How to give security to switch ports in cisco
Posted by Anbu
Published on Sunday, February 17, 2013
Problem:
How to give security to switch ports in cisco
Solution:
Someone connecting to your network can cause serious damage if you are sloppy with security.
Port-security
Port-security on switches is very flexible. First, show the current status of port security on the interface:
Switch#show port-security interface Gi0/19
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.53b1.ffff:20
Security Violation Count : 181
Port security is disabled, and the violation mode is shutdown, which means the port will be shut down if port security is tripped. There are
Let us limit this port to one MAC address and, if we see more than one, shut down the port.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gi 0/19
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security
Switch(config-if)#
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
Switch(config-if)#
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
Switch(config-if)#
11:31:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down
What happened here? First we limited the port to a maximum of one MAC address, then we configured the port to be shut down if that limit is violated, and finally we turned on port-security.
As you can see, the port immediately went into an errdisable state for a security violation.
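To check this state without reading the output by eye, here is an added example (not code from the original post) that parses the `show port-security interface` output shown above and reports where a port falls short of a policy of one MAC address with violation mode shutdown. The sample output is constructed from the post, and the policy values are assumptions.

```python
"""Audit 'show port-security interface' output from a Cisco IOS switch."""
import re

# Constructed sample: the pre-configuration state shown in the post.
SAMPLE_OUTPUT = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.53b1.ffff:20
Security Violation Count   : 181
"""

# Field names may themselves contain a colon ("Last Source Address:Vlan"),
# so split on the colon that is surrounded by whitespace, not the first one.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.+?)\s*$")


def parse_port_security(text):
    """Return {field_name: value} for each 'Name : Value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_port(fields, max_macs=1):
    """Return findings against an assumed policy; an empty list means compliant."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled")
    if fields.get("Violation Mode") != "Shutdown":
        findings.append("violation mode is %s, expected Shutdown" % fields.get("Violation Mode"))
    if int(fields.get("Maximum MAC Addresses", "0")) > max_macs:
        findings.append("maximum MAC addresses exceeds policy of %d" % max_macs)
    violations = int(fields.get("Security Violation Count", "0"))
    if violations:
        findings.append("%d violations recorded, last source %s"
                        % (violations, fields.get("Last Source Address:Vlan")))
    return findings


if __name__ == "__main__":
    for finding in audit_port(parse_port_security(SAMPLE_OUTPUT)):
        print("Gi0/19:", finding)
```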
Storm-control
Storm control can be used to limit the amount of broadcast, unicast or multicast traffic on a port.
To show the status of storm control:
Switch#show storm-control gigabitEthernet 0/19
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Switch#
A typical broadcast storm can look like this:
Switch#show interface gigabitEthernet 0/19 | i rate
Queueing strategy: fifo
5 minute input rate 106111000 bits/sec, 207129 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Switch#
I have over 100 Mbit/s of input traffic and no output traffic. I can apply storm-control so that it shuts down the port if the amount of broadcast traffic reaches 100 Mbit/s.
Switch#conf t
Switch(config)#interface gigabitEthernet 0/19
Switch(config-if)#storm-control action shutdown
Switch(config-if)#storm-control broadcast level bps 100000000
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down
The interface went straight into errdisable due to the huge amount of broadcast traffic we were receiving.
You can also get the status of storm control for all interfaces:
Switch#show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Gi0/19 Link Down 100m bps 100m bps 0 bps
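Both features announce themselves the same way, through a `%PM-4-ERR_DISABLE` syslog message, so a single rule can catch either. The following is an added example (not code from the original post) that correlates the err-disable, port-security violation and storm-control messages shown in the two sections above and reports, per port, why it was disabled and which MAC address was involved. The log lines are constructed from the message formats in the post.

```python
"""Detect and summarise err-disable events in Cisco IOS syslog lines."""
import re
from collections import defaultdict

# Constructed sample log, copied from the message formats in the post.
SAMPLE_LOG = """\
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
"""

ERR_DISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
PSECURE_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)\.")

# IOS names the same port Gi0/19 in one message and GigabitEthernet0/19 in
# another; fold both to the short form so the events correlate.
SHORT_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_ifname(name):
    """Map a long IOS interface name to its abbreviated form."""
    for full, short in SHORT_NAMES.items():
        if name.startswith(full):
            return short + name[len(full):]
    return name


def errdisable_events(log_text):
    """Return {interface: {"causes": set, "macs": set}} built from the log."""
    events = defaultdict(lambda: {"causes": set(), "macs": set()})
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            events[short_ifname(m.group(2))]["causes"].add(m.group(1))
            continue
        m = PSECURE_RE.search(line)
        if m:
            events[short_ifname(m.group(2))]["macs"].add(m.group(1))
    return dict(events)


if __name__ == "__main__":
    for intf, info in errdisable_events(SAMPLE_LOG).items():
        print(intf, "causes:", sorted(info["causes"]), "macs:", sorted(info["macs"]))
```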
These are two useful techniques for securing your switch ports; tune them to your environment and they will serve you well.