Securing Switch Access
Catalyst switches have a variety of methods that can secure or control user access. Users can be authenticated as they connect to or through a switch and can be authorized to perform certain actions on a switch. User access can be recorded as switch accounting information. Access to a physical switch port can also be controlled based on the user's MAC address or authentication.
Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it on a per-interface basis with the following interface configuration command:
Switch(config-if)# switchport port-security (enable port security)
Switch(config-if)# switchport port-security maximum <max-addr no.> (set the maximum number of MAC addresses)
Note: we can set the maximum number of addresses in the range of 1 to 1024.
By default, port security learns MAC addresses dynamically and stores them in the CAM table and also in the running configuration. If the switch reboots for some reason, port security will have to relearn the set of MAC addresses. To make the learned addresses persistent across a switch reboot, we can enable "sticky" MAC address learning with the following command:
Switch(config-if)# switchport port-security mac-address sticky
We can also configure a static secure MAC address:
Switch(config-if)# switchport port-security mac-address <mac-addr>
Finally, we must define how each interface using port security should react if a MAC address is in violation, using the following command:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Shutdown: The port immediately goes into the shutdown (err-disabled) state; we can manually bring the port back up using the no shutdown command.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.
We can verify port security using the following commands:
Switch# show port-security
Switch# show port-security interface fastethernet 0/0
Switch# show interfaces status err-disabled
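As an added example that is not part of the original notes, the following Python script audits a constructed running-config excerpt for the gaps the steps above are meant to close: access ports with no port security at all, and ports left in protect mode, which keeps no record of violations. The SAMPLE_CONFIG text and the function names are assumptions made for this example.

```python
# Added audit script (not from the page): flags access ports in a Catalyst
# running-config that lack port security or use the 'protect' violation mode.
import re

# Constructed sample 'show running-config' excerpt for demonstration.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
interface FastEthernet0/3
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_port_security(config):
    """Return (interface, finding) pairs for access ports needing attention."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are outside this check
        if "switchport port-security" not in lines:
            findings.append((name, "port security not enabled"))
            continue
        mode = "shutdown"  # Catalyst default when no violation mode is set
        for entry in lines:
            match = re.match(r"switchport port-security violation (\S+)$", entry)
            if match:
                mode = match.group(1)
        if mode == "protect":
            findings.append((name, "violation mode 'protect' keeps no record"))
    return findings
```

Feed it the output of show running-config from a real switch to get the same two kinds of findings across every access port.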