![© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-6
Cisco Catalyst 2960 Series
SwitchX(config-if)#switchport port-security [ mac-address
mac-address | mac-address sticky [mac-address] | maximum
value | violation {restrict | shutdown}]
SwitchX(config)#interface fa0/5
SwitchX(config-if)#switchport mode access
SwitchX(config-if)#switchport port-security
SwitchX(config-if)#switchport port-security maximum 1
SwitchX(config-if)#switchport port-security mac-address sticky
SwitchX(config-if)#switchport port-security violation shutdown
Configuring Port Security](https://image.slidesharecdn.com/icnd110s02l06-150412082437-conversion-gate01/85/CCNA-Icnd110-s02l06-6-320.jpg)
![© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-7
SwitchX#show port-security [interface interface-id] [address] [ |
{begin | exclude | include} expression]
SwitchX#show port-security interface fastethernet 0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 20 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Verifying Port Security
on the Catalyst 2960 Series](https://image.slidesharecdn.com/icnd110s02l06-150412082437-conversion-gate01/85/CCNA-Icnd110-s02l06-7-320.jpg)
CCNA Icnd110 s02l06
- 1. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-1 Ethernet LANs Understanding Switch Security
- 2. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-2 Common Threats to Physical Installations Hardware threats Environmental threats Electrical threats Maintenance threats
- 3. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-3 Configuring a Switch Password
- 4. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-4 Configuring the Login Banner Defines and enables a customized banner to be displayed before the username and password login prompts. SwitchX# banner login " Access for authorized users only. Please enter your username and password. "
- 5. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-5 Telnet vs. SSH Access Telnet – Most common access method – Insecure SSH-encrypted !– The username command create the username and password for the SSH session Username cisco password cisco ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 line vty 0 4 login local transport input ssh
- 6. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-6 Cisco Catalyst 2960 Series SwitchX(config-if)#switchport port-security [ mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}] SwitchX(config)#interface fa0/5 SwitchX(config-if)#switchport mode access SwitchX(config-if)#switchport port-security SwitchX(config-if)#switchport port-security maximum 1 SwitchX(config-if)#switchport port-security mac-address sticky SwitchX(config-if)#switchport port-security violation shutdown Configuring Port Security
- 7. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-7 SwitchX#show port-security [interface interface-id] [address] [ | {begin | exclude | include} expression] SwitchX#show port-security interface fastethernet 0/5 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 20 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address : 0000.0000.0000 Security Violation Count : 0 Verifying Port Security on the Catalyst 2960 Series
- 8. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-8 SwitchX#sh port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) -------------------------------------------------------------------------- Fa0/5 1 1 0 Shutdown --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 SwitchX#sh port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0008.dddd.eeee SecureConfigured Fa0/5 - ------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 Verifying Port Security on the Catalyst 2960 Series (Cont.)
- 9. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-9 Securing Unused Ports Unsecured ports can create a security hole. A switch plugged into an unused port will be added to the network. Secure unused ports by disabling interfaces (ports).
- 10. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-10 Disabling an Interface (Port) shutdown SwitchX(config-int)# To disable an interface, use the shutdown command in interface configuration mode. To restart a disabled interface, use the no form of this command.
- 11. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-11 Summary The first level of security is physical. Passwords can be used to limit access to users that have been given the password. The login banner can be used to display a message before the user is prompted for a username. Telnet sends session traffic in cleartext; SSH encrypts the session traffic. Port security can be used to limit MAC addresses to a port. Unused ports should be shut down.
- 12. © 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-12
Editor's Notes
- #4: <number> Layer 2 of 2 Emphasize: The router has one enable password. Remember that this is your only protection. Whoever owns this password can do anything with the router, so be careful about communicating this password to others. To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify. Cisco recommends that you use the enable secret command because it uses an improved encryption algorithm. Use the enable password command only if you boot an older image of the Cisco IOS software, or if you boot older boot ROMs that do not recognize the enable secret command. If you configure the enable secret password, it is used instead of the enable password, not in addition to it. Cisco supports password encryption. Turn on password encryption using the service password-encryption command. Then enter the desired passwords for encryption. Immediately, on the next line, enter the no service password-encryption command. Only those passwords that are set between the two commands will be encrypted. If you enter service password-encryption and then press Ctrl-Z to exit, all passwords will be encrypted. Note: Password recovery is not covered in the course materials. Refer the students to the IMCR class.
- #7: <number> Layer 2 of 2 Note: When the switch-sticky learns a MAC address on a secured port, the switch will make that MAC address a permanent address.
- #8: <number> Layer 2 of 2 Emphasize: The default action is “suspend.”
- #9: <number> Layer 2 of 2 Emphasize: The default action is “suspend.”