Cisco® CCNA Exam Cram Notes : Switch Ports and Port Security

7. Infrastructure Security

1. Switch ports and port security

Each port on a Cisco switch can be configured as either an access port or a trunk port. The port type determines how the switch identifies the VLAN of an incoming frame. Here is a description of these two port types.

Access port - a port that can be assigned to a single VLAN. Frames that arrive on an access port are assumed to belong to that access VLAN. This port type is configured on switch ports that connect to devices with a standard network card, for example a host on the network.

1. Frames sent through this port belong to a single VLAN

2. Typically uses a straight-through cable to connect a host

3. Connects an end-user host to a switch

Trunk port - a port that is connected to another switch. This port type can carry traffic for multiple VLANs, which lets you extend VLANs across the whole network. Each frame is tagged with its VLAN ID as it crosses the trunk, so the receiving switch can place it in the correct VLAN.

1. Frames sent through this port belong to multiple VLANs

2. Facilitates inter VLAN communications when connected to a Layer 3 device

3. Uses tags to identify traffic from different VLANs
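The following configuration is an added example, not from the original notes: one host-facing access port and one inter-switch trunk, with the hardening a practitioner normally applies to each. The interface names and VLAN numbers are assumptions chosen for illustration.

```cisco
! Added example (not part of the original notes). Interface names and
! VLAN numbers are assumptions chosen for illustration.
!
! Access port: one VLAN, untagged frames, host-facing. Disabling DTP
! (switchport nonegotiate) stops the port from ever being negotiated
! into a trunk by a device that sends DTP frames.
interface GigabitEthernet1/0/1
 description Host-facing access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Trunk port: carries several VLANs as 802.1Q-tagged frames between
! switches. Prune the allowed list to the VLANs that actually need to
! cross the link and move the native (untagged) VLAN off VLAN 1 so that
! untagged frames cannot land in a VLAN that also carries hosts.
interface GigabitEthernet1/0/48
 description Uplink to distribution switch
 ! omit the next line on platforms that support only 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Verification (privileged EXEC):
! show interfaces GigabitEthernet1/0/48 switchport -> administrative and
!     operational mode, trunking encapsulation, native and allowed VLANs
! show interfaces trunk -> every trunk port with its allowed and active VLANs
```

The `switchport nonegotiate` line is the security-relevant one on both ports: with DTP left enabled, an attacker on an access port that is still in dynamic mode can negotiate it into a trunk and reach every VLAN carried on it.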

Port security: You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward frames whose source address is outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

There are three violation modes: shutdown, protect, and restrict.

Shutdown - When a violation occurs in this mode, the switchport is taken out of service and placed in the err-disabled state; a syslog message and SNMP trap are generated and the violation counter is incremented. The port stays err-disabled until an administrator shuts and re-enables it, or until errdisable recovery (if configured) re-enables it automatically. This is the default violation mode.

Protect - When a violation occurs in this mode, the switchport keeps forwarding traffic from known MAC addresses and silently drops frames from unknown MAC addresses. No syslog message or SNMP trap is generated and the violation counter is not incremented, so a violation in this mode is invisible to monitoring.

Restrict - When a violation occurs in this mode, the switchport keeps forwarding traffic from known MAC addresses and drops frames from unknown MAC addresses, as protect does. Unlike protect, however, a syslog message and SNMP trap are generated and the violation counter is incremented, so the event can be detected.

The default behavior on a security violation is to shut the port down and leave it err-disabled until an administrator re-enables it (or errdisable recovery does). To find out which interface is associated with a given MAC address, use the "show mac address-table" command ("show mac-address-table" on older IOS releases). It shows the learned MAC addresses and their associated interfaces.

Port security is configured on Layer 2 interfaces to allow a specified number of MAC addresses. The command "switchport port-security" only enables port security; before you enable it you must make the port a static access or trunk port with one of the following commands:

switchport mode access
switchport mode trunk

To configure the maximum number of MAC addresses allowed, issue the following command:

switchport port-security maximum 3 (replace 3 with the maximum you want).

Finally, set the action taken on a violation to protect, restrict, or shutdown with the following command:

switchport port-security violation {shutdown | restrict | protect}

The "switchport mode access" command typically precedes the "switchport port-security" command, because the port must be a static access or trunk port before port security can be enabled; on a port still in dynamic (DTP) mode the port-security command is rejected.

The command "switchport mode access" configures the port as a static access port. The port operates as a non-trunking, single VLAN interface that transmits and receives non-encapsulated frames. An access port can be assigned to only one VLAN. On the other hand, a switchport configured as a "trunk" port, transmits and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router.

The command "switchport access vlan 1" (or whichever VLAN the host belongs to) is also typically configured before the "switchport port-security" command.

The command "switchport port-security maximum 1" sets the limit on the number of hosts that can be associated with the interface. The default value is 1, so skip this command to use the default. This command typically follows the "switchport port-security" command.

The command "switchport port-security violation shutdown" sets the security violation mode. The default mode is shutdown. This command typically follows the "switchport port-security" command.
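The procedure above, carried through end to end as an added example (not configuration from the original notes): the default, weakest form of port security beside a hardened version that pins one known host and uses restrict mode, followed by the verification commands and the two ways of recovering an err-disabled port. The interface names, VLAN and MAC address are assumptions chosen for illustration.

```cisco
! Added example (not part of the original notes). The interface names,
! VLAN and the MAC address are assumptions chosen for illustration.
!
! --- Weak: port security with every default (max 1, dynamic learning,
! --- shutdown mode). Whichever device connects first is learned as the
! --- secure address, and that address is lost on link-down or reload.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
! --- Hardened: the one known host is pinned statically, restrict mode.
! --- restrict keeps the port up for the allowed host, drops frames from
! --- any other source MAC, logs the event and increments the violation
! --- counter. Use shutdown instead if an unknown device should take the
! --- port down completely.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Verification (privileged EXEC):
! show port-security
!     -> per-port maximum and current address counts, violation count, action
! show port-security interface GigabitEthernet1/0/3
!     -> Port Status (Secure-up / Secure-shutdown), Violation Mode,
!        Last Source Address:Vlan, Security Violation Count
! show port-security address
!     -> the secure address table with each entry's type (configured,
!        dynamic or sticky)
! show mac address-table interface GigabitEthernet1/0/3
!     -> which MAC addresses the switch currently maps to the port
!
! Recovering a port that a shutdown-mode violation has err-disabled:
! either bounce it by hand ...
interface GigabitEthernet1/0/2
 shutdown
 no shutdown
!
! ... or let the switch re-enable it automatically once the timer expires
! (interval in seconds). Pair this with alerting on the syslog message,
! otherwise a repeatedly violating device simply cycles the port.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Before re-enabling an err-disabled port, read "Last Source Address:Vlan" in the interface output: it records the MAC address that caused the violation, which is the starting point for finding the device that was plugged in.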

Port security is supported on static access ports. Older platforms support it on access ports only; current Catalyst switches also support it on trunk and 802.1Q tunnel ports, but never on a port whose mode is negotiated dynamically.

switchport port-security maximum <value>. This command sets the maximum number of secure MAC addresses allowed on the switch port; the default is 1. The range is 1 to 3072 on typical Catalyst platforms (the upper bound is platform dependent).

To return the interface to the default number of secure MAC addresses, use the command :

no switchport port-security maximum <value>

The following are true about switch port security:

1. Port security is a Cisco IOS feature, not an IEEE standard, and it needs no support on the end user's PC. Do not confuse it with IEEE 802.1X, which is port-based network access control: 802.1X authenticates the attached device with a supplicant on the host and an authentication server, and is supported on most Catalyst switches, but it is a separate feature from the MAC-address limiting described here.

2. When you enable port security on a switch port, by default only one MAC address can be learned. To allow more than one MAC address on a switch port simultaneously, use the command: switchport port-security maximum <max-number>.

3. You can either define the allowed MAC addresses statically or allow the port to learn them. If you define only part of the maximum allowed MAC addresses statically, the remaining addresses are learned dynamically. Dynamically learned (non-sticky) addresses are removed when the link goes down or the switch reloads, and whichever device connects first takes the free slots, so dynamic learning gives weaker assurance than static or sticky addresses and can be misused to get an unauthorised device accepted on the port.

4. Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.

5. A secure port cannot be a dynamic access port.

6. A secure port cannot be a destination port for Switched Port Analyzer (SPAN).

7. A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.

8. You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.

9. When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.

10. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.

11. When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.

12. The switch does not support port security aging of sticky secure MAC addresses.

13. The protect and restrict options cannot be simultaneously enabled on an interface.

Sticky MAC addresses are addresses that are learned dynamically once and then remain bound to the port: the switch converts them to sticky secure addresses and adds them to the running configuration, so they survive link flaps and, once the configuration is saved, reloads. The number of sticky addresses an interface can hold is bounded by its configured maximum. This feature is useful in large networks where manually mapping MAC addresses to ports is impractical.
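The sticky, voice VLAN and aging behaviours described in the list above and in this paragraph, shown together as an added example (not configuration from the original notes). Interface names, VLAN numbers and aging values are assumptions chosen for illustration.

```cisco
! Added example (not part of the original notes). Interface names,
! VLANs and aging values are assumptions chosen for illustration.
!
! Sticky learning: the first addresses seen (up to the maximum) are
! converted to sticky secure addresses and written into the running
! configuration as
!   switchport port-security mac-address sticky <mac>
! so they survive link flaps and, after the config is saved, a reload.
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Port with an IP phone and a PC behind it: a secure port with a voice
! VLAN needs a maximum of at least two. The PC address on the access
! VLAN is learned as sticky; the phone address on the voice VLAN is
! learned as a dynamic secure address.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Shared or hot-desk port: dynamic (non-sticky) learning with inactivity
! aging, so an address that stops sending is aged out and frees its slot
! for the next user instead of causing a violation. Aging does not apply
! to sticky addresses, so sticky is deliberately not enabled here.
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security violation restrict
!
! Verification (privileged EXEC):
! show port-security address
!     -> Type column distinguishes SecureConfigured, SecureDynamic and
!        SecureSticky entries
! show running-config interface GigabitEthernet1/0/4
!     -> once a host has been learned, a line
!        "switchport port-security mac-address sticky <mac>" appears
!
! Sticky addresses persist across a reload only after the configuration
! is saved:
copy running-config startup-config
```

The trade-off is worth stating: sticky learning locks the port to the first device seen, so it must be enabled while the correct device is attached; enabling it on a port an attacker already occupies makes their address the trusted one.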
