Sunday, December 31, 2017

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.d Port security

Recently I needed to renew my Cisco CCNPs, that is, both CCNP Routing and Switching and CCNP Security. While working with Cisco products (well, now that they own SourceFire, exclude those) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below, focusing on the key points I used to study. I believe someone else may find them useful.

      -    Used to restrict input to an interface by limiting and identifying the MAC addresses that are allowed to send traffic into it
      -    Port security is disabled by default
      -    Reaching the maximum number of secure MAC addresses is not by itself a violation; a violation occurs when the port is full and a frame arrives from a source MAC address that is not one of the secure addresses
      -    With the default violation mode, a violation shuts the port down (error-disabled)

      -    Static secure MAC addresses - manually configured, stored in the address table and added to the switch running configuration
      -    Dynamic secure MAC addresses - learned dynamically, stored only in the address table and removed when the switch restarts (or the port goes down)
      -    Sticky secure MAC addresses - learned dynamically or manually configured, stored in the address table and added to the running configuration
      -    Enabling sticky learning on an interface converts all dynamic secure MAC addresses already on it, including those learned before sticky learning was enabled, to sticky secure addresses; they survive a reload only if the running configuration is saved to startup-config

      Violation occurs for any of the following:
              -    The maximum number of secure MAC addresses has been added to the address table and a station whose MAC address is not in the table attempts to access the interface
              -    An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

      -    Violation modes are:
              -    Protect
                      -    Once the maximum number of secure MAC addresses is reached, packets from unknown source addresses are dropped until you remove enough secure MAC addresses to get below the maximum or increase the number of allowed addresses
                      -    No notification is provided that a security violation has occurred: no SNMP trap, no syslog message, and the violation counter does not increment. This makes protect mode hard to monitor, so prefer restrict if you want silent drops

              -    Restrict
                      -    Same dropping behaviour as protect: packets from unknown source addresses are dropped until you remove enough secure MAC addresses or increase the number of allowed addresses
                      -    You are notified that a violation has occurred: an SNMP trap is sent, a syslog message is logged and the violation counter increments

              -    Shutdown
                      -    This is the default mode
                      -    When a violation occurs, the interface is put into the error-disabled state and shut down immediately; legitimate hosts on that port lose connectivity as well
                      -    The port LED turns off
                      -    An SNMP trap is sent, a syslog message is logged and the violation counter increments
                      -    The following global configuration command lets the switch bring the interface out of the error-disabled state automatically once the errdisable recovery interval expires:
                              SW2(config)#errdisable recovery cause psecure-violation
                      -    Alternatively you can manually re-enable it with "shutdown" followed by "no shutdown" on the interface

              -    Shutdown VLAN
                      -    Sets the security violation mode per VLAN
                      -    Puts only the offending VLAN into the error-disabled state instead of the whole port when a violation occurs
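To make the difference between the modes concrete, here is an added example of mine (an illustrative model, not Cisco code) that replays frames against a few secure ports and applies the rules above: a port holds at most `maximum` secure addresses, a full port dropping an unknown source is a violation, a MAC already secured on another secure port is a violation, and the mode decides between a silent drop (protect), a counted and logged drop (restrict) and err-disabling the port (shutdown). The `SecurePort` and `Switch` names, the port names and the notification string are my own stand-ins, not IOS output.

```python
"""Model of how a Catalyst secure port handles frames under each violation mode.
Added example, not Cisco code. Port names and the notification text are made up."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default maximum
    violation: str = "shutdown"       # IOS default violation mode
    sticky: bool = False
    static_macs: set = field(default_factory=set)   # manually configured addresses
    secure_macs: set = field(default_factory=set)   # static + learned addresses
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # stand-in for syslog/SNMP trap

    def __post_init__(self):
        self.secure_macs |= self.static_macs

    def in_running_config(self):
        """Addresses that would appear in 'show running-config': static ones
        always, learned ones only when sticky learning is enabled."""
        return set(self.secure_macs) if self.sticky else set(self.static_macs)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _secured_elsewhere(self, port, mac):
        # Second violation trigger: the MAC is already secured on another secure port.
        return any(mac in p.secure_macs for p in self.ports.values() if p is not port)

    def ingress(self, port_name, mac):
        """Process one frame; returns 'forward', 'drop' or 'err-disabled'."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"          # link is down, nothing gets through
        if mac in port.secure_macs:
            return "forward"
        if self._secured_elsewhere(port, mac) or len(port.secure_macs) >= port.maximum:
            return self._violation(port)
        port.secure_macs.add(mac)          # dynamic (or sticky) learning
        return "forward"

    def _violation(self, port):
        if port.violation == "protect":
            return "drop"                  # silent: no counter, no notification
        port.violation_count += 1
        port.notifications.append(f"port-security violation on {port.name}")
        if port.violation == "restrict":
            return "drop"
        port.err_disabled = True           # shutdown mode: err-disable the whole port
        return "err-disabled"

    def recover(self, port_name):
        """'shutdown' / 'no shutdown', or the errdisable recovery timer firing.
        Dynamic entries do not survive the port going down; static and sticky do."""
        port = self.ports[port_name]
        port.err_disabled = False
        if not port.sticky:
            port.secure_macs = set(port.static_macs)


if __name__ == "__main__":
    sw = Switch([SecurePort("Gi1/0/1", violation="protect"),
                 SecurePort("Gi1/0/2", maximum=2, violation="restrict"),
                 SecurePort("Gi1/0/3")])
    for port, mac in [("Gi1/0/1", "00:00:00:00:00:01"), ("Gi1/0/1", "00:00:00:00:00:02"),
                      ("Gi1/0/3", "00:00:00:00:00:21"), ("Gi1/0/3", "00:00:00:00:00:22"),
                      ("Gi1/0/3", "00:00:00:00:00:21")]:
        print(port, mac, "->", sw.ingress(port, mac))
    for p in sw.ports.values():
        print(p.name, "violations:", p.violation_count, "err-disabled:", p.err_disabled)
```

The last two frames in the demo show the cost of the default mode: once the rogue address err-disables Gi1/0/3, the legitimate host on that port is cut off too, which is why restrict is often the better choice on user-facing ports.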
         
          -    Port security can be configured only on static access ports or trunk ports
          -    A secure port cannot be a dynamic access port
          -    A secure port cannot be a destination port for SPAN
          -    A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group
          -    Note, voice VLAN is only supported on access ports and not on trunk ports, even though the switch accepts the configuration
          -    A secure port cannot be a private-VLAN port
          -    When using port security with a voice VLAN, set the maximum allowed secure addresses on the port to 2: one for the IP phone (learned on the voice VLAN) and one for the PC behind it. If more than one PC hangs off the phone, allow one address per PC plus one for the phone
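The guidelines above are easy to get wrong one interface at a time, so here is an added example of mine (not Cisco code) that parses a running-config excerpt and flags secure ports that break them: a dynamic access port, an EtherChannel member or a SPAN destination with port security enabled, a voice-VLAN port left at the default maximum of 1, the silent protect mode, and shutdown-mode ports on a switch with no errdisable recovery for psecure-violation. `SAMPLE_CONFIG` is constructed for illustration; the interface names, VLAN numbers and monitor session are made up, and Gi1/0/1 shows the configuration I would actually deploy on a phone-plus-PC port.

```python
"""Check a Catalyst running-config excerpt against the port-security guidelines.
Added example, not Cisco code. SAMPLE_CONFIG is constructed; its interface names,
VLAN numbers and SPAN session are made up."""
import re

SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
 switchport port-security
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
 channel-group 1 mode active
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
!
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/5
"""

_ABBREV = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def normalize(ifname):
    """Expand the short interface names IOS prints in some lines (Gi1/0/5 -> GigabitEthernet1/0/5)."""
    return re.sub(r"^(Gi|Fa|Te)(?=\d)", lambda m: _ABBREV[m.group(1)], ifname)


def parse_config(text):
    """Split a running-config into global lines and a dict of interface -> list of commands."""
    interfaces, global_lines, current = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = normalize(line.split(None, 1)[1])
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented line belongs to the open stanza
        else:
            current = None
            global_lines.append(line)
    return interfaces, global_lines


def audit(text):
    """Return a list of (interface, code, detail) findings for every secure port."""
    interfaces, global_lines = parse_config(text)
    recovery = any(g.startswith("errdisable recovery cause psecure-violation") for g in global_lines)
    span_dests = set()
    for g in global_lines:
        m = re.match(r"monitor session \d+ destination interface (\S+)", g)
        if m:
            span_dests.add(normalize(m.group(1)))
    findings = []
    for name, cmds in interfaces.items():
        if "switchport port-security" not in cmds:
            continue                                   # not a secure port, out of scope
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        maximum = 1                                     # IOS default when not configured
        for c in cmds:
            m = re.match(r"switchport port-security maximum (\d+)$", c)
            if m:
                maximum = int(m.group(1))
        violation = next((c.split()[-1] for c in cmds
                          if c.startswith("switchport port-security violation ")), "shutdown")
        has_voice = any(c.startswith("switchport voice vlan ") for c in cmds)
        if mode == "dynamic":
            findings.append((name, "DYNAMIC_PORT", "secure port cannot be a dynamic access port"))
        if any(c.startswith("channel-group ") for c in cmds):
            findings.append((name, "ETHERCHANNEL", "secure port cannot be an EtherChannel member"))
        if name in span_dests:
            findings.append((name, "SPAN_DEST", "secure port cannot be a SPAN destination"))
        if has_voice and maximum < 2:
            findings.append((name, "VOICE_MAX", f"voice VLAN port allows {maximum} address; phone plus PC needs 2"))
        if violation == "protect":
            findings.append((name, "PROTECT_SILENT", "protect mode gives no trap, syslog or counter"))
        if violation == "shutdown" and not recovery:
            findings.append((name, "NO_ERRDISABLE_RECOVERY",
                             "port will stay err-disabled until a manual shut/no shut"))
    return findings


if __name__ == "__main__":
    for iface, code, detail in audit(SAMPLE_CONFIG):
        print(f"{iface:22} {code:24} {detail}")
```

Feed it the output of `show running-config` and it reports Gi1/0/2 through Gi1/0/5 while leaving Gi1/0/1 alone; remove the `errdisable recovery cause psecure-violation` line and every shutdown-mode port also gets a NO_ERRDISABLE_RECOVERY finding. The `maximum` regex deliberately matches only the port-level limit, not the per-VLAN `maximum N vlan ...` form.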

 References:
 https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html
