CISCO PRESENTATION Enabling Port Security 1 2950 CISCO SWITCH 2 2950 CISCO SWITCH The Cisco Catalyst 2950 Series is a family of wire-speed Fast Ethernet desktop switches that delivers the next generation of performance and functionality for the LAN with 10/100/1000BaseT uplinks, enhanced IOS service, quality of service (QoS), multicast management, high availability and security features using a simple, Web-based interface. 3
Introduction Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port. 4 IMPORTANT NOTE Port security can only be configured on static access ports. 5 Secured ports generate address-security violations under these conditions
The address table of a secured port is full, and the address of an incoming packet is not found in the table. An incoming packet has a source address assigned as a secure address on another port 6 ADVANTAGES OF PORT SECURITY Dedicated bandwidth If the size of the address table is set to 1, the attached device is guaranteed the full bandwidth of the port. Added securityUnknown devices cannot connect to the port 7 COMMANDS TO VALIDATE PORT SECURITY Interface :Port to secure.
Security :Enable port security on the port. Trap :Issue a trap when an address-security violation occurs. Shutdown Port :Disable the port when an address-security violation occurs. 8 COMMANDS TO VALIDATE PORT SECURITY Secure Addresses :Number of addresses in the secure address table for this port. Secure ports have at least one address. Max Addresses :Number of addresses that the secure address table for the port can contain. Security Rejects :Number of unauthorized addresses seen on the port. 9 Security Violation Mode Shutdown- The interface is shut down immediately following a security violation Restrict- A security violation sends a trap to the
network management station. Protect- When the port secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped. **The default is shutdown 10 Defining the Maximum Secure Address Count A secure port can have from 1 to 132 associated secure addresses. Setting one address in the MAC address table for the port ensures that the attached device has the full bandwidth of the port. If the secure-port maximum addresses are set between 1 to 132 addresses and some of the secure addresses have not been added by user, the remaining addresses are dynamically learnt and become secure addresses. 11
IMPORTANT NOTE If the port link goes down, all the dynamically learned addresses are removed 12 Enabling Port Security on The Switch Beginning in privileged EXEC mode on the switch, follow these steps to enable port security, these settings will guarantee accurate and tight security. 13 TABLE OF COMMANDS Command Purpose Step 1
configure terminal Enter global configuration mode. Step 2 interface interface Enter interface configuration mode for the port you want to secure. Step 3 switchport portsecurity Enable basic port security on the interface. Step 4 switchport portsecurity maximum
max_addrs Set the maximum number of MAC addresses that is allowed on this interface. 14 TABLE OF COMMANDS Step 5 switchport port-security violation {shutdown | restrict | protect} Set the security violation mode for the interface. The default is shutdown. For mode, select one of these keywords: shutdownThe interface is shut down immediately following a security violation. restrictA security violation sends a trap
to the network management station. protectWhen the port secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped. Step 6 end Return to privileged EXEC mode. Step 7 show port security [interface interface-id | address] Verify the entry. 15
DISABLING PORT SECURITY Step 1 configure terminal Enter global configuration mode. Step 2 interface interface Enter interface configuration mode for the port that you want to unsecure. Step 3 no switchport portsecurity Disable port security.
Step 4 end Return to privileged EXEC mode. Step 5 show port security [interface interfaceid | address] Verify the entry. 16 AVOID CONFIGURATION CONFLICTS Certain combinations of port features conflict with one another. For example, if you define a port as the network port for a VLAN, all unknown unicast and multicast traffic is flooded to the port. You could not enable port security on the network port because a secure port limits the
traffic allowed on it. In the table of conflicting features, no means that the two features are incompatible and that both should not be enabled; yes means that both can be enabled at the same time and will not cause an incompatibility conflict. If you try to enable incompatible features by using CMS, it issues a warning message that you are configuring a setting that is incompatible with another setting, and the switch does not save the change 17 TABLE OF CONFLICTING FEATURES Port Group Port Security SPAN Source Port
SPAN Destination Port Connect to Cluster Protected Port 802.1X Port Port Group - No Yes No
Yes Yes No Port Security No - Yes No Yes No No
SPAN Source Port Yes Yes - No Yes Yes1 Yes SPAN Destination Port
No No No - Yes Yes No Connect to Cluster Yes Yes Yes
Yes - Yes - Protected Port Yes No Yes1 Yes1 Yes -
- 802.1X Port No No Yes No - - - 18
