Understanding Switch Security: Ethernet Lans

The document discusses various methods for securing Ethernet LAN switch installations and configurations. It covers establishing passwords, login banners, securing remote access with SSH, configuring port security to limit MAC addresses per port, verifying port security, securing unused ports by disabling interfaces, and provides an overview of common physical, environmental, electrical and maintenance threats.


Understanding Switch Security

Ethernet LANs

http://vnexperts.net

ICND1 v1.01-1

Common Threats to Physical Installations


Hardware threats
Environmental threats
Electrical threats
Maintenance threats


Configuring a Switch Password


Configuring the Login Banner

Defines and enables a customized banner to be displayed before the username and password login prompts. The banner login command is entered in global configuration mode:

SwitchX(config)# banner login "Access for authorized users only. Please enter your username and password."


Telnet vs. SSH Access

Telnet
  Most common access method
  Insecure (session traffic is sent in cleartext)
SSH
  Encrypted

! The username command creates the username and password used for the SSH session
! (username <name> secret <password> stores the password hashed rather than reversibly and is preferred)
username cisco password cisco
! The RSA key pair requires a hostname and a domain name to be set before it can be generated
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
! Authenticate vty sessions against the local user database and accept only SSH, not Telnet
line vty 0 4
 login local
 transport input ssh


Configuring Port Security on the Cisco Catalyst 2960 Series

SwitchX(config-if)#switchport port-security [mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}]

SwitchX(config)#interface fa0/5
SwitchX(config-if)#switchport mode access
SwitchX(config-if)#switchport port-security
SwitchX(config-if)#switchport port-security maximum 1
SwitchX(config-if)#switchport port-security mac-address sticky
SwitchX(config-if)#switchport port-security violation shutdown


Verifying Port Security on the Catalyst 2960 Series

SwitchX#show port-security [interface interface-id] [address] [ | {begin | exclude | include} expression]

SwitchX#show port-security interface fastethernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 20 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

Verifying Port Security on the Catalyst 2960 Series (Cont.)

SwitchX#sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type               Ports   Remaining Age
                                                        (mins)
----    -----------       ----               -----   -------------
   1    0008.dddd.eeee    SecureConfigured   Fa0/5
------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

SwitchX#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
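The two show port-security views above are what an operator reads to find out whether a port has tripped. The following script is an added example, not part of the original slides: it parses the summary table and the per-interface view into structures and flags ports with a non-zero violation counter or a status other than Secure-up. The sample output is constructed to match the column layout shown on the slides; Fa0/6, its violation count and its Secure-shutdown state (the status IOS reports once a shutdown-mode violation has err-disabled the port) are constructed additions, not values from the slides. Only the Python standard library is used.

```python
"""Parse Cisco IOS 'show port-security' output and flag ports that need attention.

Added example (not from the original slides). The samples below are constructed
to match the layout IOS prints; Fa0/6 and its violation data are invented so the
checks have something to find.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of 'show port-security' (summary view).
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Shutdown
      Fa0/6              1            1                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Constructed sample of 'show port-security interface fastethernet 0/6' after a
# violation in shutdown mode has err-disabled the port.
SAMPLE_DETAIL = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 20 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0008.dddd.ffff
Security Violation Count   : 3
"""


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


# One data row: port name, three integer counters, then the configured action.
# Header, separator and "Total/Max Addresses" lines do not match this shape.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_summary(text: str) -> List[SecurePort]:
    """Return one SecurePort per data row of the summary table."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5)))
    return ports


def parse_detail(text: str) -> Dict[str, str]:
    """Turn the 'Field : Value' lines of the per-interface view into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def review_summary(ports: List[SecurePort]) -> List[str]:
    """Flag every port whose SecurityViolation counter is non-zero."""
    return [f"{p.name}: {p.violations} violation(s) recorded, action {p.action}"
            for p in ports if p.violations > 0]


def review_detail(name: str, fields: Dict[str, str]) -> List[str]:
    """Flag a port whose security is off or that has left the Secure-up state."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append(f"{name}: port security is not enabled")
    status = fields.get("Port Status", "")
    if status != "Secure-up":
        findings.append(f"{name}: status is {status}; last source "
                        f"{fields.get('Last Source Address')}")
    return findings


if __name__ == "__main__":
    for finding in review_summary(parse_summary(SAMPLE_SUMMARY)):
        print(finding)
    for finding in review_detail("Fa0/6", parse_detail(SAMPLE_DETAIL)):
        print(finding)
```

The Last Source Address field is the useful piece of evidence when a port has tripped: it is the MAC address that caused the last violation, which is what you would correlate with cabling records or DHCP logs before re-enabling the port.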


Securing Unused Ports

Unsecured ports can create a security hole.
A switch plugged into an unused port will be added to the network.
Secure unused ports by disabling interfaces (ports).


Disabling an Interface (Port)

SwitchX(config-if)# shutdown

To disable an interface, use the shutdown command in interface configuration mode.
To restart a disabled interface, use the no form of this command (no shutdown).
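The SSH, port-security and unused-port slides above each describe a configuration state that can be checked mechanically in the running-config. The following script is an added example, not part of the original slides: it parses an IOS-style configuration into sections and audits it for exactly those three points (vty lines restricted to SSH with local login, active access ports carrying port security, and known-unused ports shut down). The configuration is constructed from the commands on the slides plus two extra interfaces; the set of ports the operator knows to be unused is an assumption passed in by the caller, since "unused" is not visible in the configuration itself. Only the Python standard library is used.

```python
"""Audit an IOS running-config for the hardening steps on these slides.

Added example (not from the original slides). SAMPLE_CONFIG is constructed; the
unused-port set is an assumption supplied by the caller.
"""
from typing import Dict, Iterable, List

# Constructed sample: Fa0/5 is configured as on the slides, Fa0/6 is an active
# access port without port security, Fa0/7 is shut down, and the vty lines
# still accept Telnet alongside SSH.
SAMPLE_CONFIG = """\
hostname SwitchX
ip domain-name mydomain.com
ip ssh version 2
username cisco password cisco
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 shutdown
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its indented sub-commands (IOS indents with one space)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str, unused_ports: Iterable[str]) -> List[str]:
    """Return one finding per deviation from the slides' hardening steps."""
    sections = parse_sections(config)
    unused = set(unused_ports)
    findings: List[str] = []
    if "ip ssh version 2" not in sections:
        findings.append("global: 'ip ssh version 2' is not configured")
    for header, body in sections.items():
        if header.startswith("line vty"):
            # Anything other than exactly 'transport input ssh' still admits Telnet.
            if "transport input ssh" not in body:
                findings.append(f"{header}: Telnet not disabled (want 'transport input ssh')")
            if "login local" not in body:
                findings.append(f"{header}: 'login local' missing")
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            is_shut = "shutdown" in body
            if name in unused and not is_shut:
                findings.append(f"{name}: unused port is not shut down")
            if ("switchport mode access" in body and not is_shut
                    and "switchport port-security" not in body):
                findings.append(f"{name}: active access port without port security")
    # A port absent from the config runs with defaults, i.e. it is not shut down.
    for name in sorted(unused):
        if f"interface {name}" not in sections:
            findings.append(f"{name}: unused port has no configuration and is therefore up")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"FastEthernet0/7", "FastEthernet0/8"}):
        print(finding)
```

Running the audit against the sample reports Fa0/6 (no port security), the vty lines (Telnet still allowed) and Fa0/8 (an unused port that never received a shutdown); applying the commands from the slides to those three items brings the finding list to empty, which is the state worth re-checking after every change window.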


Summary

The first level of security is physical.
Passwords can be used to limit access to users that have been given the password.
The login banner can be used to display a message before the user is prompted for a username.
Telnet sends session traffic in cleartext; SSH encrypts the session traffic.
Port security can be used to limit MAC addresses to a port.
Unused ports should be shut down.
