Study Session Number 16! Switch Security - Port Security! #17

Hi Everyone, 

Today I'm gonna learn more about switch security. I think today's session will be focused more on protecting and limiting the physical ports themselves, so I don't think there will be too much ground that needs to be covered today. After I've gone through the notes I'm going to do some labbing, taking last lesson and this lesson and putting the theory into practice just to build the muscle memory. I think all the things discussed last lesson were relatively straightforward, so hopefully this lesson will be too.

In a regular switched environment, when a device connects to a switchport the MAC address of that device gets stored in the switch's CAM table and the device is let onto the network, along with any specific VLAN it may have been assigned to. But what if a rogue device connects to a switchport that is designated for a manager? They now have complete access to the company's network. By configuring port security, each port can be set up so that only specified MAC addresses can gain access to the network - this might mean allowing only the manager's laptop's MAC address on that port, which then prevents any rogue device, as only that MAC address can gain access. Another method is to limit the number of MAC addresses that are allowed on a specific switchport - say only 3 MAC addresses are allowed on one port; any more and the port will shut down or drop the frames.

Static - Statically configuring the MAC addresses that are allowed on a specific port.

Dynamic - How many MAC addresses are permitted on a specific port; they are dynamically learned (example - only two MAC addresses are permitted, so the first two devices plugged in are allowed access to the network).
    Aging interval - defines the time after which learned MAC addresses will be forgotten.

Sticky - Automatically adds a learnt MAC address to the running-config. The switch learns the MAC then saves it to the running configuration, which eliminates having to enter each address on the switch by hand and allows for constant updating. E.g. running-config (RAM) to startup-config (NVRAM).

Static & Dynamic together - Static is defining specific MAC addresses, dynamic is defining a number of MAC addresses. A combination of both can be configured, for example - limit the port to four MAC addresses then statically assign two.

Security violation modes -
Shutdown - This is the default; it puts the port into error-disabled mode (and sends an SNMP trap if SNMP is configured).
Protect - Drops frames with unknown source MAC addresses.
Restrict - Drops frames with unknown source MAC addresses and increments the security violation counter.
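To see how the modes above interact (static entries, the maximum, dynamic and sticky learning, aging, and the three violation modes), here is a small Python model written as an added example for these notes. It is not Cisco code and it simplifies IOS behaviour; the port names, MAC addresses and timings in the scenarios are made up.

```python
"""Added example for these notes (not Cisco code): a toy model of port security.

It imitates the behaviour described above: statically configured MACs, a
maximum number of addresses, dynamically learned (and optionally sticky)
MACs, an aging interval, and the three violation modes. IOS internals are
simplified; MAC values and timings in the scenarios are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown (default) | protect | restrict
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # seconds; 0 = learned MACs never age out
    static_macs: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)    # mac -> last time seen
    running_config: list = field(default_factory=list)
    status: str = "secure-up"        # secure-up | err-disabled
    violation_count: int = 0

    def secure_addresses(self):
        """Everything counted against the maximum: static + learned (sticky included)."""
        return self.static_macs | set(self.learned)

    def _age_out(self, now):
        # Aging interval: forget dynamic MACs not seen within aging_time seconds.
        # Sticky entries behave like static ones here and are not aged.
        if self.aging_time and not self.sticky:
            for mac, seen in list(self.learned.items()):
                if now - seen >= self.aging_time:
                    del self.learned[mac]

    def receive(self, src_mac, now=0):
        """Handle a frame from src_mac; returns 'forward', 'drop' or 'errdisable'."""
        if self.status == "err-disabled":
            return "errdisable"          # port is down, nothing passes
        self._age_out(now)
        if src_mac in self.static_macs:
            return "forward"
        if src_mac in self.learned:
            self.learned[src_mac] = now  # refresh the aging timer
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.learned[src_mac] = now  # dynamic learning, room still available
            if self.sticky:              # sticky: also written into the running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Unknown MAC and the table is full: a security violation.
        if self.violation == "shutdown":
            self.status = "err-disabled"
            self.violation_count += 1    # IOS counts the violation here as well
            return "errdisable"
        if self.violation == "restrict":
            self.violation_count += 1    # restrict: drop and count (and log/trap)
        return "drop"                    # protect: drop silently


    def recover(self):
        """shutdown / no shutdown (or errdisable recovery) brings the port back."""
        self.status = "secure-up"


def scenario_static_plus_dynamic():
    """Notes' example: limit to four MACs, statically assign two, restrict mode."""
    p = SecurePort("Fa0/1", maximum=4, violation="restrict",
                   static_macs={"0000.1111.aaaa", "0000.1111.bbbb"})
    frames = ["0000.1111.aaaa", "0000.2222.0001", "0000.2222.0002",
              "0000.3333.dead", "0000.2222.0001"]
    return [p.receive(m) for m in frames], p.violation_count


def scenario_modes():
    """Same rogue MAC against each violation mode with maximum 1."""
    out = {}
    for mode in ("shutdown", "protect", "restrict"):
        p = SecurePort("Fa0/2", maximum=1, violation=mode)
        p.receive("0000.1111.aaaa")          # first device is learned
        r1 = p.receive("0000.9999.bad0")     # rogue device
        r2 = p.receive("0000.1111.aaaa")     # does the legit host still pass?
        status, count = p.status, p.violation_count
        p.recover()                          # bounce the port
        out[mode] = (r1, r2, status, count, p.receive("0000.1111.aaaa"))
    return out


def scenario_sticky_and_aging():
    """Sticky writes the MAC into running-config; aging frees a dynamic slot later."""
    s = SecurePort("Fa0/3", maximum=1, violation="protect", sticky=True)
    s.receive("0000.1111.aaaa")
    a = SecurePort("Fa0/4", maximum=1, violation="protect", aging_time=10)
    a.receive("0000.1111.aaaa", now=0)
    blocked = a.receive("0000.2222.bbbb", now=5)     # within aging time: dropped
    after_age = a.receive("0000.2222.bbbb", now=10)  # aaaa aged out, bbbb learned
    return s.running_config, blocked, after_age


if __name__ == "__main__":
    print(scenario_static_plus_dynamic())
    print(scenario_modes())
    print(scenario_sticky_and_aging())
```

The modes scenario is the useful one to stare at: protect and restrict both keep the legitimate host working and only drop the rogue frames (restrict is the one that leaves a counter behind for you to notice), whereas shutdown takes the legitimate host down with the rogue one until someone bounces the port.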

Commands - 

NOTE: FOR THE SWITCHPORT PORT-SECURITY COMMAND TO WORK, THE INTERFACE MUST BE SET TO AN ACCESS PORT (switchport mode access) - ON A PORT LEFT IN DYNAMIC MODE IT WON'T WORK, AND THIS IS CAUSED BY DTP.

Manually configure an interface with a MAC -
int *int*
    mac-address *mac address*

Enable switchport security -
int *int*
    switchport port-security - can now be verified with the show port-security command.

Static security -
int *int*
    switchport port-security
    switchport port-security mac-address *static MAC address* (repeat for each static address)

Dynamic security -
int *int*
    switchport port-security
    switchport port-security maximum *number of allowed MAC addresses*

Sticky security -
int *int*
    switchport port-security
    switchport port-security mac-address sticky - learned MAC addresses are added to the running-config.

Shutdown, Protect, Restrict -
int *int*
    switchport port-security
    switchport port-security violation *shutdown, protect or restrict*
To recover a port from error-disabled, physically remove the host with the invalid MAC address, then turn the port off and on (shutdown then no shutdown).
OR
(config) errdisable recovery cause psecure-violation
(config) errdisable recovery interval *seconds* - sets how long the port stays down after a violation before it is brought back up automatically.

Verify -
show port-security
    show port-security address - same information as the last command, but listed per MAC address rather than per interface.
    show port-security interface *int*
show mac address-table
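When you have more than a handful of ports, reading the show port-security summary by eye gets old. The following Python script is an added example for the Verify section (not Cisco code): it parses the summary table into records and flags the ports worth a second look. The sample output is constructed in the layout of that command, not captured from a real switch.

```python
"""Added example for the Verify section (not Cisco code): parse the summary
table printed by `show port-security` and flag ports worth checking.
The SAMPLE text is constructed in the layout of that command, not captured
from a real switch."""
import re

SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              3            2                  4         Restrict
      Fa0/3              2            2                  0          Protect
      Fa0/4              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# One data row: port, max, current, violations, action. Header, separator and
# footer lines do not match this pattern and are skipped.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


def parse_port_security(text):
    """Return one dict per secure port listed in the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"port": m.group(1), "max": int(m.group(2)),
                         "current": int(m.group(3)), "violations": int(m.group(4)),
                         "action": m.group(5)})
    return rows


def review(rows):
    """Findings an admin would want to follow up on, one string each."""
    findings = []
    for r in rows:
        if r["violations"] and r["action"] == "Shutdown":
            # A counted violation in shutdown mode means the port went err-disabled.
            findings.append(f"{r['port']}: {r['violations']} violation(s) - "
                            "port has been error-disabled, check who plugged in")
        elif r["violations"]:
            findings.append(f"{r['port']}: {r['violations']} violation(s) dropped "
                            f"in {r['action']} mode")
        if r["action"] == "Protect":
            # Protect drops silently and never increments the counter, so a zero
            # here tells you nothing; restrict would at least leave a count.
            findings.append(f"{r['port']}: Protect mode gives no violation count")
    return findings


if __name__ == "__main__":
    for finding in review(parse_port_security(SAMPLE)):
        print(finding)
```

Run against real output, the Protect finding is the one that tends to surprise people: a port in protect mode with a violation count of 0 may well have been dropping rogue frames all day.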
