Unauthorised switch port access

curtis03_2
Level 1

I am responsible for several LANs that include sharing wiring closets (WCs) with other organisations, and therefore access to my 3750 switches in unlocked cabinets.

I have no port security enabled and the ports are not shut down.

I would like to know the security implications of having unused switchports available to anyone, e.g. with a laptop and DHCP configured.

What security measures can I configure?

Thanks in advance!

8 Replies

spremkumar
Level 9

Hi Curtis

The best option would be disabling the ports using shutdown command and securing the access to the switch.

Regards

Thanks.

What about the ports in use? How do I defend against someone unpatching a port and using it? MAC address port assignment?

Thanks.

Hi,

Your task sounds like you need to enable port security with sticky learning. The switch will learn the MAC address of the device attached to a port and add it to the config.

This can be configured with "switchport port-security mac-address sticky".

Have a look at, e.g., "Configuring Port Security":

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a0080379add.html#wp1047696

Hope this helps! Please rate all posts.

Regards, Martin

Thanks, Martin.

lgijssel
Level 9

You may configure unused ports in a separate vlan which has limited access to network resources. This can be achieved in a simple way by placing an access-list on the vlan interface.

When your organization has more money, you may consider using a firewall for this.

Regards,

Leo

Thanks, Leo.

Can you please explain further the use of a firewall in this case?

Thanks.

In this case a firewall wouldn't be very effective. If a port were unpatched and a device like a WAP were connected to that port then the intruder is in your network.

I would administratively shut down the unused ports and then use mac-address security sticky on the active ports. If possible I would also consider a secure rack for your network equipment.
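The two measures recommended in this thread (shut down unused ports, sticky port security on active ports) together with Leo's separate VLAN for unused ports, as an added IOS configuration example that is not from any poster. Interface ranges, VLAN 999 and the recovery interval are assumed values; adjust them to the switch in question.

```cisco
! Added example (not from the thread). Assumed: a 3750 with Gi1/0/1-19 in use
! and Gi1/0/20-24 unpatched. VLAN 999 is a constructed "parking" VLAN.
!
! 1. Park unused ports in an isolated VLAN with no SVI, then shut them down.
!    Even if someone re-enables a port, it lands in a dead-end VLAN.
vlan 999
 name UNUSED-PARKING
!
interface range GigabitEthernet1/0/20 - 24
 description Unused - parked and shut down
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! 2. Sticky port security on the ports in use: the first MAC seen is written
!    into the running config; any other MAC puts the port into err-disable.
interface range GigabitEthernet1/0/1 - 19
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! 3. Optional: auto-recover err-disabled ports after 10 minutes so a legitimate
!    device move does not require a site visit (the violation is still logged).
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
end
!
! Save so the learned sticky MACs persist across a reload:
!   copy running-config startup-config
! Verify with:
!   show port-security address
!   show port-security interface GigabitEthernet1/0/1
!   show interfaces status err-disabled
```

Note that with `violation shutdown` a device swap on a protected port disables it until it recovers or is cleared, so agree a process with whoever patches cables before rolling this out.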

t-heeter
Level 1

I would look into 802.1x port authentication.
