CCNP-SWITCHING 300-115
Mohamed Samir YouTube channel
Double CCIEs #27042(R/S&SP)
Mohamed Samir
© 2015 Mohamed Samir YouTube channel
All rights reserved.
www.mohamedsamir.com
Part VII: Securing Switched Networks
Securing Switch Access
Port Security
• Switch(config-if)# switchport port-security
• Switch(config-if)# switchport port-security maximum 2 (range 1-1024)
• By default, port security will make sure that only one MAC address
• To make the learned addresses persistent across a switch reboot:
  Switch(config-if)# switchport port-security mac-address sticky
• Static:
  Switch(config-if)# switchport port-security mac-address 0006.5b02.a841
• Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
• Protect: all packets from violating MAC addresses are dropped
• Restrict: same as Protect, but a syslog message is also sent as an alert of the violation
Port Security
interface GigabitEthernet1/0/11
 switchport access vlan 991
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
• Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.
• You need to clear the port-security entries before this action:
• Switch# clear port-security {all | configured | dynamic | sticky} [address mac-addr | interface type member/mod/num]
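The restrict violation mode above only helps if someone actually reads the %PORT_SECURITY-2-PSECURE_VIOLATION messages. The following added example (not part of the slides) parses such syslog lines, counts violations per port, and flags ports where several distinct MAC addresses have violated, which usually points to more than one device behind an access port rather than one mis-patched host. The log lines are constructed for the example; the first one is the message quoted on the slide.

```python
import re
from collections import Counter, defaultdict

# Pattern for the IOS port-security violation message shown on the slide.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:\s*Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+?)\.?\s*$"
)

# Constructed sample syslog excerpt (assumed data, not a real capture).
SAMPLE_LOG = """\
Jun  3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet1/0/11.
Jun  3 17:18:45.102 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0102 on port GigabitEthernet1/0/11.
Jun  3 17:19:02.330 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Jun  3 17:19:10.007 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0103 on port GigabitEthernet1/0/11.
Jun  3 17:20:00.500 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0006.5b02.a841 on port GigabitEthernet1/0/20.
"""


def parse_violations(log_text):
    """Return a list of (port, mac) tuples, one per PSECURE_VIOLATION line.
    Lines that are not port-security violations are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("port"), m.group("mac").lower()))
    return events


def summarize(events):
    """Map port -> (violation count, set of distinct offending MACs)."""
    counts = Counter(port for port, _ in events)
    macs = defaultdict(set)
    for port, mac in events:
        macs[port].add(mac)
    return {port: (counts[port], macs[port]) for port in counts}


def noisy_ports(summary, min_distinct_macs=3):
    """Ports on which at least min_distinct_macs different MACs violated.
    One offending MAC is usually a mis-patched host; several suggest an
    unmanaged hub or another device with many hosts behind the port."""
    return sorted(port for port, (_, macs) in summary.items()
                  if len(macs) >= min_distinct_macs)


if __name__ == "__main__":
    summary = summarize(parse_violations(SAMPLE_LOG))
    for port, (count, macs) in sorted(summary.items()):
        print(f"{port}: {count} violations from {len(macs)} distinct MACs")
    print("ports to investigate:", noisy_ports(summary))
```

The threshold in noisy_ports is a judgement call: with "switchport port-security maximum 2" configured, a single extra MAC is expected noise when a phone and PC are re-cabled, while three or more distinct MACs on one port deserve a visit to the patch panel.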
Port-Based Authentication
• The switch port will not pass any traffic until a user has authenticated with the switch
• Both the switch and the end user's PC must support the 802.1X standard, using the Extensible Authentication Protocol over LANs (EAPOL)
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.1 key BigSecret
Switch(config)# radius-server host 10.1.1.2 key AnotherBigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range gigabitethernet1/0/1 - 40
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Switch(config-if)# dot1x host-mode multi-host
Storm Control
• Broadcast frames
• Multicast frames
• Unknown unicast frames
• Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
  level: percentage of interface bandwidth
  bps: bits per second
  pps: packets per second
• Switch(config-if)# storm-control action {shutdown | trap}
• The default action is to drop excessive frames
• Switch# show storm-control [interface-id] [broadcast | multicast | unicast]
Best Practices for Securing Switches
• Configure secure passwords: enable secret
• Use system banners
• Secure the web interface:
  If you do not need it, disable it:
  Switch(config)# no ip http server
  Otherwise:
  Switch(config)# ip http secure-server
  Switch(config)# access-list 1 permit 10.100.50.0 0.0.0.255
  Switch(config)# ip http access-class 1
• Secure the switch console
• Secure virtual terminal access:
  Switch(config)# access-list 10 permit 192.168.199.10
  Switch(config)# access-list 10 permit 192.168.201.100
  Switch(config)# line vty 0 15
  Switch(config-line)# access-class 10 in
Best Practices for Securing Switches
• Use SSH whenever possible:
  • SSH uses strong encryption to secure session data
  • You should use the highest SSH version that is available on a switch
• Secure SNMP access: use the secure features of SNMPv3
• Secure unused switch ports
• Secure STP operation
• Secure the use of CDP and LLDP (Link Layer Discovery Protocol)
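The port-security, 802.1X, storm-control and best-practice slides above each describe a setting that should be present on every access port or management line. An audit that checks a saved configuration against those settings is a practical way to catch drift. The following is an added example written for these notes, not code from the slides or from Cisco: it splits an IOS-style running-config into global lines, interface blocks and line blocks, then reports access ports missing port security, 802.1X (dot1x port-control auto) or a storm-control threshold, vty lines without an inbound access-class or still allowing telnet, and an enabled plaintext HTTP server. The configuration text is constructed for the example and deliberately mixes compliant and non-compliant settings.

```python
import re

# Constructed running-config excerpt (assumed data, not a real device).
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 dot1x port-control auto
 storm-control broadcast level 20.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_blocks(config):
    """Split an IOS config into (global_lines, blocks).
    blocks maps a section header such as 'interface GigabitEthernet1/0/1'
    or 'line vty 0 4' to its indented child lines; '!' ends a section."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(stripped)
        elif stripped.startswith(("interface ", "line ")):
            current = stripped
            blocks[current] = []
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, blocks


def audit(config):
    """Return a sorted list of findings, one string per missing or weak setting."""
    findings = []
    global_lines, blocks = parse_blocks(config)

    # Web interface: the slide says disable it, or use ip http secure-server.
    if "ip http server" in global_lines:
        findings.append("global: plaintext HTTP server enabled "
                        "(use 'no ip http server' or 'ip http secure-server')")

    for name, lines in blocks.items():
        if name.startswith("interface "):
            if "switchport mode access" not in lines:
                continue  # trunks and uplinks are out of scope for these checks
            if "switchport port-security" not in lines:
                findings.append(f"{name}: port security not enabled")
            if "dot1x port-control auto" not in lines:
                findings.append(f"{name}: 802.1X port-control not set to auto")
            if not any(l.startswith("storm-control ") for l in lines):
                findings.append(f"{name}: no storm-control threshold")
        elif name.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in$", l) for l in lines):
                findings.append(f"{name}: no inbound access-class")
            for l in lines:
                if l.startswith("transport input") and "telnet" in l.split():
                    findings.append(f"{name}: telnet allowed (use 'transport input ssh')")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Only ports configured with "switchport mode access" are checked, since the slides apply port security and 802.1X to user-facing access ports; the vty check looks for the "access-class 10 in" pattern from the slide on every vty range, so a second range such as "line vty 5 15" that was forgotten shows up as a finding.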
Any questions?
Thank you for your time!
Thanks
May God reward you with goodness