Cisco Switch Port Security And Remote Access
Cisco Switch Port Security and remote access control on Cisco switches are basic concepts in Cisco switch security. Here you will learn the methods and steps for securing your Cisco switch. The first step in securing a Cisco switch is controlling remote access. Learn how to secure your network.
SECURE REMOTE ACCESS
You can use the following steps or methods for securing remote access on Cisco Switch:
Configure SSH on Cisco Router:
Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device. SSH must replace Telnet for management connections. Telnet is an older protocol that transmits everything in clear text: both the login authentication (username and password) and the data exchanged between the communicating devices. SSH secures remote connections by encrypting both the authentication of the device (username and password) and the data transmitted between the communicating devices. SSH is assigned TCP port 22; Telnet is assigned TCP port 23.
To enable SSH on a Catalyst 2960 switch, the switch must use a version of the IOS software that includes cryptographic (encrypted) features and capabilities. Use the show version command on the switch to see which IOS is currently running on the device. An IOS file name that includes the “k9” combination supports cryptographic (encrypted) features and capabilities.
S1> show version
Before configuring SSH, the switch must have at least one unique host name and the correct network connectivity parameters configured.
S1# configure terminal
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
How many bits in the modulus [512]: 1024
...
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)# exit
S1#
Steps for configuring SSH:
- STEP 1: VERIFY SSH COMPATIBILITY
Use the show ip ssh command to verify that the switch supports SSH. If the switch does not run an IOS that supports cryptographic features, this command is not recognized.
- STEP 2: CONFIGURE THE IP DOMAIN
Set the IP domain name of the network with the ip domain-name domain-name global configuration mode command. In the example shown, the value of domain-name is cisco.com.
- STEP 3: GENERATE RSA KEY PAIRS
Not all versions of IOS use SSH version 2 by default, and SSH version 1 has known security flaws. To configure SSH version 2, issue the ip ssh version 2 global configuration mode command. Creating an RSA key pair enables SSH automatically. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When creating RSA keys, the administrator is prompted for a modulus length. The example configuration in Figure 1 uses a modulus of 1024 bits. A longer modulus is more secure, but it takes longer to generate and to use. Current guidance treats 1024-bit RSA as too short; choose 2048 bits or more where the platform supports it.
- STEP 4: CONFIGURE USER AUTHENTICATION
The SSH server can authenticate users locally or with an authentication server. To use the local authentication method, create a username and password pair with the username username secret password global configuration mode command. In the example, the password ccna was assigned to the user admin.
- STEP 5: CONFIGURE THE VTY LINES
Enable the SSH protocol on the vty lines with the transport input ssh line configuration mode command. The Catalyst 2960 switch has vty lines 0 to 15. This configuration blocks non-SSH connections (such as Telnet) and limits the switch to accepting only SSH connections. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication of SSH connections against the local username database.
- STEP 6: ENABLE SSH VERSION 2
By default, SSH supports versions 1 and 2. If both versions are supported, the show ip ssh output shows version 1.99. Version 1 has known vulnerabilities, so it is recommended to enable only version 2. Enable SSH version 2 with the ip ssh version 2 global configuration command.
SSH VERIFICATION
On a PC, an SSH client such as PuTTY is used to connect to an SSH server. For a practical example, the following was configured:
- SSH was enabled on switch S1.
- VLAN 99 (SVI) interface with IP address 172.17.99.11 on switch S1.
- PC1 with IPv4 address 172.17.99.21.
In Image 1, the PC initiates an SSH connection to the IPv4 address of the SVI VLAN of S1.
In Image 2, the user is prompted for a username and password. With the configuration from the previous example, the username admin and the password ccna are entered. After entering the correct combination, the user is connected to the CLI of the Catalyst 2960 switch via SSH.
To display the SSH version and configuration data on the device you configured as the SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command:
S1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size: 1024 bits
IOS Keys in SECSH format (ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdLksVz2QlREsoZt2f2scJHbW3aMDM8/8jg/srGFNL
i+f+qJWwxt26BWmy694+6ZIQ/j7wUfIVNlQhI8GUOVIuKNqVMOMtLg8Ud4qAiLbGJfAaP3fyrKmViPpO
eOZof6tnKgKKvJz18Mz22XAf2u/7Jq2JnEFXycGMO88OUJQL3Q==
S1# show ssh
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  admin
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  admin
%No SSHv1 server connections running.
S1#
Cisco Switch Port Security
You can achieve Cisco switch port security by configuring the following steps and checks on the Cisco switch:
- Disable unused ports
A simple method that many administrators use to help protect the network against unauthorized access is to disable all unused switch ports. For example, if a Catalyst 2960 switch has 24 ports and three Fast Ethernet connections are in use, it is advisable to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must later be reactivated, it can be enabled with the no shutdown command.
S1# show run
Building configuration...
...
version 15.0
hostname S1
...
interface FastEthernet
 shutdown
!
interface FastEthernet
 shutdown
!
...
Making configuration changes to several ports on a switch is simple. If a range of ports must be configured, use the interface range command:
Switch(config)# interface range type module/first-number - last-number
The process of enabling and disabling ports can take a long time, but it improves network security and is worth the effort.
All ports (interfaces) of the switch must be protected before the device is deployed to production. One way to protect the ports is to implement a feature called "port security." Port security limits the number of valid MAC addresses allowed on the port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are rejected.
Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is limited to one, only the device with that specific MAC address can connect correctly to the port.
If a port is configured as secure and the maximum number of MAC addresses has been reached, any additional attempt to connect from an unknown MAC address results in a security violation.
TYPES OF SECURE MAC ADDRESSES
There are several ways to configure port security. The type of secure address depends on the configuration and includes the following:
- Static secure MAC addresses: MAC addresses that are manually configured on a port with the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured this way are stored in the address table and added to the running configuration of the switch.
- Dynamic secure MAC addresses : these are dynamically detected MAC addresses and are stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
- Persistent secure MAC addresses : these are MAC addresses that can be detected dynamically or configured manually, and then stored in the address table and added to the running configuration.
PERSISTENT SECURE MAC ADDRESSES
To configure an interface to convert dynamically learned MAC addresses to persistent secure MAC addresses and add them to the running configuration, you must enable persistence learning. Persistence learning is enabled on an interface with the switchport port-security mac-address sticky command in interface configuration mode. When this command is entered, the switch converts all dynamically learned MAC addresses to persistent secure MAC addresses, including those learned before persistence learning was enabled. All persistent secure MAC addresses are added to the address table and the running configuration.
Persistent secure MAC addresses can also be defined manually. When persistent secure MAC addresses are configured with the switchport port-security mac-address sticky mac-address interface configuration command, all specified addresses are added to the address table and the running configuration.
If persistent secure MAC addresses are saved in the startup configuration file, when the switch restarts or the interface is disabled, the interface does not need to learn the addresses again. If persistent secure addresses are not saved, they are lost.
If persistence learning is disabled using the no switchport port-security mac-address sticky command in the interface configuration mode, persistent secure MAC addresses remain part of the address table, but are removed from the running configuration.
The following table shows the characteristics of persistent secure MAC addresses.
Persistent Secure MAC Address Table Features
- Persistent secure MAC addresses discovered dynamically are stored in the running-config file.
- They are removed from the running-config file if port security is disabled.
- They are lost when the switch is restarted (turns off and on).
- If persistent secure MAC addresses are saved in the startup-config file, they become permanent, and the switch retains them after a restart.
- If persistence learning is disabled, persistent MAC addresses are converted to secure dynamic addresses and removed from the running-config file.
Note: The port security feature does not take effect until port security is enabled on the interface with the switchport port-security command.
SECURITY VIOLATION MODES
An interface can be configured for one of three violation modes, each with the specific action taken when a violation occurs. Image 3 shows the types of data traffic that are forwarded when each of the following violation modes is configured on the port.
- Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the maximum number of allowed addresses is increased. There is no notification that a security violation occurred.
- Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the maximum number of allowed addresses is increased. In this mode, there is a notification that a security violation occurred.
- Shutdown: In this (default) mode, a port security violation causes the interface to be placed in the err-disabled state immediately and the port LED to turn off. The violation counter increments. When a secure port is in the err-disabled state, it can be brought out of that state by entering the shutdown interface configuration mode command followed by the no shutdown command.
To change the violation mode on a switch port, use the switchport port-security violation { protect | restrict | shutdown } interface configuration mode command.
Configuring Cisco Switch Port Security
The following table summarizes the default port security settings on a Cisco Catalyst switch.
Feature                                 | Default setting
Port security                           | Disabled on a port.
Maximum number of secure MAC addresses  | 1
Violation mode                          | Shutdown. The port is shut down when the maximum number of secure MAC addresses is exceeded.
Sticky (persistent) address learning    | Disabled
Default Port Security Options Table.
In Image 4, the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port of switch S1 are shown. Note that the example does not specify a violation mode; the violation mode is therefore shutdown, the default.
The following shows how to enable persistent secure MAC addresses for port security on the Fast Ethernet 0/19 port of switch S1. As mentioned earlier, the maximum number of secure MAC addresses can be configured manually. In this example, the Cisco IOS command syntax is used to set the maximum number of MAC addresses for port 0/19 to 10. By default, the violation mode is set to shutdown.
Description                                                       | Command
Specifies the interface to be configured for port security.      | S1(config)# interface fastethernet 0/19
Sets the interface to access mode.                                | S1(config-if)# switchport mode access
Enables port security on the interface.                           | S1(config-if)# switchport port-security
Sets the maximum number of secure addresses allowed on the port.  | S1(config-if)# switchport port-security maximum 10
Enables persistence learning.                                     | S1(config-if)# switchport port-security mac-address sticky
Cisco IOS CLI Commands table.
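The SSH steps above (domain name, SSHv2, a local user with a secret, vty lines limited to SSH with login local) and the port-security commands in the table are all things that can be checked from a saved running-config. The following Python script is an added example, not code from the page or from Cisco, that audits a running-config text for both: it splits the config into sections, checks the global and vty settings against the SSH steps, and reports access ports without switchport port-security and unused ports that are not shut down. The SAMPLE_CONFIG text is constructed for the demo and does not come from a real switch; the function names are the example's own.

```python
"""Audit a Cisco IOS running-config for the remote-access and port-security
settings described above.  Added example; the config below is constructed."""


# Constructed sample running-config (not from a real switch).  Fa0/18 is a
# hardened access port, Fa0/19 is an access port without port security,
# Fa0/20 is unused but not shut down, and the vty lines still allow Telnet.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name cisco.com
ip ssh version 2
username admin secret ccna
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/19
 switchport mode access
!
interface FastEthernet0/20
!
line vty 0 15
 transport input telnet ssh
 login local
!
"""


def parse_sections(config):
    """Split a running-config into (header, body_lines) blocks.

    Unindented lines open a new section; indented lines belong to the most
    recent header.  Blank lines and '!' separators are skipped.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_remote_access(config):
    """Check the global and vty settings that the SSH steps require."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    if not any(h.startswith("ip domain-name ") for h in headers):
        findings.append("no ip domain-name configured (needed to name the RSA key)")
    if "ip ssh version 2" not in headers:
        findings.append("ip ssh version 2 not set; SSHv1 may still be accepted")
    if not any(h.startswith("username ") and " secret " in h for h in headers):
        findings.append("no local user configured with a 'secret' password")
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        # Anything other than 'transport input ssh' lets non-SSH protocols in.
        if not transport or "telnet" in transport[0] or "all" in transport[0]:
            findings.append(f"{header}: transport input allows non-SSH access")
        if "login local" not in body and not any(
                b.startswith("login authentication") for b in body):
            findings.append(f"{header}: no login local / AAA authentication")
    return findings


def audit_interfaces(config):
    """Flag access ports without port security and unused ports left up."""
    findings = []
    for header, body in parse_sections(config):
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if not body:
            # No configuration at all: an unused port that should be shut down.
            findings.append(f"{name}: unused port is not shut down")
            continue
        if "shutdown" in body:
            continue
        if "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{name}: access port without switchport port-security")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_CONFIG) + audit_interfaces(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real switch's saved running-config (show run copied to a file), the same two functions produce the list of lines to fix; the check for the bare switchport port-security command matters because, as noted on this page, the other port-security settings have no effect until it is present.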
VERIFY PORT SECURITY
After configuring port security on a switch, check each interface to verify that port security and the static MAC addresses were configured correctly.
2.5.1. VERIFY PORT SECURITY PARAMETERS
To display the port security settings for the switch or for a specified interface, use the show port-security interface [interface-id] command. The output for the dynamic port security configuration is shown below. By default, one MAC address is allowed on this port.
S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0025.83e6.4b01:1
Security Violation Count   : 0
The following output shows the port security settings of the port with persistence learning. The maximum number of addresses was set to 10, as configured.
S1# show port-security interface fastethernet 0/19
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0025.83e6.4b02:1
Security Violation Count   : 0
Persistent MAC addresses are added to the MAC address table and the running configuration. As shown below, the persistent MAC address of PC2 was added to the running configuration of S1.
S1# show run | begin FastEthernet 0/19
interface FastEthernet0/19
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02
2.5.2. VERIFY SECURE MAC ADDRESSES
To display all secure MAC addresses configured on all switch interfaces, or on a specified interface, with aging information for each, use the show port-security address command. As shown in the following output, the secure MAC addresses are listed along with their types.
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------
Vlan    Mac Address       Type             Ports    Remaining Age
                                                       (mins)
----    -----------       ----             -----    -------------
   1    0025.83e6.4b01    SecureDynamic    Fa0/18         -
   1    0025.83e6.4b02    SecureSticky     Fa0/19         -
-----------------------------------------------------------
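The two show port-security interface outputs above are what an administrator reads by hand; on a switch with dozens of secure ports it is easier to parse them. The following Python script is an added example, not code from the page or from Cisco: it parses the output of show port-security interface into a dictionary and applies the checks this section implies (port in Secure-shutdown, a non-zero violation count, Protect mode dropping frames silently, learned addresses that are only dynamic and so would be lost on reload). The sample texts are constructed in the format of that command using the values shown on this page for Fa0/19 and for Fa0/18 after a violation; they were not captured from a real device.

```python
"""Parse 'show port-security interface' output and flag what needs attention.
Added example; the sample outputs below are constructed in the IOS format."""
import re

# Constructed sample output, in the format of 'show port-security interface',
# with the values this page shows for Fa0/19 (healthy, sticky address learned).
SAMPLE_FA0_19 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0025.83e6.4b02:1
Security Violation Count   : 0
"""

# Constructed sample output with the values this page shows for Fa0/18 after
# a violation put the port into the err-disabled state.
SAMPLE_FA0_18_VIOLATED = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1
"""

MAC_VLAN = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}):(\d+)")


def parse_port_security(text):
    """Turn 'show port-security interface' output into a dict.

    Numeric fields (counts, aging time) become ints.  The last source address
    line is split into 'last_mac' and 'last_vlan' because its key itself
    contains a colon.
    """
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Last Source Address":
            m = MAC_VLAN.search(line)
            if m:
                info["last_mac"] = m.group(1)
                info["last_vlan"] = int(m.group(2))
            continue
        m = re.match(r"^(\d+)", value)
        info[key] = int(m.group(1)) if m else value
    return info


def check_port(info):
    """Return the findings a defender would act on for one parsed port."""
    findings = []
    if info.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
        return findings
    if info.get("Port Status") == "Secure-shutdown":
        findings.append(
            f"port is err-disabled after a violation by {info.get('last_mac')} "
            f"on VLAN {info.get('last_vlan')}; investigate before re-enabling")
    if info.get("Security Violation Count", 0) > 0:
        findings.append(f"{info['Security Violation Count']} violation(s) recorded")
    if info.get("Violation Mode") == "Protect":
        findings.append("Protect mode drops frames without notification; prefer Restrict or Shutdown")
    total = info.get("Total MAC Addresses", 0)
    durable = info.get("Configured MAC Addresses", 0) + info.get("Sticky MAC Addresses", 0)
    if total > 0 and durable == 0:
        # Only dynamically learned addresses: they disappear when the switch reloads.
        findings.append("learned addresses are dynamic only and will be lost on reload")
    return findings


if __name__ == "__main__":
    for name, text in (("Fa0/19", SAMPLE_FA0_19), ("Fa0/18", SAMPLE_FA0_18_VIOLATED)):
        print(name, check_port(parse_port_security(text)) or ["ok"])
```

The parser keys on the first colon of each line, which is why the Last Source Address:Vlan line is handled separately; the same function reads the Fa0/18 output shown earlier in this section, where the dynamic-only check fires because that port has one total address and no configured or sticky ones.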
2.6. PORTS IN THE ERR-DISABLED STATE
When a port is configured with port security, a violation can cause the port to become err-disabled. An err-disabled port is effectively shut down: no traffic is sent or received on it. On the console (see the output below), a series of port-security messages is displayed.
Sep 20 19:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:55.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
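Those console messages are also what reaches a syslog collector, so a port-security violation can be detected centrally rather than by reading each switch. The following Python script is an added example, not code from the page or from Cisco: it parses syslog lines in the format shown above, extracts the offending MAC address and port from %PORT_SECURITY-2-PSECURE_VIOLATION and the port and reason from %PM-4-ERR_DISABLE, and summarises violations per port and MAC. The SAMPLE_SYSLOG lines are constructed for the demo; the MAC address and port are the ones shown on this page, the extra lines and timestamps are made up.

```python
"""Detect port-security violations and err-disable events in IOS syslog.
Added example; the log lines below are constructed in the format shown above."""
import re
from collections import Counter

# Constructed sample syslog (not captured from a real switch).  The first four
# lines mirror the sequence shown on this page; the last two are added to show
# a repeat offender and an unrelated link message that must be ignored.
SAMPLE_SYSLOG = """\
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:55.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
Sep 20 06:51:02.110: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 07:02:13.004: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

# The violation message names the port in long form (FastEthernet0/18) while
# the err-disable message uses the short form (Fa0/18); both are kept as logged.
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),")
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):")


def parse_events(log):
    """Extract violation and err-disable events from syslog text."""
    events = []
    for line in log.splitlines():
        ts = TIMESTAMP.match(line)
        stamp = ts.group("ts") if ts else None
        m = VIOLATION.search(line)
        if m:
            events.append({"time": stamp, "kind": "violation",
                           "port": m.group("port"), "mac": m.group("mac")})
            continue
        m = ERR_DISABLE.search(line)
        if m:
            events.append({"time": stamp, "kind": "err-disable",
                           "port": m.group("port"), "reason": m.group("reason")})
    return events


def summarize(events):
    """Count violations per (port, MAC) and list the ports that were err-disabled."""
    per_offender = Counter(
        (e["port"], e["mac"]) for e in events if e["kind"] == "violation")
    disabled = sorted({e["port"] for e in events if e["kind"] == "err-disable"})
    return {"violations": dict(per_offender), "err_disabled_ports": disabled}


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_SYSLOG))
    for (port, mac), count in summary["violations"].items():
        print(f"{port}: {count} violation(s) from {mac}")
    print("err-disabled:", summary["err_disabled_ports"])
```

A repeated violation from the same MAC on the same port, as in the constructed sample, is the signal that the cause has not been removed yet; the next section's advice to find the cause before issuing no shutdown applies exactly there.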
Note: The link and line protocol status change to down (inactive). The port LED turns off. The show interfaces command shows the port status as err-disabled (see the output below). The show port-security interface command output now shows the port status as Secure-shutdown. Because the port security violation mode is set to shutdown, the port that experienced the violation goes into the err-disabled state.
S1# show interface fa0/18 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/18                       err-disabled 1            auto   auto 10/100BaseTX
S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1
The administrator must determine the cause of the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the threat has been removed. To re-enable the port, use the shutdown interface configuration mode command (see the output below), then the no shutdown interface configuration mode command to bring the port back up.
S1(config)# interface FastEthernet 0/18
S1(config-if)# shutdown
Sep 20 06:57:28.532: %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
S1(config-if)# no shutdown
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
Sep 20 06:57:49.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up