Saturday, December 30, 2017

PORT SECURITY ON NETWORK SWITCH

OVERVIEW OF PORT SECURITY

Port security is a switch feature that restricts which source MAC addresses are allowed to send traffic into a switch port. A frame from any other MAC address is treated as a security violation. This limits the damage from MAC flooding (CAM table overflow) attacks and from unauthorised devices plugged into a wall jack, because the switch will not accept more addresses than you have configured.

To check whether port security is enabled, use the following command:

switch> enable
switch# show port-security


Note: Port security is disabled by default, so the table is empty until it is enabled on at least one port.

To show the port security status of a specific port:

switch> enable
switch# show port-security interface fa0/1
Port Security                : Disabled
Port Status                  : Secure-down
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 1
Total MAC Addresses          : 0
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address:Vlan     : 0000.0000.0000:0
Security Violation Count     : 0

Note: Port security is disabled by default, which is why Port Status shows Secure-down even if the link itself is up. The other fields already show the defaults that will apply once it is enabled: violation mode shutdown, a maximum of one MAC address, and no aging.

To enable port security on a specific switch port (the port must be put into static access mode first):

switch> enable
switch# config t
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security

To enable port security on a range of ports (fa0/1 to fa0/6):

switch> enable
switch# config t
switch(config)# interface range fa0/1 - 6
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport port-security

Note: Port security can only be enabled on a port whose mode is set statically. It cannot be enabled on three kinds of ports:

  1. A port in dynamic mode (the default on many Catalyst switches, where the trunk/access role is negotiated with DTP); the switch answers "Command rejected: FastEthernet0/1 is a dynamic port." until you set switchport mode access
  2. An EtherChannel port-channel interface or one of its member ports
  3. A Switch Port Analyzer (SPAN) destination port
Note: Port security can also be configured on a static trunk port, but that is not covered in this article.

To check the port security status of all ports of the switch:

switch> enable
switch# show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  SecurityAction
               (Count)        (Count)        (Count)
--------------------------------------------------------------------------
Fa0/1           1                0            0               Shutdown
Fa0/2           1                0            0               Shutdown
Fa0/3           1                0            0               Shutdown
Fa0/4           1                0            0               Shutdown
Fa0/5           1                0            0               Shutdown
Fa0/6           1                0            0               Shutdown
--------------------------------------------------------------------------

Note: MaxSecureAddr shows the default limit of 1 on every port, CurrentAddr is still 0 because no host has sent a frame yet, and SecurityAction is the default violation mode, Shutdown.

To check the port security status of a specific port of the switch:

switch> enable
switch# show port-security interface fa0/1

Port Security                : Enabled
Port Status                  : Secure-up
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 1
Total MAC Addresses          : 0
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address:Vlan     : 0000.0000.0000:0
Security Violation Count     : 0

SECURE MAC ADDRESS LEARNING

A MAC address that port security allows on a port is called a secure MAC address, and the process of adding one to the port is called learning. There are three kinds of secure MAC address, distinguished by how they are learned:
1. Static
2. Dynamic
3. Sticky

Static: The administrator enters the MAC address manually with switchport port-security mac-address <mac>. Static secure addresses are stored in the address table and in the running configuration, so they survive a reload once the configuration is saved.

Dynamic: The switch learns the source MAC address of the first frames seen on the port, up to the configured maximum, and keeps them only in the address table. They are lost when the port goes down or the switch reloads, after which whichever device sends first is learned instead.

Sticky: Addresses are learned dynamically, as above, but the switch converts them to sticky secure addresses and writes them into the running configuration as switchport port-security mac-address sticky <mac> lines. They survive a reload only if the running configuration is saved.

Note: The default learning mode is dynamic.

switch> enable
switch# show mac-address-table

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0030.a3e1.a590    DYNAMIC     Fa0/1
   1    00d0.97d8.895a    DYNAMIC     Fa0/2
-------------------------------------------

Note: On newer IOS releases the command is spelled show mac address-table. Once port security has secured an address, most Catalyst IOS versions list it as type STATIC in this table; show port-security address lists only the secure addresses, with their secure type (SecureDynamic, SecureSticky or SecureConfigured) and remaining age.

We can change a port from dynamic learning to static or sticky learning. A static secure address is given directly after the mac-address keyword; there is no separate static keyword.

sw> enable
sw# config t
sw(config)# interface fa0/1
sw(config-if)# switchport port-security mac-address 0030.a3e1.a590    (static)
sw(config-if)# switchport port-security mac-address sticky            (sticky)
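The following is an added example and not part of the original article. It walks through the complete sticky workflow on fa0/1, using the address 0030.a3e1.a590 from the table above as the attached host. The show outputs are constructed for the example in the format Catalyst IOS uses; column layout varies slightly between releases.

```cisco
! Added example: sticky learning on an access port. Host 0030.a3e1.a590
! (from the article's MAC table) is assumed to be plugged into fa0/1.
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# end

! As soon as the host sends its first frame, the address is learned and
! recorded as a sticky secure address.
switch# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0030.a3e1.a590    SecureSticky                  Fa0/1        -
-----------------------------------------------------------------------------

! The sticky entry shows up as a configuration line on the interface.
! (maximum 1 is the default, so it is not printed.)
switch# show running-config interface fa0/1
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0030.a3e1.a590

! Sticky entries live only in the running configuration until saved;
! without this step the port relearns whatever is attached after a reload.
switch# copy running-config startup-config

! When the host is replaced, remove the stale entry first, otherwise the
! new device's first frame is a violation.
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# no switchport port-security mac-address sticky 0030.a3e1.a590
switch(config-if)# end
switch# copy running-config startup-config
```

To drop every sticky address on a port at once use clear port-security sticky interface fa0/1; either way, save the configuration again afterwards or the old entry returns at the next reload.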

MAXIMUM MAC ADDRESSES LIMIT FOR A SINGLE PORT

We can limit the number of secure MAC addresses that may be associated with an interface. The default is 1. The upper bound depends on the switch platform; the switch used here accepts 1 to 132. Choose the smallest value that matches what is really behind the port (for example 2 for a port with an IP phone and a PC behind it), because every unused slot is one more address an unknown device can occupy.

To show the maximum MAC address limit:

switch> enable
switch# show port-security interface fa0/1

Port Security                : Enabled
Port Status                  : Secure-up
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 1
Total MAC Addresses          : 0
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address:Vlan     : 0000.0000.0000:0
Security Violation Count     : 0

To change the maximum MAC address limit:

switch> enable
switch# conf t
switch(config)# interface fa0/1
switch(config-if)# switchport port-security maximum ?
  <1-132>  Maximum addresses
switch(config-if)# switchport port-security maximum 2

For verification:

switch> enable
switch# show port-security interface fa0/1

Port Security                : Enabled
Port Status                  : Secure-up
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 2
Total MAC Addresses          : 0
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address:Vlan     : 0000.0000.0000:0
Security Violation Count     : 0

PORT SECURITY VIOLATION

A security violation occurs when a frame arrives on a secure port from a source MAC address that is not in the port's secure address list after the maximum has already been reached, or when an address that is secure on one port shows up on another secure port in the same VLAN. We need to specify what action the switch takes on a violation. Three modes are available:
1. Protect
2. Restrict
3. Shutdown

Protect mode: Frames from unknown source addresses are silently dropped until enough secure addresses are removed to make room. No syslog message or SNMP trap is sent and the Security Violation Count is not incremented, so nothing tells you the port is being probed. Use it only where alerting is genuinely not wanted.

Restrict mode: Frames from unknown source addresses are dropped as in protect mode, but the switch also logs a syslog message, sends an SNMP trap and increments the Security Violation Count. The port stays up for the legitimate hosts.

Shutdown mode (the default): The port is put into the err-disabled state, which drops all traffic and turns the port LED off; a syslog message and SNMP trap are generated and the violation counter is incremented. The port stays down until an administrator issues shutdown followed by no shutdown on it, or until errdisable recovery brings it back automatically.

switch> enable
switch# conf t
switch(config)# interface fa0/1
switch(config-if)# switchport port-security violation ?

  protect    Security violation protect mode
  restrict   Security violation restrict mode
  shutdown   Security violation shutdown mode
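The following is an added example and not part of the original article. It shows a port in restrict mode with one sticky host, the syslog line the switch produces when a second device appears, and the two ways to recover a port that shutdown mode has err-disabled. The second MAC address (000c.2912.34ab) and the show outputs are constructed for the example.

```cisco
! Added example: restrict mode on fa0/1 with a single sticky host.
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security violation restrict
switch(config-if)# end

! A second device (000c.2912.34ab, constructed) is attached to fa0/1.
! In restrict mode the port stays up, the offending frames are dropped,
! and the switch logs and counts the violation:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2912.34ab on port FastEthernet0/1.

switch# show port-security interface fa0/1 | include Violation
Violation Mode               : Restrict
Security Violation Count     : 1

! With the default shutdown mode the same event err-disables the port:
switch# show port-security interface fa0/1 | include Status
Port Status                  : Secure-shutdown

switch# show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation

! Manual recovery: bounce the port. The sticky entry is kept, so the
! legitimate host keeps working and the intruder is still blocked.
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)# exit

! Automatic recovery after 5 minutes, so a one-off event does not need
! a site visit. A host that keeps sending just triggers the next violation.
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval 300
switch(config)# end
switch# show errdisable recovery | include psecure
psecure-violation            Enabled
```

Restrict is usually the better default for user ports where you have syslog collection: the legitimate host stays connected and every attempt is logged and counted, whereas shutdown gives an attacker a trivial way to take a colleague's port down.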

PORT SECURITY AGING TIME

Aging removes secure MAC addresses from a port after a timer expires, so the port can learn a replacement address without an administrator clearing the old one. By default aging applies only to dynamically learned secure addresses; the static keyword extends it to statically configured ones:

switch(config-if)# switchport port-security aging static

The time keyword sets the aging time for the port in minutes. The valid range is 0 to 1440; 0 (the default) means aging is disabled on this port.

switch(config-if)# switchport port-security aging time 120

PORT SECURITY AGING TYPES

The aging type is set with a separate command:

switch(config-if)# switchport port-security aging type absolute

With absolute aging, every secure address on the port ages out exactly when the aging time has elapsed since it was learned, whether or not the host is still sending. The next frame seen on the port is then learned as the new secure address, so absolute aging with a maximum of 1 briefly reopens the port to whichever device talks first.

switch(config-if)# switchport port-security aging type inactivity

With inactivity aging, a secure address ages out only if no frames from that address have been seen for the whole aging period. Active hosts therefore stay secure indefinitely while stale entries still expire.
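The following is an added example and not part of the original article. It combines the maximum, violation mode and aging settings for a shared hot-desk port where devices come and go during the day. The port number, timer, addresses and show outputs are chosen for illustration.

```cisco
! Added example: a hot-desk port. Up to 3 dynamically learned addresses,
! each forgotten after 10 minutes of silence, so the port neither fills up
! with stale entries nor gets reopened to strangers while a host is active.
switch(config)# interface fa0/6
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security violation restrict
switch(config-if)# switchport port-security aging time 10
switch(config-if)# switchport port-security aging type inactivity
switch(config-if)# end

switch# show port-security interface fa0/6
Port Security                : Enabled
Port Status                  : Secure-up
Violation Mode               : Restrict
Aging Time                   : 10 mins
Aging Type                   : Inactivity
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 3
Total MAC Addresses          : 2
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address:Vlan     : 00d0.97d8.895a:1
Security Violation Count     : 0

! Remaining Age only counts down while an address is idle; the first host
! has been quiet for 3 minutes, the second is still sending.
switch# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0030.a3e1.a590    SecureDynamic                 Fa0/6        7
   1    00d0.97d8.895a    SecureDynamic                 Fa0/6        10
-----------------------------------------------------------------------------
```

Had the same port been configured with aging type absolute, both entries would be removed after 10 minutes regardless of activity and the next three devices to send a frame, whoever they are, would become the secure addresses; inactivity aging is the safer choice wherever the port is expected to stay in use.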



POINTS TO BE REMEMBER

MAC Address Learning
1. Static
2. Dynamic (default)
3. Sticky

Maximum MAC Address Limit
1. Range 1 to 132 on this switch (platform dependent)
2. Default 1

Port Security Violation
1. Protect
2. Restrict
3. Shutdown (default)

Port Security Aging Time
1. Static keyword: also age statically configured addresses
2. Time in minutes (range is 0 to 1440)
3. 0 minutes (default) means aging is disabled

Port Security Aging Types
1. Absolute
2. Inactivity


Summary of Commands

switch> enable                                                   (enter privileged mode)
switch# config t                                                 (enter global configuration mode)
switch(config)# interface fa0/1                                  (select the interface)
switch(config-if)# switchport mode access                        (make it a static access port)
switch(config-if)# switchport port-security                      (enable port security)
switch(config-if)# switchport port-security maximum 1            (MAC address limit)
switch(config-if)# switchport port-security mac-address sticky   (MAC address learning)
switch(config-if)# switchport port-security violation protect    (violation mode)
switch(config-if)# end
switch# write                                                    (save the configuration)

VLAN INTERFACES (ACCESS AND TRUNK LINK)

TYPES OF VLAN CONNECTION LINKS

After completing VLAN Part-1, we need to understand VLAN connection links. These links connect switches to each other or to end devices such as PCs, printers and IP cameras.

There are two main types of VLAN link:
1. Access link
2. Trunk link

ACCESS LINK

An access link is a link that belongs to only one VLAN. Frames on it carry no VLAN tag, and access links normally connect end devices such as computers, printers or IP cameras.

Let's look at an example.

In this case each of the four ports has been configured for a specific VLAN. Ports fa0/1 and fa0/2 have been assigned to vlan 2 (sales), so they only carry traffic for vlan 2, and fa0/3 and fa0/4 have been assigned to vlan 3 (mkt), so they only carry traffic for vlan 3. The switchport mode access command is not cosmetic: it makes the port permanently non-trunking, so a device plugged into it cannot negotiate a trunk and see other VLANs.

Steps to configure the switch to assign access links to specific VLANs:

switch> enable
switch# config t
switch(config)# vlan 2
switch(config-vlan)# name sales
switch(config-vlan)# exit

switch(config)# interface range fa0/1 - 2
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 2
switch(config-if-range)# exit

switch(config)# vlan 3
switch(config-vlan)# name mkt
switch(config-vlan)# exit

switch(config)# interface range fa0/3 - 4
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 3

TRUNK LINK

A trunk port or trunk link is not a member of a single VLAN. It carries traffic for any or all VLANs over one physical link, with each frame tagged with its VLAN ID (802.1Q) so the switch at the other end can place it in the right VLAN; only frames of the native VLAN travel untagged. Trunks are used between switches, and between a switch and a router or server that needs to see several VLANs.
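The following is an added example and not part of the original article. It configures an 802.1Q trunk on gi0/1 from this switch to a second switch, carrying only the sales (2) and mkt (3) VLANs from the access-link example. The interface name, the neighbouring switch and the use of VLAN 99 as an otherwise unused native VLAN are assumptions made for the example; the show output is constructed in the format Catalyst IOS uses.

```cisco
! Added example: a hardened 802.1Q trunk to a second switch.
! VLAN 99 (assumed) is created only to serve as the native VLAN, so that
! untagged frames on the trunk never land in a VLAN that carries users.
switch(config)# vlan 99
switch(config-vlan)# name native-unused
switch(config-vlan)# exit

switch(config)# interface gi0/1
switch(config-if)# description trunk to switch2
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
! Stop DTP: the port is a trunk because we said so, not because the
! other end asked for it.
switch(config-if)# switchport nonegotiate
switch(config-if)# switchport trunk native vlan 99
! Only the VLANs that must cross this link; everything else is pruned.
switch(config-if)# switchport trunk allowed vlan 2,3
switch(config-if)# end

switch# show interfaces gi0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       2-3

Port        Vlans allowed and active in management domain
Gi0/1       2-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       2-3
```

Apply the same configuration at the other end of the link. The switchport trunk encapsulation dot1q line exists only on switches that also support ISL (3560/3750 class); on switches that speak 802.1Q only it is not accepted and is simply left out. A port left in its default dynamic mode will form a trunk with any device that sends DTP frames and then receive every VLAN, which is why switchport nonegotiate and an explicit allowed list are part of every trunk and switchport mode access of every user port.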

OVERVIEW OF VLAN
A Virtual Local Area Network (VLAN) divides a single physical network into several logical networks and is mostly used to separate departments from each other on the same switch. Each VLAN forms its own broadcast domain, and traffic between VLANs has to pass through a router or layer-3 switch, where it can be filtered.

To understand VLANs more clearly, let's take an example.

Suppose our company has one office with two departments, Sales and HR, and all computers are connected to a single switch. With the default configuration all computers are in the same broadcast domain, so the Sales and HR departments can reach each other's resources.
Let's check the status of the VLANs:

Switch> enable
Switch# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Note: Here we can see that all access ports are members of VLAN 1, named default. Devices connected to these ports form a single broadcast domain and can therefore reach each other's resources directly.


Now let's create VLANs for the Sales and HR departments:

Switch> enable
Switch# config t
Switch(config)# vlan 2
Switch(config-vlan)# name sales
Switch(config-vlan)# vlan 3
Switch(config-vlan)# name HR
Switch(config-vlan)# end
Switch# write

Now we check the VLAN status again:

Switch# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    sales                            active
3    HR                               active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Note: Here we can see that the two new VLANs, sales (vlan 2) and HR (vlan 3), have been created, but all access ports are still members of vlan 1. No port has been assigned to vlan 2 (sales) or vlan 3 (HR) yet.

Now we need to assign ports to vlan 2 (sales) and vlan 3 (HR). The access VLAN is set with switchport access vlan, which is a separate command from switchport mode access:

Switch> enable
Switch# config t
Switch(config)# interface range fa0/1 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# interface range fa0/3 - 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# end
Switch# write



Now we check the VLAN status again:

Switch# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    sales                            active    Fa0/1, Fa0/2
3    HR                               active    Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Note: Here we can see that vlan 2 (sales) forms a broadcast domain containing ports Fa0/1 and Fa0/2, so only the devices on those two ports can reach each other directly. vlan 3 (HR) forms a separate broadcast domain with ports Fa0/3 and Fa0/4. The unused ports Fa0/5 to Fa0/24 are still in vlan 1, so anything plugged into them lands in the default VLAN; in practice unused ports should be shut down or moved to a VLAN that goes nowhere.



TYPES OF VLAN PORT ASSIGNMENT

There are two ways to assign a port to a VLAN:

1. Static
2. Dynamic

Static VLAN assignment is what its name says: the administrator assigns each port to its VLAN in the configuration, as done above.

Dynamic VLAN assignment puts a port into a VLAN according to the device attached to it. The legacy Cisco mechanism is the VLAN Membership Policy Server (VMPS), which needs a database mapping MAC addresses to VLANs. Because a MAC address is trivial to spoof, current networks do this with 802.1X authentication and a VLAN assigned by the RADIUS server instead.


BENEFITS OF VLAN

1. VLANs improve network performance by keeping broadcast traffic inside each VLAN.

2. VLANs improve security and manageability by separating departments from each other at layer 2. This separation only holds if traffic between VLANs is forced through a router or firewall where it can be filtered, and if trunk ports are configured so that a host cannot hop into another VLAN.


POINTS TO BE REMEMBER

About VLAN: A VLAN divides one large broadcast domain into several smaller ones, so that departments connected to the same switch are separated from each other.

Benefits of VLAN: VLANs enhance security and management control by separating one department from another, and improve performance by reducing unnecessary broadcast traffic.

VLAN Number Range: Normal-range VLAN numbers run from 1 to 1005. VLAN 1 is the default VLAN (and the default native VLAN on trunks) and cannot be deleted; 1002 to 1005 are reserved for FDDI and Token Ring and cannot be used for Ethernet. New Ethernet VLANs therefore use 2 to 1001; extended-range VLANs 1006 to 4094 are also available on most current switches.

VLAN Port Assignment: Ports can be assigned to a VLAN statically or dynamically. In static assignment the administrator assigns ports to VLANs manually; in dynamic assignment a server (VMPS, or in current designs a RADIUS server behind 802.1X) tells the switch which VLAN to use for the connected device.