
Wednesday, January 6, 2010

Day 22: Switch Security

The switchport can be assigned a static MAC address:
mac-address-table static {host-mac-address} interface {interface} vlan {vlan}
and verified with show mac-address-table and cleared with clear mac-address-table.

This is how we secure a switchport. First, enter interface configuration mode:
S2(config)#interface fastEthernet 0/6
First we need to define whether the port is an access port (end host) or a trunk port. A trunk port is configured to carry multiple VLANs. Only access ports (with a single VLAN) can have port security enabled. Notice that the default mode is trunk!
S2(config-if)#switchport mode access
switchport port-security enables port security:
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
This last command will not appear in show run because 1 is the default maximum!
The easiest way is to allow the switch to dynamically learn the first MAC address by enabling sticky learning:
S2(config-if)#switchport port-security mac-address sticky
The switchport needs to go administratively down when a wrong device connects; the other options are protect and restrict. The difference between these two is not that obvious: restrict will also send a message.
S2(config-if)#switchport port-security violation shutdown
We can also manually configure a MAC address for this port (if we remove port security). Notice that this is done in global configuration mode:
S2(config)#mac-address-table static 0001.C7C1.E31C vlan 1 interface fastEthernet 0/6
Use no mac-address-table... to remove it.
S2(config-if)#end
S2#
 
When an unauthorized device connects to the port, the switch shuts it down. Once this has happened, the port must be administratively shut down and re-enabled to bring it back online:
S2(config-if)#shutdown
S2(config-if)#no shutdown
It's important to secure unused switch ports; use interface ranges instead of configuring one interface at a time. You can secure them by disabling the port or by putting the port in an unused VLAN.
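The notes above give the per-port commands by hand; a quick way to check that every port on a switch actually got them is to audit the running-config text. The following is an added example (not from the original post), written against a constructed show run excerpt; it assumes the standard IOS layout in which interface stanzas are separated by "!" lines, and it treats the unprinted defaults (maximum 1, violation shutdown) exactly as the notes describe them.

```python
# Constructed sample running-config (not from a real switch): F0/6 follows the
# notes above, F0/7 weakens two settings, F0/8 is a trunk, F0/9 is unused.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface FastEthernet0/8
 switchport mode trunk
!
interface FastEthernet0/9
 shutdown
!
"""

def parse_interfaces(config):
    """Map interface name -> its config lines; IOS separates stanzas with '!'."""
    stanzas = {}
    for block in config.split("!\n"):
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            stanzas[lines[0].split(None, 1)[1]] = lines[1:]
    return stanzas

def audit_interface(lines):
    """Return findings for one interface; an empty list means it looks OK."""
    if "shutdown" in lines:
        return []  # unused port disabled, as the notes recommend
    if "switchport mode access" not in lines:
        return ["not an access port: port security cannot be enabled"]
    if "switchport port-security" not in lines:
        return ["port security not enabled"]
    # 'maximum 1' and 'violation shutdown' are defaults NOT printed by show run,
    # so a missing 'switchport port-security <key> <value>' means the default.
    opts = dict(l.split()[2:] for l in lines
                if l.startswith("switchport port-security ") and len(l.split()) == 4)
    findings = []
    if int(opts.get("maximum", 1)) > 1:
        findings.append(f"maximum {opts['maximum']} allows more than one MAC address")
    if opts.get("violation", "shutdown") == "protect":
        findings.append("violation protect drops frames silently with no notification")
    return findings
```

Run it over a saved show run and print audit_interface() for each stanza; only the first finding is reported for ports that fail the access-mode or enablement checks, since the later settings are meaningless there.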

Speed and duplex can be set on a switch port like this:
speed {speed-in-megabits-per-second}
duplex {half | full}

Other interesting show commands are:
show port-security
show interfaces
show vlan

As a side note: we can delete the VLAN database information and erase the startup configuration with the following two commands in privileged EXEC mode:
delete flash:vlan.dat
erase startup-config
