Conventional network security often focuses more on routers and blocking traffic from the outside. Switches are internal to the organization, and designed to allow ease of connectivity, therefore only limited or no security measures are applied.
The following basic security features can be used to secure your switches and network:
Â Â Â *Â Physically secure the device
Â Â Â *Â Use secure passwords
Â Â Â *Â Enable SSH access
Â Â Â *Â Enable port security
Â Â Â *Â Disable https access
Â Â Â *Â Disable unused ports
Â Â Â *Â Disable Telnet
Â Â Â
Â Â Â Â Â Â Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1#configure terminalSW1(config)#enable secret orbitSW1(config)#
Configure virtual terminal (Telnet)Â and console passwords and require users to login.
A password should be required to access the console line.Â Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and telnet:
SW1(config)#line console 0SW1(config-line)#password ciscoSW1(config-line)#loginSW1(config-line)#line vty 0 15SW1(config-line)#password ciscoSW1(config-line)#loginSW1(config-line)#exitSW1(config)#
Configure password encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.
Configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
i.Â Â Â The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.Âii.Â Â Â Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.Âiii.Â Â Â After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.ÂSW1(config)#banner motd %Authorized Access Only%SW1(config)#endSW1#exitÂÂÂ
Configure Port Security
Enter interface configuration mode for FastEthernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config-if)#interface fa0/11SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1
The MAC address learned on the port can be added to (â€œstuckâ€ to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address stickyÂ
Configure the port to automatically shut down if port security is violated.
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show-mac-address- table command to confirm that SW1 has learned the MAC address for the intended devices, in this case PC1.
SW1#show mac-address-tableMac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----20 0060.5c4b.cd22 STATIC Fa0/11
SW1#show port-security interface fa0/11ÂPort Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
Disabling unused switch ports a simple method many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops traffic from flowing through the port(s)
Step 1: Disable interface Fa0/10 on SW1.
Enter interface configuration mode for FastEthernet 0/17 and shut down the port.