CISCO PRESENTATION
Enabling Port Security
2950 CISCO SWITCH
The Cisco Catalyst® 2950 Series is a family of wire-speed Fast Ethernet desktop switches that delivers the next generation of performance and functionality for the LAN: 10/100/1000BaseT uplinks, enhanced IOS services, quality of service (QoS), multicast management, high availability and security features, all manageable through a simple Web-based interface.
Introduction
Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets whose source addresses are outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port.
IMPORTANT NOTE
Port security can only be configured on static access ports.
Secured ports generate address-security violations under these conditions:
- The address table of a secured port is full, and the source address of an incoming packet is not found in the table.
- An incoming packet has a source address that is assigned as a secure address on another port.
ADVANTAGES OF PORT SECURITY
- Dedicated bandwidth: if the size of the address table is set to 1, the attached device is guaranteed the full bandwidth of the port.
- Added security: frames from unknown devices are not forwarded on the port. Note that port security checks only the source MAC address of each frame; it does not authenticate the device, so an attacker who learns a secure address can still spoof it.
FIELDS USED TO CONFIGURE AND VALIDATE PORT SECURITY
These are the per-port settings and counters presented by the switch's management interface for port security:
- Interface: port to secure.
- Security: enable port security on the port.
- Trap: issue an SNMP trap when an address-security violation occurs.
- Shutdown Port: disable the port when an address-security violation occurs.
- Secure Addresses: number of addresses in the secure address table for this port. Secure ports have at least one address.
- Max Addresses: number of addresses that the secure address table for the port can contain.
- Security Rejects: number of unauthorized addresses seen on the port.
Security Violation Mode
- Shutdown: the interface is shut down (placed in the error-disabled state) immediately following a security violation and stays down until it is re-enabled (shutdown / no shutdown on the interface, or errdisable recovery).
- Restrict: frames with unknown source addresses are dropped, the violation counter is incremented and a trap is sent to the network management station; the port stays up.
- Protect: when the port's secure addresses reach the allowed limit, all packets with unknown source addresses are dropped silently, with no trap and no counter increment.
The default is shutdown.
Defining the Maximum Secure Address Count
A secure port can have from 1 to 132 associated secure addresses. Setting the maximum to one address ensures that the attached device has the full bandwidth of the port. If the maximum is set anywhere in that range and fewer addresses than the maximum have been assigned by the user, the remaining entries are dynamically learned from incoming traffic and become secure addresses.
IMPORTANT NOTE
If the port link goes down, all the dynamically learned addresses are removed
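The following is an added example, not code from the presentation or from Cisco: a small Python model of the secure-port behaviour described on the preceding slides (the two violation conditions, the three violation modes with shutdown as the default, the 1 to 132 address maximum, and the removal of dynamically learned addresses when the link goes down). The port names, MAC addresses and result strings are assumptions made for the illustration.

```python
"""Toy model of the Catalyst 2950 secure-port behaviour described on the
slides (constructed illustration, not Cisco code).

Modelled: a per-port secure address table, dynamic learning up to the
configured maximum (1..132), the two violation conditions, the three
violation modes (shutdown is the default) and the flush of dynamically
learned addresses when the link goes down.
"""

VIOLATION_MODES = ("shutdown", "restrict", "protect")


class SecurePort:
    """One static access port with port security enabled."""

    MAX_SECURE_ADDRS = 132  # upper limit quoted on the slides

    def __init__(self, name, maximum=1, violation="shutdown", static=()):
        if not 1 <= maximum <= self.MAX_SECURE_ADDRS:
            raise ValueError("maximum must be between 1 and 132")
        if violation not in VIOLATION_MODES:
            raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.static = set(static)      # secure addresses assigned by the user
        self.dynamic = []              # secure addresses learned from traffic
        self.security_rejects = 0      # the "Security Rejects" counter
        self.err_disabled = False      # set by the shutdown mode
        self.traps = []                # SNMP traps the port would send

    def secure_addresses(self):
        return self.static | set(self.dynamic)

    def link_down(self):
        """Link loss removes only the dynamically learned addresses."""
        self.dynamic.clear()


class Switch:
    """Holds the secure ports and decides what happens to each frame."""

    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def receive(self, port_name, src_mac):
        """Return what the switch does with a frame from src_mac on a port."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped: port err-disabled"
        # Violation condition 2: the source address is already a secure
        # address on another port.
        for other in self.ports.values():
            if other is not port and src_mac in other.secure_addresses():
                return self._violation(port, src_mac, f"secure on {other.name}")
        if src_mac in port.secure_addresses():
            return "forwarded"
        if len(port.secure_addresses()) < port.maximum:
            port.dynamic.append(src_mac)   # learned; now a secure address
            return "learned, forwarded"
        # Violation condition 1: the table is full and the address is unknown.
        return self._violation(port, src_mac, "address table full")

    @staticmethod
    def _violation(port, src_mac, reason):
        if port.violation == "protect":
            # Protect drops the frame silently: no trap, no counter.
            return f"dropped ({reason})"
        port.security_rejects += 1
        port.traps.append(f"{port.name}: violation by {src_mac} ({reason})")
        if port.violation == "shutdown":
            port.err_disabled = True   # needs shutdown / no shutdown to recover
            return f"port shut down ({reason})"
        return f"dropped, trap sent ({reason})"


def demo():
    """Walk the three modes through a constructed scenario; returns (switch, log)."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1"))                                   # max 1, shutdown
    sw.add_port(SecurePort("Fa0/2", maximum=2, violation="restrict"))
    sw.add_port(SecurePort("Fa0/3", violation="protect", static={"0000.0c00.0003"}))
    log = []
    for port, mac in [("Fa0/1", "0000.0c00.0001"), ("Fa0/1", "0000.0c00.0009"),
                      ("Fa0/2", "0000.0c00.0021"), ("Fa0/2", "0000.0c00.0022"),
                      ("Fa0/2", "0000.0c00.0023"), ("Fa0/3", "0000.0c00.0021")]:
        log.append(f"{port} {mac}: {sw.receive(port, mac)}")
    sw.ports["Fa0/2"].link_down()                     # dynamic entries flushed
    log.append(f"Fa0/2 0000.0c00.0023: {sw.receive('Fa0/2', '0000.0c00.0023')}")
    return sw, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running the module shows the second address on Fa0/1 shutting the port down, the third address on Fa0/2 being dropped with a trap while the port stays up, the Fa0/2 address reappearing on Fa0/3 being dropped silently in protect mode, and the same third address being learned on Fa0/2 once the link-down has flushed the dynamic entries.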
Enabling Port Security on The Switch
Beginning in privileged EXEC mode on the switch, follow these steps to enable port security on a port and restrict it to a defined set of source MAC addresses.
TABLE OF COMMANDS

| Step | Command | Purpose |
|---|---|---|
| 1 | configure terminal | Enter global configuration mode. |
| 2 | interface interface | Enter interface configuration mode for the port you want to secure. |
| 3 | switchport port-security | Enable basic port security on the interface. |
| 4 | switchport port-security maximum max_addrs | Set the maximum number of MAC addresses allowed on this interface. |
| 5 | switchport port-security violation {shutdown \| restrict \| protect} | Set the security violation mode for the interface. The default is shutdown. For mode, select one of these keywords: shutdown (the interface is shut down immediately following a security violation); restrict (a security violation sends a trap to the network management station); protect (when the port secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped). |
| 6 | end | Return to privileged EXEC mode. |
| 7 | show port security [interface interface-id \| address] | Verify the entry (on later 2950 IOS releases the command is show port-security). |
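As an added example (not part of the presentation and not Cisco software), the Python below renders the interface commands from the step table for a given port and then audits a constructed sample of the switch's port-security summary against an intended policy. Assumptions: the interface names, the sample output layout (modelled on the summary printed by `show port-security` on later 2950 IOS releases), the POLICY dictionary, and the extra `switchport mode access` line, which is included because port security can only be configured on a static access port.

```python
"""Render the per-port configuration from the step table above and audit
the live port-security summary against the intended policy
(constructed example, not Cisco code)."""
import re

VIOLATION_MODES = ("shutdown", "restrict", "protect")


def port_security_config(interface, maximum=1, violation="shutdown"):
    """IOS lines for steps 1 to 6 of the table for one interface.

    'switchport mode access' is added because port security can only be
    configured on a static access port (it is not one of the table's steps).
    """
    if not 1 <= maximum <= 132:
        raise ValueError("the 2950 allows 1 to 132 secure addresses per port")
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation must be one of {VIOLATION_MODES}")
    return [
        "configure terminal",
        f"interface {interface}",
        "switchport mode access",
        "switchport port-security",
        f"switchport port-security maximum {maximum}",
        f"switchport port-security violation {violation}",
        "end",
    ]


# One data row of the summary: port, max, current, violation count, action.
# Header, dash and 'Total ...' lines do not match because their second
# field is not numeric.
_SUMMARY_ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$")


def parse_port_security_summary(text):
    """Return {port: {max, current, violations, action}} from the summary."""
    rows = {}
    for line in text.splitlines():
        m = _SUMMARY_ROW.match(line)
        if m:
            rows[m["port"]] = {"max": int(m["max"]), "current": int(m["cur"]),
                               "violations": int(m["viol"]),
                               "action": m["action"].lower()}
    return rows


def audit(rows, policy):
    """Compare the parsed summary with the intended per-port policy."""
    findings = []
    for port, want in sorted(policy.items()):
        row = rows.get(port)
        if row is None:
            findings.append(f"{port}: port security not enabled")
            continue
        if row["max"] != want["maximum"]:
            findings.append(f"{port}: maximum is {row['max']}, policy says {want['maximum']}")
        if row["action"] != want["violation"]:
            findings.append(f"{port}: violation mode is {row['action']}, policy says {want['violation']}")
        if row["violations"]:
            findings.append(f"{port}: {row['violations']} security violation(s) recorded")
    return findings


# Constructed sample of the summary output (assumed layout, see lead-in).
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              2            2                  3         Restrict
      Fa0/4              1            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Assumed policy: one address per port and shutdown on violation, except
# Fa0/4, which is allowed to drop silently.
POLICY = {
    "Fa0/1": {"maximum": 1, "violation": "shutdown"},
    "Fa0/2": {"maximum": 1, "violation": "shutdown"},
    "Fa0/3": {"maximum": 1, "violation": "shutdown"},
    "Fa0/4": {"maximum": 1, "violation": "protect"},
}

if __name__ == "__main__":
    print("\n".join(port_security_config("FastEthernet0/1")))
    for finding in audit(parse_port_security_summary(SAMPLE_SUMMARY), POLICY):
        print(finding)
```

Run as a script it prints the seven configuration lines for FastEthernet0/1 and then four findings: Fa0/2 has a larger maximum and a different violation mode than the policy and has already recorded violations, and Fa0/3 has no port security at all. Fa0/1 and Fa0/4 match the policy and produce no finding.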
DISABLING PORT SECURITY

| Step | Command | Purpose |
|---|---|---|
| 1 | configure terminal | Enter global configuration mode. |
| 2 | interface interface | Enter interface configuration mode for the port that you want to unsecure. |
| 3 | no switchport port-security | Disable port security. |
| 4 | end | Return to privileged EXEC mode. |
| 5 | show port security [interface interface-id \| address] | Verify the entry. |
AVOID CONFIGURATION CONFLICTS
Certain combinations of port features conflict with one another. For example, if you define a port as the network port for a VLAN, all unknown unicast and multicast traffic is flooded to that port. You cannot enable port security on the network port, because a secure port limits the traffic allowed on it.
In the table of conflicting features, No means that the two features are incompatible and must not both be enabled; Yes means that both can be enabled at the same time without causing a conflict.
If you try to enable incompatible features by using CMS, it issues a warning message that you are configuring a setting that is incompatible with another setting, and the switch does not save the change.
TABLE OF CONFLICTING FEATURES

| | Port Group | Port Security | SPAN Source Port | SPAN Destination Port | Connect to Cluster | Protected Port | 802.1X Port |
|---|---|---|---|---|---|---|---|
| Port Group | - | No | Yes | No | Yes | Yes | No |
| Port Security | No | - | Yes | No | Yes | No | No |
| SPAN Source Port | Yes | Yes | - | No | Yes | Yes¹ | Yes |
| SPAN Destination Port | No | No | No | - | Yes | Yes | No |
| Connect to Cluster | Yes | Yes | Yes | Yes | - | Yes | - |
| Protected Port | Yes | No | Yes¹ | Yes¹ | Yes | - | - |
| 802.1X Port | No | No | Yes | No | - | - | - |

¹ Footnote marker from the original table; the footnote text is not included in the transcript.