
Cisco Networking Academy's Introduction to Basic Switching Concepts and Configuration

Chapter Description

This chapter examines some of the basic switch configuration settings required to maintain a secure, available, switched LAN environment.

Switch Security: Management and Implementation (2.2)

When you take a new switch out of the box, the first thing the network engineer does is secure the switch and assign it an IP address, subnet mask, and default gateway so the switch can be managed from a remote location. Learning the different methods used to secure a switch is important. Also important is learning the types of attacks that can be launched on, toward, or through a switch. By understanding the attacks and the available tools and countermeasures, a technician can be better prepared to secure the switch and make use of the tools and security commands.

Secure Remote Access (2.2.1)

Two protocols are commonly used for remote command-line access to a switch: Telnet and SSH. Telnet has already been covered; because it transmits everything in plaintext, SSH is the method that should be used to manage a switch from a remote location.

SSH Operation (2.2.1.1)

Secure Shell (SSH) is a protocol that provides an encrypted management connection to a remote device. SSH should replace Telnet for management connections. Telnet is an older protocol that transmits both the login credentials (username and password) and the session data in plaintext. SSH encrypts the authentication exchange (username and password) and all data exchanged between the communicating devices. SSH uses TCP port 22; Telnet uses TCP port 23.

Look at the online course, and select the first graphic to see how an attacker can monitor packets using a product such as Wireshark. A Telnet stream can be targeted to capture the username and password.

In the following output, you can see how the attacker can capture the username and password of the administrator from the plaintext Telnet session. The doubled characters (BBoobb, eenn) are the Telnet echo: the reassembled stream contains each keystroke the client sent plus the copy the server echoed back, while the passwords appear once because the server does not echo them.

...........
User Access verification
username: ..................P.........vt100..BBoobb
.
Password: cisco
.
R1> eenn
.
Password: class
.
R1#

Click on the third graphic in the online course to see a Wireshark view of an SSH session. The attacker can track the session using the IP address of the administrator device.

However, if a Wireshark capture is made on the SSH session, the fourth graphic in the online course shows how the username and password are encrypted.

To enable SSH on a Catalyst 2960 switch, the switch must be running an IOS image that includes cryptographic features. Use the show version command to see which IOS image the switch is running; an image filename that contains "k9" (for example, C2960-LANBASEK9-M) supports cryptographic features, whereas an image without it cannot act as an SSH server.

S1> show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M),
Version 15.0(2)SE, RELEASE SOFTWARE (fc1)

<output omitted>

Configuring SSH (2.2.1.2)

Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity settings.

  • Verify SSH support: Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.
  • Configure the IP domain: Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command. In Figure 2-12, the domain-name value is cisco.com.

    Figure 2-12 Configure SSH for Remote Management

  • Generate RSA key pairs: Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. Cisco recommends a minimum modulus size of 1024 bits (refer to the sample configuration in Figure 2-12); SSH version 2 on IOS requires a key of at least 768 bits, and current practice is to use 2048 bits. A longer modulus is more secure, but it takes longer to generate and use.
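The three bullets above are only part of the job: without a user account and vty lines that accept SSH, the server is enabled but nobody can log in. The following is an added example, not the page's Figure 2-12 and not Cisco's own text, that carries the steps through to an SSH-only management configuration. It assumes the values used elsewhere in this section (hostname S1, domain cisco.com, SVI VLAN 99 at 172.17.99.11, local user admin with password ccna) plus a default gateway of 172.17.99.1 and a /24 mask, both of which are assumptions:

```cisco
! Added example: SSH-only remote management on a Catalyst 2960 (assumed values, see lead-in)
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
! The RSA key is named hostname.domain, so the domain name must exist before key generation
S1(config)# ip domain-name cisco.com
! Management SVI and default gateway so the switch is reachable from the admin workstation
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 172.17.99.1
! Generating the key pair enables the SSH server. "modulus 2048" skips the interactive
! prompt shown in the text and exceeds the 1024-bit minimum it recommends.
S1(config)# crypto key generate rsa modulus 2048
! Accept only SSH version 2 (requires a key of at least 768 bits)
S1(config)# ip ssh version 2
! Local user database. "secret" stores a hashed password; "password" would store it reversibly.
S1(config)# username admin secret ccna
! vty lines: authenticate against the local database, accept SSH only (Telnet refused),
! and drop idle sessions after five minutes
S1(config)# line vty 0 15
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Verification
S1# show crypto key mypubkey rsa
S1# show ip ssh
S1# show ssh
S1# copy running-config startup-config
```

After this, a Telnet attempt to 172.17.99.11 is refused at the vty line, and show ip ssh should report version 2. The RSA key pair is stored in NVRAM, not in the running configuration, so it survives a reload without copy running-config startup-config; the rest of the configuration does not.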

Verifying SSH (2.2.1.3)

On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. For the examples in Figures 2-13 to 2-15, the following have been configured:

  • SSH enabled on switch S1
  • Interface VLAN 99 (SVI) with IP address 172.17.99.11 on switch S1
  • PC1 with IP address 172.17.99.21

In Figure 2-13, the PC initiates an SSH connection to the SVI VLAN IP address of S1.

Figure 2-13 Configure PuTTY with SSH Client Connection Parameters

In Figure 2-14, the user has been prompted for a username and password. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch.

Figure 2-14 Remote Management SSH Connection

To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command (see Figure 2-15).

Figure 2-15 Verify SSH Status and Settings

Security Concerns in LANs (2.2.2)

Wired LANs are a common target of attack because so much information about the network can be gathered with free, downloadable tools. By examining captured frames, attackers can determine the IP addresses of network devices, the protocols in use, valid server names and IP addresses, and so on. With this information an attacker can launch further attacks or even insert a rogue device. This section introduces the types of attacks on a wired LAN and the countermeasures against them.

Common Security Attacks: MAC Address Flooding (2.2.2.1)

Basic switch security does not stop malicious attacks. Security is a layered process that is essentially never complete. The more aware networking professionals within an organization are regarding security attacks and the dangers they pose, the better. Some types of security attacks are described here, but the details of how some of these attacks work are beyond the scope of this course. More detailed information is found in the CCNA WAN Protocols course and the CCNA Security course.

MAC Address Flooding

All Catalyst switch models use a MAC address table for Layer 2 switching. The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port. As a frame arrives on a switch port, the source MAC address is recorded in the MAC address table. The switch then examines the received destination MAC address and looks in the MAC address table to see if it contains the destination MAC address. If an entry already exists for the destination MAC address, the switch forwards the frame to the correct port. If the destination MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received.

The MAC address flooding behavior of a switch for unknown addresses can be used to attack a switch. This type of attack is called a MAC address table overflow attack. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks and CAM table overflow attacks. The following figures show how this type of attack works.

In Figure 2-16, host A sends traffic to host B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch cannot find the destination MAC in the MAC address table, it floods a copy of the frame out of every switch port, except the port where it was received.

Figure 2-16 MAC Address Flooding - Switch Floods Frame for Unknown MAC

In Figure 2-17, host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and records that information into the MAC address table.

Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, the network adapter on host C discards it. (An adapter placed in promiscuous mode by a packet-capture tool would keep it instead, which is why flooding is useful to an attacker.)

Figure 2-17 MAC Address Flooding - Switch Records MAC Address

As shown in Figure 2-18, any frame sent by host A (or any other host) to host B is now forwarded only to port 2 of the switch and is not flooded out every port.

Figure 2-18 MAC Address Flooding - Switch Uses MAC Address Table to Forward Traffic

MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full.

As shown in Figure 2-19, an attacker at host C can send frames with fake, randomly generated source and destination MAC addresses to the switch. The switch records each new source address in the MAC address table until the table is full. Once it is full, the switch can no longer learn new addresses, and as legitimate entries age out they cannot be relearned, so frames to those destinations are treated as unknown unicasts and flooded out every port. This is often described as the switch failing open and behaving like a hub. As a result, the attacker can see those frames.

Figure 2-19 MAC Address Flooding Attack - Attacker Launches Attack

Some network attack tools can generate up to 155,000 MAC entries on a switch per minute. The maximum MAC address table size is switch model-dependent.

As shown in Figure 2-20, as long as the MAC address table on the switch remains full, the switch floods frames for addresses it can no longer learn out of every port except the ingress port. In this example, frames sent from host A to host B are also flooded out of port 3 on the switch and seen by the attacker at host C.

Figure 2-20 MAC Address Flooding Attack - Attacker Sees Broadcasts

One way to mitigate MAC address table overflow attacks is to configure port security, which limits the number of source MAC addresses a port is allowed to learn so that a single port cannot fill the table.

Common Security Attacks: DHCP Spoofing (2.2.2.2)

DHCP is the protocol that automatically assigns a host a valid IP address from a DHCP pool, and it is the main protocol used in industry for allocating client IP addresses. Two types of DHCP attacks can be performed against a switched network: DHCP starvation attacks and DHCP spoofing, as shown in Figure 2-21.

Figure 2-21 DHCP Spoofing and Starvation Attack

In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests (typically DHCPDISCOVER messages, each carrying a different spoofed source MAC address) to consume all the IP addresses the DHCP server can issue. After these addresses are leased, the server cannot issue any more, which produces a denial-of-service (DoS) condition because new clients cannot obtain network access. A DoS attack is any attack that overloads specific devices or network services with illegitimate traffic, thereby preventing legitimate traffic from reaching those resources.

In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to issue DHCP addresses to clients. The normal reason for this attack is to force the clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to make the clients use the attacker, or a machine under the control of the attacker, as their default gateway.

DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server, making it easier to introduce a fake DHCP server into the network.

To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches. These features are covered in a later topic.

Common Security Attacks: Leveraging CDP (2.2.2.3)

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection. In some cases, this simplifies configuration and connectivity.

By default, most Cisco routers and switches have CDP enabled on all ports. CDP information is sent periodically in unencrypted, unauthenticated Layer 2 multicast frames, and each device stores what it hears in its local CDP database. Because CDP is a Layer 2 protocol, the information is exchanged only between directly adjacent Cisco devices; it is not propagated beyond a single hop.

CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. This information can be used by an attacker to find ways to attack the network, typically in the form of a DoS attack.

Figure 2-22 shows a portion of a Wireshark capture showing the contents of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to determine whether there are any security vulnerabilities specific to that version of IOS. Also, because CDP is not authenticated, an attacker could craft bogus CDP packets and send them to a directly connected Cisco device. CDP can be disabled globally with the no cdp run global configuration command, or on individual interfaces (typically access ports facing untrusted hosts) with the no cdp enable interface command, while leaving it enabled on infrastructure links where it is useful.

Figure 2-22 Wireshark CDP Packet Capture

Telnet Attacks

The Telnet protocol is insecure and can be used by an attacker to gain remote access to a Cisco network device. There are tools available that allow an attacker to launch a brute force password-cracking attack against the vty lines on the switch.

Brute Force Password Attack

A brute force password attack tries to crack a password on another device. The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. If the password is not discovered by the first phase, a second phase begins. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to guess the password. Given enough time, a brute force password attack can crack almost all passwords used.

To mitigate against brute force password attacks, use strong passwords that are changed frequently. A strong password should have a mix of uppercase and lowercase letters and should include numerals and symbols (special characters). Access to the vty lines can also be limited using an access control list (ACL) that designates what IP address(es) are allowed access to the vty lines.
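The paragraph above mentions an ACL on the vty lines without showing one. The following is an added example, not from the page or from Cisco, that restricts vty access to the management subnet used earlier in this section; the subnet 172.17.99.0/24 and the admin host 172.17.99.21 are taken from the SSH verification section, and the ACL name is an assumption:

```cisco
! Added example: limit which source addresses may reach the vty lines at all.
! A brute-force tool on any other subnet never gets a login prompt.
S1(config)# ip access-list standard MGMT-HOSTS
S1(config-std-nacl)# remark Only the admin workstation and the management subnet
S1(config-std-nacl)# permit host 172.17.99.21
S1(config-std-nacl)# permit 172.17.99.0 0.0.0.255
! Log denied attempts so repeated guessing from elsewhere shows up in syslog
S1(config-std-nacl)# deny any log
S1(config-std-nacl)# exit
S1(config)# line vty 0 15
! access-class (not ip access-group) applies the ACL to the line itself
S1(config-line)# access-class MGMT-HOSTS in
! SSH only and a short idle timeout, so a hijacked or abandoned session expires
S1(config-line)# transport input ssh
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Hit counters on the deny entry show how often blocked hosts tried
S1# show access-lists MGMT-HOSTS
S1# show users
```

Note that access-class filters on the source address of the connection, so it does nothing against an attacker who is already on the management subnet; strong credentials and SSH remain necessary. On images that support the login enhancements feature, login block-for can additionally impose a quiet period after repeated failed logins.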

Telnet DoS Attack

Telnet can also be used to launch a DoS attack. In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack prevents an administrator from remotely accessing switch management functions. This can be combined with other direct attacks on the network as part of a coordinated attempt to prevent the network administrator from accessing core devices during the breach.

Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions.

Security Best Practices (2.2.3)

With so many devices being attached to the wired network, network security is even more important today. Security starts the moment you take a network device, such as a switch, out of the box for the first time. Now that some of the common attacks have been covered, next is what a network administrator can do to protect and counteract those attacks.

Best Practices (2.2.3.1)

Defending your network against attack requires vigilance and education. The following are best practices for securing a network:

  • Develop a written security policy for the organization.
  • Shut down unused services and ports.
  • Use strong passwords and change them often.
  • Control physical access to devices.
  • Avoid using standard insecure HTTP websites, especially for login screens; instead use the more secure HTTPS.
  • Perform backups and test the backed up files on a regular basis.
  • Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
  • Encrypt and password-protect sensitive data.
  • Implement security hardware and software, such as firewalls.
  • Keep software up-to-date by installing security patches weekly or daily, if possible.

These methods are only a starting point for security management. Organizations must remain vigilant at all times to defend against continually evolving threats. Use network security tools to measure the vulnerability of the current network.

Network Security Tools and Testing (2.2.3.2)

Network security tools help a network administrator test a network for weaknesses. Some tools allow an administrator to assume the role of an attacker. Using one of these tools, an administrator can launch an attack against the network and audit the results to determine how to adjust security policies to mitigate those types of attacks. Security auditing and penetration testing are two basic functions that network security tools perform.

Network security testing techniques may be manually initiated by the administrator. Other tests are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have extensive security and networking knowledge. This includes expertise in the following areas:

  • Network security
  • Firewalls
  • Intrusion prevention systems
  • Operating systems
  • Programming
  • Networking protocols (such as TCP/IP)

Network Security Audits (2.2.3.3)

Network security tools allow a network administrator to perform a security audit of a network. A security audit reveals the type of information an attacker can gather simply by monitoring network traffic.

For example, network security auditing tools allow an administrator to flood the MAC address table with fictitious MAC addresses. This is followed by an audit of the switch ports as the switch starts flooding traffic out of all ports. During the audit, the legitimate MAC address mappings are aged out and replaced with fictitious MAC address mappings. This determines which ports are compromised and not correctly configured to prevent this type of attack.

Timing is an important factor in performing the audit successfully. Different switches support varying numbers of MAC addresses in their MAC table, so it can be difficult to determine the ideal number of spoofed MAC addresses to send to the switch. A network administrator also has to contend with the age-out period of the MAC address table. If the spoofed MAC addresses start to age out while the audit is running, valid MAC addresses repopulate the MAC address table, limiting the data that can be monitored with the auditing tool.

Network security tools can also be used for penetration testing against a network. Penetration testing is a simulated attack against the network to determine how vulnerable it would be in a real attack. This allows a network administrator to identify weaknesses within the configuration of networking devices and make changes to make the devices more resilient to attacks. There are numerous attacks that an administrator can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack.

Because penetration tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. An off-line test bed network that mimics the actual production network is the ideal. The test bed network can be used by networking staff to perform network penetration tests.

Switch Port Security (2.2.4)

Port security is the process of enabling specific commands on switch ports to protect against unauthorized wired devices being attached to the network. An easy way for an intruder to gain access to a corporate network is to plug into an unused Ethernet jack or to unplug an authorized device and use that connector. Cisco provides ways to protect against such behavior.

Secure Unused Ports (2.2.4.1)

The first step in port security is to be aware of ports that are not currently being used on the switch.

Disable Unused Ports

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later on needs to be reactivated, it can be enabled with the no shutdown command. Figure 2-23 shows partial output for this configuration.

Figure 2-23 Disable Unused Switch Ports

It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command.

Switch(config)# interface range type module/first-number - last-number

The process of enabling and disabling ports can be time-consuming, but it enhances security on the network and is well worth the effort.
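The following is an added example, not the page's Figure 2-23, of the interface range command applied to the 24-port case described above, where F0/1 to F0/3 are in use and everything else, including the uplink ports, is disabled until needed. Port numbers and descriptions are assumptions:

```cisco
! Added example: shut every port that is not in use and label it so it is not
! silently re-enabled later
S1(config)# interface range fastethernet 0/4 - 24
S1(config-if-range)# description UNUSED - shut per policy
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Several ranges can be given in one command, separated by " , "
S1(config)# interface range fastethernet 0/4 - 24 , gigabitethernet 0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! A named range macro keeps the list of unused ports in one place for later edits
S1(config)# define interface-range UNUSED fastethernet 0/4 - 24 , gigabitethernet 0/1 - 2
S1(config)# interface range macro UNUSED
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Verify: administratively down ports show "disabled" in the status column
S1# show interfaces status
S1# show ip interface brief | include administratively down
! Later, to bring a single port back into service
S1# configure terminal
S1(config)# interface fastethernet 0/7
S1(config-if)# no description
S1(config-if)# no shutdown
S1(config-if)# end
```

Saving the configuration afterwards matters here: a port shut down only in the running configuration comes back up after a reload.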

DHCP Snooping (2.2.4.2)

DHCP snooping is a Cisco Catalyst feature that determines which devices attached to switch ports can respond to DHCP requests. DHCP snooping can be used to prevent unauthorized DHCP messages that contain information such as IP address-related data being provided to legitimate network devices.

As part of the DHCP snooping configuration process, switch ports are identified as trusted or untrusted. Trusted ports can source any type of DHCP message; untrusted ports can source DHCP client requests only. This configuration protects the network from an attacker acting as a rogue DHCP server. Trusted ports host a DHCP server or are an uplink toward the DHCP server. If a rogue device on an untrusted port sends a DHCP server message (such as a DHCPOFFER or DHCPACK) into the network, the switch drops it; if a rate limit is configured on the port and the rate of DHCP packets exceeds it, the port is placed in the error-disabled state. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, is inserted into the DHCP request packet.

As shown in Figures 2-24 and 2-25, untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.

Figure 2-24 DHCP Snooping Operation

Figure 2-25 DHCP Snooping Configuration

These steps illustrate how to configure DHCP snooping on a Catalyst 2960 switch:


Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration mode command.

Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number command.

Step 3. Define ports as trusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.

Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
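The four steps above, carried through as one complete configuration. This is an added example, not the page's Figure 2-25, and it assumes a topology in which the DHCP server is reached through uplink G0/1 and the clients sit on F0/1 to F0/24 in VLAN 10; the rate limit and recovery interval are assumed values:

```cisco
! Added example: DHCP snooping for VLAN 10 with a single trusted uplink
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Option 82 insertion is on by default. Unless the DHCP server or relay expects it,
! turn it off: a relay may drop client packets carrying option 82 with giaddr 0.
S1(config)# no ip dhcp snooping information option
! Step 3: only the uplink toward the DHCP server may source server messages
S1(config)# interface gigabitethernet 0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 4: access ports stay untrusted (the default) and are rate-limited;
! a port exceeding the rate is placed in error-disabled state
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# exit
! Optional: recover rate-limited ports automatically after five minutes
S1(config)# errdisable recovery cause dhcp-rate-limit
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify: trusted ports, rate limits and the binding table built from client leases
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show interfaces status err-disabled
```

A DHCPOFFER arriving on any F0/x port is now dropped, and a client that floods DISCOVER messages at more than 10 per second err-disables its own port rather than exhausting the server's pool.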

Port Security: Operation (2.2.4.3)

All switch ports (interfaces) should be secured before the switch is deployed for production use. One way to secure ports is by implementing a feature called port security. Cisco port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.

Port Security

Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is limited to one, then only the device with that specific MAC address can successfully connect to the port.

If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a security violation.

Secure MAC Address Types

There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:

  • Static secure MAC addresses: MAC addresses that are manually configured on a port by using the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
  • Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
  • Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, are stored in the address table, and are added to the running configuration.

Sticky Secure MAC Addresses

To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learning. Sticky learning is enabled on an interface by using the switchport port-security mac-address sticky interface configuration mode command.

When this command is entered, the switch converts all dynamically learned MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the address table and to the running configuration.

Sticky secure MAC addresses can also be manually defined. When sticky secure MAC addresses are configured by using the switchport port-security mac-address sticky mac-address interface configuration mode command, all specified addresses are added to the address table and the running configuration.

If the sticky secure MAC addresses are saved to the startup configuration file, then when the switch restarts or the interface shuts down, the interface does not need to relearn the addresses. If the sticky secure addresses are not saved, they will be lost.

If sticky learning is disabled by using the no switchport port-security mac-address sticky interface configuration mode command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration.

The following list shows the characteristics of sticky secure MAC addresses.

  • Learned dynamically, converted to sticky secure MAC addresses stored in the running-config.
  • Removed from the running-config if port security is disabled.
  • Lost when the switch reboots (power cycled).
  • Saving sticky secure MAC addresses in the startup-config makes them permanent, and the switch retains them after a reboot.
  • Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.

Port Security: Violation Modes (2.2.4.4)

It is a security violation when either of these situations occurs:

  • The maximum number of secure MAC addresses have been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. Table 2-9 presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:

  • Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.
  • Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
  • Shutdown: In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

Table 2-9 Security Violation Modes

Violation Mode   Forwards Violating Traffic   Sends Syslog Message   Displays Error Message   Increases Violation Counter   Shuts Down Port
Protect          No                           No                     No                       No                            No
Restrict         No                           Yes                    No                       Yes                           No
Shutdown         No                           No                     No                       Yes                           Yes

Security violations occur in these situations:

  • A station with MAC address that is not in the address table attempts to access the interface when the table is full.
  • An address is being used on two secure interfaces in the same VLAN.

To change the violation mode on a switch port, use the switchport port-security violation {protect | restrict |shutdown} interface configuration mode command.

Port Security: Configuring (2.2.4.5)

Table 2-10 summarizes the default port security configuration on a Cisco Catalyst switch.

Table 2-10 Port Security Default Settings

Feature                                   Default Setting
Port security                             Disabled on a port
Maximum number of secure MAC addresses    1
Violation mode                            Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Sticky address learning                   Disabled

Figure 2-26 shows the topology used when configuring F0/18 on the S1 switch. Table 2-11 shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on the S1 switch. Notice that the example does not specify a violation mode. In this example, the violation mode is the default mode of shutdown.

Figure 2-26 Port Security Configuration Topology

Table 2-11 Cisco Switch IOS CLI Commands for Dynamic Port Security

Specify the interface to be configured for port security.

S1(config)# interface fastethernet 0/18

Set the interface mode to access.

S1(config-if)# switchport mode access

Enable port security on the interface.

S1(config-if)# switchport port-security

Table 2-12 shows the commands needed to enable sticky secure MAC addresses for port security on Fast Ethernet port 0/19 of switch S1. As stated earlier, a specific maximum number of secure MAC addresses can be manually configured. In this example, the Cisco IOS command syntax is used to set the maximum number of MAC addresses to 50 for port 0/19. The violation mode is set to the default mode of shutdown.

Table 2-12 Cisco Switch IOS CLI Commands for Sticky Port Security

Specify the interface to be configured for port security.

S1(config)# interface fastethernet 0/19

Set the interface mode to access.

S1(config-if)# switchport mode access

Enable port security on the interface.

S1(config-if)# switchport port-security

Set the maximum number of secure addresses allowed on the port.

S1(config-if)# switchport port-security maximum 50

Enable sticky learning.

S1(config-if)# switchport port-security mac-address sticky
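Tables 2-11 and 2-12 both leave the violation mode at its default. The following is an added example, not the page's own, that combines the sticky and violation-mode material above: F0/18 keeps the default shutdown mode with a sticky single host, while F0/19 is treated as a port feeding a small unmanaged hub, uses restrict so a violation is logged and counted without taking the port down, and ages out idle dynamic addresses so a replaced device can connect. The maximum of 3, the aging time and the recovery interval are assumed values:

```cisco
! Added example: two ports, two violation modes, plus automatic err-disable recovery
S1(config)# interface fastethernet 0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! maximum 1 and violation shutdown are the defaults; written out so the intent is visible
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security violation shutdown
! Learn the first host and write it into the running configuration
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# exit
S1(config)# interface fastethernet 0/19
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 3
! restrict: drop frames from unknown sources, send syslog, count the violation, keep the port up
S1(config-if)# switchport port-security violation restrict
! Dynamic (non-sticky) addresses idle for 2 minutes are removed, freeing a slot
S1(config-if)# switchport port-security aging time 2
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# exit
! A shutdown-mode violation err-disables the port; recover it after 5 minutes instead of
! requiring the manual shutdown / no shutdown described above
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify: per-port summary, the secure addresses learned, and any err-disabled ports
S1# show port-security
S1# show port-security address
S1# show port-security interface fastethernet 0/19
S1# show interfaces status err-disabled
! Sticky addresses survive a reload only if the configuration is saved
S1# copy running-config startup-config
```

On F0/19 a fourth device produces a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message and an increasing Security Violation Count, but the three learned hosts keep working; on F0/18 a second device err-disables the port until the recovery timer or an administrator brings it back.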

Port Security: Verifying (2.2.4.6)

Many students make the mistake of forgetting to enable port security before doing the specific port security options. For any configuration step, verification is important. It is especially important when configuring port security.

Verify Port Security

After configuring port security on a switch, check each interface to verify that the port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.

Verify Port Security Settings

To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command. The output for the dynamic port security configuration is shown as follows. By default, there is one MAC address allowed on this port.

S1# show port-security interface fastethernet 0/18
Port Security                  : Enabled
Port Status                    : Secure-up
Violation Mode                 : Shutdown
Aging Time                     : 0 mins
Aging Type                     : Absolute
SecureStatic Address Aging     : Disabled
Maximum MAC Addresses          : 1
Total MAC Addresses            : 1
Configured MAC Addresses       : 0
Sticky MAC Addresses           : 0
Last Source Address:Vlan       : 0025.83e6.4b01:1
Security Violation Count       : 0

Taking a look at the port after the configuration has been applied shows the values for the sticky port security settings. The maximum number of addresses is set to 50 as configured.

S1# show port-security interface fastethernet 0/19
Port Security                : Enabled
Port Status                  : Secure-up
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 50
Total MAC Addresses          : 1
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 1
Last Source Address:Vlan     : 0025.83e6.4b02:1
Security Violation Count     : 0

Sticky MAC addresses are added to the MAC address table and to the running configuration. As shown in the output, the sticky MAC address for PC2 has been automatically added to the running configuration for S1.

S1# show run | begin FastEthernet0/19
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02

Verify Secure MAC Addresses

To display all secure MAC addresses configured on all switch interfaces, or on a specified interface with aging information for each, use the show port-security address command. As shown in the output, the secure MAC addresses are listed along with the types.

S1# show port-security address
Secure Mac Address Table
---------------------------------------------------------
Vlan  Mac Address     Type          Ports    Remaining Age
                                              (mins)
----  -----------     ----          -----    ---------------
1     0025.83e6.4b01  SecureDynamic Fa0/18   -
1     0025.83e6.4b02  SecureSticky  Fa0/19   -
---------------------------------------------------------
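The verification outputs above are what an administrator reads by hand; as an added example (not part of the chapter or of Cisco IOS), the following Python audit parses the "show port-security interface" output into a dictionary and reports any port that is not enabled, has an unexpected maximum or violation mode, or has already recorded a violation. The sample outputs are constructed from the page's format, not captured from a real switch.

```python
# Constructed sample in the "show port-security interface" format shown above
# (values modelled on the page's Fa0/18 output; not captured from a real switch).
SAMPLE_OK = """\
Port Security                  : Enabled
Port Status                    : Secure-up
Violation Mode                 : Shutdown
Maximum MAC Addresses          : 1
Last Source Address:Vlan       : 0025.83e6.4b01:1
Security Violation Count       : 0
"""

# Constructed sample of the state a port lands in after a violation.
SAMPLE_VIOLATED = """\
Port Security                  : Enabled
Port Status                    : Secure-shutdown
Violation Mode                 : Shutdown
Maximum MAC Addresses          : 1
Security Violation Count       : 1
"""

def parse_port_security(text):
    """Map each 'Key : Value' line to a dict entry; counters become ints.
    Splitting on the padded ' : ' leaves the colon in 'Last Source Address:Vlan' alone."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" : ")
        if not sep:  # command echo, blank line or separator: not a field
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields

def audit_port_security(text, expected_max=1, expected_mode="Shutdown"):
    """Return a list of findings; an empty list means the port matches the
    configuration described on the page and has no recorded violation."""
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append("port security is not enabled (switchport port-security missing)")
    if f.get("Violation Mode") != expected_mode:
        findings.append(f"violation mode {f.get('Violation Mode')!r}, expected {expected_mode!r}")
    if f.get("Maximum MAC Addresses") != expected_max:
        findings.append(f"maximum {f.get('Maximum MAC Addresses')!r}, expected {expected_max}")
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is in secure-shutdown (err-disabled) state")
    if f.get("Security Violation Count", 0) > 0:
        findings.append(f"{f['Security Violation Count']} security violation(s) recorded")
    return findings
```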

Ports in Error Disabled State (2.2.4.7)

When a port is configured with port security, a violation can cause the port to become error disabled. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. A series of port security-related messages is displayed on the console, as shown.

Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation
error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION:
Security violation occurred, caused by MAC address
000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:53.973: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface
FastEthernet0/18, changed state to down

Another indication that a port security violation has occurred is that the switch port LED will change to orange. The show interfaces command identifies the port status as err-disabled as shown in the following output. The output of the show port-security interface command now shows the port status as secure-shutdown. Because the port security violation mode is set to shutdown, the port with the security violation goes to the error disabled state.

S1# show interfaces fastethernet 0/18 status
Port Name  Status          Vlan  Duplex   Speed   Type
Fa0/18     err-disabled    1     auto     auto    10/100BaseTX

S1# show port-security interface fastethernet 0/18
Port Security               : Enabled
Port Status                 : Secure-shutdown
Violation Mode              : Shutdown
Aging Time                  : 0 mins
Aging Type                  : Absolute
SecureStatic Address Aging  : Disabled
Maximum MAC Addresses       : 1
Total MAC Addresses         : 0
Configured MAC Addresses    : 0
Sticky MAC Addresses        : 0
Last Source Address:Vlan    : 000c.292b.4c75:1
Security Violation Count    : 1

The administrator should determine what caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the security threat is eliminated. To re-enable the port, use the shutdown interface configuration mode command. Then, use the no shutdown interface configuration command to make the port operational, as shown in the following output.

S1(config)# interface FastEthernet 0/18
S1(config-if)# shutdown
Sep 20 06:57:28.532: %LINK-5-CHANGED: Interface
FastEthernet0/18, changed state to administratively down
S1(config-if)# no shutdown
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface
FastEthernet0/18, changed state to up
Sep 20 06:57:49.193: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/18, changed state to up
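The console messages in this section are also what a syslog collector receives, and they are the quickest way to learn which port was disabled and which MAC address triggered it. As an added example (not part of the chapter), the following Python detector correlates the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages for the same port; the log sample is constructed from the messages above, written one message per line as a collector stores them.

```python
import re

# Constructed syslog sample, one message per line as a syslog collector stores it
# (the page's console output wraps the same messages across lines).
SAMPLE_LOG = """\
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %PORT_SECURITY-2-PSECURE_VIOLATION: .*?"
    r"MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)

def short_ifname(name):
    """Normalise 'FastEthernet0/18' to 'Fa0/18' so both message formats match."""
    return re.sub(r"^FastEthernet", "Fa", name)

def find_port_security_violations(log_text):
    """Correlate err-disable events with the violating MAC reported on the same port.
    Returns one dict per affected port: port, MAC, timestamp and err-disabled flag."""
    violations = {}
    errdisabled = set()
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            port = short_ifname(m["port"])
            violations[port] = {"port": port, "mac": m["mac"], "time": m["ts"], "err_disabled": False}
            continue
        m = ERRDISABLE_RE.match(line)
        if m and m["cause"] == "psecure-violation":
            errdisabled.add(m["port"])
    for port in errdisabled:  # an err-disable without a matching MAC message is still reported
        violations.setdefault(port, {"port": port, "mac": None, "time": None, "err_disabled": False})
        violations[port]["err_disabled"] = True
    return list(violations.values())
```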

Network Time Protocol (NTP) (2.2.4.8)

Having the correct time within networks is important. Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings.

A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio. However, if network administrators do not want to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet. NTP can get the correct time from an internal or external time source including the following:

  • Local master clock
  • Master clock on the Internet
  • GPS or atomic clock

A network device can be configured as either an NTP server or an NTP client. To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode. A sample configuration is shown in Figure 2-27. Router R2 is configured as an NTP client, while router R1 serves as an authoritative NTP server.


Figure 2-27 Configuring NTP

To configure a device as having an NTP master clock to which peers can synchronize themselves, use the ntp master [stratum] command in global configuration mode. The stratum value is a number from 1 to 15 and indicates the NTP stratum number that the system will claim. If the system is configured as an NTP master and no stratum number is specified, it will default to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it using NTP.

Figure 2-28 displays the verification of NTP. To display the status of NTP associations, use the show ntp associations command in privileged EXEC mode. This command will indicate the IP address of any peer devices that are synchronized to this peer, statically configured peers, and stratum number. The show ntp status user EXEC command can be used to display such information as the NTP synchronization status, the peer that the device is synchronized to, and in which NTP strata the device is functioning.


Figure 2-28 Verifying NTP
