Pic Courtesy: Cisco Press

Although the title “31 days before your CCNA Exam” aims at Cisco Network Academy students, but it can be used for the Cisco CCNA 640-802 Certification aspirers who does self study.

The author Allan Johnson divided the title suiting in to 31 chapters, which are so concise you can finish each chapter in an hour. The cream of the title  “31 days before your CCNA Exam” is the section called “Exam day and post exam information” which gives the CCNA Certification aspirers guidelines on what to expect after the completion of exam as well as what they should do if they fail to pass the exam on first attempt. One more section that I really liked is “CCNA Skills review and practice” which helps you to practice the CCNA skills which includes most of the CCNA 640-802 exam configurations skills in one topology, which covers topics like VLAN configuration, frame-relay configuration, inter vlan routing, EIGRP,VTP, port security , STP. You can practice those topologies either on Cisco Packet Tracer or GNS3 graphical network simulator.

Overall the title “31 days before your CCNA Exam” is a true gem, but cannot be a only source for passing CCNA 640-802 exam, this title is good for the some one who is looking for quick reference on CCNA 640-802 exam topics in an well organized way. I thank Cisco Press and Jamie in particular for providing me the copy of “31 days before your CCNA Exam”

You might think this an unlikely scenario, but it does happen. For example a salesmen coming in to demo products, and they would just pull the Ethernet jack off a PC and connect it to their laptop, hoping to get Internet access.

I turned to switch port security to help solve the problem. Let’s look at how we can use Cisco’s Port Security feature to protect our organization.

Understand the basics
In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send a SNMP trap to their network monitoring solution that the port’s disabled for security reasons. When using port security, we can prevent devices from accessing the network, which increases security.

Benefits to port Securty
The key benefits of Port Security are:
•Network Availability – Reduce campus wide network outages caused by broadcast storms by blocking non standard hubs and switches.
•Network Reliability – Network port bandwidth can be guaranteed if limited to one MAC address. Bandwidth can’t be guaranteed if other network devices are sharing the network port.
•DHCP Availability – Reduce the risk of over subscription of DHCP IP Address per VLAN by limiting one MAC address per port.
•Network Security – Limiting one MAC address per switch port is an attack mitigation strategy. Stops CAM tables flooding attacks forcing the switch into repeater mode. Tools like macof can be used for this type of attack.
•Future Proofing – The implementation of port authentication at the edge of the network (802.1x) will also limit user to one MAC address per port.

Applying Cisco Security Features to Solve Common Problems

Sample Configuration for port security
Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here’s an example:

Switch)# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

Know your options
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.
switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).
switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here’s an example:
Switch)# config t
Switch(config)# int range fastEthernet 0/1 – 24
Switch(config-if)# switchport port-security
However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security
Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command’s output:
Switch# show port-security address
Secure Mac Address Table
——————————————————————-
Vlan Mac Address Type Ports Remaining Age
(mins)
—- ———– —- —– ————-
1 0004.00d5.285d SecureDynamic Fa0/18 -
——————————————————————-
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch#

Yasir
Personel website:www.yasirirfan.com