-map NO_123 20
SW2(config-access-map)# action forward

You must add the final “action forward” statement in order to pass unmatched traffic. Same theory holds when writing a VLAN access-map as with a route-map. Any traffic that doesn’t match the specific clause in the ACL will be dropped.

Apply the VACL

SW2(config)# vlan filter NO_123 vlan-list 100

VACL notes:

Bridged traffic, as well as non-IP and non-IPX traffic, should be filtered with VACLs
VACLs run from top to bottom, and run until a match occurs
VACLs have an implicit deny at the end. The VACL equivalent of “permit all” is an “action forward” clause with no match criterion, as shown in the previous example. If traffic is not expressly forwarded, it’s implicitly dropped!
Only one VACL can be applied to a VLAN
The sequence numbers allow you to go back and add lines without rewriting the entire VACL. They are still active while being edited.
A routing ACL can be applied to a SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface, but VACLs are not applied in that way – they’re applied in global configuration mode.
On L3 switches, if there’s a VACL configured, and a “normal” ACL affecting incoming traffic that is applied to a routed port that belongs to that same VLAN. Packets entering that VLAN will be matched against the VACL first; if the traffic is allowed to proceed, it will then be matched against the inbound ACL on that port.

Dot1q Tunneling

Dot1q tunneling allows a service provider to transport frames from different customers over the same tunnel – even if they’re using the same VLAN numbers. This technique also keeps customer VLAN traffic segregated from the service provider’s own VLAN traffic.

Dot1q tunneling configuration takes place on the service provider sending and receiving data to customer switches:

MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport access vlan 100

The VLAN number that the customer is using.

MLS_1(config-if)#switchport mode dot1qtunnel
MLS_1(config-if)#vlan dot1q tag native

STP, VTP and CDP (service provider accepts CDP, but doesn’t send them through the tunnel) frames will not be transmitted over the dot1q tunnel (this gives the customer only a partial and inaccurate picture of this network). To transmit such frames, a Layer 2 Protocol Tunnel must be built on the service provider edge switches.

Ethernet over MultiProtocol Label Switching

Another approach to solve the requirements of STP, VTP and CDP packets to be received and sent over the service providers network to far-end switches.

Service providers must have an MPLS core to support this option.

With EoMPLS, the service provider cloud consists of two router types.

Edge Label Switch Routers (ELSR)
Label Switch Routers (LSR)

The Edge Label Switch Routers (ELSR) are found at the edge of the cloud, and these routers place a MPLS tag, or label, onto incoming traffic that meets predefined criteria. Inside the cloud, Label Switch Routers (LSR) will route the traffic looking only at the MPLS label. Once the remote ELSR receives the packet, the MPLS label is removed and the data can be forwarded normally. The original VLAN value is kept intact.

Transparent LAN Service

Another approach to solve the requirements of STP, VTP and CDP packets to be received and sent over the service providers network to far-end switches.

Transparent LAN Service is basically a LAN interconnection technology that hides the connecting WAN from the end users

One drawback to TLS is that broadcasts will be treated as a broadcast on any VLAN – they’ll be sent to every host in the VLAN

Private VLANs

Hosts placed into secondary VLANs may have one of the following configurations:

The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN, but not with hosts in other secondary VLANs – this is a community private VLAN
The host can communicate with the primary VLAN, but with no other hosts, including other hosts in its own secondary VLAN — this is an isolated private VLAN

As an example, a router located off a switch port that has been configured as a private VLAN port – The following are options:

Promiscuous mode: The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN – This is the recommended mode for ports connected to gateway devices, such as the router
The host connected to the port is on either type of private VLAN (isolated or community), and can communicate with devices found off other promiscuous ports. If the host is configured as part of a community private VLAN, the host can also communicate with other hosts in that private VLAN.

Configuring Private VLANs

MLS(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN
twoway-community Configure the VLAN as a two way community private VLAN

MLS(config-vlan)#private-vlan community

Private VLANs can only be configured when VTP is in transparent mode

MLS(config-vlan)#exit
MLS(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.

Now the primary VLAN must be configured as the “associate” of the private VLAN.

MLS(config)#vlan 20
MLS(config-vlan)#private-vlan community
MLS(config-vlan)#private-vlan association ?
WORD VLAN IDs of the private VLANs to be configured
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list

MLS(config-vlan)#private-vlan association 30

Now place the ports into the private VLAN:

MLS(config)#interface f0/4
MLS(config-if)# switchport mode private-vlan 20 host

If this were the port connected to a router, we’d need the promiscuous option configured instead of host.

DHCP Snooping

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. DHCP Snooping classifies interfaces on the switch into one of two categories – trusted and untrusted.

DHCP messages received on trusted interfaces will be allowed to pass through the switch.

DHCP messages received on untrusted interfaces be dropped by the switch, the interface itself will be placed into err-disabled state.

When DHCP Snooping is enabled, all ports are considered untrusted

Enable DHCP Snooping on the entire switch:

SW1(config)#ip dhcp snooping

Identify the VLANs that will be using DHCP Snooping.

SW1(config)#ip dhcp snooping ?
database DHCP snooping database agent
information DHCP Snooping information
verify DHCP snooping verify
vlan DHCP Snooping vlan
<cr>

SW1(config)#ip dhcp snooping vlan ?
WORD DHCP Snooping vlan fist number or vlan range, example: 1,3-5,7,9-11

SW1(config)#ip dhcp snooping vlan 4

Assuming we have a trusted DHCP server off port 0/10, we would then trust that port with the following command:

SW1(config-if)#ip dhcp snooping trust

DHCP Snooping is verified with the show ip dhcp snooping command.

