Cisco switch port security

Securing ports of Cisco switches

In this article we will see how to apply certain security measures to the ports of Cisco switches.

As in the other articles of this series we are publishing, some familiarity with managing Cisco devices and networks is needed, along with the Packet Tracer simulator.

Switch security starts with access to the system itself, whether through the console, through the virtual lines (vty) via Telnet or SSH, or through HTTP. A password can be set for entering privileged mode, and authentication can be local (users configured on the system itself, with different privilege levels) or handled by an external server (a RADIUS server, for instance).


To set a password for console access, so that it is requested as soon as someone connects through a terminal session:

sw(config)#line console 0
sw(config-line)#password micontraseña
sw(config-line)#login --> makes the line actually ask for the password

That is all it takes.
Some systems, especially routers, also have an auxiliary connection (AUX) that needs a password before it can be used; it is intended for connection via modem.

For security from the network point of view, at switch level (layer 2) virtual LANs (VLANs) are often used to separate broadcast domains.
There is also a security level at the ports themselves, beyond access to the switch system, which aims to control which computers connect to the network. That is what this article focuses on.

Static address assignment

It consists of manually assigning a MAC address to a specific port. You can then verify that the computer cannot connect on any other port, but can on the assigned one.
The command syntax:

sw(config)#mac-address-table static <mac-address> vlan <vlan-id> interface <interface>

To remove the mapping, use the no form of the command.

sw(config)#no mac-address-table static <mac-address> vlan <vlan-id> interface <interface>

Note that the syntax shown may vary slightly depending on the switch model or IOS version.
The configuration can be checked simply by consulting the switch's MAC address table:

sw#show mac-address-table
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.6429.c999    STATIC      Fa0/7
   1    0002.4aea.d2c1    STATIC      Fa0/4
   1    0006.2a85.3b41    STATIC      Fa0/3
   1    0010.111d.078d    STATIC      Fa0/2
   1    0040.0b95.0844    STATIC      Fa0/8
   1    0060.7074.1915    STATIC      Fa0/5
   1    0090.0c2b.8c7a    STATIC      Fa0/6
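To verify the static assignments without reading the table by eye, the following added example (not from the original article) parses a constructed `show mac-address-table` listing in the format shown above and compares it with a hypothetical intended MAC-to-port map, flagging a host that turns up on another port, an entry that is not STATIC, or a MAC that was never assigned:

```python
import re

# Added example, not from the article. Constructed sample of the output of
# 'show mac-address-table'; the last entry was deliberately moved to Fa0/1.
SAMPLE_OUTPUT = """\
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.6429.c999    STATIC      Fa0/7
   1    0002.4aea.d2c1    STATIC      Fa0/4
   1    0006.2a85.3b41    STATIC      Fa0/3
   1    0010.111d.078d    DYNAMIC     Fa0/1
"""

# Intended static pinning (hypothetical): MAC -> port where it belongs.
EXPECTED = {"0001.6429.c999": "Fa0/7", "0002.4aea.d2c1": "Fa0/4",
            "0006.2a85.3b41": "Fa0/3", "0010.111d.078d": "Fa0/2"}

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                 r"\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return {mac: (vlan, type, port)} parsed from 'show mac-address-table'."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and blank lines do not match
            vlan, mac, kind, port = m.groups()
            entries[mac.lower()] = (int(vlan), kind.upper(), port)
    return entries


def audit_mac_table(text, expected):
    """Compare the live table with the intended mapping; return (mac, finding) list."""
    table = parse_mac_table(text)
    wanted = {mac.lower(): port for mac, port in expected.items()}
    findings = []
    for mac, want_port in wanted.items():
        got = table.get(mac)
        if got is None:
            findings.append((mac, "not present in table"))
        elif got[2] != want_port:
            findings.append((mac, f"seen on {got[2]}, expected {want_port}"))
        elif got[1] != "STATIC":
            findings.append((mac, f"entry is {got[1]}, not STATIC"))
    for mac in table:
        if mac not in wanted:
            findings.append((mac, "unexpected MAC learned"))
    return findings
```

Run against the constructed sample it reports only the moved host; paste real output into `SAMPLE_OUTPUT` to check a live switch.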

Secure ports

A secure port is one configured so that a MAC address can be established as secure, preventing other computers from connecting to that same port.
There are several ways to handle a secure port. Basic configuration:

  • To apply security the port must be in access mode. Keep in mind the problems this raises in the case of a trunk (VLAN handling, and the native VLAN in particular).
sw(config-if)#switchport mode access
  • To enable security:
sw(config-if)#switchport port-security

With the port configured this way, by default the first MAC learned (from the first frame that comes in) is the only one allowed to use it until it is disconnected; the next one learned after that becomes the secure one. The port can be made to learn more than one address as secure (this only makes sense on a port connected to a hub or another switch).
To learn a single address and not allow it to change:

sw(config-if)#switchport port-security mac-address sticky

The MAC can also be specified by hand. By default the interface is shut down if a change is detected. To recover the interface after a security lock it must be brought down and up again (run shutdown on the port, then no shutdown).
Other port-security options are violation and maximum.
To indicate the number of secure addresses:

sw(config-if)#switchport port-security maximum <number>

To indicate the violation mode:

sw(config-if)#switchport port-security violation {shutdown | protect | restrict}

The violation options set the behaviour when a security violation occurs; they are:

      • shutdown, the default: blocks the port and increments the violation counter.
      • protect: drops the offending frames without blocking the port and does not increment the violation counter.
      • restrict: drops the offending frames without blocking the port, increments the counter and sends violation notices via SNMP.

Note that frames have to be sent for a security violation to occur on the port; a ping, for instance, will do.
Bear in mind that the default, shutdown, can be harmful on a port connected to another switch or a hub, since it can block the port and cut off service to "legitimate" equipment.
Cisco switch: blocked port
Example of a blocked port (in red) that is shared. In that case another violation option would be better.

Checking operation:

To check the status of port security:

sw#show port-security

To view the detailed configuration of a port:

sw#show port-security interface <interface>
Switch#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
          (Count)     (Count)          (Count)
Fa0/2        1          1                 0             Protect
Fa0/3        1          1                 0             Protect
Fa0/4        1          1                 3            Restrict
Fa0/5        1          1                 0            Restrict
Fa0/6        3          0                 0            Shutdown
Fa0/7        1          1                 1            Shutdown
Fa0/8        3          2                 0            Shutdown

The columns show the maximum number of secure addresses, the addresses currently learned and remembered, and the violation counter. In protect mode that counter is never incremented.
To remove secure MACs:
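The same listing can be checked automatically. This added example (not part of the original article) parses a constructed `show port-security` table in the format above and flags two things the text warns about: ports with a non-zero violation counter, and shutdown mode on ports that allow several addresses (typically a hub or another switch), where one stray frame would cut off every host behind it:

```python
import re

# Added example, not from the article. Constructed sample of 'show port-security'
# output, modelled on the listing in the text.
SAMPLE_OUTPUT = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)          (Count)
Fa0/2        1          1                 0             Protect
Fa0/3        1          1                 0             Protect
Fa0/4        1          1                 3            Restrict
Fa0/5        1          1                 0            Restrict
Fa0/6        3          0                 0            Shutdown
Fa0/7        1          1                 1            Shutdown
Fa0/8        3          2                 0            Shutdown
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$",
                 re.I)


def parse_port_security(text):
    """Return {port: {"max": n, "current": n, "violations": n, "mode": str}}."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the two header lines do not match
            port, mx, cur, viol, mode = m.groups()
            ports[port] = {"max": int(mx), "current": int(cur),
                           "violations": int(viol), "mode": mode.lower()}
    return ports


def review_port_security(text):
    """Return (port, finding) tuples for ports worth a look:
    - any violation count above zero (protect mode never counts, so it stays 0)
    - shutdown mode on a port allowing several MACs (hub or another switch),
      where one violation err-disables every host on it
    """
    findings = []
    for port, p in parse_port_security(text).items():
        if p["violations"] > 0:
            findings.append((port, f"{p['violations']} violation(s) in {p['mode']} mode"))
        if p["mode"] == "shutdown" and p["max"] > 1:
            findings.append((port, "shutdown mode on a multi-host port; "
                                   "consider protect or restrict"))
    return findings
```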

sw#clear port-security all
sw#clear port-security configured --> for static ones
sw#clear port-security dynamic --> for dynamic ones
sw#clear port-security sticky --> for sticky

You can also set how long a learned MAC is kept:

sw(config-if)#switchport port-security aging time <minutes> --> after which it is removed.

A sample file to try these things out (created with Packet Tracer 6) can be downloaded here.

Port security for DHCP:

An important defense that we can apply in the ports is facing DHCP service attacks.

DHCP works with unauthenticated broadcasts, so it is susceptible to attacks by "rogue" DHCP servers that hand out false configurations to legitimate clients. Those clients, as a rule, will not receive the settings they need to reach external resources.
DHCP snooping consists of identifying trusted ports, the ones that will be allowed both to send and to receive DHCP messages.

With the trust option the port becomes trusted, allowing DHCP server offers through to the clients.

sw(config)# ip dhcp snooping --> to enable the service.
sw(config)#interface f0/1
sw(config-if)#ip dhcp snooping trust

Untrusted ports can only send requests, so DHCP clients can be connected to them, but not servers.
DHCP is also very susceptible to DoS (Denial of Service) attacks that launch many IP configuration requests from invented MAC addresses, in order to exhaust every IP address the server has available.
For this latter case it is advisable to limit the number of requests that can be made through a port, with the command:

sw(config-if)#ip dhcp snooping limit rate <rate> --> maximum rate of DHCP requests allowed.
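Once port-security and DHCP snooping are in place, a saved running-config can be audited against the rules from this article and the previous section. The example below is added here and is not from the original article; it walks the interface stanzas of a constructed config and reports access ports without port-security, port-security on a trunk (which needs access mode), client ports marked as DHCP-trusted, and a missing global ip dhcp snooping:

```python
# Added example, not from the article: a small audit of interface stanzas in a
# saved running-config. The config below is constructed to contain each issue.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping trust
interface FastEthernet0/3
 switchport mode trunk
 switchport port-security
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
"""


def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_config(config):
    """Return (interface, finding) tuples for the rules the article describes."""
    findings = []
    if "ip dhcp snooping" not in config.splitlines():
        findings.append(("global", "ip dhcp snooping is not enabled"))
    for name, lines in parse_interfaces(config).items():
        access = "switchport mode access" in lines
        trunk = "switchport mode trunk" in lines
        secured = "switchport port-security" in lines
        trusted = "ip dhcp snooping trust" in lines
        if access and not secured:
            findings.append((name, "access port without port-security"))
        if trunk and secured:
            findings.append((name, "port-security on a trunk (needs access mode)"))
        if access and trusted:
            findings.append((name, "client port trusted for DHCP; a rogue server could answer"))
    return findings
```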

These commands are not available in the Packet Tracer simulator; we will have to try them on real switches 🙂

I hope this new article has been interesting; if so, give it a +1 or a like on your favourite social networks and help us share this content. Thanks.

About Angel Calvo

Passionate about science and technology. Teacher, author of manuals and systems and communications manager.
