10.3

10.3.1 Policy in the access layer
The access layer is the entry point for
users to access the network. Cable connections are generally pulled
from an access layer switch to offices and cubicles within a
company. For this reason, the network devices at the access layer
are the most physically vulnerable. Anyone can plug a station into
an access-layer switch. Several precautions should be taken at the
access layer:
Port security is a feature of the Catalyst switches that allows a switch to block input from a port when the MAC address of a station attempting to use the port differs from the configured (secure) MAC address. When a port receives a frame, it compares the frame's source address to the secure source address that was originally learned on that port. If the addresses do not match, the port is disabled and the port LED turns orange. By default, a switch allows all MAC addresses to access the network and relies on other forms of security, such as file-server operating systems and applications, to provide network security. Port security lets a network administrator configure a set of MAC addresses to provide additional security at the port level. Once port security is enabled, only the MAC addresses that are explicitly allowed can use the port. A MAC address can be allowed as follows:
Use the following commands to enable and verify port security on a set command-based switch.
Use the following commands to enable and verify port security on a Cisco IOS command-based switch.
The port secure max-mac-count command lets the network administrator define the maximum number of MAC addresses that this port will support. The maximum can range from 1 to 132; the default value is 132. The example in the Figure to the left illustrates setting the maximum number of MAC addresses to 1. Further, on a Cisco IOS command-based switch, you can specify what action to take when a security violation occurs. For example, if you want the port to shut down in the event of a violation, issue the following command:
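The following Python model is an added illustration, not code from the page or from Cisco; it simulates the port-security decision logic described above (learn the first source addresses up to max-mac-count, forward frames from secure addresses, disable the port on a mismatch once the table is full) over a constructed sequence of frames. The port name, MAC addresses and the `simulate` helper are assumptions made for the example; the 1..132 range and the default of 132 come from the text.

```python
"""Simulation of access-layer port security as described in section 10.3.1.

Added example: it models the behaviour the text describes, it is not an
implementation of any Catalyst switch software.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Values from the text: max-mac-count ranges from 1 to 132, default 132.
MAX_MAC_COUNT_LIMIT = 132
MAX_MAC_COUNT_DEFAULT = 132


def normalize_mac(mac: str) -> str:
    """Canonical lower-case form so '00-00-0C-AA-AA-AA' and '00:00:0c:aa:aa:aa' compare equal."""
    return mac.replace("-", ":").lower()


@dataclass
class Frame:
    src_mac: str


@dataclass
class SwitchPort:
    name: str                                   # e.g. "Fa0/1" (assumed name)
    port_security: bool = False                 # default: all MAC addresses allowed
    max_mac_count: int = MAX_MAC_COUNT_DEFAULT
    configured: Set[str] = field(default_factory=set)  # statically allowed addresses
    learned: Set[str] = field(default_factory=set)     # addresses learned from first frames
    enabled: bool = True
    violations: int = 0

    def __post_init__(self) -> None:
        if not 1 <= self.max_mac_count <= MAX_MAC_COUNT_LIMIT:
            raise ValueError("max-mac-count must be between 1 and 132")
        self.configured = {normalize_mac(m) for m in self.configured}

    def secure_addresses(self) -> Set[str]:
        return self.configured | self.learned

    def receive(self, frame: Frame) -> str:
        """Return what the port does with one inbound frame."""
        if not self.enabled:
            return "dropped: port disabled"
        if not self.port_security:
            return "forwarded"                  # default behaviour: everything allowed
        mac = normalize_mac(frame.src_mac)
        if mac in self.secure_addresses():
            return "forwarded"
        if len(self.secure_addresses()) < self.max_mac_count:
            # Table not full yet: the source address becomes a secure address.
            self.learned.add(mac)
            return "forwarded (learned)"
        # Source address is not a secure address and the table is full:
        # this is the security violation; the text's action is to disable the port.
        self.violations += 1
        self.enabled = False
        return "violation: port shut down"


def simulate(port: SwitchPort, frames: List[Frame]) -> List[str]:
    """Feed frames to the port in order and collect the per-frame decision."""
    return [port.receive(f) for f in frames]


if __name__ == "__main__":
    # Constructed traffic: the legitimate station, then a second station on the same cable.
    traffic = [
        Frame("00:00:0c:aa:aa:aa"),
        Frame("00:00:0c:aa:aa:aa"),
        Frame("00:00:0c:bb:bb:bb"),   # second MAC exceeds max-mac-count of 1
        Frame("00:00:0c:aa:aa:aa"),   # even the original station is now blocked
    ]
    secured = SwitchPort("Fa0/1", port_security=True, max_mac_count=1)
    for frame, result in zip(traffic, simulate(secured, traffic)):
        print(f"{secured.name} {frame.src_mac}: {result}")
    print(f"port enabled: {secured.enabled}, violations: {secured.violations}")
```

The fourth frame is the point worth noticing: once the port is disabled, the legitimate station loses connectivity too, which is why the text treats port security as a deliberate policy decision rather than a default, and why a shutdown action should be paired with monitoring so an administrator notices the disabled port.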