Simple Layer 2 security

by Cyrus Lok on Friday, December 18, 2009 at 6:42pm
Layer 2 is overlooked most of the time; a lot of people focus their security effort on firewalls and routers. We may have robust security against the outside, but the hardest thing to defend against is actually an insider's attack.

This section shows the port-security features of a switch.

Damn… I need a switch with the full security feature set; I will probably buy a 2950 switch next year.

I will do this using Packet Tracer version 5.2.

Switch(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally

Cisco ships some switch interfaces configured as dynamic (desirable). As far as security is concerned, it is undesirable for a switch port to change to trunk or access mode automatically on the fly, because then the device plugged into the port, not the administrator, decides what the port becomes. What dynamic and desirable mean is this: if I connect a switch to a specific interface of another switch, that switch interface changes to trunk mode automatically, and if I connect a PC to the switch interface (for example fa0/1), the interface automatically changes to access mode.

For this example, the 2950’s fast ethernet 0/1 will be the trunk port connecting to the router.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode trunk

Set all of the remaining ports to access mode.
Switch(config)#interface range fa0/2 - 24
Switch(config-if-range)#switchport mode access

Configure all of my Fast Ethernet interfaces to allow only one MAC address.
If more than one MAC address is seen on a switch port, the port will be shut down.
The last statement turns on the port-security feature.
Note: if you are using IP phones, you have to change the maximum to 2. Here is why:
an IP phone has one Fast Ethernet port that connects to the switch and another Ethernet port that connects to the PC, so two MAC addresses will appear on the switch port: the MAC address of the PC and that of the IP phone.

Switch(config)#interface range fa0/1 - 24
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#switchport port-security

This statement tells the switch to remember the first MAC address that is plugged into the interface; if another PC connects to the port, the port will be put into the error-disabled (err-disabled) state.
Switch(config-if-range)#switchport port-security mac-address sticky
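As an added example (not from the original post), here is a Python script that audits a saved copy of show running-config against the settings above: every port pinned to access or trunk, port-security enabled with maximum 1 (2 on IP phone ports), violation shutdown, and sticky MAC learning. The config text, interface names and function names are constructed for this example; the detail worth knowing is that IOS does not print default values, so a missing line has to be read as the default (dynamic mode, maximum 1, violation shutdown).

```python
# Constructed "show running-config" excerpt for the audit below (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces[line.split()[1]] = []
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global line ends the interface block
    return interfaces

def audit_port(cmds, phone_port=False):
    """Findings for one port. IOS omits defaults (dynamic mode, maximum 1,
    violation shutdown) from running-config, so they apply unless overridden."""
    s = {"mode": "dynamic", "maximum": "1", "violation": "shutdown"}
    for p in (c.split() for c in cmds):
        if p[:2] == ["switchport", "mode"]:
            s["mode"] = p[2]
        elif p[:2] == ["switchport", "port-security"] and len(p) == 4:
            s[p[2]] = p[3]  # maximum N, violation X, mac-address sticky
    findings = ["mode is dynamic; pin it to access or trunk"] if s["mode"] == "dynamic" else []
    if s["mode"] == "trunk":
        return findings  # the uplink to the router: only the mode check applies
    checks = [
        ("switchport port-security" in cmds, "port-security not enabled"),
        (s["maximum"] == ("2" if phone_port else "1"), f"maximum is {s['maximum']}"),
        (s["violation"] == "shutdown", f"violation action is {s['violation']}, not shutdown"),
        (s.get("mac-address") == "sticky", "sticky MAC learning not set"),
    ]
    return findings + [msg for ok, msg in checks if not ok]
```

Run it over the text of show running-config from each switch and treat any port with a non-empty finding list as one that drifted from the configuration above.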
