What is Switchport Security?
Switchport security is a feature used in network switches, particularly in Cisco devices, to provide a layer of security at the switch port level. This feature helps in preventing unauthorized access to the network by controlling which devices are allowed to connect to each switch port.
It is particularly relevant in environments where network security is a priority, such as in enterprise settings or where sensitive data is transmitted.
Here are the key aspects of switchport security:
MAC Address-Based Security: Switchport security typically involves restricting access to a switch port based on the MAC (Media Access Control) addresses of devices. A switch port can be configured to allow only a specified number of MAC addresses or specific MAC addresses to access the network through that port.
Security Violation Policies: When an unauthorized device tries to connect to a secured port, the switch can be configured to handle this violation in several ways:
Shutdown: The most secure option, where the switch port is automatically disabled when a violation occurs.
Restrict: The port remains active, but the switch restricts network access for the violating device and generates an alert.
Protect: The switch drops packets from the violating device without shutting down the port or alerting the administrator.
Dynamic Learning of MAC Addresses: Switches can be configured to dynamically learn and store the MAC addresses of devices when they first connect to a port. This allows for flexibility, as devices can be moved between ports without requiring manual reconfiguration.
Sticky MAC Addresses: This is a feature where dynamically learned MAC addresses are written into the running configuration of the switch as if they had been configured statically. If the running configuration is saved to the startup configuration, these addresses survive a reload, adding a level of convenience in managing allowed devices.
Aging Time: Some switchport security configurations allow for an aging time to be set, after which a dynamically learned MAC address will be forgotten, useful in environments where devices are frequently changed.
Application in Different Environments:
Switchport security is beneficial in various environments, such as in office buildings where network ports are accessible in public areas, or in scenarios where a network wants to ensure that only authorized devices have network access.
Conventional network security often focuses on routers and on blocking traffic from the outside. Switches are internal to the organization and are designed for ease of connectivity, so often only limited or no security measures are applied to them.
The following basic security features can be used to secure your switches and network:
* Physically secure the device
* Use secure passwords
* Enable SSH access
* Enable port security
* Disable HTTP access
* Disable unused ports
* Disable Telnet
Let us look at how to implement and configure some of the above-mentioned switch security features.
How to Configure Switchport Security Example.
How To Configure the Privileged EXEC Password.
Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#
How To Configure Virtual Terminal (Telnet) and Console Passwords.
A password should be required to access the console line. Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and the Telnet (VTY) lines:
SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#
How To Configure Password Encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.
SW1(config)#service password-encryption
SW1(config)#
How To Configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
- The banner text is case-sensitive. Make sure you do not add any spaces before or after the banner text.
- Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.
- After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.
SW1(config)#banner motd %Authorized Access Only%
SW1(config)#end
SW1#exit
How To Configure Port Security.
Enter the interface configuration mode for FastEthernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.
How To Configure the Maximum Number of MAC Addresses.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1
How To Configure the Port to Add the MAC Address to the Running Configuration.
The MAC address learned on the port can be added to ("stuck" to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky
How To Configure the Port to Automatically Shut Down if Port Security Is Violated.
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show mac-address-table command to confirm that SW1 has learned the MAC address of the intended device, in this case PC1.
SW1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0060.5c4b.cd22    STATIC      Fa0/11
Use the show port-security interface fa0/11 command to verify the port security state and to see whether a security violation has occurred:
SW1#show port-security interface fa0/11
Port Security: Enabled
Port Status: Secure-shutdown
Violation Mode: Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 1
Total MAC Addresses: 1
Configured MAC Addresses: 1
Sticky MAC Addresses : 0
Last Source Address:Vlan: 00E0.F7B0.086E:20
Security Violation Count: 1
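The following script is an added example, not part of the original article: it parses show port-security interface output like the one above (a constructed sample, not captured from a real switch) and reports whether the port was err-disabled, how many violations occurred and which source address triggered the last one.

```python
import re

# Constructed sample modelled on the show port-security interface output
# discussed above; it is not captured from a real switch.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.F7B0.086E:20
Security Violation Count   : 1
"""

def parse_port_security(text):
    """Split each 'Label : value' line into a dict. The label itself may
    contain a colon (Last Source Address:Vlan), so split on the first colon
    that is followed by whitespace."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess_port(text):
    """Summarise whether the port tripped port security and who tripped it."""
    f = parse_port_security(text)
    violations = int(f.get("Security Violation Count", "0"))
    # value has the form MAC:VLAN, so split at the last colon
    last_mac, _, vlan = f.get("Last Source Address:Vlan", "").rpartition(":")
    findings = []
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port err-disabled by port-security; investigate before re-enabling")
    if violations > 0:
        findings.append(f"{violations} violation(s), last source {last_mac} on VLAN {vlan}")
    if f.get("Violation Mode") == "Protect":
        findings.append("protect mode: frames are dropped silently and the counter is not incremented")
    return {"status": f.get("Port Status"), "violations": violations,
            "last_mac": last_mac, "vlan": vlan, "findings": findings}
```

Feeding the real command output from a switch (via SSH or a collected show-tech file) into assess_port gives the same structured result for every secured port.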
How To Secure Unused Ports.
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops any traffic from flowing through that port.
Step 1: Disable interface Fa0/10 on SW1.
Enter the interface configuration mode for FastEthernet 0/10 and shut down the port.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1
SW1(config)#interface range fa0/1-24
SW1(config-if-range)#shutdown
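As an added example (not from the original article), the audit below checks a running configuration for the two conditions the procedure above establishes: every access port is either shut down or protected by port security, and a secured port has not been silenced with protect mode or accidentally shut down by a range command. The configuration text is constructed for illustration, not taken from a real switch.

```python
import re

# Constructed running-config excerpt mirroring the lab above: Fa0/10 shut
# down, Fa0/11 secured, Fa0/12 left open, Fa0/13 secured but in protect mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport port-security
 switchport port-security violation protect
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the set of indented lines under it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = set()
        elif current and line.startswith(" "):
            stanzas[current].add(line.strip())
        else:
            current = None   # '!' or any other top-level line ends the stanza
    return stanzas

def audit(config):
    """Return {interface: [findings]} for every port that needs attention."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        down = "shutdown" in lines
        secured = "switchport port-security" in lines
        if not down and not secured:
            issues.append("up without port-security")   # any device may attach
        if secured and "switchport port-security violation protect" in lines:
            issues.append("protect mode drops silently, no alert or counter")
        if secured and down:
            issues.append("secured port is administratively down")  # e.g. hit by a range shutdown
        if issues:
            findings[name] = issues
    return findings
```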
In conclusion, switchport security is a vital component in network security, providing an additional layer of protection by controlling access at the physical port level. It is especially useful in preventing unauthorized or rogue devices from connecting to a network, thereby helping to protect sensitive data and resources.