SW1#show ip dhcp snooping

Dynamic ARP Inspection

ARP Cache Poisoning / ARP Spoofing: A rogue host responds to an ARP request intended for another hose with its own MAC address. The rogue host will acquire the true MAC address of the intended host and possibly relay (after reading) packets from the originating host to the intended host – through itself – creating a man in the middle scenario

Cisco’s recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted.

Since DAI runs only on ingress ports, this configuration scheme ensures that every ARP packet is checked once, but no more than that.

There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel.

Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings – using the same database that is built by the DHCP Snooping process.

DAI uses the concept of trusted and untrusted ports, just as DHCP Snooping does. However, untrusted ports in DAI do not automatically drop ARP Requests and Replies.

Once the IP-MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined.

If the ARP message has an approved MAC-IP address mapping, the message is forwarded appropriately; if not, the ARP message is dropped.
If the interface has been configured as trusted, DAI allows the ARP message to pass through without checking the database of trusted mappings.

DAI is performed as ARP messages are received, not transmitted.

Since DAI uses entries in the DHCP Snooping database to do its job, DHCP Snooping must be enabled before beginning to configure DAI.

Configuring Dynamic Arp Inspection:

SW1(config)#ip arp inspection ?
filter Specify ARP acl to be applied
log-buffer Log Buffer Configuration
validate Validate addresses
vlan Enable/Disable ARP Inspection on vlans

SW1(config)#ip arp inspection vlan ?
WORD vlan range, example: 1,3-5,7,9-11

SW1(config)#ip arp inspection vlan 4
SW1(config)#int fast 0/4
SW1(config-if)#ip arp inspection trust

DAI “validate” options:

SW1(config)#ip arp inspection validate ?
dst-mac Validate destination MAC address <– compares the source MAC address in the Ethernet header and the MAC address of the source of the ARP message.

ip Validate IP addresses <– compares the IP address of the sender of the ARP Request against the destination address of the ARP Reply.

src-mac Validate source MAC address ß compares the destination MAC address in the Ethernet header

To verify DAI configuration:

SW1#show ip arp inspection

IP Source Guard

Use IP Source Guard to prevent a host on the network from using another host’s IP address.

IP Source Guard works in tandem with DHCP Snooping, and uses the DHCP Snooping database to carry out this operation.

As with DAI, DHCP Snooping must be enabled before enabling IP Source Guard.

How IP Source Guard works:

When the host first comes online and connects to an untrusted port on the switch, the only traffic that can reach that host are DHCP packets.
When the client successfully acquires an IP address from the DHCP Server, the switch makes a note of this IP address assignment.
The switch will then dynamically create an ACL that will only allow traffic with the corresponding source IP address to be processed by the switch.
If the host pretends to be another host on that subnet, or to spoof that host’s IP address — the switch will simply filter that traffic because the source IP address will not match the database’s entry for that port.

MAC Address Flooding

A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. The intruder generates a large number of frames with different source MAC addresses – all of them invalid. As the switch’s MAC address table capabilities are exhausted, valid entries cannot be made – and this results in those valid frames being broadcast instead of unicast.

This has three side effects:

As mentioned, the MAC address table fills to capacity, preventing legitimate entries from being made.
The large number of unnecessary broadcasts quickly consumes bandwidth as well as overall switch resources
The intruder can easily intercept packets with a packet sniffer, since the unnecessarily broadcasted packets will be sent out every port on the switch – including the port the intruder is using.
When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

MAC address flooding can be combated using 2 features:

Port-based authentication
Port-security

VLAN Hopping

One method of VLAN hopping is where double tagging takes place. The intruder will transmit frames that are double tagged with two separate VLAN IDs. Changing the native VLAN and having no hosts on this VLAN usually resolves this issue with this version.

When the rogue host transmits a frame, that frame will have two tags. One will indicate native VLAN membership, and the second will be the number of the VLAN under attack.
The trunk receiving this double-tagged frame will see the tag for the native VLAN, that tag will be removed and then transmitted across the trunk – but the tag VLAN under attack is still there!
When the switch on the other side of the trunk gets that frame, it sees the tag for the VLAN under attack and forwards the frame to ports in that VLAN.
The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

Circumstances for double tagging attacks to be successful:

The intruder’s host device must be attached to an access port.
The VLAN used by that access port must be the native VLAN.
Dot1q must be the trunking protocol in use, since ISL doesn’t use the native VLAN.

Switch Spoofing – Allows the rogue to pretend to be a member of *all* VLANs in your network.

A switch in default dynamic desirable mode sends out DTP frames in an aggressive effort to form a trunk
When a port is left at this default and placed into “auto” mode, a trunk will still form, though it’s not actively trying to do so.
The rogue host will pretend to be a switch and send DTP frames back to the switch and this will lead to a trunk.
Once the trunk is formed, the rogue now has access to all VLANs known to that switch and the network

To prevent Switch Spoofing and as best practice turn ports into access ports – this disables the port’s ability to create a trunk.

Any corrections or additions are greatly appreciated! You can download a copy of these notes by clicking the “Printer Friendly” below.

Cheers!

DK - Engineer's Notebook Routing and Switching

main

Sunday, February 28, 2016

SWITCH Study Notes – Securing The Switches & Tunneling

visitors