College Of Engineering
Switch Security:
Conventional network security often focuses on routers and on blocking traffic from the outside.
Switches are internal to the organization and are designed for ease of connectivity, so often only
limited or no security measures are applied to them.
The following basic security features can be used to secure your switches and network:
Let’s look at how to implement and configure some of the features of switch security.
1. The switch name can be set from global configuration mode. Use the hostname [desired hostname]
command to set the name on the switch.
SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#
3. How to Configure Virtual Terminal (Telnet) and Console Passwords and Require Users to Log In
Passwords are used to restrict access to the switch. A Cisco switch supports a console line for local
login and VTY lines for remote login. All supported lines need to be secured for User EXEC mode. For
example, if you secure the VTY lines but leave the console line unsecured, an intruder can take
advantage of the console to connect to the device. Once connected to the device, all remaining
authentication is the same; no separate configuration is required for further modes.
Use the following commands to secure the console and telnet:
SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that
you just configured, enter the service password-encryption command in global configuration mode.
SW1(config)#service password-encryption
SW1(config)#
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these
guidelines:
1. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner
text.
2. Use a delimiting character before and after the banner text to indicate where the text begins and
ends. The delimiting character used in the example below is %, but you can use any character that
is not used in the banner text.
3. After you have configured the MOTD, log out of the switch to verify that the banner displays when
you log back in.
Enter interface configuration mode for Fast Ethernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be
enabled.
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface
configuration mode for fa0/11.
To configure the port to learn only one MAC address, set the maximum to 1:
8. How to Configure the Port to Add the MAC Address to the Running Configuration
The MAC address learned on the port can be added to ("sticky") the running configuration for that
port.
9. How to Configure the Port to Automatically Shut Down if Port Security is Violated
If you do not configure the following command, SW1 only logs the violation in the port security statistics
but does not shut down the port.
Use the show mac-address-table command to confirm that SW1 has learned the MAC address of the
intended device, in this case PC1.
SW1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0060.5c4b.cd22 STATIC Fa0/11
You can also use the show port-security interface fa0/11 command to verify whether a security
violation has occurred on the port.
Disabling unused switch ports is a simple method many network administrators use to help secure
their network from unauthorized access. Disabling an unused port stops any traffic from flowing
through that port.
Enter interface configuration mode for FastEthernet 0/17 and shut down the port.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
1. Implement the switch security using 2 PCs connected to a single switch. (Marks: 5)
Home task:
1. Implement the switch security in a network given below: (Marks: 3)
2. What basic measures are taken to secure the router? (Write any 8 of them.) (Marks: 1)