Securing Switch Access

Uploaded by sagar002100

Summary: This document discusses several methods for securing switch access and ports: 1. shutting down unused ports and applying descriptions; 2. enabling MAC address binding (port security) so that only authorized devices can use a port, shutting the port down on a violation; 3. setting storm control limits to stop floods of broadcast, multicast and unknown unicast frames; 4. configuring port-based 802.1X authentication against a RADIUS (AAA) server to secure switch ports.

Port Security

A. Shutdown unused ports

conf t
interface range f0/11-15
shutdown
description Unused port - administratively shut down
end

SW# show ip interface brief   (the shut ports must show "administratively down")

SW# show run   (confirms the shutdown and description lines are present on each port)

B. MAC binding (port security)

conf t
interface f0/11
switchport mode access   (port security cannot be enabled while the port is still in dynamic/negotiating mode)
switchport port-security
switchport port-security maximum 1   (default is 1; it does not appear in show run)
switchport port-security mac-address sticky   (the first MAC seen is learned and written into the running-config; save with write memory or it is lost on reload)
switchport port-security violation shutdown   (default action; also omitted from show run)
end

Violation actions (what happens when a frame arrives from a MAC that is not allowed, or the maximum is exceeded):
1. Protect - offending frames are dropped silently: no syslog message, no SNMP trap, no violation counter.
2. Restrict - offending frames are dropped, a syslog message and SNMP trap are generated and the violation counter increments; the port stays up.
3. Shutdown - the port goes into the err-disabled state (no traffic at all), with syslog, trap and counter. This is the default.

Recovery of a port from err-disable state

1. Manual recovery
conf t
interface f0/11
shutdown
no shutdown
end

2. Auto-recovery
conf t
errdisable recovery cause psecure-violation
errdisable recovery interval 100   (seconds; range 30-86400, default 300)
end

Auto-recovery only brings the port back up when the interval expires. Remove the unauthorized device first, otherwise its next frame puts the port straight back into err-disabled state.

Verification
SW# show run
SW# show mac address-table   (sticky secure addresses show up as type STATIC)
SW# show port-security   (per-port maximum, current count, violation count and action)
SW# show port-security interface f0/11   (port status, violation mode, last source MAC address)

Storm Control

A switch floods the following frame types out of every port in the VLAN except the one they arrived on:

- Broadcast frames
- Multicast frames
- Unknown unicast frames (destination MAC not in the MAC address table)

Storm control sets a per-port threshold for each flooded traffic type so that a storm (a loop, a faulty NIC or a deliberate flood) is suppressed before it saturates the network. When the incoming rate of that type exceeds the rising threshold, the excess is dropped until the rate falls below the threshold again.

conf t
interface range f0/1-10
storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps | pps pps}   (level is a percentage of port bandwidth, bps/pps are absolute rates; the optional falling threshold defaults to the rising one)
storm-control action {shutdown | trap}   (shutdown err-disables the port; trap sends an SNMP trap and keeps dropping the excess; with no action configured the excess is simply dropped)
end

SW# show storm-control interface f0/1   (shows the thresholds, the current rate and whether the port is currently suppressing)
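The three controls above (unused ports shut down with a description, port security on static access ports, storm control per flooded traffic type) are easy to configure on one port and easy to miss on the next. The script below audits a running-config for them; it is an added example, not part of the original document. It assumes the text is in the form `show running-config` prints it (one-space indented sub-commands under `interface` stanzas), it treats `dot1x port-control auto` as an acceptable alternative per-port control, and it fills in the defaults IOS leaves out of `show run` (`maximum 1`, `violation shutdown`). `SAMPLE_CONFIG` is constructed for the example, not captured from a real switch.

```python
"""Audit a Cisco IOS running-config for the controls above. Added example,
not from the original document; SAMPLE_CONFIG is constructed, not captured."""
import re
from typing import Dict, List, Optional

# Constructed 'show running-config' excerpt (note: defaults such as
# 'port-security maximum 1' and 'violation shutdown' are not printed by IOS).
SAMPLE_CONFIG = """\
hostname SW-X
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 storm-control broadcast level 10.00
 storm-control action shutdown
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control unicast level 10.00
!
interface FastEthernet0/12
 description Unused port - administratively shut down
 shutdown
!
interface FastEthernet0/13
 switchport mode dynamic desirable
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
"""

INTERFACE_RE = re.compile(r"^interface ((?:Fast|Gigabit)Ethernet\S+)$")
STORM_TYPES = ("broadcast", "multicast", "unicast")

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """{port: [sub-commands]} for physical ports; SVIs and global lines are skipped."""
    ports: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = []
        elif current is not None and line.startswith(" "):
            ports[current].append(line.strip())
        else:
            current = None  # '!' or the next global command ends the stanza
    return ports

def port_security_settings(cmds: List[str]) -> Optional[dict]:
    """Effective settings, with the defaults 'show run' omits (max 1, violation shutdown)."""
    if "switchport port-security" not in cmds:
        return None
    s = {"maximum": 1, "violation": "shutdown", "sticky": False}
    for c in cmds:
        if m := re.match(r"switchport port-security maximum (\d+)$", c):
            s["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\w+)$", c):
            s["violation"] = m.group(1)
        elif c == "switchport port-security mac-address sticky":
            s["sticky"] = True
    return s

def audit(config: str) -> Dict[str, List[str]]:
    """Findings per port; an empty list means the port passes every check."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        issues: List[str] = []
        if "shutdown" in cmds:  # A. unused port: shut is good, but it should say why
            if not any(c.startswith("description ") for c in cmds):
                issues.append("NO_DESCRIPTION")
            findings[name] = issues
            continue
        if "switchport mode access" not in cmds:  # B. port security needs a static access port
            issues.append("NOT_ACCESS_MODE")
        psec = port_security_settings(cmds)
        if psec is None and "dot1x port-control auto" not in cmds:
            issues.append("NO_PORT_SECURITY_OR_DOT1X")  # 802.1X counts as the per-port control
        if psec and psec["violation"] == "protect":  # silent drop: no log, trap or counter
            issues.append("VIOLATION_PROTECT")
        missing = [t for t in STORM_TYPES  # storm control checked per flooded type
                   if not any(c.startswith(f"storm-control {t} level") for c in cmds)]
        if missing:
            issues.append("STORM_CONTROL_MISSING:" + ",".join(missing))
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(f"{port:<18} {'; '.join(issues) or 'OK'}")
```

Run it against the real output of `show running-config` saved to a file (`audit(open(path).read())`). The finding codes are deliberately stable strings so the script can be dropped into a CI or compliance job; the one judgement call baked in is that `protect` is flagged, because a silent drop gives the operations team nothing to alert on.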

Port-based Authentication

- Catalyst switches support port-based authentication, which combines AAA authentication with port access control: a port in the unauthorized state passes only EAPOL (plus control protocols such as CDP and STP) until the client has authenticated through the switch to a RADIUS server.

- This feature is based on the IEEE 802.1X standard. The switch is the authenticator, the client (supplicant) speaks EAPOL to the switch, and the switch relays the EAP exchange to the RADIUS server inside RADIUS Access-Request/Access-Challenge packets.

conf t
hostname SW-X
vlan 2
name server
vlan 3
name sales
vlan 4
name marketing

interface vlan 2
ip address 170.10.2.1 255.255.255.0
no shutdown
exit
interface vlan 3
ip address 170.10.3.1 255.255.255.0
no shutdown
exit
interface vlan 4
ip address 170.10.4.1 255.255.255.0
no shutdown
exit

ip routing   (requires a Layer 3 capable switch; routes between the SVIs so the client VLANs can reach the RADIUS server on VLAN 2)
interface f0/24
switchport mode access
switchport access vlan 2   (the RADIUS server's port)
exit

ip dhcp excluded-address 170.10.3.1
ip dhcp pool sales
network 170.10.3.0 255.255.255.0
default-router 170.10.3.1
exit

ip dhcp excluded-address 170.10.4.1
ip dhcp pool marketing
network 170.10.4.0 255.255.255.0
default-router 170.10.4.1
exit

aaa new-model
aaa authentication dot1x default group radius   (802.1X authentication requests go to the RADIUS server group)
aaa authorization network default group radius   (required if the RADIUS server returns per-user VLAN or ACL attributes)
radius-server host 170.10.2.100 key cisco123   (cisco123 is a lab value; the shared secret is all that authenticates the server's replies to the switch, so use a long random secret in production)

dot1x system-auth-control   (globally enables 802.1X on the switch; without it the interface commands below have no effect)

interface range f0/1-4
shutdown
switchport mode access
dot1x port-control auto   (enables 802.1X authentication on the port; the default, force-authorized, performs no authentication)
dot1x reauthentication   (enables periodic re-authentication of the client)
dot1x timeout reauth-period 60   (seconds between re-authentications; 60 is a lab value, the default is 3600)
dot1x auth-fail max-attempts 2   (number of failed attempts before the port is moved to the restricted VLAN; only takes effect when an auth-fail restricted VLAN is also configured on the port, which this config does not do)
dot1x host-mode multi-host   (once one client has authenticated, every MAC address seen on the port is allowed without authenticating; prefer single-host mode unless the port really serves several hosts through a hub)
spanning-tree portfast
no shutdown
end
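The `radius-server host 170.10.2.100 key cisco123` line is the trust anchor of the whole 802.1X setup: the switch accepts an Access-Accept only if its Response Authenticator checks out under that shared secret. The script below, an added example that is not part of the original document, builds the RFC 2865 packets locally (nothing is sent), shows the switch-side verification, and shows why a dictionary word like `cisco123` is a poor secret: anyone who captures one request/response pair can recover it offline. Real 802.1X carries EAP inside EAP-Message attributes and adds a Message-Authenticator (RFC 3579); this example covers only the base packet authentication the secret provides. The username, password and wordlist are constructed values.

```python
"""RFC 2865 packet authentication with the RADIUS shared secret. Added example,
not from the original document; packets are built locally, nothing is sent.
Real 802.1X adds EAP-Message and Message-Authenticator attributes (RFC 3579)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # code, identifier, length (authenticator follows)

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """TLV encoding: type, length (including the 2-byte header), value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Build an Access-Request; returns (packet, request_authenticator)."""
    ra = os.urandom(16)  # Request Authenticator: random, must never repeat
    body = encode_attrs([(ATTR_USER_NAME, user),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, ra))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra

def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def build_response(code: int, ident: int, request_auth: bytes, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """What the RADIUS server sends back (Access-Accept/Reject) for a given request."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The switch's check: does the reply carry a valid Response Authenticator?"""
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(code, ident, pkt[20:], request_auth, secret)
    return hmac.compare_digest(expected, pkt[4:20])

def recover_secret(pkt: bytes, request_auth: bytes, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured request/response pair: the secret is
    the only unknown in the Response Authenticator, so each guess costs one MD5."""
    return next((w for w in wordlist if verify_response(pkt, request_auth, w)), None)

if __name__ == "__main__":
    secret = b"cisco123"  # the page's lab key; constructed user/password below
    req, ra = access_request(7, b"alice", b"s3cret", secret)
    accept = build_response(ACCESS_ACCEPT, 7, ra, [], secret)
    print("genuine Access-Accept verifies:", verify_response(accept, ra, secret))
    forged = build_response(ACCESS_ACCEPT, 7, ra, [], b"guess")
    print("Access-Accept forged without the secret verifies:", verify_response(forged, ra, secret))
    print("secret recovered from the captured pair:",
          recover_secret(accept, ra, [b"password", b"admin", b"cisco123"]))
```

Two practical consequences follow from the code: the secret must be long and random because the dictionary check is a single MD5 per guess over data that crosses the wire in clear, and the RADIUS server should be reachable only over a path the switch trusts (here the server VLAN), since whoever holds the secret can mint an Access-Accept for any port.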
