Switchport Security Concepts and Configuration

Date: Jul 1, 2011


One of the most overlooked security areas is the configuration of security on individual switchports. The reason may be that it requires a more granular configuration: a typical deployment requires knowledge of the specific MAC address(es) that will connect to each switchport, and keeping track of this information in a medium to large organization can be quite time consuming. There are a couple of different ways to configure switchport security, and this article reviews the available options and requirements.

Switchport Security Overview

The switchport security feature offers the ability to configure a switchport so that traffic is limited to a specific configured MAC address or list of MAC addresses; frames from any other source MAC address are treated as a violation. Because the check is on the source MAC address, which a host can change at will, port security raises the bar against casual device swaps, unmanaged hubs and MAC-flooding attacks, but it does not authenticate the connected host the way 802.1X does.

Secure MAC Address Types

To begin with, there are three different types of secure MAC address:

- Static secure MAC addresses: configured manually on the interface, stored in the address table, and kept in the running-configuration.
- Dynamic secure MAC addresses: learned from traffic arriving on the port, stored only in the address table, and lost when the switch restarts.
- Sticky secure MAC addresses: learned dynamically (or configured manually) and written into the running-configuration.

The type of secure MAC address that is configured depends on the intended end result. Static secure MAC addresses are typically used when the MAC addresses are known and do not change often, for example when a single host is always connected to the same switchport.

Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport change constantly and the intention is to limit the port to a specific number of hosts at once. For example, a switchport can be configured to allow only a single MAC address to be learned and to reject any host other than the one learned first; the learned address can then be replaced only by disabling and re-enabling switchport security, by clearing the learned address from the table directly (clear port-security dynamic interface interface-id), or by waiting for the port-security aging timer to expire, if one is configured.

Sticky secure MAC addresses are a combination of the two prior types: addresses can be configured statically, but they can also be learned dynamically. The key difference is that dynamically learned sticky addresses are automatically written into the running-configuration; if the engineer wants them to survive a reboot, the running-configuration must be saved to the startup-configuration, which effectively makes these addresses static.

Switchport Security Violations

The second piece of switchport port-security that must be understood is the security violation: what it is, what causes it, and the different violation modes that exist. A switchport violation occurs in one of two situations:

- The maximum number of secure MAC addresses has already been reached on the port and a frame arrives from a source MAC address that is not in the secure address table.
- A MAC address that is configured or learned as a secure address on one port is seen on another secure port in the same VLAN.

The action that the device takes when one of these violations occurs can be configured:

- protect: frames from unknown source MAC addresses are dropped; no violation counter is incremented and no notification is sent, so violations are invisible to the operator.
- restrict: frames from unknown source MAC addresses are dropped, the violation counter is incremented, and a syslog message and SNMP trap are generated.
- shutdown (the default): the port is placed in the error-disabled state on the first violation and must be recovered with shutdown followed by no shutdown, or automatically by errdisable recovery. The shutdown vlan variant error-disables only the offending VLAN rather than the whole interface.
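The three violation modes side by side, as an added example that is not part of the original article. It is written in running-configuration form for a hypothetical Catalyst access switch; the interface names, the syslog host 192.0.2.10 and the 300-second recovery interval are illustrative assumptions. The point it makes is that protect is the weak setting from a detection standpoint, and that shutdown should be paired with automatic recovery and notification.

```cisco
! Added example, not from the original article. Hypothetical Catalyst
! access switch; interface names, syslog host and timers are assumptions.
!
! Weak: "protect" silently drops frames from unknown MAC addresses. The
! port stays up, no counter moves, no syslog or trap is sent, so a device
! swap or a MAC-flooding attempt leaves no trace for the operator.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
! Better: "restrict" drops the same frames but increments the violation
! counter and raises a syslog message and SNMP trap, so it is detectable.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
! Strictest (the default): "shutdown" err-disables the whole port on the
! first violation. Without recovery configured the port stays down until
! an operator issues shutdown / no shutdown on it.
interface GigabitEthernet1/0/12
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
!
! Global: deliver restrict/shutdown events to the monitoring side and
! re-enable err-disabled ports after 300 seconds.
snmp-server enable traps port-security
logging host 192.0.2.10
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Manual recovery of an err-disabled port (interface configuration mode):
interface GigabitEthernet1/0/12
 shutdown
 no shutdown
!
! Where to look when a violation is suspected (privileged exec mode):
! show port-security interface GigabitEthernet1/0/11
! show errdisable recovery
! show logging | include PSECURE
```

The restrict mode is usually the right default for ports where an honest mistake (a user plugging a laptop into a printer jack) is more likely than an attack, because it keeps the legitimate device working while still producing the event; shutdown is appropriate where any unexpected device should be taken offline until someone looks at it.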

Switchport Security Aging

Another option available when configuring switchport security is an aging timer, which removes a secure MAC address from the table after a configured amount of time. By default, aging is disabled and addresses are not deleted unless the device is rebooted or the addresses are cleared manually (clear port-security {all | configured | dynamic | sticky} [interface interface-id]).

There are two different methods of implementing secure MAC address aging:

- absolute: the secure address is removed once the configured aging time has elapsed, whether or not the host is still sending traffic.
- inactivity: the secure address is removed only after no traffic has been seen from it for the configured aging time.

By default only dynamically learned secure addresses age out; the static keyword extends aging to the statically configured addresses on the port.

Switchport Security Configuration

As with any feature configuration there are a number of different guidelines and requirements that need to be known before a configuration is implemented:

The configuration of switchport security is not overly complex; the following commands are used when initially configuring a switchport with security:

Step 1: router#configure terminal
Enters global configuration mode.

Step 2: router(config)#interface interface-id
Enters interface configuration mode for the port.

Step 3: router(config-if)#switchport mode {access | trunk}
Statically configures the switchport as an access or trunk port. Port security cannot be enabled on a port whose mode is dynamic, so this step is required even when the port is already operating as an access port.

Step 4: router(config-if)#switchport port-security
Enables switchport port security on the interface.

Step 5: router(config-if)#switchport port-security maximum value [vlan {vlan-list | {access | voice}}]
Configures the maximum number of secure MAC addresses permitted on the port, optionally per VLAN; by default this is 1. A port with an IP phone and a PC behind it needs a maximum of at least 2.

Step 6: router(config-if)#switchport port-security violation {protect | restrict | shutdown [vlan]}
Configures the switchport security violation mode; by default this is shutdown.

Step 7: router(config-if)#switchport port-security mac-address mac-address [vlan {vlan-id | {access | voice}}]
Configures a static secure MAC address on the port.

Step 8: router(config-if)#switchport port-security mac-address sticky
Enables sticky learning on the port; addresses learned from this point on are written into the running-configuration.

Step 9: router(config-if)#switchport port-security aging {static | time time | type {absolute | inactivity}}
Configures aging of secure addresses: whether statically configured addresses also age, the aging time in minutes, and the aging type. By default aging is disabled.
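The procedure above carried through for three typical access ports, as an added example that is not part of the original article. It is written in running-configuration form for a hypothetical Catalyst access switch; the interface names, VLAN numbers, the printer MAC address 0011.2233.4455 and the 10-minute aging time are illustrative assumptions. Each port uses a different secure address type so the trade-offs from the earlier sections show up side by side.

```cisco
! Added example, not from the original article. Hypothetical Catalyst
! access switch; interface names, VLANs, MAC address and timers are
! assumptions.
!
! Port 1: a printer that never moves. One static secure MAC address with
! the default maximum of 1 and the default shutdown violation mode, so
! anything else plugged into this jack takes the port down.
interface GigabitEthernet1/0/1
 description PRINTER-LOBBY
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
! Port 2: a desk with an IP phone and a PC behind it. Sticky learning
! writes the first addresses seen into the running-config; the maximum is
! raised to 2 and split per VLAN so a single rogue device cannot consume
! both slots. restrict keeps the phone working if a second PC shows up.
interface GigabitEthernet1/0/2
 description DESK-PHONE-PC
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Port 3: a hot-desk port. One dynamically learned address at a time,
! aged out after 10 minutes of inactivity so the next person can plug in
! without an operator clearing the table.
interface GigabitEthernet1/0/3
 description HOTDESK
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security violation restrict
!
end
!
! Privileged exec mode: persist the sticky addresses learned on Gi1/0/2
! across a reboot (until this is done they exist only in running-config),
! then verify.
copy running-config startup-config
show port-security
show port-security interface GigabitEthernet1/0/2
show port-security address
```

After the phone and PC on Gi1/0/2 have sent their first frames, show running-config interface GigabitEthernet1/0/2 will list two switchport port-security mac-address sticky lines with the learned addresses; if a device is later replaced, clear port-security sticky interface GigabitEthernet1/0/2 (and a fresh copy running-config startup-config) is the clean way to let the new one be learned.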

Summary

The use of switchport port-security provides another layer of security that helps protect locally connected computers and the networks they connect to. This article was written to make the basic features of port-security more familiar to the reader and to offer them as an additional option when securing a network. Hopefully, the information in this article serves as a starting point for securing the reader's switched network.

800 East 96th Street, Indianapolis, Indiana 46240
