Basic switch security
In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found when using Packet Tracer the port-security didn’t work constantly and in some cases didn’t work at all.
I would recommend configuring this if possible on real equipment. Packet Tracer will accept the commands but the desired effect might not happen.
Our three switches have 24 ports each, currently only three ports are used on each switch. With the remaining ports we will turn these into access ports to stop someone from plugging in a switch and creating a trunk link but we will also shut them down.
By default switches are in desired mode, meaning if another switch is plugged in it will trunk.
configure terminal interface range fa0/4-fa0/24 switchport mode access shutdown
We’ll now configure fa0/3 on Switch A to dynamically learn the connected PC’s MAC address and setup violation so the port shutdowns if an unknown MAC address such as another device is plugged into fa0/3.
configure terminal interface fa0/3 switchport port-security switchport port-security mac sticky switchport port-security violation shutdown
The sticky command is useful for the switch to detect the MAC address, we can manually set the MAC address:
configure terminal interface fa/0/3 switchport port-security MAC
It’s possible to allow more than one MAC address assigned to a switchport:
configure terminal interface fa0/3 switchport port-security maximum 2
Other violation modes:
switchport port-security violation restrict switchport port-security violation protect
Restrict: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violation message is sent to a SNMP service if configured.
Protect: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violated message is not sent.
Configuring violations are all well and good but what happens if a PC hasn’t been live on a port for a while? a new PC will come along and the port may be put into a shutdown state.
We can configure how long before the MAC addresses are pruned using the aging command:
switchport port-security aging time 10
The aging timer is done in minutes, so 10 minutes in this example.
We can also prune the MAC addresses if the port has had no activity:
switchport port-security aging type inactivity
Verifying:
- show port-security interface <interface>
- show port-security address
Switch security practises:
- Ensure physical access to switches is restricted
- Set login password/enable passwords on switches and configure banners
- Web service can be disabled if the switch supports web service (no ip http server/secure server)
- Access-lists can be used to restrict SSH/telnet access by only allowing a specific subnet or host to SSH/telnet to the switch
- Use SSH rather than telnet as it’s more secure – Telnet is sent in plain text, SSH is encrypted
- Config logging to SNMP to capture violation etc