Basic Switch Security

This post will be updated often!

Any form of access to a network device should be authenticated, so local users must be configured before anything else (see the Users post).

Passwords in the configuration are stored in clear text by default. The following global configuration command obfuscates them, but note that it only applies type 7 encoding, which is trivially reversible, so it protects against shoulder-surfing of a displayed config and nothing more; credentials that matter should be configured with the secret keyword so they are stored as hashes instead:
(config)#service password-encryption

Login banners clearly state that unauthorized access to the device is not permitted, which matters for legal follow-up after an intrusion. The banner is configured in global configuration mode; the first character after the command is the delimiter and must not appear inside the banner text:
(config)#banner login $Unauthorized Access to this device is prohibited$

Unused ports should always be configured as access ports in a dedicated, unused "black hole" VLAN (never VLAN 1) and then shut down, so that someone plugging into a spare port gets neither a link nor a path to a real VLAN. You can configure this in interface range configuration mode:
(config)#interface range ( interfaces )
(config-if-range)#switchport mode access
(config-if-range)#switchport access vlan ( unused vlan # )
(config-if-range)#shutdown

Port security limits which, and how many, MAC addresses may appear on an access port. The port must already be in access mode before switchport port-security is accepted. You then set the maximum number of MAC addresses allowed (default 1), supply the allowed addresses either statically or by sticky learning (the switch learns them dynamically and writes them into the running configuration, so they survive a reload once you save), and choose the violation action: protect silently drops frames from unknown addresses, restrict drops them and increments the violation counter and sends a log/SNMP notification, and shutdown (the default) places the port in err-disabled state until an administrator bounces it or errdisable recovery is configured. You configure these on the interface:
(config-if)#switchport port-security
(config-if)#switchport port-security maximum ( # of connections )
(config-if)#switchport port-security mac-address ( mac-address )
(config-if)#switchport port-security violation ( protect | restrict | shutdown )
OR, with sticky learning instead of static addresses:
(config-if)#switchport port-security
(config-if)#switchport port-security maximum ( # of connections )
(config-if)#switchport port-security mac-address sticky
(config-if)#switchport port-security violation ( protect | restrict | shutdown )
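To show how the pieces above fit together on one switch, here is a complete worked configuration. It is an added example, not taken from the original post; the interface numbers (Gi0/1-8 as user ports, Gi0/9-24 as unused), VLAN 10 as the user VLAN, VLAN 999 as the black-hole VLAN, the username, and the placeholder passwords are all assumptions and should be replaced with your own values.

```cisco
! Added example, not part of the original post.
! Assumptions: Gi0/1-8 are user access ports in VLAN 10,
! Gi0/9-24 are unused, VLAN 999 is the black-hole VLAN.
configure terminal
 ! Hashed local credentials (secret) rather than type 7 passwords
 username netadmin privilege 15 secret ChangeMe-Str0ng!
 enable secret ChangeMe-Enable!
 ! Obfuscates any remaining clear-text passwords in the config
 service password-encryption
 ! Delimiter is $, so it must not appear in the banner text
 banner login $Unauthorized access to this device is prohibited$
 !
 ! Black-hole VLAN that is not routed and has no other members
 vlan 999
  name BLACKHOLE
 !
 ! Unused ports: access mode, parked in VLAN 999, administratively down
 interface range GigabitEthernet0/9 - 24
  switchport mode access
  switchport access vlan 999
  shutdown
 !
 ! User ports: one host per port, sticky-learned, violations logged
 ! with 'restrict' so a rogue device does not err-disable the port
 interface range GigabitEthernet0/1 - 8
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  switchport port-security violation restrict
 end
! Save so sticky addresses persist across a reload
copy running-config startup-config
! Verification
show port-security
show port-security interface GigabitEthernet0/1
show port-security address
show interfaces status
```

After a host has sent traffic, show port-security address lists its MAC as a SecureSticky entry and the interface stanza in show running-config gains a switchport port-security mac-address sticky <mac> line; if you later see SecureViolation counters climbing in show port-security interface, something other than the learned host is on that cable.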
