
Switch Port Security

Here is one way to combat unauthorized switches being connected by end users, which is typically done to increase the number of ports available at a location.

Enable port security:

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#end

The configuration above enables port security on FastEthernet0/1, a port that would go out to an end-user workstation. If someone placed a small switch or hub at the end of the connection in order to connect a second device (such as a network printer, another workstation, etc.), a second MAC address would be detected on the port. This triggers the access switch to shut down the port (and send an SNMP trap), effectively cutting off all connectivity to the network for that port.

The global configuration command shown above, errdisable recovery cause psecure-violation, causes the port to be brought out of the err-disabled (shutdown) state automatically after the recovery timer expires. The errdisable recovery timer can be changed from the default of 300 seconds using the errdisable recovery interval command.
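The following is an added example, not part of the original post, showing how an administrator could audit a saved running-config for the settings this recipe sets. It checks every access port for port-security, a MAC limit no higher than the one the post uses, and the shutdown violation mode, and it reads the global errdisable recovery settings. The sample configuration text, the parser, and the function names are assumptions constructed for this example; the defaults it assumes when a line is absent (maximum 1, violation shutdown, interval 300 s) are the IOS defaults.

```python
"""Audit a Cisco IOS running-config for the port-security settings described above.

Added example (not from the original post). SAMPLE_CONFIG is constructed to
look like 'show running-config' output; the parser and checks are assumptions
about how an auditor would read that text, not a Cisco API.
"""
import re

# Constructed sample: Fa0/1 follows the post's recipe, Fa0/2 is an access port
# with no port-security, Fa0/3 allows too many MACs and only 'protects'.
SAMPLE_CONFIG = """\
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented command lines]} for each 'interface' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def global_setting(config, prefix):
    """Return the first global (unindented) line starting with prefix, or None."""
    for line in config.splitlines():
        if line.startswith(prefix):
            return line.strip()
    return None


def audit_port_security(config, max_allowed=1):
    """Return a list of (interface, finding) tuples for access ports.

    The checks mirror the post's recipe: port-security enabled, a MAC limit
    no higher than max_allowed, and violation mode 'shutdown'.
    """
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        if "switchport port-security" not in cmds:
            findings.append((name, "port-security not enabled"))
            continue
        maximum = 1            # IOS default when 'maximum' is not configured
        violation = "shutdown"  # IOS default violation mode
        for c in cmds:
            m = re.match(r"switchport port-security maximum (\d+)", c)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\w+)", c)
            if m:
                violation = m.group(1)
        if maximum > max_allowed:
            findings.append((name, f"maximum {maximum} exceeds {max_allowed}"))
        if violation != "shutdown":
            findings.append((name, f"violation mode is {violation}, not shutdown"))
    return findings


def errdisable_recovery(config):
    """Return (recovery_enabled_for_psecure, interval_seconds) from the global config."""
    enabled = global_setting(config, "errdisable recovery cause psecure-violation") is not None
    line = global_setting(config, "errdisable recovery interval")
    interval = int(line.split()[-1]) if line else 300  # 300 s is the IOS default
    return enabled, interval


if __name__ == "__main__":
    for iface, msg in audit_port_security(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
    print("errdisable recovery (psecure, interval):", errdisable_recovery(SAMPLE_CONFIG))
```

Run against the sample it reports Fa0/2 as unprotected and flags Fa0/3 twice (limit too high, violation mode only logs rather than shutting the port), while Fa0/1 and the trunk uplink produce no findings. Pointing it at a real config export is a quick way to find ports that were added after the rollout and missed the recipe.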

Author Info:

Scott's profession is a Senior Network Engineer at a Healthcare related company in Nashville, TN. When he is not trying to secure a network or come up with a design for a new project, he enjoys spending time with his family. You can find out more at: http://www.scottp.net


2 Responses to “Switch Port Security”

  1. Mark Says:

    Got a question… We are looking at doing port security where I work. However, it will be an admin nightmare, because of the many switches that we have. I recall reading somewhere (many, many, many books and bottles of no dose ago) that one can use a centralized database in order to hold the MACs. The switches would be able to authenticate from that centralized database using TACACS. Would you happen to know anything about this? If you do, would you be kind enough to point me in the correct direction, so that I can get it implemented? Thanks in advance, and you have a great site!

    Mark

  2. admin Says:

    There have been some proprietary solutions in the past that kept MAC addresses in a centralized database; however, they never found widespread adoption. In general, 802.1X has become the accepted standard for port-level access security. However, the fact that it requires an 802.1X client on each host prevents it from being implemented in many places. The following document contains information regarding port security:

    http://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdf
