The importance of port security can never be over emphasized. Most of the time, network security is concerned with efforts aimed at preventing external attacks on a network. It is mainly about preventing intrusion on a network through the deploying of firewalls and intrusion prevention/detection systems but as has been observed in some cases especially in the financial institutions, some of the deadly attacks have come from the inside. A worker can have his personal computer plugged to the company network and in a matter of minutes copy vital information from a server. While it is extremely necessary to protect your network from external attacks, it is equally important that you protect your network from internal aggressors. One of the ways to do this is by statically defining which device gets plugged into what switch port and also defining the operational mode of each switch port either as an access or a trunk port.
Port security is configured on a Cisco switch by statically stating the maximum number of mac addresses a switch can learn on a switch port. For a financial institution wishing to stop employees from connecting their personal computers to its network, static mac address entries for the authorized computers can be entered on the switch with the port security violation shutdown command to shut down the ports if unauthorized computers are plugged into the switch.
To configure port security on a Cisco switch, first, the ports connecting to end user devices have to be set up as access ports, then we will need to get the mac addresses of the authorized computers, and finally, we will define the action to be taken once an unauthorized device is plugged into any of the switch ports.
I am using a Cisco catalyst 2960 switch for this demonstration. First, to get the mac address of any system, go to its command prompt and type “ipconfig /all”. Type it without the quotation marks. This will display the mac addresses associated with all the network cards on your computer, simply locate the one for LAN and copy it. The next commands are entered on the catalyst switch to configure port security on the fast ethernet 1 port of the switch..
TimiGate(config)#int f0/1
TimiGate(config-if)#sw mode access
TimiGate(config-if)#sw port max 1
TimiGate(config-if)#sw port mac d4:c9:ef:70:f9:f7
TimiGate(config-if)#sw port violation shutdown
TimiGate(config-if)#sw port
The last command is always neglected by students. It is the command that turns on port-sec on an interface. Without it, port-sec won’t take any effect. There are three states that a switch port can be placed in once port security policy is violated. These are protect, restrict, and shutdown. The protect mode ignores the new mac address trying to connect to the network through the switch and simply does nothing. The administrator is unaware of the attempt to connect an authorized device to the network. I do not recommend this mode. The next is restrict. This mode does the same thing as the protect mode but increments the counter which notifies the network admin of an unsuccessful attempt to connect an unauthorized device to the network. The last one is the shutdown mode. This mode is the default mode of any switch port configured for port security. It shuts down the port once there is a violation, enabling the admin to know the port on which the security policy has been violated. This helps in determining who is responsible for the violation. To enable the port, the network administrator will have to log on to the switch, shut down the port and then type no shut to bring it back on.
There you have it guys. The configuration commands are few and simple but the concept is huge.