Oct 21, 2019
#Dot1x #nac #accessnetwork #networking #networkers https://www.instagram.com/p/B34KV_TH8X9/?igshid=1p06dm1xws9x3
Loading...
seen from United Kingdom
seen from Kazakhstan
seen from Chile
seen from Chile
seen from China
seen from China
seen from United Kingdom
seen from China
seen from Kazakhstan
seen from United States
seen from China
seen from Malaysia
seen from Malaysia
seen from China
seen from China
seen from Germany
seen from China
seen from China
seen from China
seen from China
#Dot1x #nac #accessnetwork #networking #networkers https://www.instagram.com/p/B34KV_TH8X9/?igshid=1p06dm1xws9x3
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch • No registration required • HD streaming
Switch Port Security
I recently had to protect the switch ports on a Cisco switch. This is a good idea for all businesses, particularly if the switches are not physically secured (in a comms room) or the switch ports are patched through to outlets in offices.
As far as I can see there are four methods for securing the ports on a Cisco switch:
Shut down the ports that aren't in use.
Use the Cisco proprietary method.
Use 802.1x to secure the ports.
A combination of 2 and 3!
802.1x Port Security
Number 1 is fairly simple and good practice if you aren't using 802.1x. 802.1x allows you to configure the switch ports so that when a device is connected it is authenticated against a AAA server (i.e. RADIUS) which in turn will send back an ACCESS-ACCEPT or ACCESS-REJECT packet based upon a number of attribute in the ACCESS-REQUEST packet (i.e. MAC Address or username and password).
Unfortunately this option wasn't open to me as the RADIUS server deployed on the site is only compliant with the original RADIUS RFC. The original RFC states that the authentication methods PAP and CHAP must be supported. For 802.1x security the RADIUS server must support EAP. So this was out of the question.
Cisco Method
This left me with using a combination of number 1 and number 2. The network I configure has a combination of switch ports with either 1 device (printer/server/access-point etc.), 2 devices (PC and IP phone) or no devices.
On the ports where I had no devices I simply issued the shutdown command on the interface:
switch(config-if)#shutdown
For ports where there was one device I configured port security with stick MAC addresses with shutdown on violation. This means that the switch learns which devices are connected to the switch port, learns the addresses and then shuts down the port if a rogue device is detected on the port:
switch(config-if)#shutdown
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#switchport port-security maximum 1
switch(config-if)#no shutdown
It is also a good idea to configure your switch to send log alerts to an SNMP server or a Syslog server so you know when there has been a violation on a switch port.
One thing I realised after configuring a switch port is that sometimes an IP phone was unable to connect. I read the Cisco documentation and they recommend using the following command when the switch port is in trunk mode:
switch(config-if)#switchport nonegotiate