I wish to share an awesome feature of Cisco Switches - SwitchPort Security.
NEED ::
A growing challenge facing network administrators is determining how to control who can access the organization's internal network, and who can't. For example, can anyone walk into your office, plug in a laptop, and access your network? Moreover, in today's network, needless to say, you do not trust each of your employees. And even if neither of those two scenarios applies, it may be an infected PC that is generating a broadcast storm or generating frames from a thousand different MAC addresses to flood the switch's CAM (Content Addressable Memory) table and turn the switch into a miserable hub.
Understand the basics
Of course, implementing any security solution always involves a trade-off — most often, you trade increased security for less convenience. When using port security, you can prevent devices from accessing the network, which increases security.
Configure port security
Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
Switch(config-if)# switchport port-security
Switch(config-if)#^Z
By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.
Know your options
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
- switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses, one for each device. The maximum number of secure MAC addresses per port is 132.
- switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when a frame arrives from a MAC address beyond the configured maximum. The default is to shut down the port (it goes err-disabled until an administrator brings it back up). With restrict, the switch keeps the port up, drops frames from the unknown MAC addresses, increments the Security Violation Count and raises a syslog message/SNMP trap so the network administrator is alerted. With protect, the switch only allows traffic from the secure MAC addresses and silently drops frames from other, unknown MAC addresses, with no notification.
- switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
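Rolling the options above out across many ports by hand is error-prone (a MAC typed in the wrong notation, a maximum above the per-port limit, an unknown violation keyword). The following is an added example, not code from the original article or from Cisco: a small Python generator that validates a per-port policy and renders the IOS interface-mode lines shown above. The interface names, MAC addresses and limits in the sample are constructed for illustration; the 132 ceiling is the per-port maximum the article quotes.

```python
"""Generate Cisco IOS port-security configuration for a set of access ports.

Added example, not from the original article or from Cisco. Interface names,
MAC addresses and the sample policy below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

VIOLATION_MODES = ("shutdown", "restrict", "protect")
MAX_SECURE_PER_PORT = 132  # per-port ceiling quoted in the article


def cisco_mac(mac: str) -> str:
    """Normalise 00:04:00:d5:28:5d, 00-04-00-D5-28-5D or 0004.00d5.285d
    into the dotted-triplet form IOS expects (0004.00d5.285d)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass
class PortSecurity:
    interface: str                       # e.g. "FastEthernet0/18"
    maximum: int = 1                     # IOS default: one secure MAC per port
    violation: str = "shutdown"          # IOS default violation mode
    static_macs: List[str] = field(default_factory=list)

    def validate(self) -> None:
        """Reject policies IOS would refuse or that contradict themselves."""
        if not 1 <= self.maximum <= MAX_SECURE_PER_PORT:
            raise ValueError(f"{self.interface}: maximum must be 1..{MAX_SECURE_PER_PORT}")
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"{self.interface}: unknown violation mode {self.violation!r}")
        if len(self.static_macs) > self.maximum:
            raise ValueError(f"{self.interface}: more static MACs than the maximum allows")

    def render(self) -> List[str]:
        """Return the IOS interface-mode lines that implement this policy."""
        self.validate()
        lines = [
            f"interface {self.interface}",
            # port security is only accepted on a port whose switchport mode is
            # set statically; IOS rejects it on a port left in dynamic (DTP) mode
            " switchport mode access",
            " switchport port-security",
        ]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        for mac in self.static_macs:
            lines.append(f" switchport port-security mac-address {cisco_mac(mac)}")
        return lines


def render_config(policies: List[PortSecurity]) -> str:
    """Concatenate the rendered interface stanzas, separated by IOS '!' lines."""
    out: List[str] = []
    for policy in policies:
        out.extend(policy.render())
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    # constructed sample: one port pinned to a single known device, and one
    # port feeding a 12-port hub that should alert rather than err-disable
    sample = [
        PortSecurity("FastEthernet0/18", static_macs=["00:04:00:d5:28:5d"]),
        PortSecurity("FastEthernet0/19", maximum=12, violation="restrict"),
    ]
    print(render_config(sample))
```

The generator deliberately emits `switchport mode access` before `switchport port-security`, since the second command is refused on a port still in dynamic mode; the validation step catches the mistakes that would otherwise only surface as an IOS error message halfway through a 24-port range.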
View the status of port security
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type            Ports     Remaining Age
                                                    (mins)
----    -----------       ----            -----     -------------
   1    0004.00d5.285d    SecureDynamic   Fa0/18    -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0
Switch#
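Checking this output port by port does not scale to a 24-port switch, let alone a stack. The following is an added example, not code from the original article or from Cisco: a Python parser that reads captured `show port-security interface` output for several interfaces and reports the ports that have tripped (Secure-shutdown, non-zero violation count) or that have port security disabled. The captured text is constructed: fa0/18 mirrors the article's output, and a second interface fa0/19 with a recorded violation has been added so the detection path is exercised.

```python
"""Parse 'show port-security interface' output and flag ports needing attention.

Added example, not from the original article or from Cisco. SAMPLE_OUTPUT is
constructed: fa0/18 mirrors the article, fa0/19 is an added port that tripped.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Switch# show port-security interface fa0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0004.00d5.285d
Security Violation Count   : 0
Switch# show port-security interface fa0/19
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0011.2233.4455
Security Violation Count   : 1
Switch#
"""

# prompt line that starts each per-interface block; captures the interface name
PROMPT_RE = re.compile(r"^\S+#\s*show port-security interface\s+(\S+)", re.I)
# "Field name   : value" lines inside a block
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")


def parse_port_security(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {field: value} for each block in the capture."""
    ports: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None or line.endswith("#"):   # bare prompt, no command
            continue
        f = FIELD_RE.match(line)
        if f:
            ports[current][f.group(1).strip()] = f.group(2).strip()
    return ports


def find_alerts(ports: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one alert string per condition worth a ticket: security off,
    port err-disabled by a violation, or any violations counted."""
    alerts: List[str] = []
    for name, fields in ports.items():
        if fields.get("Port Security") != "Enabled":
            alerts.append(f"{name}: port security not enabled")
            continue
        if fields.get("Port Status", "").lower() == "secure-shutdown":
            last = fields.get("Last Source Address", "unknown")
            alerts.append(f"{name}: err-disabled by a violation, last source {last}")
        count = int(fields.get("Security Violation Count", "0") or 0)
        if count > 0:
            alerts.append(f"{name}: {count} violation(s) recorded")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_port_security(SAMPLE_OUTPUT)):
        print(alert)
```

Feed it the output of the same command issued for each interface (or the full `show port-security interface` run from a script over your port list) and the alert list is what you would forward to the helpdesk or SIEM: the last source address tells you which MAC triggered the shutdown, which is usually enough to find the rogue device before re-enabling the port.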
For more information on switch port commands and configuring the Port Security feature, check out Cisco’s Enabling Port Security documentation for the Catalyst 2950. What steps have you taken to lock down switch port security? Share your tips in this article’s discussion.