Securing ports of Cisco switches
In this article we will see how to apply certain security measures to the ports of Cisco switches.
As in the other articles in this series, some familiarity with managing Cisco devices and networks is required, and you will need the Packet Tracer simulator.
Switch security starts with access to the system itself, whether through the console, through the virtual lines (vty) via Telnet or SSH, or via HTTP. You can set a password for privileged mode, and authentication can be local, with users configured on the switch itself with different privilege levels, or handled by an external server (a RADIUS server, for instance).
Example
To set a password for console access, so that it is requested as soon as someone connects through a terminal session:
sw(config)#line console 0
sw(config-line)#password micontraseña
sw(config-line)#login --> require the password on this line
With that, it is enough.
On some systems, especially routers, there is an auxiliary connection (AUX) for which a password must be set before it can be used; it is intended for connection via modem.
From the network point of view, at the switch level (layer 2) virtual LANs (VLANs) are often used to separate broadcast domains.
There is also port-level security, which goes beyond access to the switch itself and aims to control which computers connect to the network. This is the focus of this article.
Static address assignment
This consists of manually assigning a MAC address to a specific port. You can verify that the computer cannot connect through another port, whereas without the assignment it can.
The command syntax is:
sw(config)#mac-address-table static <mac-address> interface <interface> vlan <vlan-id>
To remove the mapping, the no form of the command is used:
sw(config)#no mac-address-table static <mac-address> interface <interface> vlan <vlan-id>
Note that the syntax shown may vary slightly depending on the switch model or IOS version.
The configuration can be checked simply by consulting the switch's MAC address table:
sw#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.6429.c999    STATIC      Fa0/7
   1    0002.4aea.d2c1    STATIC      Fa0/4
   1    0006.2a85.3b41    STATIC      Fa0/3
   1    0010.111d.078d    STATIC      Fa0/2
   1    0040.0b95.0844    STATIC      Fa0/8
   1    0060.7074.1915    STATIC      Fa0/5
   1    0090.0c2b.8c7a    STATIC      Fa0/6
Secure ports
A secure port is one configured so that a MAC address can be established as secure, preventing other computers from connecting through the same port.
There are several ways to handle a secure port. Basic configuration:
- Applying security requires the port to be in access mode. Note the problems this raises in the case of a trunk (VLAN handling, and particularly the native VLAN).
sw(config-if)#switchport mode access
- To enable port security:
sw(config-if)#switchport port-security
With the port configured this way, by default the first MAC learned (from the first frame that passes through) is the only one allowed until the port is disconnected, after which the next one learned becomes the secure address. You can change it to learn more than one secure address (this only makes sense on a port connected to a hub or another switch).
To learn a single address and not allow it to change:
sw(config-if)#switchport port-security mac-address sticky
The MAC can also be specified by hand. By default the interface is shut down if a change is detected. To recover the interface after a security shutdown it must be turned off and on again (running shutdown on the port, then no shutdown).
Other port-security options are violation and maximum.
To indicate the number of secure addresses:
sw(config-if)#switchport port-security maximum <number>
To indicate the violation mode:
sw(config-if)#switchport port-security violation {shutdown | protect | restrict}
The violation options indicate the behaviour when a security violation occurs; they are:
- shutdown (the default): blocks the port and increments the violation counter.
- protect: stops the offending frames from being forwarded without blocking the port, and does not increment the violation counter.
- restrict: stops the offending frames from being forwarded without blocking the port, increments the counter and sends violation notifications via SNMP.
Note that for a security violation to occur on the port, frames must actually be sent; send a ping, for instance.
Note that the default, shutdown, may be detrimental on a port connected to another switch or hub, since it could block the port and cut off service to “legitimate” computers.
Example of a port locked (in red) because it is shared. In that case another violation option would be the better choice.
Checking operation:
To check the port-security status:
sw#show port-security
To view the detailed configuration of a port:
sw#show port-security interface <interface>
Example
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              1            1                  0         Protect
      Fa0/3              1            1                  0         Protect
      Fa0/4              1            1                  3         Restrict
      Fa0/5              1            1                  0         Restrict
      Fa0/6              3            0                  0         Shutdown
      Fa0/7              1            1                  1         Shutdown
      Fa0/8              3            2                  0         Shutdown
---------------------------------------------------------------------------
The columns show the maximum number of secure addresses, the number that have been learned and remembered, and the violation counter. In protect mode that counter always stays at zero.
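As an added example (not part of the original article), the following Python script parses the show port-security summary shown above and flags the ports an administrator should look at: ports with a non-zero violation counter, protect-mode ports whose secure table is full (their violations are never counted), and uplink ports left in the default shutdown mode. The sample output and the uplink list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same format as "show port-security" on the switch.
SAMPLE_OUTPUT = """\
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              1            1                  0         Protect
      Fa0/4              1            1                  3         Restrict
      Fa0/6              3            0                  0         Shutdown
      Fa0/7              1            1                  1         Shutdown
---------------------------------------------------------------------------
"""

# One data row: interface, three integer counters, then the violation action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


def parse_port_security(text):
    """Return one SecurePort per data row; header and separator lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5)))
    return ports


def find_findings(ports, uplinks=()):
    """Return (port, reason) pairs worth reviewing. 'uplinks' is an assumed list."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append((p.name, f"{p.violations} violation(s), action {p.action}"))
        if p.action == "Protect" and p.current_addr >= p.max_addr:
            # protect never increments the counter, so a full table is the only clue
            findings.append((p.name, "protect mode: extra MACs are dropped silently"))
        if p.action == "Shutdown" and p.name in uplinks:
            findings.append((p.name, "shutdown on an uplink can cut off legitimate hosts"))
    return findings
```

Run it against the real output of show port-security captured from the switch to get the same list for your own ports.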
To remove secure MACs:
sw#clear port-security all
sw#clear port-security configured --> for static ones
sw#clear port-security dynamic --> for dynamic ones
sw#clear port-security sticky --> for sticky ones
You can also set how long a learned MAC is kept:
sw(config-if)#switchport port-security aging time <minutes> --> after which it is erased.
Download here a sample file to test these things (created with Packet Tracer 6).
DHCP port security:
An important defence that we can apply on the ports is against attacks on the DHCP service.
DHCP works on unauthenticated broadcasts, so it is susceptible to attack by “rogue” DHCP servers that hand out false configurations to legitimate clients. Those clients will then normally not receive the settings they need to reach external resources.
DHCP snooping consists in identifying trusted ports, those that will be allowed to both send and receive DHCP messages.
With the trust option the port becomes trusted, allowing DHCP server offers to pass through to clients.
sw(config)#ip dhcp snooping --> to enable the service
sw(config)#interface f0/1
sw(config-if)#ip dhcp snooping trust
Untrusted ports can only send requests, so DHCP clients can be connected to them, but not servers.
DHCP is also very susceptible to DoS (Denial of Service) attacks that launch multiple IP configuration requests from invented MAC addresses in order to exhaust all the IP addresses available on the server.
For this latter case it is appropriate to limit the number of requests that can be made through a port, with the command:
sw(config-if)#ip dhcp snooping limit rate <rate> --> number of valid requests.
These commands are not available in the Packet Tracer simulator; we will have to check them on real switches 🙂
I hope this new article has been interesting; if so, give it a +1 or a like on your favourite social network and help us share this content. Thanks.