
Port Security 1

Traditional firewalls enhance packet filtering beyond routers by utilizing stateful filtering, which keeps track of packet history for improved security. Port security on switches is crucial for preventing physical attacks and is implemented based on MAC addresses, allowing a defined number of unique addresses per interface. Configuration involves commands to set port security features, monitor MAC address tables, and manage violations.

Uploaded by

guidetrading145

TRADITIONAL FIREWALLS

(Remember that the dedicated role of a router is packet forwarding.)

Normally a firewall does the same work that routers do with ACLs, but
firewalls can perform that packet-filtering function with many more
options, and can perform other security tasks.

Also, a router does stateless filtering, whereas all effective firewalls are
stateful firewalls.

Stateful: the firewall keeps state information by storing information about
each packet, and makes decisions about filtering future packets based on the
historical state information.

PORT SECURITY CONCEPTS AND CONFIGURATION

Switches are devices that are placed in open locations in the network.
Because end devices need to be connected to switches, not all switches can
be placed in the server room.
So switches are provided with some extra security features to help
prevent physical attacks.
Some of these features are:
Port Security
DHCP Snooping
Dynamic ARP Inspection

Because switches are layer 2 devices, we use layer 2 addresses to implement
security at the switch level.
This means port security is implemented on the basis of the MAC address.
Port security identifies devices based on the source MAC address of the
Ethernet frames that the devices send.
Port security defines a maximum number of unique source MAC addresses
allowed for all frames coming in the interface.
The MAC addresses allowed on an interface can be all statically configured,
all dynamically learned, or some configured statically and others learned
dynamically. The switch then examines frames received on the interface to
determine whether a violation has occurred.

Port Security configuration

Give the first PC the IP address 10.0.0.1.

Switch> enable
Switch# configure terminal
Switch(config)# interface fa0/1
    (we can also set a range of interfaces in large networks)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# do show run
    (switches work from the MAC address table)
Switch(config-if)# switchport port-security ?
Switch(config-if)# switchport port-security maximum ?
    (to check how many addresses the switch port may learn)
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
    (use the sticky command when there are a large number of switches)
Switch(config-if)# switchport port-security violation ?
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# do show run
Ctrl+Z
Switch# show mac address-table

Change the PC's IP address to 10.0.0.11 to check the MAC table.

Switch# show mac address-table
Switch# show port-security interface fa0/1

Now move the cable to the other PC and give that PC the new IP address 10.0.0.4.

Switch# show port-security interface fa0/1

Plug the cable into the original PC again and change its IP address to 10.0.0.10.

Switch# show port-security interface fa0/1
    (check the counter)
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport port-security violation shutdown

Now plug the cable into the other PC again, change its IP address to e.g.
10.0.0.40, and run:

Ctrl+Z
Switch# show mac address-table
Switch# show port-security interface fa0/1
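The following Python model is an added example, not part of the original notes or of any switch software. It replays the lab's cable moves against a simplified port with maximum 1 and sticky learning, to show what the counter and port state look like under restrict and under shutdown. The class name, function name and MAC addresses are constructed for illustration, and the model assumes sticky addresses stay configured when the cable is moved.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Simplified model of one access port with port security enabled."""
    maximum: int = 1              # switchport port-security maximum 1
    violation: str = "restrict"   # or "shutdown"
    secure_macs: set = field(default_factory=set)  # sticky-learned addresses
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                      # port is down, nothing passes
        mac = src_mac.lower()
        if mac in self.secure_macs:
            return True                       # known secure source address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)         # room left: learn it (sticky)
            return True
        self.violation_count += 1             # one more source MAC than allowed
        if self.violation == "shutdown":
            self.err_disabled = True          # interface goes err-disabled
        return False                          # restrict: drop, port stays up


def run_lab(mode: str):
    """Replay the lab's cable moves; MAC addresses are constructed samples."""
    pc1, pc2 = "0000.aaaa.0001", "0000.bbbb.0002"
    port = SecurePort(maximum=1, violation=mode)
    # original PC (two frames), other PC (two frames), original PC again
    frames = [pc1, pc1, pc2, pc2, pc1]
    forwarded = [port.receive(m) for m in frames]
    return forwarded, port


if __name__ == "__main__":
    for mode in ("restrict", "shutdown"):
        forwarded, port = run_lab(mode)
        print(mode, forwarded, "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
```

In restrict mode the original PC works again as soon as it is plugged back in; in shutdown mode the port stays err-disabled until an administrator re-enables the interface.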
