Configuring port security
A switch without port security allows an attacker to plug into an unused port and gather information about, or attack, the network. All ports should be secured before a switch is deployed. Port security limits the number of MAC addresses allowed on a port.
If you limit the number to 1 and assign a single MAC address, only the PC with that address is allowed to connect via that port; when the limit is exceeded a security violation occurs.
STATIC secure: manually configured. Stored in the address table and the running-config.
DYNAMIC secure: dynamically learned and stored in the address table only. Removed when the switch restarts.
STICKY secure: dynamically learned addresses are saved to the running-config (and can be saved to the startup-config); this includes addresses dynamically learned before sticky was enabled. If you disable sticky, the learned addresses are removed from the address table but kept in the running-config.
SECURITY VIOLATION MODES
A security violation occurs when:
The maximum number of secure MAC addresses has been added to the address table and a station whose address is not in the table attempts to access the interface.
An address configured or learned as secure on one interface is seen on another secure interface.
VERIFY PORT SECURITY
Sw1#show port-security
DISABLE UNUSED PORTS
This is a simple way to provide security. You can navigate to each unused port and issue shutdown, or alternatively use the interface range command to shut down a whole block of ports at once:
Sw1(config)#interface range fa0/1 - 24
Sw1(config-if-range)#shutdown
R1(config)#interface FastEthernet0/2
R1(config-if)#switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
R1(config-if)#switchport port-security
Enables port security on the interface
R1(config-if)#switchport port-security maximum 6
(Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
R1(config-if)#switchport port-security aging time 5
(Optional) Learned addresses are not aged out by default, but can be with this command. The value is from 1 to 1024, in minutes.
R1(config-if)#switchport port-security mac-address 0000.0000.000b
(Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
R1(config-if)#switchport port-security mac-address sticky
(Optional) Enable sticky learning on the interface.
R1(config-if)#switchport port-security violation shutdown
(Optional) Set the violation mode, the action to be taken when a security violation is detected (protect, restrict or shutdown).
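Because the point above is that every port should be secured before deployment, here is a small audit script added as an example (it is not from the original notes or from Cisco): it parses an IOS-style running-config and reports access ports that are neither shut down nor protected by port security. The sample config and the interface names in it are constructed for the example.

```python
# Constructed sample running-config (not captured from a real switch):
# Fa0/1 is hardened, Fa0/2 is an access port with no port security,
# Fa0/3 is an unused port that was shut down, Fa0/4 was never set to access mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 switchport port-security
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines under it]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces

def audit_port_security(config):
    """Return {interface: [findings]}. An empty list means the port passes.
    A port that is administratively shut down counts as secured (the
    'disable unused ports' advice above)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "shutdown" not in lines:
            if "switchport mode access" not in lines:
                issues.append("not in access mode; the default dynamic mode cannot be secured")
            if "switchport port-security" not in lines:
                issues.append("port security not enabled")
            if not any(l.startswith("switchport port-security mac-address") for l in lines):
                issues.append("no static or sticky MAC; a dynamic address is lost on restart")
        findings[name] = issues
    return findings
```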