
Cisco Switch How To - Secure a Switch Port


To learn more about this tutorial contact us info_ipmax@ipmax.it or visit our site www.ipmax.it/support WWW.IPMAX.IT

Secure a Switch Port - CISCO Switch
1. Port security

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Where user workstations are stationary, their MAC addresses can always be expected to connect to the same access-layer switch ports. If stations are mobile, their MAC addresses can be learned dynamically or added to a list of addresses to expect on a switch port.

Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access-layer switch port, begin by enabling it with the following interface-configuration command:

    Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses, or they can be learned dynamically from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface-configuration command:

    Switch(config-if)# switchport port-security maximum max-addr

By default, only one MAC address will be allowed access on each switch port. You can set the maximum number of addresses in the range of 1 to 1,024.
2. Set maximum MAC address

Each interface using port security dynamically learns MAC addresses by default and expects those addresses to appear on that interface in the future. These are called sticky MAC addresses. MAC addresses are learned as hosts transmit frames on an interface. The interface learns up to the maximum number of addresses allowed. Learned addresses can also be aged out of the table if those hosts are silent for a period of time; by default, no aging occurs.

For example, to set the maximum number of MAC addresses that can be active on a switch port at any time to two, you could use the following command:

    Switch(config-if)# switchport port-security maximum 2

You can also statically define one or more MAC addresses on an interface. Any of these addresses are allowed to access the network through the port. Use the following interface-configuration command to define a static address:

    Switch(config-if)# switchport port-security mac-address mac-addr
The MAC address is given in dotted-triplet format. If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically. Be sure to set the maximum number appropriately. You can use the following command to configure a static address entry on an interface:

    Switch(config-if)# switchport port-security mac-address 0006.5b02.a841

3. Set reaction to violation

Finally, you must define how each interface using port security should react if a MAC address is in violation, using the following interface-configuration command:

    Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

A violation occurs if more than the maximum number of MAC addresses are learned or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:

• Shutdown - The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again.
• Restrict - The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
• Protect - The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.
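The three configuration steps above (enable port security, set the maximum, pick a violation mode) are easy to apply inconsistently across dozens of access ports. The following checker is an added example, not IPMAX's code: it reads the interface stanzas of a running-config excerpt (constructed here; only the Gi0/11 stanza mirrors the tutorial) and reports, per access port, whether port security is on, the effective maximum and violation mode using the IOS defaults the tutorial states (maximum 1, violation shutdown), how many addresses are still left to be learned dynamically, and whether the port sits in protect mode, which keeps no violation record. Trunk ports are skipped on purpose.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not from the slides, except that Gi0/11
# matches the tutorial's restrict-mode example).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/11
 switchport access vlan 991
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0006.5b02.a841
 switchport port-security mac-address 0006.5b02.a842
!
interface GigabitEthernet0/13
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/14
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"


@dataclass
class PortSecurity:
    name: str
    access: bool = False
    enabled: bool = False
    maximum: int = 1              # IOS default stated in the tutorial
    violation: str = "shutdown"   # IOS default stated in the tutorial
    static_macs: list[str] = field(default_factory=list)


def parse_interfaces(config: str) -> list[PortSecurity]:
    """Walk the config line by line; an indented line belongs to the open stanza."""
    ports: list[PortSecurity] = []
    current: PortSecurity | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = PortSecurity(name=raw.split(None, 1)[1].strip())
            ports.append(current)
            continue
        if not raw.startswith(" "):      # "!" or a global command ends the stanza
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd == "switchport mode access":
            current.access = True
        elif cmd == "switchport port-security":
            current.enabled = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd):
            current.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (shutdown|restrict|protect)", cmd):
            current.violation = m.group(1)
        elif m := re.fullmatch(rf"switchport port-security mac-address ({MAC})", cmd):
            current.static_macs.append(m.group(1).lower())
    return ports


def audit(config: str) -> dict[str, dict]:
    """Per access port: effective settings plus a list of findings."""
    report: dict[str, dict] = {}
    for p in parse_interfaces(config):
        if not p.access:
            continue                      # trunks/routed ports are out of scope here
        issues: list[str] = []
        if not p.enabled:
            issues.append("port security not enabled")
        elif p.violation == "protect":
            issues.append("protect mode drops violating frames but keeps no record")
        report[p.name] = {
            "enabled": p.enabled,
            "maximum": p.maximum,
            "violation": p.violation,
            "static": p.static_macs,
            # slots the port will still fill by dynamic learning
            "dynamic_slots": max(p.maximum - len(p.static_macs), 0) if p.enabled else 0,
            "issues": issues,
        }
    return report


if __name__ == "__main__":
    for port, info in audit(SAMPLE_CONFIG).items():
        print(port, info)
```

Run it against a saved `show running-config` and look at the `issues` and `dynamic_slots` fields: a port with zero static entries and the default maximum of 1 will simply bind to the first host that talks, which is usually what you want on a stationary workstation port and usually not what you want on a port that feeds an unmanaged switch.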
As an example of the restrict mode, a switch interface has received the following configuration commands:

    interface GigabitEthernet0/11
     switchport access vlan 991
     switchport mode access
     switchport port-security
     switchport port-security violation restrict
     spanning-tree portfast

When the default maximum of one MAC address is exceeded on this interface, the condition is logged but the interface stays up. This is shown by the following syslog message:

    Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11

In the shutdown mode, the port security action is much more drastic. When the maximum number of MAC addresses is exceeded, the following syslog messages indicate that the port has been shut down in the errdisable state:

    Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
    Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
    Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
    Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
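The two syslog excerpts above are exactly what a collector receives, so they are a good basis for an alert rule. The script below is an added example, not part of the IPMAX tutorial: it parses `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages, normalises the long and short interface names (`GigabitEthernet0/11` and `Gi0/11` refer to the same port), and tags each violation with whether the port was err-disabled within a short window (shutdown mode) or stayed up (restrict mode). The sample input is the five lines from the slides joined into one feed; the 5-second correlation window is an assumption chosen for the example.

```python
import re
from datetime import datetime

# The syslog lines shown on the slides, combined into one feed. The restrict-mode
# line (17:18) and the shutdown-mode burst (17:14) come from different moments.
SAMPLE_SYSLOG = """\
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
"""

TS = r"(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
VIOLATION = re.compile(
    TS + r" \w+: %PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+?)\.?$"
)
ERR_DISABLE = re.compile(
    TS + r" \w+: %PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,]+),"
)

_SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "TenGigabitEthernet": "Te"}


def short_port(name: str) -> str:
    """Map 'GigabitEthernet0/11' to 'Gi0/11'; already-short names pass through."""
    m = re.fullmatch(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    kind, rest = m.groups()
    return _SHORT.get(kind, kind) + rest


def _ts(s: str) -> datetime:
    # The year is not in the message; strptime's 1900 placeholder is fine for deltas.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S.%f")


def parse_violations(text: str, window_s: float = 5.0) -> list[dict]:
    """Return one event per PSECURE_VIOLATION, tagged with the port's fate."""
    violations, disabled = [], []
    for line in text.splitlines():
        if m := VIOLATION.match(line):
            violations.append((_ts(m["ts"]), short_port(m["port"]), m["mac"].lower()))
        elif m := ERR_DISABLE.match(line):
            disabled.append((_ts(m["ts"]), short_port(m["port"].strip())))

    events = []
    for t, port, mac in violations:
        shut = any(p == port and abs((t - td).total_seconds()) <= window_s for td, p in disabled)
        events.append({
            "time": t.strftime("%H:%M:%S.%f")[:-3],
            "port": port,
            "mac": mac,
            "action": "err-disabled" if shut else "port stays up",
        })
    return events


def violations_per_port(events: list[dict]) -> dict[str, int]:
    """Running count per port, the figure restrict mode also reports via SNMP/syslog."""
    counts: dict[str, int] = {}
    for e in events:
        counts[e["port"]] = counts.get(e["port"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_violations(SAMPLE_SYSLOG):
        print(e)
    print(violations_per_port(parse_violations(SAMPLE_SYSLOG)))
```

The `action` field is what an on-call engineer needs first: an err-disabled port is a user outage until someone re-enables it or errdisable recovery fires, while a restrict-mode violation is an alert to investigate without an outage.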
4. Port Status

The show port-security interface command shows the port status, as you can see in the following example:

    Switch# show port-security interface gigabitethernet 0/11
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address        : 0003.a089.efc5
    Security Violation Count   : 1

To see a quick summary of only the ports in the errdisable state, along with the reason for errdisable, you can use the show interfaces status err-disabled command, as demonstrated in the following example:

    Switch# show interfaces status err-disabled
    Port      Name               Status       Reason
    Gi0/11    Test port          err-disabled psecure-violation
Finally, you can display a summary of the port-security status with the show port-security command, as demonstrated in the next example:

    Switch# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                   (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
         Gi0/11              5            1                  0         Restrict
         Gi0/12              1            0                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 6176
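The per-interface and summary outputs of the two `show port-security` forms above are plain text, and a periodic poll of them is the cheapest way to catch ports that have gone into Secure-shutdown or that are sitting at their address limit. The parser below is an added example rather than IPMAX's or Cisco's code; it takes the two outputs exactly as printed on the slides (minus the command prompt) and produces a short attention list. The criteria in `needs_attention` are the example's own choices.

```python
import re

# Output of "show port-security interface gigabitethernet 0/11" from the slides.
SHOW_PS_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0003.a089.efc5
Security Violation Count   : 1
"""

# Output of "show port-security" from the slides.
SHOW_PS_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Gi0/11              5            1                  0         Restrict
     Gi0/12              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6176
"""

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


def parse_interface_detail(text: str) -> dict:
    """'Key : Value' lines to a dict; purely numeric values become ints."""
    detail = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        detail[key] = int(value) if re.fullmatch(r"\d+", value) else value
    return detail


def parse_summary(text: str) -> list[dict]:
    """One dict per data row of the summary table; headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line):
            port, mx, cur, viol, action = m.groups()
            rows.append({"port": port, "max": int(mx), "current": int(cur),
                         "violations": int(viol), "action": action.lower()})
    return rows


def needs_attention(detail: dict, rows: list[dict]) -> list[str]:
    """Conditions an operator would want surfaced from a routine poll."""
    notes = []
    if detail.get("Port Status") == "Secure-shutdown":
        notes.append(f"interface is err-disabled; last source {detail.get('Last Source Address')}")
    for r in rows:
        if r["violations"] > 0:
            notes.append(f"{r['port']}: {r['violations']} violation(s) counted")
        if r["action"] == "protect":
            notes.append(f"{r['port']}: protect mode keeps no violation record")
        if r["current"] >= r["max"]:
            notes.append(f"{r['port']}: secure address table full ({r['max']})")
    return notes


if __name__ == "__main__":
    d = parse_interface_detail(SHOW_PS_INTERFACE)
    s = parse_summary(SHOW_PS_SUMMARY)
    print(d["Port Status"], d["Security Violation Count"])
    print(s)
    print(needs_attention(d, s))
```

Feeding the output through a parser like this instead of eyeballing it also makes the "Sticky MAC Addresses" and "Configured MAC Addresses" counters easy to trend, which is how you notice a port whose allowed address quietly changed after a cable swap.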
More Needs?

Services and Solutions: Products, Remote IpService, Security

IPMAX
Via Ponchielli, 4
20063 Cernusco sul Naviglio (MI) – Italy
+39 02 9290 9171
info_ipmax@ipmax.it

About us
IPMAX is the ideal partner for companies seeking quality in products and services. IPMAX guarantees method and professionalism to support its customers in selecting technologies with the best quality / price ratio, in the design, installation, commissioning and operation
