Cisco® CCNP Switch Exam Cram Notes : Port Security

2. Infrastructure Security

2.1 Configure and verify switch security features

2.1.d Port security

Port security feature can be used to to limit and identify MAC addresses of the stations allowed to access the port. This restricts input to an interface. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station that attempts to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged. By default, the port shuts down when the maximum number of secure MAC addresses is exceeded.

The command "show port-security interface" used to verify the port security status for an interface. 

Catalyst switches provide port level security by use of MAC addresses to control access to a switch port. The command

Switch(config-if)# switchport port-security

enables the port security on a switch.

To statically define one or more MAC addresses that are allowed on a switch interface, use the command:

Switch(config-if)#switchport port-security mac-address <mac address>

For example, to allow the mac address 0013.0002.0023, use the command:

Switch(config-if)#switchport port-security mac-address 0013.0002.0023

You can set the maximum number of MAC addresses that could be allowed on a port by using the command:

Switch(config-if)# switchport port-security maximum <max-number-of-mac-addresses>

To allow a maximum of 2 MAC addresses to access a switch port,

Switch(config-if)#switchport port-security maximum 2

By default, one MAC address is allowed access on each switch port.

The command "no switchport" enables a switch port for layer 3 operation. On the other hand, the command "switchport" enables a switch port for layer 2 operation. 

The following are true about switch port security:

1. The IEEE standard 802.1x defines the switch port security. Most of the Catalyst class of switches supports this standard. However, end user PC should also comply with the standard for implementation.

2. When you enable port security on a switch, by default only one MAC address can be learned. To allow more than one MAC address on a switch port simultaneously, use the command:

3. port-security maximum <max-number>.

4. You can either define the allowed MAC addresses statically or allow the port to learn the MAC addresses. If you define only part of maximum allowed MAC addresses statically, the remaining MAC addresses are learned dynamically. This may lead to security breach if misused.

The following are true about inline power switch port:

1. By default, the inline power is disabled when a switch port is down.

2. When a device is connected to an inline power switch port, it first ensures that the device connected requires inline power by sending tone signals at 340kHz. Inline power is enabled only after ensuring that the connected device requires inline DC power. Otherwise, the DC power may damage connected devices if provided indiscriminately.

3. Use debug ilpower controller and debug cdp packets commands to view inline power adjustments.

4. Inline power is supplied at 48V DC, and pins 1,2 and 3,6 of the RJ-45 connector are used.

You can instruct the switch as to what to do if there is any port security violation. The command to configure port security violation is

Switch(config-if)#switchport port-security violation {shutdown | restrict | protect}

Shutdown: The port is effectively shuts down on any port violation.

Restrict: The port stays up, but drops all packets violating MAC addresses. Use SNMP to trigger a violation.

Protect: The packets from violating addresses are dropped, but no record of violation is kept.

The syntax for configuring a switch port to use 802.1x is:

Switch(config-if)#dot1x port-control [force-authorized | force-un-autorized | auto ]

Ports can be in one of three authorization modes. The first mode, force-authorized, and default mode. In first mode, a port is always authorized. Force-authorized mode is used when you do not want to run 802.1X on a particular port. This is typically the case when connecting to another switch, or a client PC that do not support 802.1X. The next mode, auto, is the normal 802.1X mode. A port in auto mode will not become authorized unless it receives a positive response from the authentication server. The final mode, force-unauthorized, prevents a port from becoming authorized even if the user has the appropriate credentials. This mode essentially disables the port from use by any user or device.

The command "switchport port security maximum 10" is not properly configured.

Note that the switch will take the mac addresses dynamically for the balance . In this case, after assigning an IP phone mac, and one for the PC, the switch is still left with 8 dynamically configurable mac addresses. You need to choose only the required number of macs. In this case, it is 2 mac addresses, one for the IP phone and the other for the user PC.

The command

Switch#show power inline [type <mod>/<num>]

Can be used to verify the inline power status for a switch port.

The command used for displaying the size of the CAM table is :

show mac address-table count

The interface configuration command :

Switch(config-if)#power inline {auto|never}

is used for configuring inline power supply on a switch port. By default, every switch port attempts to discover an inline-powered device

Previous   Contents   Next

CCNP Switch Cram Notes Contents
certexams ad

simulationexams ad