Switch Port Security Summary
The most common understanding of port security is MAC-address-based control of network traffic: binding a MAC address to a specific port, limiting the number of MAC addresses allowed on a port, or blocking frames from particular MAC addresses on a port. An extension of port security is 802.1X, which controls network access at the port level.
First, MAC-address-to-port binding, and the configurations that permit traffic based on MAC address.
1. MAC address and port binding. When the MAC address of the connected host differs from the one specified on the switch, the switch shuts the corresponding port down. Before a MAC address can be assigned to a port, the port mode must be access or trunk.
3550-1(config)#interface FastEthernet0/1
! set the port mode (access or trunk) before applying port security
3550-1(config-if)#switchport mode access
! enable port security on the interface (not shown in the original; the options below take effect only once this is on)
3550-1(config-if)#switchport port-security
! bind the host MAC; IOS takes the H.H.H form, so 00-90-F5-10-79-C1 is written as 0090.f510.79c1
3550-1(config-if)#switchport port-security mac-address 0090.f510.79c1
! allow at most one MAC address on this port
3550-1(config-if)#switchport port-security maximum 1
! shut the port down when a frame does not match the configuration above
3550-1(config-if)#switchport port-security violation shutdown
2. Limiting port traffic by MAC address count. This configuration lets a trunk port carry up to 100 MAC addresses; once 100 have been learned, data frames from any new host are dropped.
3550-1(config)#interface FastEthernet0/1
3550-1(config-if)#switchport trunk encapsulation dot1q
! set the port mode to trunk
3550-1(config-if)#switchport mode trunk
! enable port security on the interface (not shown in the original; required before the options below take effect)
3550-1(config-if)#switchport port-security
! allow at most 100 MAC addresses on this port
3550-1(config-if)#switchport port-security maximum 100
! once 100 host MACs are known the switch keeps working, but frames from any new host are dropped
3550-1(config-if)#switchport port-security violation protect
The configurations above permit traffic based on MAC address; the ones below reject traffic based on MAC address.
1. On Catalyst switches this configuration filters only unicast traffic; it has no effect on multicast traffic.
! drop unicast frames with this MAC as source or destination in VLAN 2
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 drop
! static entry pinning this MAC to F0/1 in VLAN 2, so it is never learned on any other port
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 interface FastEthernet0/1
Understanding Port Security:
When you configure the maximum number of secure MAC addresses for a port, the secure addresses are entered into the address table in one of the following ways:
• You can configure all of the MAC addresses statically with switchport port-security mac-address.
• You can let the port learn secure MAC addresses dynamically from the MAC address of the connected device.
• You can configure some of the addresses statically and let the rest be learned dynamically.
Note: if the port is shut down, all dynamically learned secure MAC addresses are removed.
Once the configured maximum number of MAC addresses has been reached, those addresses are held in the address table. Setting the maximum to 1 and configuring the MAC address of the attached device ensures that this device alone has the bandwidth of the port.
A security violation occurs when either of the following happens:
• The maximum number of secure MAC addresses has been reached and a MAC address not in the address table attempts to access the port.
• A station whose MAC address is configured as a secure MAC address on another interface attempts to access this port.
You can configure one of three violation modes on the interface; they determine the action taken after a violation occurs:
protect: when the number of secure MAC addresses reaches the port's maximum, packets with an unknown source address are discarded until enough secure MAC addresses have been removed to bring the count below the maximum.
restrict: a port security violation restricts data and causes the "security violation" counter to increase.
shutdown: a port security violation puts the interface into the error-disabled state immediately and sends an SNMP trap. When a secure port is error-disabled, you must either enter the global errdisable recovery cause psecure-violation command or bring the port back manually with shutdown followed by no shutdown. This is the default action for port security violations.
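The three violation modes are easiest to compare by running frames through a small model. The following is an added example, not code from the original post or from Cisco: it reproduces the behaviour described above (dynamic learning up to the maximum, the two violation conditions, and the protect / restrict / shutdown actions, including error-disable recovery) on constructed port names and MAC addresses. The counter and notification handling for restrict and shutdown follow IOS behaviour; the class and method names are this example's own.

```python
"""Model of Catalyst port-security violation handling (added example)."""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    """One interface with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                    # switchport port-security maximum N
    violation: str = "shutdown"         # switchport port-security violation <mode>
    static_macs: set = field(default_factory=set)  # ... mac-address H.H.H entries
    learned: set = field(default_factory=set)      # dynamically learned secure MACs
    violation_count: int = 0            # "Security Violation Count" of the port
    errdisabled: bool = False
    notifications: list = field(default_factory=list)  # stand-in for SNMP trap / syslog

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")
        self.static_macs = {m.lower() for m in self.static_macs}
        if len(self.static_macs) > self.maximum:
            raise ValueError(f"{self.name}: more static secure MACs than maximum")

    def secure_macs(self) -> set:
        return self.static_macs | self.learned


class Switch:
    """Holds the secure ports and enforces both violation conditions."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac: str):
        """Port on which 'mac' is already a secure address, if any."""
        for port in self.ports.values():
            if mac in port.secure_macs():
                return port
        return None

    def receive(self, port_name: str, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'errdisable' for a frame arriving on port_name."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.errdisabled:
            return "errdisable"  # interface is down; nothing passes until recovery
        owner = self.owner_of(mac)
        if owner is port:
            return "forward"  # already a secure address of this port
        if owner is None and len(port.secure_macs()) < port.maximum:
            port.learned.add(mac)  # room left: learn dynamically and forward
            return "forward"
        # Violation: the table is full, or the MAC is secured on another port.
        return self._violate(port, mac)

    @staticmethod
    def _violate(port: SecurePort, mac: str) -> str:
        if port.violation == "protect":
            return "drop"  # silently discarded: no counter, no trap
        port.violation_count += 1
        port.notifications.append(f"PSECURE_VIOLATION {mac} on {port.name}")
        if port.violation == "restrict":
            return "drop"  # dropped, counted and reported; port stays up
        port.errdisabled = True  # shutdown: interface goes error-disabled
        port.learned.clear()     # a shut port loses its dynamic addresses
        return "errdisable"

    def recover(self, port_name: str):
        """Model 'errdisable recovery cause psecure-violation' or shut / no shut."""
        port = self.ports[port_name]
        port.errdisabled = False
        port.learned.clear()


def demo():
    """Run constructed frames through the three modes; returns the decision trace."""
    sw = Switch([
        SecurePort("Fa0/1", maximum=1, violation="shutdown", static_macs={"0090.f510.79c1"}),
        SecurePort("Fa0/2", maximum=2, violation="restrict"),
        SecurePort("Fa0/3", maximum=2, violation="protect"),
    ])
    frames = [("Fa0/1", "0090.f510.79c1"), ("Fa0/1", "0000.0000.aaaa"),
              ("Fa0/2", "0000.0000.aaaa"), ("Fa0/2", "0000.0000.bbbb"),
              ("Fa0/2", "0000.0000.cccc"), ("Fa0/3", "0000.0000.aaaa")]
    trace = [(p, m, sw.receive(p, m)) for p, m in frames]
    for p, m, d in trace:
        print(f"{p} {m}: {d}")
    return trace


if __name__ == "__main__":
    demo()
```

The last frame in demo() shows the second violation condition: 0000.0000.aaaa is already secured on Fa0/2, so its appearance on Fa0/3 is a violation even though Fa0/3 still has room, and in protect mode it is dropped without touching the counter.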
Default port Security Configuration:
The port security defaults under the interface are:
Port security: disabled.
Maximum number of secure MAC addresses: 1.
Violation mode: shutdown; the port is shut down when a violation occurs and an SNMP trap is sent.
Guidelines for configuring port security:
• Port security cannot be configured on a dynamic access port or a trunk port; in other words, set switchport mode access first, then enter switchport port-security.
• A secure port cannot be a protected port.
• A secure port cannot be a SPAN destination port.
• A secure port cannot belong to a GEC or FEC (EtherChannel) group.
• A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears and 802.1X stays off. If you try to make a port with 802.1X enabled a secure port, an error message appears and the security settings do not change.
Finally, the concept and configuration of 802.1X.
The 802.1X authentication protocol was originally used for wireless networks and was later adopted on network devices such as ordinary switches and routers. It authenticates users on a per-port basis: when a user's traffic arrives on a port configured for 802.1X, the user must authenticate before access to the network is granted. The advantage is that users can be authenticated on the intranet, and the configuration is simple enough to replace Windows AD to some extent.
To configure 802.1X authentication, first enable AAA authentication globally (not much different from using AAA authentication at the network edge, except that the authentication protocol is 802.1X); second, enable 802.1X authentication on the appropriate interfaces. (It is recommended to enable 802.1X on all ports and to use a RADIUS server to manage user names and passwords.)
The following configuration uses the local username and password database for AAA authentication.
! enable AAA
3550-1(config)#aaa new-model
! make 802.1X use the local username/password database as its default method
3550-1(config)#aaa authentication dot1x default local
! globally enable 802.1X on the switch (not in the original; required on later 3550 IOS releases)
3550-1(config)#dot1x system-auth-control
3550-1(config)#interface range FastEthernet0/1 - 24
! require 802.1X authentication on each of these interfaces
3550-1(config-if-range)#dot1x port-control auto
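Checking that a switch actually matches the recipes above (the access-port binding and trunk-limit configurations at the top of the post, and the AAA / 802.1X configuration just shown) is a task a practitioner does against show running-config output. The following is an added example, not code from the original post or from Cisco: it parses a constructed running-config fragment into per-interface blocks and reports deviations from an assumed policy, namely that port security must be switched on with switchport port-security before its options mean anything, that it needs an explicit access or trunk mode, that access ports keep maximum 1 and violation shutdown, that every port has dot1x port-control auto, and that AAA is enabled globally wherever 802.1X is referenced. The policy thresholds, the interface contents and the function names are this example's assumptions.

```python
"""Audit of port-security and 802.1X settings in a running-config (added example)."""
import re

# Constructed 'show running-config' fragment; Fa0/2 and Fa0/3 are deliberately wrong.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default local
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0090.f510.79c1
 switchport port-security violation shutdown
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security maximum 1
 dot1x port-control auto
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 100
 switchport port-security violation protect
 dot1x port-control auto
!
"""

MAX_RE = re.compile(r"^switchport port-security maximum (\d+)$")
VIOL_RE = re.compile(r"^switchport port-security violation (protect|restrict|shutdown)$")


def parse_running_config(text):
    """Split running-config text into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separates configuration sections
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, message) findings for the assumed policy."""
    global_lines, interfaces = parse_running_config(text)
    findings, dot1x_referenced = [], False
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        psec = [l for l in lines if l.startswith("switchport port-security")]
        enabled = "switchport port-security" in lines  # the bare enable command
        maximum, violation = 1, "shutdown"            # IOS defaults when unset
        for l in psec:
            m = MAX_RE.match(l)
            if m:
                maximum = int(m.group(1))
            v = VIOL_RE.match(l)
            if v:
                violation = v.group(1)
        if psec and not enabled:
            findings.append((name, "port-security options present but 'switchport port-security' is not enabled"))
        if psec and mode not in ("access", "trunk"):
            findings.append((name, "port-security needs an explicit access or trunk mode; dynamic ports are rejected"))
        if mode == "access" and (maximum != 1 or violation != "shutdown"):
            findings.append((name, f"access port deviates from maximum 1 / violation shutdown "
                                   f"(maximum {maximum}, violation {violation})"))
        if "dot1x port-control auto" in lines:
            dot1x_referenced = True
        else:
            findings.append((name, "802.1X not enabled (missing 'dot1x port-control auto')"))
    if dot1x_referenced:
        if "aaa new-model" not in global_lines:
            findings.append(("global", "'aaa new-model' missing; dot1x authentication cannot be applied"))
        if not any(l.startswith("aaa authentication dot1x ") for l in global_lines):
            findings.append(("global", "no 'aaa authentication dot1x' method list configured"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```

Against SAMPLE_CONFIG the audit passes Fa0/1 and the trunk port Fa0/4, flags Fa0/2 three times (options without the enable command, protect on an access port, no 802.1X) and Fa0/3 once (no explicit port mode). Removing aaa new-model from the text adds a global finding, since every dot1x port-control auto line then has no AAA behind it.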
Controlling network traffic by MAC address can be achieved with the configurations above, and also with access control lists: on the Catalyst 3550, for example, MAC address filtering can be implemented with access lists numbered 700-799. Using access control lists for this is more cumbersome and seems to be used less, so it is not covered further here.
Although MAC address binding protects the intranet to some extent, its effect is limited; using the 802.1X authentication protocol is recommended instead. 802.1X is the better choice in terms of controllability and manageability.