port security.ppt - Securing Multilayer Switched Networks

Securing Multilayer Switched Networks

Network Access Port Security
• Port security is a MAC address lockdown that disables the port if the MAC address is not valid.

Enabling Port Security
Switch(config-if)#switchport port-security [maximum value] violation {protect | restrict | shutdown}
• Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

Verifying Port Security
Switch#show port-security
• Displays security information for all interfaces

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Verifying Port Security (Cont.)
Switch#show port-security interface interface x/y
• Displays security information for a specific interface

Switch#show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Port Security with Sticky MAC Address

AAA Network Configuration
– Authentication
  • Verifies a user's identity
– Authorization
  • Specifies the permitted tasks for the user
– Accounting
  • Provides billing, auditing, and monitoring

Configuring Authentication
Switch(config)#aaa new-model
• Enables AAA globally
Switch(config)#aaa authentication login {default | list-name} method1 [method2...]
• Creates a local authentication list
Switch(config)#line [aux | console | tty | vty] line-number [ending-line-number]
• Enters line configuration mode
Switch(config-line)#login authentication {default | list-name}
• Applies the authentication list to a line

Configuring Authorization
Switch(config)#aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]
• Creates an authorization method list and enables authorization
Switch(config)#interface interface-type interface-number
• Enters interface configuration mode
Switch(config-if)#ppp authorization {default | list-name}
• Applies the named authorization method list to the interface

Configuring Accounting
Switch(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
• Creates an accounting method list and enables accounting
Switch(config)#interface interface-type interface-number
• Enters interface configuration mode
Switch(config-if)#ppp accounting {default | list-name}
• Applies the named accounting method list to the interface

802.1X Port-Based Authentication
– Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

Configuring 802.1X Port-Based Authentication
Switch(config)#aaa authentication dot1x {default} method1 [method2...]
• Creates an 802.1X port-based authentication method list
Switch(config)#dot1x system-auth-control
• Globally enables 802.1X port-based authentication
Switch(config)#interface type slot/port
• Enters interface configuration mode
Switch(config-if)#dot1x port-control auto
• Enables 802.1X port-based authentication on the interface

Types of ACLs

Configuring VACLs
Switch(config)#vlan access-map map_name [seq#]
• Defines a VLAN access map
Switch(config-access-map)#match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
• Configures the match clause in a VLAN access map sequence
Switch(config-access-map)#action {drop [log]} | {forward [capture]} | {redirect {type slot/port} | {port-channel channel_id}}
• Configures the action clause in a VLAN access map sequence
Switch(config)#vlan filter map_name vlan_list list
• Applies the VLAN access map to the specified VLANs

Private VLANs

PVLAN Ports and Types
• Private VLAN ports:
  – Promiscuous: Can communicate with all other ports
  – Isolated: Can only communicate with promiscuous ports
  – Community: Can communicate with other members of the community and all promiscuous ports
• Private VLAN types:
  – Primary: Used by promiscuous ports to communicate with all other ports in the private VLAN
  – Isolated: Used by isolated ports to communicate with promiscuous ports
  – Community: Used by community ports to communicate with each other and promiscuous ports

Configuring Private VLANs
Switch(config-vlan)#private-vlan [primary | isolated | community]
• Configures a VLAN as a private VLAN
Switch(config-vlan)#private-vlan association {secondary_vlan_list | add svl | remove svl}
• Associates secondary VLANs with the primary VLAN
Switch#show vlan private-vlan type
• Verifies private VLAN configuration

Configuring Private VLAN Ports
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
• Configures an interface as a private VLAN port
Switch(config-if)#switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID
• Associates an isolated or community port with a private VLAN
Switch(config-if)#switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add svl | remove svl}
• Maps a promiscuous PVLAN port to a private VLAN
Switch#show interfaces private-vlan mapping
• Verifies private VLAN port configuration

Protecting Against Spoof Attacks
DHCP Spoof Attacks
DHCP Snooping
Securing DHCP Snooping Attacks
Verifying DHCP Snooping
STP Security Mechanisms
Protecting The Operation of STP
Enabling and Verifying BPDU Guard
Describing BPDU Filtering
Describing Root Guard
Root Guard Configuration Commands

Switching Labs
• Implementing VLANs
• Configure Trunking
• Dynamic Trunking Protocol
• Implementing Inter-VLAN Routing
• Propagating VLAN Configuration With VTP
• Implementing Spanning Tree Protocol
• Load Balancing in STP
• Implementing MSTP
• Configure Link Aggregation Using EtherChannel
• Configure SPAN
• Configure Layer 3 Redundancy With HSRP
• Configure Layer 3 Redundancy With VRRP
• Configure Layer 3 Redundancy With GLBP
...
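As an added example (not part of the slides), the following Python parses the "show port-security" summary table in the layout shown above and turns it into the findings an operator would want from a port-security audit: ports with recorded violations, ports already at their MaxSecureAddr limit, and ports in protect mode, which drop offending frames without a log or counter. The sample output is constructed, with Fa5/5 given a non-zero violation count.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of the slides' 'show port-security' output (not a
# real capture); Fa5/5 is given a non-zero violation count so that check fires.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  3         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
"""

# One data row: interface, three counters, then the violation action.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

@dataclass
class SecurePort:
    name: str
    max_addr: int
    cur_addr: int
    violations: int
    action: str

def parse_port_security(text: str) -> List[SecurePort]:
    """Return the per-interface rows; header, separator and totals lines do not match."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, max_addr, cur_addr, violations, action = m.groups()
            ports.append(SecurePort(name, int(max_addr), int(cur_addr), int(violations), action))
    return ports

def audit(ports: List[SecurePort]) -> List[Tuple[str, str]]:
    """Findings a defender would act on: recorded violations, ports at their MAC limit,
    and protect-mode ports, which drop offending frames without incrementing the counter."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append((p.name, f"{p.violations} violation(s); action is {p.action}"))
        if p.cur_addr >= p.max_addr:
            findings.append((p.name, "at MaxSecureAddr; the next new MAC triggers the action"))
        if p.action == "Protect":
            findings.append((p.name, "protect mode gives no log or counter; use restrict or shutdown"))
    return findings
```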
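As a second added example (again not from the slides), this Python reads the private-VLAN port commands listed above from a constructed interface configuration and applies the PVLAN rules the slides state (promiscuous reaches all ports, isolated reaches only promiscuous, community reaches its own community and promiscuous) to decide whether two ports can communicate. It assumes VLAN 100 is primary, 101 isolated and 102 community; a host port whose secondary VLAN is missing from the promiscuous port's mapping is reported as unreachable, which is the misconfiguration a reviewer of such a config looks for.

```python
from typing import Dict, Set, Tuple

# Constructed interface configuration (not from the slides), written with the commands
# the slides list. Assumed VLAN layout: 100 primary, 101 isolated, 102 community.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface FastEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
"""
ISOLATED_VLANS = {101}  # assumed: VLAN 101 was configured with 'private-vlan isolated'

# A port is (mode, secondary VLANs): one VLAN for a host port, the mapped list for promiscuous.
Port = Tuple[str, Set[int]]

def parse_pvlan_ports(config: str) -> Dict[str, Port]:
    """Collect private-VLAN mode and secondary VLANs per interface from config lines."""
    ports: Dict[str, Port] = {}
    name = ""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ports[name] = ("", set())
        elif line.startswith("switchport mode private-vlan "):
            ports[name] = (line.rsplit(None, 1)[1], ports[name][1])
        elif line.startswith("switchport private-vlan host-association "):
            ports[name] = (ports[name][0], {int(line.split()[-1])})
        elif line.startswith("switchport private-vlan mapping "):
            ports[name] = (ports[name][0], {int(v) for v in line.split()[-1].split(",")})
    return ports

def can_communicate(ports: Dict[str, Port], a: str, b: str) -> bool:
    """Slides' rules: promiscuous reaches every mapped port, isolated reaches only
    promiscuous, community reaches its own community and promiscuous."""
    (mode_a, sec_a), (mode_b, sec_b) = ports[a], ports[b]
    if mode_a == "promiscuous" and mode_b == "promiscuous":
        return True
    if "promiscuous" in (mode_a, mode_b):
        return bool(sec_a & sec_b)  # host reachable only if its secondary VLAN is mapped
    shared = sec_a & sec_b
    return bool(shared) and not (shared & ISOLATED_VLANS)
```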
  • Summer '20
  • IP address, Port security