Securing Switch Access
Catalyst switches have a variety of methods that can secure or control user access. Users can be authenticated as they connect to or through a switch and can be authorized to perform certain actions on the switch. User access can be recorded as switch accounting information. Physical switch port access can also be controlled based on the user's MAC address or on authentication.
Port Security
Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it on a per-interface basis with the following interface configuration commands (the port must be a static access or trunk port; port security is rejected on a port whose mode is dynamic, so set switchport mode access first):
Switch(config-if)#switchport port-security (enable port security)
Switch(config-if)#switchport port-security maximum <max-addr no.> (set the maximum number of secure MAC addresses)
Note: the maximum number of addresses can be set in the range of 1 to 1024 (the exact upper bound depends on the switch platform); the default is 1.
By default, port security learns MAC addresses dynamically and stores them only in the CAM table; dynamically learned secure addresses are not written to the running configuration. If the switch reboots for some reason, port security will have to relearn a new set of MAC addresses. To make the learned addresses persistent across a switch reboot, enable "sticky" MAC address learning with the following command:
Switch(config-if)#switchport port-security mac-address sticky
Sticky addresses are added to the running configuration as they are learned, so they survive a reboot only if the running configuration is saved to the startup configuration (copy running-config startup-config) afterwards.
We can also configure a static secure MAC address:
Switch(config-if)#switchport port-security mac-address <mac-addr>
Finally, we must define how each interface using port security should react if a MAC address is in violation (an unknown source address is seen after the maximum has been reached, or an address learned on another secure port appears), using the following command:
Switch(config-if)#switchport port-security violation (shutdown/restrict/protect)
Shutdown: The default mode. The port immediately goes into the err-disabled state. We must bring it back manually with shutdown followed by no shutdown, or let the switch recover it automatically with errdisable recovery cause psecure-violation.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept, so this mode gives no visibility into attacks.
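The configuration sequence above, assembled with the input checks that usually trip people up (the 1 to 1024 maximum, MAC address notation, and configuring more static addresses than the maximum allows), as an added example that is not code from the original post. It renders the IOS commands discussed in the text; the `switchport mode access` line is an assumption based on IOS rejecting port security on dynamic ports, and all function names are this example's own.

```python
"""Render and sanity-check a Catalyst port-security interface configuration.

Added example (not from the original post). It assumes an IOS-style CLI and
the 1..1024 maximum quoted in the text; function names are this example's own.
"""
import re

VIOLATION_MODES = ("shutdown", "restrict", "protect")


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55 and
    return the dotted-hex form IOS expects. Raises ValueError on bad input."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def port_security_config(interface, maximum=1, violation="shutdown",
                         sticky=False, static_macs=()):
    """Return the interface configuration lines as a list of strings."""
    if not 1 <= maximum <= 1024:
        raise ValueError("maximum must be between 1 and 1024")
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
    macs = [normalize_mac(m) for m in static_macs]
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate static MAC addresses")
    # IOS refuses a static secure address once the maximum is already used up.
    if len(macs) > maximum:
        raise ValueError("more static addresses than the configured maximum")

    lines = [
        f"interface {interface}",
        # Assumption: port security is rejected on a dynamic (DTP) port, so the
        # port is pinned to access mode before enabling the feature.
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
    ]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    for mac in macs:
        lines.append(f" switchport port-security mac-address {mac}")
    return lines


def config_error(**kwargs):
    """Return the validation error message for the given arguments, or None."""
    try:
        port_security_config(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cfg = port_security_config("FastEthernet0/1", maximum=2, violation="restrict",
                               sticky=True, static_macs=["00:11:22:33:44:55"])
    print("\n".join(cfg))
```

Paste the rendered lines into configuration mode; the validation happens before anything is typed, which is where you want a typo in a MAC address or an over-committed maximum to fail.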
We can check the port security status with the following commands:
Switch#show port-security (per-port maximum, current count, violation count and action)
Switch#show port-security interface fastethernet 0/0 (detailed status of one port, including the last source address seen)
Switch#show interfaces status err-disabled (ports shut down by a violation, with the reason psecure-violation)
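As an added example that is not part of the original post, the following script parses the output of the two verification commands above and reports ports that have recorded violations, ports that a violation has err-disabled, and ports in protect mode that have filled their maximum and are now dropping silently. The sample outputs are constructed to resemble Catalyst IOS output; function names are this example's own.

```python
"""Audit port-security state from 'show port-security' and
'show interfaces status err-disabled' output.

Added example (not from the original post). The sample text below is
constructed to resemble Catalyst IOS output; function names are this example's own.
"""
import re

# Constructed sample of 'show port-security'.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              2            2                  3         Restrict
      Fa0/3              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8320
"""

# Constructed sample of 'show interfaces status err-disabled'.
SHOW_ERRDISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation
Gi0/24    uplink             err-disabled bpduguard
"""

# One data row of the summary table: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# One err-disabled row: port, optional description, then the reason.
ERR = re.compile(r"^(\S+)\s+.*?err-disabled\s+(\S+)")


def parse_port_security(text):
    """Return {port: {max, current, violations, action}} from the summary table."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, mx, cur, viol, action = m.groups()
            ports[name] = {"max": int(mx), "current": int(cur),
                           "violations": int(viol), "action": action.lower()}
    return ports


def parse_err_disabled(text):
    """Return {port: reason} for every err-disabled port listed."""
    return {m.group(1): m.group(2)
            for m in (ERR.match(line) for line in text.splitlines()) if m}


def audit(ports, err_disabled):
    """Return a list of (port, message) findings worth a look."""
    findings = []
    for name, p in ports.items():
        if p["violations"] > 0:
            findings.append((name, f"{p['violations']} violation(s) recorded, "
                                   f"action {p['action']}"))
        # Protect mode keeps no record, so a full port is the only visible hint
        # that further addresses are being dropped.
        if p["action"] == "protect" and p["current"] >= p["max"]:
            findings.append((name, "protect mode at capacity: new source "
                                   "addresses are dropped without any log"))
    for name, reason in err_disabled.items():
        if reason == "psecure-violation":
            findings.append((name, "err-disabled by port security; recover "
                                   "with shutdown / no shutdown or errdisable "
                                   "recovery cause psecure-violation"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_port_security(SHOW_PORT_SECURITY),
                           parse_err_disabled(SHOW_ERRDISABLED)):
        print(f"{port}: {msg}")
```

Feed it real output (for example captured over SSH) in place of the constructed samples; the err-disabled check deliberately ignores other causes such as bpduguard so that only port-security events are reported.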