Conventional network security often focuses on routers and on blocking traffic from the outside. Switches are internal to the organization and designed for ease of connectivity, so often only limited security measures, or none at all, are applied to them.
The following basic security features can be used to secure your switches and network:
* Physically secure the device
* Use secure passwords
* Enable SSH access
* Enable port security
* Disable HTTP access
* Disable unused ports
* Disable Telnet
Let's look at how to implement and configure some of the above mentioned switch security features.
1. How to configure the privileged EXEC password.
Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#
2. How to configure virtual terminal (Telnet) and console passwords and require users to log in.
A password should be required to access the console line. Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and Telnet lines:
SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#
3. How to configure password encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.
SW1(config)#service password-encryption
SW1(config)#
4. How to configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
i. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.
ii. Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.
iii. After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.
SW1(config)#banner motd %Authorized Access Only%
SW1(config)#end
SW1#exit
5. How to configure port security
Enter interface configuration mode for FastEthernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.
6. How to configure the maximum number of MAC addresses.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1
7. How to configure the port to add the MAC address to the running configuration.
The MAC address learned on the port can be added to ("stuck" to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky
8. How to configure the port to automatically shut down if port security is violated.
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show mac-address-table command to confirm that SW1 has learned the MAC address for the intended device, in this case PC1.
SW1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0060.5c4b.cd22 STATIC Fa0/11
You can also use the show port-security interface fa0/11 command to verify whether a security violation has occurred on the port.
SW1#show port-security interface fa0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
9. How to secure unused ports
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops traffic from flowing through the port(s).
Step 1: Disable interface Fa0/10 on SW1.
Enter interface configuration mode for FastEthernet 0/10 and shut down the port.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1.
SW1(config)#interface range fa0/1-24
SW1(config-if-range)#shutdown
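As an added example that is not part of the original post, the following Python script audits a saved running-config for the hardening steps described above (enable secret, service password-encryption, MOTD banner, login on the lines, Telnet disabled, port security on live ports, unused ports shut down). The sample configuration, its hostname and its interface numbers are constructed for the demonstration.

```python
# Constructed sample running-config (not taken from the page) used as audit input.
SAMPLE_CONFIG = """\
hostname SW1
enable secret 5 $1$placeholder
banner motd ^CAuthorized Access Only^C
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/12
 switchport mode access
!
line vty 0 15
 password cisco
 login
 transport input telnet ssh
"""

# Port-security sub-commands this page expects on every enabled access port.
REQUIRED_PORT_SECURITY = (
    "switchport port-security maximum 1",
    "switchport port-security mac-address sticky",
    "switchport port-security violation shutdown",
)

def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) sections."""
    blocks, current = [], ("", [])
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue                      # skip separators and blank lines
        if line.startswith(" "):
            current[1].append(line.strip())
        else:
            blocks.append(current)
            current = (line, [])
    blocks.append(current)
    return blocks

def audit_config(config):
    """Return a list of findings, one per hardening step that is missing."""
    findings, blocks = [], parse_blocks(config)
    headers = [h for h, _ in blocks]
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("no 'enable secret' configured")
    if "service password-encryption" not in headers:
        findings.append("line passwords stored in clear text (no service password-encryption)")
    if not any(h.startswith("banner motd") for h in headers):
        findings.append("no MOTD banner")
    for header, body in blocks:
        if header.startswith("line "):
            if "login" not in body and "login local" not in body:
                findings.append(f"{header}: login not required")
            for t in body:                # Telnet should be disabled on VTY lines
                if t.startswith("transport input") and "telnet" in t:
                    findings.append(f"{header}: Telnet allowed ({t})")
        elif header.startswith("interface FastEthernet"):
            if "shutdown" in body:
                continue                  # unused port already disabled
            if "switchport port-security" not in body:
                findings.append(f"{header}: port security not enabled")
            else:
                missing = [c for c in REQUIRED_PORT_SECURITY if c not in body]
                if missing:
                    findings.append(f"{header}: missing {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, it reports the missing service password-encryption, the unsecured FastEthernet0/12, and Telnet still allowed on the VTY lines, while the secured Fa0/11 and the shut-down Fa0/10 produce no findings.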