Monday, March 24, 2008

Implementing Port Security

Port Security is used when you want to lock a fixed host port down so that it cannot be used by other devices.

For all static devices like servers, printers etc., you can lock the port down with port security, so that the switch detects when somebody attempts to use that link to connect another device to the network.

SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 0011.2233.4455

Only the device with MAC address 0011.2233.4455 is allowed to use that switch port. Port security must first be enabled on the interface (the first command above) before the mac-address statement takes effect.

Besides, you can limit the number of MAC addresses that can be seen on a given switch port. This is useful in protecting the switch from a MAC flooding attack. A MAC flooding attack works by sending frames with random source MAC addresses into the switch in an attempt to fill the L2 forwarding (CAM) table. Once the table is full, address learning stops until space is freed up, and the switch has to flood all traffic destined to not-yet-learned MAC addresses out of every port in the VLAN. An attacker could then exploit this extra flooding and use a sniffer to collect all the data flooded in their VLAN.

SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 10

This limits the given port to learning at most 10 MAC addresses; an 11th source address is a port-security violation.
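As an added illustration that is not part of this post or of any switch vendor's code, here is a small Python model of a switch's L2 forwarding table. It shows the two behaviours described above: on an unprotected port, a stream of constructed source MACs fills the table and unknown destinations get flooded; on a port with a maximum (or a single static address, the default maximum of 1), learning stops at the limit and the next new address is a violation. The port names, MAC addresses, table size and the "shutdown" violation mode are assumptions chosen for the example.

```python
"""Added example: toy model of L2 address learning with and without port security.
Port names, MAC addresses and the 4-entry table size are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    # None means port security is not enabled on this port.
    max_addresses: Optional[int] = None
    # Statically configured secure MACs ("switchport port-security mac-address ...").
    allowed: Set[str] = field(default_factory=set)
    learned: Set[str] = field(default_factory=set)   # dynamically learned secure MACs
    violations: int = 0
    err_disabled: bool = False   # assumed violation mode: shutdown (err-disable the port)


class Switch:
    def __init__(self, table_capacity: int):
        self.table_capacity = table_capacity   # assumed size of the CAM table
        self.cam: Dict[str, str] = {}           # source MAC -> ingress port name

    def receive(self, port: Port, src_mac: str) -> str:
        """Process the source address of one ingress frame on the given port."""
        if port.err_disabled:
            return "dropped"
        if port.max_addresses is not None:
            secure = port.allowed | port.learned
            if src_mac not in secure:
                if len(secure) >= port.max_addresses:
                    port.violations += 1
                    port.err_disabled = True      # shutdown mode
                    return "violation"
                port.learned.add(src_mac)
        if src_mac in self.cam:
            return "known"
        if len(self.cam) >= self.table_capacity:
            return "table-full"    # learning has stopped; frame is still forwarded
        self.cam[src_mac] = port.name
        return "learned"

    def forward(self, dst_mac: str) -> str:
        """Unknown destinations are flooded to every port in the VLAN."""
        return "unicast" if dst_mac in self.cam else "flood"


def mac(i: int) -> str:
    """Constructed MAC in Cisco dotted format, e.g. mac(7) -> '0000.0000.0007'."""
    h = f"{i:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def run_demo() -> dict:
    """Run the three scenarios and return their observable results."""
    # 1. Unprotected port: six constructed source MACs against a 4-entry table.
    sw_open = Switch(table_capacity=4)
    open_port = Port("Gi0/1")
    flood_results = [sw_open.receive(open_port, mac(i)) for i in range(1, 7)]
    # A host whose MAC never made it into the table now has its traffic flooded.
    unknown_dst = sw_open.forward(mac(5))

    # 2. Port with "switchport port-security maximum 2".
    sw_max = Switch(table_capacity=4)
    limited = Port("Gi0/2", max_addresses=2)
    max_results = [sw_max.receive(limited, mac(i)) for i in range(1, 4)]
    after_shutdown = sw_max.receive(limited, mac(1))

    # 3. Port pinned to one static MAC (default maximum of 1).
    sw_pin = Switch(table_capacity=4)
    pinned = Port("Gi0/3", max_addresses=1, allowed={"0011.2233.4455"})
    pin_results = [
        sw_pin.receive(pinned, "0011.2233.4455"),
        sw_pin.receive(pinned, "0011.2233.4455"),
        sw_pin.receive(pinned, "0011.2233.4466"),
    ]

    return {
        "flood_results": flood_results,
        "unknown_dst": unknown_dst,
        "cam_size_open": len(sw_open.cam),
        "max_results": max_results,
        "after_shutdown": after_shutdown,
        "cam_size_max": len(sw_max.cam),
        "limited_err_disabled": limited.err_disabled,
        "pin_results": pin_results,
        "pinned_violations": pinned.violations,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the vendor behaviour minimal: real switches age entries out, support other violation modes (protect, restrict) and sticky learning, but the core point is visible in the results: without a limit the CAM fills and the switch falls back to flooding, while with a maximum the third address on the limited port (and the second address on the pinned port) is refused and the port is err-disabled, which is exactly the event a defender wants logged and alerted on.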
